No Speaker: (Music)
DW: Welcome to the Ubuntu UK podcast. You're greeted by me Daviey
TW: I'm Tony
AP: I'm Alan
CD: ...and I'm Ciemon
DW: This show brings us...
AP: An interview with Ian Ozsvald from http://www.showmedo.com
DW: Graham Bleach from Hants. LUG
AP: ...and Mark Shuttleworth
TW: OK, my body clock is telling me it's three in the morning. What a perfect time to do a podcast, let's get on with it.
No Speaker: (Music)
CD: We've spoken about screencasts previously and for this podcast we've got Ian Ozsvald from http://www.showmedo.com
IO: Yes, Thanks for having me along
CD: Tell me about http://www.showmedo.com. What is it all about?
IO: So, http://www.showmedo.com is an educational video site. You can think of us as YouTube for education. We show screen-casts, we only show screen-casts, no granny falls off a log videos.
No Speaker: (Laughter)
IO: The whole point of the site is that we realised that we really enjoyed teaching people, my partner and I, Kyran, how to use software, but you have to have us in the room to show you how to use the software. We figured that if there was a video site which showed you how to use software, we could teach people around the world. There wasn't one, so we set about building it and that became http://www.showmedo.com 2½ years ago.
AP: Fantastic! Being you are on Ubuntu podcast, we assume, you have Ubuntu videos on there.
IO: Yep, we've got over 500 screen-casts on the site, around fifty of those are to do with Linux. The majority show Ubuntu in action. A couple recently, show some other derivation of Linux. But, for the most part we got videos showing how to use applications like, Open Office, Inkscape and programming languages like Python, inside Ubuntu. So we've got authors there contributing these various topics and showing Ubuntu in action.
AP: Excellent, and what do I need if I want to go to the site and view them? Do I need to sign up or anything like that?
IO: No, no, you can just turn up to the site cold, from Google, and as long as you've got a Flash player installed so you can watch videos on any other video site on the web, then you'll be able to watch our videos as well and they'll just stream straight down.
AP: At the moment you have to use the Adobe...
IO: Yes, you need the Ubuntu Flash Plugin. The Gnash one conflicts with the video player we use, so we can't use that at the moment.
AP: But they're working on that I understand
IO: Yes, yes, I understand that there are improvements being made there. For users that don't like that, you can also download the videos and watch them off line.
AP: What format do they come down in?
IO: The videos, when you download them, they come down as Flash video, with .flv ending. You can watch that with video <unknown> or MPlayer or any of the standard media players on Ubuntu.
TW: There's 500 videos on the site. Have you and your partner created them all?
IO: Oh no! I've created almost 100 of them in the 2½ years we've been going. But, 400 have been contributed by 70 authors. They're all open source authors, people who have knowledge and like to share it. Then they found us, then they realised they could demonstrate their skills to a worldwide audience and so they put aside their time, made the videos. Then we just help teach people how to use software.
TW: How do they make the videos?
IO: You can use Open Source screencasting software. All you need is a microphone, and half our authors use the built in mic on their laptops. Anyone who's got a microphone built in to their laptop, with some Open Source software like RecordMyDesktop, and we've videos showing you how to use that on Ubuntu, can sit back and in the space of a couple of hours start making screen-casts. It's interesting, we've grown this huge audience and we've never actively advertised. I've tried a little dabble with Google Adsense. But aside from that it's just word of mouth. Our videos are good, people talk about them and we get a large audience.
AP: What are the ones people clamor for and ask you for?
IO: It's a lot of beginner videos, How do I start using 'X'. Out of all the topics we've covered, it's the beginner videos. How do I start writing my first GUI application. How do I install the software and then write my first 'Hello World' GUI tool. Certainly on the Ubuntu ones, how do I use Open Office to write a letter, to configure printing and to configure the letter.
CD: Are you looking at coordinating the content you're providing. Aiming at specific areas, specific bits of software. Or is it just people thinking I'd like to make on IRCSI, the IRC client. Going after anything specific or people make their videos and put them on and that's it.
IO: People make the videos in their own time for free. They're giving back to the community and so we encourage our authors to just make videos on the topics that they enjoy and they know the most about, and they want to share with the world. We don't ask anyone to actively focus on certain topics. If you know something and you want to share it, and certainly if you've taught other people that topic before, that's a fantastic area for you to make screen-casts in.
DW: I provide a video file with sound. How do I get that to you?
