instant linux on winxp

[mahesh2k]

One more vote for qemu but I doubt if there is any way with qemu and ubuntu.

[Paul Keith]

Can you expand more on how it helps you with web-banking?

-Paul Keith (September 06, 2012, 09:19 AM)

Certainly.

First, let's get the obvious out of the way: it doesn't help a whole lot if the host machine has been compromised. With that out of the way...

The above-mentioned NemID has been shoved down our throats. It was commissioned by the big financial interests, and being run by a private (and, it unfortunately seems, darn incompetent) company. If it was just a banking system, it would be kinda OK - at least it offers two-factor authentication. BUT:

1) it's becoming mandatory for interacting with the government - so it should be classified as critical infrastructure (yet still being run by a private company, and iirc hosted by a company owned by a US company... patriot act...)
2) it's used for digital signature stuff. While technically there's cryptographic certificates involved, they're stored in escrow, giving us no control over them. While this might be safer than having a password-protected keyfile for 99% of the Danish population, it's scary that we have no alternative.
3) not only does NemID require a Java plugin (keep in mind how many security holes Java has had over the years), it has a signed Java applet that's really just a boostrapper, which downloads an unsigned java applet at runtime... and this unsigned applet contains native libraries invoked via JNI.
4) the company behind is extremely arrogant, having claimed that any possible attacks were purely theoretic, etc. Didn't take long before we saw the first real-world MITM attacks against it.
5) <tinfoil-hat>being shoved down our throats, and designed how it is, it would be the perfect trojan-launching vessel for the PET.</tinfoil-hat>

So yeah, I definitely want to keep that piece of crap contained in a VM. Also means I can keep the Java plugin out of the browser I use for everyday stuff, and thus be a helluva lot safer in general browsing. Just like my main browser, the one in the VM also has AdBlockPlus+NoScript+Certificate Patrol+Ghostery - and it's only used for web-banking and other NemID-requiring sites.

-f0dder (September 06, 2012, 09:38 AM)

Thanks.

Judging by your usage, would it be correct to assume that it only protects the scenario where the java plugin has been compromised? That is to say, the digital signature stored in escrow is still an exposed factor or does using Linux/using a VM serve as a form of anonymizer/2nd layer encryption against the system?

I'm not really familiar with digital signatures.

[f0dder]

I'm not really familiar with digital signatures.

-Paul Keith (September 06, 2012, 10:57 AM)

Let's start with that, then.

A digital signature is used to "sign" "something" to prove that you are who you claim to be - so far, so good. The ones I know about are based on public/private-key cryptography, e.g. RSA. The public part of your key is public knowledge, and you keep the private key really close to your heart. For normal scenarios, you'd keep it in a keyfile encrypted with a symmetric cipher, and a Real Good(TM) passphrase.

I'm not going to dive into how signing is done, since "it depends", but the important part is that it requires your private key. Oh, and that signing can potentially be used for stuff like acknowledging a bank transfer, or signing over the rights of your house to somebody else.

With key escrowing, instead of keeping your encrypted keyfile on your harddisk, you trust a third party to keep the private key stored. Now, I do believe company behind NemID to have proper HSM storage, and I mostly believe their claims that the system is not backdoored. But I do know that they have the capability to wait for my next NemID login and snoop my passphrase, and would thus be able to get at my private key. This is not tinfoil-hat, it has been revealed in a government question about the security.

So... I'm not super-worried about a hacker penetrating the system and grabbing all the keys - but it would be possible to snoop on people (or do more nefarious things) given a court order (we're not quite at the level of .us anti-terroism laws in .dk yet, but getting there). But (if I remember correctly wrt. the company ownership), I guess the patriot act could be involved (that's slightly tinfoil-hat).

That said, I do believe key escrowing is better for the majority of people, and the solution does add 2-factor authentication by the use of single-use 6-digit codes on a keycard. It's a cheaper and more pragmatic solution than keyfrobs or the like, and while it's one of the best things about the system, it's ironically also one of the things people bitch most about, while completely ignoring the security repercussions of the system. Sheeple, *sigh*.

Judging by your usage, would it be correct to assume that it only protects the scenario where the java plugin has been compromised?

-Paul Keith (September 06, 2012, 10:57 AM)

The Java plugin, or any number of other attack vectors, yes.

That is to say, the digital signature stored in escrow is still an exposed factor or does using Linux/using a VM serve as a form of anonymizer/2nd layer encryption against the system?

-Paul Keith (September 06, 2012, 10:57 AM)

Well, the main thing to avoid is having the Java plugin in your day-to-day webbrowser. I try to get everybody I know to get rid of it, and use a second browser (or alternate firefox profile, whatever) for the NemID stuff.

The reasons for running it in linux is a bit of paranoia, and a "go fsck yourselves, NemID" attitude. First of all, should something slip through the browser (however extremely unlikely), there's more malware for Windows than for Linux (that's not to say that there aren't juicy exploits available for Linux, but they're the kind you don't see in widespread use. If you're hit by one, you should probably be worried). Also, there's the fact that the NemID Java applet contains native x86 code - I don't really want "random" native code running on my machine. "We need it for making a fingerprint of your system", yeah right. I don't expect to be the target of a police investigation anytime soon, but I sure as hell don't want anybody to have a wonderful trojan delivery backdoor mechanism on my machine. While it's unlikely that the private keys are going to get hacked out of NemID, wouldn't the machine serving the non-bootstrap .jar be a juicy target? I think so.

