---- Part 0 :: Introduction--

In this tutorial I shall demonstrate how it is possible to download files from the Tor Network and use them without worrying about possible LE malware concealed within. Of course you should not be downloading dodgy looking files from mysterious websites, but obviously a LEO operation to spread malware would not be advertising its presence, so it would appear to come from quite legitimate sources, e.g. putting exploits into a PDF press release from the Tor Project or something sneaky like that. Before you roll your eyes, this is the kind of thing that many governments have tried to do before, e.g. redirecting people to fake Tor Project websites, that kind of thing. Don't put it past our Western governments to be playing similar tricks; they're not really getting any better at putting restraints on their behavior, just usually more subtle and far better than most one-party states at using damage control propaganda when they goof up.

I intend for this tutorial to be used when you want to safely open things like compressed zip files or view PDF files. That is the scope of it, so please don't extrapolate too much beyond that.

---- Part 1 :: Some basic questions--

1. What is a VM or Virtual Machine?

The wiki says it is a "completely isolated guest operating system installation within a normal host operating system".

In colloquial English, a VM makes your machine temporarily think it's another machine. Your computer is roleplaying! Awesome.

2. Ok, that's weird, but why would I want a sandbox?

You may remember the advice of the good folks of the Tor Project from when you have downloaded files before now, or when you read the instructions on their website. It went something like this:

Quote
Load external content?
An external application is needed to handle:
http://www.example.com/suspectfile.pdf
NOTE: External applications are NOT Tor safe by default and can unmask you!
If this file is untrusted, you should either save it to view while offline or in a VM, or consider using a transparent Tor Proxy like Tails LiveCD or torsocks.

Remember?! Ok, so this tutorial will show you how to view a file in a VM.

---- Part 2 :: Step by step instructions--

1. Download VirtualBox for your machine's Operating System: https://www.virtualbox.org/wiki/Downloads
2. Obtain an operating system ISO. I strongly suggest using Linux. This tutorial will use a version of Linux called Lubuntu: http://www.lubuntu.net/
3. Exit Tor. Install VirtualBox, go through the installation with all the default options, just click next until it is finished.
4. Run VirtualBox. Up pops a window labelled "Oracle VM VirtualBox Manager". You are good to go.
5. You see a button called 'New'. Clicky.
6. Click Next and;
   6.1 Call your VM something, e.g. Lubuntu OS or topsecretstuff or whatever.
   6.2 Set "Operating System" to Linux.
   6.3 Set "Version" to Ubuntu.
   6.4 Click next.
7. The next screen asks how much RAM to allow the VM to use. Just leave it at the default and click next.
8. The next screen asks how much Hard Drive space you want for your VM. Leave at default settings and click next.
9. The next screen asks what file type to use for your new VM 'HD'. Leave at default and... you may be sensing a theme here.
10. Next screen, leave settings at "Dynamically Allocated" and click next.
11. Virtual Disk File Location and Size. Leave at defaults, click next.
12. Click "Create", and again. Now you're back at the original window. Select your new powered off VM and click 'Start'.
13. The First Run Wizard pops up. Use it to find the Lubuntu ISO you prepared earlier. Click next and then Start. A 'Summary' dialog box will appear for no reason. Click Start yet again to prove to the machine you are in control. The machine respects a firm handler; if you keep second guessing yourself it'll just crash when it feels like it, mooch around the house all summer, come in late after curfew and even hide your socks so you never find matching pairs. That's just how it is.
14. Suddenly your mouse is captured. It is toying with you to see how far it can push you around. Press Right Ctrl to liberate your mouse from its clutches. Not because you need to, but because you can. The screen should read "Language" and show a list of languages with English being the default. Click back on the screen, choose your language with the arrow keys and press the Enter key (See! It captured your mouse for no reason at all!)
15. Now you're back at the Lubuntu installation screen. Use the arrow keys on your keyboard to select "Install Lubuntu" and press Enter.
16. Wait for a moment. A blue screen appears. Wait longer. Sometimes the screen will say technobabble gibberish or change color. The machine now wants to impress you, so things are going as they should be.
17. While the VM is doing its technowizardry, make yourself a nice pot of coffee. Pine recommends using real coffee because although I once could not tell the difference between instant and proper coffee, I have come to realize that the fastest way to wish for a premature demise is to suffer the stench of granulated coffee every morning. As such, consider using good real coffee as an investment in your future health.
18. Lubuntu will now request a language setting. Click what you want and continue. Another screen tells you about something called "best results". Just leave everything at the default and click continue.
19. The Installation Type screen appears. Keep the default option, which is "Erase disk and install Lubuntu", and click continue. Don't worry, it isn't referring to your real machine's hard disk being completely wiped. It is playing with you again! Click Install Now.
20. Sip your coffee while the OS installs. It requests your location. It's tempting to choose Longyearbyen because it sounds so completely made up, but you can choose anything you like as long as it isn't actually your time zone. New York is the default; it's fine to leave it as that for everybody. Continue!
21. Lubuntu now requests a keyboard layout. Marvel at the number of "Englishes" and leave at defaults.
22. Lubuntu now requests:
   22.1 Your Name. Do not enter your real name or any online handle. Anything else is fine.
   22.2 Your computer wants a name too. Give it a name, but not your machine's real name.
   22.3 Your password. Choose anything, but not any password you use elsewhere.
   Click continue.
23. Wait while the OS continues to install. If you are a geek, feel overwhelming relief when you realize Lubuntu doesn't use Unity.
24. At long last it is finished and you click "Restart Now". If you get a blank screen or nothing happens, hammer on the Enter key a few times.
25. After restart, up comes the login screen. Login. It might be slow the first time.

---- Part 3 :: Setting up a Folder Share--

1. Logout of the VM. Logout is located in the bottom left menu button, just as with standard Windows operating systems.
2. Create a special folder on your real machine. Ideally this should be on an encrypted memory stick or similar. This folder is not to be used for anything except passing files to your Virtual Machine, so don't use it for anything else and put it somewhere out of the way.
3. Go back to the "Oracle VM VirtualBox Manager" control panel and select "Shared Folders". Select "Add Shared Folder" (small icon with a '+' in the top right). Set the Folder Path to your special shared folder (should be a 'machine folder'). Tick "Read Only" and "Automount".
4. Power on your VM again. After login, click on the "Devices" menu at the top of the VM. At the bottom of the menu is an option called "Install Guest Additions". Click on that. A dialog box will pop up saying "Removable medium is inserted". That's fine, click Ok.
5. A folder should appear. Now follow these command line instructions (if you are a non-terminal-using Windows user, say "Unto the valley of death, but I fear no evil..."):

Open the command line (it is called LXTerminal and it lives inside the little blue 'Start' button at the bottom left. Click that and then choose Accessories and then LXTerminal).

First you need to get some software that hasn't been installed by default. Type this in:

sudo apt-get install build-essential

// Type in your password upon being prompted for it (you won't see the keys being typed appearing on the screen).
// Follow any instructions. Select Y for yes when prompted. Wait until the install is finished.

Type this in:

cd /media/VBOXADDITIONS_4.1.20_80170

We are unlikely to all have the same version of VBOX Additions over time, so if you just type in cd /media/VBOXADDITIONS and then press your Tab key the terminal will fill in the appropriate directory for you.

// Now you are in the correct directory. Type this in to make sure:

ls

// You should now see a list of files on the screen. One of them is called VBoxLinuxAdditions.run

--
UPDATE: blurbleep says VBoxLinuxAdditions.run may be hiding out elsewhere!

Quote from: blurbleep on December 13, 2012, 06:26 pm
I believe that one change needs to be made to the tutorial. On my machine when looking for the VBoxLinuxAdditions.run it wasn't found in /media/VBOXADDITIONSVERSION, but instead /media/USERNAME/VBOXADDITIONSVERSION.
--

Type this in:

sudo ./VBoxLinuxAdditions.run

// A message will appear: "[sudo] password for YourUserAccountName:"
Type in the password that you use to login to Lubuntu. You won't see the characters appearing on the screen when you do this. This is normal. Enter the password correctly and press Enter.
// You should now see a bunch of stuff happening on the terminal. Wait until it finishes.

Type in:

exit

// Final command line/terminal note. If you get stuck, carefully repeat your steps.

Now reboot the Virtual Machine.

6. Login and click the little blue 'Start' button again. Go to System Tools -> Users and Groups.
7. Select "Manage Groups" and in Group Settings scroll down until you find "vboxsf". When you find this, click on it and select Properties. Tick your username in the Group Members box and enter your password to confirm this.
8. Open the file manager. This is either the picture of a folder next to the blue 'Start' button, or else it is in Accessories.
9. Back in the real machine, put an experimental PDF file into your shared folder on the encrypted memory stick or wherever you have it.
10. Go back to the file manager in the virtual machine and navigate to /media/sf_shared. You should see your test PDF file :)

---- Part 4 :: Battening down the hatches--

We are not yet finished. For this tutorial to have a point, the network connection has to die and we should change the kind of permissions we currently have.

1. Turn off the VM and go back to the VirtualBox Manager window. Select "Network" for your VM. Deselect the tick mark on "Enable Network Adapter". Double check that it reads "disabled" in italics under the "Network" link in the VirtualBox manager.
2. Start up the VM. Login and then go to "System Settings" -> "Users and Groups". Set your account's type to "Desktop User". Now go to "Advanced Settings" and look at the "User Privileges" tab. "Connect to wireless and ethernet networks" and "Share files with the local network" should already be unticked. Untick these other options too:
   [ ] Connect to Internet using a modem.
   [ ] Send and receive faxes.
   [ ] Use modems.

Why are we taking away functionality from ourselves? Because the philosophy of Linux's superior security is that you should only use those powers you need, when you need them, and never otherwise. Strictly speaking my last instruction just above is almost certainly redundant, but pine is a cautious platypus and so should you be too.

3. Maybe getting to the shared folder is annoying you. For ease of getting to the shared folder, open up the terminal and type this:

cd ~/Desktop
ln -s /media/sf_shared/ ./shared

Now there ought to be a shortcut on your Lubuntu desktop which takes you directly to the shared folder with a click.

---- Part 5 :: Possible Issues--

Q: This seems more complicated than it should be. Is there an easier way?
A: Yes. No.

Q: I downloaded the file to the correct folder on my real machine, but I cannot see it in the shared folder on the virtual machine.
A: You need to refresh the file explorer. Go to the shared folder in the virtual machine and press Ctrl-R to refresh.

Q: I have an error that says there's a problem mounting/unmounting the Guest Additions CD thingy.
A: There are two ways. The fastest is to turn the VM off, and then turn it on again.

Q: I only have granulated coffee, can I continue the tutorial?
A: You can, but have you considered the long term implications?

Q: The VM seems awfully sluggish and slow.
A: If this is a persistent issue over a couple of boots, you need to give the VM more RAM to use. Don't give it much more than half of your physical RAM, otherwise your real machine will start becoming the slow one. Turn off the VM and change the RAM setting in the VirtualBox Manager. Also, while you're not using your VM you can always pause it to conserve resources for your real machine.

Q: You don't need to use apt-get install build-essential, you could just request the gcc directly.
A: True. But there can be complications with dependencies and I don't care. This works and is straightforward.

Q: Why don't characters appear on the screen when I type my password?
A: If you're sure you've clicked on the VM window, then it is that the terminal doesn't "echo" typed characters for a password. This is a security feature that prevents a shoulder snooper from seeing the length of a password. Yes, *unix people are more paranoid by default.

Q: There's something wrong/inefficient with the tutorial!
A: Very likely! Tell us what it is then.

Q: I have an issue that isn't addressed here.
A: Speak up on the thread, maybe we can help :)

---- Part 6 :: Important Notes--

In this example I use a lightweight Linux operating system (Linux comes in many different forms/packages called distributions, or just distros) called Lubuntu. I chose this particular one for two characteristics:

1. It is free and I won't have to register an OS license like you would with Mac/Windows.
2. It is a very fast OS. We don't need nine zillion features, we just need a responsive environment with which to read files.

-> You put files into the shared folder. Then you read them from the virtual machine. Don't get confused!
-> Do not move files from the VM to the real machine. If there is malware it could infect one of those files you move back into your real machine.
-> Make sure that shared folders are read only.
-> Any files that go into a shared folder should be considered infected by malware. Why?

The shared folder at the real machine's end should be thought of as a black hole. Information goes in. Information does not come out. The reason for this is simple: if malware in a VM manages to infect a file in the shared folder then the malware will be triggered when you execute/view that file from the real machine.
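The whole scheme rests on two settings, the read-only share and the dead network adapter from Part 4, so it is worth confirming both from inside the guest rather than trusting the VirtualBox dialogs. The script below is an added example, not part of pine's tutorial: it reads the guest kernel's mount table and interface list, the /media/sf_shared path is the tutorial's own, and the optional file-path parameters exist only so the logic can be exercised against constructed samples.

```shell
#!/bin/sh
# Added example (not from the tutorial): guest-side sanity check for the
# sandbox. Run inside the Lubuntu VM from LXTerminal as: sh check.sh --run
# File paths default to the live kernel tables; they can be overridden so
# the checks can be tested against constructed sample files.

# Succeed only if MOUNTPOINT is listed as a vboxsf mount carrying the 'ro'
# option, i.e. "Read Only" really was ticked on the VirtualBox side.
share_is_readonly() {
  mountpoint=$1
  mount_table=${2:-/proc/mounts}
  while read -r _dev mnt fstype opts _rest; do
    [ "$mnt" = "$mountpoint" ] || continue
    [ "$fstype" = "vboxsf" ] || return 1
    case ",$opts," in
      *,ro,*) return 0 ;;
      *) return 1 ;;
    esac
  done < "$mount_table"
  return 1   # the share is not mounted at all
}

# Succeed only if loopback is the sole interface the guest kernel knows
# about, which is what an unticked "Enable Network Adapter" looks like.
only_loopback_present() {
  netdev=${1:-/proc/net/dev}
  # first two lines are headers; the interface name precedes the colon
  tail -n +3 "$netdev" | awk -F: '{ gsub(/ /, "", $1); if ($1 != "lo") bad = 1 } END { exit bad + 0 }'
}

# Report both checks in human-readable form; non-zero exit if either fails.
run_checks() {
  status=0
  if share_is_readonly /media/sf_shared; then
    echo "OK   /media/sf_shared is a read-only vboxsf mount"
  else
    echo "FAIL /media/sf_shared is missing or writable"; status=1
  fi
  if only_loopback_present; then
    echo "OK   no network interface besides lo"
  else
    echo "FAIL a network interface is present in the guest"; status=1
  fi
  return $status
}

case "${1:-}" in --run) run_checks ;; esac
```

A FAIL on the first line usually means the share was added without "Read Only" or the account is not yet in vboxsf; a FAIL on the second means the adapter is still enabled in the VM's Network settings.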
Files you put into the shared folder become untouchable the moment they are placed inside it and the VM is switched on.

Finally, some last words.

Ideally you should be doing validation on files you download: double checking MD5 and SHA hashes, verifying PGP signatures etc., so that you're sure you've downloaded the thing the website owners intended you to receive. However, there are two fairly basic problems with that kind of approach:

1. 80% or so of the people on here probably have never checked or even heard of a SHA hash, let alone understand how they work. I mean, this is ok. We cannot seriously expect everybody to take COMP101 or its equivalent, in the same way that we can't expect everybody to take ECON101 in order to use Bitcoin. Using PGP is a must have, other things less so.
2. Although there are clever ways of compromising your machine (e.g. the redirection to a fake Tor website by screwing around with DNS [this is why you should only download Tor through Tor itself, since Tor can't be fooled by this as it doesn't even use DNS...]), there is the much more basic problem of LE agents forcing the website owners to do a switcheroo with their modified version of the software.

Creating and using a sandbox in the manner I describe is proof against all those scenarios. You don't need to verify a hash (indeed, the majority of files you download don't have them anyway) and it does not matter if you do actually download malware.

This is not a panacea; it is not as secure as having a dedicated machine* exclusively for reading files from the Internet, but it is a 'one time investment' and it will produce more practical security for nearly everybody because it is infinitely better than downloading files via Tor and hoping your virus scanner catches any malware before you open/view those files.

* It would receive them via read only CD/DVD and have no physical net connection. This is called an "Air Gap", i.e. what the Iranians were supposed to be maintaining until Stuxnet got around it. This is going a bit too far for most of us! Kmfkewn said he might make a SELinux (Security-Enhanced Linux) tutorial. We could use that to bring this tutorial to the next level (called 'hardening' in security jargon), just slightly below utilizing an Air Gap, because SELinux was invented by the NSA itself.