Password security/disposable vm security


mmm...@gmail.com

Dec 23, 2017, 7:58:46 PM
to qubes-users
So I was reading one of the guides and I came across this:

"there is absolutely no point in not allowing e.g. Thunderbird to remember the password – if it got compromised it would just steal it the next time I manually enter it"

So this was written 6 years ago but it's the latest one I think.

Can't we just create disposable thunderbirds to protect the password?
Or is disposable not true security? I mean maybe a custom thunderbird would be needed so it never used the password again/instantaneously forgets it after login >.>

Matteo

Dec 24, 2017, 4:04:39 AM
to qubes...@googlegroups.com

> "there is absolutely no point in not allowing e.g. Thunderbird to remember the password – if it got compromised it would just steal it the next time I manually enter it"

Correct!

> So this was written 6 years ago but it's the latest one I think.
>
> Can't we just create disposable thunderbirds to protect the password?
> Or is disposable not true security? I mean maybe a custom thunderbird would be needed so it never used the password again/instantaneously forgets it after login >.>

No, this is not possible. Let me try to explain:

This is going to be a looooong thing, I hope someone will read it, I was
quite inspired; Qubes is A-W-E-S-O-M-E-!-!-!

The main reason is that you want to be able to read your mails, so you
can't just drop/delete/forget every received mail on shutdown.
You also can't drop/forget/not store the password after login, because
the way any email works is: login -> check if there are new
mails -> download -> logout,
and if you keep it open like me so that it checks for new mails every 10
minutes, it can't work.
Websites with a login work in a different way:
you fill in the password and if it is correct they give you a cookie that
your browser stores and automatically gives back to the website every time
you open it.
As you can see, if you want to be logged in at a moment in time you have
to present to the remote side some kind of "secret thing" at that moment
in time. It's not that "you log in once and the remote side automagically
knows that you are logged in".
So for the whole time you use the service you must keep in memory a
secret to prove that you are logged in.

So where is the difference between Qubes and a normal OS? How does Qubes
improve the security?

Let's think about a normal Windows/Linux computer:
you have many programs and every program can control the whole PC.
Yes, there is admin vs not admin, but on Windows this means that a
non-admin process can't mess with admin processes or can't write in
c:\programs or c:\windows.
But this is useless! A virus can do all the damage it wants also running
as not admin; it can:
-delete all your files (cryptolocker)
-run at boot (persistence)
-spy on you from mic/webcam
-steal/upload all your files to the internet
-keylog everything you write
-steal saved passwords
For me this is comparable to "full control of the PC".
The problem with this model is that any single exe that you open can do
pretty much what it wants, and you can only hope/have a bit of trust that
it will not do it.
In such a security model it might be good not to store passwords, because
when you get a virus it will instantly steal all your saved passwords
(bad). While if you don't save them it will only steal the ones that you
write while the virus is present, for example the mail password because
you use it often.
So if we suppose that the antivirus deletes it after a few days you can
hope that you have used only a few passwords on the compromised PC, and
not all your passwords.
TL;DR: any program you open/have opened in the past might have
read/stolen all your mails/passwords

NOW QUBES OS:
On Qubes your PC is split into more parts; every part works the way I
said above (in fact they are normal Windows/Linux OSes) and is isolated.
The only (important) difference is that only home in Linux and c:\users
in Windows is preserved if you reboot; this is good because it limits
the places in which a virus can hide (but still there is persistence =
run at boot).

Suppose that you get a virus, downloaded from your browser. Your mail is
safe because it runs in another VM. Simple, isn't it?
Same for every other action you can do on your PC: playing games, reading
documents, ... because all these actions happen in a different VM, not
in the mail VM.
Now suppose that you get a virus exactly in the mail VM:
the first question is how can this happen?
It's not that viruses pop up automagically; most of the time it is the
user that opens them.
So how can you open a virus from the email?
You can open an attachment or a link, that's all you can do to open a
virus from email.
But on Qubes this should not be possible because you should not open
attachments and links in the mail VM, but in a disposable VM! (Here is
where the disposable thing becomes useful!!!)
You can also automate this, so you can't forget to open a link in a DispVM.
If the attachment was something bad you simply don't care: close the
DispVM and the virus is gone.
But sometimes (smaller than always!) you need to store attachments,
because they are work documents, photos, or something important.
But again mail can't be compromised because you save photos and
documents in the work VM or somewhere different.
The final question is: can the mail VM be compromised?
Yes, but since the user can't be tricked into opening something bad in the
mail VM the only thing left is a zero-day: some bug in Thunderbird such
that when it receives the bad email it is instantly compromised because
*for example* the bad guy sends 500 attachments and Thunderbird can manage
only up to 255 attachments, and this thing leads to code execution in
Thunderbird when you receive that mail and Thunderbird parses it.
But this is SUPER HARD.
Such bugs are a small amount, difficult to find, and difficult to use!
Suppose that you have found this "crash if more than 255 attachments": it's
not that 5 minutes later you can hack any PC running Thunderbird.
Getting from "it crashes" to "it does what I want" is difficult, and not
always possible.
How difficult? There are people who pay you 10000€ if you find such a thing.

So let's do a final comparison for the email:
normal OS Linux/Windows:
you open 1 bad program (virus) -> someone takes full control of your PC
you are hacked using 1 zero-day -> someone takes full control of your PC

on Qubes:
you open 1 bad program (virus) -> don't care
you are hacked using 1 zero-day -> depends: a zero-day in which program? If
Firefox, VLC media player, whatever -> don't care
if it is a zero-day against Thunderbird -> ONLY your mail is compromised

For *me* THIS IS AWESOME!!!!

A final note:
you might say "hey but the PC is not only mail! you are ignoring the rest
of the PC!!!"
Not exactly: for example think about the "work VM"; it has inside:
-documents you personally made (trusted/known good/not virus)
-documents some co-worker sent you *by mail* (see???)
So, yes, the work VM can be compromised by opening 1 bad thing, but bad
things tend to not end up here :)
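Matteo's advice to automate "open links in a DispVM" can be done with a small handler script in the mail qube; this is an added example, not code from the thread or from the Qubes project. It assumes the real Qubes tool `qvm-open-in-dvm` is on the mail qube's PATH and that the script (the name `open-in-dispvm.sh` is an assumption) is registered as that qube's default browser.

```shell
#!/bin/sh
# Added example: link handler for a mail qube on Qubes OS. When registered
# as the qube's default browser, a clicked link is never rendered in the
# mail qube; it is forwarded to a fresh DisposableVM with qvm-open-in-dvm,
# so a malicious page can only ever compromise a VM that is thrown away.
# Assumes qvm-open-in-dvm (a real Qubes tool) is on PATH; the script name
# open-in-dispvm.sh is an assumption.

# url_allowed URL: exit 0 if URL is an http(s) link free of whitespace and
# control characters, else 1. Every other scheme (file:, mailto:, ...) is
# refused rather than handed to another qube.
url_allowed() {
    case "$1" in
        http://*|https://*) ;;
        *) return 1 ;;
    esac
    stripped=$(printf '%s' "$1" | tr -d '[:space:][:cntrl:]')
    [ "$stripped" = "$1" ]
}

# open_in_dispvm URL: validate, then ask dom0 (through the qrexec policy for
# opening in a DisposableVM) to start a DispVM and open the link there.
open_in_dispvm() {
    if ! url_allowed "$1"; then
        printf 'refusing to forward non-http(s) or malformed link: %s\n' "$1" >&2
        return 1
    fi
    qvm-open-in-dvm "$1"
}

# Run only when invoked directly as the handler, not when sourced.
if [ "${0##*/}" = "open-in-dispvm.sh" ] && [ $# -eq 1 ]; then
    open_in_dispvm "$1"
fi
```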

mmm...@gmail.com

Dec 24, 2017, 5:14:21 PM
to qubes-users
Okay so I read all of that lol, and I understood it all, but what if there was an e-mail client that used the browser method? You get logged in to all your emails without retrieving anything, then switch to cookie authentication and forget the password; that way when the zero-day happens you only lose your cookie, which is probably not as powerful as the actual password (i.e. I don't think you can change your password with just the cookie), plus the zero-day can't "permanently" compromise Thunderbird because you opened it in a disposable, just only after this odd login method over and over again =p. Maybe that's overdoing it but... I don't want to change my passwords ever, so laziness commands me to want such a thing XD.

Tom Zander

Dec 25, 2017, 6:19:06 PM
to qubes...@googlegroups.com, mmm...@gmail.com

I think you may have misunderstood the idea behind the initial post you
quoted;

> "there is absolutely no point in not allowing e.g. Thunderbird to remember
> the password – if it got compromised it would just steal it the next time I
> manually enter it"

The thought behind that quote is that you have to trust your open software
running on your machine and there is no way around that. As the quote says,
feel free to let it remember your password. No point in trying to be smart.

So if you run thunderbird in a qube that has (access to) password and/or
emails, you better trust that open source software with that information.

So make sure your software is from a trusted source.

Personally, I'd avoid thunderbird and anything from mozilla, but that's just
me.
--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel

mmm...@gmail.com

Dec 25, 2017, 6:56:30 PM
to qubes-users
"The protection you want is against the evil software leaking the password.
A disposable VM would not help in this case as you enter the password, or
you let it remember your site passwords, then it would just send it out to
the evil website immediately."
Looks like the post got double posted somehow, and I'm not interested in just evil software rather good software that gets corrupted through evil input.

"So make sure your software is from a trusted source."

Right but even if it is trusted at one point it can become less trustworthy later(infection) so I wanted to keep it perfectly "fresh" by using disposables.

"Personally, I'd avoid thunderbird and anything from mozilla, but that's just
me."

Do they have a bad track record (I planned on researching my apps later =p)?

Matteo

Dec 26, 2017, 7:39:24 AM
to qubes...@googlegroups.com
>> ...switch to cookie authentication and forget the password, that way when the zero-day
>> happens you only lose your cookie which is probably not as powerful as
>> the actual password(ie I dont think you can change your password with
>> just the cookie) plus the zero day can't "permanently" compromise
>> thunderbird cause you opened it in a disposable

Yes, it probably can't change the password.
But this is useless, it's again like "admin vs not".

Steal a cookie *ONCE* and you:
-can't change the password
-CAN impersonate the user
-CAN read all mails
In other words you can do everything someone does with his mail...

And mail works in another way so...
I think that the Qubes way is much better than anything else; use it and
don't worry about some impractical scenarios.

Tom Zander

Dec 26, 2017, 9:26:04 AM
to qubes...@googlegroups.com, mmm...@gmail.com
On Tuesday, 26 December 2017 00:56:30 CET mmm...@gmail.com wrote:
> "So make sure your software is from a trusted source."
> Right but even if it is trusted at one point it can become less
> trustworthy later(infection) so I wanted to keep it perfectly "fresh" by
> using disposables.

Aha.

In Qubes you *use* AppVM based virtual machines. Those are unable to change
software because the actual software is owned by a TemplateVM.
As such this idea of keeping it fresh is already done by normal daily usage
of Qubes.

The disposable VM concept goes one step up by isolating changes to your
private data (downloaded files, config, etc).

For your goal the dispVM doesn't add anything, AppVMs already do what you
want.

> "Personally, I' d avoid thunderbird and anything from mozilla, but thats
> just me."
> Do they have a bad track record(I planned on researching my apps later
> =p).

Just last month they added an invisible plugin in their binary builds which
was programmed to not show up in the 'add-on' screen and had the ability to
alter page content.
Someone didn't actually program it well enough and the whole thing got
leaked and, after a lot of heat and a lot of bad press, they eventually
apologised.

I'm more concerned that they tried than how they failed.
It leaves a bad taste in my mouth.

Google for "looking glass" and "mozilla" if you want to know more.

mmm...@gmail.com

Dec 26, 2017, 5:20:47 PM
to qubes-users
Kk, thanks for all the information; as long as that AppVM thing is true I'm happy enough.

Leo Gaspard

Dec 26, 2017, 6:34:45 PM
to Tom Zander, qubes...@googlegroups.com, mmm...@gmail.com
On 12/26/2017 03:25 PM, 'Tom Zander' via qubes-users wrote:
>> "Personally, I'd avoid thunderbird and anything from mozilla, but that's
>> just me."
>> Do they have a bad track record(I planned on researching my apps later
>> =p).
>
> Just last month they added an invisible plugin in their binary builds which
> was programmed to not show up in the 'add-on' screen and had the ability to
> alter page content.
> Someone didn't actually program it well enough and the whole thing got
> leaked and after a lot of heat, a lot of bad press they eventually
> apologised.
>
> I'm more concerned that they tried then how they failed.
> It leaves a bad taste in my mouth.
>
> Google for "looking glass" and "mozilla" if you want to know more.

(disclaimer: I once was an intern for Mozilla, though I do not have any
bond with Mozilla right now)

tl;dr: please do google for “looking glass” and “mozilla”

Erhm. This is a *really* biased way of putting things. They did push an
(opt-out) study through the (opt-out, iirc) studies subsystem, that did
have the ability to alter page content.

That said, the add-on was not programmed to not show up in the ‘add-on’
screen (that I know of), it was just a regular opt-out shield study.

Now, the handling of this particular instance has indeed been stupid:
this study was actually no study, but a promotional event organized with
the Mr. Robot series (which explains the ability to alter page content,
though I'm obviously not saying anyone wanted it), and in addition to
this it appeared with the suspicious “My reality is different than
yours” message, which made some users think they had been infected by
some virus.

So I'm not saying this was not a particularly stupid action and that
they did not end up with woefully bad press (especially damaging given
they had just outed Firefox 57 and its long-awaited changes), but it's
nowhere near as bad as what you imply, i.e. that they would already have
willingly pushed a malicious add-on.

Tom Zander

Dec 27, 2017, 1:33:55 PM
to qubes...@googlegroups.com, Leo Gaspard, mmm...@gmail.com
On Wednesday, 27 December 2017 00:34:38 CET Leo Gaspard wrote:
> > I'm more concerned that they tried then how they failed.
> > It leaves a bad taste in my mouth.

> tl;dr: please do google for “looking glass” and “mozilla”

It's good we agree on all the technical details, and I agree intent is tricky
to guess about.

I definitely will not advise people either way, my opinion is irrelevant and
browsers are not my specialty.

The situation left a bad taste in my mouth, I had to conclude that their
priorities are not aligned with mine. Your mileage may vary.

Tai...@gmx.com

Dec 27, 2017, 1:38:13 PM
to Leo Gaspard, Tom Zander, qubes...@googlegroups.com, mmm...@gmail.com
On 12/26/2017 06:34 PM, Leo Gaspard wrote:

> (disclaimer: I once was an intern for Mozilla, though I do not have any
> bond with Mozilla right now)
>
> tl;dr: please do google for “looking glass” and “mozilla”
>
> Erhm. This is a *really* biased way of putting things. They did push an
> (opt-out) study through the (opt-out, iirc) studies subsystem, that did
> have the ability to alter page content.
>
> That said, the add-on was not programmed to not show up in the ‘add-on’
> screen (that I know of), it was just a regular opt-out shield study.

No one wanted that dumb add-on and most users aren't going to opt out -
that is why "opt out" systems are a scam; what mozilla did was
incredibly wrong and I can't believe you are sticking up for them
without even receiving a full-time wage from mozilla.

How many things does the average person need to keep track of when it
comes to opting out? did you know that if you get in to an accident and
need blood transfusions the local hospital may give you synthetic blood
that increases the chance of dying? guess you had better opt-out of that...

Leo Gaspard

Dec 27, 2017, 2:55:23 PM
to Tai...@gmx.com, Tom Zander, qubes...@googlegroups.com, mmm...@gmail.com
Once again, I'm not saying anyone wanted that add-on. But not opting out
of it caused no harm, nor was it meant to cause harm. I'd rather follow
Hanlon's razor and never attribute to malice that which is adequately
explained by stupidity, but that's only my opinion. That's basically all
I was saying.

cooloutac

Dec 27, 2017, 9:49:07 PM
to qubes-users
chrome doesn't have a good track record either.

Tom Zander

Dec 28, 2017, 6:55:46 AM
to qubes...@googlegroups.com, cooloutac
On Thursday, 28 December 2017 03:49:07 CET cooloutac wrote:
> chrome doesn't have a good track record either.

Not to be confused with the project “Chromium” which is based on the open
source version of google-Chrome.

cooloutac

Dec 28, 2017, 2:38:08 PM
to qubes-users
Even chromium has had black box issues in the past.