 Post subject: Virtual Machine
Post #1 Posted: Fri May 23, 2014 9:27 am 
Judan

Posts: 6269
Liked others: 0
Was liked: 796
viewtopic.php?p=165535#p165535

RBerenguel wrote:
using a virtual machine is not an incomplete "random" method, but it is what is used in most fields needing high security. Shared hosting environments, malware analysis companies, etc. You set up a virtual machine, and interact with the unknown program only within the virtual machine. No security problems, since the virtual machine hides all your system from the virtual machine.


Suggesting nothing but a VM is a random method. E.g., without other security means, a third person can access the PC, deactivate the VM, and that was that. Also VMs must be part of a greater security concept.

The VM security you describe is a dream, but is not the reality. The VM inherits the host's (typically the OS's) security environment. If the environment can be attacked, so can the VM. Therefore, VMs do not convince me. I prefer to concentrate on getting the host's environment right (and within the environment, one can define sandboxes).

 Post subject: Re: Virtual Machine
Post #2 Posted: Fri May 23, 2014 10:32 am 
Gosei

Posts: 1585
Location: Barcelona, Spain (GMT+1)
Liked others: 577
Was liked: 298
Rank: KGS 5k
KGS: RBerenguel
Tygem: rberenguel
Wbaduk: JohnKeats
Kaya handle: RBerenguel
Online playing schedule: KGS on Saturday I use to be online, but I can be if needed from 20-23 GMT+1
Robert, your sandbox concept is good in theory, but quite likely not good enough in practice. The best sandbox for an application is inside a virtual machine. Virtual machines can't suffer from User isolation, password security and machine security are different problems, that have other solutions (full disk encryption, user permissions, etc)

_________________
Geek of all trades, master of none: the motto for my blog mostlymaths.net

 Post subject: Re: Virtual Machine
Post #3 Posted: Fri May 23, 2014 10:48 am 
Judan

Posts: 6269
Liked others: 0
Was liked: 796
I wish Windows Professional would have the Windows Server's Dynamic Access Control, with which it must be easy to set one sandbox per application and its resources. Windows 7 easily allows only one sandbox (for all internet programs, as I use it). Windows 8 has AppContainers, but one cannot use them because their documentation is still missing, AFAIK. Anyway, Integrity Level Low as the one sandbox is essentially good enough for my purposes. Finer sandboxes would be better, but the harm for interacting internet programs is small in my security concept, because I hide most data from their access. However, Low is important in my concept, so I make great efforts to run my programs accordingly.

 Post subject: Re: Virtual Machine
Post #4 Posted: Fri May 23, 2014 11:07 am 
Gosei

Posts: 1585
Location: Barcelona, Spain (GMT+1)
Liked others: 577
Was liked: 298
Rank: KGS 5k
KGS: RBerenguel
Tygem: rberenguel
Wbaduk: JohnKeats
Kaya handle: RBerenguel
Online playing schedule: KGS on Saturday I use to be online, but I can be if needed from 20-23 GMT+1
Well, Windows has made great strides forward, but when even OpenSSL can fail in servers, we can never be sure about where a buffer overrun can happen... And where our data is going, anyway. But I suggest you look (when you have some time) at the subject of virtual machines (VirtualBox is a good one at that) and its security. It would allow you to execute "somewhat untrusted apps" or do things like checking wbaduk quickly for these cases. Then re-install the machine as a clean environment when needed. Handy ;)

_________________
Geek of all trades, master of none: the motto for my blog mostlymaths.net

 Post subject: Re: Virtual Machine
Post #5 Posted: Fri May 23, 2014 1:14 pm 
Judan

Posts: 6269
Liked others: 0
Was liked: 796
That can also be done with Windows restore points.

