12 comments

[ 3.1 ms ] story [ 33.4 ms ] thread
I'm not confident, because I read this code for less than 5 minutes, but it looks like this is unauthenticated AES-CBC, complete with a padding oracle in fs_wget.c that, ironically, protects the system from what would otherwise be an exploitable integer overflow.

If I'm wrong, and there's a message authenticator somewhere I missed that makes this system secure, I sincerely apologize. It is not even a little unlikely that I'm wrong.

BTW Windows 2000 isn't terribly secure...
Under what threat model(s) does this become an issue?

Does this mean every time "secure" is mentioned on the page it should be replaced with "trivially obfuscated"?

Why would I use this instead of Tahoe-LAFS or magic-wormhole?
It carries an OS/Desktop, not just files.
The title doesn't do the linked page justice.

1. It is by Fabrice Bellard, of QEMU, FFMPEG, TCC, BPG, ... fame.

2. It runs Win2000 in QEMU in Linux in JS on your browser. Seriously. Not very quickly, but it works. See https://vfsync.org/vm_list.html ; Also X windows if you prefer.

3. The idea seems to be that you can store encrypted data in the cloud, and use it on any machine capable of running javascript, by booting into a Windows or Linux machine emulated in the browser. Obviously, it is only as secure as the machine you run it on -- but if you can trust that machine, you have an encrypted "fat" client everyone on "thin client" hardware. Dropbox lets you take your data, this lets you take your whole machine.

This guy is truly a legend. A force of nature. "Windows 2000 Demo It is done in an unusual way: the browser runs a Javascript VM, which runs x86emu, which runs Linux, which runs QEMU, which runs Windows. "
This project is made by Fabrice Bellard who is the author of QEMU and ffmpeg [1].

For what I see in this page, seems that finally his PC emulator in JS has a MIT license [2]. Previously he didn't share the source code.

I don't quite understand the synchronization part of this project but this guy knows what he is doing so it might be a good project to invest time in.

I hope I will be able to host everything in my computers and avoid trusting a third party service.

[1] https://bellard.org/ [2] https://bellard.org/riscvemu/

Why Windows 2000? Is that suddenly free or something or is it just fast enough to run in JS emulation?

There's a small industry targeting this kind-of thing but its a hosted remote desktop targeted at high value online banking users.. for example BankVault: https://www.bankvaultonline.com/

This could potentially be some kind of alternative idea I guess.

> Why Windows 2000? Is that suddenly free or something or is it just fast enough to run in JS emulation?

My speculation:

1) NT 3.51 or 4.0 would be faster, but significantly less compatible with any remotely modern software.

2) XP is significantly heavier while only being marginally more capable.

3) 95/98/ME is a horrifying amalgam of DOS and Windows code, which presumably makes demands on the completeness and accuracy of the x86 emulation.

But it isn't free AFAIK.

Would ReactOS work at all though?