Monthly Archives: February 2016

12790991_10156512645755332_873019802070272500_n

Live from RSA Conference 2016

This week I am in San Francisco recording a special radio show for TheStack.com and Red Hat called "Locked Down" I will be talking to the brightest and the best at RSA, expect to see a variety of shows going live over the week, discussing everything about the growing technologies, emerging products and the challenges that we are facing in security.

How do I get the show ?

If you have an iOS device simply subscribe via the Apple Podcast client on iOS available from the Apple store (or via Overcast or your podcast client of choice), simply search for "Locked Down" once installed. Stitcher Internet Radio App also is carrying the show.  SoundCloud is also carrying the stream.

If you have an Android device install Player.FM or BeyondPod and again search on "Locked Down" and subscribe. Stitcher Internet Radio App just like Player.FM and BeyondPod carries the show - all installable from the Google Play store. You can also listen in via SoundCloud.

If you are in a browser you can listen to all the shows as they appear using Player.FM directly by bookmarking and clicking http://bit.ly/1KWVVaB directly via your desktop, or via Stitcher http://stitcher.com/s?fid=84147&refid=stpr in Safari, Firefox or on any Mac or Windows browser. Stitcher doesn't always play well with Chrome, if you're a Chrome browser user click the Player FM link.

You can listen to episode 1 here in this post or visit SoundCloud's stream 

I land back in Britain jetlagged, wake up from a brief sleep to find the news flooding my phone's news feed that the Linux distro, LinuxMint, had a bad day at the office. ISO images with backdoors and forum / website rooted and modified with some data potentially stolen.

The thing with LinuxMint is that it's a great project with high user figures, easy to run, it's the goto Linux for the user fed up with Windows and even I have a couple of Mint laptops. However, it's never been "security first and foremost" in the minds of the tiny release crew.

This post isn't going to attack the team behind Mint. Mint is a great project, it's default build does a lot of things right that other distros get wrong. In the default install it allows you to use whole of disk encryption and it also allows you to wipe the target disk and encrypt the user home directory which other distros do not by default. Thats a huge win for users. It's only let down by the default state of the build not defaulting to secure itself down using UFW or basic hardening out the box and a better state of repository awareness to ensure that a better security patching infrastructure isn't utilised. Anybody installing Mint who has a clue needs to spend 45 minutes post build tying it down, once achieved your workstation is pretty damn tight with one exception. That exception is underlying assured trust.

The packages for LinuxMint and other Ubuntu derived projects uses so much bleeding edge and community derived not sanitised code that it is very much a suck it and see approach, e.g you wouldn't deploy Mint in a commercial or workplace environment or anywhere where total data security was an issue. It's a lot more secure than Windows 10 so lets set that straight before we jump into the reasons why you shouldn't be using Mint now on an ongoing basis.

Mint, like many Linux distros before it is built on love. It's maintainer is an amazing guy who has put heart and soul into his project and worked miracles to get regular releases out the door. It's regularly hailed by my friend Stephen J Vaughn Nicholls as a great distribution. A great distribution for hobbyists. You can't compare say Fedora and Mint. Fedora is built on engineering and built by major engineering teams in the OSS community meeting at conferences worldwide (but still built on a tiny shoestring budget and goodwill). Mint relies on Ubuntu but ignores some of the basic security doctrines that Ubuntu has built in (e.g root user hardening) and also ignores some of the upstream patching conventions too.  Makes zero sense, but thats where we're at and you'd think in 2016 there would be more common sense approach to understanding user / sudo segregation and risk avoidance.

The issue with the rooting of the website was just daft. Reading the timeline on the website it looks to have been "handled quickly" and in good order but the damage to reputation may now already have been done. As a community project you never utterly control community gifted mirrors but you should have better controls over your portal and your storage of user data.

Already the finger pointing has started. I'm not sure it helps. One thing is for sure this is a bad day at the office for a project that has given a lot of home Linux users a first taste of Linux.  Mint is not a company with infinite resources and engineers, they're trying their best and marching on goodwill. Now is not the time to tar and feather now is the time to just nod your head and realise that it was a bad day at the office but it was a long time in the making.

Nothing wrong with being a hobbyist, thats where so much goodness in the community is derived.

If you want a Cinnamon flavoured workstation, install Fedora, install Fedy post install then install Cinnamon from the command line. Done. Secure and ready to go to work.

Heading back to The Moscone Center in San Francisco in just over ten days to record a series of radio shows with some of the leading lights in the security industry. Thanks to Emily and Julie in the Press and PR office at RSA for laying the groundworks.

I will be posting a feed location and other information on each episode here and on Twitter.

Planning 12 shows but we will see what we can get.