 Post subject: Re: Virtual Machine
Post #6 Posted: Fri May 23, 2014 1:21 pm 
Gosei

Posts: 1585
Location: Barcelona, Spain (GMT+1)
Liked others: 577
Was liked: 298
Rank: KGS 5k
KGS: RBerenguel
Tygem: rberenguel
Wbaduk: JohnKeats
Kaya handle: RBerenguel
Online playing schedule: KGS on Saturday I use to be online, but I can be if needed from 20-23 GMT+1
RobertJasiek wrote:
That can also be done with Windows restore points.

These can be bypassed by a good enough attack (back in XP days there were samples of it). The virtual machine approach can't, since the attacker is supposedly inside the machine and the clean copy outside.

_________________
Geek of all trades, master of none: the motto for my blog mostlymaths.net

 Post subject: Re: Virtual Machine
Post #7 Posted: Fri May 23, 2014 1:35 pm 
Gosei

Posts: 1639
Location: Ponte Vedra
Liked others: 642
Was liked: 490
Universal go server handle: Bantari
For added security I found it a good idea to have cross-OS VMs... for example - a Linux VM environment within a Windows computer. Or vice versa, or whatever. This might not work if you want to test applications, but for browsing suspect sites, works great.

With that in mind - please do NOT tell us what sites you are planning to browse. ;)

PS>
Or better yet, if you are so concerned about security, why use Windows at all?!? Just get Linux (it's free) and when you combine it with Wine or VM or something like that - you can pretty much do whatever you want while cutting any security problems by a huge margin (pretty much - entirely) at the same time.

_________________
- Bantari
______________________________________________
WARNING: This post might contain Opinions!!


This post by Bantari was liked by: RBerenguel
 Post subject: Re: Virtual Machine
Post #8 Posted: Fri May 23, 2014 1:49 pm 
Judan

Posts: 6269
Liked others: 0
Was liked: 796
Explain for Linux how software whitelisting and sandboxing by means of access rights are configured. Then we are at Windows's user mode security level. (Comparing the two kernels' securities is a task for a diploma.)

 Post subject: Re: Virtual Machine
Post #9 Posted: Fri May 23, 2014 1:54 pm 
Gosei

Posts: 1639
Location: Ponte Vedra
Liked others: 642
Was liked: 490
Universal go server handle: Bantari
RobertJasiek wrote:
Explain for Linux how software whitelisting and sandboxing by means of access rights are configured. Then we are at Windows's user mode security level. (Comparing the two kernels' securities is a task for a diploma.)

Why do you need to do that in Linux?
You need all that stuff for Windows because Windows is messed up to begin with. With a good operating system, you should be able to be OK without all that idiocy. Still, if you need to simulate it, you can always do it within a VM - which as explained to you is a better sandbox than whatever Windows provides. And there are other ways.

If you need more info, just google it.

_________________
- Bantari
______________________________________________
WARNING: This post might contain Opinions!!

 Post subject: Re: Virtual Machine
Post #10 Posted: Fri May 23, 2014 2:26 pm 
Dies with sente

Posts: 94
Location: Amsterdam, NL
Liked others: 29
Was liked: 63
RobertJasiek wrote:
Since watching live has proven to be impossible for me (the WBaduk registration procedure is too slow and I am waiting for a checksum of the installer, to start with the PC security problems I am going to try and possibly overcome), I wonder if the games will at least be published.

Above quoted from yours in another thread.

Computer security being your matter of concern, fine, but with WBaduk? Suspecting an innocent baduk client as of a security matter well at least by me is presumingly inferred as that you are quite unfamiliar with computers.

Why not use analogue recording methods to save extremely important information (like pin numbers?), and use digital methods while assuming that anyone may see what is in my hardwaredrive, e-mail, or whatever; I suggest.

