What's more secure/private?

Discussion in 'privacy technology' started by Chilipepper, Feb 6, 2014.

  1. Chilipepper

    Chilipepper Registered Member

    Joined:
    Jan 27, 2014
    Posts:
    7
    I wasn't sure if I should post this under security or privacy so sorry if it's the wrong spot.

    I do anything that requires anonymity through a Whonix VM (or Tails), private VPN and Tor. I was just wondering if it's any less secure that I keep all my VMs in a TrueCrypt partition as opposed to doing full disk encryption and adding a decoy OS. Seems like a tad overkill. I figure my VMs are encrypted either way, no?
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    1. Spyware on your host computer could spy on the virtual machines.

    2. By not using full disk encryption, a person with physical access to your host computer could plant spyware on your host computer.
     
  3. detritus

    detritus Registered Member

    Joined:
    Feb 6, 2014
    Posts:
    1
    Even FDE is vulnerable to the Evil Maid attack.
     
  4. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    These problems plague both approaches suggested by Chilipepper, unfortunately...
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Yes, that's right. Full disk encryption might make #2 more difficult though, depending on the knowledge/skill level of the adversary.
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Physical security for the host is essential. Even with totally secure FDE, adversaries could install a keylogger anywhere between the keyboard and motherboard. The NSA, for example, has many such devices that are readable remotely via passive microwave echoing.

    FDE protects data at rest. With FDE, adversaries can't reset passwords. Unless they keep machines hot and get passphrases from RAM, the data is safe.

    Using TrueCrypt with a hidden OS may provide deniability that's somewhat plausible. But it can't do that on Linux, as far as I know. So you have the trade-off between Windows (or OS X?) with FDE and hidden OS, and Linux with dm-crypt/LUKS for FDE and no hidden OS. I go with Linux.

    It may be possible to roll your own hidden OS setup using Linux and dm-crypt, without LUKS. But it would be hard to set up, and hard to use.

    Spyware on the host is also a risk. But there's one simple solution for that. Just don't use the host for anything except running VMs. Once it's set up, it should do nothing other than running VMs and updating itself.
     
  7. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    I haven't been able to post much lately, but I thought I would chime in to echo the statement above. There was a reason mirimir wrote the bolded part above first. The essential way to keep out the "evil maid" (in most scenarios) would be to never allow the evil maid to come close and have potential access to the physical computer. And this goes for so many other protections as well.
    Physical access must be maintained. Period. Yet, it is easily the most overlooked key to security/privacy.
     
  8. Chilipepper

    Chilipepper Registered Member

    Joined:
    Jan 27, 2014
    Posts:
    7
    Yeah, my host computer is primarily used for VMs, but as I see more and more crazy privacy invasion stories I've decided I want to come up with as solid an anonymous/private/plausible-deniability system as I can.

    Should I look into something like Qubes perhaps? Keep sticking with Tails and a hardware encrypted USB key that's locked in my file safe? Strengthen my Linux skills a bit more and run Windows in a VM when needed? (Use dm-crypt obviously)

    Whonix gives me a bad gut feeling if my computer was to be seized. Having that sitting in VirtualBox.

    If I decided to go the hidden/decoy OS route I would need a new reformat right? Can't use current Windows set up as the decoy? Nothing too shady on here. I guess I could always create a disk image.
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    If there's something that you really need to do on hardware, it's far better to use different hardware. Running a few VMs only takes a low-end i5 with 4-8 GB RAM.

    Qubes would be a learning experience ;) And you would need dedicated business-class hardware. Tails and encrypted USB flash is OK. But a Debian-family host with dm-crypt/LUKS is far more flexible, and easier to learn than Qubes.

    Yes, I want my VMs in an FDE-encrypted host :)

    Yes, you want to reinstall clean. I don't know anything useful about TrueCrypt, though.
     
  10. Chilipepper

    Chilipepper Registered Member

    Joined:
    Jan 27, 2014
    Posts:
    7
    Yeah, I have an i7 with 16 GB of RAM so I'm good. I also have a Chromebook I could use for clean surfing (don't care much about Google tracking the minor stuff I do on that account).

    Yeah. I just looked into Qubes. I think I'll stay away for a while from that one haha. Little over my head.

    What do you think about running a Windows 7 VM on Debian from time to time to use certain programs (not very familiar with Wine). Wouldn't be using it for browsing, downloading or anything.

    Sounds like the route I will go. Not looking forward to backing up all my media :(

    EDIT:

    Thanks a lot, man; excuse my newbishness if I hit you up with some questions along the way.
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Windows 7 as a VM is OK. But then you can't run a VPN client on the host, because you probably don't want it and other VMs to be using the same VPN exit. You could run VPN clients in Linux VMs, or use pfSense VMs as VPN routers.

    De nada ;)
     
  12. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599
    You guys can't imagine how much I struggle with something on this thread. Mirimir touched on it and after years of dealing with the subject I STILL cannot come to a decision that lets me sleep the best at night. So here it is and I hope members chime in on this because it totally supports the OP's concerns as well:

    Which approach is better considering the ENTIRE situation, including the legal climate?

    Option 1 - I am expert level with TrueCrypt and I love the hidden OS features. However, in order to use them I am limited to the Windows platform. Following this thread, that means that my host OS would be Windows. My VMs can be Linux/Whonix/etc... but still the host is Windows if I want a hidden OS. The use of a hidden OS does provide for a very, very plausible deniability since my box is squeaky clean and I cover my steps flawlessly with "physical" security. Should I ever be confronted by a strong adversary I can appear cooperative by providing passwords to all encrypted areas on my computer, which of course will not reveal my hidden OS. My outer volume is extremely convincing.

    Option 2 - I also use dm-crypt/LUKS on a fully encrypted Linux host machine. Again, the VMs can be anything, but specifically Linux VMs with Tor as desired. My perception is that Linux operating as a mostly unused host would be safer than Windows from the "inside". However, by using this approach there is no deniability at all. Your machine has encrypted volumes and an adversary may want you to open it, or else! In theory you have a right to remain silent where I live, but that is theory. If you stand defiant and refuse, things can go to a different level.

    So that is the dilemma: which scenario plays out better? Be safer from malware attacks by running a Linux host, or be a little more exposed to malware attacks with Windows? BUT with Windows you ADD the situation-defusing "smile" that providing fake passwords on a hidden OS allows! Again, I really struggle with the answer for this and I would love to hear your thoughts. If you are in a situation where opening 100% of your drive space to an adversary would not make you uncomfortable, then your opinion might not come from one of deep reflection. Still, I do want to hear opinions on this subject.
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    @Palancar

    I've also struggled with that issue for years.

    Going the hidden OS route just isn't viable for me, for at least three reasons. One, I just don't want to use hosts running Windows. Two, keeping secure backups is hard. You either need a bunch of small FDE-encrypted USB flash or HDD devices that you physically hide, or you have a bunch of HDDs with hidden partitions, that seem mostly empty.

    Third, I just don't think that TrueCrypt hidden partitions are all that deniable. Indeed, even using TrueCrypt without hidden partitions will raise suspicion, even if you truly have given up your passphrases.
     
  14. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    I have not done this, or even looked into it, but...

    I agree with Palancar - it's a dilemma. If dm-crypt/LUKS had Hidden OS, boy would the world be better :D But the cryptsetup guys think it is ridiculous. They also think self destruct is ridiculous, yet Kali said "whatever, we're doing it". I think Linux needs both - the devs are wrong.

    Now, is it possible to completely prevent the Windows Hidden OS from communicating with the outside world, yet have a Linux VM *able* to communicate? Because that's the problem. Windows sending info, or being able to receive it. If one could just say "no" to Windows, but "yes" to a VM - that would go a long way to solving this problem.

    It would seem to be a firewall config, or a way for only the VM to have the drivers for the internet adapter, while Windows does not.

    Just some thoughts.
     
  15. Chilipepper

    Chilipepper Registered Member

    Joined:
    Jan 27, 2014
    Posts:
    7
    Combine that with full disk encryption and keep the VM on a hidden partition. Might actually be worth looking into.
     
  16. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    That makes sense that they could add a physical keylogger. I just read about that evil maid attack. I really don't understand it. If your OS is encrypted, then how could they do anything to it?
     
  17. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    I guess if a keylogger can see your VMs they could see Qubes too.

    With Tails you are running a totally separate OS so I don't guess an installed keylogger would matter. But with Tails you can't tunnel it through a VM so you couldn't hide the fact that you were using Tor.
     
  18. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    Okay I just read some more and I guess I just don't have an understanding of how a computer works. I don't understand what a bootloader is and I don't understand an MBR. But anyway you are not installing a keylogger on the OS, correct?

    Two questions:

    A friend of mine loaned me a laptop once. And when I turned it on it wanted a password. It had something to do with the power source. The power supply. It would not power up the computer unless the password was entered. Could this protect against the evil maid?

    A new version of Shadow Defender is supposed to provide MBR protection. Could this protect against the evil maid?
     
  19. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Because the "booting bits" are not encrypted. See https://www.wilderssecurity.com/showthread.php?t=256545.
     
  20. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    "Good" Bootloader defeats "Evil" Maid :D

    Always carry it around your neck.

    Although I have to wonder - it seems hardware keyloggers would be a lot easier?

    So none of you VM users can think of a way to prevent a Windows host from accessing the network 'at all' - but having a VM running on it, able to? Seems like the Holy Grail - A TC Hidden OS running a Linux VM, with Windows unable to do anything at all.
     
  21. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Perhaps a HIPS on the host like Comodo that allows only the virtual machine's exe(s) to use the Internet, with those same virtual machine exe(s) hardened by the HIPS against DLL injection, etc.
     
  22. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    For Linux with dm-crypt/LUKS, you need to wipe the LUKS header. You can store a backup in the /boot folder that you're carrying. Micro SD chips can be chewed and swallowed ;)

    Yes, they are very hard to defend against. The best strategy is using a notebook set up for tampering to be evident. Recently, I've read about using glitter nail polish for that. Maybe it was here. You take photos with your phone, and then compare before using the notebook. Of course, you're hosed if your phone's been compromised too :(

    If an adversary has root on your machine, you've lost :(
     
  23. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    I just want to know if it can be done. I can't be the only one that would like to run a Linux VM on a TrueCrypt hidden OS - where Windows can't communicate at all?
     
  24. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    In bridging mode, VM network adapters access host NICs directly, using not much more than host OS firmware and maybe drivers. VMs get their IPs from the local LAN or WiFi AP. So you might be able to cut off Windows without affecting VMs. However, there might be low-level system stuff that's beyond the reach of userland.

    But hey, testing beats guessing ;) You'd need a suitable router for monitoring network traffic.
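Added example for this thread, not any poster's own configuration and not code from VirtualBox or Microsoft: a Windows Firewall allowlist that implements the per-process idea MrBrian floats in post 21 (only the VM's executable may use the Internet) and that PaulyDefran keeps asking about, with the bridged-mode point from mirimir's post above taken into account. Assumptions: Windows 8 or later (the NetSecurity cmdlets), an elevated PowerShell session, a VM executable at the path in `$VmProcess`, and NAT networking rather than bridged.

```powershell
# Added example for this thread (not any poster's own setup): a per-process
# outbound allowlist on a Windows host so that only the VM process can reach the
# network. Assumes Windows 8 / Server 2012 or newer (NetSecurity cmdlets) and an
# elevated PowerShell session. $VmProcess is an assumption: point it at whichever
# executable actually runs your guest (VirtualBox has moved this between
# VirtualBox.exe, VirtualBoxVM.exe and VBoxHeadless.exe across versions).

$VmProcess = 'C:\Program Files\Oracle\VirtualBox\VirtualBox.exe'   # assumed path
$RuleName  = 'VM process only - outbound'

# Host-side rules the VM still depends on in NAT mode: the host must hold an IP
# address, so the DHCP client stays allowed. With a static address on the host
# this entry can go too.
$KeepOutbound = @('Core Networking - DHCP (DHCP-Out)')

if (-not (Test-Path -LiteralPath $VmProcess)) {
    throw "VM executable not found at '$VmProcess'; set `$VmProcess first."
}

# 1. Default-deny, both directions, every profile. This is what silences the
#    host's own services (updates, telemetry, browsers) rather than any one app.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Default-deny only matters if no pre-existing allow rule lets traffic out.
#    Windows ships dozens of enabled outbound allow rules; disable all but the
#    ones we explicitly keep. (Disabled, not deleted, so this is reversible.)
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Where-Object { $KeepOutbound -notcontains $_.DisplayName -and $_.DisplayName -ne $RuleName } |
    Disable-NetFirewallRule

# 3. The single outbound exception: traffic whose originating process is the VM.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Allow `
    -Program $VmProcess -Profile Any -Enabled True | Out-Null

# 4. List what is still allowed out, so the result can be checked before it is
#    trusted. Anything here other than the VM and DHCP is a gap to close.
function Get-AllowedOutboundPrograms {
    Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
        ForEach-Object {
            $app = $_ | Get-NetFirewallApplicationFilter
            [pscustomobject]@{ Rule = $_.DisplayName; Program = $app.Program }
        }
}
Get-AllowedOutboundPrograms | Format-Table -AutoSize
```

On Windows 7 the same policy is expressed with `netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound` followed by `netsh advfirewall firewall add rule name="VM process only - outbound" dir=out action=allow program="<path to VM exe>"`. The rule only does what the thread wants in NAT mode, where the guest's packets leave through sockets owned by the VM process; in bridged mode the hypervisor's own filter driver puts guest frames on the NIC underneath the host's TCP/IP stack, so host firewall rules neither block nor permit them, which is the behaviour mirimir describes. A per-program rule also trusts process identity: anything able to inject into the VM process inherits its exemption, which is why MrBrian pairs the rule with HIPS hardening of that executable. As mirimir says, confirm the result by watching the host's traffic at the router rather than trusting the rule listing.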
     
  25. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Agreed! :D - have to find the time.
     