[Paul Keith]

Thanks for the highly informative clarification.

To everyone else: I won't try to derail this thread any longer. It's just posts like these aren't stuff you can normally chance upon.

[kalos]

I installed Puppy Linux and it offers to reboot my system :/

[Paul Keith]

How exactly did you install Puppy?

As far as I know QemuPuppy should just be an icon. Click it and out pops a window just like a normal VM.

Normal puppy is often recommended as live cd first and foremost before frugal/whatever Linux likes to call installing in HD.

It would be highly strange to get into a situation where you might accidentally find yourself in a position to reboot to Puppy as a newb.

[kalos]

well, i installed  "Puppy Linux 528.exe", which is supposed to be a linux installer in winxp

[Paul Keith]

I've never tried it. From the description it sounds like you just wubi'd Puppy into your Windows.

It definitely won't be an instant linux on winxp since it's a separate partition. You need to look for the instructions specifically for QemuPuppy to just get a Virtual Puppy on your usb stick.

[skwire]

kalos, I really think you need to go with the virtual machine route.  That's the least invasive way to do what you want.

[40hz]

kalos, I really think you need to go with the virtual machine route.  That's the least invasive way to do what you want.

-skwire (September 07, 2012, 04:43 PM)

I think it's more like the only way.

[Paul Keith]

Well it depends on what only virtual machine way means. After all, he did go for an .exe over say an unburned Live CD iso first. (Not dumb but not something a beginner is recommended to do nor will a beginner accidentally be introduced to it first time they try Linux)

I don't know about VMWare but Virtualbox and Qemu from a person like me is vastly different despite being categorically considered the same.

Even now I still have problems optimizing Virtualbox and when I open it, my browser on my main OS slows down (highly invasive). Qemu is just click and run especially on Puppy.

Plus Virtualbox has streamlined mode which is also a different experience than a windowed OS.

There's also just finding Windows alternative for Linux specific apps which is much more likelier to happen.

Also there's Online Emulators like this for the technically minded: http://bellard.org/jslinux/

There could just easily be a fully functioning graphical online OS that no one has heard about.

[40hz]

Well it depends on what only virtual machine way means.

-Paul Keith (September 07, 2012, 05:54 PM)

If I understand correctly, what he wants is a machine setup that can toggle between fully local and active instances of both Windows and Linux in realtime - as in: without rebooting.

Since you can only currently have one OS active at a time per machine (real or virtual), the only way to have two OS instances simultaneously active is to somehow provision for two machines - and do some techno-magic to handle the details of switching between.

There may come a time when you could routinely have each core in a multi-core CPU running its own OS instance. But even then you'd still need a hypervisor to move back and forth between the instances. So some flavor of virtualization would still be required to pull that trick off. Can't see any way of getting around it.
Since VMs work very well - and also provide a huge amount of 'bang for the buck' - I can't see any practical alternative to using a VM approach. Especially for what kalos is trying to accomplish.

If there's another "mo better" way to do it with currently available technology, it'll be news to me.

[Paul Keith]

Yes but since both Qemu and VBox don't need rebooting and are virtual machines, that's not the issue here.

The issue is on the topic title: "instant".

In my experiences with Qemu, especially with a lightweight newbie friendly distro like Puppy, it is as instant as it is like opening a web browser where as Virtualbox, esp. unoptimized/wrongly sliced together settings, is more like running a Java app.

Both are at heart going to give you operating systems without rebooting but one requires not only loading for waiting times, additional confusing settings, questions of whether to install guest additions or merge two desktop OS's aesthetic together and the other is simply...a click. I.E.: instant linux.

The differences are so distinct that yes, depending on the needs, Qemu can seem like a better way than Virtualbox provided you know the limitations of Qemu and QemuPuppy but only towards a less experienced person because most average Linux users are at an elite power user that things like how many RAM to allocate and how to backup and export virtual HDs would be 2nd hand to them.

Also I'd be careful with using the words fully. To my knowledge, I could never figure out how to set up the fully functioning drivers that allows Virtualbox to support better gaming. I read somewhere that guest additions have to be installed in safe mode but I could never figure out what it really means where as something like QemuPuppy, the option doesn't even pop out when I last tried it. It's literally like a portable app to it's most basic sense. The only confusion is how to put it to a certain boot device but anyone can click on it and open QemuPuppy. Even users who are totally ignorant of anything virtual machine related.

[40hz]

@PK - A couple of minor points...

Yes but since both Qemu and VBox don't need rebooting and are virtual machines, that's not the issue here.

-Paul Keith (September 07, 2012, 08:23 PM)

I was adding my +1 to skwire's comment about virtual being the "least invasive way" to go and reinforcing that virtual was actually the only way to do that. When you commented "Well it depends on what only virtual machine way means." I thought there was still some question as to whether there was another way to attain the goal stated in the OP. To which I gave a very blunt answer. If I misunderstood your comment, please excuse me.