_________________
Wait, please.

 Post subject: Re: Virtual Machine
Post #11 Posted: Fri May 23, 2014 2:34 pm 
Gosei

Posts: 2011
Location: Groningen, NL
Liked others: 202
Was liked: 1087
Rank: Dutch 4D
GD Posts: 645
Universal go server handle: herminator
RobertJasiek wrote:
Explain for Linux how software whitelisting and sandboxing by means of access rights are configured. Then we are at Windows's user mode security level. (Comparing the two kernels' securities is a task for a diploma.)


http://selinuxproject.org/page/Main_Page

EDIT: For example http://selinuxproject.org/page/PipelineDemo shows automation for what you do manually: vetting and processing files before moving them to a different information domain (e.g. filter and convert downloaded files before making them accessible to the user).

 Post subject: Re: Virtual Machine
Post #12 Posted: Fri May 23, 2014 2:59 pm 
Gosei

Posts: 1639
Location: Ponte Vedra
Liked others: 642
Was liked: 490
Universal go server handle: Bantari
MJK wrote:
Computer security being your matter of concern, fine, but with WBaduk?

Remember - this comes from a person who designed something like a 50-step KGS client update process which included things like full manual Windows registry cleaning. And then was so proud of that that he posted it on GD. ;)

PS>
Robert - It really seems to me that if you are that paranoid about security, then you should just use a simple 2-computer solution. If you really really really want to shoot yourself in the foot and go the Windows route - buy a cheap laptop (you can get some really cheap these days) and use it as a "sandbox" while you only transfer safe and secure and verified and validated data/software to your primary box. Combine it with the measures you have now - and it is probably the most secure solution you can have, better than internal sandboxes, firewalls, whitelists, and whatnot. You can always restore the cheap baby laptop to factory settings if you run into issues. And make frequent backups of both systems.

Or as I say - just avoid all that by avoiding Windows. ;)

_________________
- Bantari
______________________________________________
WARNING: This post might contain Opinions!!

 Post subject: Re: Virtual Machine
Post #13 Posted: Fri May 23, 2014 4:57 pm 
Oza

Posts: 2221
Location: Germany
Liked others: 8268
Was liked: 924
Rank: OGS 9k
OGS: trohde
Universal go server handle: trohde
Bantari wrote:
[..] just avoid all that by avoiding Windows. ;)
This, IMNSHO, is the essential statement.

I use a Mac. Plus, <brag> working with computers since before CP/M, and having used more operating systems than I have fingers on my hands (none amputated), </brag> I know what to click and what not. But I also believe that we’re all pwned by #NSA and the likes.

Sadly, I currently need Windows (oh, I wrote “Windows”, gotta wash my hands now) for earning my money (since Adobe killed Framemaker for Mac :mad: ), and therefore I run it in a virtual machine—putting Windows where it belongs: in a window (though I use it full-screen), and where it can’t do much harm :-D

I taught media design/operating for almost ten years; every time I used the word “Windows”, I added “this punishment of heaven” (»diese Strafe des Himmels”) and “I must go wash my mouth now”. (There actually are three major punishments: Windows, Outlook Express, and Internet Explorer. Minor punishments are Powerpoint and Word. And the only bug-free Windows programs are Minesweeper and Solitaire. MCSE = Minesweeper Consultant, Solitaire Expert. Could go on like this for hours.)


Greetings, Tom

_________________
“The only difference between me and a madman is that I’m not mad.” — Salvador Dali ★ Play a slooooow correspondence game with me on OGS? :)


This post by Bonobo was liked by: Bantari
 Post subject: Re: Virtual Machine
Post #14 Posted: Fri May 23, 2014 9:04 pm 
Gosei

Posts: 1639
Location: Ponte Vedra
Liked others: 642
Was liked: 490
Universal go server handle: Bantari
Bonobo wrote:
Bantari wrote:
[..] just avoid all that by avoiding Windows. ;)
This, IMNSHO, is the essential statement.

I use a Mac. Plus, <brag> working with computers since before CP/M, and having used more operating systems than I have fingers on my hands (none amputated), </brag> I know what to click and what not. But I also believe that we’re all pwned by #NSA and the likes.

