Silk Road forums
Discussion => Security => Topic started by: Isa on November 09, 2011, 04:44 pm
-
I installed Liberte Linux as a virtual machine inside a truecrypt container. Well, at least I think I did. I'm completely new to linux and internet security.
I'm currently booting off of the .iso, is that acceptable or a security concern? I put the .iso in a truecrypt container. Is that more or less secure than making the VM hard drive bootable? Should I boot from the VM hard drive? Did I even install the OS or am I basically LiveCD booting? At this point, the instructions are over my head to be honest, I need to learn more about it. What does the .vdi file do if I'm booting off of the .iso?
I don't have any persistence. I want some just to have the ability to save bookmarks, how can I accomplish this? Currently, I'm sharing a truecrypt container with the host, but I don't want to be able to access these bookmarks from the host when the VM isn't running. Is this because I'm booting off of an .iso? I did notice when Liberte starts up, it says 'skipping' persistence setup or something like that.
Is there anything inherently more secure about operating inside a VM environment?
Do I need to have Tor running on the host if it's running in the VM?
Being a novice, what tools should I learn how to use to test my security? Does Liberte have any built in tools for that? Am I decently protected using Liberte right out of the box? If I'm only using Liberte for browsing these forums and an occasional SR purchase, do I need to do anything more than keeping everything up to date?
When starting Liberte in the VM, it says 'Failed to start splash daemon'? What is that and how do I fix it?
I don't recall making a password for Liberte, for instance, for executing terminal commands. I'm signed in as anon, is that a security feature, or am I just missing something?
One last question, is the traffic sent to .onion sites encrypted? I don't see https:// only http:// in the address. Can the Tor exit nodes read this post for instance?
Thanks in advance for any answers you can provide.
-
I'm currently booting off of the .iso, is that acceptable or a security concern?
That is how live CDs work. Well, at least when you run them in virtual machines. It isn't in itself a security concern, but it does indicate that you are using a live CD instead of a custom configuration. I haven't seen any live CDs that are exceptionally secure, but if you are a noob or just need something to work with and don't have time to configure everything properly yourself, a live CD is fine.
I put the .iso in a truecrypt container. Is that more or less secure than making the VM hard drive bootable?
Well, you could put the virtual hard drive in a truecrypt container. Putting the .iso in a truecrypt container is borderline pointless considering it is a read only disc image and not illegal or necessarily indicative of illegal activity. Things that are saved in your VM shouldn't be leaving volatile memory if you are using a live CD .iso ... I think. I really should ask someone who knows for sure to confirm this though, but I am pretty sure. Of course the standard worries about SWAP space and such still apply, but you should have encrypted SWAP on the host anyway. And have FDE actually. Anyway it isn't really a black and white more or less secure question. It depends on what you are doing, in regards to if you should have a virtual machine that boots from a virtual drive or a live cd .iso. A lot goes into the answer too, if you get very detailed.
Should I boot from the VM hard drive?
Depends on your use case. For now I think it is smarter to use a persistent bootable hard drive than a live CD .iso, because if you use a live CD .iso with Tor it selects new entry guards every time you boot it. Entry guards are not supposed to change that much, and by changing that much it makes you *far* more vulnerable to an active attacker re: your anonymity. If you select three good entry guards, you are not at risk of an active timing attack linking you to the servers you visit. Tor normally selects new entry guards once a month or so, and I think even this is probably more than it should. It also probably should only use two entry guards instead of three, I think. When you use a VM and a live .iso, every time you boot it Tor selects new entry guards because as far as it is concerned it is running for the first time. Until solutions to this problem are implemented in live CD distros, I would hesitate about using them. One solution is to use a snapshot of the VM and always load the snapshot. This will let you keep persistent entry guards, but it will also open you up to a different attack after a period of time, because your Tor client will eventually need to bootstrap at the directory authorities to get consensus. Normally if you don't have breaks greater than ~24 hours between times you run Tor, it connects to a mirror of the DA servers which could be on pretty much any of the Tor relay nodes. If ~24 hours pass, it connects directly to the directory authority nodes to bootstrap. An attacker who can monitor the directory authorities can use the bootstrapping information for a variety of attacks. It is much easier to monitor all of the DA servers than it is to monitor the DA servers and all of the mirror servers. If you take a snapshot now, in 24 more hours the Tor client of the snapshot will start connecting to the directory authority servers every single time you load the snapshot.
Of course every time you load the .iso without a snapshot Tor connects to the DA's to bootstrap as well, but my point is that taking a snapshot can solve the entry guard issue but it can't prevent increasing direct bootstrapping frequency. Using a virtual hard drive with Tor doesn't have either of these issues.
Did I even install the OS or am I basically LiveCD booting?
You are Live CD booting...obviously. Do you remember installing the OS ;)?
At this point, the instructions are over my head to be honest, I need to learn more about it. What does the .vdi file do if I'm booting off of the .iso?
You don't need a .vdi file if you are booting off of the .iso, and I would even go as far as to suggest removing any .vdi if you are booting off the .iso.
Learning is fun. Spend as much time learning security as you can and teach those who know less than you so we can all continue to evolve as a network and protect ourselves from the fascists and their mercenaries.
I don't have any persistence. I want some just to have the ability to save bookmarks, how can I accomplish this?
You can use snapshots to accomplish this.
Currently, I'm sharing a truecrypt container with the host, but I don't want to be able to access these bookmarks from the host when the VM isn't running. Is this because I'm booting off of an .iso? I did notice when Liberte starts up, it says 'skipping' persistence setup or something like that.
Sharing a truecrypt container with the host? Elaborate please. If you use snapshots, or even if you decide to use a virtual hard drive, you can keep the entire virtual machine inside a truecrypt container. Then you will need to mount the container and point virtualbox at it prior to launching the VM, but it will keep it encrypted :).
Is there anything inherently more secure about operating inside a VM environment?
No, but you can use advanced VM configurations to enormously increase your security. For example, I suggest that you run Tor in one VM and every other sensitive network facing application in its own VM [i.e. a VM for Firefox, a VM for Pidgin, etc.]. You can then use host only routing and firewall rules on the host, to force all traffic from Firefox etc. to either go through Tor or be dropped. The big benefit of this is that even if your Firefox is hacked and the VM rooted, the attacker will only be able to get your internal IP address from it...the actual VM isn't even aware of your external IP address. This is a strong line of defense against application layer attacks, and if the presentations given to law enforcement at intelligence support service conference are anything to judge by we need to really start doing things like this fast if we expect to stay ahead of LE.
Do I need to have Tor running on the host if it's running in the VM?
It depends on what you want to do. Short answer is no.
Being a novice, what tools should I learn how to use to test my security? Does Liberte have any built in tools for that? Am I decently protected using Liberte right out of the box? If I'm only using Liberte for browsing these forums and an occasional SR purchase, do I need to do anything more than keeping everything up to date?
I would use amnesia tails over liberte honestly. Are you decently protected by using these live cd solutions? It depends on who you ask I guess. Compared to the majority of internet users, yes you are more secure than them if you use these live cd solutions. Compared to the majority of cyber criminals you are more secure than them as well. Are you exceptionally secure though? No. It takes more work on your part to be exceptionally secure. Are you secure enough to resist LE? So far, but times are changing fast and federal police are quickly becoming pseudo-intelligence agencies and using the same sorts of techniques to spy on the people as intelligence agencies use to spy on foreign governments. Remember, we are the enemy of the government after all ;).
When starting Liberte in the VM, it says 'Failed to start splash daemon'? What is that and how do I fix it?
Not sure.
I don't recall making a password for Liberte, for instance, for executing terminal commands. I'm signed in as anon, is that a security feature, or am I just missing something?
It's a live CD.
One last question, is the traffic sent to .onion sites encrypted? I don't see https:// only http:// in the address. Can the Tor exit nodes read this post for instance?
Tor hidden service connections are end to end encrypted [between client and server, not client to client].
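A way to check the entry guard point made in the reply above (an added example, not code from the thread, from Liberte or from the Tor project): compare the guard fingerprints Tor wrote to its state file on two successive boots. The file lives in Tor's DataDirectory (assumed `/var/lib/tor/state`); the two state files here are constructed with placeholder fingerprints, and a non-persistent live boot would start with no state file at all.

```shell
# Added example, not from the thread: compare the entry guards Tor recorded in
# its state file (DataDirectory/state, e.g. /var/lib/tor/state) across two boots.
# A persistent Tor keeps the same guards; a fresh live-CD boot has no state
# file at all and picks new ones. The sample files below are constructed.
set -eu

# Print the guard fingerprints found in a Tor state file, one per line.
# Handles the older "EntryGuard <nick> <fingerprint> ..." lines and the
# newer "Guard in=... rsa_id=<fingerprint> ..." lines.
guard_fps() {
    awk '
        $1 == "EntryGuard" { print toupper($3) }
        $1 == "Guard" {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^rsa_id=/) { sub(/^rsa_id=/, "", $i); print toupper($i) }
        }
    ' "$1" | sort -u
}

# Number of guards in the newer state file ($2) that were not in the older
# one ($1). With persistent guards this should normally be 0 between boots.
guard_churn() {
    old=$(guard_fps "$1" | tr '\n' ' ')
    n=0
    for fp in $(guard_fps "$2"); do
        case " $old " in
            *" $fp "*) ;;            # guard kept from the previous boot
            *) n=$((n + 1)) ;;       # guard newly selected on this boot
        esac
    done
    echo "$n"
}

# Constructed sample state files standing in for two boots (fingerprints are
# placeholders, not real relays). boot2 uses the newer "Guard" line format.
STATE_DIR=$(mktemp -d)
cat > "$STATE_DIR/boot1" <<'EOF'
TorVersion Tor 0.2.2.34
EntryGuard guardA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA DirCache
EntryGuardAddedBy AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0.2.2.34 2011-11-01 10:00:00
EntryGuard guardB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB DirCache
EntryGuard guardC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC DirCache
EOF
cat > "$STATE_DIR/boot2" <<'EOF'
TorVersion Tor 0.4.8.10
Guard in=default rsa_id=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA nickname=guardA listed=1
Guard in=default rsa_id=DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD nickname=guardD listed=1
Guard in=default rsa_id=EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE nickname=guardE listed=1
EOF

echo "guards replaced between boot1 and boot2: $(guard_churn "$STATE_DIR/boot1" "$STATE_DIR/boot2")"
```

On a real system, copy the state file after each boot and run `guard_churn` on the two copies; a count near the full guard set on every boot is the live-CD behaviour the reply warns about.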
-
I think you are over complicating things.
All I do is have Liberte installed to a MicroSD card as per the instructions on the project site. Get a MicroSD to USB adapter and you are laughing. You don't need to hide the card as it is all encrypted anyway, but if you can't manage to hide a MicroSD card then you have bigger problems! I think that having virtual machines and truecrypt containers is becoming largely irrelevant with the advent of Liberte, but I could be wrong.
-
I think you are over complicating things.
All I do is have Liberte installed to a MicroSD card as per the instructions on the project site. Get a MicroSD to USB adapter and you are laughing. You don't need to hide the card as it is all encrypted anyway, but if you can't manage to hide a MicroSD card then you have bigger problems! I think that having virtual machines and truecrypt containers is becoming largely irrelevant with the advent of Liberte, but I could be wrong.
Hm, just looked into Liberte in depth. It is based on a hardened Gentoo kernel which is really nice, has PaX and grsecurity fully enabled etc. This is very good for security from hackers, some of the features are automatic [like ASLR, SSP, etc.] others require customized configuration though [like MAC profiles]. I don't know how the MAC system is configured with Liberte but it is possibly well secured. Technically Liberte actually looks far superior to Tails, so I take back what I said about suggesting Tails over it. I wonder why Tor project suggests Amnesia instead of Liberte now that I have looked at the Liberte spec. However, the issue about Tor persistence still stands for Amnesia and Liberte. I don't know if you can use Liberte's persistence for persistent Tor entry guards though, although in that case it would be a live USB ;).
Regardless, your reply is still naive. Truecrypt and virtual machines are not made irrelevant by an operating system, any more than GPG is. There are multiple things to take into consideration when it comes to security. Traffic analysis, communications interception, hackers / application layer attacks, computer forensics, etc. Hardened Gentoo can do a great job of protecting from hackers / application layer attacks. It is definitely one of the best security oriented operating systems. I actually was recently discussing it with some security experts / researching it, although not in the context of Liberte. Some of the people I talked with seem to think that it is the number one choice for security if properly configured, although extremely difficult to properly configure. Liberte is preconfigured, so that is a big advantage...I assume the people who made the live CD know what they are doing as well, so it is probably properly configured. Of course other people will disagree that it is the best, a lot of people prefer OpenBSD for example. The operating systems gain their security in different ways, and in some cases in the same ways, but it seems to be fairly commonly agreed that hardened Gentoo is at least one of the best operating systems for security. One thing I am not sure of is if Liberte is 32 or 64 bit; if it isn't 64 bit it isn't going to be getting much from ASLR though.
Using a live CD without Tor persistence makes you more vulnerable to a number of traffic analysis attacks, as I already explained. A properly configured hardened gentoo based distro may protect significantly from hackers, due to its security features. But you also need to worry about being traced via traffic analysis.
Application layer attack: Firefox is hacked and the attacker EOPs to Tor, gets your IP address
Traffic analysis attack: Your adversary owns your entry guard and monitors SR, they correlate timing information from the entry guard to timestamps on SR and link your IP address to SR
Liberte tries to protect from traffic analysis by using Tor, but because it is a live CD it has limitations versus a persistent configuration. Every time you boot it, your entry guards change. This majorly increases the risk that an attacker will eventually own one of them. You can protect from this by loading from a snapshot, but you still are at increased risk because you will be bootstrapping at the DAs more than normal. Hopefully liberte and other live CDs start finding ways to get around these problems. Tor can also fix the problem of increased bootstrapping by using directory authority guards, I think they are already headed in this direction. These are not inherent limitations of live CD, but they are limitations of all the live CDs out there today, afaik anyway.
Storage encryption is still required as well. Liberte does not replace the need for this.
Application layer attack: Firefox is haxxored and feds remotely spy on the contents of your hard drive
Meatspace attack: Feds kick down your door and steal your hard drive
On the application layer, using a hardened gentoo based OS can offer protection from various attacks. It doesn't protect from the feds kicking down your door and stealing your drive though, assuming they can find you anyway [maybe they found you because you used 90 different entry guards in one month instead of the 3 you would have used with a persistent Tor installation :P].
Also, I think a MAC system can get similar results but I don't think Liberte is currently configured in such a way...
VirtualBox can be used to offer strong isolation. If you run Tor in one VM and Firefox in another, and use host only routing to connect the two, you can make it so even if Firefox is hacked the attacker can not get to your external IP address without breaking out of the virtual machine. This is really good protection from application layer attacks.
Application layer attack: Haxx0r pwns your Firefox, EOPs to Tor user and gets your IP address
Protection: Attacker pwns your Firefox, now they need to break out of the VM before they can get to your IP address. This makes it a lot harder for them.
So Liberte does not make VirtualBox irrelevant, and if you have the skills to configure hardened Gentoo yourself I would suggest not using Liberte and rather configuring multiple VMs in the manner I previously described [with a hardened Gentoo host, and hardened Gentoo guests for each critical process that needs to be isolated away from your IP address]. This is actually the configuration that I plan to go with for myself, I didn't realize that Liberte was so similar until just now, before I thought it was just another Tor live CD on the level of Amnesia...but not endorsed by the Tor devs...which is why I suggested using Amnesia over Liberte.
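The firewall side of the Tor-VM / application-VM layout described in this reply and in the earlier one, as an added example (not code from the thread or from VirtualBox). Assumed layout: vboxnet0 is the VirtualBox host-only network 192.168.56.0/24, the Tor VM is 192.168.56.10 (it also has a NAT adapter for its own internet access, and its Tor binds SocksPort, TransPort and DNSPort to that address), the application VM has only a host-only adapter, and both VMs use static addresses because the host drops everything from that interface (including VirtualBox's host-only DHCP).

```shell
# Added example, not from the thread or from VirtualBox: firewall rules for the
# two-VM isolation layout. Addresses, interface name and ports are assumptions.
# The functions only PRINT iptables commands so the policy can be reviewed;
# see the usage note for how to apply them.
set -eu

HOSTONLY_IF=vboxnet0
TOR_VM=192.168.56.10
SOCKS_PORT=9050   # Tor SocksPort, bound to $TOR_VM inside the Tor VM
TRANS_PORT=9040   # Tor TransPort, for applications that cannot speak SOCKS
DNS_PORT=5353     # Tor DNSPort, so the app VM never resolves names in the clear

# Rules for the HOST: neither accept nor forward anything arriving on the
# host-only network, so a rooted app VM cannot use the host as a way out.
# (This also blocks the host-only DHCP server; VMs need static addresses.)
host_rules() {
    cat <<EOF
iptables -A INPUT -i $HOSTONLY_IF -j DROP
iptables -A FORWARD -i $HOSTONLY_IF -j DROP
iptables -A FORWARD -o $HOSTONLY_IF -j DROP
EOF
}

# Rules for the APP VM: the only reachable thing is Tor on the Tor VM; any
# other outbound packet (clear DNS, direct IP connections) hits the DROP policy.
app_vm_rules() {
    cat <<EOF
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -d $TOR_VM -p tcp --dport $SOCKS_PORT -j ACCEPT
iptables -A OUTPUT -d $TOR_VM -p tcp --dport $TRANS_PORT -j ACCEPT
iptables -A OUTPUT -d $TOR_VM -p udp --dport $DNS_PORT -j ACCEPT
EOF
}

# Sanity check on the app-VM policy: count ACCEPT rules whose destination is
# neither loopback nor the Tor VM. A correct policy yields 0.
app_vm_leaks() {
    app_vm_rules | awk -v tor="$TOR_VM" '
        /-j ACCEPT/ && !/-o lo/ && index($0, "-d " tor) == 0 { n++ }
        END { print n + 0 }'
}

printf 'Host rules:\n%s\n\nApp VM rules:\n%s\n' "$(host_rules)" "$(app_vm_rules)"
echo "app VM accept rules bypassing Tor: $(app_vm_leaks)"
```

Apply with `host_rules | sh` as root on the host and `app_vm_rules | sh` as root inside the application VM, after checking that `app_vm_leaks` prints 0.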
-
I should also add that I personally suggest not using their cables system for communications, simply because it requires you to run as a tor hidden service. Deanonymizing hidden services is much easier than deanonymizing Tor clients.
-
Okay, looks like Liberte supports persistent entry guards if it is run as a live USB, obviously not as a live CD though. This fixes at least one of the major flaws in Tails. I really guess I should have researched this more before commenting, instead of assuming it was just another Tails clone that wasn't endorsed by the Tor devs. I had seen it before, but didn't do in-depth reading on it. I think I saw its "cables" system and immediately wrote it off because I really think it is a bad idea to form networks of hidden services for communications, hidden services ARE too easily traced versus Tor clients.
I still plan to configure my own hardened gentoo with multiple virtual machines for isolation, but I suggest liberte for anyone who doesn't have the time for this ;P. It is funny because I was just about to make a post about hardened gentoo and suggest people try to configure it + VM isolation. Now I suggest that as well, but liberte looks like an excellent alternative for people who don't have the time or skills required to configure hardened gentoo themselves.
-
Thanks for the replies, lazypeeps and 1as3df4gh.
Here's the what and why. I'm booting Liberte from the .iso using VirtualBox. The reason I put the .iso in a Truecrypt container is to hide it and prevent being able to boot Liberte without the Truecrypt container being open, since the .vhd isn't really necessary at this point. What I'd like it to be able to do is boot Liberte in the VM from the .vhd, to have persistence for bookmarks (and now for the added security of keeping the same entry guards). I'd rather keep everything Liberte, Tor, etc. separate, hidden and secure from my host regardless. Once everything is nice and secure inside an encrypted container, I plan to clean up my host, shred free space, etc. Obscurity might not be security, but I have some family members who occasionally use my computer. I'm hiding in plain sight, if you will.
Sharing a truecrypt container with the host? Elaborate please. If you use snapshots, or even if you decide to use a virtual hard drive, you can keep the entire virtual machine inside a truecrypt container. Then you will need to mount the container and point virtualbox at it prior to launching the VM, but it will keep it encrypted :).
This was the solution for gaining persistence inside my VM. VirtualBox gives the option to designate Shared Folders on the host accessible to the VM. I selected a Truecrypt container on the host to share with the VM, so I have access to bookmarks. Even though it's encrypted, I don't want any access to this data from the host directly without first booting the VM. When I find a way to install Liberte on the .vhd, this issue should be resolved.
So, at this point, I'm searching for a way to install Liberte to the .vhd. Unlike Ubuntu, there isn't an easy "Install Liberte" option when booting from the disk. See how much of a noob I am? While inside the VM, I don't seem to have access to the .vhd at all. It may have something to do with persistence support being disabled, so copying files to the top level drive and running sh setup.sh /dev/sda1 in terminal isn't working for me. I tried searching for a way to access the .vhd from the host; however, it's proving difficult. Now that I'm fully awake, I'll see if I can figure it all out.
1as3df4gh, I really like the MicroSD option and will probably pick one up soon enough. For my limited purposes, it would probably work out well. Although, this is as much a learning endeavor as it is a SR buying endeavor for me. Three weeks ago, I was set up on OS X with little security knowledge and I'm paranoid by nature. I've created an encrypted partition, installed Ubuntu, I'm learning as much as I can about Linux, networking, security all of which has led me to running Liberte inside a virtual machine. It's absolutely fantastic.