Secure, Portable, Virtual Privacy Machine

solcity writes "Looks like an online privacy company, Metropipe, are planning to release a secure linux virtual privacy machine that runs from a USB stick. The image contains a pre-release of their new 'Metropipe Tunneler' product and also contains Firefox, and Thunderbird with the Enigmail/gpg extension. Looks like the whole thing is based on damnsmalllinux and uses qemu to boot on Windows or Linux without any installation or configuration. Very interesting use of qemu and damnsmalllinux, and all 100% GPL."

Comment removed

[account_deleted]

Comment removed based on user account deletion

And yet...

[garcia]

And yet I am tunneling through SOMEONE ELSES proxy (which isn't free) to do my "secure" work.

I'm sorry but I cannot bring myself to trust my cookies, settings, and information to travel over anyone else's network. It's not safe unless *I* am the one controlling the proxy and the tunnel between the two.

SSH, Putty (for Windows users), and squid on your own machine is what I use. Yeah, you still can't avoid keyloggers and the like but at least you know that you are controlling what is being logged and where.

Re:And yet...

[garcia]

From the README.TXT
+++WARNING+++
-------------
This is a technology preview and comes with NO SUPPORT, NO WARRANTY
and NO GUARANTEE for any purpose.

Windows Instructions:
Double click on 'boot-win.bat'

Linux Instructions:
run 'boot-linux.bat' from the command line

Now what I find funny is that boot-win.bat doesn't exist and I believe what they meant was qemu-win.bat.

I just can't trust my data to a piece of software that claims no responsibility and doesn't even have the correct filename in a 491 byte README.TXT.

I'll stick w/my current methods TYVM.

Re:And yet...

[26199]

How to avoid keyloggers

miscategorized

[Khashishi]

this is more of a gadget than a your-rights-online

Re:miscategorized

[daxxar]

Heh, you don't find this useful?
I find any gadget which enables me to boot a decent Linux distro useful ('decent' being relative), if it can increase your privacy it's just an added treat.

Signed email is pretty handy, and setting up that stuff is a bit tiresome if you have to do it for *each* workstation you come to.

I'm assuming you can 'preconfigure' it, or atleast that it stores your settings? (in contrast to your average LiveCD)

Re:Correction

[DigitalRaptor]

No, PGP is a commercial, non-GPL'd product.

They mean GPG, open source software that works in the same way.

Re:How big?

The zip is 82MB. Probably want to run this on a 256MB or larger key so you have room to store data as well...

Re:Who's privacy?

Depending on what else is included in the distro... Yes. But there are already distros that let you do that NOW. There's even Windows live CDs that will let you do it to other windows systems. Google is your friend.

So what's your point?

[pavon]

The data on the laptop is insecure. Anyone with physical access to a machine can read the unencrypted data on that machine. It has been that way forever. The existance of this product doesn't make it any less secure than it already was.

However, the person with this USB fob has increased his security. Thus a net gain in securtity. If you want to be secure you need to take care of yourself. Sticking your head in the ground is not a viable security plan.

Re:So what's your point?

[mukund]

Actually you could argue that trusting a method is worse than not trusting it at all. Trusting a unknown key for example, for the sake of security, and sending out private encrypted data protected by it is worse than not trusting the key at all.

Personally, I think carrying your own laptop around is a far better approach (for what the author is trying to achieve) as you don't have to trust others' computers which may contain software to thwart the security of devices such as this USB key by reading all data off it.

You could find flaws with what I've said too---good security is not easy.

Re:So what's your point?

[metlin]

True, but there are situations where having such a tool around would be quite handy.

The problem is that one cannot always carry one's laptop all the time, wherever they are. Often times, you end up needing your laptop at a time and place when you are least prepared for it -- I'm sure those of us here who need to shuttle all over the place to meet clients have encountered this.

And besides, the laptop is an insecurity in and of itself. Thieves view it as something that can be stolen, and it is a device that can be physically bugged.

True, you don't necessarily trust a computer off an airport in Paris. However, using that computer with your safe-toolkit is probably a whole lot safer than using your laptop with a bug in it -- hypohetically, ofcourse :-)

So, I suppose this is a good security tool. Not the solution to all the problems, but a good tool neverthless.

