I do that when I'm in a hostile computing environment, such as a house full of teenage hackers. The idea is not to expose my hard disk drive to any form of attack. For that, I use:
Lightweight Portable Security
It's a Linux CD or flash drive, with some security tools. I do carry a linux laptop with me, but this is easier as it can safely run on the teenagers virus infested computer. Of course, the need to do online banking while surrounded by teenage hackers is minimal, so I don't have much experience using LPS.
--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
Java was also a Sun Product and we've all seen what happened to that. Oracle doesn't derive any revenue from VirtualBox and little from Java. I don't see them being inspired to do much maintenance.
I have one Linux laptop with VMware running an OS/2 image to run a pirated Mercedes Benz shop manual. Another desktop runs XP with several XP and W2K VM's for programming experiments and retro computing. Some of my Mac customers are running various VM's in order to have Windoze on their OS/X boxes.
Thanks. I'll give the dark side a try.
--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
I think it was just too easy to use webkit and way too much work to take their custom software do HTLM5. The memory footprint of the old opera was low, but I don't know if they compensated with file buffering.
someone came into our office complaining of $10 000 lost from his credit-card, and blaming some sort of database insecurity. It turns out he had a keylogger someone has lost $10K, probably the vendors.
Are you trying to get hacked? I close browsers within a few minutes, by policy. Some sites are unusable for me because i won't give them a damnzillion scripts and cookies. If you can't ask politely for what you want to make me your product, don't expect me to cooperate let alone return.
You don't need to have your computah infected with a keylogger in order to lose money. One of my intelligent but lazy friends[1] decided to use a single password for all his online accounts. That included banking, credit cards, email, ebay, Paypal, shopping sites, etc. I knew about this and pounded on him to change all passwords that involved money or email to something more secure. I also bought him a Verisign rolling code card for eBay/Paypal. I assumed that he had changed them, but I didn't check.
About 18 months ago, he simultaneously became the victim of identity theft, with bogus credit card transactions, new bogus credit accounts, an empty bank account, insane eBay purchases, redirected direct deposits, etc. Even his paychecks and stock dividends were being deposited in someone else's account. He's still cleaning up the mess and his credit rating is (probably) fatally trashed.
Moral: Password security and secondary authentication are a good idea. Also, few people care much about security until AFTER they have lost data or money.
[1] I have friends and I have customers. The difference is the customers pay me.
--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
I've never actually been stiffed, but big companies are sure slow payers in general. Many of them even drag their feet when paying expert witnesses who are helping defend them from lawsuits with damage claims that could run into hundreds of millions of dollars. Pissing off somebody like that is just criminally stupid. Probably somebody gets an award at the end of the year, or something like that.
That's one of the nice things about providing unique stuff--when you push back on the terms, people rarely just walk.
My rule is that anybody who has ever gone 90 days on an invoice is in the pre-pay group forever. New customers whom I'm not sure about, I ask for a 40-hour retainer, and bill them whenever it runs out. Once we get into a rhythm, I let them pay 2%/10 net 30. Another rule is that I rarely let invoices get much over $10k, because once somebody owes me really important money, there's an adverse shift in the balance of power.
How do other folks do it?
Cheers
Phil Hobbs
--
Dr Philip C D Hobbs
Principal Consultant
ElectroOptical Innovations LLC
Optics, Electro-optics, Photonics, Analog Electronics
160 North State Road #203
Briarcliff Manor NY 10510
hobbs at electrooptical dot net
http://electrooptical.net
No, it's nothing as sinister as that. IME, it's just broken processes and the normal bureaucratic inertia and lack of interest. I've had holds put on our purchase orders more than once and have to track them down to get the vendors paid many times. It's always just someone, somewhere, who forgot to sign the PO (etc.), or something equally stupid.
It's not just large companies who drag feet. At my PPoE I was always getting "pay up deadbeat" calls from vendors. That, however, wasn't bureaucratic ambivalence.
While that is helpful once the diseased FF28 or FF29 and later get into your machine, i want to permanently block the updates until FF settles down like chrome has.
Customers. Guido, Mongo, and accomplices take care of collections.
Actually, I've not been paid only once, and that was intentional. I seem to have the ability to predict if someone is not going to pay. I have no idea how I do it. I wasn't certain about one potential customer, so I did the work anyway. As I suspected, he didn't pay.
I have had customers go Chapter 11, disappear, reorganize, or get fouled up in their own procedures and paperwork. For that reason, I do little work for shaky businesses, startups, government acronyms, universities, and businesses in the middle of reorganizations or owner divorces. I also have customers that are always one invoice behind on their payments, where I have to demand payment for previous work, before I'll do any new work.
When doing contract work, I've simply been lucky and have always been paid at least partially. It's probably a bad thing to believe in luck, but I seem to be doing reasonably well relying on it.
Incidentally, many of the customers that have supported my decadent and lavish lifestyle over the past 33 years are getting older and have retired and/or sold their businesses. Same with my contacts in industry. Replacing these with todays breed of business people has not worked well for me, probably due to differences in culture.
