25 replies to this topic

[NeverDie]

I've been quite impressed with the speed of internet web browsing using Chrome on a low-end (~$150 just recently) Windows 8.1 Zbox PC (http://www.newegg.co....-045-_-Product). It's at least as fast (maybe faster) at browsing as my Alienware i7 laptop, which runs Windows 7 Ultimate and has 24GB of memory. The Alienware i7 is a year old, so maybe the piling of Microsoft/ESET/who-knows-what updates have taken a toll. Both the Zbox and the i7 laptop have SSD's, but the i7 is also running ESET Internet Security, whereas the zbox is not. In fact, so far, while testing out the zbox, I haven't bothered with adding extra internet security, because I'm going to wipe it soon anyway. It's got me thinking: what's the fastest secure setup for internet browsing that doesn't cramp functionality? Ideas might be:

1. Stay the course: use the z-box as a Windows 8.1 PC but just add a typical software internet security package. I have doubts as to how secure this would be, and I also have doubts that it will remain fast over time, especially as more and more Microsoft updates get installed,
2. Chrome on Linux. Is that sufficiently secure by itself, or is more protection needed?
3. A Chromebox. Maybe powerwash it every night? e.g. ASUS has several Chromebox's with strongly positive reviews right now in the $150-205 range, such as http://www.amazon.co....asus chromebox
4. Run Chrome on a VM that gets completely wiped and rebuilt as often as you like so as to eradicate any malware that might creep in while browsing.
5. Similar to #4 but without the VM: reboot and re-install a baseline image, thereby destroying any malware acquired since the last major wipe.
6.  Run everything from volatile memory (e.g. by using Puppy Linux or equivalent).  Then after a simple reboot, everything's as fresh as brand new--i.e. guaranteed zero residual presence. It could boot from a write protected SD card, a CD-ROM, or do a net-boot.
7. Other ideas?

 

I wouldn't be surprised if the best answer isn't even on the above list.

Edited by NeverDie, 19 March 2015 - 12:47 AM.

[Work2Play]

In this situation, who's doing the browsing?  If it's kids then they may not need the full functionality (ability to run ActiveX controls, admin privileges on the PC, etc) or you?  My wife and I haven't been hit with malware in years because we either avoid the gambling/dating/porn/warez sites, or we're at least careful about what we click on!  Kids and novices on the other hand always screw things up...

 

I think this is why a lot of people are ending up on Macs these days - most of these problems are just irrelevant to Mac users.  I've only had one come across my desk (and it was probably porn related).  

 

My kids are young - but when they get a little older and start using computers on their own, we plan to do a separate wireless SSID just for them - they won't know the password to the grown up one... and it'll have URL filtering to control what they have access to as well as time restrictions.  This should stop a large amount of the problems.  The whole premise with a lot of the security appliances these days is not so much about trying to run protection on every single machine, but instead to catch it at the network's edge before it reaches the PC.  

[NeverDie]

Just ran across something which claims to be a "secure hardware browser" that you boot from a USB port. Too bad it self limits to just 30 minutes per use:

 

http://www.amazon.co....secure browser

 

On the plus side it suggests there's some merit to the question I asked in the OP. Perhaps there's an equally good live linux boot .iso I could use for free?

Meanwhile, I found a USB flash drive with a hardware write-protect switch. If Chrome OS works with the switch engaged, then that will give me confidence that it works in a read-only manner:

 

http://www.amazon.co....=AVM1Z79WGIB6T

I ordered it, but it won't arrive until Monday.  Meanwhile, I think I'll just test the idea with a CD-ROM.  Not as quick, but cheap.

Edited by NeverDie, 02 January 2015 - 03:18 PM.

[NeverDie]

Looks as though there are a number of Linux security distros that offer live boot and address, to varying degrees, the concerns listed above.  Anyone here been down this road before and care to recommend some?  I've barely scratched the surface, but, for example, Qubes or Kali seem like they could have relevance:  http://lifehacker.co...-qub-1658139404

[NeverDie]

Interesting review of ZeusGard, but even more interesting are all the hacker comments which follow it about the Zeusgard approach:  http://krebsonsecuri...comment-page-1/

 

I'm sure the ZeusGard is better than nothing, but since it is allegedly read-only and therefore can't be updated, any security holes that are subsequently discovered regarding either that version of Debian it's running or that browser version, there'd allegedly be no way to patch it.

Edited by NeverDie, 02 January 2015 - 06:30 PM.

[video321]

I'd go the virtual machine route as long as you have the hardware for it (mostly just need enough RAM.) You can run a linux appliance and have it reset on power off.

[Work2Play]

There's a lot of information out there about making secure Windows kiosks for schools and other environments that reset back to their base every time you reboot them.  You can occasionally do your updates then lock them again.

 

All feels like overkill to me.  I guess in my house, my wife now does most of her web browsing on her iPad which is basically immune.

[NeverDie]

I hadn't realized it until just now, but allegedly Windows 8.1 Pro comes with Hyper-V already inside it:  http://technet.micro...y/hh857623.aspx

I imagine that should make creating an isolated windows vm fairly easy. You can even run a "guest operating system" such as Linux within it.  Allegedly Hyper-V is also in Windows 10 Technical Preview, so that would be another (free) way to try it out.