Sadly, I currently need Windows (oh, I wrote “Windows”, gotta wash my hands now) for earning my money (since Adobe killed Framemaker for Mac :mad: ), and therefore I run it in a virtual machine—putting Windows where it belongs: in a window (though I use it full-screen), and where it can’t do much harm :-D

I taught media design/operating for almost ten years; every time I used the word “Windows”, I added “this punishment of heaven” (»diese Strafe des Himmels”) and “I must go wash my mouth now”. (There actually are three major punishments: Windows, Outlook Express, and Internet Explorer. Minor punishments are Powerpoint and Word. And the only bug-free Windows programs are Minesweeper and Solitaire. MCSE = Minesweeper Consultant, Solitaire Expert. Could go on like this for hours.)


Greetings, Tom

Yeah, OSX is my OS of choice as well. Unfortunately, it's pricey, which is why I suggested Linux instead.
In either case - I really don't understand why somebody so security-obsessed as RJ would use Windows as the main OS. Or at all.

_________________
- Bantari
______________________________________________
WARNING: This post might contain Opinions!!

 Post subject: Re: Virtual Machine
Post #15 Posted: Sat May 24, 2014 12:20 am 
Judan

Posts: 6269
Liked others: 0
Was liked: 796
Herman, thank you, SElinux goes in the right direction!

Bantari, paranoid is never a good description for security. 2 PCs is a good means for sure (which I do not want to apply ATM for other reasons).

All, Windows is not insecure and Linux is not more secure than Windows, but out-of-the-box operating systems, whether Windows, Linux, Android, iOS or whatever are too insecure (for my needs anyway). All deserve careful security configuration, whether one includes VMs or other means for that purpose.

 Post subject: Re: Virtual Machine
Post #16 Posted: Sat May 24, 2014 7:19 am 
Oza

Posts: 2221
Location: Germany
Liked others: 8268
Was liked: 924
Rank: OGS 9k
OGS: trohde
Universal go server handle: trohde
Bantari wrote:
[..] OSX is my OS of choice as well. Unfortunately, it's pricey [..]
“pricey”, as in “good shoes” for which I pay perhaps 20 or 30 € more but which last for decades instead of only until next year ;-) way better than “cheap”, and way more savings in the long run, if you ask me.


RobertJasiek wrote:
[..] paranoid is never a good description for security. [..]
Correct. All we need is a sane level of security :roll:

Cordially, Tom

_________________
“The only difference between me and a madman is that I’m not mad.” — Salvador Dali ★ Play a slooooow correspondence game with me on OGS? :)

 Post subject: Re: Virtual Machine
Post #17 Posted: Sat May 24, 2014 7:44 am 
Judan

Posts: 6269
Liked others: 0
Was liked: 796
I.e., better than GCHQ, NSA and criminals.

 Post subject: Re: Virtual Machine
Post #18 Posted: Sat May 24, 2014 7:49 am 
Gosei

Posts: 1585
Location: Barcelona, Spain (GMT+1)
Liked others: 577
Was liked: 298
Rank: KGS 5k
KGS: RBerenguel
Tygem: rberenguel
Wbaduk: JohnKeats
Kaya handle: RBerenguel
Online playing schedule: KGS on Saturday I use to be online, but I can be if needed from 20-23 GMT+1
RobertJasiek wrote:
I.e., better than GCHQ, NSA and criminals.


Using any computer connected to the net could be a liability, w.r.t. the NSA. Looks like they have been tampering with servers/routers recently, for instance. Being really paranoid, what prevents them forcing Intel/AMD to install hooks directly at processor level? Or between processor and memory. Or...

I always take the approach of, well, not doing anything that is remotely interesting to a security agency, or even to a criminal, except for online banking. I'd love to have enough money so I could worry about someone stealing my online banking credentials, but as it stands it's easily covered by standard, bank insurance for these cases.