IO: You login to http://www.showmedo.com and then you get a tab for My Page. It's very much like YouTube. You go into My Page and you can Add Video and then in there, you add some detail. You can add a title, a couple of paragraphs description, some tags. Upload the video file, takes maybe half an hour to upload and then our servers process it. Then it's ready half an hour later. One thing to add, unlike YouTube and other video sites. We preview all the material that comes through. We're incredibly careful that we only want educational material so people can trust in us, and we're not an unfiltered video site. Everything comes in. We get notified and then within 24 hours we'll have seen the video and then given any feedback, if necessary. For the most part videos come in, we look at them. We're hugely impressed and we publish them.
TW: If you have all this bandwidth usage. All these people viewing the site and viewing the videos. How do you pay for all that?
IO: It comes out of our own pocket. Starting a video based start-up is an easy proposition if you think about what you're trying to deliver. We run this out of our own investment. Then before Christmas we decided to build up the showmedo club. The club is a subscription based club, it's a bit like subscribing to a magazine. There, rather than produce videos, in an ad-hoc manner, on topics that we thought were interesting. We instead decided to focus on a very clear and focused series about ½ hour in length each. Starting with Python. Teaching beginners how to program with Python. It's a club containing all the material you'll need over time to learn the language. Once we've established that club, and it's growing very nicely at the moment. We're going to spread out in to other areas. I'd imagine that Ubuntu would come into the club, because that's a large open source area we'd love to support.
TW: What is it, specifically, about educational videos that attracted you to start working on this project? Have you done anything in the educational field before?
IO: Both Kyran and I are long term academics, Kyran much more than me. We are driven by learning, we love to learn and we love to share what we've learned. We know when you pick up a book, you often don't know if what you're reading about will solve your problems. Certainly with computer manuals. But if you can see a video showing you how something works, you can look at it and you can pay half-attention first of all, watching what's happening, and you see your problem has been solved, you can go back and watch it again. Because you know this is exactly what you need to solve your own problem. Video is a very efficient medium for getting across the message. Not only that you can do this, but here are exactly all of the steps you need. Even if a new version of the GUI comes out and the menus are in a different place, you can still follow the gist of the video. Much more so than when a book goes out of date.
TW: That's quite a good point. Because things like screen-casts do get out of date when the next version or distribution comes out. The artwork changes, the menu locations. Although some people will be able to follow through and sort of guess. There'll be equally another set of people that will be totally thrown by a different menu structure. It's a lot of maintenance to keep those screencasts up to date. Is that something the community shoulders or do you try to keep on top of that?
IO: At the moment, because we're 2½ years old most of the content. Almost all of the content is up to date. I've found some of my earliest videos, I've now depreciated them. They're in the site but marked as being depreciated. I would say 5 out of 500 videos are depreciated at the moment. So I'm not worried about material going out of date. As the content grows that will become an increasing problem, that's much more for the future. That'll be a nice problem to have.
<: Are all of your videos in English?
IO: Interesting question. When we started we assumed everything would be in English. It didn't take us very long to find a couple of European authors. One in Belgium and one in Germany. They both wanted to produce content in their home languages. Which in both cases were German. So we have a mostly English content base. With some German videos and then just recently via a European school we've got Russian and Chinese. I think Spanish video is coming as well. But certainly Russian and Chinese at the moment.
<: Does that mean you're going to have to, or if you already have, internationalise the showmedo interface as well?
IO: We're Unicoded, but the main language is English throughout the site. But descriptions and titles are in home language.
<: Related to that, there's also the topic of subtitles. Do you include those or have you considered including them?
IO: We have considered including them. We had a problem with the player. A technical issue when we first looked at the problem. So we chose not to worry about encoding subtitles. For our foreign language videos, our authors typically hard code English subtitles. So you can read the English subtitles while listening to the foreign voice.
<: When you say hard code, it's on the video itself
IO: It's part of the video stream
TW: OK. In your wildest dreams, what do you see showmedo becoming in the future.
IO: Becoming a huge educational resource that everybody can call upon. We'd love to have stacks and stacks of free content. We'd love to go beyond video as well. We've even talked about having interactive education sessions. Almost classrooms on-line. Teach people around the world. If we have the support that we need to grow your side of the business to work at it full time. Then we can keep growing the free side of the business.
AP: So where can people get more information?
IO: Come to http://www.showmedo.com. There's a resources menu on the navigation bar. You can find out the author's discussion forum and the learner's discussion forum. You can come there to talk to us and if you log into the site then you'll be on the mailing list and you'll hear from me every month. We'd just love you to come and get involved. Have a look at the videos, realise how easy it is to make screencasts yourself. Then have a go at making your own and contributing back to the community.
