Secure Internetting with Fusion or Workstation

Hi folks! This one is a bit of a writeup… Talking about security and how to use Fusion to keep you and your family safe online, but bear with me because the context is pretty important with respect to the solutions you have to choose from.

Browsing the web nowadays is not the same as it used to be, by a long shot. Between ads being shoved into every crevice of white-space on pages (which you’ll notice is not the case on this blog ;), to potential man-in-the-middle attack-based information siphoning from WiFi hotspots, to the <insert 3-letter-agency-here> snooping on, well who knows what, the Internet today has evolved into something of a mess.

There’s some amazing stuff out there still, and so we, as an Internet-addicted society, have reached a place with an always-online presence and our every click (and more) being tracked mostly for the purpose of trying to sell you something.

It gets crazier with mobile devices in the mix, letting advertisers create persona profiles based off the browsing habits across all our devices. Check out something on Amazon on your iPhone, and go back to Facebook and see an ad for the very thing you were just looking at. What a time to be alive.

In some ways this is amazing. In others, it’s very creepy. It can be amazing because you only get “spammed” with stuff that is more likely to matter to you. Creepy because ‘they’ know what that is and will market to you accordingly.

Personally, we’ve had chances to get our (VMware Fusion and Workstation) ads placed with those ‘sponsored links’ you see at the bottom of some blogs (but not this one of course!), but frankly it’s not something I would ever consider doing for our products. It crosses a line that I’m not willing to cross.

Add to all of that the fact that people spend more time online and do more online than ever before. Shopping, taxes,

All of this points to one important thought however: protecting oneself online is more important than ever.

So, why am I writing this? Well, I’ve found that using Fusion or Workstation can be very helpful in masking one’s identity online and keeping your main system safe and secure while you browse the wide open, and untrusted, Internet. (And yes, I still use a capital I because it’s a place.)

So, for the rest of this blog we’ll look at how you can use Fusion (and by extension Workstation) to protect you when wading through the wild wild west that is The Internet. (Capital ‘I’ intentional, it is a place after all 😉)

Background

Fusion (and Workstation) isolates the operating system it’s running (the ‘Guest’ OS) from the OS on the main computer it’s running on (the ‘Host’ OS) in such a way that app behaviour is limited to that guest.

In plain English, and in this context, it means that any ‘virus’ that gets into a VM is stuck there and can’t mess up the main system. This could be great if you have kids, for instance, who can get pretty random with their clicks, and you want to make sure the system stays secure. My nephew, aged 7, seems to know how to drive a Mac pretty well, but sometimes the Internet gets the best of him and he’s lambasted with popups about poker and online casinos. It worried me because there is sensitive data on that machine… He uses his grandparents’ Mac, so they probably have credit card info, email history, etc., that they want to keep safe.

What I did for his grandparents (my parents) is build a secure VM that he can play in that will always go back to the way it came when he’s finished.

I certainly don’t want to have to go back and constantly fix things, so this is a handy and automatic way to always go ‘back to square 1’.

Imagine… rather than having to uninstall a ton of stuff and worry about the system being compromised all the time, or just giving up and saying ‘who cares’, imagine instead having a secure desktop that would always be the same when you brought it up, connecting to the Internet completely encrypted. Each time it powers off, everything that happened since it was powered on last is trashed and completely burned away when you fire up the VM the next time.

So, I’m going to discuss 3 solutions for 2 use cases here. Two to keep the kids browsing safe, and another that keeps your browsing completely private and anonymous.

 

For the kids:

A simple solution if you already have a Windows virtual machine: Clone it! (or make a copy if you don’t have Fusion Pro or Workstation Pro)

Here’s what we’re saying:

  • Take an existing VM (Win 7 is a good choice, less ‘auto-updatey’, but making a new OS X VM isn’t a bad idea either)
  • Make a copy in Finder or do a Linked Clone if you have Fusion Pro or Workstation Pro
  • Set up the VM as you want for the kids’ uses
    • Uninstall as much unnecessary software as possible leaving only what they need
    • Keep any locally installed games, etc, of course
    • Install a security-focused browser such as:
    • Have a limited user account for the kids (and maintain the Admin account yourself)
    • Make sure there’s some Anti-Virus running (Windows malware detectors are ‘good enough’ these days, but I’m a big fan of Panda Cloud AV: http://pandasecurity.com/)

Once you have the system in a place where they can get at their favourite game or website and it all works nice, you can ‘save this point in time’ in a couple of ways.

#1: You can use a ‘Snapshot’ to easily create a roll back point that you would manually roll back to in case something goes wrong.

Read more about how to use snapshots here:

https://pubs.vmware.com/fusion-7/index.jsp?topic=%2Fcom.vmware.fusion.help.doc%2FGUID-4C90933D-A31F-4A56-B5CA-58D3AE6E93CF.html

OR

#2: You can set the VM to be ‘Non-Persistent’ which means every time it shuts down it will forget literally everything that happened since it started. 

The Non-Persistent option is a little more hard core and requires some editing of the config file to add a value that we don’t bring into the main UI.

  • Shut down (NOT suspend) your virtual machine
  • Edit the .vmx configuration file:
    • Right-click the VM from the VM Library Window
    • Hold down the ‘Option’ key on your keyboard
    • You should see an option change to ‘Open config file in editor’… click that
    • This should bring up TextEdit (or whatever your default text editor of choice is).
  • Search through until you find the line containing the name of the virtual disk (“Virtual Disk.vmdk”) which you want to make non-persistent. It should look something like:
    scsi0:1.fileName = "Virtual Disk.vmdk"
    

    (Though it might be ide0:0, or the bus numbers might be different)

  • Below that line, add the following:
    scsi0:1.mode = "independent-nonpersistent"
    

    Make sure to match the bus description. So if your device is ide0:0 you’d write ide0:0.mode

  • Save the file, then quit and relaunch VMware Fusion.

To test it, bring up the VM’s desktop… create a new notepad file (doesn’t matter what’s in it)… save it to the desktop and power off the VM.

When the VM powers back up, that file should be gone, like it never happened in the first place.
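
The same .vmx edit can be scripted. The sketch below is an added example, not code from the post or from VMware: the function names are hypothetical and the sample .vmx text is constructed. It finds each virtual disk's fileName line, writes the .mode line for the matching bus directly below it, and reports the mode each disk ends up with.

```python
import re
# Matches a virtual-disk line such as:  scsi0:1.fileName = "Virtual Disk.vmdk"
# (bus may also be ide, sata or nvme; CD-ROM .iso entries do not match)
DISK_RE = re.compile(
    r'^\s*((?:scsi|ide|sata|nvme)\d+:\d+)\.fileName\s*=\s*"([^"]*\.vmdk)"\s*$', re.I)
MODE = "independent-nonpersistent"

def mode_key_device(line):
    """Return the lower-cased device of a '<device>.mode = ...' line, else None."""
    key = line.split("=", 1)[0].strip().lower()
    return key[:-len(".mode")] if key.endswith(".mode") else None

def make_nonpersistent(vmx_text, disk_name=None):
    """Return (new_text, devices); the mode line reuses the fileName line's bus.
    disk_name=None selects every .vmdk disk."""
    lines = vmx_text.splitlines()
    targets = {m.group(1).lower() for m in map(DISK_RE.match, lines)
               if m and disk_name in (None, m.group(2))}
    out, devices = [], []
    for line in lines:
        if mode_key_device(line) in targets:
            continue  # drop any existing mode line; it is re-added below
        out.append(line)
        m = DISK_RE.match(line)
        if m and m.group(1).lower() in targets:
            out.append(f'{m.group(1)}.mode = "{MODE}"')
            devices.append(m.group(1))
    return "\n".join(out) + "\n", devices

def disk_modes(vmx_text):
    """Map each virtual disk device to its configured mode (None if unset)."""
    modes = {}
    for line in vmx_text.splitlines():
        dev = mode_key_device(line)
        if dev:
            modes[dev] = line.split("=", 1)[1].strip().strip('"')
    return {m.group(1): modes.get(m.group(1).lower())
            for m in map(DISK_RE.match, vmx_text.splitlines()) if m}

# Constructed sample .vmx content (not from a real VM).
SAMPLE_VMX = '''\
displayName = "Kids VM"
scsi0:1.fileName = "Virtual Disk.vmdk"
ide0:0.fileName = "Scratch.vmdk"
ide0:0.mode = "persistent"
ide1:0.fileName = "installer.iso"
'''

if __name__ == "__main__":
    print(make_nonpersistent(SAMPLE_VMX, "Virtual Disk.vmdk")[0])
```

As with the manual steps, run it against the .vmx only while the VM is shut down, and keep a copy of the original file so you can switch back.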

 

For the privacy-conscious

It’s not paranoia if they’re actually out to get you, or so they say. (and just who are THEY anyway??!?). Cover your tracks by using a purpose-built anonymous OS like Tails.

From their website:

“Tails is a live operating system, that you can start on almost any computer from a DVD, USB stick, or SD card. It aims at preserving your privacy and anonymity, and helps you to:

  • use the Internet anonymously and circumvent censorship;
    • all connections to the Internet are forced to go through the Tor network;
  • leave no trace on the computer you are using unless you ask it explicitly;
  • Use state-of-the-art cryptographic tools to encrypt your files, emails and instant messaging.”

So it’s designed to really be used on physical computers, but who has the inclination to reboot all the time just to be more secure?

An easier way? Run it as a virtual machine of course!

Now they claim on their site that Fusion can’t be trusted because we’re proprietary. I kinda despise that attitude, but I get where they’re coming from. Just because you can’t read an app’s source code doesn’t automatically make it malicious or ‘un-trustworthy’, and we are certainly not in the business of violating our users’ trust.

The thing about running a live CD as a virtual machine is that it’s pretty easy. No real installation to go through, and it does the same thing as the ‘non-persistent’ disk mode that I mentioned earlier… it brings the OS back to ‘square 1’ every time it boots.  Simply boot from the .ISO file attached, and you’re done.

To run Tails as a VM, the process is easy:

  • Download the latest .iso from here: https://tails.boum.org
  • Create a new VM
    • Set OS Type to Debian 8 (32bit, not 64)
    • Set RAM, CPU to reasonable levels (I use 2CPU and 2GB of RAM personally, it’s probably overkill and 1CPU x 1GB is likely enough)
    • Default Disk size is enough, but it actually doesn’t matter because nothing gets written to disk anyway.
    • Select the .ISO to install from and ‘Finish’ the installation
  • When it first boots up it will ask for ‘Live’ or ‘Live – Failsafe’… If you do nothing it defaults to Live within 5 seconds and continues to boot.

Everything boots up just fine, and there’s a quick dialogue at the beginning asking if you want to customize more options, but you don’t need to do that to get running securely. No tools to install, no other steps. Just boot and you’re in a safe place.

Now Tails complains that we’re not a ‘trusted’ solution because we are a ‘non-free’ application, but I think that’s entirely wrong. Sure people pay us money and our software is closed, but if 95% of the world’s Fortune 100 and 85% of the world’s Fortune 500 use the VMware hypervisor in their most mission critical environments, I’m pretty confident it’s safe for your private browsing needs. You’re welcome to packet sniff and capture our telemetry data to see what we’re really doing… I promise you it’s boring, it’s 100% anonymous, and you can opt-in or out at any time. It’s super helpful for us to know what folks are doing with their copies of Fusion to a degree, but if you don’t opt in we never know about your setup. For instance, we made the decision to cut Unity for Linux guests because our telemetry data shows that represents <0.5% of users. We did hear a lot of complaints about that, but I suspect those users aren’t sending us any telemetry data… So maybe there’s actually 5% of users with Linux VMs, but we can only make decisions based on the data we have, and we just never know.

 

So that’s the long and short of it… there are ways to protect your kids and family online by making a nice roll-back point for your virtual machines or by setting the VM to be ‘Non-Persistent’, and you can protect your privacy online by running an anonymizing, ‘amnesiac’ OS like Tails in a virtual machine.

 

Have a different solution? Let me know in the comments!