Also I'd be careful with using the words fully.

-Paul Keith (September 07, 2012, 08:23 PM)

I'm using the word "fully" because I have no other way of expressing what I thought was meant by phrase "100% functional" in the original post. I don't need to be careful with it. It wasn't my request. Just my summary of one of the goals made by the requester.

And... I think I'd best leave this discussion for others since I'm beginning to suspect I no longer "get" what's being discussed at this point.  

------------

@kalos - Luck!

[Paul Keith]

Oh there's no misunderstanding. It is I believe more of a question of experience. In fact I haven't fully experienced the experience myself.

Comprehension really all depends on whether one has experienced a Qemu of a lightweight distro versus an advanced/textbook VM such as Virtualbox. It is really as clear as realizing a portable app responds much faster and is "installed" much faster and conveniently than say an equivalent alternative software that is memory hogging.

The same can be said for fully. If one has experienced say trying to play a modern videogame on a guest Windows OS and have that game not play, the idea of a full virtual OS would be far different than merely the concept of a functioning OS.

It would be the same as if trying to tell a Windows user that Linux is a 100% functioning OS only to reveal to them that X windows software is not available on Linux. Most likely the distinction of functionality wouldn't be lost on them on the technical side but on the practical side, you wouldn't convince them that it is a fully functioning OS because they would not have the skills to build or access a particular feature which they have taken for granted in a fully functioning OS.

With things like a guest copy, it is especially of great importance to separate such distinction. At least, I think so. It is after all at the heart of what one expects from a copy. No one should be expected to be tricked into believing a ripped copy is a full copy and no one should be expected to believe that a 50% VM of an OS is in actuality a full 100% functioning VM. Even for Live CD copies this can be dangerous. There are Live CDs where because you can't test install the additional drivers without installing the actual OS on a HD would lead to screen flickering and it would be easy to mistake it as the full OS only on a CD and give up on it all together.

[tomos]

Was trying to find out more about Qemu Puppy and found this brief summary with links to instructions in the portableapps forum. (Not using it myself, just curious).

http://portableapps.com/node/27118

Skimming a couple of the links, IIUC it seems you get a virtual OS that isn't recognised by the main OS - so if you want to access the main OS you go through the virtual OS as opposed to the other way around. Which seems okay.

[rgdot]

off topic and newbie question

Can one 'easily' use Basket Note Pads with Puppy or Damn Small Linux?

[40hz]

-rgdot (September 08, 2012, 12:02 PM)

@rgdot: Not easily. Because you'd need to install all the package 'dependencies' for Basket as well. Since Puppy and DSL are designed to be small and fast, and Basket Note Pad was originally designed for the KDE desktop environment, it's very unlikely you will have the requisite dependencies already loaded. And odds are good you'll need to get involved in compiling some pieces of software besides remastering the iso image in order to get Basket to run under either...

Not to say it would be impossible. But it definitely wouldn't be a project for somebody new to either distro.

[rgdot]

@40hz, thanks, I suspected as much. Was hoping to try it on something other than playing with larger installs and VMs.

[rgdot]

.

[kalos]

VMWare and such are very slow

my solution would be to utilize live cd's, but without running them from a cd player, which makes them sluggish

is there a virtual cd player that can load a live cd?

[40hz]

VMWare and such are very slow

-kalos (September 13, 2012, 04:42 PM)

That depends largely on the machine and available RAM.

my solution would be to utilize live cd's, but without running them from a cd player, which makes them sluggish

is there a virtual cd player that can load a live cd?

Think about it... A virtual cd cannot create a separate OS environment because the cd player itself is running under the same operating system it's loaded on. So to go back to a previous post, you can only have one OS in control of a physical machine (i.e. one that is hardware.)

So unless you put the second OS on some sort of virtual machine, it can't be done. Sorry.

-----

Did you try running Linux from a USB2 key yet? That's much faster than optical media once it boots up.

[Shades]

Link to externally hosted screenshot of Portable Ubuntu Remix and Another screenshot.

Kalos should really consider running Portable Ubuntu. The screenshots hidden behind the links above show what it looks like to have Windows XP and Ubuntu running at the same time. Exactly what he wants. It doesn't require any messing about with Virtual Machines and it runs fine on a P4 3GHz, 2 GByte of RAM and a Sata2 harddisk. Ran such a setup for about six months without any problem on either (OS) side. Sold the PC afterwards after showing this to someone.


Then again, in my own personal opinion, virtual machines are the way to go, if you don't have spare hardware lying around.

[40hz]

Kalos should really consider running Portable Ubuntu.

-Shades (September 13, 2012, 05:40 PM)

@kalos - I'm +1 w/Shades here.  Even if Portable Ubuntu isn't the most recent version, or being actively maintained, it does do exactly what you're looking to accomplish.

[Shades]

You can update the included Ubuntu to a higher version. That worked also right out of the box. Granted, it takes time, but hey, it that is the only thing...