Search Members Help

» Welcome Guest
[ Log In :: Register ]

Mini-ITX Boards Sale, Fanless BareBones Mini-ITX, Bootable 1G DSL USBs, 533MHz Fanless PC <-- SALE $200 each!
Get The Official Damn Small Linux Book. DSL Market , Great VPS hosting provided by Tektonic
Pages: (4) </ 1 2 [3] 4 >/

[ Track this topic :: Email this topic :: Print this topic ]

reply to topic new topic new poll
Topic: saving settings dsl sessions/usb< Next Oldest | Next Newest >
roberts Offline





Group: Members
Posts: 4983
Joined: Oct. 2003
Posted: Mar. 25 2008,18:07 QUOTE

Moved to DSL Embedded section.
Back to top
Profile PM WEB 
curaga Offline





Group: Members
Posts: 2163
Joined: Feb. 2007
Posted: Mar. 25 2008,19:01 QUOTE

xvkbd is an OK virtual keyboard. Can you tell more of this encrypted password app? How can you copy and paste without it showing the pass?

--------------
There's no such thing as life. Those mean little jocks invented it ;)
-
Windows is not a virus. A virus does something!
Back to top
Profile PM 
lucky13 Offline





Group: Members
Posts: 1478
Joined: Feb. 2007
Posted: Mar. 25 2008,21:19 QUOTE

hats:
Quote
If you run something under a host OS, I would think that you would still be vulnerable to malicious code from the host, such as software keyloggers.

Correct. Not only that, the moment you insert a USB storage device like a pendrive into a Windows computer, you are at risk of it becoming part of the existing operating system. That's because Windows automounts and often autostarts. The DSL-embedded is on a FAT partition, making it susceptible to any malware on whichever machines it's inserted.

That's why I said it's complete folly to presume invulnerability. Especially when relying on a host OS in circumstances of questionable security all around (the host computer, the network, etc.). I can think of too many worst case scenarios: such as your device becomes a vector for whatever malware you acquire between all these internet cafe computers and then you take it home and think "dee-dee-dee, I'm safe because I'm using Linux." Not.

-----------------------------------------------------
sophosrex:
Quote
As I mentioned before the advantage of the embedded linux does not use the applications on the host OS or the host OS for that matter


1. You're inserting a USB device into a booted computer that automounts and (probably) autostarts it. If the host computer is infected or in any way compromised, so is your stick. Regardless of what OS you run in a virtual layer above the host OS. How often do you scan that stick?
2. You're using a FAT device in a FAT system. The fact that you have QEMU between Windows and Linux is beside the point. Your data are on FAT. FAT malware and virii don't discriminate between Linux and MSDOS image files, text files, etc.
3. You're only as safe as the host computer.

Quote
because most viruses,malware, trojans are written forwindows not linux this takes care of a great piece of the problem

Again, what filesystem is your USB device? FAT. Those "viruses, malware, trojans" are written for FAT. Everything on your device is FAT. Therefore, you're susceptible to everything that can be affected by FAT-oriented malware. That includes your data files.

Quote
The first thing I do is rebbot the machine, most places will let you do this. The second is perouse task manager to check for any keylogger apps or anything suspicious and kill anything I dont like. Most software keyloggers monitor certain apps like email or web browsers when opened are used to record keystrokes, this wont happen with me because I dont use any of host os apps.


First, rebooting the host computer doesn't rid it of malware, virii, or trojans. Second, malware ordinarily doesn't advertise itself in the task manager. If it did, it would be a lot bleeping easier for most people to contain, manage, and get rid of. Third, I again encourage you to research this issue about keyloggers a little more seriously.

Quote
I cut and paste them from a encrypted password app this app never exposes the actual password so this also eliminates shoulder surfing

If you decrypt it in an insecure setting like on a questionable host computer on a questionable network, consider it compromised.

Quote
I am not ever completely safe in these environments

You're not safe at all.

Quote
Any further suggestions would be welcome.

