I have specific needs for a live OS

[Bruce B]

My my user-names and passwords are in jeopardy.

Unencrypted usernames and passwords are always in jeopardy, because they
are sent as plain text which could be captured in a variety of places. This
would typically be the case with http:// sites such as
this site.

Encrypted usernames and passwords leave the browser encrypted, even the
OS shouldn't know what it is that the browser sends. Nothing
should* be able to decrypt it except the destination. This would
typically be the case with https:// sites

Keystroke loggers I think could be a risk on any public computer of the kind
you use. But they log keystrokes. I don't think they log copy and paste
maneuvers.

Usernames and passwords can be copied and pasted.

~

* Remember we are living in the era of trustworthy computing. Which I
translate from Microsoft babel to mean - You cannot be trusted. To the
extent the OS Vendor refuses to trust us, who knows what is
possible?

~

[Pizzasgood]

No Todd, I understood. If you were running Puppy, you wouldn't need to worry about Windows spying on you as long as you leave no files behind (the only thing I would worry about is Puppy automatically trying to use swap - I don't know how current versions of Puppy behave in that regard, but worst case you could manually tell it to stop using swap with the "swapoff" command). You are right about that part.

The problem is that you can't run Puppy without risk unless you power down the computer and boot directly into Puppy (we're going to assume the BIOS on the computer has not been compromised).

I do believe that there is a way to get Windows to give up control and switch the computer over to Puppy without rebooting, but doing so would not be secure if you don't trust the computer. You can't be sure that Windows will completely go away if it has been tampered with (though I doubt anybody would have messed with it to that extent).

However, even if it were secure, this would hardly be better than rebooting the computer, because there would be no way to switch back into Windows from Puppy, so you would still need to reboot the computer when you were finished with it.

And no, this isn't just a matter of reversing the process that I mentioned could take you from Windows into Puppy. Running that, if it works correctly, would essentially shut down Windows without shutting down the computer. So if you did find or create an equivalent program to switch from Puppy into Windows, it would be like booting Windows, just as though the computer had been powered off.

The only way you could do what you are asking is if you had a way to save the complete state of a random Windows, switch over to another OS, and then when finished, restore the complete state of Windows, all without rebooting. As far as I'm aware, there does not exist a way to do this at all, with any OS, not just Puppy. And even if there was, the step where you switched out of Windows would need to be performed in Windows, which is a big security hole. And of course initiating the process would require administrator privileges.

Unfortunately, privacy is not always as convenient as we would like. Since as far as I'm aware what you want does not exist yet, unless you are ready to devote several years toward learning low-level OS architecture so that you could do the programming yourself, your best bet will likely be a netbook - which as I said would be far more secure anyway.

[Sideshow Todd]

Unless the proxy is lame and entirely client-side, you won't be able to get around it this way.

You usually need to buy your own server somewhere in the cloud that's not blocked and route your encrypted traffic through there. As Pizzasgood said, your mileage may very on how well encryption will protect you, and it's no good against local hardware sniffers.

There's plenty of proxy avoidance servers on the net, but net-nanny software generally becomes aware of them quickly - which is why you have to host it yourself and tell no one.

Sometimes Tor will work for proxy avoidance - but using that may cause problems on the local network. Not recommended for the library or workplace.

Good god, jemimah, you won't believe some of the lame azz security measures that some libraries employ. Many of times I've used public library computer that use firewalls/filter apps that were entirely client side.

And even more lame is those that do use server side firewall/filters, but leave the the hard drive(s) open for anyone to poke around, thus giving one the opportunity to shut the offending apps off or (if passwords get in the way) to do consul/registry hack and temperately shut the security down. Or they allow access my favorite VPN site that I use, with gives me access to any site that please me.

not for porn, as I explain in an earlier post in this thread, but so can chat on face book and to access innocent sites that are sometime block by overly strict filtration rules.

Most of the time restrictions are nothing more than a time consuming pain in the azz to get around, however, sometimes the admin knows what he's/she's doing, thus making it impossible for me to bypass the firewalls/filters.

But if I can figure all this out, then it wouldn't matter if the firewall/filters are on the server side because I'd have my own client side VPN.

REPLY TO moB: Thanx. This post has lead me down a path of thought, and I'll look more into this.


REPLY TO Pizzasgood: I'll look into moB's suggestion, but I'll use the host's swap because of the number write limitation of flash. Feel free to correct me if I'm wrong: I don't think user names and passwords would be left on the swap. I can compromise that much, for it's not like that conducting criminal acts or transmitting state secrets, or doing anything else wrong.

[Pizzasgood]

Any data that you input into the computer could appear in swap. Whether that's worth the risk is up to you.


