[tor-talk] Is there a way to use internet in a sandbox environment? (Linux)
npdflr
npdflr at zoho.com
Fri Mar 29 14:31:34 UTC 2019
I am giving a scenario: (Devices: PC Hard Disk having important files for offline use, USB Device for data transfer and Mobile Device which has internet connection)
1. I have a hard disk that is offline (Linux OS).
2. I use a mobile device for internet, gather some data and transfer that to a usb device (via OTG).
3. I have to mount the usb device to the hard disk since I need the gathered data.
4. Give read and write permission to the usb.
5. I copy the gathered data from usb to the hard disk. Use/process the data as per needs.
6. I write some data back to the usb if needed.
7. Connect usb to the mobile device if needed.
Data from mobile --> usb --> Hard disk
Data from Hard disk --> usb --> Mobile
How do I make sure that only the hard disk can read and write to the usb device and prevent the usb to read/write any hard disk data so that the files on the hard disk are always safe?
---- On Tue, 26 Mar 2019 16:21:52 -0700 Ben Tasker <ben at bentasker.co.uk> wrote ----
Nothing is 100% safe, but by instituting isolation you'll have raised the
bar.
For "something" to escape your internet VM would require some kind of
hypervisor exploit. Technically there is the potential for rowhammer style
attacks from within that VM, but for the forseeable future that'd likely
mean a pretty targeted attack.
Basically it all depends on your threat model. Some prefer to boot tails
from read only media on a system with no disks, others don't need that
level so are willing to sacrifice a little security in the name of
convenience.
There's a lot more to opsec than just the browser you're running too.
That said, you specifically mentioned concerns about malware, so a simple
VM could well be enough for you (or even a multi-vm setup like Qubes to
reduce the risk of data leaks). You could also have a disconnected VM for
"offline" stuff, but it'd probably be overkill for most people.
On Tue, 26 Mar 2019, 10:52 npdflr, <mailto:npdflr at zoho.com> wrote:
> Thanks Ben Tasker for the information.
>
>
>
> Regarding KVM:
>
> If I use two KVMs one for offline use and other for online use then would
> you say that the KVM used for offline use is 100% safe? (as KVM basically
> is a hardware-assisted virtualization)
>
>
>
>
>
> ---- On Sun, 24 Mar 2019 15:51:27 -0700 Ben Tasker <mailto:ben at bentasker.co.uk>
> wrote ----
>
>
>
> Most browsers actually already do exactly this and run tabs inside a
>
> sandbox.
>
>
>
> If you wanted to restrict that further, you could look at chrooting or
>
> using docker. Or take it a step further and use a full blown VM (whether
>
> that's KVM or something like Virtualbox).
>
>
>
> But don't, please, follow the suggestion of using root for routine
>
> non-internet tasks. You should use privileged accounts only when you
>
> actually require that level of privilege. Also keep in mind that while
>
> malware running as an unpriviliged user cannot (generally) hose the system,
>
> it can still steal/corrupt whatever data that user has access to. Unless
>
> this is a shared system, you probably care more about that data than the OS
>
> files themselves.
>
>
>
>
>
>
>
> On Sun, 24 Mar 2019, 13:27 npdflr, <mailto:mailto:npdflr at zoho.com> wrote:
>
>
>
> > Using internet in a sandbox environment would be ideal to prevent
>
> > viruses/theft.
>
> >
>
> >
>
> >
>
> > I am posting some links related to this topic.
>
> >
>
> >
>
> >
>
> > 1) Discussion on stackexchange:
>
> >
> https://security.stackexchange.com/questions/35373/how-to-make-sandbox-only-internet-access
>
> >
>
> >
>
> >
>
> > 2) Using hypervisor/kvm to connect to the internet. Hypervisor
>
> > Technologies:
>
> >
> https://opensourceforu.com/2016/03/the-top-open-source-hypervisor-technologies/
>
> >
>
> >
>
> >
>
> >
>
> > 3) Virtual Desktop: https://help.comodo.com/topic-72-1-522-6274-.html
>
> >
>
> >
>
> >
>
> > 4) Another way would be to block internet for the root user in Linux and
>
> > allowing internet only for other users. In this way, one is using root
> for
>
> > offline activities and other users for online activities (just like a
>
> > sandbox environment).
>
> >
>
> >
>
> >
>
> > But it looks like if you enable internet connection for non-root user
> then
>
> > the root user is automatically connected to the internet (I maybe wrong).
>
> >
>
> > I have tried using some commands from the below links replacing
> "USERNAME"
>
> > with "root" (THERE MAYBE RISK INVOLVED IN DOING SO) but I had to restart
>
> > the system to enable the internet connection again.
>
> >
>
> >
>
> >
> https://askubuntu.com/questions/223434/how-to-disable-internet-for-a-user-on-a-system
>
> >
>
> >
>
> >
> https://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html
>
> >
>
> >
>
> >
>
> >
>
> >
>
> > Any suggestions?
>
> >
>
> >
>
> >
>
> > Thank you.
>
> > --
>
> > tor-talk mailing list - mailto:mailto:tor-talk at lists.torproject.org
>
> > To unsubscribe or change other settings go to
>
> > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
> >
>
> --
>
> tor-talk mailing list - mailto:mailto:tor-talk at lists.torproject.org
>
> To unsubscribe or change other settings go to
>
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
> --
> tor-talk mailing list - mailto:tor-talk at lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
--
tor-talk mailing list - mailto:tor-talk at lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
More information about the tor-talk
mailing list