Quote from: kmfkewm on August 29, 2012, 11:06 amHaving a shared folder between guest and host breaks the isolationA physical airgap is superior (like Stalin says, no cable, no problem) but after trawling the net for information on virtual machine security it seems pretty clear that without the use of zero day exploits to break out of the VM or the user carelessly taking files from the guest VM and executing or viewing them on the host, the odds of a malware getting through to the real machine is extremely slim. The VM people I spoke to say they've never had a problem, or even heard of a incidence where malware escapes a shared folder without some user interaction from the host. In fact it seems much more likely that malware from the real machine would compromise the VM instead. So while it is true that technically this breaks isolation, this is the 'next best thing' in comparison to simply downloading files from Tor and opening them without any protection. Contraception isn't 100% either! I guess virginity is also a kind of air-gap, haha! :DAlternatively of course, one could run Tor from a VM itself, there would be no shared folders then. But then you have a net connection that a malware could exploit, and I thought that a much bigger source of trouble than using read only shared folders as a "black hole".Do you have any thoughts on improving the above setup ^ in my tutorial (apart from complete physical isolation or feeding the virtual machine read only CDs)? There is always something :) I should also say to any computer newbies that are reading this post: I have endeavored to make it a user friendly guide, but it is always possible I miss some step by assuming you what comes in between, especially in a long tutorial like this, so speak up if you don't know something. Ignorance is nothing to be embarrassed of, there is a always a ready remedy for it.Also, kmfkewn, tell us more about SELinux, I think it is an idea with a lot of potential to improve security, whether it is on the host machine or the guest VM. I don't know much about SELinux at all apart from the name and a general idea of more rigorous access permissions. I don't think I'd include SELinux info on this particular tutorial, this tutorial is just for users of adept to proficient computer skills (with appropriate security level), but I would have it as a 'expert upgrade module' addition to a tutorial such as this. I must reply to some of the things you've been saying recently, in fact I've a lot of other forum posts to catch up on too, esp. poor PGP Club on which I've been a bit lax (but am pleased to have completed several security projects I've been meaning to do squirreled away). I am coming back to you patient PGP comrades, fear not! :)