Running Puppy in an emulator is a great way to be able to operate in a more confortable and familiar OS without having to reboot, but I don't think it provides very much more security. I'm no expert but I kind of doubt that running Puppy inside a virtual machine will protect you from keyloggers. I'm pretty sure that when you type the original OS will first receive the keystrokes. Then it will pass them on to the virtualization software, just the same as it would pass them on into Word or Firefox or any other program. At that point the virtualization software would cause the virtual machine in which Puppy was running to mimic having those keys pressed.

In other words, if you emulate Puppy, Puppy's keyboard drivers aren't going to interact with the physical keyboard. They will interact with a virtual keyboard, which is simulated to match the keys being pressed on the real keyboard based on the information that the real OS gives to the virtualization software. This separation between the emulated OS and the physical hardware is one of the main points behind virtualization.

The ways around that are using copy/paste as BruceB said, or to install a program (in Puppy) that makes a keyboard appear on the screen with keys you can click on, to use for anything that requires privacy (passwords, love letters, schemes for world domination, etc.).

Using Puppy inside VirtualBox or Qemu would still be a bit more secure than directly using Windows though, mainly in that the virtual Puppy would not leave any files lying around on the physical harddrive, and also wouldn't involve running potentially infected programs - for example if the computer's installation of Firefox had a malicious plugin installed, it wouldn't bother you. The main things you'd want to be worried about are keyloggers, programs that scan the RAM for informations, and people/programs who later examine the computer's swap for information. Running a virtual Puppy increases the memory demands of the system, therefor increasing the chances that swap will be used, but also increasing the amount of irrelevant stuff somebody would have to search for to find anything useful, so I suppose it's a tradeoff.

Just my thoughts, so you can make as informed a decision as possible.

[nooby]

But would the software installed allow one to run that virtual puppy at all?

[Sideshow Todd]

You've raised some good point in the last post, pizzasgood. You've been helpful all in all, and now I think I have to step back and take all in and reflect and make a decision on what the hell I'm going do.

[Lobster]

schemes for world domination

If planning world domination, you need to think about security in a different way. For example generating spurious noise for librarians watching your activities as you browse as some systems are designed to do . . .

Operating from a trusted and secure cloud based system. These probably exist but cost money - maybe someone will know of penguin run alternatives?
For world domination set up your own and divert and monitor traffic. [practice evil laugh]

Security is inconvenient. It needs specialized knowledge.
You might for example use, modify and add to
my GROWL program.
http://www.murga-linux.com/puppy/viewto ... 216#335216

My favourite technique is to practice
Uttana Shishosana (extended Puppy pose)
and other techniques
http://www.yogajournal.com/poses/2476
which helps me to worship my fears, sleep soundly at night and not need to use the GROWL program.

Hope that helps

Puppy Linux
Vigilant penguins

[Pizzasgood]

But would the software installed allow one to run that virtual puppy at all?

The computers in question would almost certainly not have programs like VirtualBox or Qemu installed. However, that is a non-issue. You can install programs onto a flash drive and then run them on any computer with a compatible OS that you plug it into.

Of course there are programs that are not cooperative with such behavior. Some programs require registry entries or having support files in specific locations and other nonsense. It depends on the program. Programs that are happy being run from any location are often called "portable", and I believe there are actually a pretty good number of quite useful programs that support this. I think people even sell flash drives with a bunch of such programs preinstalled and configured on them, and I'm fairly sure there are "bundles" you can download and easily install as well.

Virtual Box and Qemu can both be installed to a flash drive, as far as I am aware.

[nooby]

I guess it is different for each Library or Internet Cafe one visit.

Many of our Public Library have free access to computers but you have to write down your true name and true mobilenumber and you get access to a screen and a mouse and a keyboard. The computer itself is hidden under a wood work or in a locked box and you have no USB slot access on it.

And if you try to download a program to do a Vbox install then they ask for Amin rights to do such thigns and only the IT department are allowed to do such things.

So sure when it works it works but in many places it is a big NoNo to even attempt it.

But one can sometimes use their open wifi wireless hot spot but then one are open to being sniffed at by others there too. So is it as easy as some say?

I guess one have to copy and paste passwords instead of using the keyboard on the smartphone to be fairly safe? Or copy and and paste also sent in plain text? I know too little but they did show on TV how easy it was to spy on others passwords.

[2lss]

I'm not sure what your constraints are for using a laptop but if its size you could look into a small handheld like a nokia n810/n900, open pandora, or even a smartphone that runs android.

Or if your only worried about email and facebook, set up a temporary gmail account that if someone was to 'break' into, wouldn't jeopardize any personal info. I'm sure the same could be done with a facebook account; just use it for the summer and delete it when you are done.

You could also check out this http://distrowatch.com/table.php?distribution=incognito

(Its a debian live system that ships with tor and some other goodies. It's goal is to provide "Internet anonymity for the user", which I'm sure is debatable.)

