Ideas of secure and anonymous system/computer.

I want to introduce you with the idea of secure and anonymous system/computer.

Every system with proprietary software lacks in field of safety and anonymity.
So we must focus on free open source system like Debian. Part of the features listed here are exists in systems like Tails, QubesOS and others. Some software is taken from prism-break.org.

This is how I see this concept:

Base system:
- Debian with kernel patched with grsecurity.

System features:
- Anonymous networks integration: Tor, Freenet, I2P.
- Full disk encryption
with dm-crypt and LUKS.
- Strong security through isolation, similar to QubesOS, (based on Xen, using IOMMU/VT-d ).
- Virtual machines for most buggy solutions, e.g. flash.
- Different users for different uses.
- Torified web applications.
- Email client with PGP encryption.
- Instant messaging with OTR (off the record), e.g.Pidgin.
- Bitcoin client and other cryptocurencies.
- RAM cleaning on shutdown, panic button (cold boot attack protection).
- MAC Changer.
- User anonymity and safety education utility (community support).
- Safety alerts (community support) - inform the user about recently founded security problems that may influence .
- System entropy generator (if not hardware), like haveged.
- Web browser (Firefox) with profiles for different uses and plugins enhancing anonymity/security (Adblock Edge, HTTPS Everywere, NoScript, Disconnect).

Every closed hardware is potentially dangerous to safety, that's why initiative like OpenCores are very important. In the not far future every element of secure computer may be assembled using only open hardware solutions. System should have specific version for open hardware decreasing size and complication of kernel.

Hardware features:
- Preferable open hardware.

- Closed hardware with open source firmware if possible.
- Random number generator for increasing system entropy.
- Some special, physical crypto-token needed to unlock the system.

Would you like this idea? What elements would you like to add, change?

You should start with describing threats, and only then - defence measures.

Who are you hiding from? What are you doing?

There is no such thing as "perfectly secure" system. Always keep in mind who exactly is your enemy and what exactly are you hiding from him.

You should start with describing threats, and only then - defence measures.

"TOR Hacker"

This system should give ultimate protection against all threats. User decides which elements are important to him.

Who are you hiding from? What are you doing? There is no such thing as "perfectly secure" system. Always keep in mind who exactly is your enemy and what exactly are you hiding from him.

"TOR Hacker"

Like I said before, it should be universal. System should give you tools and guide you, whatever you doing. If you want to protect important bussines data, publish antigoverment opinions, browse internet anonymously...

Unfortunately, this not gonna work.

Even when working on "fully secured" system you still have to keep in mind what information are you uploading and how it can harm you by leaving any traces. Your emails, credentials, nicknames, even browsing habits and word statistic.

Each security tool has it's own purpose. For example, you are going to use LUKS. This can help in 2 cases:
1) When your laptop is lost or stolen
2) When FBI guys broke into your house
Okay, one more scenario
3) When you pass border and have some hypothetical customs inspection.

I am not sure guys on customs would be satisfied if you just say "Sorry, this disk is encrypted, I will not gonna show what's on it". They will not let you in, or will confiscate your laptop, or will beat you untill you provide them a password. ^) Depends on country.


The next one: Strong security through isolation
This is made against exploits and 0-day vulnerabilities. When you think you can face it? Who will be using this exploits against you? What for?
There are several cases when this is possible, and we can try to name all that cases and see if we can do something.


In general there are 4 type of people you can have secrets from:
1) Government. Big brother is watching everybody.
2) Crime investigators. Eavesdropping personally you, not all citizens.
3) Criminals. Blackmailers, fraudsters & other bad guys who can use your information against you.
4) Business competitors. Well, this is very close to 3), they have same abilities & instruments.
5) Your wife

What you propose is kinda silver-bullet against all of them. ^) Sounds good, but I think is too hard to implement. And you will still need to know much about how things work, in order to use such a system. Just to ensure you are not checking your regular FB account from Tor. )

Why not just use VM for all your "bad stuff" and reset it to initial state between sessions?

This will definitely erase all traces such as cookies, shared-objects, cache & so on. You will have new identity each time, and nothing will point to your previous ones or to you real name.

Even if you get some malware, it will not be able to steal anything outside VM nor to reveal your real IP, and after resetting VM it will be killed.

Why not just use VM for all your "bad stuff" and reset it to initial state between sessions?

