Secure, Portable, Virtual Privacy Machine

solcity writes "Looks like an online privacy company, Metropipe, are planning to release a secure linux virtual privacy machine that runs from a USB stick. The image contains a pre-release of their new 'Metropipe Tunneler' product and also contains Firefox, and Thunderbird with the Enigmail/gpg extension. Looks like the whole thing is based on damnsmalllinux and uses qemu to boot on Windows or Linux without any installation or configuration. Very interesting use of qemu and damnsmalllinux, and all 100% GPL."

Who's privacy?

[conner_bw (120497)]

Stick one of these into someone else's laptop and don't you circumvent the default OS thereby having full access to their filesystem?

Re:Who's privacy?

[by Anonymous Coward]

Depending on what else is included in the distro... Yes. But there are already distros that let you do that NOW. There's even Windows live CDs that will let you do it to other windows systems. Google is your friend.

So what's your point?

[pavon (30274)]

The data on the laptop is insecure. Anyone with physical access to a machine can read the unencrypted data on that machine. It has been that way forever. The existance of this product doesn't make it any less secure than it already was.

However, the person with this USB fob has increased his security. Thus a net gain in securtity. If you want to be secure you need to take care of yourself. Sticking your head in the ground is not a viable security plan.

Re:So what's your point?

[mukund (163654)]

Actually you could argue that trusting a method is worse than not trusting it at all. Trusting a unknown key for example, for the sake of security, and sending out private encrypted data protected by it is worse than not trusting the key at all.

Personally, I think carrying your own laptop around is a far better approach (for what the author is trying to achieve) as you don't have to trust others' computers which may contain software to thwart the security of devices such as this USB key by reading all data off it.

You could find flaws with what I've said too---good security is not easy.

Re:So what's your point?

[metlin (258108)]

True, but there are situations where having such a tool around would be quite handy.

The problem is that one cannot always carry one's laptop all the time, wherever they are. Often times, you end up needing your laptop at a time and place when you are least prepared for it -- I'm sure those of us here who need to shuttle all over the place to meet clients have encountered this.

And besides, the laptop is an insecurity in and of itself. Thieves view it as something that can be stolen, and it is a device that can be physically bugged.

True, you don't necessarily trust a computer off an airport in Paris. However, using that computer with your safe-toolkit is probably a whole lot safer than using your laptop with a bug in it -- hypohetically, ofcourse :-)

So, I suppose this is a good security tool. Not the solution to all the problems, but a good tool neverthless.

Or maybe I'm just being too paranoid. And that black helicopter outside my apartment probably belongs to that hot chick across the street. Who knows! ;)

Re:Complications-

[homer_ca (144738)]

"Unfortunately, that flash fob is of very limited lifespan."

That's not really a problem. Damnsmalllinux is a livecd distro and the concept is similar when you boot off a flashdrive. The boot media is mounted readonly and the OS actually runs in a ramdisk (these days it's called a shared memory filesystem). The only writes would be user data which is very little compared to the OS.

As far as disposing of a broken flashdrive, I'd say take a hammer to the thing and be sure to smash up the flash chips very w

Re:So what's your point?

[cthrall (19889)]

But...if your end goal is to connect to another computer of yours on the net and you wanted to make sure that connection was encrypted and you weren't going to leave traces on the "temporary host," this seems like a good way to do it.

For example, if I want to connect to my IMAP server securely without this device, my option is web mail over SSL...even then, who knows what keystroke loggers are running on the public machine I might be using. Plug in this, reboot and unless there's some Van Eck device around

Re:Who's privacy?

[julesh (229690)]

Presumably, if they were concerned, they'd have encrypted their files.

Re:Who's privacy?

[Ford Prefect (8777)]

If it is using QEMU, then it's just another normal process with the same privileges (or lack thereof) as any other. QEMU's basically a PC emulator, albeit a pretty fast and compatible one.

There is the risk that processes on the host machine can peer at its memory and fish out the unencrypted data without any way of it knowing - unlikely that someone would develop such a thing, but if you're being paranoid there's always the possibility.

Nope

[RealProgrammer (723725)]

RTFA: it's run on the qemu emulator. You first boot the host OS, and your qemu session is just a process under that, with no more rights than otherwise.

If you had a boot CD, now that would a problem. Would I let someone boot my laptop from Knoppix? Not unless I would trust them to sysadmin my laptop :-).

As the above poster says, security accepted wisdom is that physical control implies vulnerability.

Re:Who's privacy?

[theManInTheYellowHat (451261)]

It would only work if the person was logged in and had access to the USB ports (which I understand some places are locking down now).

I don't believe that you can get a program to run at the login splash screen.

So shame on them for leaving their computer logged in.

Re:Who's privacy?

