Comments: Identity theft - buy a Mac, download Firefox

Speaking of which, I am very concerned about that myself and that is one reason I still don't have internet or even a computer at home: I trust the network admins at work to be at least marginally competent whereas I know I am not. That will soon have to change, however, and now I am _very_ worried. One thing I thought of and which I have since learnt is used by the NSA is to perform all dangerous activities (like connecting to the internet) in a virtual machine (e.g., using VMWare if on a PC) that has limited privileges and is regularly destroyed (i.e., you keep a copy of the original, never-used file around and you just overwrite the just-used VM instance with it: same as reformatting and reinstalling but it takes only a few seconds, so you can do it as often as you wish: there is no deterrent). The problem is that the VMs and the host still share some hardware (the Ethernet card, for one) and I am worried that it must be easy to get it wrong and get only fictitious security as a result. Because, e.g., NSA uses it I know my scheme is basically sound but I need to get the details right. The fact that recently I wasn't even able to get X running on a Linux instance I installed under VMWare is not encouraging: obviously I simply do not have the skills to get this right. So my question is: would you perchance know where I can find a howto for implementing this scheme correctly?

An alternative is to have several computers and not to network the one used to connect to the internet but that gets expensive and is rather inconvenient as well.

Posted by Olivier at October 3, 2004 01:14 PM

Why is the name "McCarthy" running through my head so many times these days?

Like a song of old, you hate the tune, but it is too easy to hum along with it.


Posted by Twan at October 3, 2004 01:15 PM

So, no idea at all?

-- O.L.

Posted by Olivier at October 9, 2004 04:19 AM

I personally don't know where there is one. Places to check would be the general security groups, and anything to do with OpenBSD.

That sort of scheme is ... if it works ... most likely to be related to the OpenBSD operating system. This doesn't mean that it would only be available in OpenBSD, but if you want to place security before anything else, that's where you'll find the people who talk about it.

When it comes to installing VMWare and running virtual machines, there are limitations to those sorts of systems. The PC architecture is not that clean and easy. Things like X dive in and muck with the hardware directly, which means that a virtual machine has a tough job in trapping and delivering that interface. I'm not that surprised that VMWare couldn't easily do the X, and even if it could be got going, I'd be suspicious of it breaking the first time you get some delta (new app, new hardware, new OS...).

Posted by Iang at October 9, 2004 04:48 AM