So hello everyone, welcome again to the Security Devroom. This is Michael Scherer from Red Hat, who will talk about desktop security. Enjoy.

Thank you, thank you. So first, thanks for coming so early in the morning. It's also hard for me, and I'm sorry to say that I have a lot of slides. I speak fast and I have only 20 minutes, so I apologize in advance. I would also like people to not take pictures, or at least not too many. Tell me if you cannot hear me.

So as I said, I'm working at Red Hat. I'm a system administrator in the Open Source and Standards team, which is a team dedicated to upstream community projects. It's mostly community management, but sometimes we also try to fix various things, for example infrastructure, which is exactly my job. That's why I'm a system administrator. And I'm here to speak mostly about desktop security, because in the past I had to handle an infrastructure security problem, and it took me three weeks of my time, and I do not want to do that again. So I'm trying to fix the root cause, which is basically fixing the developer workflow and fixing servers. Today I'm focusing on the developer workflow, so making sure that stuff is secure so I do not have to clean up afterwards. I do still have my Minecraft server to build things for fun and everything.

So yeah, just a quick survey: who here is using Linux on the desktop? Good, perfect.

So let's go back to the basics regarding security. For security concepts there are a lot of papers out there, but one of the ways to define security is to speak about CIA. Not the bad guys in the James Bond movies, but confidentiality, integrity and availability: making sure that your systems are working properly, making sure that the people who can read something are the only people authorized to read it, and making sure that people who are not supposed to modify something are not modifying it. That's the basic principle for security from a theoretical point of view, and we'll go back later to why we need that.
And if you want to achieve these properties, we need to think about who wants to break them. And most of the time there are mostly two types of attackers, which are described in some paper that I forgot to put in my notes, about Mossad or not Mossad. So that's basically either automated low-skill runs, like some kind of worm or brute-force SSH and this kind of stuff, which happens quite a lot. Anybody reading the sshd log because there is nothing on TV will see that a lot of people are trying to attack that. And there is the APT, which is not the Debian packager. I'm working at Red Hat, I'm not trying to attack Debian. It's an advanced persistent threat. It's people that really want to get you and have time, and most of the time money, because time is money and you do not pay hackers to just watch that when there is a lot of stuff to do. And usually that's what people refer to when they say "oh, the NSA is trying to get on your infrastructure" and this kind of stuff, but sometimes it can be anyone else. It can be that admin that you beat at Quake last time, that neighbour that does not like you and wants to get you, and this kind of stuff. You are not always fighting against someone with a lot of money, but most of the time someone with a lot and a lot of time.

So I will just clear up some assumptions on what we want to secure. I will assume that people are running laptops, because a workstation is just a subset of the problem of a laptop. A laptop is just a mobile workstation, and you just add the problem that someone will steal it, someone will be able to resell it.

So first, for security, it should be quite obvious. I'm giving that talk to a lot of people, but we are at FOSDEM. So start by using free software. And it's not to antagonize people not running free software, but if you cannot inspect anything, if you cannot choose what you want, it's quite hard to make sure it's secure. Use supported software. It seems to be also obvious.
But discussing with people, this is not the case. For example, I know that Trello 9 was a better distribution because it was before systemd and PulseAudio, but seriously, stop using it. Recent distros get better stuff. By better, I mean a lot of security improvements. I'm pretty sure that people will be able to talk about that later in the day, so I'm not going to speak about this.

Do not use random repositories. It's pretty nice that you can get random Blender stuff from a PPA, but most of the time people have no idea what they are doing, and you cannot see what they are doing or not. And that's how you get packages that are not updated, or packages with crap software, or anything. If you choose a distribution, you need to check the build system. Some are highly secure, where you build everything in a way separated from the Internet, with auditing and everything, and some of them are just "let's build that on a Windows laptop and update it without checking". So yeah, basically take a mainstream distribution, verify how it works, and you should be fine. Make sure that it's supported.

Then for installation, well, you need to use an encrypted disk. It seems to be obvious, but lots of people do not do that. I would recommend to use LUKS and full disk encryption. Last time I did the presentation, people asked me about VeraCrypt and TrueCrypt. I do not know if they are good or not. I remember there was an audit that was done for TrueCrypt and it seems to be secure. My main problem is that it's not integrated in distributions, so maybe it's not maintained enough, maybe it's not as seamless as it should be. So go back to the part about supported systems.

And so the question is, why do you need that? Well, it's mostly because my laptop is mobile and it's quite easy to steal one. It happened to a friend of mine two days ago, it happened to people in the office, it happened lots of times. And if the disk is not encrypted, most of the time the laptop is just sold on the black market.
And sometimes there is a document on it, like a secret MI6 document. It did happen in the past several times. So you just need to do that to protect from someone stealing your laptop.

So of course it's not perfect. There is what we call a cold boot attack, where people just take your laptop when it's suspended, take out the memory chips, then dump them, and it turns out that the key is somewhere in memory. It's quite hard to do without soldering; this laptop has the memory soldered, so you cannot do that easily, but you can do that on other laptops. There is an attack called Evil Maid, where someone replaces your bootloader with a bootloader that records the password when you type it. This is fully automated with a GitHub project called EvilAbigail. To protect from that, you can use Secure Boot, which will make some free software purists cry, but it's working. It's not integrated in distributions as far as I know, which is a shame. So if you want to make me happy, please integrate that in a distribution. You can start to use the TPM, which is another way to make free software purists cry. Secure Boot is using the TPM. This is used to verify the integrity of the boot and everything like this. I'm not going to speak more because I have only 20 minutes. And there are various anti-Evil-Maid tricks. Matthew Garrett did propose a TPM TOTP something, I think one year ago, where basically each time you boot you get a verification number to verify with your phone to see that no one tampered with your laptop. Usually it's quite easy to carry your laptop everywhere you go, but it's not practical. I do that. It starts to be quite easy. If you want to get something usable you need to have a lot of battery and everything. TPM TOTP is not really easy to use, but that's the kind of stuff that we should integrate.

Then there are fun attacks. For example, did people know that FireWire can be used to dump memory? I guess the answer is no.
On some old MacBooks and likely on Lenovo laptops you can use a tool called Inception. You just plug two laptops together; one pretends to be a FireWire device and just dumps the memory with the key that we were looking for. Despite having lots of MacBooks and unprotected laptops from sales people in the office, I was never able to test, mostly because I was never able to identify what cable I need on Amazon. Which is quite bad, but I'm pretty sure it should be working.

So to protect against all of that there is an alternative approach: bootloader on a USB stick. It's much easier to carry the USB stick with you. It's usually simple, you can put it in your pocket. I mean, I have deep pockets, but not enough to put my laptop there. There is a system with GRUB support for LUKS, so everything is encrypted except GRUB. There are some self-encrypting sticks; they seem to exist on Amazon. I would not recommend that because this is proprietary hardware; I don't know how it works. There are some people who suggest using the fingerprint reader. It's quite easy to copy. If you are fighting against the NSA, Mossad, whatever, I would avoid that. If you want something that works, I would also avoid that. Mine is quite crappy, I need to do it five times, and I'm pretty sure that nobody can fake my fingerprint.

And so that's just for the boot. Something to take a look at is the USB attack. So if you find a random key in the parking lot, do not plug it into your laptop. If someone wants to test something, there is PoisonTap on a Raspberry Pi Zero, which is a nice attack where you plug something into your laptop and it appears as a network device and starts to siphon the whole traffic and attack your browser. It's quite efficient. I have not been able to test on my favourite salesperson because I was not able to finish the setup before leaving for FOSDEM, but I will report next year whether it works and if they decide to fire me for testing on sales. There are all kinds of file system bugs.
I'm pretty sure that people who compiled their own kernel did see that there are like 20 file systems that you never heard of, like the file system for Amiga and everything. You can be pretty sure that there are bugs, and no one is using them, so no one is looking for security bugs, and you do not want to have a security bug in a file system running in the kernel, it's just bad. There are USB stack bugs; basically, again, there is a lot of crap. For that you can use something called USBGuard. This is done by a developer at Red Hat; just look for USBGuard. It prevents auto-mounting of a random device. And I will stop speaking about that, because hardware security as a whole is completely depressing. If people want to, at the Chaos Communication Congress, not last year, the year before, there is a talk by Joanna Rutkowska who explained how everything is completely broken. If you are too happy in life, just watch that and then you will start to become depressed, as depressed as a sysadmin. If you really want, I will recommend it; I am not running it because, well, I am trying to be corporate, so I am running RHEL 7, but maybe next time, for my next laptop, I will try to do that. Someone has to fill the memory of my laptop.

So yeah, let's go back to users and back to the basics. Of course you need to use a strong password. I will not discuss what is strong because people always disagree on that. I just want to remind you to take the human factor into account. If you have a 20-letter password, yeah, that's nice, but maybe it's hard to remember, and sometimes if you are in a hurry, for example you are at a pub and suddenly everything is broken and you need to fix it, and it turns out that you drank too much and you cannot type your password, that's bad. It's not at all what happened to me. Just to make sure, use a password manager. One solution is to not keep your data on the laptop, which is sometimes doable; that's what Chrome OS is doing. Sometimes it's not doable, when you have no Internet connectivity, like when
you are traveling to Belgium. You can use separate users. This is usually cumbersome and annoying, and you are likely to miss something and not use the right user. You can start to use separate computers. I do not have to explain how expensive it is, but if you have one computer to surf on Facebook and one computer to play with your server, it can be done.

Then again, it's quite easy to prevent remote exploits. Obviously, a firewall. That seems to be basic, but again I find a lot of people who say "firewall, I do not want to have one". There are problems with firewalls because they break stuff, but I think we should fix that. So disable what you do not need. Even if you want to just set up some PHP and MySQL stuff, disable it and make sure that nobody can access it. Make sure that whatever you install does not listen on the network. It can be even better to use VMs in the background. You see my other slide that says containers can be a solution; I think I should have removed it. It can be a solution if you have too much free time, but for now it's not mature enough and you need to wait for people to do the integration.

So virus scanners are dangerous. I do not know if you've seen the research from the guy at Google, Tavis, and basically every antivirus is bad. ClamAV, that's a security issue. Most of the time I do not find anything, so maybe it's working for Windows, but I'm not a Windows user, so I will go more against that.

It seems that I had a slide about IPv6 and Shodan. So if you have IPv6 it's quite nice, but you might be scanned immediately by Shodan. It was much more interesting last year when I did the talk because it was new; now it's old stuff, so people do not care. And if you want to know more about how people get attacked, I recommend also the TAO NSA talk from Enigma last year. So TAO is Tailored Access Operations, basically the people giving access to the NSA, also called hackers in the movies, and they explained how they do stuff, what they do, like "we are waiting and we are scanning everything, we have a lot of documentation, more
documentation on your network than you have", which is nice. I mean, they should publish it, it will save me some work. And most of the time the vector of attack, if you look at reports and everything, well, that's basic phishing. We have seen with the DNC leak that phishing can be quite efficient. People say "yeah, you need to enter your password" and everything. Two-factor authentication can prevent that, but not so much, especially when using it with a mobile phone. But I'm not speaking at all about mobile phones, it's completely broken. Obviously, do not open random attachments. Do not do like me: we try to run the viruses under Wine just to see if it works. It's a bad idea, because sometimes it works. What you can do is use a sandbox, the SELinux sandbox for example. I have a co-worker who is using a Tor VM based on Gentoo and everything. He did that in half a day, just because we were starting to say "yeah, you cannot do that fast", he said "OK, I'm going to do it", and he did that in the afternoon. So yeah, SELinux sandbox, Firejail, except that Firejail is broken, so do not do that. I should have updated that slide. Well, not Qubes, because Qubes is too complicated, it's not made for that. It seems to be better, but it's not made especially for that kind of security.

If you are really motivated, you can turn on SELinux on the desktop. Currently on RHEL 7 it confines some processes like Flash, which is a good idea, and not so much more. I would be happy if someone can contribute to that policy. You can also, if you are working in the military, use the MCS policy, where you say "this is top secret and only processes with secret clearance can access it" and this kind of stuff. It's also quite hard to set up, but if the military can, you can too. You can get a confined user, which is what the SELinux guys at Red Hat are doing, and they speak about what they do, like one user that can only... There is still a lot of work to do. You can also wait, wait, wait, look at Flatpak. There is likely some presentation about that. This is basically the
future, and it will likely be confined with something like AppArmor or SELinux.

And then I have a lot of slides about browser security, because the browser is a huge door to your system. So you have to choose between Chrome and Firefox. I tend to prefer Firefox because there is less conflict of interest between my interest as a user and the interest of the company. So remove Flash. Block Java by default if you cannot remove it. Block multimedia content, because multimedia is all kinds of parsers, complicated stuff optimized for performance, so it's better if you do not autoplay. We did see some issues with that in the past. We have a lot of presentations about that specific topic in a few hours. WebGL and direct 3D access, well, basically your browser will access your hardware directly, bypassing the kernel. I hope I do not have to explain why it's bad and why the drivers are likely full of bugs and everything. Same goes for WebRTC; that's asking for trouble from a network point of view. Set a master password for your passwords, again in case someone gets access to your backups. Use stuff like HTTPS Everywhere to protect your password. NoScript, it's a pain in the ass, but I think it's worthwhile. Certificate Patrol, to verify if someone is changing the certificate; most of the time it's just this Starbucks trying to MITM you, sometimes the Chinese government, you cannot really see the difference. If you are really paranoid you can remove all the CAs. And, well, there is Rowhammer.js; I will leave you the surprise for that one, because it's really scary.

I do have a lot of slides on privacy and malvertising and all, the NSA tracking people over the web, putting exploits in advertisements, and it's even better with precise targeting, because you can say "yeah, I want to send that targeted advertisement to those people, to that person right there", so it's so much easier to just send that specific payload to you. So again, stuff like AdBlock, Cookie Monster, and my time is up, so I will just skip fast and say, if
you have any questions, ask them, because I did a lot and a lot and a lot of stuff.

I guess we'll thank Michael for the talk, and I'm sure there's more material here, but I think we also have five minutes for questions. So raise your hand if you want to ask a question and we'll pass around the mic. Anyone?

So you mentioned the firewall. On my laptop I have zero ports open incoming, so how does the firewall help me there?

Well, in case someone decides to open a port for you, the firewall will help. Anybody else that has a question? Any more questions? Do I need to repeat the question? So the question is: I have no open port on my laptop, what will the firewall achieve? And in case something does open a port, the firewall will prevent it from doing anything, like if someone tries to exploit you, it can block it. It's a second line of defence behind the first line, which is being secure enough.

Hello. How do you think you can convince non-technical users to block multimedia content?

I think you can't. My presentation is mostly targeted at the people who will be targeted by that. For regular users, what we need is more containment. There is a problem with the multimedia content: we need to make sure that, for example, the parser is not able to access the Internet and this kind of stuff, but that's something that requires coding, it cannot be done now. So I will be happy if people start to work on that, making sure for example that the thumbnailers in GNOME are confined, making sure that Firefox starts to do stuff in separate processes without anything, like Chrome is doing. But in the meantime I want to get something that people can do now, and for stuff that can be done later, well, it can be done later. But yeah, and I forgot: the question was how do we convince regular non-technical users to block multimedia content.

More questions?

Hello. In one of the slides that you put after your speech I saw a YubiKey. Do you recommend YubiKeys?
So I would recommend a YubiKey to store SSH keys. You cannot see from here, but I do have one, just to store my SSH key. If someone attacks my laptop, they will be able to use the YubiKey while I'm connected, but they cannot steal it and use it for something else later. I do not especially recommend YubiKey versus other stuff; it's just that I got a YubiKey because it's on Amazon and I could not get my hands on a Nitrokey or a regular smart card. But it's mostly, yeah, I would recommend it, and it also does Universal 2nd Factor, which is quite interesting, because if you turn on two-factor you suddenly have a thousand lines in your application on your phone, and one, phones are bad, and secondly, a thousand lines is not a proper UX. Using a YubiKey and U2F you can get something workable, in my opinion.

So if people want to contact me, do not use it, because I do not use that. You can use misc@redhat.com, or you can find me on IRC. This idea that blue and black was a good idea... So you can find me on Freenode or anything; you can ping me after FOSDEM if possible.

And if anybody has any question, one last one, one minute more for one last question, if anyone... And people can also ask me later outside. misc@redhat.com, or for example on Freenode, on OFTC and other stuff, so you can just look for misc on your favourite IRC network, or by mail. OK, let's thank Michael for
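The talk's advice to disable what you do not need and to make sure nothing you install listens on the network is easy to check from a shell. The following is an added example, not part of the talk or its slides: a POSIX shell function that reads `ss -Hltn` style output (one line per listening TCP socket, local address in the fourth column) and reports the listeners bound to something other than a loopback address. The input below is constructed sample output, not captured from a real machine; the function and variable names are this example's own.

```sh
#!/bin/sh
# Added example: flag TCP listeners that are reachable from the network.
# Reads `ss -Hltn` style lines on stdin: State Recv-Q Send-Q Local:Port Peer:Port

flag_nonlocal_listeners() {
    awk '
    {
        addr = $4
        sub(/:[^:]*$/, "", addr)   # strip the trailing :port, keep the address
        # Loopback bindings (127.0.0.0/8, ::1) are fine; skip them.
        if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
        print $4                   # anything else listens on a real interface
    }'
}

# Constructed sample: what `ss -Hltn` might show on a developer laptop.
# 3306 and 631 are loopback-only; 22, 80 and 8080 are exposed.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 128 [::1]:631 [::]:*
LISTEN 0 128 [::]:8080 [::]:*'

# Number of exposed listeners in the given ss output (used for checks).
count_nonlocal_listeners() {
    printf '%s\n' "$1" | flag_nonlocal_listeners | wc -l | tr -d ' '
}

# On a real machine, replace the sample with:  ss -Hltn | flag_nonlocal_listeners
printf '%s\n' "$SAMPLE_SS" | flag_nonlocal_listeners
```

Anything the function prints is a service to either stop, bind to 127.0.0.1, or explicitly allow through the firewall; the firewall then remains the second line of defence the speaker describes, for the day a package opens a port you did not expect.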