saving settings dsl sessions/usbForum: DSL Embedded Topic: saving settings dsl sessions/usb started by: sophosrex Posted by sophosrex on Mar. 25 2008,13:04
HI folksI travel quite a bit and use use dsl on a thumb drive to and boot up on the myriad of pcs running windblows out there in the wide wide world. It has worked great and I am not exposed to fraud and viruses that can exist on pcs in the internet cafes especially the third world ones. Here my question, I would like to save my settings like Firefox bookmarks desktop config etc. How do I do this. The docs are not very clear on this point. Thanks Posted by curaga on Mar. 25 2008,13:16
How is your stick partitioned? You just need to find out which partition you will use, which is probably sda1 or sda2. Then, on shutdown, tick the box "Backup", and when asked, give the partition. It will save automatically everything in your home directory, this includes Firefox bookmarks and settings.
Posted by sophosrex on Mar. 25 2008,14:14
I purchased the pen drive pre-installed with dsl and qemu for use as i described exclusively on windows boxes. In the qemu environment it does not recognize sda1 " it chokes and says invalid device.
Posted by curaga on Mar. 25 2008,14:34
Ah. I thought you usb-booted on the windows boxes. Can someone else fill in? I have no experience with dsl embedded..
Posted by lucky13 on Mar. 25 2008,15:03
Would you like to buy a bridge? And where does this BS come from whereby people presume they're immune just because they're using some form of Linux? *Any* time you're on an untrusted network, you're at risk of being surveilled in some form or fashion. That includes keyloggers when you're operating virtually from within another operating system on a host machine. Add to that the risks of unencrypted/plaintext data over networks, you're NOT inherently safer using Linux or any other OS without intentionally using secure servers, etc. Your DSL forum password is sent in plaintext to a non-secure http server. How many more passwords are you naively sending in plaintext over dubious networks? Don't believe me? Look up combinations of QEMU, keylogger, security, internet cafe, etc. You're only as safe as your host machine and your knowledge of security measures. Presuming that you're safe using Linux in QEMU on an untrusted computer -- whether it runs Windows or Linux or anything else -- doesn't make you safe. It only makes you gullible. Posted by ^thehatsrule^ on Mar. 25 2008,15:40
Yes, I suppose this thread should be under the embedded section.What you can do to save your settings is to create a virtual hdd, then partition and format it in DSL after launching qemu with it. Afaik there should still be those docs and/or README's that come with the embedded package. Please read those first, then search the forums/wiki/etc if you need more info. If you still are stuck, feel free to ask for help. lucky13: I suppose the "safest" bet would be to save your login details in cookies Posted by roberts on Mar. 25 2008,15:41
Saving setting in Qemu environment is explained in the readme file. It is not as simple as a native boot but can be achieved with a virtual drive or samba
Posted by sophosrex on Mar. 25 2008,16:18
Yes I did see the virtual hard drive setup in the docs this confirms my suspicion. I will try that.Thanks To Lucky 13 Easy big guy!! I completely agree that I am exposed to anyone sniffing traffic on the internet cafe. But I do gain security advantages that I would not on their PC. 1) I am not vulnerable to any malicious code or most viruses because they are written mostly for windows not Linux (99%).I am not using the hard drive of the cafes machine to access the necessary apps firefox etc therefore almost elimanating exposure to malicous code and viruses that are running or on the infected drive. 3) I am careful to use only ssl protected sites for banking and email retrieval which again minimizes my exposure to password theft. Thanks for the comments. Posted by ^thehatsrule^ on Mar. 25 2008,16:30
Just for discussion's sake:If you run something under a host OS, I would think that you would still be vulnerable to malicious code from the host, such as software keyloggers. Then again, there may be a hardware(?) keylogger. Or subject to phishing due to redirection by some network proxy, etc. I would not be surprised if people hard reset public machines after use just to clear volatile memory, heh heh. IMO, it just boils down to trust and your personal paranoia :P Posted by sophosrex on Mar. 25 2008,17:34
I did not know this would turn into security on the road thread but here goes. As I mentioned before the advantage of the embedded linux does not use the applications on the host OS or the host OS for that matter this using a linux os fufills one of the security axioms " security by obscurity" because most viruses,malware, trojans are written forwindows not linux this takes care of a great piece of the problem. The first thing I do is rebbot the machine, most places will let you do this. The second is perouse task manager to check for any keylogger apps or anything suspicious and kill anything I dont like. Most software keyloggers monitor certain apps like email or web browsers when opened are used to record keystrokes, this wont happen with me because I dont use any of host os apps. Assuming this wont always be the case and there is a hardware or software keylogger that records all keystrokes I dont use the keyboard to enter sensitive passwords I cut and paste them from a encrypted password app this app never exposes the actual password so this also eliminates shoulder surfing. You could also use a virtual keyboard app that allows you enter the passwords by point and click but I have not found a good one yet. Also my banking site uses visual keys and a redirect attack will not work I will know something is up when my visual cue is wrong. And finnaly before I leave I reboot again. Again I am not ever completely safe in these environments but the point is to minimize by exposure. Any further suggestions would be welcome. Posted by roberts on Mar. 25 2008,18:07
Moved to DSL Embedded section.