AP: Great stuff
No Speaker: (Music)
AP: We've been given some prizes to give away on the show
DW: Have we?
AP: Yeeeeesss
DW: What have we been given
AP: We've been given some tokens from the Canonical online store
CD: Cool
CD: There's some good stuff in there. How are we going to get rid of these tokens?
AP: We figured we'd have a trivia question and then in two weeks time, when we record the next episode. Which will be the 3rd of May and pick a winner
TW: ...from the hat
AP: In fact, we'll ask Mark Shuttleworth to pick the winner for us.
TW: Wow!
AP: We'll email the voucher to the winner.
TW: Excellent! So, Canonical employees and those of us sitting in this room, recording the podcast, sadly can't enter as that wouldn't be fair. Anyone else can enter, anyone else listening to the show can enter. The way they enter is, I'll read out a question, in a minute and you send your answer to competion@ubuntu-uk.org that's competion@ubuntu-uk.org and it needs to get here before the 3rd of May.
DW: A link to that will be in the show notes.
TW: Cool! So, what's the question?
AP: The question is; What's the name of free software only official derivative of Ubuntu? What is the name of free software only official derivative of Ubuntu?
TW: Good luck everybody
No Speaker: (Music)
DW: Now last week we mentioned a certain <unknown> competition which happened where Ubuntu appeared to come out on top. Following that we had Graham Bleach contact us, so I've got Graham here who wants to talk about Linux malware. Hello Graham.
GB: Hi. I was interested in the segment and I thought that there had been a lot of interesting publicity coming out of that competition. Where there were basically three laptops, which were available for people to try and break into and at the end of the three day competition only the Ubuntu one hadn't been hacked. I thought it was quite interesting, because a lot of people. Mentioning no names, Popey! Seemed to be forming the impression that Linux was more secure than the other OSs and I don't necessarily think that's the case.
AP: Why's that then?
GB: What you've got to remember is, it's a hacking competition where people try to win some money in return for showing a zero day exploit. The interesting thing about it, the Mac machine went down first due to a bug in Safari. Secondly the Windows machine went down due to a bug in Flash. On the first day it had to be a remote vulnerability. On the second day of the competition they were allowed to actually navigate the browser to a web site they'd crafted, which exploited the browser. On the third day they were allowed to install common applications, such as Flash for example. The interesting thing was that Vista did very well, I thought, in the competition. Because it was only when they installed some Adobe software on it, they could actually compromise it. I was thinking that perhaps, if you installed some common applications Linux would be just as vulnerable as the other OSs.
TW: Why was that not the case. Why did people go for the Mac and the Vista box over the Ubuntu box even when they had the opportunity to install all those things.
GB: The frustrating thing is we don't really know and this is why it's not really telling us much about the security of the platforms. We don't know how many people had a go at the Ubuntu laptop and what sort of security backgrounds they had. It doesn't really tell us anything is what I'm saying.
TW: But isn't system security always a case of not being totally uncrackable, nothing is totally uncrackable. It's just a case of being tougher than the other people. So people go after the easier targets. Which is usually the Windows PC or whatever.
GB: Yeah that's fair enough. The point I've been trying to make is that people in the Linux and Unix communities do seem to have an attitude that something about the platform makes us more secure. We don't have to worry about viruses is what I hear people say all the time. There are Linux viruses in the world. They're just not very common.
DW: Are you saying the community could potentially be getting a false sense of security over this. If that's the case, how can we avoid this?
GB: We are lulling ourselves into a bit of a false sense of security, yes. How many of us would consider running a Windows box without a virus scanner. But, how many of us would consider running a Linux box without a virus scanner and I think many more of us would be happy running say Ubuntu with no virus scanner. I know I do it, myself and I know many other people do it. We wouldn't do the same thing with a Windows box.
AP: What should we be doing with our Linux machines to make them as secure as... This sounds wrong... But as secure as a Windows Machine that has all the relevant patches, the antivirus and the firewall, and the malware detection and that kind of stuff
GB: At the moment we're in a situation where most Linux users. Most users of, for example, Ubuntu, Debian and things like that. They're fairly cautious people anyway and they tend to be highly skilled. But, these days you're attracting a different user profile on to the platform. I think any increase in popularity and any increase in the number of less experienced users will make Ubuntu, or Linux in general, a more attractive target. One of the things you might consider doing is in the way Ubuntu ships with automatic updates turned on, virus scanning should be integrated into your email client and the updates for virus scanning turned on by default.
