Virtual Machine

[RobertJasiek]

viewtopic.php?p=165535#p165535

using a virtual machine is not an incomplete "random" method, but it is what is used in most fields needing high security. Shared hosting environments, malware analysis companies, etc. You set up a virtual machine, and interact with the unknown program only within the virtual machine. No security problems, since the virtual machine hides all your system from the virtual machine.

Suggesting nothing but a VM is a random method. E.g., without other security means, a third person can access the PC, deactivate the VM, and that was that. Also VMs must be part of a greater security concept.

The VM security you describe is a dream, but is not the reality. The VM inherits the host's (typically the OS's) security environment. If the environment can be attacked, so can the VM. Therefore, VMs do not convince me. I prefer to concentrate on getting the host's environment right (and within the environment, one can define sandboxes).

[RBerenguel]

Robert, your sandbox concept is good in theory, but quite likely not good enough in practice. The best sandbox for an application is inside a virtual machine. Virtual machines can't suffer from User isolation, password security and machine security are different problems, that have other solutions (full disk encryption, user permissions, etc)

[RobertJasiek]

I wish Windows Professional would have the Windows Server's Dynamic Access Control, with which it must be easy to set one sandbox per application and its ressources. Windows 7 easily allows only one sandbox (for all internet programs, as I use it). Windows 8 has AppContainers, but one cannot use them because their documentation is still missing, AFAIK. Anyway, Integrity Level Low as the one sandbox is essentially good enough for my purposes. Finer sandboxes would be better, but the harm for interacting internet programs is small in my security concept, because I hide most data from their access. However, Low is important in my concept, so I make great efforts to run my programs accordingly.

[RBerenguel]

Well, Windows has made great strides forward, but when even OpenSSL can fail in servers, we can never be sure about where a buffer overrun can happen... And where our data is going, anyway. But I suggest you look (when you have some time) the subject of virtual machines (virtualbox is a good one at that) and its security. It would allow you to execute "somewhat untrusted apps" or do things like checking wbaduk quickly for this cases. Then re-install the machine as a clean environment when needed. Handy

[RobertJasiek]

That can also be done with Windows restore points.

[RBerenguel]

That can also be done with Windows restore points.

These can be bypassed by a good enough attack (back in XP days there were samples of it). The virtual machine approach can't, since the attacker is supposedly inside the machine and the clean copy outside.

[Bantari]

For added security I found it a good idea to have cross-OS VMs... for example - a Linux VM environment within a Windows computer. Or vice versa, or whatever. This might not work if you want to test applications, but for browsing suspect sites, works great.

With that in mind - please do NOT tell us what sites you are planning to browse.

PS>
Or better yet, if you are so concerned about security, why use Windows at all?!? Just get Linux (its free) and when you combine it with Wine or VM or something like that - you can pretty much do whatever you want while cutting any security problems by a huge margin (pretty much - entirely) at the same time.

[RobertJasiek]

Explain for Linux how software whitelisting and sandboxing by means of access rights are configured. Then we are at Windows's user mode security level. (Comparing the two kernals' securities is a task for a diploma.)

[Bantari]

Explain for Linux how software whitelisting and sandboxing by means of access rights are configured. Then we are at Windows's user mode security level. (Comparing the two kernals' securities is a task for a diploma.)

Why do you need to do that in Linux?
You need all that stuff for Windows because Windows is messed up to begin with. With a good operating system, you should be able to be OK without all that idiocy. Still, if you need to simulate it, you can always do it within a VM - which as explained to you is a better sandbox that whatever Windows provides. And there are other ways.

If you need more info, just google it.

[MJK]

Since watching live has proven to be impossible for me (the WBaduk registration procedure is too slow and I am waiting for a checksum of the installer, to start with the PC security problems I am going to try and possibly overcome), I wonder if the games will at least be published.

Above quoted from yours in another thread.

Computer security being your matter of concern, fine, but with WBaduk? Suspecting an innocent baduk client as of a security matter well at least by me is presumingly inferred as that you are quite unfamiliar with computers.

Why not use analogue recording methods to save extremely important information (like pin numbers?), and use digital methods while assuming that anyone may see what is in my hardwaredrive, e-mail, or whatever; I suggest.