Posted by curaga on Mar. 25 2008,19:01
xvkbd is an OK virtual keyboard. Can you tell more of this encrypted password app? How can you copy and paste without it showing the pass?
Posted by lucky13 on Mar. 25 2008,21:19
hats:
Correct. Not only that, the moment you insert a USB storage device like a pendrive into a Windows computer, you are at risk of it becoming part of the existing operating system. That's because Windows automounts and often autostarts. The DSL-embedded is on a FAT partition, making it susceptible to any malware on whichever machines it's inserted. That's why I said it's complete folly to presume invulnerability. Especially when relying on a host OS in circumstances of questionable security all around (the host computer, the network, etc.). I can think of too many worst case scenarios: such as your device becomes a vector for whatever malware you acquire between all these internet cafe computers and then you take it home and think "dee-dee-dee, I'm safe because I'm using Linux." Not. ----------------------------------------------------- sophosrex:
1. You're inserting a USB device into a booted computer that automounts and (probably) autostarts it. If the host computer is infected or in any way compromised, so is your stick. Regardless of what OS you run in a virtual layer above the host OS. How often do you scan that stick? 2. You're using a FAT device in a FAT system. The fact that you have QEMU between Windows and Linux is beside the point. Your data are on FAT. FAT malware and virii don't discriminate between Linux and MSDOS image files, text files, etc. 3. You're only as safe as the host computer.
Again, what filesystem is your USB device? FAT. Those "viruses, malware, trojans" are written for FAT. Everything on your device is FAT. Therefore, you're susceptible to everything that can be affected by FAT-oriented malware. That includes your data files.
First, rebooting the host computer doesn't rid it of malware, virii, or trojans. Second, malware ordinarily doesn't advertise itself in the task manager. If it did, it would be a lot bleeping easier for most people to contain, manage, and get rid of. Third, I again encourage you to research this issue about keyloggers a little more seriously.
If you decrypt it in an insecure setting like on a questionable host computer on a questionable network, consider it compromised.
You're not safe at all.
