Safe web browsing on Windows XP (Linux sandbox overview)

Discussion in 'Windows XP Security' started by Sixthofmay, Jan 14, 2018.

  1. Sixthofmay

    Laugh please... the subject is oxymoronic-funny.

    Any version of Windows has been unsafe for general web browsing for like 4 years now. Known safe sites- those having no third party ads are ok, the rest (most of the internet) are not safe. Which means you WILL get a virus eventually if you don't pre-determine with Linux or a Mac which sites are safe. I've gotten them from Staples.com, Newegg.com, UltraVNC (their site has been hijacked for several years). Most of the file sharing sites and free TV/movie sites have viruses in their ads, not to mention the content generally isn't legal. Amazon and Youtube have some currently safe third party ads, but you are still taking a risk visiting those from XP or any version of Windows. Antivirus protection can prevent an infection, but only if the engine detects the virus. A zero day encryption (ransomware) virus can totally ruin your PC, data and potentially all PCs and data on your network.

    Multiple offline backups of your important data are no longer optional- I use an old version of xxcopy on Win2000 to work around the ridiculously expensive licensing of the newer versions when accessing networked drives. The data from each PC is copied onto an internal 10TB drive on one of my Win7 boxes, then I have multiple external 10TB drives to clone the internal 10TB drive to. I know about Robocopy and other backup programs. Wasted 2 months with Robocopy scripts not doing what I wanted. FastCopy freezes every Win7 box it was tried on (requiring a power cycle and Acronis recovery, chkdsks be done).

    The safest Windows web browsing solution I know of is Google Chrome on Windows 10, with a realtime antivirus software running (MSSE is fine). Zero day threats are still a risk though. Windows 10 has the Windows 10 "experience" aka horror show, 500GB Acronis images, what?!?, slow no matter how fast your hardware is, no proper 2D GDI video acceleration, not much works properly... etc. And Classic Shell (sourceforge) is no savior. I wouldn't wish this OS on my worst enemy.

    There is a solution for XP SP3 32bit. Minimum requirements- Core2Duo with VT enabled and 8GB RAM. One pagefile.sys on a RAMDisk using RAM XP cannot see (unmanaged RAM).

    I tried several Linux flavors on VMWare Player virtual machine (and real hardware too). Ubuntu and Debian have issues.. I don't know why they are hyped, wasted way too much time trying to get anything to work... horrid desktops lacking basic features... then I tried Linux Mint 17.3. Wow... with just a few tweaks, looks much like XP or Win7 in Classic mode. Powerful start menu with applications to tweak (or break) anything. And it runs Firefox and/or Chrome with everything working but DRM audio/video. Non DRM video is fine- fullscreen Youtube plays at 30FPS. Plus with running in a virtual machine, you can create Acronis style snapshots just by shutting down the VM and copying with Windows Explorer the VM's folder to another folder (have the date and PC name in the folder name and copy to a different drive for max speed as the folder can be 30GB). If you break the VM, delete the VM folder and copy your backup to the same place.

    Moving the VM to another PC is trivial. Install VMWare Player, copy the VM folder to it, and import the VM (you do need to be careful to not start the old VM; you can change the network name on one of them to avoid conflicts).

    I found 1 to 1.2GB for the Linux Mint VM seems to be the best compromise for VMed Firefox speed and XP available RAM and commit charge. You can run the VM with more RAM for even faster VMed Firefox performance, but then you can do less in XP before running out of RAM or forcing another pagefile be created somewhere. As I run one 5GB pagefile.sys on a 5GB Superspeed RAMDisk, I try to keep commit under 5GB or else XP will create another on one of my SSDs and greatly slow down the PC.

    VMWare Player has Unity mode which makes Linux applications appear on the host OS (XP) taskbar. You wouldn't know it's running on a different OS unless you select it- window outline glows, or save a file from it and you'll get the Linux file system. That's right, you can have Firefox running on Linux, but it appears on the XP taskbar and appears to be a native XP app. Brilliant, but I prefer to just run Linux normally (Unity disabled), and have Firefox run inside the Linux VM window. As with XP, you can have multiple Firefox profiles and a custom shortcut to start each.

    Linux does have a steep learning curve, especially doing stuff from the command line. Use Linux Mint for your sanity. Learning VMWare Player and its config file is somewhat painful. The config file commands for VMWare Workstation generally also work in VMWare Player. Make sure to install the VMWare Tools for the 2D video acceleration.

    Disable the guid.vmem file. This is the VM's pagefile Linux uses. Even though I used it on a SSD, SSDs are horrible at writing data in small chunks. Spinning disk is probably faster... The solution is to disable the VM's physical pagefile (add to the VM's config file):
    mainMem.useNamedFile = "FALSE"
    from:
    http://www.artykul8.com/2012/06/vmware-performance-enhancing/

    The VM then reverts to its backup mode which is a virtual swap file kept in RAM which is presented to Linux (thus Linux still has a swap file, but it's not on physical disk). I was hoping the virtual swap file is paged out eventually, but from running XP's task manager and watching the vmware-vmx.exe process paging delta while copying a few GB of files, it looks like it's locked (not good... as it limits the number of VMs and apps I can run).

    If anyone has experience with this solution using Virtual Box, please post how well it works, and any special tweaks you had to do to the VM. Last time I tried Virtual Box (2010) it was very slow compared to VMWare's products.

    Set up Samba SMB networking on Linux (fun.. not) and map a drive to your Linux box. Use that to share stuff.

    If you haven't put your XP pagefile.sys on a RAMDisk, do so, as your commit charge will be well into the range (above 1.5GB commit) that any disk IO forces app data to the pagefile. Setting this up is not trivial.... and is several threads of reading on various gaming forums. There are other RAMDisks that support using unmanaged RAM and a pagefile on XP. I haven't tried any of them yet, and use Superspeed RamdiskPlus v11.5.390.0 32bit. Any newer version I wasn't able to get the tweak working. It took 3 weeks, many emails, and hours on the phone with Superspeed's staff to get a working license file for that version for the second box I set up with this tweak... (first box was set up in 2011 when that was the current version) I'd advise you to research the other RAMDisks first. I'll start a thread here on the tweak at some point.

    Note I ran this setup on another XP PC (also with 5GB pagefile and 5GB RAMDisk) for 1.5 years and used VNC to bring the desktops (I had 2) to my XP box. I had to create 2 programs with Lazarus to make the clipboard work properly and run an audio cable from the box to my soundcard to get sound. I gave the VM 2GB, but performance was subpar to local. Could do maybe 5FPS on a full screen Youtube vid. VNC just can't handle 30FPS full screen compression. Windowed Youtube vids were ok, but best performance is to run the VM local. Plus it is totally non-trivial to get VNC with a working clipboard on Linux Mint... wasted 3 months there... I did try some other desktop sharing program that had much easier set up, working clipboard, and better performance, but it used mpeg compression with visible artifacts and the killer was each connection used like 1GB on XP. VNC uses 5 to 9MB per connection on XP and lossless video compression. I have 8 VNC connections open now (8 other physical PCs running), so RAM usage per connection is a key metric for me.

    Note that DRM content does NOT work on Linux... even with the latest Flash DRM module installed. After some researching, there's a feud going on between Adobe, Mozilla, Google, Linux... Adobe refuses to allow DRM content to work on Linux (if someone has a solution, please post).... so I use a Windows 7 box with Google Chrome to watch those streams (despite the security risk). There is MSSE with realtime protection on that box. I do load the page in Linux first to see the risk. If I see no obviously unsafe 3rd party ads and it is not on one of the file sharing domains, I proceed to open the website on Windows 7. If the video needs to be watched fullscreen, I'll have to disconnect VNC and go over to that PC (it's in another room).

    Once you get your Linux VM running with Firefox and/or Chrome, pat yourself on the back and enjoy safe web browsing on XP. Linux is the ultimate web browser sandbox.

    Note there are still some rarely used security exploits with older Firefox versions (pre v57) on Linux, but with some Googling you can fix them (I forget the name of the app you need to install on Linux).

    This solution works but comes with a cost of using about 1.2GB of the ~3GB RAM visible to the OS. It appears to be locked RAM (not able to be paged out). The point of my first test using a separate PC and VNC was to avoid this locked RAM cost. If I could get that working with 30FPS full screen video over VNC (or a different lossless desktop sharing program) I'd be most happy.

    The other cost is Firefox performance. It is slower than native XP. Oh well. At least it's not sucking a bazillion User and GDI objects. I haven't used Chrome on Windows or Linux enough yet to give a relative performance comparison to Firefox. And I'm avoiding FF57 for the moment due to some legacy plugins I still use that are not available on FF57 (Classic Theme Restorer, Mozilla Archive Format, Session Manager).
     
    Sixthofmay, Jan 14, 2018
    #1
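The folder-copy snapshot and restore described in post #1, sketched as an added example that is not part of the original thread or the poster's own tooling. The function names are hypothetical, and the check for `.lck` entries as a sign that the VM is still open is an assumption about how the VMWare folder looks while running; each copy is verified with a SHA-256 digest so a known-good image is confirmed before it is trusted for a rollback.

```python
import datetime
import hashlib
import os
import shutil
import socket

def vm_is_running(vm_dir):
    # VMware keeps *.lck entries in the VM folder while the VM is open
    # (a stale one can survive a crash and must be cleared by hand).
    return any(n.endswith(".lck") for n in os.listdir(vm_dir))

def tree_digest(root):
    # SHA-256 over every relative path and file body, in sorted order.
    h = hashlib.sha256()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            h.update(rel.encode("utf-8") + b"\0")
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
    return h.hexdigest()

def snapshot(vm_dir, backup_root, today=None):
    # Copy a powered-off VM folder to <name>_<pc>_<date> and verify it.
    if vm_is_running(vm_dir):
        raise RuntimeError("lock files present: shut the VM down first")
    today = today or datetime.date.today()
    vm_name = os.path.basename(os.path.normpath(vm_dir))
    dest = os.path.join(backup_root, "{}_{}_{}".format(
        vm_name, socket.gethostname(), today.isoformat()))
    shutil.copytree(vm_dir, dest)  # raises if dest exists: never overwrite
    if tree_digest(dest) != tree_digest(vm_dir):
        shutil.rmtree(dest)
        raise IOError("backup does not match the source folder")
    return dest

def restore(backup_dir, vm_dir):
    # Delete the broken VM folder and put the known-good copy in its place.
    if os.path.isdir(vm_dir):
        if vm_is_running(vm_dir):
            raise RuntimeError("lock files present: shut the VM down first")
        shutil.rmtree(vm_dir)
    shutil.copytree(backup_dir, vm_dir)
    return tree_digest(vm_dir) == tree_digest(backup_dir)
```
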

  2. Mike_Walsh

    By DRM audio/video I take it you mean the likes of NetFlix, Amazon Prime, Hulu, etc.? Don't take this the wrong way, but it sounds to me as though you're working with 'old' facts...

    (I admit it; I'm an ex-Windows user (though I never got beyond XP; used it for its entire lifetime, and by EOL in '14 was so fed up with it that I trashed Windows, dumped it overnight and jumped straight into the 'deep end' with Ubuntu 14.04 'Trusty Tahr' LTS.)

    Nowadays I've moved on, and am a staunch 'Puppy' Linux user; I run around 10 of the little beasties on an old 2004 Compaq desktop (pre-HP buyout, so of much higher quality.....and still going strong.))

    NetFlix runs fine under Linux. Has done so under Chrome since version 37 (and we're now on, what.....64?) Not only on Chrome, but the major Chromium-based 'clones' (SlimJet, Iron et al) also run it quite happily. FireFox took a long while to 'catch up', but even it now runs NetFlix content without issue. (Just tick the 'Play DRM content' box under 'Preferences'.)

    DRM is not Flash-based; what you should be using are the WideVine DRM modules:-

    http://www.widevine.com/supported_platforms.html

    https://en.wikipedia.org/wiki/Widevine

    So long as these are installed into the browser directory, and in 'chrome://flags' you have the Encrypted Media Extensions set to 'Enabled' (this has been the case by default for quite some time now; you have to actually make the effort to disable them if unwanted), all the Chromium-based browsers will pick them up and use them automatically. In fact, for the Chromium-based 'Iron' browser by SRWare, the advice given on their forums is to 'borrow' the WideVine modules from a contemporary release of Chrome itself.....

    (Don't forget, even Chrome is based on Chromium; this is where all the bleeding-edge development work takes place. There are hundreds, if not thousands of researchers busily digging away looking for problems, due to Google's long-running 'bug-bounty', and the semi-autonomous, automated 'build-bots' at the Chromium Project churn out upwards of 20 some-odd builds per day..!! For the newest 'stable' Chrome release, Google take the most recent 'stable' build of the open-source Chromium, add their own proprietary bits'n'bobs to it, re-badge it, and release it as Chrome.)

    I'm a long-term Chrome user; been using it ever since the very first 'beta'-quality, pre-release evaluation copy was available back in the Autumn of 2008. Used to use FireFox, but was sorely disappointed by its tendency to constantly crash at the slightest provocation. I haven't looked back since, although I've trialled FF 'Quantum', and have to admit to being quite impressed with it.

    -----------------------------------------------------------

    No, DRM-based content is no longer the hassle under Linux that it once was. At the time of release for Chromium 49 and later, a bunch of us on the Puppy Forums had quite an extensive 'testing' session to find out exactly how many of the Blink-based browsers we could get NetFlix working in. It paid off, too; the Chrome/SlimJet/Iron packages I produce and release for Puppy have all had DRM working for a fair while now. With my being an inveterate sci-fi nut, I'm very pleased that this is the case.

    As for SAMBA, in Puppy we use a more lightweight 'fork' called Samba-TNG; much simpler (and easier!) to set-up, and extremely robust, too. It'll happily connect to pretty much any OS you care to name.


    Mike. ;)
     
    Last edited: Feb 14, 2018
    Mike_Walsh, Feb 14, 2018
    #2

  3. cornemuse

    The 1st version of Ubuntu I tried was 8.xx, a friend gave a cd. Actually I really liked the gui (hideable bars both top & bottom). u/g'ed every new version to 12.xx. They completely changed gui & finally made available option of older versions layout. I tried newer ver's, tried Lubuntu, Kubuntu, etc etc (1 ver of 1 of 'em moved the minimize/maximize/restore/close to left side of window-Hey! let's switch the brakes and the gas pedal!! what were they thinking??)
    Right now I am d/ling Mint17.3, based on above comments, we'll see, , , , ,
     
    cornemuse, Feb 15, 2018
    #3
  4. cornemuse

    Installed Mint Mate 18.3 yesterday afternoon, I will keep this one, I actually like it, (bet you didn't expect that from me!!)
    There's gonna be a bit of a learning curve for me, it's closer to Windows gui than any others so far, (that I like). Keep ya posted, , , ,
    -c-
     
    cornemuse, Feb 16, 2018
    #4
  5. trimis

    For anyone wanting to learn Linux, dual-boot Linux with XP, or just make XP safer to surf the net, I'd suggest the following options: beginner-level Linux distros include MX Linux 17.1, Q4OS 1.8, RoboLinux Mate 3D 8.10, Linux Mint, ZorinOS, etc. Pick of the litter in my opinion is RoboLinux, due to ease of use, and the fact it will not only allow one to run XP in a protected virtual environment, but simplify the process. Second choice looks to be MX Linux, according to all the reviews I've seen. For those like myself that do not want to fool with downloading, making bootable CD, and so on, there is OSDisc.com...I have ordered both CDs, and will probably be setting aside the Puppy Linux LiveCD I have been using to teach myself Linux, to focus on RoboLinux and MX Linux. For more info on either/both:
    https://www.robolinux.org/

    https://www.linuxinsider.com/story/80540.html

    https://mxlinux.org/

    https://www.linux.com/learn/intro-to-linux/2018/4/mx-linux-mid-weight-distro-focused-simplicity
     
    trimis, May 27, 2018
    #5