Wow, this has piqued my interest in air-gapping, especially via the DEFCON 1 approach... since hexing dnsapi.dll did bugger all, and IP ranges in the firewall did bugger all! Thanks for the detailed post.
What a mess. How about explaining what your point is before spilling all the links? Which defcon is the best? Which did you choose? Why trust vmware software if it was made by NSA as you say? The host pc can see some of what the guest virtual pc does? The only way for total privacy is a physical air gap. Virtual air gaps are **** unreliable.
An isolated PC is the safest; now someone had to give it a cute name (air gap). You can update, install, do anything from another PC, and you are supposed to use a CD or DVD with the files. Second comes NetTop; HP has licensed this technology and is selling a commercial version of this architecture. NetTop employs Security-Enhanced Linux to provide a secure operating system platform and VMware to provide multiple virtual workstations on the same physical hardware. It stops Windows from having direct contact with the Net. These options will stop MS from phoning home, but they are for security, like if you have a nuclear power plant or a missile silo. A Tor browser, a VPN, and not using REAL personal info on a PC with firewall control is all that's needed for Windows if you want to be an anon person on the net and to MS. If you do have a missile silo, I have some coordinates for you.
The NetTop needs to have a complete firewall to block the phoning-home activity on virtual workstations running Windows. No firewall is completely immune to Microsoft; I read that Windows 10 phones home using services that cannot be blocked without breaking internet access. The best solution is still isolation. I am annoyed to discover there is no safe way to transfer data to and from an isolated computer by USB storage. If a USB device is infected, it can steal data from the isolated computer when plugged in, and secretly phone home when plugged back into an internet-exposed computer. This happened in the Iran nuclear plant. Using CDs and DVDs to transfer data is secure, yet it is too slow. Why is the world not fixing up the USB vulnerability loophole by making USB firmware open source or unwritable? I really hate USB, but there is no choice.
Does using a well-secured DEFCON 2, perhaps following the NetTop protocol of a Linux host with whatever guest, bypass the whole USB issue? You can uninstall USB entirely from the guest machine. Protected from all but the NSA.
Defcon 2 does not use USB as much as Defcon 1, because you are transferring data using shared folders, but you have bigger worries, like holes in the virtualization allowing spyware to slip through the cracks. And it only takes one exposure to USB malware to be infected for eternity. If you plug an infected USB into Defcon 2 once, it is as bad as or worse than regular USB exposure in Defcon 1.