You'd be a bit safer using DSL with USB-HDD install on that device and using its available tools for encryption. That way you boot from a strictly Linux (not Windows-hosted Linux) environment. I don't consider QEMU a security feature. If you could see my NT sandbox, you'd understand why. But I also don't accept that Linux is inherently safer than any other OS. The weakest link will always be the user. That's why I encourage you to not make assumptions, especially on untrusted networks. :-) EDIT: Here are a few links about how easy it is to **** up computers with USB devices. 1. This blogger had to re-install because of malware picked up on a promiscuous USB device. < http://howellabie.blogspot.com/2008/02/on-usb-drive-trojan-virus.html > 2. Brandeis University had a viral outbreak last year due to USB devices. < http://my.brandeis.edu/bboard/q-and-a-fetch-msg?msg_id=0006FI > < http://my.brandeis.edu/bboard/q-and-a-fetch-msg?msg_id=0006G4 > 3. This is old but still applicable because Windows autoplays USB devices by default. < http://reviews.cnet.com/4520-3513_7-6296529-1.html > 4. And before you EVER insert a USB device, do you know where it's been? Thieves (and security analysts) are turning to planting devices where they can be found and letting curiosity and human nature take its course. First link is about someone who found a device and inserted it only to install a trojan. Second link is by a tech security consultant who breached a client's security by leaving infected sticks around for employees to find, insert in random computers, and collect data to show how vulnerable the client's systems were. (Many security-savvy companies have turned to removing USB ports, filling them with epoxy, etc., to prevent employees from easily removing data or even more easily spreading malware.) < http://www.gearlive.com/news....-drives > < http://www.darkreading.com/documen....lumn1_1 > The moral of the story: USB devices are a lot like sexually adventurous people. The more promiscuous, the more likely there's going to be some damage somewhere down the road. The more machines you insert your pendrive, the more likely it's going to be infected -- that's especially true in a booted computer (such as you're doing with embedded Linux). If you're uncertain about the security of any machine and/or network, you're taking a big gamble whether you run Windows-based apps or Linux-based apps virtually. If the machine is infected, your USB device will most likely become infected once plug and play mounts it and either asks if you want to open it or opens straight up by default. Posted by lucky13 on Mar. 25 2008,22:12
That's not very safe and still susceptible to man in the middle attacks, which one should expect in any insecure environment like an Internet cafe. What applies to wifi can be just as easy on any sniffed network. If you're unsure about how trustworthy any particular computer or network is, why should you assume or hope that your web traffic is unmonitored or not sniffed? < http://blogs.zdnet.com/Ou/?p=651 > < http://www.tgdaily.com/content/view/33207/108/ > Posted by jpeters on Mar. 26 2008,03:22
Kind of shocking; just leave some USB devices around a company building, and virutually all get picked up and plugged into their computers by employees (15 out of 15 in the study!). Sit back an have all their sensitive info mailed to your home computer. Amazing!It's lucky (no pun intended) that government workers would be too smart/honest to be vulnerable to such a strategy . Posted by lucky13 on Mar. 26 2008,04:00
It's not really that surprising. People don't change the Windows defaults so that media won't automatically mount/start and many virus scanners can't be set to automatically scan any new media upon insertion. What freaks me out is the number of people I see popping USB drives into library computers without a second thought, even right after a previous user removed a device. I always wonder how many of them go home or to other computers and pop them right in without any scan.
Posted by ^thehatsrule^ on Mar. 26 2008,04:57
Hence the quotes. It can be considered somewhat safer to some trivial degree since, in most cases, I think the password would not be visible. Posted by curaga on Mar. 26 2008,16:09
I would believe there is a way around sniffing: have your own server in a trusted environment, and whenever you go to a cafe, use your server as a proxy while encapsulating all traffic between your server and DSL with ssh.Having fat32 can get your files infected with windows viruses. But, as with the md5 limited set of possibilities causing a clash, security comes through the levels of packaging. Your files can get infected. But having them get infected, while also keeping their signatures recognizable as the files they are, and also keeping their structure intact so they still are usable, is way more rare. As the main file is a cloop pack, altering something would trigger a warning either on load or when trying to read from the changed block. Posted by lucky13 on Mar. 26 2008,16:57
Or use VPN. There's a new OpenVPN extension in testing but I haven't tried it yet because my wireless card is too hamstrung in DSL for it to be of much use to me. I want to look at that extension more closely because I don't recall TUN/TAP being in the config and I just extracted the extension and didn't see those modules in it. Hmmm... Posted by ^thehatsrule^ on Mar. 27 2008,15:36
Note of interest: after taking a glance at a few links that was posted here, I decided to see whether these forums had https support. Using the same address, but changing the protocol showed that this site does have support for it, but is not configured properly(?) to use it (expired cert, http links, Firefox says information is partially encrypted, etc.), which is a given since there are no links that point to it.
|