[general_re (8883)]

Stick one of these into someone else's laptop and don't you circumvent the default OS thereby having full access to their filesystem?

Go into the BIOS settings, set a boot password, and then disable USB boot devices. No, it's not totally impenetrable, but it's better than nothing - at least your attacker will be forced to haul out a screwdriver. And for laptops, probably a soldering iron too, which sort of obviates a quick hit-and-run attack while you're away from your desk ;)

Re:Who's privacy?

[Pantheraleo2k3 (673123)]

Please RTFBlurb. It uses QEMU to run on top of Windows or Linux. Therefore you do not circumvent the default OS.

Re:Who's privacy?

[cortana (588495)]

Then how can it possibly be considered secure? You have no guarantees that what you see isn't being manipulated by the system you are running it from.

Of course, you shouldn't be using someone else's computer anyway, god knows what kind of keyloggers or whatever it has lurking in it... :)

And yet...

[garcia (6573)]

And yet I am tunneling through SOMEONE ELSES proxy (which isn't free) to do my "secure" work.

I'm sorry but I cannot bring myself to trust my cookies, settings, and information to travel over anyone else's network. It's not safe unless *I* am the one controlling the proxy and the tunnel between the two.

SSH, Putty (for Windows users), and squid on your own machine is what I use. Yeah, you still can't avoid keyloggers and the like but at least you know that you are controlling what is being logged and where.

Re:And yet...

[Orthanc_duo (452395)]

Perhaps I read it wrong, but it seemed to me you only needed to use their "annonamous" proxy if you want to. All the rest could be done through a direct connection or any other proxy you wanted.

Re:And yet...

[garcia (6573)]

From the README.TXT
+++WARNING+++
-------------
This is a technology preview and comes with NO SUPPORT, NO WARRANTY
and NO GUARANTEE for any purpose.

Windows Instructions:
Double click on 'boot-win.bat'

Linux Instructions:
run 'boot-linux.bat' from the command line

Now what I find funny is that boot-win.bat doesn't exist and I believe what they meant was qemu-win.bat.

I just can't trust my data to a piece of software that claims no responsibility and doesn't even have the correct filename in a 491 byte README.TXT.

I'll stick w/my current methods TYVM.

Re:And yet...

[26199 (577806)]

How to avoid keyloggers [columbia.edu]

miscategorized

[Khashishi (775369)]

this is more of a gadget than a your-rights-online

Re:miscategorized

[daxxar (823161)]

Heh, you don't find this useful?
I find any gadget which enables me to boot a decent Linux distro useful ('decent' being relative), if it can increase your privacy it's just an added treat.

Signed email is pretty handy, and setting up that stuff is a bit tiresome if you have to do it for *each* workstation you come to.

I'm assuming you can 'preconfigure' it, or atleast that it stores your settings? (in contrast to your average LiveCD)

Re:miscategorized

[serutan (259622)]

Yeah, it is a gadget, but one that seems likely to stir up more controversy about online privacy vs. the US government's perceived need to know everything. My first reaction to "Virtual Privacy Machine" was, uh-oh, don't they mean "Virtual Terrorist Machine?" Because that's how the Homeland boyz view privacy of any sort. Americans have privacy only in the sense that the government promises not to do anything improper with its unrestricted access. Will devices and software that hide anything from prying eyes

OK, let's think this through

[wowbagger (69688)]

OK, let's think this through:

As I read it, this is a Linux session running in a virtual machine under the host operating system - the idea being that any "sensative" data resides in the virtual session, so the host has no visibility to it.

Except that the host is providing all the screen and keyboard access, so if the host is comprimised and is running VNC the attacker can see where you are going, and what your password is.

True, *IF* the password is only the SSH keyphrase for a private key that is only accessible to the virtual machine, then *maybe* it does him no good.

But since the virtual machine needs to access the media through the (comprimised) host OS, the attacker can copy that data as well.

It sounds to me like this is just giving you a false sense of security.

Re:OK, let's think this through

[gl4ss (559668)]

besides than that..

you can buy dongles that record keypresses(that go into the cable).

if it's someone elses computer and you're _really_ paranoid.. then just forget about using it.

Trust is the Key Word

[ifreakshow (613584)]

Basically a USB hard-drive that auto configs ssh and your browser so novice users can access proxyies.
A very cool idea but only "secure" if you trust the company. They say they don't keep logs, but you never know. Also a yearly fee with a limit on transfer.

Not all GPL...

[non-poster (529123)]

The ./ story, as well as the link (Portable Virtual Privacy Machine [metropipe.net]), say that it's 100% GPL, but at least the Mozilla parts (Firefox and Thunderbird) are under the Netscape Public License.

Should I believe anything else these folks say?

