Messages - kmfkewm

3661
Security / Re: What is the point of VM's?
« on: January 17, 2012, 03:22 am »
So I talked with some computer security experts regarding this matter. I hold all of them in as high regard as Theo; they are true experts. In general, they all seemed to agree with what Theo was saying about the inherent security issues related to using full hardware virtualization; however, they did not in general come to the same conclusion as he did (that you are better off not isolating Firefox from your external IP address than using full hardware virtualization to do it).

The summary boils down to this: using full hardware virtualization does (very likely) have some security consequences, which could be significant or could be minor. I need to do more research to fully grasp the security implications of using full hardware virtualization, but the people I talked with have at least a decent understanding of the issues. Many of the people I talked with suggested using full hardware virtualization to isolate network facing applications from Tor, saying that the security benefits this certainly brings will likely outweigh the security issues involved with full hardware virtualization. However, paravirtualization such as Xen offers the same isolation benefits as full hardware virtualization does, and it indeed does not have as much potential (probable?) security risk associated with it.

If the user is able to configure and use a paravirtualization system for isolation, they should use it instead of full hardware virtualization. Additionally, OS virtualization such as jails, zones etc. offers much of the same isolation benefits without any of the risk associated with hardware virtualization (full hardware or paravirtualization). OS virtualization is probably easier for an attacker to break out of than hardware virtualization (either full or paravirtualization), but it avoids the risks that Theo is talking about with architecture virtualization security issues. Regarding my hacker friend who had previously told me that hardware virtualization offers stronger isolation, I misunderstood what he said because I didn't have a good enough understanding of virtualization when he was talking about it. Paravirtualization is also hardware virtualization, just not full hardware virtualization. Full hardware virtualization probably is harder to break out of than OS virtualization, but paravirtualization is also probably harder to break out of, and it greatly reduces potential security risks that are present with full hardware virtualization (due to the architecture issues that Theo was discussing).

These virtualization techniques can be layered, however using full hardware virtualization may not be a good idea if you are already using paravirtualization / os virtualization for isolation, because full hardware virtualization may have implementation flaws (including in the hardware that supports it) that could be used as an attack vector. This potential attack vector will not be present if you are not using full hardware virtualization.

So in short, if you can only be bothered to use the easy-to-configure full hardware virtualization solutions like VirtualBox, you should still use them to isolate network facing applications, instead of not isolating network facing applications at all. However, if you can configure the same thing using paravirtualization or OS virtualization, you should use them instead and probably should avoid using full hardware virtualization as an additional layer. However, it is possible that using full hardware virtualization as an additional layer will add more security. It also may make you more insecure than only using OS virtualization or paravirtualization. However, attackers who can penetrate one layer of virtualization based isolation can likely penetrate other layers; using more than one layer may technically increase the 'depth' of the isolation, but it will likely only be slowing an attacker down if they are capable of breaking out of isolation at all. Also, using full hardware virtualization may give attackers an additional vector that they otherwise would not have.

The general theme I saw was "many attackers can not break out of virtualized isolation, however the attackers who can break out of virtualized isolation can probably break out of as many layers of it as you use". And using full hardware virtualization does have potential/probable negative security implications that are not as much of an issue with paravirtualization and I don't think are issues at all with OS virtualization. But the risks of using full hardware virtualization do not outweigh the benefits of isolating Firefox from your external IP address, so if you don't plan to use anything else you should still be using full hardware virtualization based isolation. But there are safer ways to isolate Firefox from your external IP address than using full hardware virtualization that should be used instead, if you have the skill to configure them.

Also, if you have enough extra machines it is probably more secure to use them to isolate firefox from the external IP address than to use a virtualization based solution. However, this doesn't mean you shouldn't use virtualization to do the same thing if you do not have extra machines or the skill required to isolate Firefox in this way.


Here are some quotes:

Quote

"It is clear that you should try to keep network facing applications away from your external IP address"

"Using full hardware virtualization is better than not isolating Firefox, and it is much easier to configure than anything Theo would approve of"

"If they want to argue that full hardware virtualization is worse than not isolating Firefox away from your external IP address, ask them for an exploit that works against a full hardware virtualized system and not on an unisolated Firefox. They will not have one."

"Or ask for an easy to configure Theo approved solution for keeping Firefox isolated from the external IP address."

"One of the main things to keep in mind is that it is much easier to configure full hardware virtualization isolation than to configure any of the potentially better systems"


So there are some quotes from other people who are all security experts of the same caliber as Theo. Theo is also a security expert. They have different opinions. My personal feeling is that you should use paravirtualization or OS virtualization to isolate network facing applications from your external IP address. If you can't be bothered to use paravirtualization or OS virtualization, you should still be using the easy-to-configure full hardware virtualization solutions. Whether you should use full hardware virtualization as an additional layer on top of OS virtualization is open for debate; it certainly has highly probable negative security implications, but it will also add an additional layer of isolation.

I hope that this helps to clear things up, or at least show another perspective on the issue. In the end nobody I talked with really disagreed with anything Theo said, they just think the risks of not isolating network facing applications from external IP address outweigh the risks of using full hardware virtualization to do so. Of course, they also all think that there are better solutions than using full hardware virtualization, they are just much more difficult to implement.

Another thing I would like to mention is that virtualization being used to isolate applications from external IP address has in practice prevented at least one hidden service from being traced after the feds pwnt it. I don't know the sort of virtualization that was used, but I think this is a clear example that there are serious benefits to using *some* sort of virtualization to isolate network facing applications from external IP address.
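The layout the thread keeps coming back to (Tor in one VM, Firefox in another, both on a host-only network, with the host's firewall deciding what may leave) can be made concrete as a rule set. The following is an added example and not code from the original post or from any of the people quoted in it: it models the host's iptables FORWARD and INPUT chains, shows the weak setting (everything on the host-only network may be forwarded out, which is what a compromised Firefox VM needs to reveal the external IP) beside the corrected one (only the Tor VM may leave), and renders each rule as the iptables command it stands for. The interface names, addresses and the Tor port are assumptions chosen for the example.

```python
"""Added example: a model of the host firewall for a two-VM Tor/Firefox layout.
Interface names, addresses and ports are assumptions chosen for the example,
not values taken from the original post."""
from dataclasses import dataclass
from typing import List, Optional

HOSTONLY_IF = "vboxnet0"      # assumed host-only interface on the host
UPLINK_IF = "eth0"            # assumed interface carrying the real (external) IP
HOST_IP = "192.168.56.1"      # assumed host address on the host-only network
TOR_VM = "192.168.56.10"      # assumed address of the VM running Tor
FIREFOX_VM = "192.168.56.20"  # assumed address of the VM running Firefox
TOR_SOCKS_PORT = 9050         # Tor's default SocksPort


@dataclass(frozen=True)
class Packet:
    chain: str            # "FORWARD" (routed through the host) or "INPUT" (to the host)
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    in_if: str = HOSTONLY_IF
    out_if: str = ""


@dataclass(frozen=True)
class Rule:
    """One iptables rule; a None field matches anything."""
    chain: str
    target: str           # "ACCEPT" or "DROP"
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        checks = [(self.chain, p.chain), (self.src, p.src), (self.dst, p.dst),
                  (self.proto, p.proto), (self.dport, p.dport),
                  (self.in_if, p.in_if), (self.out_if, p.out_if)]
        return all(want is None or want == have for want, have in checks)

    def to_iptables(self) -> str:
        parts = ["iptables", "-A", self.chain]
        if self.in_if:
            parts += ["-i", self.in_if]
        if self.out_if:
            parts += ["-o", self.out_if]
        if self.src:
            parts += ["-s", self.src]
        if self.dst:
            parts += ["-d", self.dst]
        if self.proto:
            parts += ["-p", self.proto]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]   # only valid together with -p
        return " ".join(parts + ["-j", self.target])


# Weak setting: anything on the host-only network may be forwarded to the uplink.
# A compromised Firefox VM just routes around Tor and exposes the external IP.
WEAK: List[Rule] = [Rule("FORWARD", "ACCEPT", in_if=HOSTONLY_IF, out_if=UPLINK_IF)]

# Corrected setting: only the Tor VM may leave via the uplink, nothing else is
# forwarded, and the host itself accepts nothing from the VMs.
HARDENED: List[Rule] = [
    Rule("FORWARD", "ACCEPT", src=TOR_VM, in_if=HOSTONLY_IF, out_if=UPLINK_IF),
    Rule("FORWARD", "DROP", in_if=HOSTONLY_IF),
    Rule("INPUT", "DROP", in_if=HOSTONLY_IF),
]

# Guest firewall inside the Tor VM.  VM-to-VM traffic on one host-only segment
# never crosses the host's FORWARD chain, so the host cannot limit what the
# Firefox VM sends to the Tor VM; the Tor VM has to restrict it to the SOCKS port.
TOR_VM_GUEST_RULES: List[Rule] = [
    Rule("INPUT", "ACCEPT", src=FIREFOX_VM, proto="tcp", dport=TOR_SOCKS_PORT),
    Rule("INPUT", "DROP", src=FIREFOX_VM),
]


def evaluate(rules: List[Rule], p: Packet, policy: str = "DROP") -> str:
    """First matching rule wins; otherwise the chain's default policy applies."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policy


def render(rules: List[Rule]) -> List[str]:
    return [r.to_iptables() for r in rules]


if __name__ == "__main__":
    leak = Packet("FORWARD", FIREFOX_VM, "203.0.113.5", "tcp", 443, HOSTONLY_IF, UPLINK_IF)
    print("weak:", evaluate(WEAK, leak, policy="ACCEPT"))   # ACCEPT: external IP exposed
    print("hardened:", evaluate(HARDENED, leak))            # DROP
    print("\n".join(render(HARDENED)))
```

The host still needs a NAT rule for the Tor VM alone (`iptables -t nat -A POSTROUTING -s 192.168.56.10 -o eth0 -j MASQUERADE` with the assumed addresses) and should set the FORWARD and INPUT default policies to DROP so that the model's `policy="DROP"` matches reality. The point the model makes is the one the posts argue over: with the hardened set, code running in the Firefox VM can reach the Tor VM's SOCKS port and nothing else, so even root in that VM only ever sees host-only addresses.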

3662
Off topic / Re: Here's my theory .....
« on: January 17, 2012, 02:38 am »
I thought the whole point of BTC was that it was anonymous, though. I thought you didn't have to send that shit all over the place to make it anonymous; it just was.

In addition to not being inherently anonymous, Bitcoin is inherently linkable because the entire transaction history of the entire network is public for anyone to look at. If you are not using a *real* mixing solution (preferably with blind signatures) or obtaining the bitcoins anonymously (paying with cash in the mail, for example) then you are not anonymous. Bitcoins are as anonymous as the method used to pay for them unless you take steps to further anonymize them.
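The post above says Bitcoin is "inherently linkable" because the whole transaction history is public. The following added example, not code from the original post, shows the simplest form of that linkage: the common-input-ownership heuristic (all inputs of one transaction are assumed to belong to one wallet) applied to a small ledger constructed for the example, followed by a walk along spends from an address whose owner is known. All transactions, addresses and the identity label are made up.

```python
"""Added example: common-input-ownership clustering and spend tracing over a
constructed ledger.  Every transaction, address and label here is made up."""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# (txid, input addresses, [(output address, amount)])
Tx = Tuple[str, List[str], List[Tuple[str, float]]]

LEDGER: List[Tx] = [
    # An exchange that knows its customer pays out to A1.
    ("tx1", ["exchange_hot"], [("A1", 1.00)]),
    # The customer spends A1 and A2 in one transaction: a market deposit plus change.
    ("tx2", ["A1", "A2"], [("market_dep", 0.70), ("A3", 0.30)]),
    # The change moves on again.
    ("tx3", ["A3"], [("A4", 0.29)]),
    # Coins bought with cash in the mail: the seller's address carries no identity.
    ("tx4", ["cash_seller"], [("C1", 0.50)]),
    ("tx5", ["C1"], [("market_dep2", 0.50)]),
]

# What a records request to the exchange would yield (assumed for the example).
KNOWN_IDENTITY: Dict[str, str] = {"A1": "exchange customer #1234"}


class UnionFind:
    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        self.parent[self.find(a)] = self.find(b)


def cluster_by_common_input(ledger: List[Tx]) -> Dict[str, frozenset]:
    """Heuristic: all inputs of one transaction are controlled by one wallet."""
    uf = UnionFind()
    for _, inputs, _ in ledger:
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)
    members: Dict[str, Set[str]] = defaultdict(set)
    for _, inputs, outputs in ledger:
        for addr in inputs + [out for out, _ in outputs]:
            members[uf.find(addr)].add(addr)
    return {addr: frozenset(group) for group in members.values() for addr in group}


def spend_graph(ledger: List[Tx]) -> Dict[str, Set[str]]:
    """Edge from every input address to every output address of the same tx."""
    graph: Dict[str, Set[str]] = defaultdict(set)
    for _, inputs, outputs in ledger:
        for src in inputs:
            graph[src].update(out for out, _ in outputs)
    return graph


def linked_identity(ledger: List[Tx], identities: Dict[str, str], target: str) -> Optional[str]:
    """Return the identity whose coins reach `target`, walking spends and
    expanding through each wallet cluster on the way; None if no link exists."""
    clusters = cluster_by_common_input(ledger)
    graph = spend_graph(ledger)
    for start, label in identities.items():
        seen: Set[str] = set()
        frontier = [start]
        while frontier:
            addr = frontier.pop()
            if addr in seen:
                continue
            seen.add(addr)
            if addr == target:
                return label
            for member in clusters.get(addr, frozenset({addr})):
                frontier.append(member)
                frontier.extend(graph.get(member, ()))
    return None


if __name__ == "__main__":
    print(cluster_by_common_input(LEDGER)["A1"])                   # frozenset({'A1', 'A2'})
    print(linked_identity(LEDGER, KNOWN_IDENTITY, "market_dep"))   # exchange customer #1234
    print(linked_identity(LEDGER, KNOWN_IDENTITY, "market_dep2"))  # None
```

Two things the walk makes visible: A2 was never sent anything by the exchange, yet it is tied to the customer the moment it is spent together with A1, and the change address chain (A3, A4) stays linked however many hops it takes. The cash-bought coins in C1 are unlinked only because nothing in the ledger attaches an identity to their source. A mixer worth the name breaks the input-ownership assumption on purpose (many unrelated owners in one transaction, or a blind-signature scheme that severs deposit from withdrawal); a service that simply forwards coins through its own addresses does not.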

3663
Off topic / Re: Here's my theory .....
« on: January 16, 2012, 01:54 am »
Also I still have not fully ruled out the possibility that SR is run by a federal agency for the purposes of intelligence gathering, however I am leaning against this idea because of the technologies used and the techniques suggested. As long as SR allows Tor and GPG and Bitcoin I think it is trustworthy, although to be fair almost all of the users here are using bitcoin incorrectly and can probably be deanonymized by financial network analysis. DEA might have realized that more people would use bitcoin incorrectly than correctly. However security is in the hands of the user no matter what. It is also possible the FBI or another agency found a zero day exploit in Tor or some other program and decided to launch a massive intelligence gathering operation against the drug using and dealing community (ability to identify 100k drug users and dealers around the world would be a world record setting law enforcement intelligence operation...people would be put in the law enforcement hall of fame). I know of one Tor zero day vulnerability and there is some research team that is claiming to have another although I think they have made extremely overstated claims in the past and are not being taken very seriously as they have not yet disclosed it in technical detail.
I don't think LE are smart enough to do these things though, although users on SR really need to start anonymizing their bitcoins and not by using SR's mix either.

3664
Off topic / Re: Here's my theory .....
« on: January 16, 2012, 01:42 am »
The US government running this sounds like a dream come true. Enabling and facilitating the exchange of substances world wide would make me proud to be an American.

I have day dreamed that it might have non-malicious ties to the US government, perhaps they discovered they can effectively tax the sales of illegal drugs (one of the main reasons statists give for why the government hasn't been in a hurry to make drugs legal). Then I remember that they don't have a monopoly on the market so can't tax it forever with the SR model unless they still bust everyone else who attempts to sell drugs that are untaxed. And then I remember that they don't need to tax drugs because they are already making a fortune via taxing people in the name of fighting the war on drugs and selling us all to the prison industrial slave traders (myself not being a statist and thinking the government wants drugs to be illegal to keep us slaves for their own massive financial and political and other power). IMO it is more likely to be run by the C.I.A. to covertly fund some operation that they don't want the rest of the government to know about, they do need to get funding for their black operations somehow after all. I think the C.I.A. would make a more secure site than SR has though. So most likely it is run by some dude with a bit of technical know how who used to be a small time drug dealer, probably with some business and marketing schooling or experience, who saw the potential of bitcoin and wanted to further the agorist agenda and put some extra cash in his pockets.

3665
Security / Re: What is the point of VM's?
« on: January 16, 2012, 12:30 am »
Quote
like a chrooted Tor daemon

It is funny that you say this because virtualized solutions are widely recognized as more secure isolation than chroot. On most operating systems chroot ships with known jail breaking vulnerabilities. I hope you don't scare people away from using security enhancing solutions into using less secure solutions simply by quoting the opinion of one expert who just happens to be rabidly against almost any form of security that doesn't come from having absolutely perfect code. The fact that you suggest using chroot over using a paravirtualized system seems suspicious to me because it is widely thought that chroot is flawed and paravirtualized solutions offer stronger protection.

Also I am not certain if you can use chroot by itself to isolate firefox from external IP address, but I know you can use paravirtualization and full hardware virtualization to accomplish this goal. OpenBSD has a more secure version of chroot than most operating systems but it is even recognized that the OpenBSD version of chroot has inherent issues which are not present if you use paravirtualization or full hardware virtualization. I will wait for a detailed technical reply from Theo regarding the inherent security risks of using full hardware virtualization before I come to my final conclusion on the matter, but even if he talks poorly about paravirtualization (which avoids many of the issues he mentions when he talks specifically about the full hardware virtualization solution virtualbox, in the quotes you misconstrue as discussing virtualization based isolation in general) I will still be using it because I know it is a technique suggested by a number of very skilled security researchers, with Theo being (potentially) opposed to it but also not being the final authority regarding computer security.

For example, Qubes gains much of its security by automatically putting every launched application in an isolated virtualized environment, and FreeBSD ships with jails, which also allow you to isolate applications with a layer of virtualization. Also OpenSolaris has built in support for virtualization for security, OpenSolaris Zones. Qubes, jails and zones use virtualization that doesn't virtualize all of the hardware. Also Inferno uses virtual machines, although I am not sure which type; I don't know much about Inferno.

Again, I need to hear specific security risks from Theo before I come to my final conclusion on using full hardware virtualization, but right now I am leaning against it and towards using paravirtualization / OS virtualization solutions simply from what I have heard (from Theo, from other hackers who suggest not using VirtualBox or VMware due to code complexity and incorrectness of the hypervisor) and from what I have seen (Qubes, OpenSolaris and FreeBSD use non-full hardware virtualization based isolation, although I am not sure if this is for security or for the other benefits it brings). I am still not convinced that it is actually a security risk to use full hardware virtualization systems, and I doubt I will ever be convinced against using virtualization based isolation at all.



Quote
vnconfig and virtual drives are essentially the same as using a VM for what we want (conceal your IP if anybody breaks in) except the difference is this virtual partition isn't being booted over buggy emulated hardware that hasn't been security audited whatsoever. vnconfig is integrated into OpenBSD and has been audited. Should an attacker breach tor somehow, they're now stuck on an encrypted virtual disk, on a separate partition in a chroot behind a firewall/NAT etc. so they'll only ever see internal IP addresses should they break out of chroot (which is incredibly easy to do.. chroot basically prevents applications from overloading mem and other problems, it's not really used for 'security' per se as anybody getting into a chroot can break out of it in a few easy steps according to these developers http://kerneltrap.org/Linux/Abusing_chroot)

Tor knows your real IP address so if they pwn Tor they have located you. If they can pwn Firefox they can configure it to go around Tor or use other techniques to determine your IP address, unless you take active measures against this happening. I don't think chrooting Firefox, by itself, can be used to prevent this. Explain in technical detail how to isolate an attacker who pwns Firefox from being able to determine your external IP address by using vnconfig/chroot because I currently don't know how to do this. I will look over your solution and have some friends look it over as well. I am not saying it won't work, I just am not sure how to do it, or if it will work. I do know you can run Tor on a dedicated machine and Firefox on another machine with only an internal IP address though, and I think this should be able to give isolation as well.

Yes chroot on most OS is easy to break out of but OpenBSD has a more secure version. However, most security people I talk with suggest using virtualization techniques for isolation over chroot because of how historically insecure chroot is.

Quote
After experimenting around with vnconfig making encrypted virtual disks and secure partitions I think I've managed to set up a pretty bulletproof tor session should the worst case scenario happen: NSA or Chineez government cracks/hax00rs tor, somehow the feds learn this method and use it to round us all up. Or worse my competitors find out this method and come after me :X

This indicates to me that you don't know what you are talking about, because it isn't Tor that you should be isolating so much as it is your network facing applications. If Tor itself is pwnt you are fucked no matter how many layers of isolation you are using.

Quote
and I can't believe I wasted so much time using X.

I can agree with this to an extent; I use the command line for most things now. I only use the command line for servers.

Quote
Loïc Duflot an expert in smashing out of X has basically said for a decade that X is not secure whatsoever no matter what tricks you do to isolate it.

X is insecure but there are various isolation tricks you can use. Qubes offers X isolation. You can also get your own X isolation by using virtualization. BTW OpenBSD with X Windows is just as insecure as any other OS, if a single application is pwnt the attacker can EOP to root because there is NO GUI ISOLATION WITH X WINDOWS. The attacker can spy on ALL of your keystrokes and steal your password when you SU to root in a windowed terminal. This can be fixed by using virtualization. I wonder if Theo is aware of this.

Quote
Problem with computer security is the people that actually really know about it ....and allow misinformation like using Virtual Machines as a security barrier to exist unchallenged

This is cherry picking. There are numerous security experts who are strong advocates of using virtual machines for isolation. I am not certain if they would advocate the use of full hardware virtualization though (I will ask, and I also eagerly await some technical details from Theo explaining how full hardware virtualization is not only completely worthless but also horribly insecure), but I know the FreeBSD devs and the Qubes devs and the OpenSolaris devs and the seL4 devs are advocates of using virtualization for isolation. So are many other security experts. You have a biased opinion on virtualization based isolation if you are basing your opinion only on what the OpenBSD devs say. They are very against virtualization and imo seem to be against security via isolation in general, instead hoping that you use *only* code that has been audited by them for the past decade, because *only they* know how to write anything that isn't totally insecure shit.

Quote
At least Theo De Raadt and RMS are telling people they're utter fools for using a VM for security. Nobody else is, although if you ask any developer they'll immediately tell you he's right from what I've been researching around IRC on dev channels. Sure these guys are abrasive complete neckbeard assholes, but it's their near religious conviction to freedom that makes them stand out from the legions of corporate drones and technocrats that typically infest the field of security.

First of all, things are not as cut and dried as you make them seem. There are numerous people who are widely recognized as security experts who advocate the use of virtualization based isolation. I may have fucked up by advocating for full hardware virtualization over / in addition to other sorts though, I need to do a little more research on this before I come to my final conclusion. Anyway, the three primary 'philosophies' of computer security are correctness, isolation and randomization. OpenBSD devs are religiously committed to security via correctness (although they do have very sophisticated randomization systems and have before pretty much anyone else, and they do have two tools for isolation but none of them use virtual machines or MACs). Others prefer security via isolation, knowing that only formally verified software is perfectly correct and that very very very little software has been formally verified, and that randomization can't protect from everything. It is a lie to say that any developer will immediately tell you Theo is right about this, many will immediately tell you that he is wrong actually. Most of the people who are big on security via isolation will tell you that he is wrong. Ask the Qubes devs or the FreeBSD devs or the OpenSolaris devs or the seL4 devs.

Quote
I think Theo is right, the large corporate mass of security consultants are mainly con men who expertly fool people into thinking running 3 O/S's in a Virtual Machine is more secure than actually setting up 3 servers like you're supposed to so they can bid lower on contracts and keep most of the money for themselves. This is why Antisec, Anon, LulzSec, Carders and spammers have so much success is because of these con men fooling everybody into drinking snake oil.

I will concede that using full hardware virtualization MAY not be the best solution, it may be better to use other sorts of virtualization which will avoid all of the potential (although unsubstantiated and unexplained in technical detail) problems that you/Theo have brought up (well, IOMMU is also needed to fix some of them). I need to do more research before I conclusively say that full hardware virtualization should be abandoned in favor of using other sorts exclusively.

I personally am not convinced that you know what you are talking about and are not cleverly cherry picking opinions of certain people (none of which have yet said anything about anything other than full hardware virtualization, and I am not even sure I agree with his opinion on this yet I need to hear technical details and I need to talk with other security professionals including people who are fans of security via isolation) in an attempt to scare people away from more secure solutions. For one I don't think anyone other than maybe the OpenBSD devs would suggest using chroot for isolation over using jails for example. I will concede that you / Theo may be correct about the risks of full hardware virtualization though, I just need more time to research the matter. I also already know that the potential risks will not apply nearly as much if at all to other virtualized isolation solutions as they will to full hardware virtualization solutions.

Also I have heard from one hacker who I respect that breaking out of full hardware virtualization is actually more difficult than breaking out of other types of virtualization...I will ask him for his opinion on this issue as well. Essentially I need to do more research on this before I can make a more educated and conclusive reply to Theo's comments on full hardware virtualization, but in short I am not sold on what he says and even if he turns out to be correct what he is talking about will apply much more strongly to full hardware virtualization than to other sorts.

edit: fixed technical error in what I wrote calling some systems that are not paravirtualization paravirtualization. Again, I am not an expert on virtualization and wish I had a few days worth of free time to read up on it in depth before I made a reply to this thread.

3666
Security / Re: What is the point of VM's?
« on: January 14, 2012, 12:32 pm »
Also you make it seem like your quoted responses from Theo are responses to you in particular, in relation to things that I in particular am saying, but I found those same exact quotes from him on a number of security and virtualization related discussion forums. I really would need to see the original questions asked to him to better understand his responses.

3667
Security / Re: What is the point of VM's?
« on: January 14, 2012, 11:33 am »
Quote
While x86 hardware has the same page-protection hardware that an IBM
390 architecture machine has, modern PC machines are a mess.  They are
architecturally so dirty, that parts of the video, keyboard, and other
IO devices are interfaced with even to do simple things like context
switching processes and handling interrupts. 

Has Theo never heard of IOMMU? From Wikipedia:

Quote
An input/output memory management unit (IOMMU) enables guest virtual machines to directly use peripheral devices, such as Ethernet, accelerated graphics cards, and hard-drive controllers, through DMA and interrupt remapping. This is sometimes called PCI passthrough.[30] Both AMD and Intel have released specifications:

    * AMD's I/O Virtualization Technology, "AMD-Vi", originally called "IOMMU".[31]
    * Intel's "Virtualization Technology for Directed I/O" (VT-d).[32] Included in most but not all Nehalem based processors. [33]

I know Qubes uses IOMMU and that it is supported by Xen, not sure if it works with VirtualBox or full hardware virtualization though. I think this should offer isolation on the layer that Theo is currently bitching about. Also lack of IOMMU with seL4 is one reason the Qubes dev gave for why they went with Xen instead of seL4, even though seL4 is provably correct at what it does.

This is really fairly cutting edge computer science / computer security shit and I can't claim to be an expert on these matters, but it is the stuff I am currently researching and trying to understand. In the past few months I have come to one conclusion though and it is that I was wrong to suggest VirtualBox be used for isolation, I should have suggested Xen and I will personally be switching from VirtualBox to Xen. Last I checked Xen is much more difficult to configure and use than VirtualBox is, for the average user. If this is still the case, if you decide to go with VirtualBox or nothing, I would still suggest VirtualBox and isolating network facing applications away from Tor with it. The feds are not the caliber of attacker that Theo is worried about when he discusses security issues, and I am not convinced of his apparent claims that using virtualization is not only worthless but also a huge security threat in and of itself (I would really love for him to explain this in deep technical detail).

3668
Security / Re: What is the point of VM's?
« on: January 14, 2012, 10:55 am »
Please give me a link to the thing about virtual machines and truecrypt because I can't find a single thing about it despite lots of google.

3669
Security / Re: What is the point of VM's?
« on: January 14, 2012, 05:53 am »
Also keep in mind when you talk with security researchers like Theo and others, that they are quite probably imagining the adversary as being on the level of an intelligence agency. My opinion is that just because the NSA can pwn your isolation layers doesn't mean you shouldn't use them when they will prevent the feds from pwning your ass.

3670
Security / Re: What is the point of VM's?
« on: January 14, 2012, 05:50 am »
I need to read about the truecrypt and  VM security thing before I comment on it.

3671
Security / Re: What is the point of VM's?
« on: January 14, 2012, 05:49 am »
I will make a more detailed response to this soon, but for now just let me say that it is pointless to argue with the OpenBSD devs because they are religiously devoted to their security philosophy, but just realize that their ideas are not shared by at least some number of other security researchers who are just as validly called leading experts. For example, I would love to see what the Qubes team has to say in response to this. I like to use OpenBSD for the guest because it has 64-bit ASLR, the NX bit, and a bare bones highly correct base install.

Quote
You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.

He is absolutely deluded to think that you shouldn't add layers for an attacker to go through, that they otherwise wouldn't have to go through, simply because they may be able to get through them. Of course most hypervisors are not perfectly correct (other than maybe seL4 if it counts as a hypervisor), but that doesn't change the fact that they add an additional layer for your adversary to penetrate.

Is Theo aware that this discussion is in regards to hiding your IP address from an attacker? He really should be aware of the wider topic of discussion before he comments on the technique.

Anyway the argument I am seeing here is "virtualization isolation is worthless because virtualization technology is not perfectly correct, and only correctness matters". This is such a shitty way to look at things. OpenBSD hasn't been formally verified so you shouldn't use it because it may have security vulnerabilities that an attacker can exploit if they spend enough time looking for them. I wonder what he has to say in reply to that.

Quote
if the actual hardware let us do more isolation than we do today, we would actually do it in our operating system. The problem is the hardware DOES NOT actually give us more isolation abilities, therefore the VM does not actually do anything what the say they do

First of all this sentence makes little sense to me so it is hard to reply to it. I know little about hardware isolation so I can not really comment on this yet I need to read some papers on it that I have but have not had the time to read. I am thinking of things like the Tor routers that run Tor on a purpose specific device rather than requiring the user to run it on their operating system, however I think he is probably talking about things like AMD-v. Please ask him to clarify this sentence and go into technical detail.


Quote
While x86 hardware has the same page-protection hardware that an IBM
390 architecture machine has, modern PC machines are a mess.  They are
architecturally so dirty, that parts of the video, keyboard, and other
IO devices are interfaced with even to do simple things like context
switching processes and handling interrupts.  Those of us who have
experience with the gory bits of the x86 architecture can clearly say
that we know what would be involved in virtualizing it, and if it was
so simple, we would not still be fixing bugs in the exact same area in
our operating system going on 12 years.

I need more time to think on a response to this than I have right now, but I would like to mention that I am not even talking about virtualizing the x86 architecture but rather x86-64, although what he says may very well still hold true for that. Also now is a good time to mention the distinction between virtualization solutions like VirtualBox (full hardware virtualization) and systems like Xen (paravirtualization). I think that paravirtualization will avoid all of the potential problems Theo mentions here, and this now further strengthens my belief that Xen should be used over VirtualBox or VMware.

Also, allow me to say that I am not an expert on virtualization, or even on computers, especially as compared to people like Theo, but I can recognize that, as good at security as he is, other people who are just as good as him or possibly even better (I cannot tell) use different strategies than he does.

Quote
We know what a VM operating system has to do to deal with the PC
architecture.  It is too complex to get perfectly right.

Well, I am not an expert on this matter, but I think seL4 offers a provably correct layer of isolation in addition to using paravirtualization. I need to research this more before I make any definitive claims, though.

Quote
And now you've entered into the layered approach where *any error* in
the PC model exposed to the client operating system is not just a
crashing bug -- it is now exploitable.

I don't follow his logic of how everything is now an exploitable bug; please ask him to clarify for me. The layered approach, aka defense in depth, is favored by many security professionals. And again, please inform him that this discussion is related to a technique for hiding your IP address from an attacker who roots your Firefox VM, while using Tor in another VM and host-only routing with firewall rules on the host.

Quote
It might be nice, but it is stupid.  And anyone who thinks there is
any security advantage at any level knows nothing about PC
architecture..

That is a pretty big claim to make, considering there are a ton of world-leading security research teams who are focusing on using virtualization in this way for security advantages. Then again, Theo is a world-leading security expert. He knows more than I do about computer security. So do people who disagree with him.

Quote
This massive move towards VM use is a worrying trend and I am scared
of the side effects we will face from so many people (essentially)
choosing to run 3 operating systems instead of 1 ... and doing this
when their guest choice is 'OpenBSD for security'. I really wonder
how people arrive at such a position... without logic or technological
understanding, I suppose.

He thinks it is a worrying trend. The people doing it think it is the future of computer security. I see Theo's logic as being that virtualization being used for isolation like this is a bad idea because the virtualization technology is not perfectly correct and can be broken out of. My response to this sort of logic is that people should work on making a correct hypervisor, then. Or that you shouldn't use OpenBSD because it isn't formally verified, sarcastically of course.

I will make a better, more detailed response to this post soon; I don't have time right now to spend the time required to think and research for a better post. Arguing with people of this caliber is a good way to look like a dumbass because they are widely recognized as leading experts, but I know that I have logic in my arguments and that others who are equally as impressive as Theo would also argue against him in similar ways to how I have. However, I wish he was having this debate with the Qubes research team or the seL4 people instead of me.
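
The host-only routing layout this post keeps referring to (Firefox in one VM, Tor in a second VM, firewall rules on the host so a rooted Firefox VM never sees the real address), written out as an added example; it is not code from the original post or from any project named in the thread. It assumes a Linux host running VirtualBox with its default host-only network and a Linux gateway VM using iptables; the subnet, addresses, interface names, Tor account and ports are constructed values, and the workstation VM is assumed to have the gateway VM as its only route.

```shell
#!/bin/sh
# Host-only routing for a Firefox workstation VM and a Tor gateway VM.
# Added example; everything below (subnet, addresses, interface names,
# Tor account and ports) is a constructed assumption, not from the thread.
set -eu

HOSTONLY_IF="${HOSTONLY_IF:-vboxnet0}"            # host side of host-only net
HOSTONLY_NET="${HOSTONLY_NET:-192.168.56.0/24}"
WORKSTATION_VM="${WORKSTATION_VM:-192.168.56.20}" # Firefox VM
GW_INSIDE_IF="${GW_INSIDE_IF:-eth1}"              # gateway NIC on host-only net
GW_UPLINK_IF="${GW_UPLINK_IF:-eth0}"              # gateway NIC with internet
TOR_USER="${TOR_USER:-debian-tor}"                # account Tor runs as
TOR_SOCKS="${TOR_SOCKS:-9050}"                    # Tor SocksPort on gateway
TOR_DNS="${TOR_DNS:-5353}"                        # Tor DNSPort on gateway

# HOST policy, in iptables-restore format so it can be reviewed (or
# checked by a test) without root. iptables-restore replaces the whole
# filter table, so merge this with any existing host rules first.
gen_host_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The host offers nothing to the VMs: a rooted workstation must not reach
# sshd, X, CUPS or anything else listening on the host.
-A INPUT -i ${HOSTONLY_IF} -j DROP
# The host never routes the host-only subnet; the workstation's only way
# out is the gateway VM's own uplink.
-A FORWARD -i ${HOSTONLY_IF} -j DROP
-A FORWARD -o ${HOSTONLY_IF} -j DROP
# Catch a leaked route or misconfigured bridge on the host itself.
-A OUTPUT ! -o ${HOSTONLY_IF} -s ${HOSTONLY_NET} -j DROP
COMMIT
EOF
}

# GATEWAY VM policy. Frames between two VMs on a VirtualBox host-only
# network are switched inside VirtualBox's driver and never pass the
# host's netfilter, so "workstation may talk only to Tor's ports" has to
# be enforced here, inside the gateway, not on the host.
gen_gateway_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only the workstation, and only Tor's SOCKS and DNS ports.
-A INPUT -i ${GW_INSIDE_IF} -s ${WORKSTATION_VM} -p tcp --dport ${TOR_SOCKS} -j ACCEPT
-A INPUT -i ${GW_INSIDE_IF} -s ${WORKSTATION_VM} -p udp --dport ${TOR_DNS} -j ACCEPT
# DHCP on the uplink (VirtualBox NAT hands out the address).
-A INPUT -i ${GW_UPLINK_IF} -p udp --sport 67 --dport 68 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o ${GW_UPLINK_IF} -p udp --sport 68 --dport 67 -j ACCEPT
# Only the Tor daemon may originate connections on the uplink, so no
# other process in the gateway can send anything around Tor.
-A OUTPUT -o ${GW_UPLINK_IF} -m owner --uid-owner ${TOR_USER} -j ACCEPT
COMMIT
EOF
}

apply_rules() {  # apply_rules host|gateway, run as root on that machine
    sysctl -q -w net.ipv4.ip_forward=0   # neither machine routes packets
    "gen_${1}_rules" | iptables-restore
}

case "${1:-}" in
    host|gateway) apply_rules "$1" ;;
    *) echo "usage: $0 host|gateway (as root); or source it and call gen_*_rules" >&2 ;;
esac
```

Because the host drops everything arriving from and forwarded through the host-only interface, a rooted workstation VM can still reach the gateway's SOCKS port but has no path to the host's services or to the host's uplink, which is the property the post is after.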

3672
Security / Re: What is the point of VM's?
« on: January 13, 2012, 10:57 pm »
Quote
How does it all matter? Using VMs is completely impractical. It is, I would say, suicidal to have such kind of things on your hard disk. For example, you are going to travel; your notebook can be detained for 2-3 days in the airport, just because they don't like you. Your Linux on a pen drive is far more simple and leaves you with much fewer security concerns. An encrypted disk is supposed to save you from trouble - an encrypted disk means you are in big trouble.

You don't know what you are talking about. If you are worried about what is practical instead of what is secure, then you are in the wrong line of work. Also, encryption is your friend, and it works just as well on a hard disk as it does on a USB drive. Linux on a pen drive is a good idea, but all of the preconfigured live operating systems I have seen are toys when it comes to security. There are a lot of security toys. Not having an encrypted disk means you are in big trouble.

Quote
I have 3 computers in my office, and one day, when I saw that virtual machines started mushrooming, I said to myself, that is enough. I want my life back.

You won't have a life when you are traced by the DEA when they exploit a Firefox vulnerability. If the same attacker couldn't break out of your virtualization system's hypervisor or pwn the Tor application, you will really be kicking yourself in the ass when you are in prison.

Quote
My point is that if you have an option which is more simple, which will keep you less concerned, more secure, then what do you need all those VMs for?

No, your solution of using Linux on a pen drive is not inherently more secure. Of course, you could have a pen drive that has a Linux host on it and still use layers of isolation.

Quote
Obviously for SR purposes you would not want your VM stored on a local HDD

Why not? You encrypt your HDD, don't you?

Quote
This, of course, would be stupid; however, on a USB drive it's quite practical and gives you a reasonable level of isolation, preventing potentially incriminating data from residing on the hosting machine, which is the entire purpose.

I fail to see the difference between an encrypted HDD and an encrypted USB drive that you mention. There are differences with security implications, but in these cases the HDD is more secure. If you know what you are doing, encryption used on an HDD and on a USB drive will offer the same security; there is no 'of course this would be stupid' about it.

Also, you are correct in your description of isolation, but the goal of virtualization being used in the way I mention is not so much to prevent incriminating data from being stored on the host system (although it will help with this also) but rather to prevent an attacker who pwns one of your internet-facing applications from spreading to other applications or items of interest / getting to the host OS. That is the main security benefit of using virtualization like this, imo. Encryption and data destruction programs have the main goal of preventing incriminating information on your HDD from being gathered by an attacker.

Quote
The purpose isn't to make the machine more secure from some sort of hacking threat; it's to contain incriminating data and make it easily disposable in the unfortunate event that you feel you may be under threat by LE, or in the other case where they are able to obtain said USB drive, to make the data forensically impractical (or impossible) to retrieve. A VM with high levels of encryption accomplishes that goal quite easily and in a practical manner. The other piece is the practicality of cracking down on buyers/vendors (see below for more on this).

No, the main purpose of using isolation like this is to protect from hacking threats. There is an added advantage that it contains incriminating data, but you should be using encryption and data destruction programs for the purpose you mention.

Quote
What are you protecting against? This isn't a literal question but one that should always be asked and used to determine the practicality of using a solution like this. Sure, there are people looking to maliciously attack the average user for things like credit card fraud and access to personal data for identity theft and other various things, corporate espionage, etc.; the list is endless. However, for the purposes of SR this is completely impractical. This security threat is not in any way unique to the community here; it exists for all internet users.

You are protecting from hackers. It is just as likely users of SR will be targeted as it is that users of a given carder or any other illegal forum will be targeted. Carders say the same shit about drug forums. Everyone uses cognitive defense mechanisms when they are putting their life on the line, but a truly smart person will try not to do this because it weakens security. Yes, the threat exists for all internet users, but the users here are far more likely to be targeted with sophisticated technical attacks than the average internet user is.

Quote
Secondly, and more importantly, nobody is going to waste their time going after buyers who buy for personal use. Why, you say? It's VERY simple.

Sure they will; a statistic is a statistic. Plus, buyers here are probably part of IRL drug networks.

Quote
Assuming there are 150,000 users on SR (round numbers), that equates to less than 0.003% of the world's population. Not only is this an extremely small amount, but the 'reward' for busting or otherwise cracking down on this percentage is minimal at best. Think about how many people order an ounce of weed here and there and use SR for very little else. What government agency is going to spend the kind of resources it would take to make that arrest? None; it's simply not practical and exceptionally difficult in the first place.

Government agencies exist to fund themselves. The agents get paychecks regardless of who they bust. They are looking for numbers. SR has a large number of drug users on it, and it offers a convenient way to target large numbers of people because it is centralized in many ways. Please get out of your cognitive defense mechanisms and your distorted view of government and police before it lands your ass in jail. Government agencies don't spend resources; they steal resources from the people. The government will be very happy to say they need to steal a few extra million tax dollars to bust the users on Silk Road, and the personal users who are busted will be talked about as international drug traffickers who are part of a major drug network that uses military-grade technology to evade police and launder money, etc. When you read of big busts in the news, in many of those cases the people actually busted are fairly small time, but the stories are played up so much and so dramatized that it paints a false picture.

Quote
So we move on to the vendors, who would be much more 'rewarding' targets; however, there are less than 250 vendors on SR! This equates to less than 0.000004% of the world's population, so bearing this in mind, again, WHO would bother? It would be a largely unrewarding waste of time to attempt to make this sort of bust.

If you make any subset of drug dealers based on any characteristic, you can say that they are a small percentage of the total drug-dealing population, but obviously drug dealers are targeted and sent to prison. So your entire logic is flawed.

Quote
I'm not saying that VMs are the most secure out there, but they do offer an additional layer of security from a data protection standpoint as it relates specifically to SR and LE. While all of the security concerns in this thread are valid, they are not unique to SR, nor are they less of a threat anywhere else. While I am certainly in favor of being secure, there is a point at which you are doing it for the sake of doing it, as it adds less and less practical value. Sure, is it 'cool' to have a truly unhackable secure setup? Absolutely, and really quite fascinating, but at the same time what do you really gain? Once you pass that point where you've done 'enough' to secure things in a reasonable fashion, all you are doing is increasing your bragging rights, because nobody will bother trying to attack you anyways.

Don't underestimate your adversary.

3673
Security / Re: What is the point of VM's?
« on: January 13, 2012, 10:36 pm »
Quote
You can also go total neckbeard commando, text only, and just dual boot OpenBSD 5.0 + something else (Debian? Win7?).
Your encrypted OpenBSD 5.0 partition does nothing but drug business, hacking, sending threats to the NSA, etc. You don't need Xorg; you can do everything from the command line, like encrypting/decrypting emails and sending them through Tor from your @tormail account. Type 'mail' in the command line and get used to working with it (now you have zero email exploits). Then you have persistence, and aren't constantly grabbing new guard nodes, which is a slight anonymity flaw of using Live CDs like Tails/Liberte. For internet, use lynx in your business-only OS. This forum doesn't look as nice using lynx but still works. If the NSA ever (unlikely/tinfoil hat) compromised it and hid 0day Firefox, IE and Aurora exploits, it wouldn't affect you in your bomb shelter operating system from the past that nobody can break.

Since BSD is transparent, you can set up a cron job to nuke absolutely all evidence (history, emails, whatever); there's no bullshit MS page file or system restore backups saving critical information. Then reboot back into your Win7 machine to look at porn, play games, whatever you want.

This is a good softraid tutorial on setting it up:
http://geekyschmidt.com/2011/01/19/configuring-openbsd-softraid-fo-encryption

Then, of course, encrypt the entire HDD for fun and profit with TrueCrypt, and use TrueCrypt containers for crazy sensitive stuff like ordering info, or use LUKS, or keep it on a separate encrypted USB key.

Not having persistent entry guards is actually a major anonymity flaw; there is nothing slight about it. I think Liberte actually does have persistent entry guards, but Amnesia doesn't.

3674
Security / Re: What is the point of VM's?
« on: January 13, 2012, 08:21 pm »
Quote
His answer for virtualization (VirtualBox/VMware/QEMU/Xen etc.) is that it's completely insecure as fuck, and if you use it, you're a complete fool. The received security knowledge is that by using VMs, an attacker needs to do the following in order to compromise your security:

Theo and the OpenBSD people have never been big fans of virtualization or mandatory access control systems being used for security. This is their opinion, and it isn't shared by all expert-level security researchers; it is actually fairly controversial in security circles that OpenBSD has no MAC system, and I personally find it annoying that they have very little virtualization support. Qubes is an OS that was also made by expert-level security researchers, and they focused on the isolation route.

Quote
-break into user account
-escalate to root
-break out of jail to VirtualBox
-root the host system

Really, that is all that you need to do? To hack the system, all you need to do is compromise the system? That list of steps adds no additional information and is inherently obvious. The thing is, to break out of the jail to VirtualBox, or to break out of VirtualBox to the host system, the attacker needs to find an additional vulnerability. Finding an additional vulnerability in the hypervisor of VirtualBox or VMware may not be an extremely difficult thing to do because they use overly complex code bases. The Qubes people went with Xen, and I think it probably has a less complex and more correct hypervisor that will be harder to break out of. seL4 is a formally verified microkernel; some security experts have said that microkernels are essentially hypervisors, so if the assumptions the seL4 proof is based on hold true and everything was correctly formally verified, it is (I think) provably impossible to break out of the isolation provided by seL4. That goes back to what I said before about having a correct hypervisor. The only real argument against using virtualization in this way is that an attacker can break out of the isolation if they find an additional vulnerability, but guess what, they still need to find/spend an additional zero day, which buys you time in which to detect them, and if you use a correct hypervisor they won't be able to break out of it anyway.

Quote
But that is not the case. Because VMs are primarily for testing and application meddling before deployment, they are coded quickly and definitely not for security. OpenBSD is guaranteed security when running on the supported hardware directly because they've already audited how the software interacts with that hardware and confirmed there are no exploits.

VMs are coded with security in mind as one of the potential uses. Sandboxes are a widely known security technique. Java uses a VM that gives it security advantages over non-interpreted languages. VMs and security go hand in hand, actually. VMs are also used for analysis of viruses, and they are used so the virus cannot affect the host system. VMs are also used in hosting environments so that if one customer is pwnt, the attacker cannot as easily damage other customers.

OpenBSD is not guaranteed security; it hasn't even been formally verified, so there is no proof of correctness. It is highly correct, though, because it has been audited in depth by a large number of security experts and really good coders. OpenBSD probably has fewer vulnerabilities left in it than anything else that hasn't been formally verified. Of course, when you use OpenBSD you will be installing all kinds of additional things that have not been nearly as highly audited and could still contain remote code execution vulnerabilities, such as Firefox. OpenBSD gives an additional layer of protection from these applications being attacked in the form of ASLR, and it has two tools for isolation, Systrace and chroot, but it doesn't have a mandatory access control system and it doesn't support much virtualization technology. This is why I prefer to run OpenBSD as a virtual machine guest instead of the host system.

Quote
With VM software, you have no clue how it will interact because now your hardware is shit emulation that can be escalated. He claims they get OpenBSD security breaches reported all the time from people using VirtualBox, and his answer is 'we don't support x86 shit stacks upon already shit x86 platforms', and the same problem can never be recreated using identical hardware. The bug/security hole isn't in OpenBSD; it's in the VM emulation of that particular hardware device which allows for escalation. In fact, he doesn't even recommend chrooting, as it's basically useless to advanced attackers and a false sense of security when clever partitioning and multiple systems can be used.

Well, you can virtualize a 64-bit OS if you have a CPU that supports hardware virtualization. Of course OpenBSD isn't as secure on 32-bit systems; ASLR on such systems can be brute forced. The same exact problem is created by using a 32-bit OS in any case; ASLR on a 32-bit OS is not secure. OpenBSD has a more secure version of chroot than most other operating systems. And yes, if you are up against the CIA or NSA they will cut through all the layers of isolation that you throw at them, probably near instantly and without being detected, but if you are up against script kiddies to intermediate hackers, a single layer of isolation with virtual machines will imo probably be enough to prevent them from breaking out of isolation. If you are up against advanced hackers who are not CIA or NSA level, they will still probably eventually be able to break out of all layers of isolation that you throw at them, but in this case isolation still buys time in which you can detect them with intrusion detection software.

Quote
So theoretically it sounds awesome confining all your stuff into compartmentalized bubbles to isolate internet-facing applications, but in reality you are making yourself even more insecure, since you are now using unaudited hardware emulation and relying on that for security. Encryption is also not safe while running in a virtual machine.

Please provide me with logs from Theo or any citation that claims it is not safe to use encryption in a virtual machine. Also, I have never heard of virtualization decreasing security before, although I have heard from a number of security experts that vulnerabilities in hypervisors and other things can allow an attacker to break out of the isolation if they can discover and exploit the vulnerabilities. I have also heard from security experts that isolation is the best current technique for security, and that correctness and randomization are not currently at a state where they can be relied on. I have also heard from security experts that isolation like this is worthless and correctness is the only way to go (of course, I guess we just need a correct hypervisor for virtualization-based isolation like this to be the way to go then).

Quote
To properly isolate applications you need different machines running real hardware. Since OpenBSD just needs 64 MB of memory to run Tor/Arm, or even less to act as a firewall, you could buy shitty old used server racks and stack them to host your internet-facing applications behind a properly configured firewall that basically jails them the correct way, preventing escalation, like how most banks operate with critical applications like databases all on different servers. A 2.6 GHz, 1 GB RAM old Dell server is $40 where I live, which I configured as a pf firewall/router. Behind that, my regular OpenBSD laptop running softraid0 encryption with TrueCrypt containers. Sensitive internet applications like Tor are simply put on a new partition with zero access rights.

Yes, I agree that hardware-based isolation is better, but ignoring virtualization-based isolation is a bad mistake imo. Banks use hardware chips with isolation layers, and they have still been penetrated by hackers. But just because the most leet hackers in the world can pwn banks doesn't mean they should throw in the towel and use no security technology at all.

Quote
No emulation that relies on the security of Xen or VirtualBox developers running unaudited code, no virtual machine encryption leaks, no root escalation through an OpenBSD zero day (does OpenBSD 0day even exist?), as the pf firewall and intrusion detection system catch it before it can be deployed. Compile everything through ports for stability and a security-audited guarantee.

This is, of course, for Julian Assange-type maximum security, if you're concerned motivated agencies may come after you.

Yes, there have been OpenBSD zero days before, and no, there is no mathematical proof that there never will be again. Also, you run unaudited applications in OpenBSD all the time. Also, if you add layers of isolation you buy more time in which to detect an intrusion; intrusion detection software and isolation go hand in hand. Show me any citation about virtual machines and encryption leaks. Also, there could be a vulnerability in the code of the pf firewall, so it shouldn't be used because a leet hacker might be able to break out of the isolation it provides ;).

3675
Security / Re: What is the point of VM's?
« on: January 13, 2012, 07:52 pm »
Theo de Raadt is one security researcher, and his views on virtualization being used for isolation / security are not held by all security professionals; for example, the team that made Qubes would obviously disagree with him. My favorite thing to say to people who are rabidly against virtual isolation is that if correctness is the only way to be secure, people should make a correct hypervisor, because then the attacker won't be able to break out of it ;). Also, OpenBSD is big on correctness via constant code audits by professionals, but a significant number of security experts will be quick to point out that OpenBSD has pretty shitty support for security via isolation; it is kind of controversial that they have no mandatory access control systems, and its support for virtualization technology is shitty as well. Don't discount the real security advantages of virtualization being used for isolation based on the words of one person, even if he is a world-leading security expert, because others of the same caliber disagree with his position. Defense in depth is imo the best strategy, and it is a shame that the OpenBSD team thinks they can ignore isolation in favor of code correctness. OpenBSD may have very few remote code executions and a history of high correctness, but when you run OpenBSD you will be running other non-audited applications that have plenty of zero day vulnerabilities. It would be nice if you could isolate them with mandatory access control systems and virtual machines, but good luck doing that on OpenBSD.
