Bitcoin Forum
Author Topic: Stop telling people that VMs could protect anything  (Read 9094 times)
cypherdoc
June 11, 2011, 09:51:40 PM
 #41

Quote
Just want to make sure that no one else does what I've done so that malware will never be written to target my bitcoin.

so how do u refute what's been said throughout this thread that VMs do nothing to block an attack?

i was well aware of your software prior to this but haven't tried it out since you're so new as is the client so my interest was piqued by this thread.
error
June 12, 2011, 05:24:30 AM
 #42

The author was Theo de Raadt, (from the OpenBSD project)

And that means you have to wade through pages and pages of colorful invective -- and throw some back at him -- before he gets around to actually talking about the issue at hand, if he ever does. Theo de Raadt's attitude problem is the #1 reason I don't use OpenBSD.

That said, it's possible to provide reasonable security for virtual machines (for instance the use of SELinux with KVM) though things like VMware don't really provide anything reasonable, especially on Windows.

3KzNGwzRZ6SimWuFAgh4TnXzHpruHMZmV8
bcearl (OP)
June 12, 2011, 07:50:50 AM
 #43

Quote
Just want to make sure that no one else does what I've done so that malware will never be written to target my bitcoin.

We aren't in the 90's any more. Malware today is made from components and individually designed for each target.

Nobody would do that for a spam box, but when they got your bitcoins, it's a total win.

Misspelling protects against dictionary attacks NOT
bcearl (OP)
June 12, 2011, 09:07:35 AM
 #44

Quote
Just want to make sure that no one else does what I've done so that malware will never be written to target my bitcoin.

You can do that. But don't tell people - especially inexperienced users - that this is security.

If we seriously want to get a situation, where most of the users have some security, we have to think about solid ways.

A savings wallet with password-protected private keys can be understood by a lot of users -- even those who don't know much about IT.

Misspelling protects against dictionary attacks NOT
Soros Shorts
June 12, 2011, 09:21:39 AM
 #45

Whatever happened to the concept of layering your security? If using a VM adds some level of isolation between potential malware and the Bitcoin wallet then it would certainly be beneficial to use it as part of an overall solution. You shouldn't discard it just because it is not 100% "impenetrable" (Are you looking for a Maginot Line-type solution?). Other steps can and should be taken to protect the host, other VMs, the local network, etc. You may argue that this is just obscurity, but in the real world throwing an additional roadblock is usually all that it takes to prevent the success of a potential attack.
bcearl (OP)
June 12, 2011, 09:44:42 AM
 #46

Quote
Whatever happened to the concept of layering your security? If using a VM adds some level of isolation between potential malware and the Bitcoin wallet then it would certainly be beneficial to use it as part of an overall solution. You shouldn't discard it just because it is not 100% "impenetrable" (Are you looking for a Maginot Line-type solution?). Other steps can and should be taken to protect the host, other VMs, the local network, etc. You may argue that this is just obscurity, but in the real world throwing an additional roadblock is usually all that it takes to prevent the success of a potential attack.

It protects only in one direction: It protects the host from the guest. Not the other way around!

But many people here use it the other way around. That does not work, it's just a little obscurity (which you could also have by renaming files).


Little Conclusion:
The title is not "stop using VMs", but "stop telling people that VMs do magic". If you know what you do, you can get some protection with VMs, as some people here do. But if you tell people, they will just install VMs (wasting resources), and think they are secure, which they are not.
For example you could set up a VM with full operating system based full disk encryption. That would protect the system while it is not running. When it is running, there is no more protection from the host. You can use that setup securely if you are fully aware of those facts. But most people just aren't, especially those who just listen to your security advice.

You have the same effect with my Ubuntu user account setup. While the special user is logged out, there is no way to access the private keys. They are encrypted (and never stored anywhere else).
And it has a lot of advantages:
- It is way less a waste of resources.
- Login and logout are much faster than booting a VM. (Hibernating a VM would mean to store private information in swap space.) So there is a smaller time window for attackers.
- Even while the special user is logged in there is no way for other users' software to manipulate unless they really crack the operating system. (Opposed to that the VM is run by a user, thus the user's software can do anything with it.)

Misspelling protects against dictionary attacks NOT
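
One way to check the property the post above relies on, that nothing under the dedicated account's data directory is accessible to other local users. This is an added example, not part of the thread or the poster's setup; it assumes GNU find, the directory and uid are supplied by the caller, and it does not verify that the keys are encrypted.

```shell
#!/bin/sh
# Added example: audit a wallet data directory owned by a dedicated account.
# Assumes GNU find (-printf, -perm /mode). Path and uid come from the caller.

# audit_wallet_dir DIR EXPECTED_UID
# Prints one line per finding. Returns 0 if clean, 1 on findings, 2 on bad input.
audit_wallet_dir() {
    dir=$1
    want_uid=$2

    # A symlinked data directory could point anywhere, so refuse it outright.
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "FAIL $dir is not a real directory"
        return 2
    fi

    findings=$(
        # Anything not owned by the dedicated account.
        find "$dir" ! -uid "$want_uid" -printf 'OWNER %u %p\n'
        # Any group or other permission bit lets a second account read or write.
        find "$dir" ! -type l -perm /077 -printf 'MODE %m %p\n'
        # Symlinks can redirect reads and writes outside the protected tree.
        find "$dir" -type l -printf 'LINK %p -> %l\n'
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "OK $dir"
    return 0
}

# Constructed demo: a throwaway directory standing in for the account's data dir.
demo_dir=$(mktemp -d)
chmod 700 "$demo_dir"
( umask 077; : > "$demo_dir/wallet.dat" )
audit_wallet_dir "$demo_dir" "$(id -u)"
chmod 644 "$demo_dir/wallet.dat"   # simulate a key file readable by everyone
audit_wallet_dir "$demo_dir" "$(id -u)" || echo "fix the findings above"
rm -rf "$demo_dir"
```
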
gene
June 12, 2011, 09:53:25 AM
 #47

Quote
The author was Theo de Raadt, (from the OpenBSD project)
And that means you have to wade through pages and pages of colorful invective -- and throw some back at him -- before he gets around to actually talking about the issue at hand, if he ever does. Theo de Raadt's attitude problem is the #1 reason I don't use OpenBSD.
That said, it's possible to provide reasonable security for virtual machines (for instance the use of SELinux with KVM) though things like VMware don't really provide anything reasonable, especially on Windows.

You really are one dumb fuck aren't you?

Any retort on the content of his message? Or just more echo-chamber assfuckery?

*processing payment* *error 404 : funds not found*
Do you want to complain on the forum just to fall for another scam a few days later?
| YES       |        YES |
kloinko1n
July 23, 2011, 08:49:04 PM
 #48

i think the thing to keep in mind with VMs is that there really isn't any cross-platform malware.  the browser-based stuff will infect any platform, but adapts to the platform it infects: the sophistication to reside (for example) on a windows machine, and look for a mac file system, isn't there.

i would suggest installing a VM of a different operating system, which also uses a different browser.  for example:

on a windows host machine using internet explorer, install a VM of linux/firefox.  on a mac/safari host, install windows/firefox.  etc.

one thing i haven't tried is installing a VM into a TrueCrypt partition - no way an infected/compromised host is going to get at that!  has anybody tried that?

seems to me that if you have a VM on board, it's smart to do your browsing and email in the VM and have your bitcoin client on the host with your malware scanner/antivirus programs.  in this scenario does having a USB key with the data directory plugged into the host side provide any further protection?
Quote
...have your bitcoin client on the host with your malware scanner/antivirus programs...
If I may add: and a firewall as well

Yes, and that would be an even better solution if you'd use a second network interface for the VM. Otherwise lots of attacks still can occur through the open ports in the firewall of the host, which has to be open to allow access to the virtual (browsing) machine.
Or do you think it's safe to have the firewall of your host port just forwarding everything except bitcoin traffic to the VM?