--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
Most of my income is currently derived from doing repairs on computahs, test equipment, and machines. For computahs, I just tear it apart in plain view, and then mumble something about not having been paid on my last invoice. Translated, that means if someone doesn't magically appear with a check, their computah is going to be left in pieces, while I go to my next customer.
For test equipment and machines, I just hold onto the hardware until I get paid. There are some legal complications with doing this, but so far, I haven't had any visitations from the police claiming I've stolen the hardware.
When I did design work, I always withheld some part of the documentation until I got paid. Usually the customer received a "preliminary" schematic, which was full of mistakes and omissions. I learned that trick when I had some design work done cheaply in India. It doesn't always work, not because the customer has the time and talent to fix the mistakes and omissions, but because they don't realize that the documentation is wrong until the product hits purchasing or production. Telling them that it's wrong is the difficult part for me.
Quiz question: Given a mechanical prototype or competitors product of (for example) an antenna, what's the one thing necessary for production that can't be reverse engineered from the prototype or competitors product?
--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
Create the vdi files with 3.2 so they are all in the same folder: /home/YourName/.VirtualBox/HardDisks
This makes it much easier to back up the files.
VBox 4.04 spreads them all over the place, making backup difficult. But
4.04 boots much faster than 3.2, so you need both.
Ubuntu 10.04 is the latest version that doesn't have the Unity interface, which most people dislike intensely. You have to install it with UEFI disabled, or the hard disk won't boot.
10.0 doesn't have the TRIM command for SSDs. There is a manual version of the TRIM command, but I found it doesn't make any difference. It is an extremely good idea to disable the noatime,nodiratime features of the EXT4 drive format. Here is the batch file I use to install Samba, which gives access to the LAN. It contains the instructions on how to configure Ubuntu:
sudo apt-get update echo echo DO NOT USE Ctrl-C. THIS WILL TERMINATE THE PROCESS echo Use Shift + Ctrl + C to copy noatime,nodiratime, echo Add to next column past ext4 sudo gedit /etc/fstab echo echo edit grub boot options echo GRUB_HIDDEN_TIMEOUT=0 echo GRUB_CMDLINE_LINUX_DEFAULT="" sudo gedit /etc/default/grub sudo update-grub sudo apt-get install samba echo echo enter samba password sudo smbpasswd -a mike echo echo smbusers mike = mike in quotes sudo gedit /etc/samba/smbusers echo echo configure master or slave sudo gedit /etc/samba/smb.conf echo echo enter computer name mike0X sudo gedit /etc/hostname echo echo enter host name mike0X sudo gedit /etc/hosts sudo apt-get -y autoremove
The Master and Slave configurations for Samba merely designate who will take control when the LAN is active. They are too lengthy to post here, but I can email them to you if you need them.
Ubuntu has OpenOffice, so you may not need it. Do you really need to run Win 8.1? Win 7 only needs about 7.5GB, including the 6GB for all the DLL versions.
It may be a good idea to put the special software in a different VM. This protects you in the event the main VM gets infected. The infection cannot cross the barrier that VBox has between installations, and you can transfer files between them by copying to the Ubuntu Desktop and downloading from there.
The version 026 of Robocopy is incredibly fast, and maintains the timestamps for folders. You can find it in the Windows Server 2003 Resource Kit Tools available at
Install the package, extract Robocopy 026, then delete the installation.
If you run DOS programs, (on Win 8?) you will need TAME to control the cpu utilization. I found the best version is 4.5 available here:
You can send in the $20.00 purchase, but the registration file he sends you won't work. Never mind, you don't need it to run the program. He will not respond to questions or request for help, so you are on your own. But I will help when you need it.
I use 128 GB SSD drives for my main and backup, and a WD 1TB for archives. I wouldn't want to use USB - it is way too slow. The 1TB WD cost about $55 some years ago. Just install Ubuntu on it the same as the SSD drives so you can boot from it if needed. The file transfer rate is around 150MB/s, so backup is fast.
The SSD are much faster than the hard disk for bootup, but I'm running out of space. The next project will be to combine two SSDs in a RAID 0.
Why do you need Acronis? When you are running VBox, all you need to copy are the vdi files.
When you use an internal backup drive, the transfer speed is so fast you will be able to back up often, so your files will be up to date. But the file transfer is done through Ubuntu, and the ransomware is on Windows. It cannot reach the backup drive. This is also the reason I never allow Windows to connect to the LAN. I only use Samba running on Ubuntu. Any malware cannot see the LAN, and cannot propagate.
I also split functions into different vm installations. Each one only gets the capability that it needs to perform that function. For example, the main XP installation has all my datasheets spread over drives D: and E: It alo has the email client on drive C:, along with all my software source code, LTspice, my SPRINT editor from 1988, hundreds of megabytes of notes, email and newsgroup postings going back a decade or more, and a bunch of other stuff. This fits in 3GB with about 1.7GB free space. I was wrong in my earlier estimate of the backup time of 30 seconds. It is actually less than 15 seconds.
Another installation is for products. It has no email, so it is immune from phishing attacks. It has no browser, so it cannot go online and get infected. It has no Flash or any other app that is not needed. I transfer files via the desktop, so there is no way that malware can affect it. I bak up to the 1TB hard drive and also to another completely separate computer.