Re:Not all GPL...

[graveyhead (210996)]

Mozilla parts (Firefox and Thunderbird) are under the Netscape Public License

I hate to be pedantic (well, ok no I don't, this is slashdot...) but Mozilla is now released under the MPL, the Mozilla Public License. The NPL is considered a "historic document". Grok [mozilla.org].

Re:Not all GPL...

[juhaz (110830)]

The ./ story, as well as the link (Portable Virtual Privacy Machine), say that it's 100% GPL, but at least the Mozilla parts (Firefox and Thunderbird) are under the Netscape Public License.

Huh? NPL is Gone. Dead. Buried. Mozilla has been (mostly, and the exceptions should be BSD etc. GPL-compatible) LGPL/GPL/MPL tri-licensed [mozilla.org] for quite a while now, the new licensing policy is over three years old.

Something like the stealthsurfer?

[LocoMan (744414)]

I was reading about something like this on a PC Magazine sometime ago called the stealthsurfer (http://www.stealthsurfer.biz/ [stealthsurfer.biz]). I guess it's like this except that this one uses GPL software (stealthsurfer uses a personalized version of netscape 7)

only limited protection

[jeif1k (809151)]

Such approaches give you only limited protection: if you don't trust the systems you plug into, you may still be subject to key logging, screen recording and other attack.

Re:only limited protection

[a24061 (703202)]

That's a very good point. According to the http://pvpm.metropipe.net/ [metropipe.net] link, PVPM runs from an OS that could have who knows what installed on it, so this would not protect you from someone like that guy who installed keyloggers in the Kinko's computers.

This is more secure than nothing (although there is the danger of a false sense of security!) and it would allow you to use portable encryption on machines that belong to people you trust, but that's all.

It would be much better to boot a secure OS from the

Oh, man ...

[gstoddart (321705)]

Secure, Portable, Virtual Privacy Machine

I'm reading that headline thinking I finally have a cone of silence with tinted windows I can carry around, and it's just same dorky VM. ;-P

Sheesh. Next you'll tell me I still don't get my flying car and robot sex-slave^H^H^H^H^H^H^H^H^Hmaid any time soon.

=)

Life span?

[Remlik (654872)]

I thought USB type keys were limited to 100k writes before failure. How many times or how long can you use this device before wearing out the key?

Re:Life span?

[FirstTimeCaller (521493)]

How many times or how long can you use this device before wearing out the key?

Well, if you set up a RAM disk and only store personal settings on the USB key -- then I suspect that it would last for quite some time. If you don't care about saving settings, then you can boot off the key as a read-only media and never write back to it. So I don't think this would be a major concern.

Re:Life span?

[Fencepost (107992)]

The limitation on the number of writes to a particular area of memory has been known since flash memory first started to appear. Most devices or drivers should account for the issue by either rotating writes to avoid overusing one particular region or by remapping failing sections into other areas. Remapping failing areas will cause the available capacity of formatted flash devices to gradually shrink, while rotating writes will attempt to keep any areas from wearing out too fast (making it more likely that multiple areas will start to fail around the same time). Someone who's done more looking into this should be able to give a good idea which technique(s) are most widely used.

secret decoder ring

[Doc Ruby (173196)]

I'd like to be able to send, along with my "ring", a crypto client to the person I call (or equivalent in email). So our messages can be end-to-end authenticated and encrypted, without relying on any other party or infrastructure. I could use different security protocols and secrets for each message, by sending different clients.

hail open source! hail freedom!

[museumpeace (735109)]

Good bye Carnivore? [pcmag.com]
James bond wants one of these. The FBI, when they finally figure out what this is, will want it banned. I have dreamed of doing something like this with an applet but this is much slicker and more powerful.
Next questions, can I tunnel through with VOIP [usatoday.com]? How "special" does my correspondent/recipient have to be for the trail for eavesdroppers to go cold on both ends of the connection?

Re:hail open source! hail freedom!

[metlin (258108)]

No.

You are still trusting the person at the other end. After all this, if the spooks could install sniffers at the other end, your data is still compromised.

Why go that far, the spooks need install stuff on just your machine, or use other means [wikipedia.org].

Carnivore will never entirely go out of the pictures, it's always a Cat & Mouse game. If this becomes widespread, something else would come up to counter it.

Besides, all this is good only until QC becomes viable and widespread, and at which point your existin

whats the root passwd?

[Delta-9 (19355)]

Started messing around and some things require root, so who wants to figure out the passwd for everyone?

Waaaaaait.

[cbiffle (211614)]

Okay, lemme get this straight.

You take this USB key and plug it into an untrusted machine (since, if you had a trusted machine, you wouldn't have to go through these hoops). It fires up a virtualized PC that runs Linux and lets you get out to the web using an encrypted proxy.

