/srv/irclogs.ubuntu.com/2011/06/10/#ubuntu-classroom.txt

=== _LibertyZero is now known as LibertyZero
[10:16] <qwebirc24773> hello all
=== medberry is now known as med_out
[16:45] <Trond--> why didn't the class start?
[17:19] <jcastro> 10 minutes until our session with Jamie Strandboge, Ubuntu Security Team Manager
[17:19] <jcastro> (and also the 4th member of Rush)
[17:19] <jdstrand> \o/
[17:20] * jdstrand plays opening riff to Freewill
[17:30] <jcastro> Alright
=== ChanServ changed the topic of #ubuntu-classroom to: Welcome to the Ubuntu Classroom - https://wiki.ubuntu.com/Classroom || Support in #ubuntu || Upcoming Schedule: http://is.gd/8rtIi || Questions in #ubuntu-classroom-chat || Current Session: Q and A with Jamie Strandboge the Ubuntu Security Team Manager - Instructors: jdstrand
[17:30] <jcastro> let's get started, we'll give people a few minutes to catch up
[17:30] <jcastro> in the meantime I'll let you know how this session will work
[17:30] <ClassBot> Logs for this session will be available at http://irclogs.ubuntu.com/2011/06/10/%23ubuntu-classroom.html following the conclusion of the session.
[17:30] <jcastro> Welcome to our Weekly Q+A with Ubuntu Managers
[17:31] <jcastro> You should be idling in #ubuntu-classroom-chat as well
[17:31] <jcastro> from there you will ask your questions
[17:31] <jcastro> you need to make sure that you preface it with QUESTION: so the bot can pick it up
[17:31] <jcastro> so for example
[17:31] <jcastro> "How do I turn on my computer?"
[17:31] <jcastro> won't get picked up
[17:31] <jcastro> you need to do:
[17:32] <jcastro> "QUESTION: How do I turn on my computer?"
[17:32] <jcastro> now with that being said, for these sessions we'd like the questions to remain on topic
[17:32] <jcastro> since Jamie is part of the security team try to keep your questions related to that.
[17:32] <jcastro> it's not that he doesn't want to help you, but for example he won't be the best person to know how Unity is designed or anything like that
=== ksullivan is now known as Aconek
[17:33] <jcastro> ok, so, now that that's out of the way, jdstrand, why don't you start it off and introduce yourself!
[17:33] <jdstrand> Hi! I am Jamie Strandboge, the manager of the Ubuntu Security team. I've been asked to be a part of this Q+A, and I'll do my best to answer your questions. A little background: I've been a part of the Ubuntu Security team for getting on 4 years, my team is great and I find working on security in Ubuntu very rewarding.
[17:33] <jdstrand> (it's almost as if I had that ready)
[17:33] <jdstrand> Let's get started!
[17:35] <jdstrand> Since no one has asked a question yet, I might point out that a lot of information about the Ubuntu Security team can be found in the wiki at: https://wiki.ubuntu.com/SecurityTeam
[17:36] <ClassBot> jstvincent asked: Does Ubuntu currently have encryption levels up to any FIPS standard?
[17:37] <jdstrand> That is a good question. That is a pretty broad question. Ubuntu has software which is FIPS certified, such as nss, which is used by for example Firefox
[17:37] <jdstrand> Firefox can be configured to meet FIPS-140
[17:38] <jdstrand> most applications use openssl which iirc, had gone through FIPS some time ago, but they haven't renewed
[17:39] <jdstrand> (though, that doesn't mean that it still doesn't meet the requirements)
[17:41] <ClassBot> jstvincent asked: In essence, could all the parts of Ubuntu (after total installation) be set for something like FIPS 140-2 for client security? As in ALL information is encrypted until login, and only unencrypted as needed.
[17:43] <jdstrand> I am going to have to err on the side of caution here and say 'no'. There is a lot of software in Ubuntu, even in the default installation, and I don't think all of it could meet these requirements at this time
[17:44] <jdstrand> That said, Mozilla products use nss, and I know both Firefox and Thunderbird can be configured to require FIPS 140-2
[17:45] <jdstrand> other software like evolution (which is in the default install), also uses nss, but does not have a method of restricting the encryption/hashing algorithms afaik
[17:45] <jdstrand> of course, you can configure evolution to connect to pop3s, etc, but it doesn't expose the FIPS 140-2 functionality
[17:46] <jdstrand> I think mozilla products (and possibly chromium-browser) are the exceptions
[17:47] <jdstrand> the best course of action to achieve this would be to coordinate either via the blueprint process, or look at our https://wiki.ubuntu.com/SecurityTeam/Roadmap page, then add a list of software that could benefit from this, then work with upstreams to implement the functionality and we can pull it into Ubuntu
[17:47] <ClassBot> Trond-- asked: Hi! I am new to Gnu/Linux and Ubuntu, but so far I like it. I changed because I got attacked a lot of times using Windows OS and this time XP. Torpig was the final drop so I wanted to change to something more secure. What are minimum safety requirements for using Ubuntu for a new beginner like me?
