[gentoo-user] Re: Horribly off-topic linux distro question...

2008-02-08 Thread 7v5w7go9ub0o

Hans-Werner Hilse wrote:

> Hi,
>
> On Thu, 07 Feb 2008 13:05:00 -0500 7v5w7go9ub0o
> [EMAIL PROTECTED] wrote:
>
>> - The SSL connection is established within the Linux VM, so all the
>> host sees is an encrypted connection to your bank.
>
> Wrong: It will also see all the virtual memory the virtualized machine
> is using, including those parts containing your precious unencrypted
> data. All you win by using a VM is that you don't need to boot into the
> OS (which might be impossible on some public terminals while running
> qemu might work).



Huh!?   Sure, virtual memory and real memory will together have bits and 
pieces of all executing code and data - paged in and out at various 
times - and if your local library or friend's windows machine is 
actually logging, reconstructing, and effectively parsing all of that, 
you could indeed be compromised. Never heard of such a 
resource-intensive, sophisticated attack; but can see that it could 
-theoretically- be done on a public library or friend's computer; though 
not likely on any computer I'll ever come across.




--
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] Re: Horribly off-topic linux distro question...

2008-02-08 Thread Hans-Werner Hilse
Hi,

On Thu, 07 Feb 2008 13:05:00 -0500 7v5w7go9ub0o
[EMAIL PROTECTED] wrote:

> - The SSL connection is established within the Linux VM, so all the
> host sees is an encrypted connection to your bank.

Wrong: It will also see all the virtual memory the virtualized machine
is using, including those parts containing your precious unencrypted
data. All you win by using a VM is that you don't need to boot into the
OS (which might be impossible on some public terminals while running
qemu might work).

-hwh



[gentoo-user] Re: Horribly off-topic linux distro question...

2008-02-07 Thread Michael Schmarck
Steve [EMAIL PROTECTED] wrote:

> In the context of online banking, where Windows of some flavour is the
> desktop OS, I see a substantial risk arising through spyware and/or
> viruses.  I suspect that a neat way to mitigate this would be to run an
> OS from a CD which offers nothing more fancy than a basic web-browser.
>
> Is there anything like this already available?

DSL should come fairly close.

Michael




[gentoo-user] Re: Horribly off-topic linux distro question...

2008-02-07 Thread 7v5w7go9ub0o

Jan Seeger wrote:


> snip insane security paranoia


insane? What's insane: Presuming the windows host is compromised? or 
having your computer on a USB flash drive? or using two browsers to 
confirm the integrity of a site? The procedure is quite easy, once 
you've done it once or twice.


But go ahead and do something less; it's easy to do something less cautious.



> Actually, at that stage, you should be more worried about the hardware.
> Slip a little hardware keylogger in there and all that is for nothing.
> And try to do online banking without entering anything... If your bank
> doesn't require something like a TAN (transaction number) or ITAN
> (indexed transaction number), I wouldn't use it at all. So it would
> probably be wiser to get a laptop and take good care of it.


Definitely agree. Laptop is easily the best choice. (But I still check 
for DNS poisoning and XSS attacks at the destination) :-)


- However, maybe Steve doesn't have a laptop! At any rate, he is 
discussing a solution for use at a windows pc.


(And I wouldn't mind entering a TAN via a library keyboard if the 
primary authentication (initial phase of a two phase identification) was 
hidden from the hardware - it alone won't compromise my account.)





Re: [gentoo-user] Re: Horribly off-topic linux distro question...

2008-02-07 Thread Mick
On Thursday 07 February 2008, Neil Bothwick wrote:
> On Thu, 07 Feb 2008 15:27:51 +0100, Michael Schmarck wrote:
>>> In the context of online banking, where Windows of some flavour is the
>>> desktop OS, I see a substantial risk arising through spyware and/or
>>> viruses.  I suspect that a neat way to mitigate this would be to run
>>> an OS from a CD which offers nothing more fancy than a basic
>>> web-browser.
>>>
>>> Is there anything like this already available?
>>
>> DSL should come fairly close.
>
> Dillo doesn't work with the online banking sites, and many others, that I
> tried.

Basic web browsers do not have the javascript, Java (and soon enough flash?) 
functionality that the majority of banking sites require.  Wouldn't Knoppix 
with its Firefox and equivalents do the job for you, after you set root and 
knoppix passwds?  BTW, Konqueror will also work with many banking sites, but 
you may need to change the browser agent identification, treatment of cookies 
and so on.  YMMV.
-- 
Regards,
Mick




Re: [gentoo-user] Re: Horribly off-topic linux distro question...

2008-02-07 Thread Florian Philipp

On Thu, 2008-02-07 at 15:37 +, Neil Bothwick wrote:
> On Thu, 07 Feb 2008 15:27:51 +0100, Michael Schmarck wrote:
>
>>> In the context of online banking, where Windows of some flavour is the
>>> desktop OS, I see a substantial risk arising through spyware and/or
>>> viruses.  I suspect that a neat way to mitigate this would be to run
>>> an OS from a CD which offers nothing more fancy than a basic
>>> web-browser.
>>>
>>> Is there anything like this already available?
>>
>> DSL should come fairly close.
>
> Dillo doesn't work with the online banking sites, and many others, that I
> tried.

Last time I tried, DSL came with Firefox 1.5.*




Re: [gentoo-user] Re: Horribly off-topic linux distro question...

2008-02-07 Thread Neil Bothwick
On Thu, 07 Feb 2008 15:27:51 +0100, Michael Schmarck wrote:

>> In the context of online banking, where Windows of some flavour is the
>> desktop OS, I see a substantial risk arising through spyware and/or
>> viruses.  I suspect that a neat way to mitigate this would be to run
>> an OS from a CD which offers nothing more fancy than a basic
>> web-browser.
>>
>> Is there anything like this already available?
>
> DSL should come fairly close.

Dillo doesn't work with the online banking sites, and many others, that I
tried.


-- 
Neil Bothwick

If it ain't broke, wait a day or two!!




Re: [gentoo-user] Re: Horribly off-topic linux distro question...

2008-02-07 Thread Jan Seeger

On Thu, 07. Feb, 7v5w7go9ub0o spammed my inbox with 
snip insane security paranoia

Actually, at that stage, you should be more worried about the hardware.
Slip a little hardware keylogger in there and all that is for nothing.
And try to do online banking without entering anything... If your bank
doesn't require something like a TAN (transaction number) or ITAN
(indexed transaction number), I wouldn't use it at all. So it would
probably be wiser to get a laptop and take good care of it.
Regards
Jan Seeger
-- 
thenybble.de/blog/ -- four bits at a time



[gentoo-user] Re: Horribly off-topic linux distro question...

2008-02-07 Thread 7v5w7go9ub0o

Steve wrote:
> In the context of online banking, where Windows of some flavour is the
> desktop OS, I see a substantial risk arising through spyware and/or
> viruses.  I suspect that a neat way to mitigate this would be to run an
> OS from a CD which offers nothing more fancy than a basic web-browser.
>
> Is there anything like this already available?



My preference is using a safe browser (Opera with plugins removed) on a
QEMU/Hardened Gentoo VM - on a USB flash stick. It presents the user
with a window in which the Linux OS boots up and in my case, presents a
Fluxbox desktop.

- The VM (actually, a qemu emulator in virtual mode) will start up
without privilege - say, while on the road at a public library.

- At the end of the session, there are no relics that I can find, except
for a single, minor note in the windows registry.

- The SSL connection is established within the Linux VM, so all the
host sees is an encrypted connection to your bank.

- IIUC, today's biggest banking concerns, besides pharming and phishing,
are Trojan/Keyloggers. This kind of VM is  -probably- immune from most
kinds of spyware on the Windows host, though not hardware loggers on the
keyboard or Terminal. Workaround is to have passwords handled
automatically by the browser within the Linux OS - so that passwords are 
neither typed nor displayed.


- Other banking concerns are pharming, DNS poisoning, and XSS attacks.
So I go to my banking site with FireFox first, confirm that the DNS is
correct (or do your own lookup at Sam Spade), and have NoScript confirm
that everything is o.k. Then use Opera (safer browser) to consummate the
transaction.

- If you go this route, do a little research and get a fast and quick
USB flash.

HTH




--
gentoo-user@lists.gentoo.org mailing list
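
The DNS check mentioned in the message above (confirming that the bank's name resolves correctly before logging in), as an added example that is not part of the original thread. The function names, the host `bank.example` and the reference addresses are assumptions; the reference set is taken to come from an independent lookup path.

```python
import ipaddress
import socket

# Ranges a public banking site should never resolve to; a hosts-file or
# resolver tamper often redirects to one of these.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def resolve_local(host, port=443):
    """Addresses the local, possibly tampered, resolver returns for host."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def audit_resolution(local_addrs, reference_addrs):
    """Compare local answers with a set obtained over an independent path.

    Returns (verdict, findings). "suspicious": an answer is in a non-public
    range. "mismatch": an answer is absent from the reference set, which can
    also be benign (CDN or round-robin DNS), so it calls for a manual look.
    """
    if not local_addrs:
        return "mismatch", [("", "no address resolved")]
    reference = {ipaddress.ip_address(a) for a in reference_addrs}
    verdict, findings = "ok", []
    for raw in local_addrs:
        addr = ipaddress.ip_address(raw)
        if any(addr in net for net in NON_PUBLIC):
            findings.append((raw, "non-public range"))
            verdict = "suspicious"
        elif addr not in reference:
            findings.append((raw, "not in reference set"))
            if verdict == "ok":
                verdict = "mismatch"
    return verdict, findings

if __name__ == "__main__":
    # Constructed sample data (documentation ranges), no network access needed.
    reference = ["192.0.2.10", "192.0.2.11"]
    for answers in (["192.0.2.10"], ["198.51.100.7"], ["127.0.0.1"]):
        print(answers, audit_resolution(answers, reference))
    # Live use: audit_resolution(resolve_local("bank.example"), reference)
```
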



Re: [gentoo-user] Re: Horribly off-topic linux distro question...

2008-02-07 Thread Håkon Alstadheim

Mick wrote:

> On Thursday 07 February 2008, Neil Bothwick wrote:
>
>> On Thu, 07 Feb 2008 15:27:51 +0100, Michael Schmarck wrote:
>>
>>>> In the context of online banking, where Windows of some flavour is the
>>>> desktop OS, I see a substantial risk arising through spyware and/or
>>>> viruses.  I suspect that a neat way to mitigate this would be to run
>>>> an OS from a CD which offers nothing more fancy than a basic
>>>> web-browser.
>>>>
>>>> Is there anything like this already available?
>>>
>>> DSL should come fairly close.
>>
>> Dillo doesn't work with the online banking sites, and many others, that I
>> tried.
>
> Basic web browsers do not have the javascript, Java (and soon enough flash?)
> functionality that the majority of banking sites require.  Wouldn't Knoppix
> with its Firefox and equivalents do the job for you, after you set root and
> knoppix passwds?  BTW, Konqueror will also work with many banking sites, but
> you may need to change the browser agent identification, treatment of cookies
> and so on.  YMMV.

I've had some success (one of two sites) with the opera browser. Free as 
in beer.




Re: [gentoo-user] Re: Horribly off-topic linux distro question...

2008-02-07 Thread Mick
On Thursday 07 February 2008, Håkon Alstadheim wrote:
> Mick wrote:
>
>> Basic web browsers do not have the javascript, Java (and soon enough
>> flash?) functionality that the majority of banking sites require.
>> Wouldn't Knoppix with its Firefox and equivalents do the job for you,
>> after you set root and knoppix passwds?  BTW, Konqueror will also work
>> with many banking sites, but you may need to change the browser agent
>> identification, treatment of cookies and so on.  YMMV.
>
> I've had some success (one of two sites) with the opera browser. Free as
> in beer.

The original post was about security rather than browser compatibility, but 
for what it's worth Opera can leave fewer traces behind than other browsers 
do.  I also use Opera to check online banking sites and have similarly had 
success with more than a couple of them.  However, I had to mask the user 
agent as MSIE, or lately Firefox for it to work properly.
-- 
Regards,
Mick