Or maybe I'm just being too paranoid. And that black helicopter outside my apartment probably belongs to that hot chick across the street. Who knows! ;)

Re:Who's privacy?

[julesh]

Presumably, if they were concerned, they'd have encrypted their files.

OK, let's think this through

[wowbagger]

OK, let's think this through:

As I read it, this is a Linux session running in a virtual machine under the host operating system - the idea being that any "sensative" data resides in the virtual session, so the host has no visibility to it.

Except that the host is providing all the screen and keyboard access, so if the host is comprimised and is running VNC the attacker can see where you are going, and what your password is.

True, *IF* the password is only the SSH keyphrase for a private key that is only accessible to the virtual machine, then *maybe* it does him no good.

But since the virtual machine needs to access the media through the (comprimised) host OS, the attacker can copy that data as well.

It sounds to me like this is just giving you a false sense of security.

Re:OK, let's think this through

[gl4ss]

besides than that..

you can buy dongles that record keypresses(that go into the cable).

if it's someone elses computer and you're _really_ paranoid.. then just forget about using it.

Trust is the Key Word

[ifreakshow]

Basically a USB hard-drive that auto configs ssh and your browser so novice users can access proxyies.
A very cool idea but only "secure" if you trust the company. They say they don't keep logs, but you never know. Also a yearly fee with a limit on transfer.

Not all GPL...

[non-poster]

The ./ story, as well as the link (Portable Virtual Privacy Machine), say that it's 100% GPL, but at least the Mozilla parts (Firefox and Thunderbird) are under the Netscape Public License.

Should I believe anything else these folks say?

Re:Not all GPL...

[graveyhead]

Mozilla parts (Firefox and Thunderbird) are under the Netscape Public License

I hate to be pedantic (well, ok no I don't, this is slashdot...) but Mozilla is now released under the MPL, the Mozilla Public License. The NPL is considered a "historic document". Grok.

Re:Not all GPL...

[juhaz]

The ./ story, as well as the link (Portable Virtual Privacy Machine), say that it's 100% GPL, but at least the Mozilla parts (Firefox and Thunderbird) are under the Netscape Public License.

Huh? NPL is Gone. Dead. Buried. Mozilla has been (mostly, and the exceptions should be BSD etc. GPL-compatible) LGPL/GPL/MPL tri-licensed for quite a while now, the new licensing policy is over three years old.

Re:Who's privacy?

[Ford+Prefect]

If it is using QEMU, then it's just another normal process with the same privileges (or lack thereof) as any other. QEMU's basically a PC emulator, albeit a pretty fast and compatible one.

There is the risk that processes on the host machine can peer at its memory and fish out the unencrypted data without any way of it knowing - unlikely that someone would develop such a thing, but if you're being paranoid there's always the possibility.

Something like the stealthsurfer?

[LocoMan]

I was reading about something like this on a PC Magazine sometime ago called the stealthsurfer (http://www.stealthsurfer.biz/). I guess it's like this except that this one uses GPL software (stealthsurfer uses a personalized version of netscape 7)

only limited protection

[jeif1k]

Such approaches give you only limited protection: if you don't trust the systems you plug into, you may still be subject to key logging, screen recording and other attack.

Re:only limited protection

[a24061]

That's a very good point. According to the http://pvpm.metropipe.net/ link, PVPM runs from an OS that could have who knows what installed on it, so this would not protect you from someone like that guy who installed keyloggers in the Kinko's computers.

This is more secure than nothing (although there is the danger of a false sense of security!) and it would allow you to use portable encryption on machines that belong to people you trust, but that's all.

It would be much better to boot a secure OS from the key. Something like Tinfoil Hat Linux (following the link is worth it just for the Tux picture), but with more features (Tinfoil runs from a 1.4MB floppy, I think). Tinfoil can play text output as Morse Code through the keyboard LEDs, however, to prevent Tempest attacks.

Nope

[RealProgrammer]

RTFA: it's run on the qemu emulator. You first boot the host OS, and your qemu session is just a process under that, with no more rights than otherwise.

If you had a boot CD, now that would a problem. Would I let someone boot my laptop from Knoppix? Not unless I would trust them to sysadmin my laptop :-).

As the above poster says, security accepted wisdom is that physical control implies vulnerability.

Re:Who's privacy?

