Re: [qubes-users] Qubes VM compromised? - Follow up
On Saturday, August 27, 2016 at 2:49:52 PM UTC, johny...@sigaint.org wrote:
> >> Whether using an "isolating proxy" (multiple machines) or not, using a white-listing proxy like Corridor can help ensure all of your traffic passes through Tor (Entry Guard, at least).
> >>
> >
> > That's right. Also, using Firefox with those extensions is *not* the same as using Tor Browser:
>
> Understood. I do take a few more precautions (with iptables, bridges, etc.) but Torbrowser certainly does take care of a lot of important things for you.
>
> > https://www.torproject.org/projects/torbrowser/design/
>
> Wow, that's a great resource, thanks!
>
> I think I still prefer to "roll my own" versus using TBB. (And that link is great for tips on doing that.)
>
> There are four (probably reasonable and legitimate) things about TBB (and Tails) that are red flags to my overly-paranoid mind:
>
> 1) Not a problem in Tails (being a bit "read-only"), but the normal Torbrowser Bundle is very stubborn about doing an update check every time it starts. I understand the reasoning behind it, keeping up with 0days as they're discovered, and at least one exploit in the past would have been avoided by anybody who stayed updated.
>
> Sure, notify me, but forcing that "phone home" on every start is a bit too much like MS-style tracking to me.
>
> I could be wrong (I often am), but even turning off the update check in settings didn't seem to work for me. Although I might have screwed up somehow or it might have been an artifact of non-persistence in an AppVM. Having that update check/download on by default, I don't like.
>
> Finding the actual tor browser binary to launch is a major pain. It almost seems intentionally hidden. :)
>
> 2) JavaScript on by default. I understand the convenience for the general public, but TBB isn't really for the general public but the security-conscious. And the security-conscious shouldn't turn on JS unless necessary. (And with Qubes, one can keep their JS-dependent sites to a separate VM, whoohoo!)
>
> In Tails, having JS on plus automatically loading the Tails home page (which could be subverted by someone with CA ability) is a bit of a risk, IMO. To avoid having a JS-enabled load of the Tails home page, you have to start it without networking, disable things, then enable networking. Blah.
>
> 3) Default search engine set to Disconnect.me. And disconnect.me seems to do nothing but redirect your search to duckduckgo. Why are they even in the loop then? Supposedly they financially support the tor project. So a company founded by a former NSA person paid money to be able to capture all the searches that are eventually done by DDG in TBB/Tails. Oky...
>
> Whenever I do launch Torbrowser, the first two things I do are disable global javascript, and change the default search provider.
>
> 4) It's not really fair to include this one, as I have nothing to back it up with, but I remember something in the past that made me a bit uneasy about Torbutton. I'll follow up if I can remember/find my concern.
>
> Interested in hearing others' opinions on those points.
>
> Cheers.
>
> JJ

Those are fair points. In fact, I deal with those complaints every time I install a new Tor Browser.

1. Automated updates: I set it to notify only - just because I don't want to be interrupted / surprised - not because I don't trust TPO or the update process. If you're worried about eavesdropping or metadata scavenging, this is not the same as MS phoning home because you can check the source and build it yourself.

2. Javascript on by default. I turn it off or set security to 'high'.

3. Disconnect.me default search. I change it to something else.

4. Not sure if this is your concern but TorButton works through Tor's Control Port. There exists a Tor control command called GETINFO that will retrieve the real public IP of your Tor client. In Whonix, these commands are filtered by the Control Port Filter Proxy. The control port can optionally be disabled entirely. This approach is much safer than using the Tor Browser Bundle on its own. I don't know how Tails addresses this.

As to your inclination to "roll your own" privacy browser, there are 2 things you might want to consider:

1. In general, security software (and anything involving cryptography) is best tackled as a community. No matter how brilliant you might be, one error is all it takes to render the whole solution dangerous. The more eyes the better.

2. Unless you replicate Tor Browser *exactly* (why roll your own if you're going to do that?), you will likely have a fantastically unique fingerprint that will identify you anywhere you go on the Internet, regardless of however many anonymous proxies you sit behind. Browser fingerprints cannot be eliminated completely. Instead of trying to hide, Tor Browser sets a public fingerprint that all users can share. As in #1, having a
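The control-port allow-list idea from point 4 above, as an added illustration that is not part of this thread and not Whonix's own code: a filter that sits between a workstation and the gateway's Tor control port, answers authentication itself, forwards only a few harmless commands, and refuses the rest (including `GETINFO address`). The allow-list, the `510 Command filtered` reply and the simplified `PROTOCOLINFO` answer are assumptions made for this example.

```python
"""Allow-list filter for Tor control-port commands (constructed example).

Models what a control-port filter proxy does: the workstation never talks
to Tor's control port directly; this filter sits in between, handles
AUTHENTICATE itself, forwards a short allow-list of commands and rejects
everything else (GETINFO address, GETCONF, SETCONF, ...). The allow-list
and reply texts are assumptions for this example, not a real configuration.
"""
import re

# Command name -> regex the *whole* argument string must match (assumed list).
ALLOWED = {
    "SIGNAL": re.compile(r"NEWNYM", re.IGNORECASE),
    "GETINFO": re.compile(r"status/(bootstrap-phase|circuit-established)",
                          re.IGNORECASE),
    "QUIT": re.compile(r""),
}


def parse_command(line):
    """Split one control-port line into (COMMAND, argument string)."""
    parts = line.rstrip("\r\n").split(None, 1)
    if not parts:
        return "", ""
    return parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")


def filter_command(line):
    """Decide what to do with one line received from the workstation.

    Returns ("reply", text) when the filter answers on its own, or
    ("forward", line) when the command may be passed to Tor unchanged.
    """
    cmd, args = parse_command(line)
    if cmd == "AUTHENTICATE":
        # The filter holds Tor's cookie/password; the workstation never does.
        return "reply", "250 OK"
    if cmd == "PROTOCOLINFO":
        # Simplified answer (assumed); real Tor also reports its version.
        return "reply", "250-PROTOCOLINFO 1\r\n250-AUTH METHODS=NULL\r\n250 OK"
    pattern = ALLOWED.get(cmd)
    # fullmatch also rejects "GETINFO address status/bootstrap-phase", where
    # a forbidden key is smuggled in next to an allowed one.
    if pattern is None or not pattern.fullmatch(args):
        return "reply", "510 Command filtered"
    return "forward", f"{cmd} {args}".strip()


def fake_tor(line):
    """Stand-in for the real control port, constructed for this demo."""
    cmd, args = parse_command(line)
    if cmd == "SIGNAL":
        return "250 OK"
    if cmd == "GETINFO":
        return f"250-{args}=1\r\n250 OK"
    if cmd == "QUIT":
        return "250 closing connection"
    return "510 Unrecognized command"


def run_session(lines, backend=fake_tor):
    """Return the reply the workstation sees for each line it sends."""
    replies = []
    for line in lines:
        action, payload = filter_command(line)
        replies.append(payload if action == "reply" else backend(payload))
    return replies


if __name__ == "__main__":
    # Constructed session: a Torbutton-style NEWNYM passes, IP lookup does not.
    session = ["AUTHENTICATE\r\n", "GETINFO address\r\n",
               "SIGNAL NEWNYM\r\n", "QUIT\r\n"]
    for sent, got in zip(session, run_session(session)):
        print(f"C: {sent.strip()!r} -> S: {got!r}")
```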
Re: [qubes-users] Qubes VM compromised? - Follow up
>> Whether using an "isolating proxy" (multiple machines) or not, using a white-listing proxy like Corridor can help ensure all of your traffic passes through Tor (Entry Guard, at least).
>>
>
> That's right. Also, using Firefox with those extensions is *not* the same as using Tor Browser:

Understood. I do take a few more precautions (with iptables, bridges, etc.) but Torbrowser certainly does take care of a lot of important things for you.

> https://www.torproject.org/projects/torbrowser/design/

Wow, that's a great resource, thanks!

I think I still prefer to "roll my own" versus using TBB. (And that link is great for tips on doing that.)

There are four (probably reasonable and legitimate) things about TBB (and Tails) that are red flags to my overly-paranoid mind:

1) Not a problem in Tails (being a bit "read-only"), but the normal Torbrowser Bundle is very stubborn about doing an update check every time it starts. I understand the reasoning behind it, keeping up with 0days as they're discovered, and at least one exploit in the past would have been avoided by anybody who stayed updated.

Sure, notify me, but forcing that "phone home" on every start is a bit too much like MS-style tracking to me.

I could be wrong (I often am), but even turning off the update check in settings didn't seem to work for me. Although I might have screwed up somehow or it might have been an artifact of non-persistence in an AppVM. Having that update check/download on by default, I don't like.

Finding the actual tor browser binary to launch is a major pain. It almost seems intentionally hidden. :)

2) JavaScript on by default. I understand the convenience for the general public, but TBB isn't really for the general public but the security-conscious. And the security-conscious shouldn't turn on JS unless necessary. (And with Qubes, one can keep their JS-dependent sites to a separate VM, whoohoo!)

In Tails, having JS on plus automatically loading the Tails home page (which could be subverted by someone with CA ability) is a bit of a risk, IMO. To avoid having a JS-enabled load of the Tails home page, you have to start it without networking, disable things, then enable networking. Blah.

3) Default search engine set to Disconnect.me. And disconnect.me seems to do nothing but redirect your search to duckduckgo. Why are they even in the loop then? Supposedly they financially support the tor project. So a company founded by a former NSA person paid money to be able to capture all the searches that are eventually done by DDG in TBB/Tails. Oky...

Whenever I do launch Torbrowser, the first two things I do are disable global javascript, and change the default search provider.

4) It's not really fair to include this one, as I have nothing to back it up with, but I remember something in the past that made me a bit uneasy about Torbutton. I'll follow up if I can remember/find my concern.

Interested in hearing others' opinions on those points.

Cheers.

JJ

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/d21ff94ceb2ed97c456bc3e127f1318a.webmail%40localhost.
For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes VM compromised? - Follow up
> On 25.08.2016 at 21:33, johnyju...@sigaint.org wrote:
>
>> While it's a bit slower, I prefer booting from DVD, a read-only medium.
>
> There are verifiably hardware-controlled (physical switch) unwritable USB storage devices. A bit expensive but you can get one.

I might look into that, it would be a lot more convenient (and faster) than DVD.

In case anyone's not aware, the slider on "secure" digital media cards is just an advisory for the software to not write to the SD card, and not enforced by hardware, so very easy for malware to bypass.

JJ
Re: [qubes-users] Qubes VM compromised? - Follow up
On 25.08.2016 at 21:33, johnyju...@sigaint.org wrote:
> While it's a bit slower, I prefer booting from DVD, a read-only medium.

There are verifiably hardware-controlled (physical switch) unwritable USB storage devices. A bit expensive but you can get one.

Achim
Re: [qubes-users] Qubes VM compromised? - Follow up
On 2016-08-25 21:49, 3n7r0...@gmail.com wrote:
> On Thursday, August 25, 2016 at 7:34:01 PM UTC, johny...@sigaint.org wrote:
>> Setting up Tor and Firefox (with noscript, ssl observatory, adblocker) to use it as a proxy is essentially the same effect as Whonix (or tbb). Even if tor/firefox are on the same vm rather than separated, you're behind sys-net and sys-firewall, so your real world address isn't going to leak.
>>
>
> This is incorrect. The primary motivation for separating the Tor Gateway from the User VM is to prevent a bypass of the Tor proxy. This is one of the main advantages of Whonix / TorVM over Tails. If a packet reaches your destination without having been routed through Tor, it will be stamped with your actual public IP as its source, regardless of how many NATs / firewalls might be involved.
>
> There are real world examples of both malicious and non-malicious cases of Tor circumvention. An example of the former includes the FBI's TBB-targeted NIT, called Magneto. In terms of the latter, inadvertent leaks happen when programs don't respect proxy rules, as has happened with Flash, Skype, Torrents, WebRTC, etc.
>
> Whether using an "isolating proxy" (multiple machines) or not, using a white-listing proxy like Corridor can help ensure all of your traffic passes through Tor (Entry Guard, at least).
>

That's right. Also, using Firefox with those extensions is *not* the same as using Tor Browser:

https://www.torproject.org/projects/torbrowser/design/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Qubes VM compromised? - Follow up
johnyju...@sigaint.org:
>
>> I just use Whonix within Qubes and I like it. I'm glad it comes out of the box since 3.1
>
> I've retreated to only using Fedora. Setting up Tor and Firefox (with noscript, ssl observatory, adblocker) to use it as a proxy is essentially the same effect as Whonix (or tbb). Even if tor/firefox are on the same vm rather than separated, you're behind sys-net and sys-firewall, so your real world address isn't going to leak. Another two VM's on top of that (whonix-gw and whonix-ws) is a bit of overkill IMO, and a memory pig.

Running Tor in the same VM as the browser won't keep your public IP from leaking to the same extent as using Whonix. For example, if Firefox gets pwned, it can simply generate a request to whatismyip.com without going through Tor, and then send the result to whoever it likes. (Unless I'm misunderstanding what you're doing.)

Cheers,
-Jeremy Rand
Re: [qubes-users] Qubes VM compromised? - Follow up
> I am too paranoid for using tails other than the recommended method (two usb drives updating each other - I have two pairs of three).

Not aware of the two drive method. Is that just updating to the next version from the previous version, onto another USB drive?

While it's a bit slower, I prefer booting from DVD, a read-only medium. (A bit of a pain to update, having to boot to a USB stick to write the newer version, but it has to be done infrequently.) There's peace of mind in a true read-only medium, that you keep with you.

> I just use Whonix within Qubes and I like it. I'm glad it comes out of the box since 3.1

I've retreated to only using Fedora. Setting up Tor and Firefox (with noscript, ssl observatory, adblocker) to use it as a proxy is essentially the same effect as Whonix (or tbb). Even if tor/firefox are on the same vm rather than separated, you're behind sys-net and sys-firewall, so your real world address isn't going to leak. Another two VM's on top of that (whonix-gw and whonix-ws) is a bit of overkill IMO, and a memory pig.

(I've wondered if it might be more natural to have tor running in sys-firewall; it is kind of a fire-wall-ish thing. But having the firewall separate is a nice additional barrier in case of compromise.)

> Also, I would never use tor for banking, unless the banking wouldn't involve my real world name - understand that one how you want.

Yeah, exit nodes are too scary. Okay to reduce cyberstalkers, but for financial transactions, it seems a bit risky unless you've got a solid HTTPS connection (and trust the govt and crooks not to abuse CA's; I guess that's not something seen in the wild much. For a high value target, maybe; for someone being harassed by an ex, less likely.)

JJ
Re: [qubes-users] Qubes VM compromised? - Follow up
On 08/25/2016 01:54 AM, johnyju...@sigaint.org wrote:
> (Although accepting the password change on a Tor exit, and then refusing that on a non-Tor https: connection was rather weird. Would they silently fail a password change? Oh well, I won't stress over it, but will keep a close eye on things, for sure. Ever vigilant...)

Not weird at all, could be just the lag between the red flag raising for a given account (yours) and someone manually deciding to block your account "for security reasons" - read that as: "we crap our pants when we see tor, and we'd rather block your legitimate attempt to login than risk accepting a real world account hijacking".

> Worst case, I could (and have successfully) just run Tails inside Qubes, and it should be no worse (safer, actually) than Tails standalone, for banking or email. (I was reading that the IOMMU protection prevents DMA attacks, which is sweet.)

I am too paranoid for using tails other than the recommended method (two usb drives updating each other - I have two pairs of three).

I just use Whonix within Qubes and I like it. I'm glad it comes out of the box since 3.1

Also, I would never use tor for banking, unless the banking wouldn't involve my real world name - understand that one how you want.
Re: [qubes-users] Qubes VM compromised? - Follow up
> My guess is that Paypal is giving you a hard time just because of the tor exits you use to interact with their website.

Could be. At first I didn't see how/why, but I guess refusing a legit password from what they judge as a dodgy IP address is a possibility.

(Although accepting the password change on a Tor exit, and then refusing that on a non-Tor https: connection was rather weird. Would they silently fail a password change? Oh well, I won't stress over it, but will keep a close eye on things, for sure. Ever vigilant...)

> So it seems to me all that you are saying is really related to using tor via sys-whonix or manually through the traditional means.

Yes. I guess it really isn't necessarily anything to do with Qubes, unless there is some dom0 compromise somewhere. That's probably pretty unlikely, and I've only seen weirdness in Tor-based VM's, so I won't give up on Qubes.

I've been using Tails for a while, and never had strangeness like this; but the new factors aren't necessarily Qubes, but the TorBrowser bundle (not the Tails-reviewed/tested one) and Whonix.

Worst case, I could (and have successfully) just run Tails inside Qubes, and it should be no worse (safer, actually) than Tails standalone, for banking or email. (I was reading that the IOMMU protection prevents DMA attacks, which is sweet.)

> The sigaint episode is easily explained through the e-mail you provided.

Certainly.

> But yes, the Paranoia is our shepherd and nothing shall lack. Paranoia is what justifies the development of an operational system of this nature, it shall never die.

Beautiful. I think I'll put that on a plaque for my wall. Respect for paranoia, awesome.

I guess a mailing list for a security-focused operating system is a bit more sympathetic to my concerns than the general public. Feels like home, man. :) If I tell family and friends about the sad state of computer/network security these days, the hacks I've seen, and the Snowden stuff, they think I'm bonkers.

Now why I didn't receive your response (posted a few hours ago) via email but only see it on the Google Group's page... I'll just assume SIGAINT is still dealing with some capacity issues. :) (I wonder if their surge in signups is possibly a denial of service. They've been targeted with at least one significant exit-node attack in the past. https://lists.torproject.org/pipermail/tor-talk/2015-April/037549.html )

Thanks for your reply.

JJ
Re: [qubes-users] Qubes VM compromised? - Follow up
My guess is that Paypal is giving you a hard time just because of the tor exits you use to interact with their website.

So it seems to me all that you are saying is really related to using tor via sys-whonix or manually through the traditional means.

The sigaint episode is easily explained through the e-mail you provided.

But yes, the Paranoia is our shepherd and nothing shall lack. Paranoia is what justifies the development of an operational system of this nature, it shall never die.