On Wed, Mar 04, 2020 at 11:38:40AM +0000, Ottavio Caruso wrote:
> On Wed, 4 Mar 2020 at 01:06, <whistlez...@riseup.net> wrote:
> >
> > Hi,
> > in the following message:
> > https://marc.info/?l=openbsd-misc&m=158110613210895&w=2
> > Theo discourages using unveil instead of chroot.
> > I asked if he suggests the same for the browser but he asked that chroot
>
> Probably not what you were looking for but, back in the days when I
> was ultra paranoid about my web browsing, I used to use stripped-down
> live USB installations of Linux distros (DSL was one of them that I
> remember). I don't know if OpenBSD comes with such a solution out of the
> box, but I'm sure it wouldn't be difficult to make your own read-only
> install. Then, you could either reboot from it or run it through an
> emulator.
>
My opinion is that in the last 10 years the world of hacker groups has deeply changed. Defacements or big worms that do big damage are not in fashion anymore. Today the hacker groups just want to be as hidden as they can. So today the biggest problems are UEFI/BIOS malware: using a read-only live CD or USB doesn't stop someone from infecting your firmware, and when you reboot your machine you are hacked. Maybe with a hypervisor that can isolate processes and kernels the job is harder.

One of the biggest criticisms I make of OpenBSD is that everyone's processes are visible to everyone. So if you use multiple accounts for multiple applications, you don't stop an infected process from seeing whether you run a browser, an IRC session, and maybe what network you are connected to, whether you opened a PDF, whether you used vim for code and what code, and so on. And last but first in importance: whether you are sniffing your traffic to search for a covert channel. If my browser is infected with malware, the first thing I do is try to sniff the traffic to detect strange destinations, but if the infected process can see that I'm running a sniffer, all my investigations are absolutely useless.

If a very skilled hacker exploits your browser, gets root and infects your UEFI, you must trash your laptop. And that's of course only if you discover it, because if someone infects your UEFI most probably you will never know it!