[theManInTheYellowHat]

It would only work if the person was logged in and had access to the USB ports (which I understand some places are locking down now).

I don't believe that you can get a program to run at the login splash screen.

So shame on them for leaving their computer logged in.

Oh, man ...

[gstoddart]

Secure, Portable, Virtual Privacy Machine

I'm reading that headline thinking I finally have a cone of silence with tinted windows I can carry around, and it's just same dorky VM. ;-P

Sheesh. Next you'll tell me I still don't get my flying car and robot sex-slave^H^H^H^H^H^H^H^H^Hmaid any time soon.

=)

Life span?

[Remlik]

I thought USB type keys were limited to 100k writes before failure. How many times or how long can you use this device before wearing out the key?

Re:Life span?

[FirstTimeCaller]

How many times or how long can you use this device before wearing out the key?

Well, if you set up a RAM disk and only store personal settings on the USB key -- then I suspect that it would last for quite some time. If you don't care about saving settings, then you can boot off the key as a read-only media and never write back to it. So I don't think this would be a major concern.

Re:Life span?

[Fencepost]

The limitation on the number of writes to a particular area of memory has been known since flash memory first started to appear. Most devices or drivers should account for the issue by either rotating writes to avoid overusing one particular region or by remapping failing sections into other areas. Remapping failing areas will cause the available capacity of formatted flash devices to gradually shrink, while rotating writes will attempt to keep any areas from wearing out too fast (making it more likely that multiple areas will start to fail around the same time). Someone who's done more looking into this should be able to give a good idea which technique(s) are most widely used.

Re:Life span?

Your description is conceptually good, but let me correct and add to it.

- The maximum number of writes a particular area of flash can sustain has been increasing as the technology has matured. Better manufacuter are now promising, in writing, endurance in the 100,000's and even 1,000,000's of erase/write cycles.

- Better manufacturers do both the "rotating," called wear-leveling, and "remapping," called spare sectors management or sparing.

- Flash memory modules already come with reserved spare sectors that are not included in the capacity usable by the host. In other words, as spares are mapped in to replace failing areas, the usable capacity does not decrease. The amount of spares decreases, obviously. Once the spares are gone and a new one is needed, the write will fail. It will be read-only after that but the capacity will be the same as when it was first used.

hail open source! hail freedom!

[museumpeace]

Good bye Carnivore?
James bond wants one of these. The FBI, when they finally figure out what this is, will want it banned. I have dreamed of doing something like this with an applet but this is much slicker and more powerful.
Next questions, can I tunnel through with VOIP? How "special" does my correspondent/recipient have to be for the trail for eavesdroppers to go cold on both ends of the connection?

Re:hail open source! hail freedom!

[metlin]

No.

You are still trusting the person at the other end. After all this, if the spooks could install sniffers at the other end, your data is still compromised.

Why go that far, the spooks need install stuff on just your machine, or use other means.

Carnivore will never entirely go out of the pictures, it's always a Cat & Mouse game. If this becomes widespread, something else would come up to counter it.

Besides, all this is good only until QC becomes viable and widespread, and at which point your existing encryption systems become quite moot.

Re:Nice!

[metlin]

Well, they've provided a torrent too, which seems quite well seeded for the moment. So, should not be a problem!

Waaaaaait.

[cbiffle]

Okay, lemme get this straight.

You take this USB key and plug it into an untrusted machine (since, if you had a trusted machine, you wouldn't have to go through these hoops). It fires up a virtualized PC that runs Linux and lets you get out to the web using an encrypted proxy.

I fail to see the utility of this. You're running QEMU on the host. If the host is compromised (and it's best to assume that any untrusted host is), it has full access to your keystrokes, I/O, and the entire memory image of your system.

Good crypto software for Unix makes sure to prevent its sensitive data from going out to swap by negotiating with the virtual memory system. This keeps your passphrases and keys from showing up in a swapfile if the machine is compromised. This type of system has no control over that -- if the host decides to swap the emulator out, foom! your entire system image is now on disk. A disk you don't trust.

Not to mention that processes on the host could simply read through your memory in real time.

So, in short, an untrusted computer is still an untrusted computer. While this sounds useful for encrypting one's network connections, it seems like an awfully complex solution to reinvent the concept of a VPN.