"Danja"

That was exactly my recipe from this topic!

You can use ANY OS inside VM. Even buggy one. Even with Flash & Java enabled, and even with evil rootkit installed. Just make sure it has no direct access to Internet, and think carefully every time you move any file to or from VM.

what if evil code breaks the security of VM and pops out?

Unfortunately, this not gonna work.

Even when working on "fully secured" system you still have to keep in mind what information are you uploading and how it can harm you by leaving any traces. Your emails, credentials, nicknames, even browsing habits and word statistic.

"TOR Hacker"

So system shuld warn users (in some invasive way of course) if possible, that some action may be dengerous for him. User education is also wery important in this situation.

Each security tool has it's own purpose. For example, you are going to use LUKS. This can help in 2 cases:
1) When your laptop is lost or stolen
2) When FBI guys broke into your house
Okay, one more scenario
3) When you pass border and have some hypothetical customs inspection.

I am not sure guys on customs would be satisfied if you just say "Sorry, this disk is encrypted, I will not gonna show what's on it". They will not let you in, or will confiscate your laptop, or will beat you untill you provide them a password. ^) Depends on country.

"TOR Hacker"

Heh, border crossing is tough situation. Although there must be some solution this problem. Any thoughts?

Heh, border crossing is tough situation. Although there must be some solution this problem. Any thoughts?

"lock"

Hmmm, maybe this? http://keyj.emphy.de/real-steganography-with-truecrypt/


What is really tough situation is checking my regular mailbox from anonymous system, or posting my ICQ number in carder's forum, or uploading pictures with EXIF data, and so and so on. If I am dumb enough to do such kind of foolery, nothing will help.

So in my opinion, security is first of all EDUCATION. You should know all existing threats, this is the only way to stay secure.

Of course, someone can make Firefox plugin that would automatically strip EXIF data from all images uploaded, and erase personal information from every textbox filled, and show warning each time you enter password somewhere, and so and so on. But this will be still not "fully secure system".

what if evil code breaks the security of VM and pops out?

"sakiri"

This is possible, but very unlikely.

You should understand, that there is no such thing as ultimate security, because security is always an arms race.

But in my opinion, the collection of disposable VM's with no physical access to hardware would be more secure solution, than hardening your main system.

There are millions of ways you can break your anonymity:
http://samy.pl/evercookie/
https://panopticlick.eff.org/
http://ip-check.info/description.php
viewtopic.php?f=4&t=18282
...

So erasing the whole system after each session is an absolutely must. And this can be done much more easily, then developing unbreakable Debian and keeping it up to date with every new vulnerability discovered. And more secure, after all. Because your system inside VM knows nothing about you, it has short memory and no access to physical world. Isn't it perfect?

You can use ANY OS inside VM. Even buggy one. Even with Flash & Java enabled, and even with evil rootkit installed. Just make sure it has no direct access to Internet, and think carefully every time you move any file to or from VM.

"TOR Hacker"

And don't install VMTools or similar addons for sharing folders, tracking mouse cursor on-the-fly, common clipboard etc.

what if evil code breaks the security of VM and pops out?

"TOR Hacker"

This is possible, but very unlikely.

"sakiri"

VMWare: http://www.zdnet.com/virtual-machine-ex ... 039661637/
XEN: http://www.vupen.com/blog/20120904.Adva ... 2-0217.php
KVM: http://blog.nelhage.com/2011/08/breaking-out-of-kvm/
QEMU: http://www.websecuritywatch.com/cve-2011-1751-qemu/

As for 2013 all these vulnerabilities are fixed.
Of course, you can always get some unknown 0-day exploit, but it is much much much more unlikely,
then having it in:
email client
IM client
Bitcoin client
Tor itself
Truecrypt
other utilities
Linux kernel
Debian
...


Hardening a big system is not a piece of cake, you should keep tracking all your software day by day.

While living in a small disposable VM you have only single point of failure - the virtualization engine.

I'm aware of the fact that using addons on the Tor browser is a no-no, but what about those that are cosmetic and/or make the browser easier to use? Examples are Tab Mix Plus, Menu Editor, Colorful Tab, etc. Also, I know that bringing down torrents on the Tor network is another no-no, but what if the Bittorrent client operated independent of the browser and outside the Tor network? Once you get the torrent file or magnet link you're in business, it doesn't matter that you live in a place where accessing that site isn't allowed.