[tor-talk] Is there a way to use internet in a sandbox environment? (Linux)

grarpamp grarpamp at gmail.com
Fri Mar 29 14:28:54 PDT 2019


On 3/29/19, npdflr <npdflr at zoho.com> wrote:
> I am giving a scenario: (Devices: PC Hard Disk having important files for
> offline use, USB Device for data transfer and Mobile Device which has
> internet connection)
>
> 1. I have a hard disk that is offline (Linux OS).
> 2. I use a mobile device for internet, gather some data and transfer that to
> a usb device (via OTG).
> 3. I have to mount the usb device to the hard disk since I need the gathered
> data.
> 4. Give read and write permission to the usb.
> 5. I copy the gathered data from usb to the hard disk. Use/process the data
> as per needs.
> 6. I write some data back to the usb if needed.
> 7. Connect usb to the mobile device if needed.
>
> Data from mobile --> usb --> Hard disk
> Data from Hard disk --> usb --> Mobile
>
> How do I make sure that only the hard disk can read and write to the usb
> device and prevent the usb to read/write any hard disk data so that the
> files on the hard disk are always safe?

Search "BadUSB", "HDDHack", etc.

Excepting the direct hardware to hardware hacks
that bypass the OS entirely, such as read write
address space via hardware interfaces (firewire, pci-usb, etc),
the latest memory and cache exploits etc, perhaps put or left
in the HW by spies since there are no...

#OpenFabs , #OpenHW , #OpenSW , #OpenDev , #OpenBiz , #OpenAudits , etc

to help improve and defeat that...


Today's kernels still don't provide any sort of storage
block device command firmware update opcode filtering
that could help prevent implantation of firmware exploits.

Many OS still allow unprivileged users raw access
to portable devices.

Then filesystem hierarchy access control schemes,
and install and boot infrastructures, are also cumbersome
or impossible to protect from user, root, or physical level access.

To the extent CD-R, DVD-R, and tape "specifications"
are just blocks with no firmware being plugged across
the gap, and if no "media updates firmware" capabilities,
those, or even serial and parallel port transfers, could be
more secure than USB.

But since it's not open, you never really know.

People need to start doing those #Open*
things above before they can start to have
even the slightest bit of trust in systems.
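
An added example, not part of the original post: a small Linux audit for the point above about unprivileged raw access to portable devices. It lists removable block devices whose device node is readable or writable by anyone other than root. The function names and the choice of gid 0 as the only trusted group are assumptions of this example.

```python
import glob
import os
import stat

def raw_access_findings(mode, gid, trusted_gids=(0,)):
    """Reasons a block node with this st_mode/st_gid is open to non-root users."""
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    # Group bits only matter when the owning group is not a trusted one.
    if gid not in trusted_gids:
        if mode & stat.S_IRGRP:
            findings.append(f"readable by gid {gid}")
        if mode & stat.S_IWGRP:
            findings.append(f"writable by gid {gid}")
    return findings

def audit_removable(sys_block="/sys/block", dev="/dev"):
    """Map each removable block device name to its raw-access findings."""
    report = {}
    for entry in sorted(glob.glob(os.path.join(sys_block, "*"))):
        name = os.path.basename(entry)
        try:
            # The kernel exposes "1" here for media it considers removable.
            with open(os.path.join(entry, "removable")) as fh:
                removable = fh.read().strip() == "1"
            st = os.stat(os.path.join(dev, name))
        except OSError:
            continue  # device vanished or has no node under dev
        if removable and stat.S_ISBLK(st.st_mode):
            findings = raw_access_findings(st.st_mode, st.st_gid)
            if findings:
                report[name] = findings
    return report

if __name__ == "__main__":
    # Limitation: only mode bits are checked; POSIX ACLs granted to the
    # logged-in user (e.g. by udev/logind) are not visible here.
    for name, findings in audit_removable().items():
        print(f"/dev/{name}: {', '.join(findings)}")
```

USB hard disks usually report `removable` as 0, so an empty result does not cover every portable device.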


More information about the cypherpunks mailing list