Re:Waaaaaait.

[jfengel]

It's a compromise. It's more difficult to modify the hardware than the software. And the software can easily be compromised without even the owner knowing it by various spyware.

A computer at an internet cafe is likely to have spyware on it, but it would take more work for them to install a physical keylogger. So if you sit down at one of those, you should at least check it for one of these.

So this will protect you when you're borrowing a friend's computer or dropping in on a client or customer. Probably. It can't reduce the trust to zero. You can get closer to zero by borrowing an Ethernet cable and using your own laptop, but it would certainly be convenient to have to bring along nothing more than a tiny USB key than having to schlep around your own processor, monitor, and keyboard.

Re:Waaaaaait.

[Ifni]

The simple answer as to what utility this has is that it solves a number of issues all at the same time.
First, all of your settings are immediately available - your bookmarks, your cookies, your saved emails, etc, on any computer anywhere without any complicated configuration.
Second, it is very portable - much moreso that a laptop. And as they say, you don't have to demonstrate that it isn't a bomb to the airport security guard.
Thirdly, it leaves no lasting record of your activities on the host machine. Yes, if the machine is compromized with memory scanners and key loggers and remote viewing applications (oh my!), this provides no appreciable increase in security. But if you go to your local library's computer you don't have to remember to clear the browser cache, you don't have to be restricted by their web filter, and you don't have to configure their mail client to check your pop3 account (and remember to have it not delete messages it checks for fear of wanting to keep a message that you have now deleted from the server when you checked your mail account). So, for a computer that you have a reasonable level of assurance that it is not compromized, this provides some nice utility.
Plus, this gives you a portable version of Linux that you can use even if surrounded by Windows machines, and it fits in your pocket more conveniently than a CD. It provides a significant amount of utility in a small, portable package.
Is it perfect? No. Is it circumventable? Yes. Should you rely on it explicitly? No. But if you don't know what layered security is, this is STILL a better solution than none at all.
My question is whether or not the QEMU image is encrypted or not, should I lose my USB key and it end up in the wrong hands.
If you want a solution that is more resistant to the vagaries of untrusted machines, boot the computer off of your own Knoppix CD, then run this from a terminal window. You have eliminated the possibility of any spyware in the machine compromizing your session, and you still have a nice modifiable virtual playground to keep all of your passwords, cookies, email messages, etc. Just be sure to make sure no one is looking over your shoulder and that there are no hardware keyloggers hooked up to the machine.
For me, it can provide a convenient way to keep commonly used data available to me whether I am on my work laptop (which I have complete control over) or my home computer (which I also have complete control over). That is why I bought the USB key in the first place - to move data back and forth between these two computers and keep some commonly used software/documents available when working on client computers. This just makes parts of that easier.

Re:Who's privacy?

[general_re]

Stick one of these into someone else's laptop and don't you circumvent the default OS thereby having full access to their filesystem?

Go into the BIOS settings, set a boot password, and then disable USB boot devices. No, it's not totally impenetrable, but it's better than nothing - at least your attacker will be forced to haul out a screwdriver. And for laptops, probably a soldering iron too, which sort of obviates a quick hit-and-run attack while you're away from your desk ;)

Slow as hell

[joshv]

I just tried this on two reasonably modern machines, and it's slow as hell. Unusably slow. QEMU claims to be a 'FAST!' emulator. It is not.

Why not use Cygwin instead? Almost all of the apps in this distro has have been ported to cygwin, and I doubt there'd be much trouble porting Firefox if someone got serious about it.

A cygwin based distro could pack a minimal installation (including X) on a USB keyfob that would provide all of the same functionality, but running the apps as native code, at near native speed (minus the small cygwin/POSIX to win32 api translation penalty).

Now of course this solution won't work on a Linux machine, but I think it would be rare that you'd encounter a Linux machine that you'd want to run this on. Most likely you'd be at a friend's house, or in a computer lab where everything runs windows.

Re:Slow as hell

[kelnos]

I'm not sure what the point would be of running it using cygwin. The idea here is to run the entire "secure environment" inside the virtual machine that qemu provides. As others have noted, there are still some problems with this approach, but if you're going to run it in cygwin, you might as well just run the normal native apps. Then basically you'd just have a thumb drive with some privacy-related apps (such as thunderbird+enigmail) on it, which you can make in your spare time; no need to have this productised.

neat-o, but slow... VMware is speedier...

