Suggest a PC Privacy Setup

[SafetyFirst]

How would you organize a 1TB Windows7 Ultimate x64 system HDD with TrueCrypt FDE and hidden OS on it?

My plan is this:

C: 200GB system partition
D: 600GB partition with outer TC volume and Hidden OS inside the hidden volume
E: 65 GB encrypted partition with virtual machines intended for the internet use
F: 65 GB encrypted partition with some decoy files and hidden volume with sensitive files to be operated with from within the hidden OS

What do you think? Should I set it up in a different way and why? Is it necessary that internet facing VMs have all usual security software installed (firewall, AV, HIPS, anti-keylogger etc.)?

[mirimir]

I wouldn't use Windows as a VM host, because it records too many things in too many places. I also wouldn't use Windows as a VM for anonymity, because it tells Microsoft who you are. While I suppose that one could create a fake identity for that, I would need a good reason to bother.

[CasperFace]

Quote:

Should I set it up in a different way and why?

For performance standpoint, I would try to avoid running virtual machines on the same physical disk as the primary OS, if at all possible. The way you have it set up now (with the data partition in the middle of the disk and the VMs at the end), the read/write head is going to have to continuously jump back and forth between the beginning and end of the disk whenever you are running 2 or more concurrent operating systems.

If having separate HDDs is not possible, the next best thing (I think) would be to move the partition containing the VMs closer to the beginning part of the disk (near the system partition) so that disk I/O operations don't take as much of a performance hit.

Quote:

Is it necessary that internet facing VMs have all usual security software installed (firewall, AV, HIPS, anti-keylogger etc.)?

Yes. Your system security software on your primary OS isn't going to do anything to protect you from what goes inside the VMs, since they are separate entities. Unless if you don't care if one of your VMs gets trashed because you have backups and/or can easily clone a new one, then no.

[CasperFace]

Quote:

Originally Posted by mirimir

I also wouldn't use Windows as a VM for anonymity, because it tells Microsoft who you are.

Or, you could just install a 3rd party firewall & a VPN before Windows ever has a chance to "phone home". There are ways around everything. Realistically, however, it doesn't really matter if Microsoft "knows" you happen to have another OS installed somewhere... unless you are ultra-paranoid.

[The Hammer]

Quote:

Originally Posted by CasperFace

Realistically, however, it doesn't really matter if Microsoft "knows" you happen to have another OS installed somewhere... unless you are ultra-paranoid.

In which case a tin hat is called for.

[mirimir]

Quote:

Originally Posted by The Hammer

In which case a tin hat is called for.

Much better => -http://www.lessemf.com/personal.html

[The Hammer]

Quote:

Originally Posted by mirimir

Much better => -http://www.lessemf.com/personal.html

Good call.

[SafetyFirst]

Quote:

Originally Posted by mirimir

I wouldn't use Windows as a VM host, because it records too many things in too many places.

But if the host is encrypted and runs in shadow mode? Can Shadow Defender or another light virtualizer run on TC encrypted system partition?

Quote:

Originally Posted by mirimir

I also wouldn't use Windows as a VM for anonymity, because it tells Microsoft who you are. While I suppose that one could create a fake identity for that, I would need a good reason to bother.

While especially sensitive tasks can be executed in Linux VMs (one can have several VMs simultaneously, right?), what can M$ know about me beside language? I don't register Windows with my real name. Of course, they can trace IP address in case of serious lawbreaking but do they really care that much to spy on couple of billions of users?

Quote:

Originally Posted by CasperFace

For performance standpoint, I would try to avoid running virtual machines on the same physical disk as the primary OS, if at all possible. The way you have it set up now (with the data partition in the middle of the disk and the VMs at the end), the read/write head is going to have to continuously jump back and forth between the beginning and end of the disk whenever you are running 2 or more concurrent operating systems.

If having separate HDDs is not possible, the next best thing (I think) would be to move the partition containing the VMs closer to the beginning part of the disk (near the system partition) so that disk I/O operations don't take as much of a performance hit.

It's a TrueCrypt requirement that the Hidden OS partition be the first partition after the system partition (and it must be at least 2.1 times larger than the original system partition if you want them to be NTFS formatted).
That's the reason why VMs can't be closer to the beginning of the disk. But if it is really that important I could add another hard drive.

Quote:

Originally Posted by CasperFace

Or, you could just install a 3rd party firewall & a VPN before Windows ever has a chance to "phone home". There are ways around everything. Realistically, however, it doesn't really matter if Microsoft "knows" you happen to have another OS installed somewhere... unless you are ultra-paranoid.

What do you mean? You think I should disable Windows automatic update or do you have something else on your mind?

Quote:

Originally Posted by mirimir

Much better => -http://www.lessemf.com/personal.html

I scrolled down the whole page expecting I'd see an EMF shielded condom - "durable and unwrinkleable, washable too (no bleach); high Silver content inhibits bacteria growth minimizing odor and promotes wound healing. Adequate radiation reduction from 800 MHz to 18 GHz. Two adult sizes: Black = large, Tan = medium".

[mirimir]

Quote:

Originally Posted by SafetyFirst

While especially sensitive tasks can be executed in Linux VMs (one can have several VMs simultaneously, right?), what can M$ know about me beside language? I don't register Windows with my real name. Of course, they can trace IP address in case of serious lawbreaking but do they really care that much to spy on couple of billions of users?

You can run as many VMs as you have memory for. CPU utilization is a soft limit. Your system will just be sluggish. But memory is a hard limit. If you overcommit, the VM in focus will just evaporate.

Are you activating Windows with a product key that you purchased using your real name? If so, Microsoft knows who you are. With non-OEM versions, I gather that one can run for 90 days without activating. But then you need to reinstall Windows every 90 days. I would be surprised if Microsoft didn't retain Windows update logs for at least months, if not years.