You'd be a bit safer using DSL with USB-HDD install on that device and using its available tools for encryption. That way you boot from a strictly Linux (not Windows-hosted Linux) environment. I don't consider QEMU a security feature. If you could see my NT sandbox, you'd understand why. But I also don't accept that Linux is inherently safer than any other OS. The weakest link will always be the user. That's why I encourage you to not make assumptions, especially on untrusted networks. :-)

EDIT: Here are a few links about how easy it is to **** up computers with USB devices.

1. This blogger had to re-install because of malware picked up on a promiscuous USB device.
http://howellabie.blogspot.com/2008/02/on-usb-drive-trojan-virus.html

2. Brandeis University had a viral outbreak last year due to USB devices.
http://my.brandeis.edu/bboard/q-and-a-fetch-msg?msg_id=0006FI
http://my.brandeis.edu/bboard/q-and-a-fetch-msg?msg_id=0006G4

3. This is old but still applicable because Windows autoplays USB devices by default.
http://reviews.cnet.com/4520-3513_7-6296529-1.html

4. And before you EVER insert a USB device, do you know where it's been? Thieves (and security analysts) are turning to planting devices where they can be found and letting curiosity and human nature take its course. First link is about someone who found a device and inserted it only to install a trojan. Second link is by a tech security consultant who breached a client's security by leaving infected sticks around for employees to find, insert in random computers, and collect data to show how vulnerable the client's systems were. (Many security-savvy companies have turned to removing USB ports, filling them with epoxy, etc., to prevent employees from easily removing data or even more easily spreading malware.)
http://www.gearlive.com/news....-drives
http://www.darkreading.com/documen....lumn1_1

The moral of the story: USB devices are a lot like sexually adventurous people. The more promiscuous, the more likely there's going to be some damage somewhere down the road. The more machines you insert your pendrive, the more likely it's going to be infected -- that's especially true in a booted computer (such as you're doing with embedded Linux). If you're uncertain about the security of any machine and/or network, you're taking a big gamble whether you run Windows-based apps or Linux-based apps virtually. If the machine is infected, your USB device will most likely become infected once plug and play mounts it and either asks if you want to open it or opens straight up by default.


--------------
"It felt kind of like having a pitbull terrier on my rear end."
-- meo (copyright(c)2008, all rights reserved)
Back to top
Profile PM WEB 
lucky13 Offline





Group: Members
Posts: 1478
Joined: Feb. 2007
Posted: Mar. 25 2008,22:12 QUOTE

Quote
lucky13: I suppose the "safest" bet would be to save your login details in cookies

That's not very safe and still susceptible to man in the middle attacks, which one should expect in any insecure environment like an Internet cafe. What applies to wifi can be just as easy on any sniffed network. If you're unsure about how trustworthy any particular computer or network is, why should you assume or hope that your web traffic is unmonitored or not sniffed?
http://blogs.zdnet.com/Ou/?p=651
http://www.tgdaily.com/content/view/33207/108/


--------------
"It felt kind of like having a pitbull terrier on my rear end."
-- meo (copyright(c)2008, all rights reserved)
Back to top
Profile PM WEB 
jpeters Offline





Group: Members
Posts: 804
Joined: April 2006
Posted: Mar. 26 2008,03:22 QUOTE

Kind of shocking; just leave some USB devices around a company building, and virutually all get picked up and plugged into their computers by employees (15 out of 15 in the study!).  Sit  back an  have all their sensitive info mailed to your home computer. Amazing!

It's lucky (no pun intended) that government workers would be too smart/honest to be vulnerable to such a strategy . :)
Back to top
Profile PM 
19 replies since Mar. 25 2008,13:04 < Next Oldest | Next Newest >

[ Track this topic :: Email this topic :: Print this topic ]

Pages: (4) </ 1 2 [3] 4 >/
reply to topic new topic new poll
Quick Reply: saving settings dsl sessions/usb

Do you wish to enable your signature for this post?
Do you wish to enable emoticons for this post?
Track this topic
View All Emoticons
View iB Code