Let me put my tinfoil hat on

Discussion in 'privacy technology' started by Amanda, Aug 25, 2013.

Thread Status:
Not open for further replies.
  1. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Have you increased video RAM in VBox setup? That will permit higher resolution.

    Also, have you installed guest additions? That also improves performance.
     
  2. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    @noone_particular
    I continue to repeatedly search, approx monthly. Yes, a GUI app offering ability to marshal outbound net access, per-application, is still a dead end.

    Gaining the ability to monitor per-application isn't enough though.
    Many contemporary linux apps are writing to communal datastores.
    Bear in mind that if you enter sensitive data to any app which stores to gvfs, any other app running as your user is permitted to read that data.
    -=-
    Similarly, I am steering clear of any/all apps which require akonadi/nepomuk (I'm refusing to install akonadi, period) and am fairly intent on avoiding "suites" or sibling apps (e.g. Firefox + Thunderbird) in general.

    Heh, me too. Or so we think...

    Open "about:config" in firefox/iceweasel. Search for "aitc", for "service", and for "persona".
    You'll probably want to change, or null out, the values stored in those keys.
    Mozilla wants to have a me-too "Marketplace" (er, "app store") along with oAuth centricity, and apparently we're in tow (with, or without our consent). Search the config for every instance of "google" (safebrowsing/phish) and "mozilla." (mozilla.dot, as in dot com, dot net, dot whatever). FF, since around v.17, has been ignoring "don't check for updates" etc settings applied via its UI ~~ silently calling out "for this, and that" way, way too often. Even after nixing the config keys, you can apply a block, or redirection, via a DNS proxy block... (doing so doesn't interfere with surfing, in my experience) and watch your traffic to see how often ff "screams" (bursts of 50+ requests) trying to connect to the mozilla mothership. Obviously some of this "shite" is embedded within the source code, beyond the reach of config settings. In light of this behavior, there's NO WAY I'd consider using another mozilla product. (Thunderbird pales in comparison with ClawsMail anyhow.)

    In the spirit of tinfoil hats... what else? How about SSL, er "https":
    For yOUR SAFETY, we're being sheeple'd into having our browser place requests via https WAY more often than is reasonably necessary.
    ref:
    "chained certificates"
    http://support.wpengine.com/how-doe...certificates-ca-public-and-private-keys-csrs/
    "collusion"
    http://blog.torproject.org/blog/det...thority-compromises-and-web-browser-collusion

    Beyond availability of an "accessible to the common man" GUI app,
    another area "lacking" (interest, and GUI app) under linux:
    local (client-resident) ssh-enabled MITM proxy

    ^---Several exist for Android
    http://intrepidusgroup.com/insight/...is-with-proxydroid-burpsuite-and-hipster-dog/
    Has anyone ported similar to Linux? If so, I sure haven't found 'em


    What else? How about IPv6 ~~ second half of the IPv6 address is yer MAC address.
    Oh wait, we can feel safe in knowing that our O/S spoofs and randomizes this...
    ...ah, but I'm connecting via NAT router.
    It's not capable of randomizing (and I'm not aware of ANY consumer router which is)

    and here's my final "what else" for today:

    yOUR chosen O/S is moot.
    They're in our hardwarez, got us by the 'nads...
    on-demand "out of band" SoC backdoors embedded into our PCs.

    Didja notice how AMD processors "fell out of favor" a while back?
    Ever wonder whether the prejudice against them (bad press or silence) was justified?
    Essentially every Intel processor since Core 2 Duo E8500 ( 2008 ) has been vPro-enabled.
    Check the dates/timing and note that AMD didn't agree to play ball and begin backdooring us until 2009
    (and didn't have SoC-backdoored product in place in the retail channel until 2012)
    article "Intel vPro: Three Generations Of Remote Management (Sept 2011)"
    as of Sept 2011, no "consumer-purchasable" AMD DASH-enabled hardware/board is available

    Here are a few of the terms you might care to research:
    Intel "vPro" and "AMD-V"
    Intel "AMT" (Active Management Technology)
    AMD "DASH"
    "Broadcom TruManage"
    (BIOS support for) Computrace®

    Here's a wonderfully strange coincidence for ya:

    One of the scant few "mainstream/geek press" articles on the subject
    (one in which the author CLEARLY indicates he was "given the runaround" when requesting details from Intel/AMD reps)
    is not easily found ~~ it has a bizarre redirect

    tomshardware.com/reviews/vpro-amt-management-kvm,3003-13.html
    ^-------v not found. Search tomshardware for "amt vpro"
    tomshardware.com/reviews/command-conquer,1591.html
    Remote PC Management with Intel's vPro (2007)
    and
    tomshardware.com/reviews/vpro-amt-management-kvm,3003.html

    Wait, here's another:
    The article titled "AMD gives Intel's vPro worthy competition"
    was fairly enlightening (enlighteningly detailed) but it TOO has become unavailable.
    http://searchvirtualdesktop.techtarget.com/news/1520484/AMD-gives-Intels-vPro-worthy-competition


    Below, I'm citing references. PLEASE check 'em.

    To me, it seems pretty straightforward:
    A hardware-based, SoC webserver... accessible REMOTELY (onboard wifi? wake-on-LAN? rdif?) to accept command-and-control instructions even while the PC is powered off... and, upon boot, can ping its command server (out of band, independent of O/S) for instructions.


    Ping. Pong.
    game over
     
    Last edited: Aug 27, 2013
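
Added example (not part of the thread): a Python check for the address format the post above refers to, the modified EUI-64 interface identifier of RFC 4291, where the MAC is split around `ff:fe` and the universal/local bit is flipped. The sample addresses are constructed from the documentation prefix 2001:db8::/32, and the function names are illustrative.

```python
import ipaddress
from collections import defaultdict


def _parse(addr):
    """Accept forms printed by OS tools, e.g. 'fe80::1%eth0' or '2001:db8::1/64'."""
    return ipaddress.IPv6Address(addr.split("%")[0].split("/")[0])


def embedded_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface identifier, or None.

    Heuristic: bytes 3-4 of the low 64 bits are ff:fe. A randomly generated
    identifier can match by chance (about 1 in 65536), so treat a single hit
    as a strong hint, not proof.
    """
    ip = _parse(addr)
    if ip.is_multicast:
        return None
    iid = ip.packed[8:]                      # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":
        return None
    # Undo the universal/local bit flip applied when the identifier was built.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def macs_by_prefix(addresses):
    """Map each embedded MAC to the /64 prefixes it was seen under.

    The same MAC under several prefixes means the host is recognisable
    across networks from its address alone.
    """
    seen = defaultdict(set)
    for addr in addresses:
        mac = embedded_mac(addr)
        if mac:
            net = ipaddress.ip_network(f"{_parse(addr)}/64", strict=False)
            seen[mac].add(str(net))
    return {mac: sorted(nets) for mac, nets in seen.items()}


# Constructed sample: one host with MAC 00:11:22:33:44:55 on two networks,
# its link-local address, and one address with a randomised identifier.
SAMPLE = [
    "2001:db8:1:2:211:22ff:fe33:4455/64",
    "2001:db8:9:9:211:22ff:fe33:4455/64",
    "fe80::211:22ff:fe33:4455%eth0",
    "2001:db8:1:2:a1b2:c3d4:e5f6:789/64",
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(f"{a:40} -> {embedded_mac(a) or 'no EUI-64 pattern'}")
    print(macs_by_prefix(SAMPLE))
```

Feeding it the addresses your own interfaces report shows whether any of them still carries the hardware address.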
  3. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I stopped looking for such a firewall. It's been months since I've fired up linux at all. There's more to learn and sort through than I have time for.

    Regarding browsers and all the call home behaviors, I noticed that when I tried the current version of Palemoon on XP. I use a local file for my homepage. Even when opening a local file at start up, Palemoon kept wanting to connect out. When I started digging around in about:config, I found a lot of the items you listed. Right off I removed everything with Google in it. No matter what I disabled, Palemoon kept trying to connect out at startup. I gave up on that version. So far, I have not seen this behavior from SeaMonkey. It appears to respect its own settings, so far. On my primary system, I can't use the latest versions. The legacy version of Palemoon (3.6.32) appears to behave properly.

    We've reached a strange and very undesirable point regarding security and privacy in applications, one that mirrors the real world. While the newer versions are (allegedly) more secure, they've introduced behaviors that are hostile to user privacy. We're at the point where upgrading, be it hardware, operating systems, or installed software, is a tradeoff with privacy on the losing end. A lot of linux looks to have made that trade, as have many Windows security apps.

    That's quite a list you posted regarding hardware. I haven't looked that deep into hardware and have barely glanced through a lot of those links. That said, I'm glad my hardware is older and predates a lot of that stuff. There were many times I'd read about new hardware and the speed/performance increases it could offer, but couldn't afford it. In hindsight, I'm glad that was the case. This definitely has me rethinking upgrading my hardware at all, unless it physically dies.

    Another "tinfoil hat" speculation. I've long believed that modern operating systems are designed to wear out hardware, helping to force users into this constant upgrade cycle. IMO, journalled file systems are contributing to this problem. Windows' intensive logging of user activities is responsible for a lot of additional writing to hard drives.
     
  4. JackmanG

    JackmanG Former Poster

    Joined:
    May 21, 2013
    Posts:
    284
    Other way around, chief.

    (It's called an "internet search", and takes literally 2 seconds ;) )

    https://en.wikipedia.org/wiki/Chromium_(web_browser)


    Why Firefox’s Move To a Rapid Release Schedule Is A Good Thing

    Of course, if you insist on moving slow...

    Mozilla's not-so-rapid-release Firefox
     
    Last edited: Aug 27, 2013
  5. Andz

    Andz Registered Member

    Joined:
    Jan 9, 2013
    Posts:
    82
    From a privacy standpoint, how good is Ubuntu compared to Windows or OS X?

    I am talking about default installations with no tweaking.
     
  6. JackmanG

    JackmanG Former Poster

    Joined:
    May 21, 2013
    Posts:
    284
    According to Schneier, "they're all equally mediocre."

    http://youtu.be/R4dk13PCeEE?t=3m56s
     
  7. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Andz, as far as I'm concerned, whether Mac or PC it's an ongoing minefield. Here's a little sample from each in my experience:

    Apple loves their SW to phone home. I was very annoyed to find a (Pro) program I was using wanted to FORCE me to register by showing a nag screen every 5th time the program was opened. I had no need to register it, I had fully paid for it with verification, there was no need for this to phone home. I'm not one generally to get under the hood like doing Terminal stuff but this sufficiently annoyed me to do just that. I was able to obtain a script from a reputable source and disable it. NO MORE NAG SCREENS!

    Some years ago (I'm on XP) we had WGA (Windoze genuine (dis)advantage tool). At the time I remember the internet was buzzing about how this spyware was forced on people by M$. It was essentially a backdoor in the guise that M$ wanted to verify that your OS copy was legit. Once it's been verified why keep doing it? Anyway, I found a way to permanently get rid of it.

    NO system should surreptitiously phone home without the user first allowing it by having an informed choice. Of course the nature of programs like AV's must phone home and I'm not talking so much of them.
     
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
  9. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,892
    Location:
    US
    Windows 8 supposedly has NSA accessible backdoor. So there is that.
     
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    It depends on what you mean by "privacy".

    Windows and OS X clearly want to know more about what you're up to than Ubuntu does. There is that Dash home search leak, but you can disable it, and other reporting. Still, the Ubuntu repository does potentially know everything that you've installed. And using cloud anti-malware etc services will leak information in any OS. Overall, though, I trust Ubuntu more than Windows or OS X.

    Every OS logs stuff by default, because that helps when something goes wrong. But the Ubuntu logs are all more-or-less documented, in contrast to Windows (and probably OS X, which I know little about).

    For me, the key distinction between free software (Ubuntu, other free Linux, etc) and non-free software (Windows, OS X, Red Hat, etc) is the money trail. With no money trail, privacy in the sense of tracking doesn't matter as much, as long as you're (1) using Tor and/or a few nested VM chains, and (2) not mixing true name activity and pseudonymous activity in the same machine.
     
    Last edited: Aug 28, 2013
  11. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    235
    It increasingly sounds like you guys are trying to hide everything from the NSA just to spite them.

    Sure it may yield an uncomfortable feeling knowing some engineer at Quantico or even Verizon knows more about you than your mother, but using all this gear on the daily is likely to put you into the NSA's field of vision (read last post).

    Backdoors. Com'on guys. Do you really think the smartest people in the room need to add an exploit to the swiss cheese that is Windows and then leave your precious Qubes alone o_O These guys are smarter than the kids at Vupen--I assure you. So it's a moot point even if you code your own OS as the CIA does. It will fall when poked and prodded by the Uncle Samuel.

    Anyhow, it seems like you have all forgotten the first rule of underwater calisthenics:

    Jason Bourne does not triple encrypt TOR JAP juju when he's ordering a pizza. Because Bourne doesn't care you know about his penchant for pepperoni, reality tv, and the Top Gun OST.

    Isolate. You want to be anonymous. You now have an alter-ego. You have a devoted computer for that ego. You do not connect using your IP or anything that can be associated with your real identity including possession of the burner gear.

    I could go further, but you get the idea: isolate. So don't order that pizza with the same computer you use to go uber-Snowden on.

    So when hot, by the time they burrow through your nodes or just go ahead and slip through malware--you're gone and burning a new updated iso. And if you're savvy and financed: using another burner computer of another hopped public WAP.

    This is close to the only way to stay exhaustively anonymous. Exploit time and distance. And essentially use anti-sec strategies.
     
  12. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    It's a game for me. If I'm hiding something, why would I be OK with (choose your TLA) seeing it? Of course, once I give stuff to another, I can't control what they do with it. Neither can the NSA, it seems ;)

    I don't hide my true name activity in any way.

    I do have lots of gear. But it's not that obvious remotely, except through my purchasing history. And anyway, it's the same sort of gear that I use in my consulting work.

    My ISP etc just see one VPN service, which I've been using for years, and occasionally VPN connections to clients' networks. All the VPN and Tor chaining goes through the VPN service. Nothing to see here, move along ;)

    Do you have any evidence for that claim?

    I don't hide that stuff either. Except that I wouldn't talk about it as mirimir, or as other pseudonyms.

    Yes, that's what I do. Compartmentalize and isolate.

    I do my best to avoid being "hot".

    Also, cruising for open wifi APs is rather suspicious, I think.

    That's good advice :)
     
  13. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    235
    mirimir. I wasn't calling you out. Just making sure people realised that using other methods of thinking makes Windows having a backdoor a moot point. Sealing universal backdoors then becomes more of an academic exercise or a point of principle in regard to motivation.

    Evidence? Occam's Razor. Well it's much the same IMO. You say a backdoor preinstalled. I say they simply have the power to use a preexisting vuln--not actively adding more. These guys are in the business of national security, so poking more holes in infrastructure may prove pound foolish.

    Anyhow, it is close to impossible for me to disprove nonexistence of something; technically it is your burden to prove that NSA has backdoors--not otherwise.

    With that said. Most of the evidence still points away from backdoors and to vulns, and then, only for directed attacks.

    A. Where would the liability fall? MSFT is publicly traded and has no legal reason to install such tools for the government. Installing scrapers on Bing is an entirely different story. There are laws clearly on the books and the methods to exercise them.

    B. No need. Why create a backdoor when the "locks" that preexist are weak.

    C. This backdoor would be on all Win boxes. Why haven't we seen the code making a peep? Why hasn't anyone? In short, the leak could be detected. Too risky and could be used once, or would risk revealing itself. So it's either never used or doesn't exist--effectively the same as far as I'm concerned.

    D. Stuxnet, Duqu, Flame. Why do I need to design such things if I have a backdoor? And going back to point B--if these things can and do exist--why build a backdoor that creates liability for MSFT, NSA, and the user. Using vulns creates less liability for everyone included and still allows for deep directed exploits.

    E. The NSA doesn't need nor really want all that computer data which may not even be networked or is encrypted. Meanwhile, they have most of what they need from VZ and ATT. They are using the vulns (or backdoors) for strategic attack likely carried out by another gov branch. This is not broad scale--the reconnaissance at the data points is. So on the day to day worries, use a VPN at most and save the Bourne stuff for when you really need it!
     
    Last edited: Sep 4, 2013
  14. JackmanG

    JackmanG Former Poster

    Joined:
    May 21, 2013
    Posts:
    284
    Is this a joke? It reads like satire.

    What evidence? The razor?

    Legal compulsion, maybe. But reasons abound.

    ...until it's not.

    What's the difference between "building a backdoor" and "leaving a vuln"? Seems like we're just getting into semantics now.
     
  15. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    235
    "The razor"

    Teehee.

    Yeah, the post makes tons of sense when you remove points and substitute them with a section of an opening statement. Brilliant! Or was that just for humor. I hope for the latter.

    "Is this a joke? It reads like satire."

    I'm not trolling and will add whatever techs you need. Why I'm here: to save you the time. I've already exhausted this one as I think Mirimir has. There is a reason why what I said is far from satirical; actually, it's spot on as the argument was put forth--but you'd rather waste more time and troll me. Hey protect who you want to protect, but don't make yourself look inadequate while doing so.

    So rather than me meeting you down there....playing some cheap game...why don't you chin up and write something that actually deems a more respectful response.

    Or even ask a question:

    "What's the difference between "building a backdoor" and "leaving a vuln"? Seems like we're just getting into semantics now."

    Indeed, and I almost remarked on that, but then realised that it's critical to how the problem is served in order to prevent and properly exhaust through problem. Getting back towards moot--one has to assume both backdoors and vulns, unfortunately. Backdoors open an entire new can of worms. One must now use physical exploits. That changes the game/defensive strat a lot.
     
  16. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Indeed :)

    But I still won't use Windows or OS X for anything private ;)

    I do agree, however, that there's not much point in discussing questions that aren't empirically testable. See -http://plato.stanford.edu/entries/popper/
     
  17. JackmanG

    JackmanG Former Poster

    Joined:
    May 21, 2013
    Posts:
    284
    What points? You literally presented a logical principle as "evidence"...and then went on to claim "most of the evidence points to..."

    If you actually presented evidence somewhere in there, please help me find it.

    I'm sorry if you were offended by my post, but I'm not sure why you think you shouldn't be called out on your resting on a simple principle as a substitute for "evidence".


    I did ask that question. That's where you got it from: I asked it.

    I don't understand...you almost remarked on something that is critical to how the problem is served, but then didn't because you realized it's critical to how the problem is served?

    Then why are you so invested in eliminating backdoors as a possibility?

    I'm not sure how you can say that without answering my question and defining the difference between the two.
     
  18. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
  19. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Let me take another shot at this.

    Are there TLA backdoors (or intentionally unpatched vulnerabilities) in Windows?

    That's rather like playing Russian Roulette with a revolver, and asking whether there's a cartridge in the next chamber.

    Me, I'd rather not point a gun at my head ;)
     
  20. JohnMatrix

    JohnMatrix Registered Member

    Joined:
    Apr 12, 2012
    Posts:
    48
    Location:
    Behind you
    Adobe Flash is riddled with security flaws, just check security advisories. Some of these will be accidental but other flaws are just too stupid for me to believe these were accidentally created by Adobe. The accidental flaws are purchased by the NSA before being fixed by Adobe.

    What I would do is use a Linux box for general work, web surfing, etc. Install another Linux or Windows partition with Steam and Flash for playing games.
     
  21. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Hi.

    Sorry for the late response.
    I don't have the time to go through all answers so thanks to all who posted here, it will be a great reading.
     
  22. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Spite would be encrypting cat videos for them. For the most part, a 3 letter agency doesn't care about your pizza order, but others do. An online pizza order will probably get you pizza ads at the very least. The 3 letter agencies aren't the only ones tracking and profiling us. Anything that you implement to interfere with one group's ability to track or profile you will have an effect on the others. There's no realistic way to separate them. One pizza order reveals little besides topping preferences. Repeat orders can show a pattern of behavior. If you always order a pizza on payday, one can determine that you're always at a certain location at a specific time on payday. In itself, that may be innocent enough, but there's no legitimate need for such profiles to exist for the vast majority of people. Corporate greed isn't a legitimate need. Neither is the 3 letter agencies' obsession to know everything about everyone. If one of us monitored one of our neighbors in this fashion, we'd be charged with stalking.

    Regarding the question:
    Is it a backdoor or a vulnerability?
    Definitive proof will be very difficult to find when you can't see the source code. The vast majority of the evidence will be circumstantial. The fact that the evidence is circumstantial does not invalidate it. People can get convicted of murder with enough circumstantial evidence. Why should it be different for a corporation or a government?

    Barring some big revelation, the best we can do is to look at the individual pieces of evidence and the long term pattern of behavior of the involved parties. We know for certain that MS and the NSA have collaborated, supposedly to secure the operating system. We know that this collaboration did not result in a secure OS, but it did result in the user having less control over that OS. We know that the resulting operating systems have more open ports than they ever did before, some of which can't be closed. Starting with Vista, the user no longer has the option to choose a file system that doesn't hide data (and executables) in alternate data streams. Why is execution even allowed in ADS?

    A complete itemized list of lost user choices, and abilities would get quite long, but follows a clear pattern. This pattern mirrors the real world. Users have more choices in regards to eye candy, little features, games, and cosmetic issues. When it comes to the important things, we have little if any control or choice.

    Look at the individual pieces, especially the ones of major importance and ask a few questions for each. Is it flawed coding or was it designed flawed? Did they know it was flawed at the time? Was there a better choice? A good example here is SSL and HTTPS.

    Look objectively at the pieces for yourself. Then decide if these can all be mistakes and oversights.
     
  23. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    -http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance

    That's good enough for me :(
     
  24. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,892
    Location:
    US
    So pretty much any software that is not open source must be considered compromised unless proven otherwise.
     
  25. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yes, that's the safest bet.

    And even open-source is suspect, if it's complicated enough.
     