Sunday, January 31, 2016

CentOS Dojo 2016 Notes until lunch

This post is meant mostly as my notes from the CentOS Dojo held before FOSDEM 2016, but maybe someone else will find it useful as well.

1. State of the CentOS Project

Well, the Dojo didn't begin very well for me: my phone decided to turn off during the night, and since I had arrived after midnight I easily overslept and thus missed the first talk, where Karanbir talked about where CentOS is today. Hopefully I'll see it in the recording.

2. Relax-and-Recover simplifies Linux Disaster Recovery

A presentation about ReaR ("Relax-and-Recover"), recently also included in RHEL 7, given by its author, Gratien, who supports these tools for a living. It makes recovery scenarios easy to solve, but it is not a backup solution. The live demo showed a recovery of a virtual machine in less than 3 minutes. Interesting stuff even for people without admin experience.

3. Desktop security, keeping the keys to the castle safe

Michael Scherer talked about security threats of various types, from stealing a computer and moving its RAM into a different computer (cold boot attack), through stealing a password in various ways, to a FireWire DMA attack.

A big portion of the talk was about protecting the operating system, while many tips were given for protecting various specific things. Phishing, password managers, firewalls and other technologies were described from an interesting point of view, mostly wrapped in the statement that they must be used properly to work properly.

What surprised me was that virus scanners were found to be insecure themselves, because all tested scanners could be cracked by a file sent to them to be scanned, and the fact that they usually run with pretty high privileges makes them quite dangerous.

From the desktop world, a few technologies were mentioned, but most of the focus was on browsers. Chrome was mentioned as good on some points, like separating processes, but Michael generally regards it as a proprietary thing, so not very good from a security point of view. Firefox, the better integrated alternative, seems to be the better choice for those who trust the Mozilla Foundation, as Michael does, but while keeping some rules: remove Flash, not just disable it; the same for Java, except where really necessary; no JavaScript, using the NoScript add-on, which makes the web faster but also often broken. Remove the CAs you don't trust.

Think about privacy in connection with surveillance: Adblock and CookieMaster, maybe even using Tor or Tails...

Local attacks mean the laptop needs to be protected, not only from colleagues: a screensaver with a password, not leaving a root shell open, using credential expiration, disabling ptrace via SELinux (the deny_ptrace boolean). Use a passphrase on SSH keys and store keys on a smartcard, like a YubiKey.
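The "passphrase on SSH keys" tip can be checked mechanically. What follows is an added example of mine, not code from the talk or from the CentOS project: it parses the private-key containers OpenSSH writes (the openssh-key-v1 format, where the cipher name sits in the header; legacy PEM with a "Proc-Type: 4,ENCRYPTED" line; and PKCS#8) and lists the keys in a directory that have no passphrase. The sample key blobs at the bottom are constructed with placeholder key material so it runs offline; the function names and the bcrypt round count are my own choices.

```python
"""Check whether SSH private keys on disk are passphrase-protected.

Added example, not from the talk. It inspects the three containers
OpenSSH writes: the modern "openssh-key-v1" format (cipher name is in the
header), legacy PEM with a "Proc-Type: 4,ENCRYPTED" line, and PKCS#8.
"""
import base64
import os
import struct

MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data):
    """Encode bytes as an SSH wire-format string (uint32 length + bytes)."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf, off):
    """Decode one SSH wire-format string at `off`; return (bytes, new offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def _pem_body(text, label):
    """Base64-decode the body between the BEGIN/END lines for `label`."""
    inner = text.split(f"-----BEGIN {label}-----", 1)[1]
    inner = inner.split(f"-----END {label}-----", 1)[0]
    return base64.b64decode("".join(inner.split()))


def classify_private_key(text):
    """Return a dict with at least "format" and "encrypted" for one key file."""
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in text:
        blob = _pem_body(text, "OPENSSH PRIVATE KEY")
        if not blob.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(MAGIC)
        cipher, off = _read_string(blob, off)     # "none" means no passphrase
        kdf, off = _read_string(blob, off)        # "bcrypt" when encrypted
        kdfopts, off = _read_string(blob, off)
        (nkeys,) = struct.unpack(">I", blob[off:off + 4])
        info = {"format": "openssh-key-v1", "cipher": cipher.decode(),
                "kdf": kdf.decode(), "keys": nkeys, "encrypted": cipher != b"none"}
        if kdf == b"bcrypt":  # kdfoptions = string salt, uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            (info["bcrypt_rounds"],) = struct.unpack(">I", kdfopts[o:o + 4])
        return info
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in text:
        return {"format": "pkcs8", "encrypted": True}
    if "-----BEGIN PRIVATE KEY-----" in text:
        return {"format": "pkcs8", "encrypted": False}
    for label in ("RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY"):
        if f"-----BEGIN {label}-----" in text:
            return {"format": "pem", "encrypted": "Proc-Type: 4,ENCRYPTED" in text}
    raise ValueError("not a recognised private key file")


def unprotected_keys(directory):
    """Paths of private keys under `directory` that have no passphrase."""
    found = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path) or name.endswith(".pub"):
            continue
        try:
            with open(path, encoding="ascii", errors="replace") as fh:
                info = classify_private_key(fh.read())
        except (ValueError, OSError):
            continue  # not a key (known_hosts, config, ...)
        if not info["encrypted"]:
            found.append(path)
    return found


def _wrap_openssh(blob):
    """PEM-style wrapping used by OpenSSH for openssh-key-v1 blobs."""
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed minimal containers: header fields are real, key material is placeholder bytes.
_PUB = _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x00" * 32)
PLAINTEXT_KEY = _wrap_openssh(
    MAGIC + _ssh_string(b"none") + _ssh_string(b"none") + _ssh_string(b"")
    + struct.pack(">I", 1) + _ssh_string(_PUB) + _ssh_string(b"\x00" * 64))
ENCRYPTED_KEY = _wrap_openssh(
    MAGIC + _ssh_string(b"aes256-ctr") + _ssh_string(b"bcrypt")
    + _ssh_string(_ssh_string(b"\x01" * 16) + struct.pack(">I", 16))
    + struct.pack(">I", 1) + _ssh_string(_PUB) + _ssh_string(b"\x00" * 64))
LEGACY_ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
                        "AAAA\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for path in unprotected_keys(os.path.expanduser("~/.ssh")):
        print("no passphrase:", path)
```

The check reads only the container header, never the key material, so it is safe to run over a whole home directory; a key that reports cipher "none" is exactly the one an attacker with a copy of the disk (or a cold-boot RAM image) can use without further work.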

Server-side security is about auditing and making it hard or slow to delete data; machine learning on events may help to prevent attacks that look suspicious by their shape, like a very fast root session, which is always suspicious.
Ideally, disable direct access to the data altogether and use backups. An IDS is a lot of work and has the same issues as antivirus. A read-only OS like OSTree may work, but updates may be hard.

After this talk we moved to the lobby, where we found nice refreshments.
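For the "very fast root session" heuristic, here is an added example of mine, not from the talk: it pairs pam_unix "session opened" and "session closed" lines from a constructed /var/log/secure excerpt, measures how long each root session lasted, and flags the ones that ended within seconds, plus any direct root login over ssh. The log lines, hostname, addresses, the assumed year and the 10-second threshold are all constructed for the example.

```python
"""Flag very short root sessions in PAM session log lines.

Added example, not from the talk. It pairs pam_unix "session opened" and
"session closed" lines for the same process, measures the session length,
and reports root sessions that lasted only seconds, plus direct root logins
over sshd. The log excerpt below is constructed for the example.
"""
import re
from datetime import datetime

# Constructed /var/log/secure excerpt (syslog format, no year in timestamps).
SAMPLE_LOG = """\
Jan 31 09:12:01 dojo sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
Jan 31 09:12:01 dojo sshd[2201]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Jan 31 09:15:00 dojo sshd[2310]: Accepted password for root from 203.0.113.9 port 41022 ssh2
Jan 31 09:15:00 dojo sshd[2310]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 31 09:15:02 dojo sshd[2310]: pam_unix(sshd:session): session closed for user root
Jan 31 09:58:30 dojo sshd[2201]: pam_unix(sshd:session): session closed for user alice
Jan 31 10:01:00 dojo su: pam_unix(su-l:session): session opened for user root by bob(uid=1001)
Jan 31 10:25:13 dojo su: pam_unix(su-l:session): session closed for user root
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"pam_unix\((?P<service>[^:]+):session\): session (?P<event>opened|closed) "
    r"for user (?P<user>\S+)(?: by (?P<by>\S+))?"
)


def _parse_ts(text, year):
    """Syslog timestamps carry no year, so the caller supplies one."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def pair_sessions(log_text, year=2016):
    """Return completed sessions as dicts (user, service, opened_by, seconds)."""
    open_sessions = {}
    sessions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pam_unix session line
        # sshd tags carry a pid; su/login do not, so fall back to service+user.
        key = (m["proc"], m["pid"] or m["service"], m["user"])
        when = _parse_ts(m["ts"], year)
        if m["event"] == "opened":
            open_sessions[key] = {"user": m["user"], "service": m["service"],
                                  "opened_by": m["by"] or "?", "opened": when}
        elif key in open_sessions:
            s = open_sessions.pop(key)
            s["closed"] = when
            s["seconds"] = int((when - s["opened"]).total_seconds())
            sessions.append(s)
    return sessions


def suspicious_root_sessions(sessions, max_seconds=10):
    """Root sessions that ended within max_seconds, or came in directly over sshd."""
    hits = []
    for s in sessions:
        if s["user"] != "root":
            continue
        reasons = []
        if s["seconds"] <= max_seconds:
            reasons.append(f"root session lasted only {s['seconds']}s")
        if s["service"] == "sshd":
            reasons.append("direct root login over ssh")
        if reasons:
            hits.append({**s, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in suspicious_root_sessions(pair_sessions(SAMPLE_LOG)):
        print(hit["opened"], hit["service"], hit["opened_by"], "; ".join(hit["reasons"]))
```

On the constructed log the 24-minute su session by bob passes, while the two-second root login from 203.0.113.9 is reported twice over: too short to be a human, and a direct root login that should not be possible at all with PermitRootLogin disabled. Sessions still open at the end of the log are deliberately not reported, since their length is unknown.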

Descriptions of the talks, and hopefully soon also slides and recordings, are available at:

See also the notes after lunch.