Andrew Lewman wrote:
> On 01/29/2010 08:20 PM, 7v5w7go9ub0o wrote:
>> As we slowly transition to web 2.0, probably the next step is
>> putting the TOR browser in a VM full of bogus, randomized
>> userid/sysid/network information - carefully firewalled to allow
>> TOR access only (TOR would be running somewhere outside the browser
>> VM).
>
> Already working on that, https://www.torproject.org/torvm/ or pick a
> live cd with tor integrated into it.
>
Good to see these projects being developed. IIUC, the TORVM is a tor client; so the TORVM is designed for easy installation, and perhaps to contain any exploit of TOR!?

Guess I was thinking of a different approach: putting Firefox in a VM and just letting it go ahead and get crazy with flash, JS, cookies (.. I have tired of tweaking NoScript, RequestPolicy, and CS Lite all the time.....).

TOR is running in a chroot jail on the "regular" OS, connected by network. JS/Flash will presumably look for unique or geographic information within the VM and will get only bogus stuff which is cleaned and randomized every few minutes, along with cookies and caches. DNS is "unbound", elsewhere on the internal network, and has protection against many of the "DNS tricks". FWICT the obtainable network information all reflects the virtual Ethernet.

Any "infections" would be temporary, as the VM is set to make temporary changes only; am using VNC to control it and to transfer any permanent data back and forth between it and the "regular" OS.

I suspect others have similar approaches under way!?

It would be nice to have a list somewhere of all of the "compromising" files and data available to flash/silverlight/JS - by OS - so that those running VMs know what to randomize (I presume Linux would be easier to contain than Windows).