Quote from: kmfkewm on August 29, 2012, 12:16 pm
SELinux has nothing to do with virtual machines. It takes a lot of work to write profiles for it; in the near future I plan to write some profiles to isolate Firefox and other applications. But unfortunately my time right now is being consumed doing other things.

That's ok, I understand completely. I never seem to have enough time for all my projects either. I was pleased to complete a recent batch of them though :)

Quote from: kmfkewm on August 29, 2012, 12:16 pm
In short I would say that SELinux is best thought of as application-specific restrictions. Ideally you would explicitly define everything that Firefox can do, and then the mandatory access controls will prevent it from doing anything else. Now when an attacker takes over Firefox they do not obtain the abilities of the user that runs it, but rather of the MAC profile created for Firefox, which should be very restricted. Of course how much security this affords you depends on how well you have defined what Firefox should be able to do. It might be appropriate to think of mandatory access controls as a sort of application-level firewall. There are even techniques for getting around this sort of protection though :(

There's a hack for everything, but we accept that you can't reduce the risk of an exploit to zero. Even air gaps have frequently fallen to clever social engineering tricks and Stuxnet-like swamping. For example, I faintly remember that a bunch of air force jets were grounded when a pilot put some software into them (I think it was actually some protection software like an AV or something, but whatever it was it had malware in it).

Quote from: kmfkewm on August 29, 2012, 12:16 pm
One neat thing about SELinux is that it has a default functionality that allows you to isolate applications to their own X window environment. This removes the ability to copy-paste between isolated windows, but it also removes the ability of an attacker who has pwnt one of the windows from using the lack of default isolation to spy on keystrokes to all other windows. Ideally you would isolate applications with this SELinux feature, called simply SELinux sandbox, and then you would write further rules to restrict the individual applications, for example remove Firefox's ability to send traffic except over Tor, etc. SELinux can restrict an application from doing anything that you have not specifically allowed it to do, as well as allow an application to do anything you have not specifically prohibited it from doing. It also has a learning mode where it lets the application do anything but keeps a log of everything the application has done, to aid you in creating rule profiles.

Sounds interesting, and the functionality very useful indeed to the security conscious, but difficult to use. I did try to use SELinux on my own machine once, but it was so incomprehensible I immediately gave up. It is clear that, like PGP, you ideally need to understand the basic principles of how/why it operates; it's not just a matter of flipping a few switches, so to speak.

Quote from: kmfkewm on August 29, 2012, 12:16 pm
Using SELinux for isolation is beyond a doubt seen as the superior choice over using virtual machines, at least by the majority of security researchers. Of course Theo of OpenBSD thinks mandatory access controls are stupid as well, but I think he would say they are vastly superior to using virtualization. Also one exception is the creator of Qubes, who seems to be pretty fond of using Xen-based virtualization for isolation. As far as attackers being able to break out of virtualization....
http://www.neowin.net/forum/topic/1084015-us-cert-warns-of-guest-to-host-vm-escape-vulnerability/
http://seclists.org/fulldisclosure/2010/Mar/550
http://www.slideshare.net/kbour23/d1-t2-jonathan-brossard-breaking-virtualization-by-switching-to-virtual-8086-mode

Yes, but we're not assuming VMs are perfect as an isolation technique; that's acknowledged from the outset. This is (much) 'better practice', not perfect or even best practice. Best practice would be to be using SELinux to harden your system in addition to everything else. I would claim, though, that if you get the 'human factors' correct, then you've solved the majority of the security problems with opening files safely in practice. Or to put it another way, the problems you're tackling above are technical ones, but the real problem is that most people are opening files downloaded from Tor without any protection whatsoever. Today's darknet is all 1970s and free love about downloading files, from what I can see. I do think in practice that there are very few pieces of malware in the wild, as opposed to a security researcher's lab, that are capable of breaking out of a VM without aid from the user. I mean, I bet you weren't able to find actual incidents of companies getting busted because malware broke out of their VMs. There is a good deal of incentive for virus writers to produce malware with that ability, since a lot of these VMs are stacked together in the cloud, and if you compromise a few machines you could suddenly run riot over dozens of corporate networks. I'm not a VM expert, but that much seems obvious.

Quote from: StonedEmo on August 29, 2012, 12:38 pm
Quote from: kmfkewm on August 29, 2012, 11:06 am
Having a shared folder between guest and host breaks the isolation
http://pz65gyca5nrafhrf.onion/PolyFront_2/computer@20security.html
(You did a good job)

That's true, it's a bang-up job, kmfkewm, you can be proud of it. For one thing I keep quoting the bit on anonymity; it works on so many levels. I think that will live into infamy. I see this entire project, from SR to Tor/Bitcoin itself, as just the beginning of something extremely big indeed. Guru is worried about another crypto-anarchic false dawn, but I'm more optimistic. The most important thing to me isn't so much the tutorials, but imparting this sense of rationality/rigor to people. The darknet markets, and in some ways the black market in general, don't do their due diligence, don't do their research in the way that they should. Some particular organized crime groups do adopt the latest ideas and technology with extreme alacrity. These ones are responsible for 90% of all progress, but those represent a tiny fraction of the overall marketplace participants. The majority take a frankly pissant approach that would never be put up with if they were in a corporate or even government environment. The interesting thing is that there *is* a lot of innovation that does come from black markets in various ways (invented half the drugs/more efficient synths, lol), but it's the ability of the few combined with outsize funding that makes it so, and not everybody else.

Anyway, point is that a Black Market education is to be taken seriously, and the PolyFront document is the first step on the path, along with some few other frontier pushers like Strike, Jack Nimble or U.Fester (but they were mostly about clan chem, not this kind of theoretical knowledge). Most criminals have skills in the same sense my waiter and taxi drivers have musical or literary ability. Some few do; the rest are tone deaf or epic procrastinators.

Viva la Revolution Noir! ;)

Quote from: StonedEmo on August 29, 2012, 12:38 pm
What if somebody sends the most important messages using airgaps, and some that are not important are sent to a shared folder? Or one shouldn't use shared folders at all?

It all depends on:
A: Your enemy.
B: Your skill level.
C: Time/Money.

Nobody should be downloading files from Tor and just opening them willy-nilly. The majority of people, as in 99%, should just use the solution with VirtualBox that I described (or some other VM software) or simply not download files via Tor and open them. This doesn't mean it'll be a good solution in a couple of years' time if VM-busting malware becomes more commonplace, but for now I think we're good. It's like having 2048-bit PGP keys. You should upgrade them; right now they're fine, but you ought to upgrade to something larger later. kmfkewm for example may want something more secure, but it's unlikely the majority of people will be able to adopt similar security policies, e.g. using air gaps, since it is just impractical if you're a regular vendor or buyer. Different people should have different security policies, which should depend mostly on bullet point A, then C, then B by some distance.
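The SELinux sandbox setup kmfkewm describes above (a private X server per application, then extra rules so Firefox can only talk to Tor) can be put into a short script. What follows is an added example written for this page, not code from the thread, from kmfkewm's PolyFront document or from the SELinux project. It assumes things the post does not state: that policycoreutils-sandbox and selinux-policy-devel are installed, that the devel Makefile is at /usr/share/selinux/devel/Makefile, that Tor's local ports (9050/9051) carry the tor_port_t label and that the reference-policy interface corenet_tcp_connect_tor_port() exists, and that the application launched by sandbox -X runs in the sandbox_x_client_t domain (check with ps -eZ and change SB_CLIENT_TYPE if your policy names it differently). The weak setting, sandbox_web_t, is shown next to the corrected one for comparison.

```shell
#!/bin/sh
# Added example, not from the original thread: run Firefox under the SELinux
# "sandbox" utility with its own X server, and install a small policy module so
# the sandboxed browser can reach Tor's local ports and nothing else.
# Assumptions (none come from the post): policycoreutils-sandbox and
# selinux-policy-devel installed; Tor on 127.0.0.1:9050 labelled tor_port_t;
# the launched app runs as sandbox_x_client_t (verify: ps -eZ | grep firefox).
set -e

SB_HOME="${SB_HOME:-${HOME:-/tmp}/.sandbox/firefox/home}"
SB_TMP="${SB_TMP:-${HOME:-/tmp}/.sandbox/firefox/tmp}"
SB_TYPE=sandbox_x_t                # private X server, no network of its own
SB_CLIENT_TYPE=sandbox_x_client_t  # domain of the sandboxed app (assumed)
MODULE=sandbox_tor_only

# Weak setting: sandbox_web_t also gives a private X server, but it may connect
# to any HTTP/HTTPS port, so an exploited browser can bypass Tor and expose the
# real address. Shown for comparison only.
weak_sandbox_cmd() {
    printf '%s\n' "sandbox -X -t sandbox_web_t -H $SB_HOME -T $SB_TMP firefox"
}

# Corrected setting: sandbox_x_t, which has no network, plus the module below
# that opens only the Tor ports.
sandbox_cmd() {
    printf '%s\n' "sandbox -X -t $SB_TYPE -H $SB_HOME -T $SB_TMP firefox"
}

# Policy module source. corenet_tcp_connect_tor_port() is assumed to be the
# reference-policy interface for tor_port_t; a build error means the name
# differs on this distribution (grep /usr/share/selinux/devel/include).
policy_module_te() {
    cat <<EOF
policy_module($MODULE, 1.0)

require {
    type $SB_CLIENT_TYPE;
}

# Let the X-sandboxed client open TCP sockets and connect only to ports
# labelled tor_port_t. No other port interface is granted, so a compromised
# browser has no direct route to the clearnet.
allow $SB_CLIENT_TYPE self:tcp_socket create_stream_socket_perms;
corenet_tcp_sendrecv_generic_if($SB_CLIENT_TYPE)
corenet_tcp_sendrecv_generic_node($SB_CLIENT_TYPE)
corenet_tcp_connect_tor_port($SB_CLIENT_TYPE)
EOF
}

# Build and load the module (run once, as root).
install_policy() {
    workdir=$(mktemp -d)
    policy_module_te > "$workdir/$MODULE.te"
    make -C "$workdir" -f /usr/share/selinux/devel/Makefile "$MODULE.pp"
    semodule -i "$workdir/$MODULE.pp"
}

# Launch the browser. -H/-T give it a private home and tmp that persist between
# runs, so the SOCKS proxy setting (127.0.0.1:9050, set once in the sandboxed
# profile) survives; the policy is what stops anything else from getting out.
run_firefox() {
    mkdir -p "$SB_HOME" "$SB_TMP"
    sandbox -X -t "$SB_TYPE" -H "$SB_HOME" -T "$SB_TMP" firefox
}

# Privileged actions only run when asked for explicitly:
#   SANDBOX_FIREFOX=install sh sandbox-firefox.sh   (once, as root)
#   SANDBOX_FIREFOX=run     sh sandbox-firefox.sh   (as the user)
case "${SANDBOX_FIREFOX:-}" in
    install) install_policy ;;
    run)     run_firefox ;;
esac
```

Two practical notes. The module only blocks non-Tor connections; the sandboxed profile still has to point at the SOCKS port and resolve names through it (network.proxy.socks_remote_dns), otherwise DNS lookups are simply denied rather than routed. And if Firefox is refused something it legitimately needs, ausearch -m avc followed by audit2allow shows the exact rule, which is the "learning mode" workflow from the quoted post; as the quote also says, with -X you lose copy-paste between the sandboxed window and the rest of the desktop, which is the point.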