Wilders Security Forums  

  #1  
Old July 4th, 2011, 02:37 AM
rudyl rudyl is offline
Infrequent Poster
 
Join Date: Jul 2011
Posts: 30
Default ra's fnord: Easy and secure anonymous internet usage

I'm just going to quote the "Short version" from ra's fnord:

Quote:
An easy and secure way for anonymous internet usage:

1. Install and start Virtualbox (at least version 4).
2. Download two VM images: Tor gateway and Tor workstation
3. Import the images (in Virtualbox File->Import Appliance)

To start using the internet anonymously you just have to start both VMs: Tor gateway VM and Tor workstation VM. As soon as they finished booting, you can use the anonymous internet access through the Tor workstation. If you want to stop using the internet anonymously, just power down both VMs.

If VirtualBox won't import the OVA packages, you may need to rename each one to match its OVF component. They're TAR archives. In Linux, just run "tar tvf" to get the names.

All you really need from ra is the Tor gateway VM. You can use it with any VM by connecting to the VirtualBox internal network "tor" (which the gateway VM creates).
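
The rename workaround and the internal-network hookup from the post above, as an added shell example that is not part of the original post or of ra's images. The function names and the VM name in the usage comment are hypothetical; the network name "tor" is the one given in the post.

```shell
#!/bin/sh
# Added example. An OVA is a plain TAR archive containing one .ovf
# descriptor; the workaround is to name the OVA after that descriptor.

# Print the base name (without ".ovf") of the descriptor inside an OVA.
ova_ovf_name() {
    tar -tf "$1" |
        awk -F/ '/\.ovf$/ { sub(/\.ovf$/, "", $NF); print $NF; exit }'
}

# Rename the OVA to <descriptor>.ova in the same directory if its name
# does not already match, and print the resulting path.
ova_fix_name() {
    ova=$1
    name=$(ova_ovf_name "$ova")
    [ -n "$name" ] || { echo "no .ovf member in $ova" >&2; return 1; }
    target="$(dirname "$ova")/$name.ova"
    if [ "$(basename "$ova" .ova)" != "$name" ]; then
        mv -- "$ova" "$target"
    fi
    echo "$target"
}

# Attach NIC 1 of an existing VM to the internal network "tor" so that
# its only route out is the gateway VM. $1 is the VM name.
attach_to_tor_net() {
    VBoxManage modifyvm "$1" --nic1 intnet --intnet1 tor
}

# Typical use (needs VirtualBox installed; nothing below runs by itself):
#   VBoxManage import "$(ova_fix_name ./downloaded-gateway.ova)"
#   attach_to_tor_net "my-own-workstation"   # hypothetical VM name
```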
  #2  
Old July 4th, 2011, 03:27 PM
caspian caspian is offline
Very Frequent Poster
 
Join Date: Jun 2007
Location: Oz
Posts: 1,806
Default Re: ra's fnord: Easy and secure anonymous internet usage

I assume that if you fire up a good VPN and then start Virtual Box you would be anonymous as well. But I have always wondered, does Virtual Box leave personal data about what you do on your computer?
__________________
A Billion for a Billion

http://www.wfp.org/1billion
  #3  
Old July 4th, 2011, 07:04 PM
rudyl rudyl is offline
Infrequent Poster
 
Join Date: Jul 2011
Posts: 30
Default Re: ra's fnord: Easy and secure anonymous internet usage

Safe bet = yes. It's best to run hosts with full disk encryption. I don't use Windows. I use Ubuntu with crypto LVM. Everything except boot is encrypted.
  #4  
Old July 16th, 2011, 12:18 AM
DasFox DasFox is offline
Very Frequent Poster
 
Join Date: May 2006
Posts: 1,825
Default Re: ra's fnord: Easy and secure anonymous internet usage

Why do you think you need to run Ubuntu encrypted?

By the way there's a new version that just came out...


THANKS
__________________
Security Comes By Education, Not Tons Of Software!
  #5  
Old July 16th, 2011, 12:33 AM
x942 x942 is offline
Very Frequent Poster
 
Join Date: Feb 2011
Location: Your Network
Posts: 1,101
Default Re: ra's fnord: Easy and secure anonymous internet usage

To prevent artifacts from being left over on the host machine. If you don't use FDE, chances are forensics can reveal what you were doing beforehand in the VM. This would defeat anonymity.
__________________
E-Mail: og8oh@notsharingmy.info
  #6  
Old July 16th, 2011, 12:51 AM
DasFox DasFox is offline
Very Frequent Poster
 
Join Date: May 2006
Posts: 1,825
Default Re: ra's fnord: Easy and secure anonymous internet usage

What level of forensics, who are you trying to protect against?

Just to say FDE without understanding what threat level this is, doesn't do much...
__________________
Security Comes By Education, Not Tons Of Software!

Last edited by DasFox : July 16th, 2011 at 03:43 AM.
  #7  
Old July 23rd, 2011, 01:56 AM
DasFox DasFox is offline
Very Frequent Poster
 
Join Date: May 2006
Posts: 1,825
Default Re: ra's fnord: Easy and secure anonymous internet usage

Sorry I was hoping just to edit my post, but I wanted to further expand on this...

Full Disk Encryption is not going to give you any greater security, anonymity, or privacy. The reason is that drive encryption on mounted drives won't do a thing, as the encryption is transparent as long as the drive is mounted.

We are also talking about VB images here, similar to Tails, with one slight difference: Tails is a live boot CD/USB, these are VB images, and this Ra Fnord's VB image, if it was developed properly, will not leave anything on the system.

Running regular programs on the VM would leave traces, so for now we have to assume this developer knows what they are doing and if this is the case, like Tails, then this will not leave behind traces.

Also erasing and deconstructing the VM when you're done is the way someone should really go about this if you're paranoid.

The only type of encryption needed in this situation we are talking about here that does anything is SWAP.

Putting on full disk encryption in regards to this discussion does nothing...
__________________
Security Comes By Education, Not Tons Of Software!
  #8  
Old October 22nd, 2011, 09:43 PM
MrBrian MrBrian is offline
Very Frequent Poster
 
Join Date: Feb 2008
Posts: 2,925
Default Re: ra's fnord: Easy and secure anonymous internet usage

Thank you for posting about this. It seems to be a good alternative to JanusVM. It has Opera, Chromium, and Firefox with Adobe Flash. It passed a few anonymity tests that I tried.

Also available is Tor Fast Gateway which "reduces anonymity in favor of speed."

Note: one needs to unzip the .OVA files before importing into VirtualBox.

Last edited by MrBrian : October 22nd, 2011 at 11:54 PM.
  #9  
Old October 22nd, 2011, 11:28 PM
x942 x942 is offline
Very Frequent Poster
 
Join Date: Feb 2011
Location: Your Network
Posts: 1,101
Default Re: ra's fnord: Easy and secure anonymous internet usage

Quote:
Security issues

When running Tails inside a virtual machine, both the host operating system and the virtualization software are able to monitor what you are doing in Tails. Moreover traces are likely to be left on the local hard disk.

That's why Tails warns you when you are running it inside a virtual machine. Do not expect Tails to protect you if you run it in a virtual machine if you do not trust the host computer, Tails is not magical!

If you read this warning while you are not aware to be using a virtual machine: there could be a bug in the virtualization detection software Tails uses... or something really weird is happening.

If you are unsure, and if you can afford it, just run Tails from a CD or USB stick.

More or less SWAP isn't the only issue here. Are you using a journaling file system like NTFS, EXT3, EXT4, etc? Well chances are some snapshot is stored somewhere.

Using Full Disk Encryption is the best way. Why? Because as soon as the system is off it IS IMPOSSIBLE to retrieve that session.

Reading your posts shows you don't fully understand how Virtual Machines work. If I run something in a virtual machine it can NOT control what the host stores by default. At some point or another it is VERY likely that part of the session (at least) will be written to the host OS filesystem (i.e. swap, etc.). It is then very possible for it to be stored elsewhere on a journaling filesystem.

Just because TAILS works perfectly as a boot disk doesn't mean it can magically make Windows/Ubuntu stop recording data to swap and the hard drive.
__________________
E-Mail: og8oh@notsharingmy.info
  #10  
Old October 24th, 2011, 09:19 PM
caspian caspian is offline
Very Frequent Poster
 
Join Date: Jun 2007
Location: Oz
Posts: 1,806
Default Re: ra's fnord: Easy and secure anonymous internet usage

Quote:
Originally Posted by x942


Using Full Disk Encryption is the best way. Why? Because as soon as the system is off it IS IMPOSSIBLE to retrieve that session.

I have a couple of questions if you don't mind.

1. I have been thinking about giving it a try. I am a little nervous about it though. Would it work on a desktop with a huge hard drive as easily as it would on a laptop?

2. Once it is encrypted, does it run as easily as it would otherwise? I mean is there a lot of extra bother?

3. I have HP computers that have the option of reinstalling by simply restarting the computer and tapping F11. Will encrypting the HD interfere with my ability to reinstall this way?
__________________
A Billion for a Billion

http://www.wfp.org/1billion
  #11  
Old October 25th, 2011, 12:13 AM
mirimir mirimir is offline
Very Frequent Poster
 
Join Date: Oct 2011
Posts: 1,524
Default Re: ra's fnord: Easy and secure anonymous internet usage

@caspian

Do you have an old computer that you could dedicate to private work? Installing Ubuntu 10.04.3 with encrypted LVM is very easy. Everything (root and swap) except boot partition is encrypted. That's a standard install option.

Using full disk encryption on your main computer, where most data doesn't need encrypted, is pointlessly risky. That's my opinion, anyway.
  #12  
Old October 25th, 2011, 12:39 PM
J_L J_L is offline
Massive Poster
 
Join Date: Nov 2009
Posts: 4,831
Default Re: ra's fnord: Easy and secure anonymous internet usage

How does it compare to JanusVM?
__________________
  #13  
Old October 25th, 2011, 06:05 PM
x942 x942 is offline
Very Frequent Poster
 
Join Date: Feb 2011
Location: Your Network
Posts: 1,101
Default Re: ra's fnord: Easy and secure anonymous internet usage

Quote:
Originally Posted by caspian
I have a couple of questions if you don't mind.

1. I have been thinking about giving it a try. I am a little nervous about it though. Would it work on a desktop with a huge hard drive as easily as it would on a laptop?

2. Once it is encrypted, does it run as easily as it would otherwise? I mean is there a lot of extra bother?

3. I have HP computers that have the option of reinstalling by simply restarting the computer and tapping F11. Will encrypting the HD interfere with my ability to reinstall this way?

1) It would work perfectly fine. Just like any laptop.

2) Once it is encrypted it will run perfectly. Just like before. I have never noticed any lag or anything.

3) That depends. My Acer has the recovery partition hidden from the OS (on the Host Protected Area) and TC/PGP can't touch it. Linux can remove it though and I always do. If it is on the HPA then yes you can use F11 to reinstall (that's how my Acer worked anyways). If it's just on a normal partition you can choose not to encrypt it or to encrypt it. If you choose to encrypt it you can't use it.

Personally I would just create a backup CD and re-install disk. Then delete that partition and encrypt the whole drive.
__________________
E-Mail: og8oh@notsharingmy.info
  #14  
Old October 25th, 2011, 07:20 PM
caspian caspian is offline
Very Frequent Poster
 
Join Date: Jun 2007
Location: Oz
Posts: 1,806
Default Re: ra's fnord: Easy and secure anonymous internet usage

Quote:
Originally Posted by mirimir
@caspian

Do you have an old computer that you could dedicate to private work? Installing Ubuntu 10.04.3 with encrypted LVM is very easy. Everything (root and swap) except boot partition is encrypted. That's a standard install option.

Using full disk encryption on your main computer, where most data doesn't need encrypted, is pointlessly risky. That's my opinion, anyway.

Thanks for that. I will try it on a laptop. I may just buy a cheap laptop at Walmart for $300 or whatever when I have a little extra cash. I've never used Ubuntu. Can you install it on a Windows computer and still keep Windows?
__________________
A Billion for a Billion

http://www.wfp.org/1billion
  #15  
Old October 25th, 2011, 07:24 PM
caspian caspian is offline
Very Frequent Poster
 
Join Date: Jun 2007
Location: Oz
Posts: 1,806
Default Re: ra's fnord: Easy and secure anonymous internet usage

Quote:
Originally Posted by x942
1)
3) That depends. My Acer has the recovery partition hidden from the OS (on the Host Protected Area) and TC/PGP can't touch it. Linux can remove it though and I always do. If it is on the HPA then yes you can use F11 to reinstall (that's how my Acer worked anyways). If it's just on a normal partition you can choose not to encrypt it or to encrypt it. If you choose to encrypt it you can't use it.

Personally I would just create a backup CD and re-install disk. Then delete that partition and encrypt the whole drive.

I am hoping that Acer and HP are the same. I think I will get a small laptop and try it out. If it works out well I may use it on my desktop as well. I don't have a lot of sensitive stuff on my desktop but I really like the idea of having complete control. Thanks for the input.
__________________
A Billion for a Billion

http://www.wfp.org/1billion
  #16  
Old October 25th, 2011, 08:27 PM
mirimir mirimir is offline
Very Frequent Poster
 
Join Date: Oct 2011
Posts: 1,524
Default Re: ra's fnord: Easy and secure anonymous internet usage

Quote:
Originally Posted by caspian
Thanks for that. I will try it on a laptop. I may just buy a cheap laptop at Walmart for $300 or whatever when I have a little extra cash. I've never used Ubuntu. Can you install it on a Windows computer and still keep Windows?

People commonly do that. I don't. Windows and Linux have very different ideas about how disks should look, and Windows is very picky. If you really need Windows, which I do sometimes, just run it as a guest in VirtualBox. Then you are also set to run Ra's Tor gateway and workspace. You can run TAILS as a guest in VirtualBox as well. If host machine is Ubuntu x64 with encrypted LVM, everything, including everything leaking from guests, is encrypted.
  #17  
Old October 25th, 2011, 09:54 PM
MrBrian MrBrian is offline
Very Frequent Poster
 
Join Date: Feb 2008
Posts: 2,925
Default Re: ra's fnord: Easy and secure anonymous internet usage

Quote:
Originally Posted by J_L
How does it compare to JanusVM?

If I remember correctly, with JanusVM everything on your real computer is routed through the provided virtual machine. With the method in this thread, you use the software already provided in one of the virtual machines, whose traffic is routed through another virtual machine. The comments indicate that you can use a virtual machine of your own choosing instead, but I didn't explore that.
  #18  
Old October 25th, 2011, 10:34 PM
Izzle Izzle is offline
Infrequent Poster
 
Join Date: Aug 2011
Location: Southern California
Posts: 23
Default Re: ra's fnord: Easy and secure anonymous internet usage

Are artifacts left behind if you use different disk images, such as one created in Acronis?

For example, loading and using a disk image with VMWare or Virtualbox.

And later, deleting that VM or VB image and switching to a disk image of another flavor, say a regular image created when the computer was new.

On a forensic exam, would artifacts from the VM/VB image be left behind somewhere, even though a different disk image is now being used?
__________________
SuRun XP | SBoxie Pro | Iolo Sys Mech Pro 10.5 |MBAM Pro | Acronis True Image | Comodo PFW
  #19  
Old October 26th, 2011, 12:08 AM
mirimir mirimir is offline
Very Frequent Poster
 
Join Date: Oct 2011
Posts: 1,524
Default Re: ra's fnord: Easy and secure anonymous internet usage

@Izzle

Safe bet is that traces from VMs are left behind on host machines. So you just use full disk encryption on hosts. But of course, disks are decrypted while in use, and passphrases are in memory. Unless you're hot stuff, standard practice is shutting down machines to preserve evidence, and they'll just ask for passphrases. Then you pretend Alzheimer's.
  #20  
Old October 26th, 2011, 05:33 PM
J_L J_L is offline
Massive Poster
 
Join Date: Nov 2009
Posts: 4,831
Default Re: ra's fnord: Easy and secure anonymous internet usage

Quote:
Originally Posted by MrBrian
If I remember correctly, with JanusVM everything on your real computer is routed through the provided virtual machine. With the method in this thread, you use the software already provided in one of the virtual machines, whose traffic is routed through another virtual machine. The comments indicate that you can use a virtual machine of your own choosing instead, but I didn't explore that.

Intriguing. Thanks for the explanation.
__________________
  #21  
Old October 26th, 2011, 06:10 PM
mirimir mirimir is offline
Very Frequent Poster
 
Join Date: Oct 2011
Posts: 1,524
Default Re: ra's fnord: Easy and secure anonymous internet usage

Quote:
Originally Posted by J_L
How does it compare to JanusVM?

Both Ra's Tor gateway VMs and TorVM run OpenWRT. I think that JanusVM does too.
  #22  
Old October 29th, 2011, 11:15 PM
caspian caspian is offline
Very Frequent Poster
 
Join Date: Jun 2007
Location: Oz
Posts: 1,806
Default Re: ra's fnord: Easy and secure anonymous internet usage

Quote:
Originally Posted by mirimir
@Izzle

Safe bet is that traces from VMs are left behind on host machines. So you just use full disk encryption on hosts. But of course, disks are decrypted while in use, and passphrases are in memory.

If you get a keylogger after you log in, can it see the passphrase that you entered to mount the encrypted laptop?
__________________
A Billion for a Billion

http://www.wfp.org/1billion
  #23  
Old October 30th, 2011, 01:00 AM
mirimir mirimir is offline
Very Frequent Poster
 
Join Date: Oct 2011
Posts: 1,524
Default Re: ra's fnord: Easy and secure anonymous internet usage

Quote:
Originally Posted by caspian
If you get a keylogger after you log in, can it see the passphrase that you entered to mount the encrypted laptop?

Keyloggers see what you type, not what's in memory. If there's a keylogger on the host when you login, it may get the LUKS passphrase. But it would need to load from the boot partition.

You can reduce the risk by using hosts only for running VMs. Disable shared clipboard and guest USB, and don't install guest additions. Only use shared folders for fresh installs.
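
A way to check a guest against the settings named in the post above (shared clipboard, guest USB, shared folders), plus the internal network "tor" from the first post. This is an added shell example, not part of the thread. It reads the `key="value"` lines printed by `VBoxManage showvminfo <vm> --machinereadable`; the key names are assumed to match the installed VirtualBox version, and both sample configurations are constructed.

```shell
#!/bin/sh
# Added example. Reads showvminfo --machinereadable output on stdin,
# prints one line per risky setting, returns 1 if anything was flagged.
audit_vm_config() {
    awk -F= '
        { gsub(/"/, "", $2) }                      # strip the quotes
        $1 == "clipboard" && $2 != "disabled" {
            print "clipboard: " $2; bad = 1 }
        $1 == "usb" && $2 != "off" {
            print "usb: " $2; bad = 1 }
        $1 ~ /^SharedFolderNameMachineMapping/ {
            print "shared folder: " $2; bad = 1 }
        # Any NIC that is not on an internal network bypasses the gateway.
        $1 ~ /^nic[0-9]+$/ && $2 != "none" && $2 != "intnet" {
            print $1 ": " $2 " (not an internal network)"; bad = 1 }
        $1 ~ /^intnet[0-9]+$/ && $2 != "tor" {
            print $1 ": " $2 " (expected tor)"; bad = 1 }
        END { exit bad + 0 }
    '
}

# Constructed sample: a workstation VM with several settings left open.
SAMPLE_WEAK='name="workstation"
nic1="intnet"
intnet1="tor"
nic2="nat"
clipboard="bidirectional"
usb="on"
SharedFolderNameMachineMapping1="downloads"
SharedFolderPathMachineMapping1="/home/user/Downloads"'

# Constructed sample: the same VM after tightening.
SAMPLE_HARDENED='name="workstation"
nic1="intnet"
intnet1="tor"
nic2="none"
clipboard="disabled"
usb="off"'

# Against a real VM (needs VirtualBox; VM name is hypothetical):
#   VBoxManage showvminfo "my-own-workstation" --machinereadable | audit_vm_config
printf '%s\n' "$SAMPLE_WEAK" | audit_vm_config || true
```

Whether guest additions are installed is not visible in this output for a powered-off VM, so that item from the post still has to be checked inside the guest.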
  #24  
Old October 31st, 2011, 10:57 PM
caspian caspian is offline
Very Frequent Poster
 
Join Date: Jun 2007
Location: Oz
Posts: 1,806
Default Re: ra's fnord: Easy and secure anonymous internet usage

Quote:
Originally Posted by mirimir
Keyloggers see what you type, not what's in memory. If there's a keylogger on the host when you login, it may get the LUKS passphrase. But it would need to load from the boot partition.

You can reduce the risk by using hosts only for running VMs. Disable shared clipboard and guest USB, and don't install guest additions. Only use shared folders for fresh installs.

Thanks for that. If Returnil would work on an encrypted laptop I think that could be another bit of protection. I don't know if it would work though.
__________________
A Billion for a Billion

http://www.wfp.org/1billion
 
