I'm not confident, because I read this code for less than 5 minutes, but it looks like this is unauthenticated AES-CBC, complete with a padding oracle in fs_wget.c that, ironically, protects the system from what would otherwise be an exploitable integer overflow.
If I'm wrong, and there's a message authenticator somewhere I missed that makes this system secure, I sincerely apologize. It is not even a little unlikely that I'm wrong.
1. It is by Fabrice Bellard, of QEMU, FFMPEG, TCC, BPG, ... fame.
2. It runs Win2000 in QEMU in Linux in JS on your browser. Seriously. Not very quickly, but it works. See https://vfsync.org/vm_list.html ; Also X windows if you prefer.
3. The idea seems to be that you can store encrypted data in the cloud, and use it on any machine capable of running javascript, by booting into a Windows or Linux machine emulated in the browser. Obviously, it is only as secure as the machine you run it on -- but if you can trust that machine, you have an encrypted "fat" client everyone on "thin client" hardware. Dropbox lets you take your data, this lets you take your whole machine.
This guy is truly a legend. A force of nature.
"Windows 2000 Demo
It is done in an unusual way: the browser runs a Javascript VM, which runs x86emu, which runs Linux, which runs QEMU, which runs Windows. "
Why Windows 2000? Is that suddenly free or something or is it just fast enough to run in JS emulation?
There's a small industry targeting this kind-of thing but its a hosted remote desktop targeted at high value online banking users.. for example BankVault: https://www.bankvaultonline.com/
This could potentially be some kind of alternative idea I guess.
12 comments
[ 3.1 ms ] story [ 33.4 ms ] threadIf I'm wrong, and there's a message authenticator somewhere I missed that makes this system secure, I sincerely apologize. It is not even a little unlikely that I'm wrong.
Does this mean every time "secure" is mentioned on the page it should be replaced with "trivially obfuscated"?
http://www.networkworld.com/article/2223927/opensource-subne...
Maybe he just missed using Windows 2000. Then, decided to make it run on any of his machines. (shrugs)
1. It is by Fabrice Bellard, of QEMU, FFMPEG, TCC, BPG, ... fame.
2. It runs Win2000 in QEMU in Linux in JS on your browser. Seriously. Not very quickly, but it works. See https://vfsync.org/vm_list.html ; Also X windows if you prefer.
3. The idea seems to be that you can store encrypted data in the cloud, and use it on any machine capable of running javascript, by booting into a Windows or Linux machine emulated in the browser. Obviously, it is only as secure as the machine you run it on -- but if you can trust that machine, you have an encrypted "fat" client everyone on "thin client" hardware. Dropbox lets you take your data, this lets you take your whole machine.
For what I see in this page, seems that finally his PC emulator in JS has a MIT license [2]. Previously he didn't share the source code.
I don't quite understand the synchronization part of this project but this guy knows what he is doing so it might be a good project to invest time in.
I hope I will be able to host everything in my computers and avoid trusting a third party service.
[1] https://bellard.org/ [2] https://bellard.org/riscvemu/
There's a small industry targeting this kind-of thing but its a hosted remote desktop targeted at high value online banking users.. for example BankVault: https://www.bankvaultonline.com/
This could potentially be some kind of alternative idea I guess.
My speculation:
1) NT 3.51 or 4.0 would be faster, but significantly less compatible with any remotely modern software.
2) XP is significantly heavier while only being marginally more capable.
3) 95/98/ME is a horrifying amalgam of DOS and Windows code, which presumably makes demands on the completeness and accuracy of the x86 emulation.
Would ReactOS work at all though?