Monday, March 02, 2020

Snapshots and browsing security

Your browsing session carries along with it quite a bit of information--not just cookies. I'm told that even without cookies there's often enough info to almost uniquely identify your computer/browser combo.

There are supposed to be ways around that with Virtual Private Networks and anonymizers and what-not, assuming you trust them. I'll look into that some other time.

Another, perhaps more urgent, problem with browsing is that bad actors out there are happy to infect your computer with whatever they can load on. Anti-virus software can help, but last time I checked none of them were 100% effective.

I decided to experiment with virtual machines.

Maybe containers would be a more lightweight way to go. I'll look into that later. I figured virtual machines would be easier to offer step-by-step instructions for.

The platform is a 5-year-old Macbook I use but don't own: 16GB and an SSD. That SSD would probably be the biggest difference when comparing to some other platform.

I installed VirtualBox.

After starting VirtualBox and asking to create a new virtual machine, I installed Windows 10, and then installed the "extension pack" for VirtualBox into Windows 10. (I had to go back and add a "Virtual DVD drive" and then use the menu to point it at the extension pack's .iso file to get it to load.) I set the clipboard to be importable from the host OS into the guest, but not vice versa. If you allow the VM to mount any part of the host's filesystem, a malicious worm may write there without your knowledge--so only mount scratch areas you don't care about.

In Windows 10, I installed Firefox as the browser because it was familiar. I manually asked for the most recent Windows 10 updates. Then I started the browser.

Then I "took a snapshot": both filesystem and memory at the same time.

That's a clever trick (copy-on-write) used by some filesystems (e.g. Plan 9 and ZFS) and pretty much all virtual machine managers. At first nothing changes: the snapshot is identical to the live filesystem. But if I change a block of data, the old block in the snapshot does NOT change; what changes is the pointer, which now points to the new data stored elsewhere. If I delete a file, the snapshot's copy is still there in the old area, but the current system no longer has a pointer to it.

You can tell the virtual machine manager to "revert" the virtual machine to the old snapshot, and it will chuck all the new stuff and return it to the old state.
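The pointer-swapping described above is easy to see in miniature. The following is an added example, not code from the original post or from VirtualBox: a toy block store in which a write never overwrites a block in place, a snapshot is just a frozen copy of the pointer table, and a revert swaps the pointer table back and garbage-collects the blocks nothing points to any more. The block numbers and contents are constructed for the demonstration.

```python
"""Toy copy-on-write block store with snapshot, revert and merge (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class CowStore:
    # Physical blocks: id -> bytes. A block is never modified once written.
    blocks: dict = field(default_factory=dict)
    # Live view: logical block number -> physical block id.
    current: dict = field(default_factory=dict)
    # Snapshots: name -> frozen copy of a pointer table (no data is copied).
    snapshots: dict = field(default_factory=dict)
    next_id: int = 0

    def _alloc(self, data: bytes) -> int:
        pid = self.next_id
        self.next_id += 1
        self.blocks[pid] = bytes(data)
        return pid

    def write(self, lbn: int, data: bytes) -> None:
        # Copy-on-write: the new data lands in a fresh physical block and only
        # the live pointer moves. Any snapshot still points at the old block.
        self.current[lbn] = self._alloc(data)

    def delete(self, lbn: int) -> None:
        # Deleting drops the live pointer; the data survives as long as some
        # snapshot still references it.
        self.current.pop(lbn, None)

    def read(self, lbn: int, view: str = None):
        table = self.current if view is None else self.snapshots[view]
        pid = table.get(lbn)
        return None if pid is None else self.blocks[pid]

    def snapshot(self, name: str) -> None:
        # Cheap: copies pointers, not block contents.
        self.snapshots[name] = dict(self.current)

    def revert(self, name: str) -> None:
        # "Chuck all the new stuff": the live table becomes the snapshot's table.
        self.current = dict(self.snapshots[name])
        self.gc()

    def merge_away(self, name: str) -> None:
        # Dropping a snapshot frees whatever only that snapshot was keeping alive.
        del self.snapshots[name]
        self.gc()

    def gc(self) -> None:
        live = set(self.current.values())
        for table in self.snapshots.values():
            live.update(table.values())
        for pid in list(self.blocks):
            if pid not in live:
                del self.blocks[pid]


def demo():
    """Walk through the post's scenario: clean snapshot, 'infected' session, revert."""
    s = CowStore()
    s.write(0, b"clean browser config")
    s.write(1, b"hosts file")
    s.snapshot("clean")

    # A bad session rewrites block 1, drops a new block 2 and deletes block 0.
    s.write(1, b"hosts file + redirect")
    s.write(2, b"dropped payload")
    s.delete(0)
    infected = (s.read(0), s.read(1), s.read(2))
    # The snapshot's view is untouched by all of that.
    snap_view = (s.read(0, "clean"), s.read(1, "clean"))

    s.revert("clean")
    # Live view is back to the clean state and the two junk blocks were freed.
    after = (s.read(0), s.read(1), s.read(2), len(s.blocks))
    return infected, snap_view, after


if __name__ == "__main__":
    print(demo())
```

The real systems differ in bookkeeping (ZFS keeps birth times on blocks, VirtualBox keeps a chain of differencing disk images), but the invariant is the same: a snapshot is reachable-pointer state, and reverting is a pointer swap followed by freeing unreachable blocks, which is why it costs seconds rather than a reinstall.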

So, suppose I need to look up repair manuals for a washing machine. Those sites are notoriously infected; as bad as recipe sites. I connect to a site that promises me a parts list, but instead it sends me a JavaScript payload that rewrites some important little files in my area.

At the end of the session I have an infected machine that may be phoning home as I sit back and reach for the peanut jar.

I log out and shut down the virtual machine. It isn't running, but is still infected.

I open the VirtualBox menu for the virtual machine and "revert to snapshot." It asks if I want to make a snapshot of the new version. No, I don't.

The system is reverted to the state of the original snapshot.

Now if I restart the virtual machine, it comes back to the state it was in at snapshot time--open browser and all.

Bottom line: With a Windows 10 VM and an SSD on the host, it takes about 15 seconds to open and be ready.

I should play around with some other, lighter-weight, operating systems, to see if I can cut down that 15 seconds to something more snappy. I figure the less data it has to load from disk, the faster it will load.

Side effects: Any form fill-ins that weren't saved before the snapshot will be lost when you revert. Any OS updates that happen while you are browsing will also be lost on reversion. That latter bit is important: every few weeks you will want to start from the snapshot, install updates, create a new snapshot, and merge the old one away.
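Both routines in this post, the revert-then-browse session and the periodic "start from the snapshot, patch, re-snapshot, merge the old one away" refresh, can be driven from the host with VirtualBox's command-line tool instead of the GUI. The following is an added example, not the author's own setup: the VM name `Win10-browse` and the snapshot names are assumptions, and the `VBoxManage` subcommands used (`snapshot restore|take|delete`, `startvm`, `modifyvm --clipboard-mode`) are the real ones from the VirtualBox CLI (the clipboard flag is spelled this way from 6.1 on). Plans are built as argument lists and run through an injectable runner so they can be inspected or dry-run before anything is executed.

```python
"""Scripting the VirtualBox snapshot routine from the host (constructed example)."""
import subprocess
from typing import Callable, List, Optional

Cmd = List[str]

VM = "Win10-browse"        # assumed VM name
CLEAN = "clean-browser"    # assumed name of the known-good snapshot


def vbox(*args: str) -> Cmd:
    return ["VBoxManage", *args]


def lockdown(vm: str = VM) -> List[Cmd]:
    """Match the post's sharing policy: clipboard host->guest only, nothing shared back."""
    return [vbox("modifyvm", vm, "--clipboard-mode", "hosttoguest")]


def browse_session(vm: str = VM, snapshot: str = CLEAN) -> List[Cmd]:
    """Throw away whatever the last session left behind, then boot from the clean state.

    `snapshot restore` needs the VM powered off (or saved); restoring an online
    snapshot brings it back with the browser already open, as in the post.
    """
    return [
        vbox("snapshot", vm, "restore", snapshot),
        vbox("startvm", vm, "--type", "gui"),
    ]


def refresh_snapshot(vm: str = VM, old: str = CLEAN, new: str = "clean-browser-2") -> List[Cmd]:
    """Second half of the update cycle, run after the guest has been patched.

    Taking a snapshot while the VM is running also captures memory, so the new
    baseline boots straight into the ready state. Deleting the old snapshot is
    what VirtualBox calls merging it away: its blocks fold into the new chain.
    """
    return [
        vbox("snapshot", vm, "take", new),
        vbox("snapshot", vm, "delete", old),
    ]


def run_plan(plan: List[Cmd], runner: Optional[Callable[[Cmd], object]] = None) -> List[Cmd]:
    """Execute each command in order; a custom runner allows dry runs and testing."""
    if runner is None:
        runner = lambda cmd: subprocess.run(cmd, check=True)
    executed = []
    for cmd in plan:
        runner(cmd)
        executed.append(cmd)
    return executed


def dry_run(plan: List[Cmd]) -> List[str]:
    """Render the plan as shell-style lines without executing anything."""
    return [" ".join(cmd) for cmd in run_plan(plan, runner=lambda cmd: None)]


if __name__ == "__main__":
    for line in dry_run(lockdown() + browse_session()):
        print(line)
    # After installing updates inside the running guest:
    for line in dry_run(refresh_snapshot()):
        print(line)
```

The refresh is deliberately split: `browse_session()` gets you into the clean guest, the patching itself is done interactively inside Windows, and only then does `refresh_snapshot()` take the new baseline and delete the old one. Renaming the new snapshot back to the standing name, or parameterising `CLEAN`, keeps the browse routine pointing at whichever baseline is current.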

I tried watching YouTube videos: sound and movement were slightly and annoyingly out of sync.

UPDATE: Mint loads in about half the time.

3 comments:

Assistant Village Idiot said...

I had not known that recipe sites were notorious for infection. Hmm.

I don't use repair sites much, but I have occasionally.

Anonymous said...

LOL. Where to start. I was involved in network wars way back when they were fun, and my servers that were attacked, rather poorly, ended up hosting accounts I gave the attackers, after taking some of their stuff. Keep your enemies etc etc.

My Linux systems are not in any danger and my win10 system is just fine after 2 years of no virus protection whatsoever. It may be the case that virus protection is one vector, used by some to use your system.

I don't care who knows whatever about me, and am prepared to take everything to the metal to repair whatever I might need to. I have sat cackling as a win7 system melted down as I watched its pitiful death messages ... till I realized we were still online and pulled the plug. ;)

I use Virtualbox to host my car manuals and it does a great job. I would not expect it to protect me from anything much, so I'm not sure what advantage you think it brings to the table.

james said...

Disposability, of course. The equivalent of "taking things down to the metal."

AVI, I assume that the best known sites are kept more or less clean--though they'd be attacked more often. But if I'm searching for an uncommon manual, or obscure recipe, Google may not send me to those. I think those may be the ones that drive the bad reputations.

FWIW, I haven't been infected by much of anything, but I can't say the same about a couple of other family members, who have needed my tech support to clean up. I've been hoping for some more bullet-proof browsing schemes. Unfortunately, one of the things they often want to do is download stuff, and there's a little conflict between security and convenience.