AP: A lot of people that migrate from Windows to Linux, one of the first questions they ask is where do I get the anti-virus software. Because it's drummed in to them, that on Windows, you absolutely need an anti-virus product.
GB: One thing I'm particularly pleased to see with the new Ubuntu Hardy release. They are actually shipping a firewall. I think it's great. Because previously there was an ethos going around the community it wasn't required because there wasn't any services switched on by default.
AP: There's nothing listening, nothing opening connections.
GB: Of course there is outbound stuff happening. I'm quite pleased to see the new distribution, the long term release as well, is going to have a firewall built in.
AP: Arguably it's always had a firewall, because iptables is part of the Linux kernel.
AP: It's just a case of configuring it.
TW: Is this just a new GUI for configuring the file?
AP: Actually it's not a GUI, it's command line. It's called uncomplicated firewall.
GB: I think one of the things there is, are they going to deal with the problem of, I installed my Skype and it doesn't work, in a sensible way. That sort of usability problem that just leads to people turning the thing off.
AP: Which is exactly what Windows users do. Although a lot of the Mickey Mouse desktop software firewalls that people use have Skype is trying to make a call, would you like to allow this and allow it permanently and just go yes! and that's it.
TW: The difficulty is, people then get in to the habit of saying yes to anything that pops up because if they say no and it doesn't work, they're put off saying no to things in the future.
AP: Absolutely. When an email client spawns a nasty child process and then, when the firewall pops up and says your email is trying to contact, they'll let it through.
<: Yeah, Sure.
AP: Then are we going to get to that same point with Ubuntu. If we add these protection measures, like anti-virus and a graphic firewall. Aren't we just going to lead our users down the same path of, just ticking yes.
TW: This is the same sort of thing that Fedora users have had with SELinux. In that, it's designed to restrict what applications can do. Whether they can open ports, what they can address, what devices they can use. Things like that. But, because it was so complex in the past to get it up and running. One of the most frequently asked questions about Fedora was, how do you turn SELinux off?
DW: (Laughter)
TW: Now AppArmor is in Ubuntu, and I think it's on by default. Things like that seem very appropriate tools for stopping things like malware on Linux if it was to propagate. But because they are so complex to manage, people will just turn them off or ignore them and live with the risk.
<: What is the risk? This is one of the things that is always spoken about in these discussions. If as a user on my Linux system I get a virus and get infected. So what. I've just infected that one user. Delete the user, make a new user, carry on.
AP: What's the most important thing on your computer?
AP: Your data, in your home directory and you have rights to change that. Therefore any program you run has rights to change and corrupt and delete it. Whilst you may well get to a situation where you install something or you run something that can't propagate itself because it can't install itself as a service and run itself over and over again every time you boot the machine up. It can completely hose all of your data, or pick up all of your passwords from your instant messenger and email them out to someone else.
TW: The most important thing on my system is my data. It's my photographs, my documents, whatever. Obviously I'm a sensible user and I run backups. If my system was compromised, half an hour with an Ubuntu CD I can have a base install back up. Another perhaps installing a few additional applications on there. Getting my photographs back if I've not backed those up is impossible.
CD: What about wider reaching things. Viruses that are going to try and do system level damage. Obviously you need root permissions to do that.
AP: No, you don't really because you can elevate with tools like sudo.
GB: It's trying to get out of people's way when they're doing administrative tasks. So they have, say 30 minutes or 15 minutes of potential to use sudo to escalate your privileges. If I were, theoretically, to try and write some malware to target Linux users. The first thing I'd try is run something through sudo to see if I could.
GB: ...and schedule it to run every fifteen minutes as a user-based cron job
GB: Just loop in the background and wait until the sudo privileges are available.
AP: Obviously for listeners that don't know, we've just babbled on about sudo. In Ubuntu when you go to System Administration, anything under that menu requires administrative access. So that invokes sudo, which escalates your privileges and there are other commands you can run using sudo. There's no way for you to press a button in Gnome or Ubuntu to say kill my sudo privileges, I no longer want that time span. But you could create a shortcut.
TW: If listeners are aware of a way of doing that.
AP: Email in. If we're all completely wrong, especially Graham.
CD: OK we've spoken about most things. What about untrusted software. I've just downloaded a rather nice program for downloading GPS software, but it's from an untrusted source. Should I be worried, what should I be worried about with untrusted packages.
AP: Define trusted.
DW: If you've got the GPG key Apt won't moan and as far as you're concerned it's a trusted source.
