[10:16] hello all
[16:45] why didn't the class start?
[17:19] 10 minutes until our session with Jamie Strandboge, Ubuntu Security Team Manager
[17:19] (and also the 4th member of Rush)
[17:19] \o/
[17:20] * jdstrand plays opening riff to Freewill
[17:30] Alright
=== ChanServ changed the topic of #ubuntu-classroom to: Welcome to the Ubuntu Classroom - https://wiki.ubuntu.com/Classroom || Support in #ubuntu || Upcoming Schedule: http://is.gd/8rtIi || Questions in #ubuntu-classroom-chat || Current Session: Q and A with Jamie Strandboge the Ubuntu Security Team Manager - Instructors: jdstrand
[17:30] let's get started, we'll give people a few minutes to catch up
[17:30] in the meantime I'll let you know how this session will work
[17:30] Logs for this session will be available at http://irclogs.ubuntu.com/2011/06/10/%23ubuntu-classroom.html following the conclusion of the session.
[17:30] Welcome to our Weekly Q+A with Ubuntu Managers
[17:31] You should be idling in #ubuntu-classroom-chat as well
[17:31] from there you will ask your questions
[17:31] you need to make sure that you preface it with QUESTION: so the bot can pick it up
[17:31] so for example
[17:31] "How do I turn on my computer?"
[17:31] won't get picked up
[17:31] you need to do:
[17:32] "QUESTION: How do I turn on my computer?"
[17:32] now with that being said, for these sessions we'd like the questions to remain on topic
[17:32] since Jamie is part of the security team try to keep your questions related to that.
[17:32] it's not that he doesn't want to help you, but for example he won't be the best person to know how Unity is designed or anything like that
[17:33] ok, so, now that that's out of the way, jdstrand, why don't you start it off and introduce yourself!
[17:33] Hi! I am Jamie Strandboge, the manager of the Ubuntu Security team.
I've been asked to be a part of this Q+A, and I'll do my best to answer your questions. A little background: I've been a part of the Ubuntu Security team for getting on 4 years, my team is great and I find working on security in Ubuntu very rewarding.
[17:33] (it's almost as if I had that ready)
[17:33] Let's get started!
[17:35] Since no one has asked a question yet, I might point out that a lot of information about the Ubuntu Security team can be found in the wiki at: https://wiki.ubuntu.com/SecurityTeam
[17:36] jstvincent asked: Does Ubuntu currently have encryption levels up to any FIPS standard?
[17:37] That is a good question. That is a pretty broad question. Ubuntu has software which is FIPS certified, such as nss, which is used by for example Firefox
[17:37] Firefox can be configured to meet FIPS-140
[17:38] most applications use openssl which iirc, had gone through FIPS some time ago, but they haven't renewed
[17:39] (though, that doesn't mean that it still doesn't meet the requirements)
[17:41] jstvincent asked: In essence, could all the parts of Ubuntu (after total installation) be set for something like FIPS 140-2 for client security? As in ALL information is encrypted until login, and only unencrypted as needed.
[17:43] I am going to have to err on the side of caution here and say 'no'.
There is a lot of software in Ubuntu, even in the default installation, and I don't think all of it could meet these requirements at this time
[17:44] That said, Mozilla products use nss, and I know both Firefox and Thunderbird can be configured to require FIPS 140-2
[17:45] other software like evolution (which is in the default install), also uses nss, but does not have a method of restricting the encryption/hashing algorithms afaik
[17:45] of course, you can configure evolution to connect to pop3s, etc, but it doesn't expose the FIPS 140-2 functionality
[17:46] I think mozilla products (and possibly chromium-browser) are the exceptions
[17:47] the best course of action to achieve this would be to coordinate either via the blueprint process, or look at our https://wiki.ubuntu.com/SecurityTeam/Roadmap page, then add a list of software that could benefit from this, then work with upstreams to implement the functionality and we can pull it into Ubuntu
[17:47] Trond-- asked: Hi! I am new to Gnu/Linux and Ubuntu, but so far I like it. I changed because I got attacked a lot of times using Windows OS and this time XP. Torpig was the final drop so I wanted to change to something more secure. What are minimum safety requirements for using Ubuntu for a new beginner like me?