But you would be in the same boat as if you used Puppy, aka have to reboot the machine and/or issues with protected bios's

[Pizzasgood]

I guess it is different for each Library or Internet Cafe one visit.

Many of our Public Library have free access to computers but you have to write down your true name and true mobilenumber and you get access to a screen and a mouse and a keyboard. The computer itself is hidden under a wood work or in a locked box and you have no USB slot access on it.

Oh, I see what you meant now. Yeah, if you can't reach the USB slots, then you're out of luck. I haven't seen many instances of that here in the USA. Granted, I haven't gone to very many areas with public computers either. But of the ones I've gone to, all had the computers right out in the open.

You mentioned open wireless. Copy-past won't make any difference for wireless. Using copy-paste for inputting passwords was suggested for when using an untrusted computer, in order to bypass keyloggers. It does nothing to address people snooping on the network.

If the website that you're sending your password to uses SSL (their address starts with "https" instead of "http" and the browser shows a lock or changes colors and such), then the data your computer sends into the internet will be encrypted, so it doesn't matter very much if you use open wireless. Nobody would be able to read what you sent. Most banks and stores and such use SSL. If one doesn't, they need to have complaints sent to them...

On the other hand, many websites and forums (including this forum) that don't deal with money don't bother to use SSL. In those cases, when you send data to them, the data is sent as plaintext. If you're using an open wireless network, or one with weak security, anybody nearby could also find out what data you send in plaintext. (Also, no matter what kind of internet connection you use, anybody who is on the path between your computer and the destination computer could read the text if it is not encrypted. In particular, the ISPs and any unethical network operators who run one of the segments your data passes through.)

[d4p]

"Yeah, if you can't reach the USB slots, then you're out of luck."

Maybe using CD/DVD.
On my test Virtualbox can be execute from cd/dvd by using the HDD space for temporary files (thanks to windows that it can execute everything).
After quit from virtualbox, it will left a 16 kb *.tmp file in %temp%.
I guess, a 16 kb file doesnt mean a lot or ?

[yordanj94]

Pizzasgood wrote:

If the website that you're sending your password to uses SSL (their address starts with "https" instead of "http" and the browser shows a lock or changes colors and such), then the data your computer sends into the internet will be encrypted, so it doesn't matter very much if you use open wireless. Nobody would be able to read what you sent. Most banks and stores and such use SSL. If one doesn't, they need to have complaints sent to them

Hi.
Let's say i use Yahoo mail.First i got "https" when i type user and pass,
but then it turns back to "http".
Does this means that they protect only your user and pass and everything else can be captured and your mail can be seen ?
Thanks in advance

[Flash]

Hi.
Let's say i use Yahoo mail.First i got "https" when i type user and pass,
but then it turns back to "http".
Does this means that they protect only your user and pass and everything else can be captured and your mail can be seen ?
Thanks in advance

That's right, but don't assume that just because your login information is sent over the internet encrypted, someone can't log in to your account by guessing. That's why you should use long random sequences for your password. I don't know how many login tries Yahoo or Gmail allow.

[yordanj94]

Thanks.
Gmail encrypts all its traffic but Yahoo doesn't.
Then what's the point to encrypt only user and pass if someone with enough skills can read all the information in the email ?
In that case one of the ways to be more secure would be to encrypt sensitive information as attached file.
Or am i wrong ?

[Pizzasgood]

Encrypting only the password still leaves emails you send or read open to be sniffed, but it at least prevents people from being able to obtain your password, which would allow them to log into your account and send mail to people that looked like it was sent by you. Also, the person intercepting your traffic would only see the emails that you send or read during that session, whereas if they obtained your login credentials, they could log in later and read all of your saved messages as well. So it does offer some benefits over no encryption at all.

One thing to keep in mind though, in regards to email, is that email is mostly sent between email servers unencrypted. So let's say you use gmail to send an email to somebody who uses hotmail. Even if it's encrypted between your computer and gmail, when it passes from gmail to hotmail, it might not be encrypted. So somebody who is in the same room as you wouldn't be able to read the email by sniffing the wireless packets, but somebody who is able to intercept the traffic passing between gmail and hotmail would be able to read the email. That's harder to do than to just watch the wireless traffic, of course, but it can happen.

As far as manually encrypting your own emails goes, you don't necessarily have to send them as an attachment. It depends on how you encrypt them. GPG can encrypt them in such a way that you can just copy and paste the encrypted text into the email and send it on its way. The recipient can then copy it out and feed it through GPG. I believe there are also plugins for Firefox that can take care of this without all the copying and pasting. If you use an actual email client instead of webmail, some of them have built in support for GPG, and some that don't have it built in do have plugins for it (for Thunderbird there is Enigmail).

Of course the problem with sending an encrypted message is that the recipient needs to know how to (and be willing to) decrypt it, which I imagine could be troublesome if they are not as willing to indulge in paranoia as you are.