[HermanHiddema]

Explain for Linux how software whitelisting and sandboxing by means of access rights are configured. Then we are at Windows's user mode security level. (Comparing the two kernals' securities is a task for a diploma.)

http://selinuxproject.org/page/Main_Page

EDIT: For example http://selinuxproject.org/page/PipelineDemo shows automation for what you do manually: vetting and processing files before moving them to a different information domain (e.g. filter and convert downloaded files before making them accessible to the user).

[Bantari]

Computer security being your matter of concern, fine, but with WBaduk?

Remember - this comes from a person who designed something like a 50-step KGS client update process which included things like full manual Windows registry cleaning. And then was so proud of that that he posted it on GD.

PS>
Robert - It really seems to me that if you are that paranoid about security, then you should just use a simple 2-computer solution. If you really really really want to shoot yourself in the foot and go the Windows route - buy a cheap laptop (you can get some really cheap these days) and use it as a "sandbox" while you only transfer safe and secure and verified and validated data/software to your primary box. Combine it with the masures you have now - and it is probably the most secure solution you can have, better than internal sandboxes, firewalls, whitelists, and whatnot. You can always restore the cheap baby laptop to factory settings if you run into issues. And make frequent backups of both systems.

Or as I say - just avoid all that by avoiding Windows.

[Bonobo]

[..] just avoid all that by avoiding Windows.

This, IMNSHO, is the essential statement.

I use a Mac. Plus, <brag> working with computers since before CP/M, and having used more operating systems than I have fingers on my hands (none amputated), </brag> I know what to click and what not. But I also believe that we’re all pwned by #NSA and the likes.

Sadly, I currently need Windows (oh, I wrote “Windows”, gotta wash my hands now) for earning my money (since Adobe killed Framemaker for Mac ), and therefore I run it in a virtual machine—putting Windows where it belongs: in a window (though I use it full-screen), and where it can’t do much harm

I taught media design/operating for almost ten years; every time I used the word “Windows”, I added “this punishment of heaven” (»diese Strafe des Himmels”) and “I must go wash my mouth now”. (There actually are three major punishments: Windows, Outlook Express, and Internet Explorer. Minor punishments are Powerpoint and Word. And the only bug-free Windows programs are Minesweeper and Solitaire. MCSE = Minesweeper Consultant, Solitaire Expert. Could go on like this for hours.)

Greetings, Tom

[Bantari]

[..] just avoid all that by avoiding Windows.

This, IMNSHO, is the essential statement.

I use a Mac. Plus, <brag> working with computers since before CP/M, and having used more operating systems than I have fingers on my hands (none amputated), </brag> I know what to click and what not. But I also believe that we’re all pwned by #NSA and the likes.

Sadly, I currently need Windows (oh, I wrote “Windows”, gotta wash my hands now) for earning my money (since Adobe killed Framemaker for Mac ), and therefore I run it in a virtual machine—putting Windows where it belongs: in a window (though I use it full-screen), and where it can’t do much harm

I taught media design/operating for almost ten years; every time I used the word “Windows”, I added “this punishment of heaven” (»diese Strafe des Himmels”) and “I must go wash my mouth now”. (There actually are three major punishments: Windows, Outlook Express, and Internet Explorer. Minor punishments are Powerpoint and Word. And the only bug-free Windows programs are Minesweeper and Solitaire. MCSE = Minesweeper Consultant, Solitaire Expert. Could go on like this for hours.)

Greetings, Tom

Yeah, OSX is my OS of choice as well. Unfortunately, its pricey, which is why I suggested Linux instead.
In either case - I really don't understand why somebody so security-obsessed as RJ would use Windows as the main OS. Or at all.

[RobertJasiek]

Herman, thank you, SElinux goes in the right direction!

Bantari, paranoid is never a good description for security. 2 PCs is a good means for sure (which I do not want to apply ATM for other reasons).

All, Windows is not insecure and Linux is not more secure than Windows, but out-of-the-box operating systems, whether Windows, Linux, Android, iOS or whatever are too insecure (for my needs anyway). All deserve careful security configuration, whether one includes VMs or other means for that purpose.