[17:48] good question
[17:49] In the default installation, Ubuntu is quite secure. We have a now open ports policy as well as proactive security features in our kernel and toolchain
[17:49] (He means "no open ports", not now) -ed.
[17:50] some important applications also are confined by AppArmor, so if a flaw is found in the software, an attacker is 'confined' in a sandbox that prevents reading, writing and executing files outside of the ones needed to run the application
[17:51] Ubuntu also provides security updates for 18 months for regular stable releases
[17:51] LTS releases have 3 years of security support on the desktop and 5 on the server
[17:51] the single most important thing you can do to stay safe is to stay up to date on your security updates
[17:52] our team and the community provide quite a few of them, but we prefer to release as soon as we can as opposed to providing service packs
[17:53] Ubuntu also has various security software available such as a firewall and virus scanning (though virus scanning is not nearly as much of a problem on Linux in general at this time)
[17:53] jstvincent asked: Does the vision of the Ubuntu Security Team see FIPS 140-2 as being a possibility in the future? Or perhaps a special distro with only core components of the OS so there is no question as to the defaults of those programs?
[17:54] I would love to see more FIPS 140-2 compliance. There are efforts in the open source world to standardize on nss instead of openssl
[17:54] This development is ongoing, and something the Ubuntu Security team is keeping an eye on, but it is far from complete
[17:55] OneArmedNoodler asked: I have a friend who is a teacher and she's trying to introduce Ubuntu and OSS in general to the classroom, but she's getting resistance from the district IT team. They claim OSS isn't secure and won't even listen to her. Any suggestions for convincing them otherwise?
[17:56] There is always resistance to change and when you are talking about computer security, the resistance provides the necessary pause before jumping to a new technology
[17:57] In other words, the feeling is understandable, and I think that the first step is recognizing their concerns
[17:57] Then try to get specific. Ubuntu is a very secure operating system by default. You can see some of our features in https://wiki.ubuntu.com/Security/Features
[17:58] Linux in general, while not immune to viruses and malware, has some good defenses against them
[17:59] Ubuntu in particular has a lot of hardening features and proactive security that helps contain and minimize flaws in software, and we provide timely security updates
[17:59] As for open source software not being secure-- that is an old argument
[17:59] you could tout 'yes, but many eyes look at the code and therefore the bugs are found and fixed faster'
[18:00] while true, in my experience, that isn't the most effective argument
[18:00] a better argument is pointing to the flourishing open source software that is out there: Firefox, Thunderbird, OpenOffice/LibreOffice, CUPS, webkit, chromium, etc, etc
[18:02] Apple develops webkit and CUPS which are both open source. Google develops Chrome and Android (based on open source). I'm not sure you could point to much bigger players in the industry :)
[18:02] Lost_Cause asked: Do you know anything about the vulnerabilities of pidgin and any possible ways of making it safe enough to use again?
[18:04] Looking at our CVE tracker, I see one open CVE, with a low priority against pidgin. If you are aware of other vulnerabilities, please file a bug in https://bugs.launchpad.net/ubuntu/+source/pidgin/+filebug, being sure to check the security box, or send an email to security@ubuntu.com.
pidgin is supported by our team, and we are interested in fixing security issues in it
[18:05] Fungalcomb asked: I don't know how true this is, but I was always told that one of the main reasons linux was virus free was because not a lot of people use it. Now that there are more and more people using linux, especially ubuntu which is being marketed as an OS 'your mum could use', are viruses becoming more of a concern? Are there thoughts going in to packaging ubuntu with an anti-virus?
[18:05] That is a great question
[18:06] While it is true that Ubuntu (and Linux in general) have not been the target of malware writers, I believe we have to assume that it is going to be
[18:07] Our goal on the security team when we aren't providing reactive security updates is to develop/integrate proactive security features such that when taken as a whole, Ubuntu becomes a very inhospitable environment for malware
[18:07] We succeed in many ways, but there is more work to be done
[18:08] Lost_Cause asked: Does the SELinux meta-package work across all ubuntu distros? This might be a stretch but can it also work with debian seeing how ubuntu is based off of debian
[18:10] SELinux, the technology, should work fine in Ubuntu, however policy maintenance and development is community supported and not actively worked on by the Ubuntu Security team
[18:10] Ubuntu uses a different MAC system called AppArmor which is what I like to call "The MAC system for human beings"
[18:11] it is on by default in Ubuntu, and protecting several important applications
[18:11] I'd love to see more help with policy development, and it is a goal of our team to make that easier
[18:12] (this is being tracked in one of our blueprints this cycle)
[18:13] If you want to get involved with SELinux or AppArmor (or any security stuff :) on Ubuntu, I suggest visiting https://wiki.ubuntu.com/SecurityTeam/GettingInvolved and contacting us
[18:13] Omega asked: Why don't we enable encrypt the home folder by default?