I fail to see the utility of this. You're running QEMU on the host. If the host is compromised (and it's best to assume that any untrusted host is), it has full access to your keystrokes, I/O, and the entire memory image of your system.

Good crypto software for Unix makes sure to prevent its sensitive data from going out to swap by negotiating with the virtual memory system. This keeps your passphrases and keys from showing up in a swapfile if the machine is compromised. This type of system has no control over that -- if the host decides to swap the emulator out, foom! your entire system image is now on disk. A disk you don't trust.

Not to mention that processes on the host could simply read through your memory in real time.

So, in short, an untrusted computer is still an untrusted computer. While this sounds useful for encrypting one's network connections, it seems like an awfully complex solution to reinvent the concept of a VPN.

Re:Waaaaaait.

[jfengel (409917)]

It's a compromise. It's more difficult to modify the hardware than the software. And the software can easily be compromised without even the owner knowing it by various spyware.

A computer at an internet cafe is likely to have spyware on it, but it would take more work for them to install a physical keylogger. So if you sit down at one of those, you should at least check it for one of these [keyghost.com].

So this will protect you when you're borrowing a friend's computer or dropping in on a client or customer. Probab

Slow as hell

[joshv (13017)]

I just tried this on two reasonably modern machines, and it's slow as hell. Unusably slow. QEMU claims to be a 'FAST!' emulator. It is not.

Why not use Cygwin instead? Almost all of the apps in this distro has have been ported to cygwin, and I doubt there'd be much trouble porting Firefox if someone got serious about it.

A cygwin based distro could pack a minimal installation (including X) on a USB keyfob that would provide all of the same functionality, but running the apps as native code, at near native speed (minus the small cygwin/POSIX to win32 api translation penalty).

Now of course this solution won't work on a Linux machine, but I think it would be rare that you'd encounter a Linux machine that you'd want to run this on. Most likely you'd be at a friend's house, or in a computer lab where everything runs windows.

Re:Slow as hell

[kelnos (564113)]

I'm not sure what the point would be of running it using cygwin. The idea here is to run the entire "secure environment" inside the virtual machine that qemu provides. As others have noted, there are still some problems with this approach, but if you're going to run it in cygwin, you might as well just run the normal native apps. Then basically you'd just have a thumb drive with some privacy-related apps (such as thunderbird+enigmail) on it, which you can make in your spare time; no need to have this pro

neat-o, but slow... VMware is speedier...

[quinxy (788909)]

Last week I was thinking about exactly this question. I've been using VMware [vmware.com] to do the same sort of thing form my laptop, but it has the disadvantage of being costly, non-portable (no easy or possibly legal installing to usb drives/etc.), and not pre-configured for the purpose of this VPM. But in my experience VMware is quicker, feeling almost like the emulated computer was the host computer.

At any rate, I installed and ran this VPM software, and it certainly seems to deliver, and has a very nice collection of pre-installed apps. Sadly the performance is about as poor as you might expect (that's running it off a HD, not a USB drive). Every operation takes a while to complete, click on Firefox, and wait 40 seconds for it to ask which profile you want to use (this is after first use). Type in a URL and wait at least 30 seconds for any signs that it's coming up. My laptop is only P4M 1.8Ghz, so no doubt performance would be much better on a more recent machine.

Still, pretty neat, though not entirely usable for me.

quincy

FYI

[broothal (186066)]

A similar product has just released a new version as well. Check out Feather Linux [berlios.de]

I must be gettin' old...

[kippa (453370)]

I read...
Secure, Portable, Virtual Piracy Machine

Re:Correction

[DigitalRaptor (815681)]

No, PGP is a commercial, non-GPL'd product.

They mean GPG [gnupg.org], open source software that works in the same way.

Re:How big?

[by Anonymous Coward]

The zip is 82MB. Probably want to run this on a 256MB or larger key so you have room to store data as well...

Re:Sweet

[metlin (258108)]

I'd certainly be willing to paypal the creators of this when a final version is released.

Paypal is now a verb, too?

Their website seems kinda slow now, but they mention somewhere that they do not accept Paypal.

Re:Nice!

[metlin (258108)]

Well, they've provided a torrent [metropipe.net] too, which seems quite well seeded for the moment. So, should not be a problem!

Re:Can be subverted

[pkhuong (686673)]

IIRC, it doesn't apply here. The research was made on the JVM, showing that its security was vulnerable to gamma rays, etc, which isn't a big surprise. I'd expect the same for any other program. However, they also managed to craft their program in such a way to basically escalate the program's (class?) privilege level reliably. QEMU has different goals than JVM's security, and it being vulnerable to mutated data isn't more critical for it than any other program. You might be referring to another study. thou