[17:48] <jdstrand> good question
[17:49] <jdstrand> In the default installation, Ubuntu is quite secure. We have a now open ports policy as well as proactive security features in our kernel and toolchain
[17:49] <jcastro> (He means "no open ports", not now) -ed.
[17:50] <jdstrand> some important applications also are confined by AppArmor, so if a flaw is found in the software, an attacker is 'confined' in a sandbox that prevents reading, writing and executing files outside of the ones needed to run the application
[17:51] <jdstrand> Ubuntu also provides security updates for 18 months for regular stable releases
[17:51] <jdstrand> LTS releases have 3 years of security support on the desktop and 5 on the server
[17:51] <jdstrand> the single most important thing you can do to stay safe is to stay up to date on your security updates
[17:52] <jdstrand> our team and the community provide quite a few of them, but we prefer to release as soon as we can as opposed to providing service packs
[17:53] <jdstrand> Ubuntu also has various security software available such as a firewall and virus scanning (though virus scanning is not nearly as much of a problem on Linux in general at this time)
[17:53] <ClassBot> jstvincent asked: Does the vision of the Ubuntu Security Team see FIPS 140-2 as being a possibility in the future? Or perhaps a special distro with only core components of the OS so there is no question as to the defaults of those programs?
[17:54] <jdstrand> I would love to see more FIPS 140-2 compliance. There are efforts in the open source world to standardize on nss instead of openssl
[17:54] <jdstrand> This development is ongoing, and something the Ubuntu Security team is keeping an eye on, but it is far from complete
[17:55] <ClassBot> OneArmedNoodler asked: I have a friend who is a teacher and she's trying to introduce Ubuntu and OSS in general to the classroom, but she's getting resistance from the district IT team. They claim OSS isn't secure and won't even listen to her. Any suggestions for convincing them otherwise?
[17:56] <jdstrand> There is always resistance to change and when you are talking about computer security, the resistance provides the necessary pause before jumping to a new technology
[17:57] <jdstrand> In other words, the feeling is understandable, and I think that the first step is recognizing their concerns
[17:57] <jdstrand> Then try to get specific. Ubuntu is a very secure operating system by default. You can see some of our features in https://wiki.ubuntu.com/Security/Features
[17:58] <jdstrand> Linux in general, while not immune to viruses and malware, has some good defenses against them
[17:59] <jdstrand> Ubuntu in particular has a lot of hardening features and proactive security that helps contain and minimize flaws in software, and we provide timely security updates
[17:59] <jdstrand> As for open source software not being secure-- that is an old argument
[17:59] <jdstrand> you could tout 'yes, but many eyes look at the code and therefore the bugs are found and fixed faster'
[18:00] <jdstrand> while true, in my experience, that isn't the most effective argument
[18:00] <jdstrand> a better argument is pointing to the flourishing open source software that is out there: Firefox, Thunderbird, OpenOffice/LibreOffice, CUPS, webkit, chromium, etc, etc
[18:02] <jdstrand> Apple develops webkit and CUPS which are both open source. Google develops Chrome and Android (based on open source). I'm not sure you could point to much bigger players in the industry :)
[18:02] <ClassBot> Lost_Cause asked: Do you know anything about the vulnerabilities of pidgin and any possible ways of making it safe enough to use again?
[18:04] <jdstrand> Looking at our CVE tracker, I see one open CVE, with a low priority against pidgin. If you are aware of other vulnerabilities, please file a bug in https://bugs.launchpad.net/ubuntu/+source/pidgin/+filebug, being sure to check the security box, or send an email to security@ubuntu.com. pidgin is supported by our team, and we are interested in fixing security issues in it
[18:05] <ClassBot> Fungalcomb asked: I don't know how true this is, but I was always told that one of the main reasons linux was virus free was because not a lot of people use it. Now that there are more and more people using linux, especially ubuntu which is being marketed as an OS 'your mum could use', are viruses becoming more of a concern? Are there thoughts going in to packaging ubuntu with an anti-virus?
[18:05] <jdstrand> That is a great question
[18:06] <jdstrand> While it is true that Ubuntu (and Linux in general) have not been the target of malware writers, I believe we have to assume that it is going to be
[18:07] <jdstrand> Our goal on the security team when we aren't providing reactive security updates is to develop/integrate proactive security features such that when taken as a whole, Ubuntu becomes a very inhospitable environment for malware
[18:07] <jdstrand> We succeed in many ways, but there is more work to be done
[18:08] <ClassBot> Lost_Cause asked: Does the SELinux meta-package work across all ubuntu distros? This might be a stretch but can it also work with debian seeing how ubuntu is based off of debian
[18:10] <jdstrand> SElinux, the technology, should work fine in Ubuntu, however policy maintenance and development is community supported and not actively worked on by the Ubuntu Security team
[18:10] <jdstrand> Ubuntu uses a different MAC system called AppArmor which is what I like to call "The MAC system for human beings"
[18:11] <jdstrand> it is on by default in Ubuntu, and protecting several important applications
[18:11] <jdstrand> I'd love to see more help with policy development, and it is a goal of our team to make that easier
[18:12] <jdstrand> (this is being tracked in one of our blueprints this cycle)
[18:13] <jdstrand> If you want to get involved with SElinux or Apparmor (or any security stuff :) on Ubuntu, I suggest visiting https://wiki.ubuntu.com/SecurityTeam/GettingInvolved and contacting us
[18:13] <ClassBot> Omega asked: Why don't we enable encrypting the home folder by default?