[themostsecurebrain]

Quote:

Originally Posted by mirimir

Are you activating Windows with a product key that you purchased using your real name? If so, Microsoft knows who you are. With non-OEM versions, I gather that one can run for 90 days without activating. But then you need to reinstall Windows every 90 days. I would be surprised if Microsoft didn't retain Windows update logs for at least months, if not years.

Well it's not necessary to purchase a product key with your real name, unless I'm mistaken; and even if you did, well then you've purchase a key and so you shouldn't feel guilty about downloading a windows 7 crack. Bingo, Microsoft doesn't know who you are and you also didn't "steal" their property.

[ronjor]

Quote:

windows 7 crack

Downloading cracked software is not recommended on these forums for any reason.

[themostsecurebrain]

Quote:

Originally Posted by ronjor

Downloading cracked software is not recommended on these forums for any reason.

My apologies. Well, with the vmware snapshot feature you could just take a snapshot of a clean install setup the way you want and just jump back every 90 days.

[SafetyFirst]

I have legal copy of Win7 which I could use as host and legal copy of XP which could be used in a VM. Another VM could be Linux.

I would like to gather a great deal of advice before I set it up. My first concern now is to merge the 100MB system reserved partition with Windows (C) partition. I am not sure, but I assume it is necessary for the Hidden OS. Is there a software that automates that process? King of Rapture provided a valuable link in another thread -http://www.terabyteunlimited.com/kb/article.php?id=409

CasperFace suggested placing VMs on another hard disk. Is it really that important? How much disk space does an average VM occupate?

How about backups? I suppose backups must be in unencrypted form if you want to be able to restore images in case of system failure because image software's recovery CD doesn't have TC or other program that could decrypt the image (ShadowProtect's own encryption didn't work for me)?

[PaulyDefran]

Quote:

Originally Posted by themostsecurebrain

Well it's not necessary to purchase a product key with your real name, unless I'm mistaken; and even if you did, well then you've purchase a key and so you shouldn't feel guilty about downloading a windows 7 crack. Bingo, Microsoft doesn't know who you are and you also didn't "steal" their property.

I agree that paying cash for a boxed copy at the store is the best way, but like everything else that we extrapolate to the 'nth degree....do you ever plan to use that OS install from your house? Windows can send a ton of info during install...before any firewall or VPN could be installed. Now, do I think it does? no...or there would be a lot more criminals in prison (most of them). We all know how to do it right when we want to be invisible: Open Access Point with a Linux based system...never to be used anywhere else. Anything else gets into the security .vs convenience model and everything is a trade off. Fortunately, having two laptops these days is pretty easy for most, and who needs to 'James Bond' it 24/7? (some do, yes).

PD

[jackrabbit]

Quote:

Originally Posted by PaulyDefran

I agree that paying cash for a boxed copy at the store is the best way, but like everything else that we extrapolate to the 'nth degree....do you ever plan to use that OS install from your house? Windows can send a ton of info during install...before any firewall or VPN could be installed. Now, do I think it does? no...or there would be a lot more criminals in prison (most of them). We all know how to do it right when we want to be invisible: Open Access Point with a Linux based system...never to be used anywhere else. Anything else gets into the security .vs convenience model and everything is a trade off. Fortunately, having two laptops these days is pretty easy for most, and who needs to 'James Bond' it 24/7? (some do, yes).

PD

You don't need a computer attached to the internet to do an install, just pull the cable out of it, easy as that!

[mirimir]

Quote:

Originally Posted by SafetyFirst

I have legal copy of Win7 which I could use as host and legal copy of XP which could be used in a VM. Another VM could be Linux.

I strongly recommend Ubuntu x64 as the host. It works mvery well with Oracle VirtualBox VM. Encrypted LVM is very easy to set up using the alternate installation ISO. Also, Linux software RAID is better than consumer-grade hardware RAID, and desktop machines typically have four SATA ports. Although RAID plus encrypted LVM does require manual partitioning, it's not very hard and there are many tutorials.

Quote:

Originally Posted by SafetyFirst

CasperFace suggested placing VMs on another hard disk. Is it really that important?

I don't typically do that. But I run on fast RAID arrays.

Quote:

Originally Posted by SafetyFirst

How much disk space does an average VM occupate?

pfSense ~250 MB
Ubuntu server ~2 GB
Ubuntu desktop ~5 GB

Quote:

Originally Posted by SafetyFirst

How about backups? I suppose backups must be in unencrypted form if you want to be able to restore images in case of system failure because image software's recovery CD doesn't have TC or other program that could decrypt the image (ShadowProtect's own encryption didn't work for me)?

Make your backups, and store them in Truecrypt.

If Windows was sending information from install back to MS we would of heard about it by now.

As for windows key. you can buy a key from those resellers selling MSDN keys though they have a habit of getting blocked. Though if you buy from a good place they replace for free.

[PaulyDefran]

Quote:

Originally Posted by jackrabbit

You don't need a computer attached to the internet to do an install, just pull the cable out of it, easy as that!

True, so a 'duh' moment for me on that one...but MS Update is given carte' blanche' so lets go with that

PD

[SafetyFirst]

If the host is Windows and only the guest goes online, that means the host never gets Windows updates?

[Warlockz]

Quote:

Originally Posted by themostsecurebrain

My apologies. Well, with the vmware snapshot feature you could just take a snapshot of a clean install setup the way you want and just jump back every 90 days.

It doesn't work that way, the 30 or 90 days to activate goes by the date you installed your windows to the VM, taking a simple snapshot will not circumvent time limits by any means.