[quinxy]

Last week I was thinking about exactly this question. I've been using VMware to do the same sort of thing form my laptop, but it has the disadvantage of being costly, non-portable (no easy or possibly legal installing to usb drives/etc.), and not pre-configured for the purpose of this VPM. But in my experience VMware is quicker, feeling almost like the emulated computer was the host computer.

At any rate, I installed and ran this VPM software, and it certainly seems to deliver, and has a very nice collection of pre-installed apps. Sadly the performance is about as poor as you might expect (that's running it off a HD, not a USB drive). Every operation takes a while to complete, click on Firefox, and wait 40 seconds for it to ask which profile you want to use (this is after first use). Type in a URL and wait at least 30 seconds for any signs that it's coming up. My laptop is only P4M 1.8Ghz, so no doubt performance would be much better on a more recent machine.

Still, pretty neat, though not entirely usable for me.

quincy

Re:Who's privacy?

[Pantheraleo2k3]

Please RTFBlurb. It uses QEMU to run on top of Windows or Linux. Therefore you do not circumvent the default OS.

Dynamic Forwarding

[engine+matrix]

Why do so many people continue to only use Squid/SSH for proxying when it is not required anymore? SSH supports dynamic port forwarding.

SSH basically includes a builtin socks proxy. Download putty and create a dynamic port on locahost:1080 and say goodbye squid.

Of course there are still advantages to having a local squid proxy, but in most cases it's not worth the effort anymore.

Re:Dynamic Forwarding

[engine+matrix]

If you are using putty simply create a dynamic tunnel on 127.0.0.1:1080 and forward it to your remote ssh server. If you are at work and they block http connects you should have the ssh server running on 443. (another advantage or tunneling over 443 is that people expect to see encrypted traffic, so you'll be flying under the radar)

Now in Firefox, Thunderbird, Trillian, whatever... tell it to use a socks proxy on 127.0.0.1:1080.

Before dynamic forwarding you would need to have squid and/or manually forward all of the ports you wanted to connect to.

I must be gettin' old...

[kippa]

I read...
Secure, Portable, Virtual Piracy Machine

Re:How big?

[Dan+Yaeger]

Dell is offering a 1GB Mini Cruzer for $50.96 after MIR. This should be plenty of storage for your needs. With 1GB at USB 2.0 speeds you can do more than use this as a toy. Link http://accessories.us.dell.com/sna/productdetail.a spx?sku=A0290872&c=us&l=en&cs=19&category_id=2999& page=external

Re:Can be subverted

[pkhuong]

IIRC, it doesn't apply here. The research was made on the JVM, showing that its security was vulnerable to gamma rays, etc, which isn't a big surprise. I'd expect the same for any other program. However, they also managed to craft their program in such a way to basically escalate the program's (class?) privilege level reliably. QEMU has different goals than JVM's security, and it being vulnerable to mutated data isn't more critical for it than any other program. You might be referring to another study. though; that's all IIRC.

Re:Complications-

[homer_ca]

"Unfortunately, that flash fob is of very limited lifespan."

That's not really a problem. Damnsmalllinux is a livecd distro and the concept is similar when you boot off a flashdrive. The boot media is mounted readonly and the OS actually runs in a ramdisk (these days it's called a shared memory filesystem). The only writes would be user data which is very little compared to the OS.

As far as disposing of a broken flashdrive, I'd say take a hammer to the thing and be sure to smash up the flash chips very well.

Re:How big?

[Charliems]

Uncompressed it is 122MB, a 128MB USB FOB would just make it with very little room for additional storage. 256MB would be more than enough.

Re:The Netherlands and Germany privacy friendly?

[geg81]

Germany and The Netherlands are preparing Europian legislation to log every email message you send, to log every url you are visiting for at least a year "to fight terror".

Well, as opposed to other nations that are doing that, at least they are passing legislation... :-)

Re:Who's privacy?

[cortana]

Then how can it possibly be considered secure? You have no guarantees that what you see isn't being manipulated by the system you are running it from.

Of course, you shouldn't be using someone else's computer anyway, god knows what kind of keyloggers or whatever it has lurking in it... :)