_________________
Geek of all trades, master of none: the motto for my blog mostlymaths.net

 Post subject: Re: Virtual Machine
Post #19 Posted: Sat May 24, 2014 2:19 pm 
Gosei
User avatar

Posts: 1639
Location: Ponte Vedra
Liked others: 642
Was liked: 490
Universal go server handle: Bantari
Bonobo wrote:
Bantari wrote:
[..] OSX is my OS of choice as well. Unfortunately, it's pricey [..]
“pricey”, as in “good shoes” for which I pay perhaps 20 or 30 € more but which last for decades instead of only until next year ;-) way better than “cheap”, and way more savings in the long run, if you ask me.

I disagree.
A Mac is much more expensive than a PC, not only by 20 or 30 €. I can buy a PC laptop for ~$200-$300, while the low-end Mac is what? Around $900 - which is 3-4 times the price. Even if you want to get a PC laptop with comparable parameters - it will be $400-$600 depending on the brand and packaging. This is a big price difference.

Durability is also not an issue. These days - Macs have exactly the same components inside as PCs, so there is very little hardware difference. As a matter of fact, I have Windows boxes which are much older than all my Macs put together - and they still work great (whenever I need to get my courage together to fire them up or feel nostalgic about some old games.)

Additionally, the same software tends to be more expensive in its Mac version than a PC version. For example: Adobe Creative Suite ~$300 for PC and ~$500 for Mac, MSOffice for PC ~$80, for Mac ~$130, and so on... it's a huge difference, sometimes almost twice the price.

Then there is the whole thing of software availability. VM is a good solution for some applications, but cumbersome for others - this is why many have to use actual Windows PC rather than running Windows in a VM.

The biggest difference, for me, in running a Mac over a PC is the OS, not the hardware. And this is what I am willing to pay for. It's just so smooth... no registry, you install stuff and it just works, you want to uninstall and deleting a single folder does it cleanly, stuff like that. No hangups. And the fact that it is built on top of Linux, which makes it more secure and more stable - no more viruses, no more malware - haven't had to worry about it in all those years I used a Mac - which is awesome, no more Windows hassle!!! That, and my work combines Linux-based development with strong graphical needs, which makes a Mac ideal for me.

Still, from my observation - the price difference is, for many, a very big factor.
And I have to admit that a Mac is not always ideal for everyone for other reasons as well.

But if it comes to security - both Mac and Linux beat the pants off of Windows. If for no other reason than that nobody really bothers writing viruses and malware for Linux, while the whole world seems to be busy cracking Windows left and right and center. So even if somebody does not believe in the inherent security advantage, the numbers themselves work in heavy favor of Linux/Mac over Windows. I know, I have been running both for ages (and yes, the CP/M as well) - and the hoops I have had to jump with Windows were very tiresome. I do the same with my Macs now and for the last 5-6 years of heavy use, not a single problem, not a single malware, not a single virus, nothing. With Windows, in spite of all the hoops, I had to clean it up twice a year, on average, sometimes more, because the system got unusable from all the crap it lets through when you just simply use it.

So my advice is - if you are fixated on security, go Mac. If you want cheaper - go Linux, same difference just not as flashy. If you want to use Windows, you get what you deserve, and you need a two page small-print precautional procedure on how to copy a file. It's the choice you make.

_________________
- Bantari
______________________________________________
WARNING: This post might contain Opinions!!

 Post subject: Re: Virtual Machine
Post #20 Posted: Sat May 24, 2014 3:27 pm 
Judan

Posts: 6269
Liked others: 0
Was liked: 796
A safely configured Windows PC combined with "think before you act" prevents malware, as everybody doing so reports (me too). You say that Linux or Mac would be more secure per se; you need to provide reasons for that. (I know that there is less malware for them, but this is not a sign of security of the operating systems. Tomorrow it could change.)

Let me guess: you mean something else. That out-of-the-box Linux or Mac would be safer than out-of-the-box Windows. Maybe.
