Quote from: kmfkewm on August 24, 2012, 10:49 am
> I still advocate for air gaps; they are an insanely powerful security technique. If your plaintexts / private keys / passphrases are never exposed to the internet then you don't have very much to worry about malware. You also do not need to type over every character, you can use disposable one time use media such as a CD to copy over from the machine without internet connection to the machine with internet connection,

*pine faints from relief* :D

Quote from: kmfkewm on August 24, 2012, 10:49 am
> the only copying you need to do is to bring public keys from the internet connected machine to the isolated by air machine, as if you expose it to a CD that has been exposed to the internet it could be bugged and transmit back via the CD you use to transfer ciphertexts from it.

That gave me an idea, probably not an original one.

What if you collect your encrypted messages and public keys et al, and sum up the total number of bytes for each plain text file. Then you burn to CD. If the CD has > the total number of bytes burnt to it, then a sneaky piece of malware is trying to hop along for the ride.

There are probably some caveats, but this seems fairly foolproof to me. You could pop all the plain text files into a compressed folder and then do a SHA hash or checksum of it, but the problem there is that you might be counting/adding the malware along with the plaintext files without being aware of it (this is all on the internet machine, with any checks to be done at the air gapped machine). Do you have any better ideas than mine for detecting malware stowaways on these read only disks?

Also, this air gapped machine. It can't be just any machine. If you're to take this seriously, then you need a machine that physically does not have networking capability, whether wi-fi, Ethernet, or Bluetooth, absolutely anything.

Quote from: kmfkewm on August 24, 2012, 10:49 am
> Using a live CD is not particularly helpful against malware, sure it protects from persistent malware but it doesn't do shit to stop an attacker from deanonymizing you or temporarily being able to eavesdrop on your keystrokes.

How is that possible if it's impossible (in some cases live CD setups) to save any files? How can this be possible without making some manner of change to the client end? Or perhaps I misunderstand you, and you mean many situations in which a live-CD or live-USB may have access to the hard disk, e.g. installing a malware to Liberte's ~persist directory?

Still, I would have thought that this isn't really possible when you have an entire Operating System as being read only with a severely controlled list of possible changes (e.g. like switches on a dashboard, but no alterations to permissions; Liberte, if I remember correctly, does not allow any permissions changes, unless you quickly enter a certain command/series of steps the second the OS loads, and after a couple of minutes it is impossible to even do this).

Please explain more explicitly how an exploit can occur in the typical environment of a live-USB or live-CD, because we're all interested in preventing just that.

Quote from: kmfkewm on August 24, 2012, 10:49 am
> A live USB could even have persistent malware installed to it. The best solution is to layer isolation I believe, I am thinking that SELinux is the way to go about this. Of course making sure that you are taking full advantage of ASLR, and hardening your OS and browser, will also go a long way towards protecting you from malware.

Most live-USB OSes that people will be running are Linux, open source. So if a live USB could have a persistent malware, then so could the Tor software. At some point you have to trust that something works or you'd never get anything done. I would agree though, that specific distributions tailored to the security conscious ought to be closely watched for any red flags, e.g. Liberte, hardened Gentoo, Tails.

I tried using SELinux stuff once. I have to say, it was not exactly accessible and it was a struggle to get anything useful done, even to a geek. Maybe you could point to a tutorial or something that would be the most relevant for what we do here in our situation. I'm a practical animal, or at least I try to be.

I must admit, I've never even heard of ASLR until now (it randomly pushes your data stuff/programs about in memory folks, so a hacker has trouble pinpointing where to exploit). How do you optimize this ASLR stuff best? Does it just mean having the latest OS?

By hardening your OS/Browser, I'm assuming you're talking about using SELinux, and that by Browser you mean the Tor browser. If you modify the TBB or however you've set up the Tor software on your computer, isn't it possible you'll separate yourself from the crowd on the Tor network? e.g. you could change your browser settings to ones that are relatively unique, potentially deanonymizing you. Maybe I misunderstand this, but I like to be sure.

tldr to lurkers; just use linux, safe against 99.9% of the general malware floating around out there.

Quote from: kmfkewm on August 24, 2012, 10:49 am
> > I agree it's important, but at the same time it's a last resort defense, your primary defense should be your anonymity
>
> Anonymity doesn't protect you from malware (generally speaking, although in some cases it can make life harder for an attacker), and malware can deanonymize you. I imagine you have heard of CIPAV?? You can use the best encryption algorithms in the world and the best anonymity network around and it is all going to do jack shit to protect your plaintexts or identity if an attacker roots you. Having strong data and location security without strong defenses from malware is similar to having a fortified door with an open window next to it.

I have heard of CIPAV, it is the FBI software used to obtain ip addresses and I think, to keylog information. I think it was most famously used in a project called Magic Lantern, to compromise some Mafia dudes. And some kid threatening to bomb a school or something equally stupid (although every kid wants this really :D), as per one of your intel reports.

I agree hardening security against malware is important, but I think you're overstating the case to illustrate the point. I'm pretty sure anonymity does protect me from malware to some extent, otherwise I doubt I would be typing this. In order for an attacker to place a rootkit on my machine, they must first put it on my machine. They cannot do that, unless A: they find my machine or B: they rootkit everybody (I think we call this the Chinese approach, lol).

Quote from: kmfkewm on August 24, 2012, 10:49 am
> > In order to compromise a machine, they first need to know where it lives.
>
> This is 110% wrong. In fact, they can find where a machine lives by compromising it. An attacker who manages to root SR and finds a multi-platform exploit for firefox could theoretically take over the computers of everyone using firefox to surf SR, by for example adding malicious javascript to it that exploits a vulnerability in firefox to take over its permissions, which (in most configurations) includes the ability to stop routing through Tor and deanonymize you, and very likely to spy on your plaintexts prior to encrypting them with GPG (through lack of isolation in X for example). In practice it might be more difficult for them to simultaneously pwn every single person here, because some might be using different browsers, some may have javascript turned off, some may be protected by default OS features like ASLR, etc...but it is entirely possible in theory for such an attack to be carried out. So far such things seem like they are far more common for intelligence agencies to do than police forces though.

Ok. But SR does not need JavaScript and many of us don't have it enabled by default. Unless your rootkit is somehow able to manipulate a scriptless browser.

On that subject, I wanted to ask you from before. Can you physically remove the ability of the Tor browser to use scripts? I mean, removing the actual code that would allow an extension, allow a script to be run etc. Seems to me, if you remove that kind of stuff, the odds of exploitation are zilch. My concern would be that such modification might alter the browser signature though. So I was hoping for some input on that idea, whether it's realistically possible and what the ramifications might be.

--

Question. If the malicious JavaScript stops you routing through Tor, then how exactly does this help the enemy? I mean, once you stop routing through Tor, you're on clearnet right, so it's not as if you're going to reach a url like http://dkn255hz262ypmii.onion with this newly clearnetted browser, right? I don't get how stopping Tor routing will deanonymize me. Seems like it just kicks me off the Tor network.

And how the hell is a JavaScript, any JavaScript, going to influence the X window system? JavaScript cannot modify the Operating System. JavaScript can't go about editing configuration files since it can't access the local directories and write to the hard disk. So how in the name of fuck is it possible to spy on GPG software via the X Window system? I am seriously dubious in case you couldn't tell. :D You have surely got to be missing a few steps there. :p

Anyway, I'm not trying to be the Grand Inquisition here, just trying to distill your noggin into a potential series of helpful pint sized tutorials that make sense to anybody, that would be good. Share the wealth! :)

Hardening your machine stuff might be good, but hardening some people out of everybody is better, increases the Anon-Set.

Lastly; isn't there a special piece of hardware, a particular kind of CPU that makes it really tough to compromise encryption? It might have been while it's being done. Your reference to ASLR reminded me of it but I can't remember the name now.

P.S. Who is the author of PolyFront, was that yourself or some other fellow? Curious mammal is curious. Reply by PM if necessary. Actually PM me anyway, I have some interesting shiny new factoids that came my way I'm pretty sure you'll be salivating over or something. :D
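The byte-count and checksum idea for catching stowaways on transfer media, worked through as an added example that is not code from the post or its author: a manifest of explicitly listed files is built on the internet-connected side and checked on the air-gapped side. The file names, sample contents and the MANIFEST.json name are constructed for the demo.

```python
import hashlib, os, shutil, tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_manifest(files):
    """Internet side: size and SHA-256 of exactly the files you mean to carry over."""
    entries = {os.path.basename(p): {"size": os.path.getsize(p), "sha256": sha256_file(p)}
               for p in files}           # explicit list, not a directory walk
    return {"total_bytes": sum(e["size"] for e in entries.values()), "files": entries}

def verify_media(root, manifest, manifest_name="MANIFEST.json"):
    """Air-gapped side: returns a list of findings; an empty list means the disc matches."""
    findings, present = [], {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            rel = os.path.relpath(os.path.join(dirpath, n), root)
            if rel != manifest_name:           # a copy of the manifest may ride along
                present[rel] = os.path.join(dirpath, n)
    expected = manifest["files"]
    for rel, full in present.items():
        if rel not in expected:                # the stowaway case from the post
            findings.append(f"unexpected file: {rel} ({os.path.getsize(full)} bytes)")
        elif os.path.getsize(full) != expected[rel]["size"]:
            findings.append(f"size mismatch: {rel}")
        elif sha256_file(full) != expected[rel]["sha256"]:
            findings.append(f"hash mismatch: {rel}")   # same size, different bytes
    findings += [f"missing file: {rel}" for rel in expected if rel not in present]
    if sum(os.path.getsize(p) for p in present.values()) != manifest["total_bytes"]:
        findings.append("byte total differs from manifest")
    return findings

def demo():
    """Constructed sample: two files 'burnt' to a disc dir, then a stowaway appears."""
    src, disc = tempfile.mkdtemp(), tempfile.mkdtemp()
    sample = {"msg1.asc": b"-----BEGIN PGP MESSAGE-----\n(constructed)\n",
              "pubkey.asc": b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n(constructed)\n"}
    for name, data in sample.items():
        with open(os.path.join(src, name), "wb") as f:
            f.write(data)
        shutil.copy(os.path.join(src, name), disc)   # "burn" to disc
    manifest = build_manifest([os.path.join(src, n) for n in sample])
    clean = verify_media(disc, manifest)
    with open(os.path.join(disc, "extra.bin"), "wb") as f:
        f.write(b"stowaway")                          # uninvited extra file
    tampered = verify_media(disc, manifest)
    shutil.rmtree(src); shutil.rmtree(disc)
    return clean, tampered                            # ([], [unexpected file, byte total])
```

As the post itself notes, the manifest is only as trustworthy as the machine that produced it, so what the check catches is anything on the disc beyond what was deliberately listed. The per-file hash also catches a same-size substitution that a byte total alone would miss.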