Silk Road forums

Discussion => Security => Topic started by: pine on August 28, 2012, 11:20 pm

Title: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: pine on August 28, 2012, 11:20 pm
--
-- Part 0 :: Introduction
--


In this tutorial I shall demonstrate how it is possible to download files from the Tor Network and use them without worrying about possible LE malware concealed within. Of course you should not be downloading dodgy looking files from mysterious websites, but obviously a LEO operation to spread malware would not be advertising their presence, so that it would appear to come from quite legitimate sources, e.g. putting exploits into a PDF press release from the Tor Project or something sneaky like that.

Before you roll your eyes, this is the kind of thing that many governments have tried to do before, e.g. redirecting people to fake Tor Project websites, that kind of thing. Don't put it past our Western governments to be playing similar tricks; they're not really getting any better at putting restraints on their behavior, just usually more subtle and far better than most one-party states at using damage control propaganda when they goof up.

I intend for this tutorial to be used when you want to safely open things like compressed zip files or view PDF files, that is the scope of it so please don't extrapolate too much more beyond that.


--
-- Part 1 :: Some basic questions
--


1. What is a VM or Virtual Machine?

The wiki says it is a "completely isolated guest operating system installation within a normal host operating system".

In colloquial English, a VM makes your machine temporarily think it's another machine. Your computer is roleplaying! Awesome.

2. Ok, that's weird, but why would I want a sandbox?

You may remember the advice of the good folks of the Tor Project when you have downloaded files from before now, or when you read the instructions on their website.

It went something like this: 

Quote
Load external content?

An external application is needed to handle:

http://www.example.com/suspectfile.pdf

NOTE: External applications are NOT Tor safe by default and can unmask you!

If this file is untrusted, you should either save it to view while offline or in a VM, or consider using a transparent Tor Proxy like Tails LiveCD or torsocks.


Remember?! Ok, so this tutorial will show you how to view a file in a VM.


--
-- Part 2 :: Step by step instructions
--


1. Download VirtualBox for your machine's Operating System:  https://www.virtualbox.org/wiki/Downloads

2. Obtain an operating system ISO. I strongly suggest using Linux. This tutorial will use a version of Linux called Lubuntu: http://www.lubuntu.net/

3. Exit Tor. Install VirtualBox, go through the installation with all the default options, just click next until it is finished.

4. Run VirtualBox. Up pops a window labelled as "Oracle VM VirtualBox Manager". You are good to go.

5. You see a button called 'New'. Clicky.

6. Click Next and;

  6.1  Call your VM something e.g. Lubuntu OS or topsecretstuff or whatever.
  6.2  Set "Operating System" to Linux.
  6.3  Set "Version" to Ubuntu.
  6.4  Click next.

7. The next screen asks how much RAM to allow the VM to use. Just leave it at the default and click next.

8. The next screen asks how much Hard Drive space you want for your VM. Leave at default settings and click next.

9. The next screen asks what file type to use for your new VM 'HD'. Leave at default and... you may be sensing a theme here.

10. Next screen, leave settings at "Dynamically Allocated" and click next.

11. Virtual Disk File Location and Size. Leave at defaults, click next.

12. Click "Create", and again. Now you're back at the original window. Select your new powered off VM and click 'Start'.

13. The First Run Wizard pops up. Use it to find the Lubuntu ISO you prepared earlier. Click next and then Start. A 'Summary' dialog box will appear for no reason. Click Start yet again to prove to the machine you are in control. The machine respects a firm handler; if you keep second guessing yourself it'll just crash when it feels like it, mooch around the house all summer, come in late after curfew and even hide your socks so you never find matching pairs. That's just how it is.

14. Suddenly your mouse is captured. It is toying to see how far it can push you around. Press Right Ctrl to liberate your mouse from its clutches. Not because you need to, but because you can. The screen should read "Language" and show a list of Languages with English being the default. Click back on the screen, choose your language with the arrow keys and press the Enter key (See! It captured your mouse for no reason at all!)

15. Now you're back at the Lubuntu installation screen. Use the arrow keys on your keyboard to select "Install Lubuntu" and press Enter.

16. Wait for a moment. A blue screen appears. Wait longer. Sometimes the screen will say technobabble gibberish or change color. The machine now wants to impress you, so things are going as they should be.

17. While the VM is doing its technowizardry, make yourself a nice pot of coffee. Pine recommends using real coffee because although I once could not tell the difference between instant and power coffee, I have come to realize that the fastest way to wish for a premature demise is to suffer the stench of granulated coffee every morning. As such consider using good real coffee as an investment in your future health.

18. Lubuntu will now request a language setting. Click what you want and continue on. Another screen tells you about something called "best results". Just leave everything at the default and click continue.

19. The Installation Type screen appears. Keep the default option which is: "Erase disk and install Lubuntu" and click continue. Don't worry, it isn't referring to your real machine's hard disk to be completely wiped. It is playing with you again! Click Install Now.

20. Sip your coffee while the OS installs. It requests your location. It's tempting to choose Longyearbyen because it sounds so completely made up, but you can choose anything you like as long as it isn't actually your time zone. New York is the default, it's fine to leave it as that for everybody. Continue!

21. Lubuntu now requests a keyboard layout. Marvel at the number of "Englishes" and leave at defaults.

22. Lubuntu now requests:

  22.1 Your Name. Do not enter your real name or any online handle. Anything else is fine.
  22.2 Your Computer wants a name too. Give it a name, but not your machine's real name.
  22.3 Your password. Choose anything, but not any password you use elsewhere. Click continue.

23. Wait while the OS continues to install. If you are a geek, feel overwhelming relief when you realize Lubuntu doesn't use Unity.

24. At long last it is finished and you click "Restart Now". If you get a blank screen or nothing happens, hammer on the Enter key a few times.

25. After restart, up comes the login screen. Log in. It might be slow the first time.


--
-- Part 3 :: Setting up a Folder Share
--


1. Log out of the VM. Logout is located in the bottom left menu button just as with standard Windows operating systems.

2. Create a special folder on your real machine. Ideally this should be on an encrypted memory stick or similar. This folder is not to be used for anything except passing files to your Virtual Machine, so don't use it for anything else and put it somewhere out of the way.
 
3. Go back to the "Oracle VM VirtualBox Manager" control panel and select "Shared Folders". Select "Add Shared Folder" (small icon with a '+' in the top right). Set the Folder Path to your special shared folder (should be a 'machine folder'). Tick "Read Only" and "Automount".

4. Power on your VM again. After login, click on the "Devices" menu at the top of the VM. Then at the bottom of the menu is an option called "Install Guest Additions". Click on that. A dialog box will pop up saying "Removable medium is inserted". That's fine, click Ok.

5. A folder should appear. Now follow these command-line instructions (if you are a non-terminal-using Windows user, say "Unto the valley of death, but I fear no evil..."):

Open the command line (it is called LXTerminal and it lives inside the little blue 'Start' button at the bottom left. Click that and then choose Accessories and then LXTerminal).

First you need to get some software that hasn't been installed by default:

Type this in:

sudo apt-get install build-essential

// type in your password upon being prompted for it (you won't see the keys being typed appearing on the screen).
// Follow any instructions. Select Y for yes when prompted. Wait until the install is finished.


Type this in:

cd /media/VBOXADDITIONS_4.1.20_80170

We are unlikely to all have the same version of VBOX Additions over time, so if you just type in
cd /media/VBOXADDITIONS and then press your Tab key the terminal will fill in the appropriate directory for you.

// Now you are in the correct directory

Type this in to make sure:

ls

// You should now see a list of files on the screen. One of them is called VBoxLinuxAdditions.run

--
UPDATE: blurbleep says VBoxLinuxAdditions.run may be hiding out elsewhere! 

I believe that one change needs to be made to the tutorial. On my machine when looking for the VBoxLinuxAdditions.run it wasn't found in /media/VBOXADDITIONSVERSION, but instead /media/USERNAME/VBOXADDITIONSVERSION.
--

Type this in:

sudo ./VBoxLinuxAdditions.run

// A message will appear "[sudo] password for YourUserAccountName:"

Type in your password that you use to login to Lubuntu. You won't see the characters appearing on
the screen when you do this. This is normal. Enter the password correctly and press Enter.

// You should now see a bunch of stuff happening on the terminal. Wait until it finishes.

Type in: exit

// Final command line/terminal note. If you get stuck, carefully repeat your steps.

Now reboot the Virtual Machine.

6. Login and click the little blue 'Start' Button again. Go to System Tools -> Users and Groups.

7. Select "Manage Groups" and in Group Settings scroll down until you find "vboxsf". When you find this, click on it and select Properties. Tick your username in the Group Members box and enter your password to confirm this.

8. Open the file manager. This is either the picture of a folder next to the blue 'start' button, or else it is in Accessories.

9. Back in the real machine, put an experimental PDF file into your shared folder on the encrypted memory stick or wherever you have it.

10. Go back to the file manager in the virtual machine and navigate to /media/sf_shared. You should see your test PDF file :)


--
-- Part 4 :: Battening down the hatches
--


We are not yet finished. For this tutorial to have a point the Network Connection has to die and we should change the kind of permissions we have currently.

1. Turn off the VM machine and go back to the VirtualBox Manager window. Select "Network" for your VM. Deselect the tick mark on "Enable Network Adapter".

Double check that it reads "disabled" in italics under the "Network" link in the VirtualBox manager.

2. Start up the VM. Login and then go to "System Settings" -> "Users and Groups". Set your account's type to "Desktop User".

Now go to "Advanced Settings" and look at the "User Privileges" tab.

"Connect to wireless and ethernet networks" and "Share files with the local network" should already be unticked.

Untick these other options too:

[ ]  Connect to Internet using a modem.
[ ]  Send and receive faxes.
[ ]  Use modems.

Why are we taking away functionality from ourselves? Because the philosophy of Linux’s superior security is that you should only use those powers you need, when you need them, and never otherwise. Strictly speaking my last instruction just above is almost certainly redundant, but pine is a cautious platypus and so should you be too.


3. Maybe getting to the shared folder is annoying you.

For ease of getting to the shared folder, open up the terminal and type this:

cd ~/Desktop

ln -s /media/sf_shared/ ./shared

Now there ought to be a shortcut on your Lubuntu desktop which takes you directly to the shared folder with a click.


--
-- Part 5 :: Possible Issues
--


Q: This seems more complicated than it should be. Is there an easier way?
A: Yes. No.

Q: I downloaded the file to the correct folder on my real machine, but I cannot see it in the shared folder on the virtual machine.
A: You need to refresh the file explorer. Go to the shared folder in the virtual machine and press Ctrl-R to refresh.

Q: I have an error that says there's a problem mounting/unmounting the Guest Additions CD thingy.
A: There are two ways. The fastest is to turn the VM off, and then turn it on again.

Q: I only have granulated coffee, can I continue the tutorial?
A: You can, but have you considered the long term implications? 

Q: The VM seems awfully sluggish and slow.
A: If this is a persistent issue over a couple of boots, you need to give the VM more RAM to use. Don't give it much more than half of your physical RAM, otherwise your real machine will start becoming the slow one. Turn off the VM and change the RAM setting in the VirtualBox Manager. Also, while you're not using your VM you can always pause it to conserve resources for your real machine.

Q: You don't need to use apt-get install build-essential, you could just request the gcc directly.
A: True. But there can be complications with dependencies and I don't care. This works and is straightforward.

Q: Why don't characters appear on the screen when I type my password?
A: If you're sure you've clicked on the VM window, then it is that the terminal doesn't "echo" typed characters for a password. This is a security feature that prevents a shoulder snooper from seeing the length of a password. Yes, *unix people are more paranoid by default.

Q: There's something wrong/inefficient with the tutorial!
A: Very likely! Tell us what it is then.

Q: I have an issue that isn't addressed here.
A: Speak up on the thread, maybe we can help :)


--
-- Part 6 :: Important Notes
--

In this example I use a lightweight Linux operating system (Linux comes in many different forms/packages called distributions or just distros) called Lubuntu. I chose this particular one for two characteristics:

1. It is free and I won't have to register an OS license like you would with Mac/Windows.
2. It is a very fast OS. We don't need nine zillion features, we just need a responsive environment with which to read files.


-> You put files into the shared folder. Then you read them from the virtual machine. Don't get confused!

-> Do not move files from the VM to the real machine. If there is malware it could infect one of those files you move back into your real machine.

-> Make sure that shared folders are read only.

-> Any files that go into a shared folder should be considered infected by malware. Why?

The shared folder at the real machine's end should be thought of as a black hole. Information goes in. Information does not come out. The reason for this is simple: if malware in a VM manages to infect a file in the shared folder then the malware will be triggered when you execute/view that file from the real machine. Files you put into the shared folder become untouchable the moment they are placed inside it + the VM is switched on.


Finally, some last words.


Ideally you should be doing validation on files you download, double checking MD5, SHA hashes, verifying PGP signatures etc so that you're sure you've downloaded the thing the website owners intended you to receive. However there are two fairly basic problems with that kind of approach:

1. 80% or so of the people on here probably have never checked or even heard of a SHA hash, let alone understand how they work. I mean this is ok. We cannot seriously expect everybody to take COMP101 or its equivalent, in the same way that we can't expect everybody to take ECON101 in order to use Bitcoin. Using PGP is a must have, other things less so.

2. Although there are clever ways of compromising your machine (e.g. the redirection to a fake Tor website by screwing around with DNS [this is why you should only download Tor, through Tor itself since Tor can't be fooled by this as it doesn't even use DNS...]), there is the much more basic problem of LE agents forcing the website owners to do a switcharoo with their modified version of the software.

Creating and using a sandbox in the manner I describe is proof against all those scenarios. You don't need to verify a hash (indeed, the majority of files you download don't have them anyway) and it does not matter if you do actually download malware.

This is not a panacea, it is not as secure as having a dedicated machine* exclusively for reading files from the Internet but it is a 'one time investment' and it will produce more practical security for nearly everybody because it is infinitely better than downloading files via Tor and hoping your virus scanner catches any malware before you open/view those files.


* It would receive them via read only CD/DVD and have no physical net connection; this is called an "Air Gap" (i.e. what the Iranians were supposed to be maintaining until Stuxnet got around it). This is going a bit too far for most of us! kmfkewm said he might make a SELinux (secure enhanced Linux) tutorial. We could use that to bring this tutorial to the next level (called 'hardening' in security jargon) just slightly below utilizing an Air Gap because SELinux was invented by the NSA itself.
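
As an added illustration (mine, not part of pine's tutorial), here is a small script you can run inside the guest to confirm the three things Parts 3, 4 and 6 depend on: the shared folder is mounted read-only by the Guest Additions, no network interface is up, and your account is in the vboxsf group but no longer in the sudo (administrator) group. It assumes the automount name sf_shared from the tutorial, the group names vboxsf and sudo used on Lubuntu, and the usual Linux locations /proc/mounts, /sys/class/net and /etc/group. Run as `sh sandbox_audit.sh --live` inside the VM; without the flag it checks a set of constructed sample files so you can see what a passing run looks like.

```shell
#!/bin/sh
# sandbox_audit.sh: checks, from inside the guest, the three things the
# tutorial relies on: the shared folder is mounted read-only, no network
# interface is up, and the user is in vboxsf but not in sudo.
# Added example, not part of the original post. Assumes the automount
# name sf_shared and the group names vboxsf/sudo used by Lubuntu.

# 0 if MOUNTPOINT ($2) is a vboxsf mount whose options include "ro".
# $1 is /proc/mounts on a live system; a copy can be passed for tests.
shared_folder_is_readonly() {
    awk -v mp="$2" '
        $2 == mp && $3 == "vboxsf" {
            seen = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") found = 1
        }
        END { if (seen && found) exit 0; exit 1 }
    ' "$1"
}

# 0 if no interface other than lo reports operstate "up" under $1
# (/sys/class/net on a live system).
no_network_is_up() {
    status=0
    for iface in "$1"/*; do
        [ -d "$iface" ] || continue
        name=${iface##*/}
        [ "$name" = "lo" ] && continue
        if [ -r "$iface/operstate" ] && [ "$(cat "$iface/operstate")" = "up" ]; then
            echo "  interface $name is up"
            status=1
        fi
    done
    return $status
}

# 0 if USER ($2) appears in the member list of GROUP ($3) in $1 (/etc/group).
user_in_group() {
    awk -F: -v u="$2" -v g="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { if (ok) exit 0; exit 1 }
    ' "$1"
}

# Run every check, print a verdict per line, return the number of failures.
audit() {
    mounts=$1; net=$2; gfile=$3; user=$4; mp=$5; fails=0
    if shared_folder_is_readonly "$mounts" "$mp"; then echo "ok   $mp is a read-only vboxsf mount"
    else echo "FAIL $mp is missing or writable"; fails=$((fails + 1)); fi
    if no_network_is_up "$net"; then echo "ok   no network interface is up"
    else echo "FAIL a network interface is up"; fails=$((fails + 1)); fi
    if user_in_group "$gfile" "$user" vboxsf; then echo "ok   $user is in vboxsf"
    else echo "FAIL $user is not in vboxsf (shared folder unreadable)"; fails=$((fails + 1)); fi
    if user_in_group "$gfile" "$user" sudo; then echo "FAIL $user is still in sudo"; fails=$((fails + 1))
    else echo "ok   $user is not in sudo"; fi
    return $fails
}

# Constructed stand-ins for /proc/mounts, /sys/class/net and /etc/group on a
# guest configured as in Parts 3 and 4 (sample data, not from a real machine).
make_fixtures() {
    dir=$(mktemp -d)
    cat > "$dir/mounts" <<'EOF'
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
shared /media/sf_shared vboxsf ro,nodev,relatime 0 0
EOF
    mkdir -p "$dir/net/lo" "$dir/net/eth0"
    echo unknown > "$dir/net/lo/operstate"
    echo down > "$dir/net/eth0/operstate"
    printf 'sudo:x:27:\nvboxsf:x:999:sandboxuser\n' > "$dir/group"
    echo "$dir"
}

if [ "${1:-}" = "--live" ]; then
    audit /proc/mounts /sys/class/net /etc/group "$(id -un)" /media/sf_shared
else
    fx=$(make_fixtures)
    audit "$fx/mounts" "$fx/net" "$fx/group" sandboxuser /media/sf_shared
    rm -rf "$fx"
fi
```

A non-zero exit status means at least one of the invariants is broken; the "FAIL" lines say which. The network check reads the kernel's operstate rather than trusting the VirtualBox GUI, so it also catches the case where the adapter was re-enabled later.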
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: wackmanblu on August 29, 2012, 02:06 am
Way to go Pine! Once again she delivers the goods to us self-respecting anonymous Internet minions. Pine will you marry me? Can't wait to try this out tomorrow; plus, I have ground coffee AND a drip machine to make it. Boo-Ya!
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: kmfkewm on August 29, 2012, 11:06 am
Having a shared folder between guest and host breaks the isolation
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: pine on August 29, 2012, 11:45 am
Quote
Having a shared folder between guest and host breaks the isolation

A physical airgap is superior (like Stalin says, no cable, no problem) but after trawling the net for information on virtual machine security it seems pretty clear that without the use of zero day exploits to break out of the VM or the user carelessly taking files from the guest VM and executing or viewing them on the host, the odds of malware getting through to the real machine are extremely slim. The VM people I spoke to say they've never had a problem, or even heard of an incidence where malware escapes a shared folder without some user interaction from the host. In fact it seems much more likely that malware from the real machine would compromise the VM instead. So while it is true that technically this breaks isolation, this is the 'next best thing' in comparison to simply downloading files from Tor and opening them without any protection. Contraception isn't 100% either! I guess virginity is also a kind of air-gap, haha! :D

Alternatively of course, one could run Tor from a VM itself, there would be no shared folders then. But then you have a net connection that a malware could exploit, and I thought that a much bigger source of trouble than using read only shared folders as a "black hole".

Do you have any thoughts on improving the above setup ^ in my tutorial (apart from complete physical isolation or feeding the virtual machine read only CDs)? There is always something :) 

I should also say to any computer newbies that are reading this post: I have endeavored to make it a user friendly guide, but it is always possible I miss some step by assuming you know what comes in between, especially in a long tutorial like this, so speak up if you don't know something. Ignorance is nothing to be embarrassed of; there is always a ready remedy for it.

Also, kmfkewm, tell us more about SELinux, I think it is an idea with a lot of potential to improve security, whether it is on the host machine or the guest VM. I don't know much about SELinux at all apart from the name and a general idea of more rigorous access permissions.

I don't think I'd include SELinux info on this particular tutorial, this tutorial is just for users of adept to proficient computer skills (with appropriate security level), but I would have it as an 'expert upgrade module' addition to a tutorial such as this. I must reply to some of the things you've been saying recently, in fact I've a lot of other forum posts to catch up on too, esp. poor PGP Club on which I've been a bit lax (but am pleased to have completed several security projects I've been meaning to do squirreled away). I am coming back to you patient PGP comrades, fear not! :)

Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: kmfkewm on August 29, 2012, 12:16 pm
SElinux has nothing to do with virtual machines. It takes a lot of work to write profiles for it, in the near future I plan to write some profiles to isolate firefox and other applications. But unfortunately my time right now is being consumed doing other things. In short I would say that SElinux is best thought of as application specific restrictions. Ideally you would explicitly define everything that firefox can do, and then the mandatory access controls will prevent it from doing anything else. Now when an attacker takes over firefox they do not obtain the abilities of the user that runs it, but rather of the MAC profile created for firefox, which should be very restricted. Of course how much security this affords you depends on how well you have defined what firefox should be able to do. It might be appropriate to think of mandatory access controls as a sort of application level firewall. There are even techniques for getting around this sort of protection though :(. One neat thing about SElinux is that it has a default functionality that allows you to isolate applications to their own x window environment. This removes the ability to copy paste between isolated windows, but it also removes the ability of an attacker who has pwnt one of the windows from using the lack of default isolation to spy on keystrokes to all other windows. Ideally you would isolate applications with this SElinux feature called simply SElinux sandbox, and then you would write further rules to restrict the individual applications, for example remove firefox's ability to send traffic except over Tor, etc. SElinux can restrict an application from doing anything that you have not specifically allowed it to do, as well as allow an application to do anything you have not specifically prohibited it from doing. It also has a learning mode where it lets the application do anything but keeps a log of everything the application has done, to aid you in creating rule profiles.
Using SElinux for isolation is beyond a doubt seen as the superior choice over using virtual machines, at least by the majority of security researchers. Of course Theo of openbsd thinks mandatory access controls are stupid as well, but I think he would say they are vastly superior to using virtualization. Also one exception is the creator of Qubes, who seems to be pretty fond of using xen based virtualization for isolation.

As far as attackers being able to break out of virtualization....

http://www.neowin.net/forum/topic/1084015-us-cert-warns-of-guest-to-host-vm-escape-vulnerability/
http://seclists.org/fulldisclosure/2010/Mar/550
http://www.slideshare.net/kbour23/d1-t2-jonathan-brossard-breaking-virtualization-by-switching-to-virtual-8086-mode
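
To make the "learning mode" step above concrete, here is an added example (mine, not kmfkewm's, and not from any SELinux tool) of the kind of thing you do with the log it produces: run the application in permissive mode, then reduce the AVC denial records in the audit log to the distinct (command, permission, source type, class, target type) tuples and look at what each would be as an allow rule, which is the same shape audit2allow emits. The sample log lines are constructed; mozilla_t, http_port_t and ssh_home_t are standard reference-policy type names, but the events are invented for illustration. The point of reading the list by hand is that not every denial is a missing rule: a denied plain-HTTP connect from the browser is the "only over Tor" restriction working, and a denied read of an SSH key is exactly what the profile is for.

```shell
#!/bin/sh
# avc_summary.sh: reads an SELinux audit log written while a domain runs in
# permissive ("learning") mode and boils the AVC denials down to distinct
# (command, permission, source type, class, target type) tuples, then shows
# what each would look like as an allow rule. Added example, not from the
# original post. The sample log below is constructed; the type names are
# reference-policy labels but the events themselves are invented.

# One line per distinct denial tuple, followed by how often it occurred.
summarize_avc() {
    awk '
        /avc: +denied/ {
            comm = ""; sctx = ""; tctx = ""; tclass = ""; perm = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "comm")     comm = kv[2]
                if (kv[1] == "scontext") sctx = kv[2]
                if (kv[1] == "tcontext") tctx = kv[2]
                if (kv[1] == "tclass")   tclass = kv[2]
            }
            gsub(/"/, "", comm)
            # the permission set sits between braces: { read } or { read write }
            if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
            split(sctx, s, ":"); split(tctx, t, ":")   # user:role:type:level
            count[comm " " perm " " s[3] " " tclass " " t[3]]++
        }
        END { for (k in count) print k, count[k] }
    ' "$1" | LC_ALL=C sort
}

# Number of denial events in the log.
avc_denial_total() {
    grep -c 'avc: *denied' "$1"
}

# Candidate allow rules in policy syntax, one per summary line. Read them
# to decide which denial is a gap in the profile and which is the
# restriction doing its job; do not add them wholesale.
as_allow_rules() {
    summarize_avc "$1" | awk '{
        perms = $2
        for (i = 3; i <= NF - 4; i++) perms = perms " " $i
        if (NF > 6) perms = "{ " perms " }"
        printf "allow %s %s:%s %s;\n", $(NF-3), $(NF-1), $(NF-2), perms
    }'
}

# Constructed sample: two denied plain-HTTP connects (the Tor-only rule
# working), one SYSCALL record that must be ignored, and one denied read of
# an SSH key (a leak the profile caught).
write_sample_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1346238000.101:41): avc:  denied  { name_connect } for  pid=2345 comm="firefox" dest=80 scontext=unconfined_u:unconfined_r:mozilla_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1346238000.101:41): arch=c000003e syscall=42 success=yes exit=0 comm="firefox" exe="/usr/lib/firefox/firefox" subj=unconfined_u:unconfined_r:mozilla_t:s0 key=(null)
type=AVC msg=audit(1346238000.202:42): avc:  denied  { read } for  pid=2345 comm="firefox" name="id_rsa" dev="sda1" ino=131 scontext=unconfined_u:unconfined_r:mozilla_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1346238000.303:43): avc:  denied  { name_connect } for  pid=2345 comm="firefox" dest=80 scontext=unconfined_u:unconfined_r:mozilla_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
EOF
}

# With a path argument, read that audit log; otherwise use the sample.
log=${1:-}
if [ -z "$log" ]; then
    log=$(mktemp)
    write_sample_log "$log"
fi
echo "== denial events: $(avc_denial_total "$log")"
summarize_avc "$log"
echo "== as allow rules (review each before adding any):"
as_allow_rules "$log"
[ -n "${1:-}" ] || rm -f "$log"
```

On a real system you would point it at /var/log/audit/audit.log after exercising the application in permissive mode. Everything in the output that you decide is legitimate goes into the profile; everything else is a denial you want to keep when you switch back to enforcing.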

Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: GoodGuyGreg on August 29, 2012, 05:53 pm
My computer has blue screened and restarted randomly recently. Does this mean that it's been infected?

Edit: I should note that the only things I've downloaded from tor have been updated versions of tor itself (from the normal tor website) and GPG software. Is it normal for an application called gpg-agent.exe to be running in the background after use (and closure) of the application?
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: pine on August 30, 2012, 09:35 pm
Bumping.

@GGG, No, although some of us consider Windows to be a complex form of malware. Yes, most likely. It'll disappear after a while. It's common for applications to do this, Adobe Acrobat, GIMP, OpenOffice/Microsoft Office frequently do it as well for a variety of reasons. If the process is taking up a whole bunch of CPU, then that's weird alright (but probably still nothing to be concerned about, things like out of control looping or memory leaks are not rare in software, far more likely to be a bug than a virus). Logically most viruses try to evade detection for as long as possible to prolong the incubation process of copying themselves to everywhere else. LE malware on the other hand is probably aimed at deanonymization, in which case what you want to be looking for is peculiar connections that aren't authorized. This is not usually simple to detect though, malware authors do not usually make their handiwork obvious (and this is why an isolated environment like a VM is great to use as a sandbox to detect malware if you're a security person).

--

For everybody here is information from the Tor website itself: https://www.torproject.org/download/download-easy.html#warning

Quote
Don't open documents downloaded through Tor while online

The Tor Browser will warn you before automatically opening documents that are handled by external applications. DO NOT IGNORE THIS WARNING. You should be very careful when downloading documents via Tor (especially DOC and PDF files) as these documents can contain Internet resources that will be downloaded outside of Tor by the application that opens them. This will reveal your non-Tor IP address. If you must work with DOC and/or PDF files, we strongly recommend either using a disconnected computer, downloading the free VirtualBox and using it with a virtual machine image with networking disabled, or using Tails. Under no circumstances is it safe to use BitTorrent and Tor together, however.
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: spacecase #2 on August 30, 2012, 09:59 pm
pine = le fact
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: pine on August 30, 2012, 10:53 pm
Quote
SElinux has nothing to do with virtual machines. It takes a lot of work to write profiles for it, in the near future I plan to write some profiles to isolate firefox and other applications. But unfortunately my time right now is being consumed doing other things.

That's ok, I understand completely. I never seem to have enough time for all my projects either. I was pleased to complete a recent batch of them though :)

Quote
In short I would say that SElinux is best thought of as application specific restrictions. Ideally you would explicitly define everything that firefox can do, and then the mandatory access controls will prevent it from doing anything else. Now when an attacker takes over firefox they do not obtain the abilities of the user that runs it, but rather of the MAC profile created for firefox, which should be very restricted. Of course how much security this affords you depends on how well you have defined what firefox should be able to do. It might be appropriate to think of mandatory access controls as a sort of application level firewall. There are even techniques for getting around this sort of protection though :(.

There's a hack for everything, but we accept that you can't reduce the risk of an exploit to zero. Even the Air Gaps have frequently fallen to clever social engineering tricks and Stuxnet-like swamping. For example I faintly remember that a bunch of air force jets were grounded when a pilot put some software into them (I think it was actually some protection software like an AV or something, but whatever it was it had malware in it).

Quote
One neat thing about SElinux is that it has a default functionality that allows you to isolate applications to their own x window environment. This removes the ability to copy paste between isolated windows, but it also removes the ability of an attacker who has pwnt one of the windows from using the lack of default isolation to spy on keystrokes to all other windows. Ideally you would isolate applications with this SElinux feature called simply SElinux sandbox, and then you would write further rules to restrict the individual applications, for example remove firefox's ability to send traffic except over Tor, etc. SElinux can restrict an application from doing anything that you have not specifically allowed it to do, as well as allow an application to do anything you have not specifically prohibited it from doing. It also has a learning mode where it lets the application do anything but keeps a log of everything the application has done, to aid you in creating rule profiles.

Sounds interesting and the functionality very useful indeed to the security conscious, but difficult to use. I did try to use SELinux on my own machine once, but it was so incomprehensible I immediately gave up. It is clear that, like PGP, you ideally need to understand the basic principles of how/why it operates; it's not just a matter of flipping a few switches so to speak.

Quote
Using SElinux for isolation is beyond a doubt seen as the superior choice over using virtual machines, at least by the majority of security researchers. Of course Theo of openbsd thinks mandatory access controls are stupid as well, but I think he would say they are vastly superior to using virtualization. Also one exception is the creator of Qubes, who seems to be pretty fond of using xen based virtualization for isolation.

As far as attackers being able to break out of virtualization....

http://www.neowin.net/forum/topic/1084015-us-cert-warns-of-guest-to-host-vm-escape-vulnerability/
http://seclists.org/fulldisclosure/2010/Mar/550
http://www.slideshare.net/kbour23/d1-t2-jonathan-brossard-breaking-virtualization-by-switching-to-virtual-8086-mode

Yes, but we're not assuming VMs are perfect as an isolation technique, that's acknowledged from the onset. This is (much) 'better practice', not perfect or even best practice. Best practice would be to be using SELinux to harden your system in addition to everything else.

I would claim though, that if you get the 'human factors' correct, then you've solved the majority of the security problems with opening files safely in practice. Or to put it another way, the problems you're tackling above are technical ones, but the real problem is that most people are opening files downloaded from Tor without any protection whatsoever. Today's darknet is all 1970s and free love about downloading files from what I can see.

I do think in practice that there are very few pieces of malware in the wild, as opposed to a security researcher's lab, that are capable of breaking out of a VM without aid from the user. I mean, I bet you weren't able to find actual incidences of companies getting busted because malware broke out of their VMs. There is a good deal of incentive for virus writers to produce malware with that ability, since a lot of these VMs are stacked together in the cloud, and if you compromise a few machines you could suddenly run riot over dozens of corporate networks. I'm not a VM expert, but that much seems obvious.

Having a shared folder between guest and host breaks the isolation

http://pz65gyca5nrafhrf.onion/PolyFront_2/computer@20security.html

(You did a good job)

That's true, it's a bang up job kmfkewm, you can be proud of it. For one thing I keep quoting the bit on anonymity, it works on so many levels. I think that will live into infamy. I see this entire project from SR to Tor/Bitcoin itself as just the beginning of something extremely big indeed. Guru is worried about another crypto-anarchic false dawn, but I'm more optimistic. The most important thing to me isn't so much the tutorials, but imparting this sense of rationality/rigor to people. The darknet markets, and in some ways the black market in general, don't do their due diligence, don't do their research in the way that they should. Some particular organized crime groups do adopt the latest ideas and technology with extreme alacrity. These ones are responsible for 90% of all progress, but those represent a tiny fraction of the overall marketplace participants. The majority take a frankly pissant approach that would never be put up with if they were in a corporate or even government environment. The interesting thing is that there *is* a lot of innovation that does come from black markets in various ways (invented half the drugs/more efficient synths, lol), but it's the ability of the few combined with outsize funding that makes it so, and not everybody else.

Anyway, point is that a Black Market education is to be taken seriously and the PolyFront document is the first step on the path along with some few other frontier pushers like Strike, Jack Nimble or U.Fester (but they were mostly about clan chem, not this kind of theoretical knowledge). Most criminals have skills in the same sense my waiter and taxi drivers have musical or literary ability. Some few do, the rest are tone deaf or epic procrastinators.

Viva la Revolution Noir! ;)

What if somebody sends the most important messages using Airgaps. And some that are not important are sent to a shared folder. Or one shouldn't use shared folders at all?

It all depends on:

A: Your enemy.
B: Your skill level.
C: Time/Money

Nobody should be downloading files from Tor and just opening them willy nilly. The majority of people, as in 99%, should just use the solution with Virtual Box that I described (or some other VM software) or simply not download files via Tor and open them. This doesn't mean it'll be a good solution in a couple of years time if VM busting malware becomes more commonplace, but for now I think we're good. It's like having 2048 bit PGP keys. You should upgrade them, but right now they're fine, but you ought to upgrade to something larger later. Kmfkewn for example may want something more secure, but it's unlikely the majority of people will be able to adopt similar security policies e.g. using Air Gaps, since it is just impractical if you're a regular vendor or buyer. Different people should have different security policies which should depend mostly on bulletpoint: A, then C, then B by some distance.
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: kmfkewm on August 31, 2012, 11:22 am
You definitely don't run files you downloaded through Tor without isolating them in some way. Even if the uploaded files are legit, you have no idea what the exit node is actually sending to you, if you are downloading from the clearnet anyway.
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: Cosette on August 31, 2012, 07:32 pm
Holy wow, need to read this more closely later. Thanks for the info though!
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: Bungee54 on September 01, 2012, 07:58 pm
Way to go Pine! Once again she delivers the goods to us self-respecting anonymous Internet minions. Pine will you marry me?

Pick a number dude! We asked that much earlier :P

Thanks Pine for this really good tutorial.. it should help the noobs a lot!

Also we learned a bit from the posts that followed!

Cheers!
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: Hungry ghost on September 01, 2012, 08:43 pm
Lovely information as usual pine; I may try this.
My laptop is something of an antique: 512RAM and 32GB HD. It does what I need: plays pirated films on VLC and lets me mount my TrueCrypt hidden volume containing TOR bundle and GPG4USB.
A while ago I became interested in Linux and set up a dual boot with Ubuntu; it didn't make it easy as my HD has about 7MB of damage from overheat crashes and so GParted or the default Ubuntu partition manager wouldn't set it up for me, I ended up using EASEUS and manually assigning partition space.
All basic stuff to you I'm sure but a learning curve for me (I consider myself smart but sadly wasted my considerable intellect abusing heroin among the underclass for much of my peak years. Computers were sadly absent from my life until recently)
I enjoyed playing with Ubuntu greatly and learnt a little but was unable to overcome issues with my NVIDIA graphics card and eventually decided that solving the problem was taking over my life and possibly awakening a manic episode and so removed it and returned to XP, vowing one day to return and conquer Linux on a computer with a more amenable graphics card.

I trust these issues are less likely to occur with Lubuntu? I understand it's a lightweight version of Ubuntu for the less well endowed computer?

Also, I suggest you invest in a coffee grinder, if you don't have one. You will look down on ground coffee like you used to on instant. It's like that smell when you open a bag of ground coffee.... Every day!

I have long wondered how the fuck instant coffee rose to predominance, particularly in the UK. No one drinks instant tea, rightly, BECAUSE IT TASTES NOTHING LIKE REAL TEA. A tea bag is an acceptable substitute but loose leaf tea has the quenching edge. Indeed coffee bags exist and make a drinkable cup but they haven't caught on in the same way. But this freeze dried instant dregs ISN'T FUCKING COFFEE.

While I'm on the subject (which is pretty close to my heart as you can tell) why does coffee from chains always taste so bitter? I will tell you: because it's watered down espresso. For me percolated coffee is the real deal. The boiling water drips through the coffee collecting the deliciousness but not long enough to collect the bitterness. Espresso is blasted with steam at too high a temperature and just blasts across the whole taste range. It's fine if what you want is an espresso but otherwise, I just resent paying three quid for a coffee inferior to what I drink at home. I can buy a bag of beans for that.
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: kmfkewm on September 01, 2012, 08:55 pm
If you had trouble with an Nvidia card with optimus your only option is to use Bumblebee and take a performance hit. No fucking clue what to tell you beyond that, 'trouble with my graphics card' is not enough to troubleshoot a problem.
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: Hungry ghost on September 01, 2012, 09:44 pm
No it's cool mate wasn't after tips. I spent a lot of time searching and asking on forums with the specific details of my card and problem. The installation (I tried 10.10 to 11.10) worked but would only give basic graphics and would slow down when presented with any kind of graphical task i.e. playing video, whereas XP on same machine can play video while doing few other things too. It would say I needed drivers for NVIDIA card but attempting to install them either crashed completely or crashed the GUI giving me a prompt.
A lot of people seemed to have similar probs with NVIDIA cards especially old ones. I tried loads of stuff but nothing worked.
I was way out of my depth basically. This stuff is probably laughably basic to someone with your knowledge (Kmfkewn; I may not share your opinions on killing pigs but I recognise your computer skills!) but I was floundering around trying commands at random from people who seemed to be experiencing similar issues. I wish I hadn't wasted so much of my life; at school I was an electronics whizz, I built a simple calculator from logic gates and in BASIC and Pascal was considered quite the candidate for future success.(!) (the Internet was a rumour in my schooldays, I once saw it on a visit to a friend at uni!)
But my life went off the rails and I went from weed and ecstasy into heroin and spent the best years of my life scrabbling around in the gutter. Only in the past year or two I have had an iPhone and old laptop and I'm trying to catch up; but I feel like it's learning a foreign language: it's difficult to become fluent unless you start young. And there's so many different aspects to computers; the different coding languages, the operating systems and command lines; HTML etc. Where to begin? So I just kind of lurk round the edge trying to get a handhold, I can usually make them do what I want.
Fuck. Wall of text again.
What was I talking about? NVIDIA graphics card....yeah fuck it I just thought there's only so much time I can spend trying to sort this problem. I sometimes think I learn more from failure than success. I learnt a few terminal commands which sometimes apply on my iPhone.
Might have a look at this Lubuntu VM. I get obsessed with things though so have to be careful!
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: pine on September 02, 2012, 12:49 am
Lovely information as usual pine; I may try this.
My laptop is something of an antique: 512RAM and 32GB HD. It does what I need: plays pirated films on VLC and lets me mount my TrueCrypt hidden volume containing TOR bundle and GPG4USB.
A while ago I became interested in Linux and set up a dual boot with Ubuntu; it didn't make it easy as my HD has about 7MB of damage from overheat crashes and so GParted or the default Ubuntu partition manager wouldn't set it up for me, I ended up using EASEUS and manually assigning partition space.
All basic stuff to you I'm sure but a learning curve for me (I consider myself smart but sadly wasted my considerable intellect abusing heroin among the underclass for much of my peak years. Computers were sadly absent from my life until recently)

I think you're downplaying your knowledge/computer skills, probably 1 in 100 people even know what all the slang and acronyms you just used actually mean. It's a learning curve for everybody, no matter what level of expertise they happen to be at. I'm painfully aware of my lack of expertise in certain areas, and even Guru, who is a real Guru (!) says exactly the same thing. So don't beat yourself up, recriminations can be a crutch that prevents you doing more.

Not a big fan of the physically addictive drugs like h and meth which is why I don't sell them. To those who might query what 'physically addictive' means, it means after (indeterminable) X uses your body will go into withdrawal if you stop i.e. dope sickness, which is possibly one of the most unfunny things you can experience. The majority of illegal drugs are not actually physically addictive but psychosomatically addictive, that is to say you take them because you enjoy the sensation/feeling/change, but this is in no way comparable to meth or h. I am not sure it's possible to be a functional drug taker and also take opiates, whatever the case it certainly is not easy. I just don't see the 'recreational' aspect, maybe at first, but not after.

My lack of enthusiasm for opiates also includes the many legal derivatives of the poppy like morphine and morphine substitutes which I don't think people realize the power of across the board, and that includes doctors. The medical establishment uses those like sledgehammers to crack nuts, I hear that a fair majority of opiate addicts come out of hospitals. Opiates are exceptionally powerful drugs at any level. Mao said religion was the opium of the masses (he was a strict prohibitionist who killed tens, maybe hundreds of thousands of people in the Chinese drug trade), but I think you'll find opium is the opium of the masses! All drugs have a place and a purpose, whether medical, recreational or functional e.g. nootropic. That is true, and if people want to use opiates it's their prerogative but I wouldn't go out and recommend them to everybody for recreational use. Just because you support freedom of choice for people to take such things, does not imply you think they should load up on every conceivable drug in existence. I think kmfkewn may have his own opinion on the subject since I think he took/takes h but I may be remembering incorrectly.

Powerful drugs have their place in society. LSD for example, I believe should be used by far more non-recreational drug using people with certain doses for functional reasons. There is nothing more effective at preventing alcoholism for example. I'm not a flower power person one little bit, and it drives me mad that the DEA prohibit this useful substance, throw manufacturers of it into the slammer, while in the meantime it could have been used to prevent literally millions of recovering alcoholics from relapsing. It's a sick joke.

I enjoyed playing with Ubuntu greatly and learnt a little but was unable to overcome issues with my NVIDIA graphics card and eventually decided that solving the problem was taking over my life and possibly awakening a manic episode and so removed it and returned to XP, vowing one day to return and conquer Linux on a computer with a more amenable graphics card.

I trust these issues are less likely to occur with Lubuntu? I understand it's a lightweight version of Ubuntu for the less well endowed computer?

Yes, the OS should only use up half of your RAM max, 250 MB ought to be enough. And of course the HD space is much more than sufficient. I don't know about the NVIDIA graphics card issues, those are very specific stuff. Perhaps your motherboard has an inbuilt GPU onboard? I mean you'll only need a few MB of graphics card to make it function at all. I suggest, instead of going to the ends of the earth to make your NVIDIA card compatible (if it's a problem of course, which it might not be), that you shell out $5.00 for a different basic graphics hardware widget for your laptop (I've never even seen a laptop graphics card! Not a laptop person).

Also, I suggest you invest in a coffee grinder, if you don't have one. You will look down on ground coffee like you used to on instant. It's like that smell when you open a bag of ground coffee.... Every day!

I have long wondered how the fuck instant coffee rose to predominance, particularly in the UK. No one drinks instant tea, rightly, BECAUSE IT TASTES NOTHING LIKE REAL TEA. A tea bag is an acceptable substitute but loose leaf tea has the quenching edge. Indeed coffee bags exist and make a drinkable cup but they haven't caught on in the same way. But this freeze dried instant dregs ISN'T FUCKING COFFEE.

While I'm on the subject (which is pretty close to my heart as you can tell) why does coffee from chains always taste so bitter? I will tell you: because it's watered down espresso. For me percolated coffee is the real deal. The boiling water drips through the coffee collecting the deliciousness but not long enough to collect the bitterness. Espresso is blasted with steam at too high a temperature and just blasts across the whole taste range. It's fine if what you want is an espresso but otherwise, I just resent paying three quid for a coffee inferior to what I drink at home. I can buy a bag of beans for that.

Ha, I'm way ahead of you there, I have a nice (inexpensive) coffee blender. And I must have had the same (expensive) dreck from a coffee chain as you did. Now I avoid those places completely, they're like the Carnival of Coffee horrors or something.
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: kmfkewm on September 02, 2012, 06:28 am
Quote
Yes, the OS should only use up half of your RAM max, 250 MB ought to be enough. And of course the HD space is much more than sufficient. I don't know about the NVIDIA graphics card issues, those are very specific stuff. Perhaps your motherboard has an inbuilt GPU onboard? I mean you'll only need a few MB of graphics card to make it function at all. I suggest, instead of going to the ends of the earth to make your NVIDIA card compatible (if it's a problem of course, which it might not be), that you shell out $5.00 for a different basic graphics hardware widget for your laptop (I've never even seen a laptop graphics card! Not a laptop person).

that hurt my brain
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: Hungry ghost on September 02, 2012, 08:47 am
Yeah I'm sure it would be fine. Ubuntu was running ok it just wasn't performing as well as XP on the same hardware and I suspected the NVIDIA card was the issue. But part of the problem is there was only just room for the dual boot.
The funny thing is my ancient computer (which I have to prop up on small paint pots to prevent from overheating; I have one of those fan things too) works much snappier in terms of loading pages and programs than any of my family and friends' brand new laptops. You try and open anything on theirs and it sits there for like five minutes. When the browser window opens there is a stack of toolbars and search windows fully half the screen. The computer is basically unusable. They just think that's how computers are! I try and tell them it's because your computer is clogged with shit, to use the technical term. But they won't let me fix it in case I release the millennium bug or a hacker escapes through the screen and steals their purse.

But yeah, doctors in US seem to give out opiates like the oxy and hydro groups and benzodiazepines with gay abandon. In UK you are given paracetamol or aspirin or a slightly stronger NSAID for most things. If you are in debilitating pain you might get codeine. I think there are a fair few long term codeine scripts allowed. To get morphine you basically have to be screaming in agony and cursing a godless universe. It's for broken bones, child birth, and terminal patients.
Whereas in US it seems to be "slight bad back? Here have this OxyContin and be sure to let me know if you need more"

Same with benzos. After some bad judgement in 60's and 70's when they first replaced barbiturates; nowadays doctors will script these for one or two weeks. Diazepam temazepam or nitrazepam only. They tend to have a few legacy addicts who they let get out of hand and now can't be arsed making taper off. But these drugs are fairly tightly controlled.
But in US they seem to give Xanax and ambien and Kpins to any sucker who can persuade them he occasionally feels anxious. Or can't sleep sometimes.
And yet at the same time illicit drug users are treated like paedophiles or terrorists.

Not sure about LSD for treating alcoholics. I have heard anecdotes of various addicts taking LSD and having a "what the fuck am I doing to myself?" type revelation. Can't see the effect being reliable enough though.

That's not to say it isn't an incredible substance though. The day after my first trip, aged 16 or so I was like "well, things are never going to be the same again." All the trees looked different. William Blake said "A fool sees not the same tree as a wise man sees" I didn't read this till later, but recognised the sentiment straight off. For me, the first indication an acid trip has started working was always the trees. You see them every day but you don't notice them. These solar powered oxygen generators that look like the expression of some arcane mathematical function.

I don't believe acid should be given out willy nilly tho. I'm kind of with Aldous Huxley on this one. It should be used sparingly. Similarly MDMA. It is undoubtedly therapeutic; and at a certain point in my life it changed my personality for the better, making me more gregarious even without the drug.
However I have known several people develop temporary psychoses after overdoing ecstasy combined with constant spliff smoking.

Well, I'm rambling off topic somewhat now.... I'm done. I come on these forums because, due to the life choices I outlined above, most of my workmates and friends just aren't interested in the things I am. I try and tell them stuff about, say, that male bees only have one set of chromosomes and this leads to bee siblings being closer relatives than mother/offspring, hence the best way for a bee to replicate her genes is to get her mother to produce more sisters. Hence the queen.
This to me is utterly fascinating. But people around me say things like "You're full of useless information aren't you? So do you want the honey or not? This is a supermarket"
I don't know why an interest in consuming drugs purchased online should make for more interesting conversation. I suppose the technical ability to use TOR and reach this site acts as a bit of a filter keeping the IQ of members higher.
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: Bungee54 on September 02, 2012, 09:42 am
. I suppose the technical ability to use TOR and reach this site acts as a bit of a filter keeping the IQ of members higher.

We would never have come here if it were not for BTC and TOR .

We knew about online markets but always thought of them being too insecure for our tastes..

This Filter is very welcome as the quality of many Discussions on here is just superb.. we really hope we can participate more deeply in the development of P2P black markets and of course philosophical discussions.

(The Writer is looking forward to his first LSD trip in the Summer of 2013  8)  Thanks SR for that!
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: paddymiller on September 03, 2012, 10:40 pm
Enjoy your trip :) Make sure you come back!!
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: pine on September 05, 2012, 07:12 pm
coffee

As for me my only favorite drink isn't coffee. I would get to drink coffee if I had no choice other than to sleep like some hibernating animal. Would you like some chifir? It's really good. One matchbox of loose tea per person poured on top of the boiled water. It is brewed for 15 minutes without stirring - until the leaves drop to the bottom of the cup. Then drunk by passing around a single cup. Yea, of course without sugar! The taste of it is bitter. But you will get used to it and will like it after 5 years. :)

It sounds interesting. I must adopt even more 'acquired tastes' to achieve class superiority over my fellow mammals.  ;)

Also there is nothing wrong with becoming a hibernating animal, but coffee interrupts the process for me. :)

-- Elite platypus No.1

Also, you may be interested to know that I think LouisCyhere is a LE Agent.

http://dkn255hz262ypmii.onion/index.php?topic=40934.0


Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: Joy on September 10, 2012, 12:40 pm
thanks pine :-*  ;D
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: pine on September 11, 2012, 10:08 pm
Bumping because more people should be reading this.
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: Mikeno1887 on September 29, 2012, 04:18 am
I've been lurking on these forums for quite a while but now I have some questions that are a little more specific than the knowledge that I can find on the forums here. Specifically pertaining to downloading files which is why I'm happy I found this.

Before I begin some of these may be noob questions or whatnot but I would just like to learn and understand!

In my experiences using tor I have become familiar with Tails, a virtual machine based on a version of Linux. Would the methods you just discussed here be possible using Tails? I have downloaded books in the past and after the fact I am growing more concerned with my security. However there seems to be a lacking amount of literature in this regard. I would like to take the precautions and make sure my machine isn't compromised!

On this note how would we know if our machines are compromised or would we? Is it possible the various ebook vendors are LE? If I have downloaded a pdf from a reputable vendor should I be concerned?

Thanks and hello everyone on the forums (or the people reading this thread)

Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: kmfkewm on September 30, 2012, 12:10 am
If you are wanting to use a virtual machine and take the associated risks, you should just run Tor on the host and isolate everything in the VM from it. In virtualbox create a new virtual network adapter vboxnet0, its internal IP address will probably be 192.168.56.1. Now run Tor on the host and in its torrc add this:
SocksListenAddress 192.168.56.1:9100

now when you make your virtual machine in its networking settings select to use host only routing with vboxnet0

inside the vm configure things using 192.168.56.1:9100 as the socks proxy.

You need to weigh the risks and benefits of, on the one hand, using a virtual machine which is likely to be much less secure than the OS would be running on non virtualized hardware, and having such a marvelously simple way of isolating your entire operating environment away from Tor and your external IP address. You are far better off using actual hardware isolation with a dedicated machine for Tor and a dedicated machine for your surfing, and indeed you are far better off using mandatory access controls and such for isolation, however these solutions are not as easy to configure and are much less convenient. For web servers I would seriously consider it since you are more concerned with an attacker being able to get the IP address than you are them being able to root the operating environment the server is running in; if you have plaintext addresses in the virtual machine it will negate the anonymity benefits of having isolated the operating environment from external IP addresses if the attacker manages to root you and deanonymize you anyway. For non root level anonymity bypass attacks though, such as pdfs or docs that phone home without taking unauthorized control of a system through a vulnerability, isolation like this is a simple way to perfectly protect yourself.
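One way to script the setup kmfkewm describes, as an added example that is not kmfkewm's own or VirtualBox's code: it takes the adapter name, host-only address and port from the post, uses a placeholder VM name, and writes the listener as `SocksPort addr:port` because later Tor releases dropped the `SocksListenAddress` option. The check function catches the one mistake that undoes the isolation, a SOCKS listener bound to every interface, which would hand your Tor port to the whole LAN.

```shell
#!/bin/sh
# Added example (not kmfkewm's script): torrc fragment, VBoxManage commands and a
# torrc sanity check for the host-only Tor isolation described in the thread.
# Assumed from the post: adapter vboxnet0, host IP 192.168.56.1, SOCKS port 9100.
# The VM name is a placeholder.

HOSTONLY_IF="vboxnet0"
HOSTONLY_IP="192.168.56.1"
SOCKS_PORT="9100"

# torrc lines for the host. "SocksPort addr:port" is the form current Tor
# releases accept; it means the same as the SocksListenAddress line in the post.
torrc_fragment() {
    cat <<EOF
# Tor listens only on the host-only adapter, so only the guest can reach it.
SocksPort ${HOSTONLY_IP}:${SOCKS_PORT}
EOF
}

# Return 0 if FILE has a SOCKS listener on the host-only address and none bound
# to 0.0.0.0 (which would expose the Tor SOCKS port to everything on the LAN).
# A listener on 127.0.0.1 alone is rejected too: the guest cannot reach it.
check_torrc() {
    f="$1"
    if grep -Eq '^[[:space:]]*(SocksPort|SocksListenAddress)[[:space:]]+0\.0\.0\.0' "$f"; then
        echo "check_torrc: SOCKS listener bound to all interfaces" >&2
        return 1
    fi
    pat='^[[:space:]]*(SocksPort|SocksListenAddress)[[:space:]]+'"${HOSTONLY_IP}:${SOCKS_PORT}"'([[:space:]]|$)'
    if ! grep -Eq "$pat" "$f"; then
        echo "check_torrc: no SOCKS listener on ${HOSTONLY_IP}:${SOCKS_PORT}" >&2
        return 1
    fi
    return 0
}

# Print (do not run) the VBoxManage commands that give the guest exactly one
# NIC, on the host-only adapter. Review them, then run them on the host.
vbox_commands() {
    vm="$1"
    cat <<EOF
# create the host-only adapter once; the first one created is ${HOSTONLY_IF}
VBoxManage hostonlyif create
VBoxManage hostonlyif ipconfig ${HOSTONLY_IF} --ip ${HOSTONLY_IP} --netmask 255.255.255.0
# the guest's only NIC is host-only; a second NAT or bridged NIC would route around Tor
VBoxManage modifyvm "${vm}" --nic1 hostonly --hostonlyadapter1 ${HOSTONLY_IF}
VBoxManage modifyvm "${vm}" --nic2 none
# shared folders break the isolation (see earlier in the thread): list any that exist
VBoxManage showvminfo "${vm}" --machinereadable | grep -i SharedFolder
EOF
}

# Inside the guest, point applications at the host listener, e.g. with curl:
#   curl --socks5-hostname 192.168.56.1:9100 https://check.torproject.org/

case "${1:-}" in
    torrc) torrc_fragment ;;
    check) check_torrc "$2" ;;
    vbox)  vbox_commands "${2:-ExampleTorVM}" ;;
esac
```

Run `sh isolate.sh torrc >> /etc/tor/torrc` and `sh isolate.sh check /etc/tor/torrc` on the host, then `sh isolate.sh vbox YourVM` to see the commands to apply.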
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: pine on November 15, 2012, 01:15 am
it's unlikely the majority of people will be able to adopt similar security policies e.g. using Air Gaps, since it is just impractical if you're a regular vendor or buyer. Different people should have different security policies which should depend mostly on bulletpoint: A, then C, then B by some distance.

I feel kind of ambivalent. Getting busted and convicted is impractical.

I concur!

I think you're wrong thinking that the majority of people do not want better security and should get busted because they don't have much to contribute, time/money, or skills.

Yes, but there's a gap between the lip and the cup as they say. Everybody wants super leet security if they think about it for 2 seconds, but there are some problems. A great many people don't know what they need to know (part of the reason for this thread), and a sizable number of people are outside their comfort zones on this network. Even a lot of geeks find things like PGP incomprehensible. Then there's a 3rd group that is aware of what needs to be done, knows how to do it, but doesn't do it because of inertia. This can be combated easily by making some operational security into a cultural standard, something that everybody knows in the group, which allows peer pressure to establish a norm. This way you can have large numbers of participants using a technology fluently in a way rarely seen outside of computer science classrooms. Taking inspiration from the carjacking gangs in Brazil and SA, many of their members are very young but you have 7 or 8 year olds with an expertise usually exclusive to electronic engineers and trained mechanics, and often beyond them. I learned about the physics of Faraday Cages and the radio communications spectrum from a member of an ORC team about four or five times my junior. Extraordinary knowledge can be easy to learn if it is passed on by a cultural medium, which is acceptance and respect within the gang. That is the objective of PGP Club for example, to treat cryptography as a hazing ritual and it has been successful (we now have a different problem: scaling up). There are very few businesses and government departments up to the Silk Road's standard for encrypted communications in practice. They have fancier labels, software and so on, but on the basis of actual practical implementation and 'op-sec awareness', they are an easy target for social engineering attacks, they have large groups of employees that resist the training and so on.

Those who wish to help the war against the adversary should endeavor to convert good op-sec practices into something cultural. You should not attempt to pass all the information in your head, because people's brains have different mappings and this intimidates the other person, they get out of depth quickly. Instead you need to pass "the seed", the kernel of the idea. Then they will be motivated to learn what you know, and more, independently of you spending huge amounts of time training them to do x, y, z as part of a program. There is nothing wrong with being rigorous, but that comes later. It's what sticks and what motivates that is the most important, not giving the instructor a feeling of 'progression'. As an example if you do the PGP handshake with somebody. They now have 1) a sense of an accomplishment (rightly too) and 2) when their pals talk about SR, they will show off their PGP knowledge independently of pine telling them what to do. PGP becomes cool, it becomes a meme. That's something the cyberpunks never really achieved but which we are achieving right here and now. All the other stuff: the nature of asymmetric encryption vs symmetric encryption, proper labeling, key length, algorithm choice, signing, verification and so forth, is unimportant, because most of them will pick that up later on the go, they will see something like DPR clear signing a message and they'll work out for themselves what that is about out of curiosity.

bumping!

--

Note to everybody: for security bonus, you could download/install a variety of PDF readers that aren't the default PDF reader on whatever VM OS you're using to create the sandbox.
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: pine on November 15, 2012, 01:37 am
I've been lurking on these forums for quite a while but now I have some questions that are a little more specific than the knowledge that I can find on the forums here. Specifically pertaining to downloading files which is why I'm happy I found this.

Before I begin some of these may be noob questions or whatnot but I would just like to learn and understand!

In my experiences using tor I have become familiar with Tails, a virtual machine based on a version of Linux. Would the methods you just discussed here be possible using Tails? I have downloaded books in the past and after the fact I am growing more concerned with my security. However there seems to be a lacking amount of literature in this regard. I would like to take the precautions and make sure my machine isn't compromised!

On this note how would we know if our machines are compromised or would we? Is it possible the various ebook vendors are LE? If I have downloaded a pdf from a reputable vendor should I be concerned?

Thanks and hello everyone on the forums (or the people reading this thread)

Hello, sorry didn't see your question there before.

Yes, I think you will be able to do this using Tails. However Tails is designed by default to operate as a Live CD / Live USB environment where all data is wiped once you reboot. You can save files to a persistent storage directory or to a USB stick.

To ensure your machine is not compromised is very difficult because virus scanners are largely unable to cope with original bits of malware. Probably the best thing for your peace of mind is to do a clean install of your OS. Yes, it is more than possible that an ebook vendor on SR is LE, it is likely. I don't think all of them can be, but anybody selling you something that will be run on your machine (from ebooks to those people selling 'darknet usb sticks') should be treated with suspicion. In the case of the ebooks you can counter it by following the instructions I've made in this thread, but things like the darknet usb sticks should be avoided at all costs. In general somebody from SR offering you hardware or software solutions should be treated with extreme caution, since that is a clear attack vector by LE.

Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: pine on November 15, 2012, 01:39 am
Bump

I'm going to use a transparent proxy. Is it okay?

Is there something better? Like two virtual machines. One running Tor. Another one running applications. Can I use something else?

You're ahead of me here Miss Emo, I haven't used one before, ask Shannon or kmfkewm :)
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: Razorspyne on December 06, 2012, 05:09 am
I'm seeing a lot of bumps on this page. It wasn't the kind of bump I was originally thinking of. I'm glad that's all cleared up. Erm, I know this is a newb question and I don't even know if you still use this forum that much pine, but is it safe to visit Silk Road and other stuff using onion.to and not Tor launched Onion? Tor is so damn slow, and my computer is fairly new. (It's not low-end either, don't know why so slow.)

btw, someone's using your photo on their username. Ew! Creepy! (In my picture, I can assure you that's really me doing Marge Simpson.)

btw, I tried to view some of your posts and this thread in general to find if you have already answered this question elsewhere, but you've written over 1700 posts or something! At least, there was a 1 in there somewhere. Cheers. Don't forget to eat people! Piece!
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: Razorspyne on December 06, 2012, 05:14 am
Um, that should read: don't forget to eat, people, and not, don't forget to eat people.
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: Razorspyne on December 09, 2012, 01:09 pm
Pine are you on holiday???
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: blurbleep on December 13, 2012, 06:26 pm
I believe that one change needs to be made to the tutorial. On my machine when looking for the VBoxLinuxAdditions.run it wasn't found in /media/VBOXADDITIONSVERSION, but instead /media/USERNAME/VBOXADDITIONSVERSION.

It's a small change obviously, but could potentially halt the progress of someone less likely to check the location of the cd/dvd iso. I'm not sure why the location was different from pine's. I tried loading the iso from both the IDE and SATA controller separately, but as I expected that didn't seem to make a difference.
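Because the Guest Additions CD can be automounted at either /media/<label> or /media/<user>/<label> depending on the Ubuntu release, here is a small shell helper (an added example, not part of pine's tutorial or of VirtualBox) that locates VBoxLinuxAdditions.run under either layout and refuses to guess if it finds none or more than one. The search root, the depth limit and the `--install` switch are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the tutorial. Finds the VirtualBox Guest Additions
# installer whichever way the CD image was automounted:
#   /media/VBOXADDITIONS_x.y.z_nnnnn/VBoxLinuxAdditions.run        (older Ubuntu)
#   /media/<user>/VBOXADDITIONS_x.y.z_nnnnn/VBoxLinuxAdditions.run (newer Ubuntu)
# Assumption: the mount lives at most three directory levels below the root.

# find_vbox_additions [ROOT]
#   Prints the single matching path and returns 0. Returns 1 (with a message on
#   stderr) if there is no match or if there are several, so a wrong file is
#   never run by accident.
find_vbox_additions() {
  root="${1:-/media}"
  found=$(find "$root" -maxdepth 3 -type f -name VBoxLinuxAdditions.run 2>/dev/null)
  # Count non-empty lines; "|| true" keeps "set -e" callers alive when the count is 0.
  n=$(printf '%s\n' "$found" | grep -c . || true)
  case "$n" in
    1) printf '%s\n' "$found"; return 0 ;;
    0) echo "no VBoxLinuxAdditions.run under $root; is the Guest Additions CD mounted?" >&2
       return 1 ;;
    *) echo "several candidates under $root, pick one explicitly:" >&2
       printf '%s\n' "$found" >&2
       return 1 ;;
  esac
}

# Usage: sh find_additions.sh --install
# Only then does it actually run the installer (as root), from wherever it was found.
if [ "${1:-}" = "--install" ]; then
  path=$(find_vbox_additions /media) || exit 1
  echo "running $path"
  sudo sh "$path"
fi
```

The point of the "exactly one match" rule is that a stray copy of the installer elsewhere under /media (a second mounted image, an old extracted copy) would otherwise be executed as root without you noticing.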
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: pine on March 23, 2013, 05:52 am
I believe that one change needs to be made to the tutorial. On my machine when looking for the VBoxLinuxAdditions.run it wasn't found in /media/VBOXADDITIONSVERSION, but instead /media/USERNAME/VBOXADDITIONSVERSION.

It's a small change obviously, but could potentially halt the progress of someone less likely to check the location of the cd/dvd iso. I'm not sure why the location was different from pine's. I tried loading the iso from both the IDE and SATA controller separately, but as I expected that didn't seem to make a difference.

Thanks, splicing your comment into the tutorial :)

Um, that should read: don't forget to eat, people, and not, don't forget to eat people.

:D
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: pine on May 01, 2013, 05:49 am
bump! Fuck you LE fyi!
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: skeezoo8586 on May 20, 2013, 04:14 pm
Thanks, P
I didn't know a tutorial could make for a good read.
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: astor on May 20, 2013, 04:20 pm
It is a good tutorial, but I think the super simple way to do this these days is to use Whonix. They make preconfigured VirtualBox images so all you have to do is File -> Import Appliance for each image, then start the Gateway and Workstation. All the hardware parameters are configured for you, and Whonix isolates Tor from the main OS, so you can download the potentially malicious files over Tor directly to the Workstation and not worry about disabling networking or shared folders (which can be a security threat in themselves). Everything can be done relatively safely with a default Whonix configuration.

And if you want disposable VMs, it's simpler and easier to delete and reimport the Workstation after each use than to go through a full distro installation. I can import the Workstation in like a minute, so I can destroy and create fresh VMs all day with little annoyance or work involved.

Alternatively, you could boot Tails in a VM, which is a truly disposable VM, because nothing is ever installed or saved to disk, and you get a fresh VM each time you boot it with zero work, but it's slightly less safe than Whonix, since Tor runs in the same VM as the potentially malicious files.


An even cooler thing is that you can use the Whonix Gateway with any OS, so you could install Lubuntu or any distro, like in pine's tutorial, but change the networking to work with the Whonix Gateway. Once you have everything configured with all the apps that you might need, you export it as an appliance, so you can destroy and recreate that VM with minimal effort, and you get the safety of the Whonix Gateway with the comfort and convenience of your own distro (the Workstation is kind of crappy, tbh).

Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: kmfkewm on May 20, 2013, 06:58 pm
An even better bet is to use Qubes OS. It lets you easily configure Tor similar to how Whonix does, and has the option to instantly launch anything you want in a disposable VM. Plus it isolates your hardware with IOMMU. Qubes is configured to launch different applications in different (user defined) security domains that are isolated from each other with Xen virtualization. It also supports windows HVMs and in the next version it will have seamless windows appvms. This means you will be able to seamlessly run Windows applications and Linux applications at the same time, and it will look like they are both natively running on the host OS. 
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: kmfkewm on May 20, 2013, 07:06 pm
And if you have the right hardware you can even game on the windows HVM with only a small (~5%) performance hit, because you can use PCI passthrough with IOMMU to give the virtual machine direct access to the graphics card. This is the same technique that is used to isolate hardware for security purposes, but it can also be used for Windows gaming on a Linux host (by isolating the graphics card to the Windows VM).
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: astor on May 21, 2013, 12:11 am
Qubes looks promising, especially the way you can have an isolated Tor process and configure the networking on a per-AppVM basis to use it (see my "any OS over Tor" guide that I just posted, it's basically the same thing), also the way you can create disposable VMs for opening untrusted files... but it also looks really complicated to use and not newb friendly.

I remember when you first mentioned it a few weeks ago, but sort of forgot about it after that. I'm about to try it out, though.
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: whorledpeas on May 21, 2013, 11:22 pm
GREAT Thread! I've got a VM set up and Lubuntu installed, now working on getting apps installed. Platypii rock!
wp
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: skeezoo8586 on July 01, 2013, 09:34 am
TY!
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: Dicko456 on July 01, 2013, 10:07 am
subbing
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: skeezoo8586 on September 03, 2013, 03:33 am
I've been trying this tutorial several times on two different hard drives and I can't get past step 5. My question is, if all I'm doing is running Tor and downloading files, do I need the VBOXADDITIONS? I can't find them in pine's tutorial or with the edit from the other person who said they found them somewhere else.
I just fear the keylogger. How safe am I browsing/ordering from the VM if I can't get through step 5?
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: astor on September 03, 2013, 03:44 am
You don't need the VirtualBox Guest Additions unless you want a shared clipboard and folder between the host and guest OSes, and those create security risks (for example, a password copied into the host clipboard could be read by a malicious app on the guest OS).

You can follow this guide without installing guest additions. You can also just download the Whonix Gateway and Workstation, import the appliances into VirtualBox and start them, no long installation steps necessary and it's safer because Tor runs in a separate VM. Alternatively, you can replace the default Whonix Workstation with the Lubuntu VM that pine describes here, you just have to manually set the networking to:

gateway: 192.168.0.10
netmask: 255.255.255.0
ip address: 192.168.0.50
dns address: 192.168.0.10

More info on running any OS with Whonix can be found here: https://www.whonix.org/wiki/Other_Operating_Systems
That's basically it.
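The addresses above are only useful if nothing in the Workstation can bypass the Gateway, so here is an added shell example (mine, not astor's and not part of Whonix) that prints the matching static-network stanza and checks a Workstation's routing table and resolver for anything that does not point at the Gateway. It assumes the interface is eth0, that the distro reads /etc/network/interfaces (Lubuntu's NetworkManager dialog is the equivalent astor describes), and that the Gateway sits at 192.168.0.10 as in the post.

```shell
#!/bin/sh
# Added example, not from the thread or from Whonix. Values are the ones astor
# gives for a custom Workstation behind the Whonix Gateway.
GW=192.168.0.10
WS_IP=192.168.0.50
MASK=255.255.255.0

# Print an /etc/network/interfaces stanza for the Workstation (assumes eth0;
# a NetworkManager user enters the same four values in the Ethernet dialog).
ws_interfaces_stanza() {
  cat <<EOF
auto eth0
iface eth0 inet static
    address $WS_IP
    netmask $MASK
    gateway $GW
    dns-nameservers $GW
EOF
}

# Read "ip route" output on stdin. Succeeds only if there is exactly one
# default route and it goes via the Gateway. A second default route (for
# example via a NAT adapter left attached) is a path around Tor.
check_default_route() {
  awk -v gw="$GW" '
    $1 == "default" { n++; if ($3 != gw) bad++ }
    END { if (n == 1 && bad == 0) exit 0; exit 1 }'
}

# Read /etc/resolv.conf on stdin. Succeeds only if every nameserver is the
# Gateway; any other resolver would leak DNS lookups outside Tor.
check_resolv() {
  awk -v gw="$GW" '
    $1 == "nameserver" { n++; if ($2 != gw) bad++ }
    END { if (n >= 1 && bad == 0) exit 0; exit 1 }'
}

# Usage inside the Workstation: sh ws_check.sh --live
if [ "${1:-}" = "--live" ]; then
  ip route | check_default_route && echo "default route: OK (via $GW)" \
    || echo "LEAK: default route count or next hop is wrong, see: ip route"
  check_resolv </etc/resolv.conf && echo "resolver: OK ($GW)" \
    || echo "LEAK: resolv.conf lists a nameserver other than $GW"
fi
```

The two checks are the local half of what visiting check.torproject.org tells you from the outside: if the only route and the only resolver are the Gateway, a clearnet connection from the Workstation has nowhere to go.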

Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: skeezoo8586 on September 03, 2013, 09:05 pm
5. A folder should appear. Now follow these command line using instructions (if you are a non terminal using windows user say "Unto the valley of death, but I fear no evil..."):

Open the command line (it is called LXTerminal and it lives inside the little blue 'Start' button at the bottom left. Click that and then choose Accessories and then LXTerminal).

First you need to get some software that hasn't been installed by default:

Type this in:

sudo apt-get install build-essential

// type in your password upon being prompted for it (you won't see the keys being typed appearing on the screen).
// Follow any instructions. Select Y for yes when prompted. Wait until the install is finished.

********After this step a folder was opened and under the tools menu I selected an option called *open current folder in terminal*
then I went to sudo ./VBoxLinuxAdditions.run
********
I think it took a while for me to understand what exactly I was doing and opening the folder in terminal was the only way I could install the additions. I hope this info can be helpful.
I definitely appreciate astor and pine taking time to spread the word.
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: Yoda on September 05, 2013, 04:30 am
Alternatively, you can replace the default Whonix Workstation with the Lubuntu VM that pine describes here, you just have to manually set the networking to:

gateway: 192.168.0.10
netmask: 255.255.255.0
ip address: 192.168.0.50
dns address: 192.168.0.10

More info on running any OS with Whonix can be found here: https://www.whonix.org/wiki/Other_Operating_Systems
That's basically it.

Did some reading on the Whonix site, yet I'm still left with a few questions.  Forgive my ignorance...

So I Imported the Whonix gateway and have another VM Distro already in VirtualBox.  My thinking is:

Overview:                               VM Distro<-------------->Whonix Gate<---------------------->Host<-------------------->Router/Modem<--->Tor
Network settings:            Internal Adapter<------->[Internal <--->Nat]<---->VirtualBox Host only adapter<---->Router/Modem<--->Tor


Is my thinking here sound?  Your settings above... gateway/netmask/ip/dns... I'm assuming those are what the VM distro must have, correct?  Not the Internal Adapter or VB Host Only Adapter.

To use, I just start the Whonix Gate VM, let it sit there, take no action, input nothing?  Just wait for it to connect to Tor?

And if I understand this correctly, using the VM distro behind the Whonix Gate only protects me from malware I may possibly download, correct?  But I was always under the impression that the act of downloading itself would unmask my modem's external IP anyhow?... rendering all this moot.  No?

Watching my firewall I noticed VBoxNetFlt.sys connecting to some place in Romania 109.163.234.39 (even when VBox wasn't running) ... I got curious and blocked it.  When I do that, it blocks me from accessing even non-tor/TBB/Whonix internet connections... why does it automatically have to route ALL my traffic through this one place in Romania???  Going to my host's network adapter, I unchecked "VirtualBox Bridged Networking Driver".  It cost me a BSOD losing this very post I was in the midst of writing... but now with that done, I'm able to surf the clearweb etc. without having to go through that place in Romania.  This makes no sense to me why it's VirtualBox's default.  Seems dangerous to me. 

Any other settings I'm missing here?  Suggestions? (besides get rid of windows)

I feel like I'm flying blind using this... if I miss one setting I can be totally fucking myself. (Romanian IP?) I think this ignorance/lack of familiarity with Linux is what keeps people away.

Thanks in advance.
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: astor on September 05, 2013, 04:50 am
Did some reading on the Whonix site, yet I'm still left with a few questions.  Forgive my ignorance...

So I Imported the Whonix gateway and have another VM Distro already in VirtualBox.  My thinking is:

Overview:                               VM Distro<-------------->Whonix Gate<---------------------->Host<-------------------->Router/Modem<--->Tor
Network settings:            Internal Adapter<------->[Internal <--->Nat]<---->VirtualBox Host only adapter<---->Router/Modem<--->Tor


Is my thinking here sound?  Your settings above... gateway/netmask/ip/dns... I'm assuming those are what the VM distro must have, correct?  Not the Internal Adapter or VB Host Only Adapter.

Right, I forgot to mention that when you create the Lubuntu (or whatever) VM that will be the Workstation, change the networking to internal bridge and select Whonix, which should be a drop down option after you import the Gateway. Then when you boot Lubuntu or whatever live distro, go to the ethernet network settings and enter that info. Should work instantly.

You don't have to mess with anything on the Gateway.

Quote
To use, I just start the Whonix Gate VM, let it sit there, take no action, input nothing?  Just wait for it to connect to Tor?

Yes, start the Gateway and 20-30 seconds later, start the Workstation.

Quote
And if I understand this correctly, using the VM distro behind the Whonix Gate only protects me from malware I may possibly download, correct?  But I was always under the impression that the act of downloading itself would unmask my modem's external IP anyhow?... rendering all this moot.  No?

No, the applications or malware running inside the VM see a virtual machine with fake serial numbers for the virtual hardware.

That is why they recommend running the Workstation in a VM even if you use physical isolation, ie running the Gateway on a separate computer.

Quote
Watching my firewall I noticed VBoxNetFlt.sys connecting to some place in Romania 109.163.234.39 (even when VBox wasn't running) ... I got curious and blocked it.  When I do that, it blocks me from accessing even non-tor/TBB/Whonix internet connections... why does it automatically have to route ALL my traffic through this one place in Romania???  Going to my host's network adapter, I unchecked "VirtualBox Bridged Networking Driver".  It cost me a BSOD losing this very post I was in the midst of writing... but now with that done, I'm able to surf the clearweb etc. without having to go through that place in Romania.  This makes no sense to me why it's VirtualBox's default.  Seems dangerous to me. 

That's a Tor relay:  http://torstatus.blutmagie.de/router_detail.php?FP=6225fcfd48db3ddc78405f2e6af4cb15b056d846

It also has the entry guard flag, so it was most likely one of your Tor Gateway's entry guards. Are you absolutely SURE the Gateway wasn't running, because whenever people tell me they are 100% sure of something, it turns out that 95% of the time they are wrong.

Quote
Any other settings I'm missing here?  Suggestions? (besides get rid of windows)

You are well protected even if you run JavaScript, Java and Flash, but you should still disable them anyway unless you really need them.

It's also a good idea to add NoScript and HTTPS Everywhere to the browser, and change the user agent to the same thing as TBB so you don't stick out from the crowd.

Quote
I feel like I'm flying blind using this... if I miss one setting I can be totally fucking myself. (Romanian IP?) I think this ignorance/lack of familiarity with Linux is what keeps people away.

Change your start page to check.torproject.org or wtfismyip.com. That way you can always check that it's working, but if it's configured properly, you won't be able to connect to anything except through Tor. Later you might consider using the stream isolation feature for different apps.
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: astor on September 05, 2013, 04:53 am
Also, export your Lubuntu Workstation now as a VirtualBox appliance so you have a clean copy. If it gets fucked up in the future, you can delete it and reimport the appliance. It will take a lot less time than reinstalling Lubuntu.
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: Yoda on September 05, 2013, 06:14 am
Did some reading on the Whonix site, yet I'm still left with a few questions.  Forgive my ignorance...

So I Imported the Whonix gateway and have another VM Distro already in VirtualBox.  My thinking is:

Overview:                               VM Distro<-------------->Whonix Gate<---------------------->Host<-------------------->Router/Modem<--->Tor
Network settings:            Internal Adapter<------->[Internal <--->Nat]<---->VirtualBox Host only adapter<---->Router/Modem<--->Tor


Is my thinking here sound?  Your settings above... gateway/netmask/ip/dns... I'm assuming those are what the VM distro must have, correct?  Not the Internal Adapter or VB Host Only Adapter.

Quote
Watching my firewall I noticed VBoxNetFlt.sys connecting to some place in Romania 109.163.234.39 (even when VBox wasn't running) ... I got curious and blocked it.  When I do that, it blocks me from accessing even non-tor/TBB/Whonix internet connections... why does it automatically have to route ALL my traffic through this one place in Romania???  Going to my host's network adapter, I unchecked "VirtualBox Bridged Networking Driver".  It cost me a BSOD losing this very post I was in the midst of writing... but now with that done, I'm able to surf the clearweb etc. without having to go through that place in Romania.  This makes no sense to me why it's VirtualBox's default.  Seems dangerous to me. 

That's a Tor relay:  http://torstatus.blutmagie.de/router_detail.php?FP=6225fcfd48db3ddc78405f2e6af4cb15b056d846

It also has the entry guard flag, so it was most likely one of your Tor Gateway's entry guards. Are you absolutely SURE the Gateway wasn't running, because whenever people tell me they are 100% sure of something, it turns out that 95% of the time they are wrong.

That VBox Bridge Network driver starts up as soon as I start my computer.  If I didn't let it out, I couldn't use the clear-web nor Tor.  And even the other times I didn't restart, Whonix couldn't have been running since I completely shut down VirtualBox (right?).  So apparently VirtualBox changed my host's adapter to only use this Tor entry guard?  I mean it's fine now that I disabled that driver on my host's LAN... that driver just connects to some sort of subnet 255.255 something now, from there idk. But whatever... I'm not worried now, now that you showed me it's Tor.
Quote
You are well protected even if you run JavaScript, Java and Flash, but you should still disable them anyway unless you really need them.

It's also a good idea to add NoScript and HTTPS Everywhere to the browser, and change the user agent to the same thing as TBB so you don't stick out from the crowd.

Change your start page to check.torproject.org or wtfismyip.com. That way you can always check that it's working, but if it's configured properly, you won't be able to connect to anything except through Tor. Later you might consider using the stream isolation feature for different apps.

Thanks... I'll get on those suggestions.

Quote
Also, export your Lubuntu Workstation now as a VirtualBox appliance so you have a clean copy. If it gets fucked up in the future, you can delete it and reimport the appliance. It will take a lot less time than reinstalling Lubuntu.

So that'd be better than just taking snapshots?   Because I'd be able to easily transfer them anywhere?  Or is there another reason?
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: astor on September 05, 2013, 10:31 am
So that'd be better than just taking snapshots?   Because I'd be able to easily transfer them anywhere?  Or is there another reason?

You can do that too, but I always do it immediately after a fresh install so I have a known clean copy. At some point you may realize your VM is screwed up and you may not be able to determine when that happened.
Title: Re: HOWTO: Pine's Tutorial on stopping LE malware with a virtual machine.
Post by: Bazille on September 05, 2013, 11:55 am
Watching my firewall I noticed VBoxNetFlt.sys connecting to some place in Romania 109.163.234.39 (even when VBox wasn't running) ... I got curious and blocked it.  When I do that, it blocks me from accessing

That's a Tor node of Voxility, a Romanian company which also provides free VPN (vpnbook). They gave VPN log data to the USA which was used against Anonymous. Though that doesn't mean you need to be concerned about it.

Quote
Any other settings I'm missing here?  Suggestions? (besides get rid of windows)

Have a look at my Xubuntu VM tutorial, where I tried to make a fresh install of Xubuntu almost as safe as the Whonix workstation (but not as safe as using Whonix gateway with Whonix workstation). Especially look at the part about time synching and where the VirtualBox .xml gets edited to anonymize the hardware infos. It also shows how to make a normal Firefox look more like a Windows Tor Browser to a website gathering infos about the browser. Though it only looks like it, Tor Browser is still safer because of patches.

http://dkn255hz262ypmii.onion/index.php?topic=201405.0