>>>>Actually, at this moment there is a much more serious unpatched vulnerability in Java: http://mashable.com/2013/01/13/java-exploit/ . The same principle applies, disable or uninstall Java until it's fixed, or avoid untrusted sites that may use it.
>>>>
>>>One of the nice things in germany is that nowadays you must use a java based program to file anything with the IRS.
>>>Not only this give a nice opportunity to install any gov tracer it wants, it leaves the computers open to any java vulnerabilities,
>>>unless you opt to install/deinstall monthly. Now where was that old PIV clunker so I can set up as a gov dummy machine ?
>>
>>Sounds like a job for a VM!
>
>Yes and no - I am wondering if I should create a special, relatively open subnet living directly at my router,
>having a WiFi which is secured, but shared with trusted visitors. In that subrange a special surfing clunker
>would run via cable to "visitor" router - and have VM's for tax purposes and other stuff as needed,
>probably linux based as host.
>
>Running on another router with its own NAT and perhaps cable only would be the real work machines.
>Trying to think ahead - malware would have to cross more layers that way.
>Data "sharing" if needed done via table/ASCII sneaker net, today via USB sticky finger fishing...
>
>Unsure what would be best for my own aPad WiFi - also using the first router
>might offer more chances for my pwds sniffed out by compromized VM/other tasks,
>whereas having a second WiFi net makes the PCs on LAN less secure.
>
>While I guess I am a bit more paranoid than others, quite a few of the security holes I imagined have been realized -
>when I was automating IE last century quite a few leaks like cross site access were evident and the banking card
>scimmings and PIN thefts were as easy to predict as man in the middle attacks...

Trevor Potts is a fairly readable BOFH at the Reg. Last September (before the most recent problems) he gave up on Java: http://www.theregister.co.uk/2012/09/03/java_cleanup/ . His philosophy is to treat Java in the browser as compromised.

My thinking with using a VM was:

- run the VM the absolute minimum amount of time required
- restore a known good snapshot of the VM after each use ("toilet paper computing")

Yes, running that VM on a separate subnet can only be a good thing. I avoid wireless as much as possible, certainly never use it for anything sensitive.

As far as subnetting goes there are lots of options. I believe some consumer routers offer a "guest" subnet. More advanced models can support VLANs etc. Those sorts of solutions seem "elegant" but there are too many people trying to hack routers e.g. http://www.theregister.co.uk/2013/01/14/cisco_linksys_zero_day/ . There is also some concern about built-in back doors i.e. http://www.bbc.co.uk/news/business-17509201 .

So, physically separate routers, connected only by a cable that can be unplugged, can give the reassuring "air gap" :)