Qubes VM compromised?


johny...@sigaint.org

Aug 23, 2016, 6:02:04 PM
to qubes...@googlegroups.com
Wow, what a weird day.

A rather bizarre story, which is possibly a good example as to how Qubes
can help protect you from hacking, or at least spot the effects of it.

I use a sigaint address, because of a psycho ex and her corrupt cop buddies.

Anyhow, I created another sigaint address today, to keep identities
split/anonymous as much as possible, to share with a (supposed :P) friend.

It said it was successfully created, and I logged in to test it. It was
fine.

Went out for a couple of hours (including giving my buddy, ironically also
a police officer, the email address).

When I returned home, I tried logging in again, but from a different VM.
Failed repeatedly. I figured I must have messed up the password. No luck
trying other possibilities.

Eventually, I tried creating the same email address again, and it worked!
WTF?

So I tried logging into the sigaint account for *this* address, that I use
with qubes-users. It also failed repeatedly, until I attempted creating a
new account. That worked!

Went to the other VM, and the other old account was there. Two different
views of sigaint, with different accounts with the same name, from two
different VMs!!!

From the VM that let me (re)create the two accounts, I attempted to email
sigaint's support to ask if they were having problems, and that email
repeatedly failed. So if there is a shadow sigaint on a hacked VM, I'm
suspecting that one.

Where I was on testing, in case there's a dom0 vulnerability, I've
retreated to another OS for now, and I sent the info to sigaint support
with no problem, and this sigaint account and the other one I created seem
to be as expected.

It's entirely possible that sigaint is having server issues, and different
routes through tor hit different load-sharing servers, and it's all
innocent. But dayum, it seemed odd.

One was a Qubes-Whonix VM, and one was a "torbrowser-launcher" package
from Debian-8 (and qubes 3.2-testing).

The latter (Debian-8/torbrowser-launcher) had JavaScript enabled on some
possibly dodgy sites, which is why it was in its own VM. That separation
may have paid off on not getting my whole system pwned (yet again).

Creating the new sigaint account from that VM was sloppy, but might have
revealed a hack. (Again, if it's not an innocent glitch.)

I'll report back when I hear from sigaint (if I'm talking to the real one!
:) ), in case they just had some temporary service issues or something.
But all signs point to a VM compromise from what I've seen.

Will do a bit of amateur forensics from a safe offline OS tonight to see
if I can spot any weirdness in either of the VM's.

If it was actually compromise of the
Debian-8/3.2-testing/torbrowser-launcher VM, that would mean there's
possibly a 0-day vulnerability in there somewhere (or a boot sector virus,
or a compromised BIOS, or . . . :P). I don't think intercepting an
.onion address in the network is possible these days.

If it is a real compromise, it is confirmation that Qubes VM separation is
one of the few hopes for sanity on this crooked thing we call the
Internet.

I think I'll go work in another industry. This one isn't fun any more.

JJ

Chris Laprise

Aug 23, 2016, 6:25:58 PM
to johny...@sigaint.org, qubes...@googlegroups.com
On 08/23/2016 06:01 PM, johny...@sigaint.org wrote:
> Wow, what a weird day.
>
> A rather bizarre story, which is possibly a good example as to how Qubes
> can help protect you from hacking, or at least spot the effects of it.

What threat model does this fit? If a skilled attacker tricks you into
thinking you created an account at sigaint, but you later cannot use
it... what is the advantage of that? The possible gain seems to be
little or nothing.

It sounds like the sigaint server has bugs triggered by some variable,
such as tor/IP origin, lack of javascript, or signing in with a new
cookie right after you created the account (also with a new/different
cookie), etc.

One thing that seems missing from your description is whether you stuck
to https for security... Tor exit nodes are really frightful.

Chris

johny...@sigaint.org

Aug 23, 2016, 6:46:23 PM
to Chris Laprise, johny...@sigaint.org, qubes...@googlegroups.com
> On 08/23/2016 06:01 PM, johny...@sigaint.org wrote:
>> Wow, what a weird day.
>>
>> A rather bizarre story, which is possibly a good example as to how Qubes
>> can help protect you from hacking, or at least spot the effects of it.
>
> What threat model does this fit? If a skilled attacker tricks you into
> thinking you created an account at sigaint, but you later cannot use
> it... what is the advantage of that? The possible gain seems to be
> little or nothing.

Good question, and it certainly crossed the back of my mind.

But one of the things I did was naturally try passwords from some of my other
accounts, in case I had used one of them by mistake. They could have
harvested those. (All changed now, just in case.)

Also, since it's a new account, I could have just assumed it failed, and
been happy with the newly created (spoofed) account, and happily continued
my super-secret-mission-critical-world-changing communications ("hey bud,
ya up for a beer?") on the compromised account.

Alternatively, some actor could be trying to get me to use a fake
sigaint, but with the multiple routes of access (and multiple VM's), the
system (obviously not built for me individually) slipped up.

Or it could be a glitch on one of several load-balanced servers.

> It sounds like the sigaint server has bugs triggered by some variable,
> such as tor/IP origin, lack of javascript, or signing in with a new
> cookie right after you created the account (also with a new/different
> cookie), etc.

Don't think sigaint uses JS at all, which is part of the appeal. But I
agree with your comments, it could be an innocent screwup, and if I hear
back from their support as to such, I'll update the list.

But this stuff does happen. I've experienced way more definitive things
along the lines of fake sites/email/fb. So this at least raised an
eyebrow for me.

> One thing that seems missing from your description is whether you stuck
> to https for security... Tor exit nodes are really frightful.

https doesn't add anything to onion addresses; they don't go through exit
nodes, they're entirely within the tor network, and (hopefully) strongly
encrypted at each step.

But if it weren't an onion address, it'd be a good question.

I still can't believe the things that I have to download via http, like
Debian ISO's, many utilities. And Debian publishes the hashes on the same
http/ftp server. So what!?!?

But with some digging, one can find sigs/hashes on https sites, for what
that's worth, given the hundreds of CA's and gov'ts out there with ability
to spoof certificates.

I'd probably trust an http:// onion address more than an https:// public
net address.

But if the local system (or VM in the case of Qubes) is compromised,
neither particularly matters.

Some discussion here:

https://blog.torproject.org/blog/facebook-hidden-services-and-https-certs

> In favor: we, the Internet security community, have taught people
> that https is necessary and http is scary. So it makes sense that
> users want to see the string "https" in front of them.
>
> Against: Tor's .onion handshake basically gives you all of that for
> free, so by encouraging people to pay Digicert we're reinforcing
> the CA business model when maybe we should be continuing to
> demonstrate an alternative.

Trust me, I'd prefer this to be an innocent glitch, and I'm probably about
60% expecting it to be so. But I've been the subject of some pretty
amazing hacking in the past (I suspect mis-used police/military tech), so I
wouldn't be surprised.

Cheers.

JJ

johny...@sigaint.org

Aug 23, 2016, 6:52:28 PM
to qubes...@googlegroups.com
>> On 08/23/2016 06:01 PM, johny...@sigaint.org wrote:
>>> Wow, what a weird day.
>>>
>>> A rather bizarre story, which is possibly a good example as to how Qubes
>>> can help protect you from hacking, or at least spot the effects of it.
>>
>> What threat model does this fit? If a skilled attacker tricks you into
>> thinking you created an account at sigaint, but you later cannot use
>> it... what is the advantage of that? The possible gain seems to be
>> little or nothing.

Oh, I should add, that on the dodgy VM, I tried accessing a few different
onion addresses, and they all failed. But cleartext http sites worked
fine.

Once again, maybe just a technical glitch, but combined with the other
weirdness, one has to wonder, and follow up a bit.

It reminded me of a while back, when I downloaded from (presumably) the
Apple store, a Tor browser/Onion browser. In viewing the actual traffic
on the network coming from the iphone, the first few pages it loaded went
over tor, then the rest went cleartext over the Internet. Innocent
screwup, or malware?

After a while, one would be a bit stupid not to wonder a bit.

I hope you never have to deal with it. :)

Cheers.

JJ

johny...@sigaint.org

Aug 24, 2016, 3:54:13 PM
to qubes...@googlegroups.com
> When I returned home, I tried logging in again, but from a different VM.
> Failed repeatedly. I figured I must have messed up the password. No luck
> trying other possibilities.

Update: a signed message from SIGAINT indicating it was a system problem:


Hello all,

Due to excessive signups over the last few days our authentication server
cluster suffered a cascading crash.

We have restored all encrypted credentials from a backup. Everything should
be working normally now. If you are still unable to access your account,
please email support.

We are sorry for any inconvenience this may have caused everyone and our
technicians are looking into a more robust authentication system to handle
future growth.

Thanks,
SIGAINT

Seems legit. :)

Had another bit of oddness today (under Qubes, Firefox in debian-8, no
Tor, since commerce sites get grumpy about weird locations):

Logged into PayPal for first time in months. It says there has been
attempted access from an unexpected device or something, and forces me to
change my password. I make sure the lock is showing for HTTPS, and it is,
so I proceed.

After doing so, I am unable to log in. Tried making a purchase with the
new password, and it also failed.

I just did another password reset via email, but I'm currently locked out
for previously trying too many times. Will have to wait it out, and
verify my new password is working and there was no unexpected activity.
(The bank account it's hooked to shows no activity.)

One possibility: I did a copy/paste from Keepassx in a
non-network-connected AppVM. It's possible I was sloppy with the
copy/paste or there were characters dropped somehow...? Haven't seen that
before, but I suppose it's a possibility.

I've also asked PayPal support if the forced-password-reset was a
legitimate thing in their records, and there wasn't some spoofing going
on. It probably was legit, but in the off chance it wasn't, I might take
a break from Qubes for a bit :)

JJ

johny...@sigaint.org

Aug 24, 2016, 9:36:31 PM
to qubes...@googlegroups.com
>> When I returned home, I tried logging in again, but from a different VM.
>> Failed repeatedly. I figured I must have messed up the password. No luck
>> trying other possibilities.

I'm still a bit suspicious that one of my VM's has been compromised. I
still saw password problems after restarting the VM's, too, so if there is
a compromise, it is likely in the template.

After waiting for the PayPal "too many tries" timeout period, from another
OS, I tried to log into PayPal. It still failed. I did another email
password change request, and was able to do so successfully, then finally
log into my account. (No activity, whew.)

However, when setting the new password, I once again generated a random 30
character password. This time, PayPal told me there was a 25 (I think it
was) character limit on the password.

Earlier today, when inside a Qubes VM, the forced password reset (due to
"suspicious activity") accepted a 30 character password without complaint.

Maybe sloppy programming on PayPal's part, but for such a key function,
it's highly doubtful.

At the time of the forced password reset in the Qubes VM, I remember
verifying that the URL was a PayPal URL, and that the SSL lock was
present.

I'm not sure how to proceed. I'm probably over-reacting, but at the
moment I'm a bit too nervous to go back to Qubes.

Where the VM's involved were debian-8 and Whonix (also debian based),
maybe I'll back away from using those (and TorBrowser, which was involved
in each instance), stick to the Fedora templates for now, and give it
another shot.

(Also, while I realize one of the biggest threats to TorBrowser is people
not updating it regularly, I really don't like that it does an update
check every launch. Too much phoning home for my tastes.)

I prefer Debian over Redhat, and I like Whonix, but I think I'll try
reducing the attack surface from 5 players/repos
(Fedora/Qubes/Debian/Whonix/TorBrowser) to 2 (Fedora/Qubes) and see how
that works out for me.

I'll update the list if/when PayPal gets back to me on what they saw from
their end.

Insecurely yours,

JJ

Desobediente Civil

Aug 24, 2016, 9:55:11 PM
to qubes...@googlegroups.com
My guess is that Paypal is giving you a hard time just because of the
tor exits you use to interact with their website.

So it seems to me all that you are saying is really related to using tor
via sys-whonix or manually through the traditional means.

The sigaint episode is easily explained through the e-mail you provided.

But yes, the Paranoia is our shepherd and nothing shall lack. Paranoia
is what justifies the development of an operational system of this
nature, it shall never die.

johny...@sigaint.org

Aug 25, 2016, 12:55:01 AM
to qubes...@googlegroups.com
> My guess is that Paypal is giving you a hard time just because of the
> tor exits you use to interact with their website.

Could be. At first I didn't see how/why, but I guess refusing a legit
password from what they judge as a dodgy IP address is a possibility.

(Although accepting the password change on a Tor exit, and then refusing
that on a non-Tor https: connection was rather weird. Would they silently
fail a password change? Oh well, I won't stress over it, but will keep a
close eye on things, for sure. Ever vigilant...)

> So it seems to me all that you are saying is really related to
> using tor via sys-whonix or manually through the traditional means.

Yes. I guess it really isn't necessarily anything to do with Qubes,
unless there is some dom0 compromise somewhere. That's probably pretty
unlikely, and I've only seen weirdness in Tor-based VM's, so I won't give
up on Qubes.

I've been using Tails for a while, and never had strangeness like this; but
the new factors aren't necessarily Qubes, but the TorBrowser bundle (not
the Tails-reviewed/tested one) and Whonix.

Worst case, I could (and have successfully) just run Tails inside Qubes,
and it should be no worse (safer, actually) than Tails standalone, for
banking or email. (I was reading that the IOMMU protection prevents DMA
attacks, which is sweet.)

> The sigaint episode is easily explained through the e-mail you provided.

Certainly.

> But yes, the Paranoia is our shepherd and nothing shall lack.
> Paranoia is what justifies the development of an operational system
> of this nature, it shall never die.

Beautiful. I think I'll put that on a plaque for my wall.

Respect for paranoia, awesome. I guess a mailing list for a
security-focused operating system is a bit more sympathetic to my concerns
than the general public. Feels like home, man. :)

If I tell family and friends about the sad state of computer/network
security these days, the hacks I've seen, and the Snowden stuff, they
think I'm bonkers.

Now why I didn't receive your response (posted a few hours ago) via email
but only see it on the Google Group's page... I'll just assume SIGAINT
is still dealing with some capacity issues. :)

(I wonder if their surge in signups is possibly a denial of service.
They've been targeted with at least one significant exit-node attack in
the past.
https://lists.torproject.org/pipermail/tor-talk/2015-April/037549.html )

Thanks for your reply.

JJ

Desobediente Civil

Aug 25, 2016, 12:12:27 PM
to qubes...@googlegroups.com
On 08/23/2016 07:25 PM, Chris Laprise wrote:
> What threat model does this fit? If a skilled attacker tricks you into
> thinking you created an account at sigaint, but you later cannot use
> it... what is the advantage of that? The possible gain seems to be
> little or nothing.

Well, (s)he has changed all their passwords. Tricking someone into
changing all passwords has been done before.

Desobediente Civil

Aug 25, 2016, 12:25:42 PM
to qubes...@googlegroups.com
On 08/25/2016 01:54 AM, johny...@sigaint.org wrote
> (Although accepting the password change on a Tor exit, and then refusing
> that on a non-Tor https: connection was rather weird. Would they silently
> fail a password change? Oh well, I won't stress over it, but will keep a
> close eye on things, for sure. Ever vigilant...)

Not weird at all, could be just the lag between the red flag raising for
a given account (yours) and someone manually deciding to block your
account "for security reasons" - read that as: "we crap our pants when
we see tor, and we would rather block your legitimate attempt to log in
than risk accepting a real-world account hijacking".


> Worst case, I could (and have successfully) just run Tails inside Qubes,
> and it should be no worse (safer, actually) than Tails standalone, for
> banking or email. (I was reading that the IOMMU protection prevents DMA
> attacks, which is sweet.)

I am too paranoid for using tails other than the recommended method (two
usb drives updating each other - I have two pairs of three).

I just use Whonix within Qubes and I like it. I'm glad it comes out of
the box since 3.1

Also, I would never use tor for banking, unless the banking wouldn't
involve my real world name - understand that one how you want.


johny...@sigaint.org

Aug 25, 2016, 3:34:01 PM
to Desobediente Civil, qubes...@googlegroups.com
> I am too paranoid for using tails other than the recommended method (two
> usb drives updating each other - I have two pairs of three).

Not aware of the two drive method. Is that just updating to the next
version from the previous version, onto another USB drive?

While it's a bit slower, I prefer booting from DVD, a read-only medium.
(A bit of a pain to update, having to boot to a USB stick to write the
newer version, but it has to be done infrequently.) There's peace of mind
in a true read-only medium, that you keep with you.

> I just use Whonix within Qubes and I like it. I'm glad it comes out of
> the box since 3.1

I've retreated to only using Fedora. Setting up Tor and Firefox (with
noscript, ssl observatory, adblocker) to use it as a proxy is essentially
the same effect as Whonix (or tbb). Even if tor/firefox are on the same
vm rather than separated, you're behind sys-net and sys-firewall, so your
real world address isn't going to leak. Another two VM's on top of that
(whonix-gw and whonix-ws) is a bit of overkill IMO, and a memory pig.

(I've wondered if it might be more natural to have tor running in
sys-firewall; it is kind of a fire-wall-ish thing. But having the
firewall separate is a nice additional barrier in case of compromise.)

> Also, I would never use tor for banking, unless the banking wouldn't
> involve my real world name - understand that one how you want.

Yeah, exit nodes are too scary. Okay for reducing cyberstalkers, but
for financial transactions, it seems a bit risky unless you've got a solid
HTTPS connection (and trust the govt and crooks not to abuse CA's; I guess
that's not something seen in the wild much. For a high value target,
maybe; for someone being harassed by an ex, less likely.)

JJ

johny...@sigaint.org

Aug 25, 2016, 3:41:34 PM
to Desobediente Civil, qubes...@googlegroups.com
Indeed. Psychological harassment can often be the goal, not necessarily
theft of credentials. (There's nothing left to take, in my case, lol.)

And when I said I had a psycho ex, I truly meant that she has truly shown
all the signs of being a textbook psychopath or sociopath, and invested
heavily in having me harassed online. (I don't think she's a genius
hacker herself, lol.)

When you're dealing with a psycho/socio-path, logic and rationality
don't always factor into things, which can be hard to get your head
around at times. Sheer destruction can be the goal (in her case, a stated
goal).

That being said, I can believe that the recent password weirdness was
probably PayPal anti-fraud mechanisms being careful (or confused) with
Tor. (I'd say it could also be someone trying to grab all credentials
from a dodgy exit node, but the fact I saw the SSL lock/certificate and
the real PayPal URL makes me doubtful, unless the browser was compromised
and lying.)

Part of the leverage of psychological harassment is that you start seeing
unrelated screwups as part of the harassment. It's good to be careful to
try and separate the two. Not always easy.

Cheers. :)

JJ

3n7r...@gmail.com

Aug 26, 2016, 12:49:38 AM
to qubes-users, aindate...@gmail.com, johny...@sigaint.org
On Thursday, August 25, 2016 at 7:34:01 PM UTC, johny...@sigaint.org wrote:
> Setting up Tor and Firefox (with
> noscript, ssl observatory, adblocker) to use it as a proxy is essentially
> the same effect as Whonix (or tbb). Even if tor/firefox are on the same
> vm rather than separated, you're behind sys-net and sys-firewall, so your
> real world address isn't going to leak.

This is incorrect. The primary motivation for separating the Tor Gateway from the User VM is to prevent a bypass of the Tor proxy. This is one of the main advantages of Whonix / TorVM over Tails. If a packet reaches your destination without having been routed through Tor, it will be stamped with your actual public IP as its source, regardless of how many NATs / firewalls might be involved.

There are real world examples of both malicious and non-malicious cases of Tor circumvention. An example of the former includes the FBI's TBB-targeted NIT, called Magneto. In terms of the latter, inadvertent leaks happen when programs don't respect proxy rules, as has happened with Flash, Skype, Torrents, WebRTC, etc.

Whether using an "isolating proxy" (multiple machines) or not, using a white-listing proxy like Corridor can help ensure all of your traffic passes through Tor (Entry Guard, at least).

Jeremy Rand

Aug 26, 2016, 6:10:47 PM
to qubes...@googlegroups.com
johny...@sigaint.org:
>
>> I just use Whonix within Qubes and I like it. I'm glad it comes out of
>> the box since 3.1
>
> I've retreated to only using Fedora. Setting up Tor and Firefox (with
> noscript, ssl observatory, adblocker) to use it as a proxy is essentially
> the same effect as Whonix (or tbb). Even if tor/firefox are on the same
> vm rather than separated, you're behind sys-net and sys-firewall, so your
> real world address isn't going to leak. Another two VM's on top of that
> (whonix-gw and whonix-ws) is a bit of overkill IMO, and a memory pig.

Running Tor in the same VM as the browser won't keep your public IP from
leaking to the same extent as using Whonix. For example, if Firefox
gets pwned, it can simply generate a request to whatismyip.com without
going through Tor, and then send the result to whoever it likes.

(Unless I'm misunderstanding what you're doing.)

Cheers,
-Jeremy Rand
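The leak the two posts above describe (a process other than Tor reaching the network, or Tor itself talking to something that is not a relay) is exactly what a Tor gateway's packet filter exists to stop. As an added example, not code from Whonix, Corridor or Qubes, the Python below shows that decision logic, combining two real designs: Whonix's gateway firewall lets only the tor daemon's uid open outbound connections, and Corridor lets traffic reach only relays known from the consensus. The log format, relay addresses, uid and sample records are all constructed for illustration; a real gateway enforces this in the firewall, and this is the audit you would run over its connection logs to confirm nothing slipped past.

```python
"""Detect traffic that bypasses Tor on a gateway, in the spirit of the
uid-based firewall Whonix uses and the relay allowlist Corridor uses.
Added example for this thread, not code from Whonix, Corridor or Qubes;
the log format, relay addresses and UIDs below are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed allowlist of relay address/ORPort pairs. A real deployment
# derives this from the live Tor consensus and refreshes it as it changes.
ALLOWED_RELAYS = {
    ("198.51.100.7", 9001),
    ("203.0.113.40", 443),
    ("192.0.2.88", 9001),
}

# UID of the tor daemon on the gateway (constructed value). It should be
# the only process permitted to open outbound sockets at all.
TOR_UID = 110

# Constructed netfilter-style records of outbound connections seen on the
# gateway. Records 3 to 6 are the kinds of leak the thread warns about.
SAMPLE_LOG = """\
OUT UID=110 SRC=10.137.0.20 DST=198.51.100.7 PROTO=TCP DPT=9001
OUT UID=110 SRC=10.137.0.20 DST=203.0.113.40 PROTO=TCP DPT=443
OUT UID=1000 SRC=10.137.0.20 DST=203.0.113.99 PROTO=TCP DPT=80
OUT UID=110 SRC=10.137.0.20 DST=192.0.2.88 PROTO=UDP DPT=9001
OUT UID=0 SRC=10.137.0.20 DST=192.0.2.53 PROTO=UDP DPT=53
OUT UID=110 SRC=10.137.0.20 DST=198.51.100.9 PROTO=TCP DPT=9001
"""

LINE_RE = re.compile(
    r"UID=(?P<uid>\d+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)


@dataclass(frozen=True)
class Leak:
    line: str
    reason: str


def classify(line: str, tor_uid: int = TOR_UID,
             allowed=ALLOWED_RELAYS) -> Optional[Leak]:
    """Return a Leak saying why this connection must not leave the gateway,
    or None when it is the tor daemon talking to a known relay over TCP."""
    m = LINE_RE.search(line)
    if not m:
        return Leak(line, "unparseable record")
    uid, dst = int(m["uid"]), m["dst"]
    proto, dpt = m["proto"], int(m["dpt"])
    try:
        ipaddress.ip_address(dst)
    except ValueError:
        return Leak(line, f"malformed destination {dst!r}")
    if uid != tor_uid:
        # Whonix-style rule: nothing but the tor daemon may reach the network.
        return Leak(line, f"non-tor process (uid={uid}) opened a socket")
    if proto != "TCP":
        # Tor carries everything over TCP; UDP from its uid is still a leak.
        return Leak(line, f"tor only speaks TCP, saw {proto}")
    if (dst, dpt) not in allowed:
        # Corridor-style rule: even tor may only talk to known relays.
        return Leak(line, f"destination {dst}:{dpt} is not a known relay")
    return None


def find_leaks(log: str, **kwargs) -> List[Leak]:
    """Run classify over every non-empty record and keep the leaks."""
    leaks = []
    for record in log.splitlines():
        if record.strip():
            leak = classify(record, **kwargs)
            if leak is not None:
                leaks.append(leak)
    return leaks


if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_LOG):
        print(f"LEAK: {leak.reason}\n      {leak.line}")
```

Running it on the constructed log flags four of the six records: the uid-1000 browser connection and the uid-0 DNS query (a compromised browser's direct request, as Jeremy describes), the UDP packet from tor's own uid, and the TCP connection to an address that is not in the relay set. Only the two connections from the tor uid to known relays pass, which is the whole point of the isolating-proxy design: the decision never depends on the application behaving.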


Andrew David Wong

Aug 26, 2016, 11:00:13 PM
to 3n7r...@gmail.com, qubes-users, aindate...@gmail.com, johny...@sigaint.org

That's right. Also, using Firefox with those extensions is *not* the same as
using Tor Browser:

https://www.torproject.org/projects/torbrowser/design/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

Achim Patzner

Aug 27, 2016, 10:23:04 AM
to qubes...@googlegroups.com
On 25.08.2016 at 21:33, johny...@sigaint.org wrote:

> While it's a bit slower, I prefer booting from DVD, a read-only medium.

There are verifiably hardware-controlled (physical switch) unwritable
USB storage devices. A bit expensive but you can get one.


Achim

johny...@sigaint.org

Aug 27, 2016, 10:29:56 AM
to Achim Patzner, qubes...@googlegroups.com
I might look into that, it would be a lot more convenient (and faster)
than DVD.

In case anyone's not aware, the slider on "secure" digital media cards is
just an advisory for the software to not write to the SD card, and not
enforced by hardware, so very easy for malware to bypass.

JJ

johny...@sigaint.org

Aug 27, 2016, 10:49:52 AM
to qubes...@googlegroups.com
>> Whether using an "isolating proxy" (multiple machines) or not, using a
>> white-listing proxy like Corridor can help ensure all of your traffic
>> passes through Tor (Entry Guard, at least).
>>
>
> That's right. Also, using Firefox with those extensions is *not* the same
> as using Tor Browser:

Understood. I do take a few more precautions (with iptables, bridges,
etc.) but Torbrowser certainly does take care of a lot of important things
for you.

> https://www.torproject.org/projects/torbrowser/design/

Wow, that's a great resource, thanks!

I think I still prefer to "roll my own" versus using TBB. (And that link
is great for tips on doing that.)

There are four (probably reasonable and legitimate) things about TBB (and
tails) that are red flags to my overly-paranoid mind:

1) Not a problem in Tails (being a bit "read-only"), but the normal
Torbrowser Bundle is very stubborn about doing an update check every time
it starts. I understand the reasoning behind it, keeping up with 0days as
they're discovered, and at least one exploit in the past would have been
avoided by anybody who stayed updated.

Sure, notify me, but forcing that "phone home" on every start is a bit too
much like MS-style tracking to me.

I could be wrong (I often am), but even turning off the update check in
settings didn't seem to work for me. Although I might have screwed up
somehow or it might have been an artifact of non-persistence in an AppVM.
Having that update check/download on by default, I don't like.

Finding the actual tor browser binary to launch is a major pain. It
almost seems intentionally hidden. :)

2) JavaScript on by default. I understand the convenience for the general
public, but TBB isn't really for the general public but the
security-conscious. And the security-conscious shouldn't turn on JS
unless necessary. (And with Qubes, one can keep their JS-dependent sites
to a separate VM, whoohoo!)

In Tails, having JS on plus automatically loading Tails home page (which
could be subverted by someone with CA ability) is a bit of a risk, IMO.
To avoid having a JS-enabled load of the Tails home page, you have to
start it without networking, disable things, then enable networking.
Blah.

3) Default search engine set to Disconnect.me. And disconnect.me seems to
do nothing but redirect your search to duckduckgo. Why are they even in
the loop then? Supposedly they financially support the tor project. So a
company founded by a former NSA person paid money to be able to capture
all the searches that are eventually done by DDG in TBB/Tails. Okaaaay...

Whenever I do launch Torbrowser, the first two things I do are disable
global javascript and change the default search provider.

4) It's not really fair to include this one, as I have nothing to back it
up with, but I remember something in the past that made me a bit uneasy
about Torbutton. I'll follow up if I can remember/find my concern.

Interested in hearing others' opinions on those points.

Cheers.

JJ

3n7r...@gmail.com

Aug 27, 2016, 2:17:09 PM
to qubes-users, johny...@sigaint.org
Those are fair points. In fact, I deal with those complaints every time I install a new Tor Browser.

1. Automated updates: I set it to notify only - just because I don't want to be interrupted / surprised - not because I don't trust TPO or the update process. If you're worried about eavesdropping or metadata scavenging, this is not the same as MS phoning home because you can check the source and build it yourself.

2. Javascript on by default. I turn it off or set security to 'high'.

3. Disconnect.me default search. I change it to something else.

4. Not sure if this is your concern but TorButton works through Tor's Control Port. There exists a Tor control command called GETINFO that will retrieve the real public IP of your Tor client. In Whonix, these commands are filtered by the Control Port Filter Proxy. The control port can optionally be disabled entirely. This approach is much safer than using the Tor Browser Bundle on its own. I don't know how Tails addresses this.

As to your inclination to "roll your own" privacy browser, there are 2 things you might want to consider:

1. In general, security software (and anything involving cryptography) is best tackled as a community. No matter how brilliant you might be, one error is all it takes to render the whole solution dangerous. More eyes the better.

2. Unless you replicate Tor Browser *exactly* (why roll your own if you're going to do that?), you will likely have a fantastically unique fingerprint that will identify you anywhere you go on the Internet, regardless of however many anonymous proxies you sit behind. Browser fingerprints cannot be eliminated completely. Instead of trying to hide, Tor Browser sets a public fingerprint that all users can share. As in #1, having a vigilant community helps identify new fingerprinting vectors asap.

[you might generate more interest on these topics on tor-users mailing list.]
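The control-port filtering mentioned in point 4 above, as an added example that is not Whonix's Control Port Filter Proxy code: a Python allowlist that sits between a browser helper (Torbutton, for instance) and Tor's control port, forwards only the commands and arguments the helper needs, and refuses anything else before it reaches Tor, above all `GETINFO address`, which returns the client's public IP. The allowlist, the sample session and the wording of the refusals are constructed; the numeric replies stay in Tor's 5xx error class, and `510 Unrecognized command` is the reply Tor itself gives for an unknown command.

```python
"""Allowlist filter for Tor control-port commands, in the spirit of the
control port filter proxy Whonix places between Tor Browser and Tor.
Added example for this thread, not Whonix's code; the allowlist and the
sample session are constructed, and the refusal texts are ours."""
from typing import Dict, List, Optional, Set, Tuple

# Keyword -> set of permitted arguments. None means any arguments are fine
# for that keyword. Anything absent here (SETCONF, LOADCONF, and above all
# GETINFO address, which reveals the client's public IP) is refused before
# it ever reaches Tor's real control port. Constructed allowlist.
ALLOWED: Dict[str, Optional[Set[str]]] = {
    "PROTOCOLINFO": None,
    "AUTHENTICATE": None,
    "QUIT": None,
    "SIGNAL": {"NEWNYM"},
    "GETINFO": {
        "net/listeners/socks",
        "status/bootstrap-phase",
        "status/circuit-established",
    },
}


def filter_command(raw: str) -> Tuple[bool, str]:
    """Decide whether one command line may be forwarded to Tor.

    Returns (forward, text): when forward is True, text is the line to pass
    on unchanged; when False, text is the error reply sent back to the
    client instead, so the client never learns what the real port would say."""
    line = raw.rstrip("\r\n")
    parts = line.split()
    if not parts:
        return False, "510 Unrecognized command"
    keyword, args = parts[0].upper(), parts[1:]
    if keyword not in ALLOWED:
        return False, f'510 Unrecognized command "{parts[0]}"'
    permitted = ALLOWED[keyword]
    if permitted is None:
        return True, line
    if not args:
        return False, f"512 Missing argument to {keyword}"
    # GETINFO accepts several keys on one line, so every argument must be
    # allowed individually; otherwise a permitted key could carry a
    # forbidden one past the filter.
    rejected = [a for a in args if a not in permitted]
    if rejected:
        if keyword == "GETINFO":
            return False, f'552 Unrecognized key "{rejected[0]}"'
        return False, f'552 Rejected argument "{rejected[0]}" to {keyword}'
    return True, line


# Constructed session a browser helper might attempt. The third, fifth and
# sixth lines are the ones the filter exists to stop.
SAMPLE_SESSION: List[str] = [
    "AUTHENTICATE",
    "GETINFO net/listeners/socks",
    "GETINFO address",
    "SIGNAL NEWNYM",
    "SETCONF DisableNetwork=1",
    "GETINFO status/bootstrap-phase address",
]


def audit_session(commands: List[str]) -> List[Tuple[str, bool, str]]:
    """Apply the filter to each command and record (command, forwarded, text)."""
    return [(cmd, *filter_command(cmd)) for cmd in commands]


if __name__ == "__main__":
    for cmd, forwarded, text in audit_session(SAMPLE_SESSION):
        verdict = "forward" if forwarded else "refuse "
        print(f"{verdict} | {cmd!r:45} -> {text}")
```

The filter is deny-by-default: new Tor control commands, or new GETINFO keys, are refused until someone deliberately adds them, which is the property that makes the approach safer than exposing the raw control port to the browser as TBB on its own does. Disabling the control port entirely, as the post notes Whonix can also do, is the stricter option when nothing on the browser side needs it.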

Andrew David Wong

Aug 28, 2016, 1:23:21 AM
to Achim Patzner, qubes...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Yes, there are, and they're not as expensive as one might think
(assuming they really do what they claim to do). For example, there
are the Kanguru USB flash drives mentioned in this related issue (and
linked discussion thread):

https://github.com/QubesOS/qubes-issues/issues/1980

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXwnVBAAoJENtN07w5UDAwkv4QAMkcEs6hE3yjMp0qVTWA5edQ
GWnRb89XP+QEPtqud849//dsYmW0ejl/MPV8eJ4/wKECcu4sGkhDdo1Z5EehUzq2
zHU9LTrRD8FCXEemtx8jsegTxSevLxMx8enBNSecGqUZvaS0ffGLBFsqc+XR8sl9
bQ7dvVeotkeAuXfoBH0KnZ/FtvX3LI/Sf30euwGRx2MVXiWGqW44Nlz8dhHIX57H
J2zDyoROmqC2jC99swEDoM+Ofng4ebCgVRaUQhTcrMADKncysghV9tS4ATaO4egT
I8lQdHPWP4OPktAKWleSMfUvQEYuYtE8vVdQRQpNBn87gppP2C0E+TAI/pJx3Lqx
9XloGQoBYOYP4kNl3pP+138Ss7lK2BfVpieTgPhmfoQxiqf/fYkkpdNPxUTwTPdX
FnMXzFipeKFGht9zXBeQTWPMZ8deWYh1F4B8hcxnFGftYOu1OjVH5Xg9L3v4QUIl
BzBzPMDbeMk9VeQyqsteEdB8q/71YGpLNsmHk98/ss57MKSJGGJi90W/U9tD5k7l
xKn+LpOU7sH03kib+TTYJzMgGcKbRxBUkdY5J+rTxpV32FqPXdCMluP3vHDOqyKw
q3ZLNsRIyRuGKCrnTjsXSlnJAdS4QJ5y8c2edpiIgMU6i7Rg3BIvrlIBPvdKgDII
55tOWmWwy3ceDxd8jgRu
=OHJZ
-----END PGP SIGNATURE-----