[NeverDie]

There's a lot of information out there about making secure Windows kiosks for schools and other environments that reset back to their base every time you reboot them.  You can occasionally do your updates then lock them again.

 

All feels like overkill to me.  I guess in my house, my wife now does most of her web browsing on her iPad which is basically immune.

There's a Linux distro called something like "Internet Browser Kiosk".  That's all it does.  Suposedly running a very stripped down distro would also have fewer flaws that could be exploited.

 

My gut tells me that running an uncommon OS together with an uncommon browser has the extra benefit of making you a smaller target.  i.e. your wife's implicit strategy with the iPad

 

Mostly though, you won't know that you have the malware even if you do, unless it's amature to begin with.  It tries to be invisible and just watch for passwords and such.  The anti-virus tests show consumer grade anti-virus only picks up about 70% of what's out there.  So, y ou could be harboring the other 30% right now and not even know it..

[Work2Play]

Mostly though, you won't know that you have the malware even if you do, unless it's amature to begin with.  It tries to be invisible and just watch for passwords and such.  The anti-virus tests show consumer grade anti-virus only picks up about 70% of what's out there.  So, y ou could be harboring the other 30% right now and not even know it..

Yeah - there's a reason I said nothing about using good antivirus software... I haven't found such a thing yet.  Remember I run IT Departments for a living so I come across this junk all the time and people always ask "why didn't the antivirus software catch it" - and the answer is that people are making new variants every hour - they only get detected by the antivirus software if they're big enough to have been caught and analyzed but millions of variants are out there every day that never get picked up.

 

I've been doing this long enough that most of the time, I can look at all the running processes, plugins, and BHOs and know which ones belong and which ones don't - this helps me when I get stuck helping other people clean up their viruses.

[LarrylLix]

Microsoft Security Essentials has been the best over the years as it is updated once and sometime twice per day. I have tried tonnes (about 2200#) of other antivirus packages in the last 30 years and they all get caught occasionally. Norton 360 was the worst virus I have ever caught and I had to re-partition my HDD and start from scratch to get rid of it. To add insult to injury I even installed it voluntarily. Now the pricks have stopped it working on Win XP and Win 8. Maybe too much anti-competition flak but they probably had to get their visible costs to run a Win system down and put the av manufacturers in their places for a while.

 

Strange my son never runs antivirus software for the last 18 years and has never caught a virus yet with downloads and trying ever POS software he finds out there. I did run that way for a few years and found a similar experience although when you get hit, it's bad.

[NeverDie]

I did try the Chrome OS, but it looks as though google doesn't really make it available directly anymore.  The image that's available through some European company is over a year old.  It might be different if you're on an actual chromebox instead of just downloading the software.

 

Anyhow, the boot-up time is a real impediment to use.  Also, the chrome (in the Vanilla distro that I downloaded) doesn't seem to be upgradeable to current Chrome releases, so that's an unfavorable a security hole.

 

Also tried puppy linux.  Once booted it's very fast, but it was 40-50 seconds to boot it from a usb 3.0 flash drive.  It's nonstandard linux using a non-standard browser.  I could imagine using it, but I think my wife would probably dislike the unfamiliarity of it.

 

I tried Mint, but I didn't see anything special about it.

 

I'll try out Chrome on Ubuntu (should offer easier/better installation and I'm hoping  updatability) too.  If that doesn't click, then I'll probably look into the Virtual Machine solutions.

[NeverDie]

I'm finding that with the advent of UEFI, there's a significant increase in hassle involved in switching between a boot USB drive and Windows 8.1.   I have to toggle "legacy"mode to boot from the USB, and I have to toggle-on UEFI before booting Windows 8.1.  It may actually  tilt the balance in favor of doing virtual machines....

[Work2Play]

LarryILix - Too true.. Norton 360 is awful - and so are the other old go-to's like Kaspersky and AVG - nowadays they're worse than the average virus!!  

 

I run without AV protection and have for the last 10+ years - though I wouldn't let anyone I care about do that (probably because I'd get stuck cleaning up their messes!).. but MSE is as good as any paid software these days, and its free.

[pete_c]

Here I have switched a bit (depends on which laptop / computer I am using) to just using a 64bit computer and now Ubuntu 14.04 Firefox.  It seems a bit faster.  That though and typically only go to a few forums and google searches.

 

I have now added Ghostery and Adblock Plus to my Firefox browser.  Never use Chrome here and only sometimes utilize IE.

 

Windows 8 and above is chatty and I have gone to a custom 8.1 which is closer to Windows 10 these days....but its still chatty.

 

It's totally very light using only about 4-6Gb of space these days.

 

Neighbors went to using Mac laptops.  Initially they would trash Wintel laptops in less than 6 months.  It has been the same for them using Mac laptops from what I have seen.   I have one and typically its off; but that is me.

 

Tablets are even more chatty; but you don't see it.  I shut mine off when I am not using them.

 

The assumption typically is that if you don't see the chatty pieces then its fine. 

 

Its been years now that I also utilize Tor (Onion Router) and Tails.  Tails off a boot stick is very fast for me.

 

 

 

This is kind of a regression in web surfing which provides you mostly text without the eye candy (well that really depends on what is defined as functionality though).