[18:13] Great question
[18:13] I think it boils down to a few things
[18:14] 1. backups
[18:14] 2. disaster recovery
[18:14] 3. a couple of annoying bugs
[18:15] backing up your encrypted home directory requires planning. Without proper planning, normal backup procedures might make the backups unusable
[18:15] in terms of disaster recovery-- the tools are different than what most people (and documentation) are used to
[18:16] the bugs are being worked on. But the bottom line is we provide it in the installer so that people can increase the security of their machine in the face of offline attacks. we make it opt in so they have to make a decision-- hopefully an educated one :)
[18:17] julie asked: Is there a reason why no firewall is configured by default on a fresh ubuntu install?
[18:18] Ubuntu ships with ufw by default since Ubuntu 8.04 LTS
[18:19] I hope to have network-manager integration with ufw in Oneiric
[18:19] whether or not to enable it by default is an active question
[18:20] on the one hand, there are no open ports in the default install, so there is nothing to firewall against
[18:20] on the other hand, it would be good to provide this extra level of protection
[18:20] There are 10 minutes remaining in the current session.
[18:21] in the past we did not enable it by default because ufw is not a GUI application, and it could cause confusion for users
[18:21] that should be changing in Oneiric, so we may revisit this next cycle
[18:21] Omega asked: Why don't we offer full disk encryption on the live CD?
[18:22] I think part of the answer is limitations in ubiquity (the graphical installer for Ubuntu), but the Foundations team could speak more to that
[18:23] Even if that could be adjusted, I am not sure it is a viable option on the livecd-- for similar reasons as for ecryptfs
[18:25] There are 5 minutes remaining in the current session.
[18:25] Since people are clearly interested in disk encryption in this session, I might give my opinion on this: the most secure method is going to be using hard disk encryption with an ATA password and BIOS password. It prevents against many attacks and makes the installation, backups and maintenance so much easier
[18:26] newer disks have this built in. Of course, not everyone has access to them, so other options are available
[18:26] jstvincent asked: Do you know of any external hazards to an Intranet in a network that is connected to the internet? (is there any way someone could shut down or infiltrate the security on our Intranet from an outside source)
[18:27] sure, there are many attacks featuring nat traversal and the like
[18:27] and typical best practice is not to run internet facing servers on the same subnet as the rest of your lan (ie, use a DMZ)
[18:28] so your best defense here is network segmentation in your topology, VLANs as well as bastion firewalls, client firewalls and egress filtering on your router
[18:28] it is not an easy subject, and is highly site specific, but there is a lot of information out there on the topic
[18:29] one follow up to the full disk encryption on the live cd-- I want to make sure people know that full disk encryption via LUKS is available on the alternate CD
[18:30] Logs for this session will be available at http://irclogs.ubuntu.com/2011/06/10/%23ubuntu-classroom.html
[18:30] I think we are out of time, which works, cause we are out of questions :)
=== ChanServ changed the topic of #ubuntu-classroom to: Welcome to the Ubuntu Classroom - https://wiki.ubuntu.com/Classroom || Support in #ubuntu || Upcoming Schedule: http://is.gd/8rtIi || Questions in #ubuntu-classroom-chat ||
[18:31] thanks to everyone for participating and following along!
Be safe :)
[18:32] People interested in Ubuntu Security can visit https://wiki.ubuntu.com/SecurityTeam/GettingInvolved or ask questions in #ubuntu-security on Freenode
[18:34] Omega: a colleague of mine pointed me to: https://blueprints.launchpad.net/ubuntu/+spec/foundations-o-ubiquity-lvm-luks
[18:34] Thanks!
[18:44] QUESTION: When will the nvidia 96.x drivers be available for natty