[conspire] Ubuntu 9.04 (re-sending due to previously accidentally sent to Bcc instead of Cc conspire group)
rick at linuxmafia.com
Thu Oct 13 09:10:15 PDT 2011
Quoting Kai (indigo.kai at gmail.com):
> Kai: Ok, I might be jumping in a bit later here, but as a few of you
> know the topic of "Security" has been on my mind these past few
> months. Oh and YES I am back on the Internet and reading my email
Welcome back to the Internet! I know how frustrating that sort of
downtime can be.
> And Yes, ok, ok I gravitated toward Ubuntu.... for now. Back
> to my point.... I found this Ubuntu wiki page and it spoke to me.
Ooh, thanks for that. That's a really good page. I see from a note in
the bottom right that it's maintained by Kees Cook, the Ubuntu package
maintainer who manages the AppArmor profiles for Ubuntu applications.
I strongly recommend anyone with an interest in desktop security read
through the meat of that page, and not just stop with the comparison
table at the top.
Cook does an outstanding job of explaining what AppArmor does, how
programs compiled as Position Independent Executables (PIE) can
benefit from Address Space Layout Randomisation (ASLR) features in the
kernel and Non-eXecutable (NX) memory regions (heap, stack, etc.) that
you don't _want_ to be executable, various kernel hardening measures,
private /proc/$pid/maps memory-mapping information so processes cannot
pry into each other, protection against exploiting of symlink race
conditions in /tmp, and so on.
I'm impressed. They're getting really serious about making user
applications able to resist being monkeyed with by sending them
squirrely PDFs, image files, video files, etc. or other mayhem.
> I might want to add that the old rule of thumb of staying with
> something stable (AKA "LTS"), even if it is 18 months old (10.04 LTS
> 2010-04-29 Lucid Lynx) does not seem such a wise move considering the
> recent eruption of security issues I (and a lot of other people) have
> been experiencing lately.
Honestly, the LTS series are Ubuntu's bid for the 'enterprise' market,
where firms will not talk to you unless you guarantee that you'll
continue to maintain the obsolete application versions you shipped five
years ago. If you're not a stodgy large corporation running a virtual
software museum, there's less point.
> P.S. Yeah, I just realized the CABAL install-fest was last
> Saturday, oops! And the next one is a week from Saturday. See you
> all then.
However, if you wish to drop by this Saturday, give me a call and see if
we'll be in. Might even have time to help you with an installation.
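
An added illustration, not part of the original message or of the Ubuntu wiki page: a check for two of the features named above, PIE and a non-executable stack, read straight from ELF headers. It handles only ELF64 little-endian; the two sample images are constructed header-only byte strings, and treating a missing PT_GNU_STACK entry as unprotected is a conservative assumption.

```python
import struct

ET_EXEC, ET_DYN = 2, 3                    # e_type values
PT_INTERP, PT_GNU_STACK = 3, 0x6474E551   # program header types
PF_X = 0x1                                # "executable" segment flag

def elf_hardening(data: bytes) -> dict:
    """Report PIE and NX-stack status from ELF64 little-endian headers."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    has_interp, stack_flags = False, None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 8 > len(data):
            raise ValueError("truncated program header table")
        p_type, p_flags = struct.unpack_from("<II", data, off)
        if p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_GNU_STACK:
            stack_flags = p_flags
    return {
        # ET_DYN alone also describes shared libraries, so require an
        # interpreter segment as well (static-PIE is not covered here).
        "pie": e_type == ET_DYN and has_interp,
        "nx_stack": stack_flags is not None and not (stack_flags & PF_X),
    }

def sample_elf(e_type, phdrs):
    """Build a constructed, header-only ELF64 image for the demo."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                              64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0)
                    for t, f in phdrs)
    return hdr + body

# Constructed samples: a PIE with RW stack, and a fixed-address binary with RWX stack.
HARDENED = sample_elf(ET_DYN, [(PT_INTERP, 4), (PT_GNU_STACK, 6)])
LEGACY = sample_elf(ET_EXEC, [(PT_INTERP, 4), (PT_GNU_STACK, 7)])

if __name__ == "__main__":
    print("hardened:", elf_hardening(HARDENED))
    print("legacy:  ", elf_hardening(LEGACY))
```

To check a real program, pass the bytes of the file, for example `elf_hardening(open(path, "rb").read())`.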