GB: Do we actually believe that the Ubuntu and Debian developers are auditing the source code to make sure there's nothing dodgy in there. I don't believe that. What the GPG key tells us is that the package matches what was uploaded by the developer. It doesn't really tell us whether the software is safe or not.
TW: Isn't that the developer's job. Can developers, reasonably, be expected to audit code for security.
TW: It does happen. Apache and SSH and things like that. They do quite tight security code audits. There's probably 100 applications, for every one that is heavily audited that isn't, and developers just take the source code from the original site, package it up, tweak it for the Debian packaging guidelines and off they go.
GB: I think it's a bit unreasonable to expect a Debian developer or the Master of the Universe for the Ubuntu Universe repository. For them to actually know the software inside out to see security issues.
GB: We know that people have, for example tried to introduce a back-door into the Linux Kernel. There was the famous case a while ago where TCP wrappers was compromised for several months. They simply installed a back door and watched as people downloaded it.
CD: So, if we've got your security heads on, then really, we can't trust anything. So, how do we keep a check on your systems, how do we watch to make sure something untoward isn't going on. What can I do to make sure my system isn't emailing passwords and things back out to somebody on the other side of my firewall.
AP: Part of that would be having a decent firewall
DW: Outbound as well, checking, as most people do NAT as a firewall and that's checking inbound only
TW: It's who you trust. I have to trust Canonical and the Ubuntu teams, that they do a good job of packaging the core applications. I have to trust that Linus and his team can develop the kernel properly. I have to trust the OpenSSH team that they do a good job. I'm not a programmer. I couldn't start to sit down and look at the source code for all these applications let alone understand what the implications of every single line and every single function might be. To say yes this is written in a reasonably sane way. No matter how good they are there is always going to be security vulnerabilities. You've just got to put your faith in certain groups and certain bodies, in certain organisations and just say I'm going to trust you with the security of my system. The question you've got to ask as a user, I think, is do you trust Canonical and those people over, say Microsoft or Apple.
DW: Launchpad now makes it really easy for you to package and actually have your own repository on Launchpad and it's called PPAs. Which is Personal Package Archive. I think we've talked about them before. I'm actually quite surprised we haven't had more problems with malicious software going into them. The thing is I could package something up which could potentially have something harmful in there. I'm surprised we haven't had more problems with that.
AP: Maybe as the platform becomes more popular, it will. As Graham says. Part of the reason this isn't happening is we don't have the mass of people using it.
CD: It's safe to assume that we shouldn't be complacent, just because you're running Linux it's secure. I know there are loads of experts out there and I really hope we get stacks of feedback about this. I'd like to see what people are doing to secure their systems. Let us know.
No Speaker: (Music)
<: I’ve been away for a couple of weeks and I’ve not been on the internet very much, I’ve missed all the news. What’s been going on?
<: Red Hat have pulled out of the desktop Linux market
<: Again?
<: Did they ever actually enter it?
<: What’s all this mean for Fedora?
<: Who cares
<: <Unknown> have announced, that in the enterprise version there’s going to be some proprietary components that won’t be in the community edition.
<: That’s Sun getting open source again then.
<: So are Sun evil
No Speaker: (Music)
<: There’s a new feature on the Hardy CD, that’s recently been introduced. It allows you to install free software only desktop.
<: Isn’t that what Gubuntu does?
<: Yes, but it’s not as free as Gubuntu
<: It’s only a bit free.
<: So, are you telling me I get the normal Ubuntu desktop, the only difference is I can’t use my wireless.
<: Related to that. On the Gubuntu development mailing list, there’s currently a lengthy, kicked off by Mark Shuttleworth, of rethinking Gubuntu and its relationship with the community and its relationship with the GNU sense distribution.
<: Does it have a relationship with the community.
No Speaker: (Music)
<: Ubuntu 8.04 Long Term Support, is being released on Thursday 24th April
<: On the same day as the Hardy release, there’s a Hardy release party. There’s one in London at De Hems in Soho.
<: From the 16th May for a week there are two events, Fosscon followed by the Ubuntu development summit
<: Where is that?
<: Prague
<: There’s also Ubuntu Live coming up on July 21-22 at the Oregon Convention Center in Portland Oregon America
No Speaker: (Music)
<: We have Mark Shuttleworth on the line. Hello Mark
MS: Hi there, how are you guys
<: Not bad at all. We want to get you on to have a little chat about Ubuntu in the UK. We want to ask you a few questions. We’ve got a new release coming up, Hardy.
<: Which I’m sure he actually knows about.
<: I think Mark’s aware of that. How are things going from your side of the fence