Slashdot Mirror
Secure, Portable, Virtual Privacy Machine
solcity writes "Looks like an online privacy company, Metropipe, are
planning to release a secure linux virtual privacy machine that runs from a USB stick. The image contains a pre-release of their new 'Metropipe Tunneler' product and also contains Firefox, and Thunderbird with the Enigmail/gpg extension. Looks
like the whole thing is based on damnsmalllinux
and uses qemu to boot on Windows or Linux
without any installation or configuration. Very interesting use of qemu and damnsmalllinux, and all 100% GPL."
Basically a USB hard-drive that auto configs ssh and your browser so novice users can access proxyies.
A very cool idea but only "secure" if you trust the company. They say they don't keep logs, but you never know. Also a yearly fee with a limit on transfer.
The ./ story, as well as the link (Portable Virtual Privacy Machine), say that it's 100% GPL, but at least the Mozilla parts (Firefox and Thunderbird) are under the Netscape Public License.
Should I believe anything else these folks say?
I'm reading that headline thinking I finally have a cone of silence with tinted windows I can carry around, and it's just same dorky VM.
Sheesh. Next you'll tell me I still don't get my flying car and robot sex-slave^H^H^H^H^H^H^H^H^Hmaid any time soon.
=)
Lost at C:>. Found at C.
I thought USB type keys were limited to 100k writes before failure. How many times or how long can you use this device before wearing out the key?
Apple free since 1990!
Good bye Carnivore?
James bond wants one of these. The FBI, when they finally figure out what this is, will want it banned. I have dreamed of doing something like this with an applet but this is much slicker and more powerful.
Next questions, can I tunnel through with VOIP? How "special" does my correspondent/recipient have to be for the trail for eavesdroppers to go cold on both ends of the connection?
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
From the README.TXT
+++WARNING+++
-------------
This is a technology preview and comes with NO SUPPORT, NO WARRANTY
and NO GUARANTEE for any purpose.
Windows Instructions:
Double click on 'boot-win.bat'
Linux Instructions:
run 'boot-linux.bat' from the command line
Now what I find funny is that boot-win.bat doesn't exist and I believe what they meant was qemu-win.bat.
I just can't trust my data to a piece of software that claims no responsibility and doesn't even have the correct filename in a 491 byte README.TXT.
I'll stick w/my current methods TYVM.
Okay, lemme get this straight.
You take this USB key and plug it into an untrusted machine (since, if you had a trusted machine, you wouldn't have to go through these hoops). It fires up a virtualized PC that runs Linux and lets you get out to the web using an encrypted proxy.
I fail to see the utility of this. You're running QEMU on the host. If the host is compromised (and it's best to assume that any untrusted host is), it has full access to your keystrokes, I/O, and the entire memory image of your system.
Good crypto software for Unix makes sure to prevent its sensitive data from going out to swap by negotiating with the virtual memory system. This keeps your passphrases and keys from showing up in a swapfile if the machine is compromised. This type of system has no control over that -- if the host decides to swap the emulator out, foom! your entire system image is now on disk. A disk you don't trust.
Not to mention that processes on the host could simply read through your memory in real time.
So, in short, an untrusted computer is still an untrusted computer. While this sounds useful for encrypting one's network connections, it seems like an awfully complex solution to reinvent the concept of a VPN.