2010-11-07

before qubes there was mac vmware virtualizing windows


[at the ubuntu forum]/Setting up virtual machines

. I am so thankful this article was pointed out to us;
for 2 years I've been using
mac.vmware`fusion to run ubuntu
-- worried about rootkits --
but since recently hearing about
Joanna Rutkowska's expertise in rootkits
I wondered how her setup differed from mine .

. I was surprised she did her online shopping
on a separate machine from her banking;
but she's right, once at macmall (a secure site)
I got my credit card "validated" by a scam;
who knows what else I got?
(I think macmall uses 3rd-party advertising).

. as for linux having no 3rd-party drivers:
in security terms,
all open source is 3rd-party!
it's a lot of cooks in the kitchen;
complexity increases risk .
. did you know that most of
russia, china, the world,
are using bootleg microsoft?
when the world moves to linux,
the botnets will come for linux next !

. but by the time they do,
we will be saved by ...
# intel's VT-d, TXT, TPM,
# linux (or anything) on the
okL4 verified microvisor
# and using Joanna's system of
5 vm's for each security domain,
-- or Joanna's Qubes

5 vm's for each security level:
# red: browsing random sites, no privacy;
-- expected to get infected;
. I revert it to a known snapshot every week or so.
# yellow: semi-sensitive tasks,
. uses firefox.NoScript to only allow
scripting to a trusted few sites:
online shopping, blogging, etc.
Sure, somebody might do a
man-in-the-middle (MITM) attack against
a plaintext HTTP connection
that is whitelisted by NoScript
and inject some malicious drive-by exploit,
but then again,
Yellow machine is only semi-sensitive
and there would not be a big tragedy
if somebody stole the information from it.
[unless credit cards are used?
maybe that's for green vm?]
# green: https-only, bank's account
. it is quite important to make sure
only HTTPS is used for this machine
to mitigate potential MITM attacks;
for example, on any hotel Wi-Fi.
. don't use the host's browser as a Green machine:
[the host is a huge attack vector;
and, all the attacks are coming from online;
so, take it offline .]
# where to keep one's email client:
[with separate personal and work vm's;
both have mozilla mail;
work needs a noscript browser]
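
The red/yellow/green split above can be written down as a routing rule that decides which vm a link may open in. This is an added example, not code from the post or from Joanna's article; the hostnames are constructed placeholders and the names `route`, `GREEN_HOSTS` and `YELLOW_HOSTS` are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample policy; these hostnames are placeholders, not from the post.
GREEN_HOSTS = {"bank.example"}                    # banking: HTTPS only
YELLOW_HOSTS = {"shop.example", "blog.example"}   # the NoScript-style trusted few

def _matches(host, allowed):
    """True if host is an allowed name or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowed)

def route(url):
    """Return (vm, reason); vm is 'green', 'yellow', 'red' or 'refuse'."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ("refuse", "malformed URL")
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not host:
        return ("refuse", "not a web URL")
    if _matches(host, GREEN_HOSTS):
        # Never downgrade: plaintext to a green host is what a hotel
        # Wi-Fi MITM would tamper with, so it opens nowhere.
        if scheme != "https":
            return ("refuse", "green hosts are HTTPS-only")
        return ("green", "banking host over HTTPS")
    if _matches(host, YELLOW_HOSTS):
        return ("yellow", "whitelisted semi-sensitive site")
    # Everything else, including look-alike hosts, goes to the disposable VM.
    return ("red", "unlisted site")

if __name__ == "__main__":
    for u in ("https://bank.example/login",
              "http://bank.example/login",
              "https://bank.example@evil.example/",
              "https://bank.example.evil.example/",
              "http://shop.example/cart",
              "https://random.example/"):
        print(u, "->", route(u))
```

The two look-alike URLs land in red because the match is on the parsed hostname, not on a substring of the URL.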

other tips:
# handling updates:
[getting prompt updates for each guest vm
dramatically reduces the number of attacks .]
# clipboard:
[every guest can be logging the clipboard .]
# transfer of files between vm's and host:
[more networking is more risk .]