The banking installation is for online purchases and access to my bank accounts. It has no email, LAN, Flash, or anything else not needed to log on. It is the only place where the logon information is kept, and that is in a secure password manager. I prefer Sticky available here:
formatting link
The banking vdi is backed up the same way as the others.
It won't work on Win 7, so it will probably fail on Win 8. But if you want to try XP, you can get the files from the Win 98 cabs that are available on the web, or you may have an old installation disk. The SFC locations are:
All that disappears with VirtualBox. The vm gets a generic set of interfaces so they all operate exactly the same. You don't have to mess with drivers any more.
You can easily personalize the vms as much as you want. I just recommend to split the critical functions into separate vms so any infection on one will have no effect on the others.
Keeping the banking and browsing in separate vms can help. The browsing vm can get clobbered, but you don't care. Just copy the backup over it and you are back in business. The banking vm has no email and never goes anywhere except to banking sites, so it should never get infected.
You have to enter the site url by hand. This leads to typos and criminals are sitting on those urls waiting for you to enter your logon credentials so they can steal your money.
You also have to copy the urls for eBay and Amazon purchases. This can also lead to problems copying the urls which slows you down.
You need to keep copies of all the bank logon info somewhere, perhaps on a piece of paper. This can give problems protecting it from unwanted visitors or simply losing it.
When you are done, you have to put the CD away in a safe place. A scratch can ruin it, so you need a backup.
Now, you need to reboot you computer. All this wastes time and leaves several openings for error that can defeat the entire purpose.
Putting the banking function in a separate virtual machine isolates it from the other vms so any infection cannot cross over. You can use a password manager that encrypts the logon information to keep it secure.
The password manager should connect to the desired site and log on automatically for you. This eliminates the possibility of typos.
You can back up the vdi file to a USB stick and put in a safe deposit box for security.
Fatal mistake. Gotta followup. Check everything - he will likely screw up.
Passwords are useless. Get a long 64 bit random string from GRC's Ultra High Security Password Generator:
Note: this is only for banking and financial info. Firefox's password manager is fine for site registration and other non-critical use. But the financial sites need a password manager to encrypt the info. There are many different ones. I much prefer Sticky.
It is strange that nobody has mentioned this, but Symantec has declared AV is "dead" and "doomed to failure".
"Commercial antivirus pioneer Symantec has finally admitted publicly what critics have been saying for years: the growing inability of the scanning software to detect the majority of malware attacks makes it "dead" and "doomed to failure," according to a published report in the Wall Street Journal:
Also see:
For more bad news, Microsoft Now Recommends You Use a Third-Party Antivirus in place of Microsoft Security Essentials.
Clearly, we have to take computer security into our own hands. The old methods don't work. Criminals can shut our business down and steal our money in seconds.
I propose running Windows in a vm and split the critical functions into separate installations so an infection in one cannot affect the others.
Use Linux as the host for the hypervisor, again to prevent cross- infection.
Keep Windows away from the LAN so infections cannot propagate.
Disable wireless functions on your router and remove the antennas.
Use the System File Checker from Win98 to verify the date and time stamps, filesize, and CRC32 of all the critical files. This requires XP.
If you must use Win 7, find a program that can list all the files in the critical directories and do a diff to check for changes and additions.
Use SysInternals Rootkit Revealer and other similar programs to check for hidden rootkits.
Disable the bios flash update on your motherboard.
For the Bank logon strings such as what was your first car, use a long nonsense string from GRC and use it for all the verification questions.
Split your bank accounts into ones that can be reached from the web and others that cannot be reached. For example, Paypal and debit cards can use an account that you only put money in when needed. Keep the rest in a different secure account. If you bank will allow it, have an account that is blocked from any online transfers. Make it so the only way to transfer money in or out is to get a manager's override when you visit the bank. Keep most of your money in it except for normal expenses.
The criminals do not mess around. They want your money, and they can afford the very best software engineers to find a way to get it. You can do a lot to make it difficult or impossible for them to succeed.
In reality, most criminals /do/ mess around - the great majority of criminals are pretty stupid. You can see this by phishing scams - most bear clear signs of google translate, and have spelling or grammar mistakes. But there are a few criminal groups around the internet that are sophisticated.
However, you don't need to go overboard to protect yourself. All you need to do is be a harder target than other people - then you are safe (baring very bad luck). Avoid java, avoid windows, and the criminals will avoid /you/, until they have robbed every windows user on the planet.
The CD's huge advantage is that it's really and truly read-only. I don't know about you, but I don't have a big problem typing "
formatting link
" correctly, or remembering my banking PWs.
Mostly I use my Blackberry 9900 for banking.
Cheers
Phil Hobbs
--
Dr Philip C D Hobbs
Principal Consultant
ElectroOptical Innovations LLC
Optics, Electro-optics, Photonics, Analog Electronics
160 North State Road #203
Briarcliff Manor NY 10510
hobbs at electrooptical dot net
http://electrooptical.net
Correct. I was very careful not to disclose tolerances, specifics on materials, and vendors until after I was paid (and the check cleared the banks).
--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
ElectronDepot website is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.