[18:13] <jdstrand> Great question
[18:13] <jdstrand> I think it boils down to a few things
[18:14] <jdstrand> 1. backups
[18:14] <jdstrand> 2. disaster recovery
[18:14] <jdstrand> 3. a couple of annoying bugs
[18:15] <jdstrand> backing up your encrypted home directory requires planning. Without proper planning, normal backup procedures might make the backups unusable
[18:15] <jdstrand> in terms of disaster recovery-- the tools are different than what most people (and documentation) are used to
[18:16] <jdstrand> the bugs are being worked on. But the bottom line is we provide it in the installer so that people can increase the security of their machine in the face of offline attacks. we make it opt in so they have to make a decision-- hopefully an educated one :)
[18:17] <ClassBot> julie asked: Is there a reason why no firewall is configured by default on a fresh ubuntu install?
[18:18] <jdstrand> Ubuntu ships with ufw by default since Ubuntu 8.04 LTS
[18:19] <jdstrand> I hope to have network-manager integration with ufw in Oneiric
[18:19] <jdstrand> whether or not to enable it by default is an active question
[18:20] <jdstrand> on the one hand, there are no open ports in the default install, so there is nothing to firewall against
[18:20] <jdstrand> on the other hand, it would be good to provide this extra level of protection
[18:20] <ClassBot> There are 10 minutes remaining in the current session.
[18:21] <jdstrand> in the past we did not enable it by default because ufw is not a GUI application, and it could cause confusion for users
[18:21] <jdstrand> that should be changing in Oneiric, so we may revisit this next cycle
[18:21] <ClassBot> Omega asked: Why don't we offer full disk encryption on the live CD?
[18:22] <jdstrand> I think part of the answer is limitations in ubiquity (the graphical installer for Ubuntu), but the Foundations team could speak more to that
[18:23] <jdstrand> Even if that could be adjusted, I am not sure it is a viable option on the livecd-- for similar reasons as for ecryptfs
[18:25] <ClassBot> There are 5 minutes remaining in the current session.
[18:25] <jdstrand> Since people are clearly interested in disk encryption in this session, I might give my opinion on this: the most secure method is going to be using hard disk encryption with an ATA password and BIOS password. It prevents against many attacks and makes the installation, backups and maintenance so much easier
[18:26] <jdstrand> newer disks have this built in. Of course, not everyone has access to them, so other options are available
[18:26] <ClassBot> jstvincent asked: Do you know of any external hazards to an Intranet in a network that is connected to the internet? (is there any way someone could shut down or infiltrate the security on our Intranet from an outside source)
[18:27] <jdstrand> sure, there are many attacks featuring nat traversal and the like
[18:27] <jdstrand> and typical best practice is not to run internet facing servers on the same subnet as the rest of your lan (ie, use a DMZ)
[18:28] <jdstrand> so your best defense here is network segmentation in your topology, VLANs as well as bastion firewalls, client firewalls and egress filtering on your router
[18:28] <jdstrand> it is not an easy subject, and is highly site specific, but there is a lot of information out there on the topic
[18:29] <jdstrand> one follow up to the full disk encryption on the live cd-- I want to make sure people know that full disk encryption via LUKS is available on the alternate CD
[18:30] <ClassBot> Logs for this session will be available at http://irclogs.ubuntu.com/2011/06/10/%23ubuntu-classroom.html
[18:30] <jdstrand> I think we are out of time, which works, cause we are out of questions :)
=== ChanServ changed the topic of #ubuntu-classroom to: Welcome to the Ubuntu Classroom - https://wiki.ubuntu.com/Classroom || Support in #ubuntu || Upcoming Schedule: http://is.gd/8rtIi || Questions in #ubuntu-classroom-chat ||
[18:31] <jdstrand> thanks to everyone for participating and following along! Be safe :)
[18:32] <jdstrand> People interested in Ubuntu Security can visit https://wiki.ubuntu.com/SecurityTeam/GettingInvolved or ask questions in #ubuntu-security on Freenode
[18:34] <jdstrand> Omega: a colleague of mine pointed me to: https://blueprints.launchpad.net/ubuntu/+spec/foundations-o-ubiquity-lvm-luks
[18:34] <Omega> Thanks!
[18:44] <Nabeel> QUESTION: When will the nvidia 96.x drivers be available for natty
=== yofel_ is now known as yofel
=== McFrog is now known as BullFrog
=== BullFrog is now known as McFrog
=== iago is now known as Guest28800
=== med_out is now known as med_BOS
=== med_BOS is now known as medberry
=== medberry is now known as med_out
=== head_v is now known as head_victim
=== braiam_ is now known as braiam
