Using Linux either installed on a HDD or as a Live CD is growing in popularity as a way of improving security when accessing on-line banking services, paying for on-line services by CC, etc.

I have been playing around with installing Puppy and Ubuntu in Virtual Box (the Live CD can be accessed simply as the downloaded ISO) and both work really well for such purposes on my system.

I don't know if anyone will have a definite answer but this seems like it could be a very flexible way of going on-line in a much more secure manner than directly from Windows.

The question is this: "If the Virtual Box is in the state when it has captured the mouse and keyboard then would a key logger running on the Host Windows OS be capable of logging the keystrokes made in the VM?"

Can anyone also see any other particular pros/cons etc?

The question is this: "If the Virtual Box is in the state when it has captured the mouse and keyboard then would a key logger running on the Host Windows OS be capable of logging the keystrokes made in the VM?"
I would think that a keylogger in windows could. You could use a password manager in the VM to bypass that possibility. If you never have to type it in once it is setup you don't have to worry about it.

I would also think that the host OS (windows) would not be able to access any data on Linux beyond keystrokes being passed by the host OS. Windows just can't read the file system. Don't network the host and guest. Don't enable sharing files or clipboards.

But, if we are to assume keystrokes are being passed on and can be accessed then we can also assume the output is also being passed in a similar way to the user and can possibly be accessed by the host as well. :confused:

On the surface you would think it is much safer, but it is a good question. How safe is it?

The VM runs on the host, if the host is compromised the virtual running on it have the potential to be compromised in a number of ways. I would think the keystrokes are passed from the main machine to the virtual, but to be sure you could install a keylogger and test it.

but to be sure you could install a keylogger and test itI had considered doing this and although there are lots of Google hits for Download Keylogger this is such a murky area that I was cautious about downloading, yet alone installing, anything. I will however try this out in the goodness of time on a machine I can use in isolation and then wipe clean. If there are any specific programs that anyone can recommend that would be of interest. I suppose screenshot loggers would also be something else to consider and in a way they would be even more of a worry should one get on-board the host.

The ones I have seen people use you have to buy but I am sure there are free ones out there. A keylogger is no different from any other application, as long as it doesn't contain any extra add ons of course. But there is no magic to them and your are certainly capable of seeing what it is doing after you install it. I would treat any free software with the same skepticism no matter what it is to "supposed" to do. It would be nice to have a machine to test with of course.

as long as it doesn't contain any extra add ons of courseThat's the obvious rub of course.

Fear is for the ignorant my friend. You are certainly capable of understanding ramifications and taking appropriate measures. When do we learn? When we do something new...

V

One of the reasons I have (almost) never been infected is that I have (almost) only ever used software as recommended by trustworthy sources. Fear of the unknown is, I think, a normal human instinct and important for survival in both the real and virtual worlds.

:) there is a difference between fear and caution. I suffer no trepidation in proposing you try this experiment and you should not either.

I have downloaded and ran viruses just to see how they work. How do you think those Anti-virus application admins discover how to stop infections?

Remember there is a valid reason to have key loggers... They are not magic. They are simply a software program.

V

It is valid to monitor what one's children and (depending on one's jurisdiction: e.g. it is illegal in the UK if done without employees being told about it) on what one's employees are up to but even when this is done it is hard to give it a better name than spying. It does stretch my imagination to think of other valid reasons other than to learn about such things in order to be able to preempt them.

Of course they are not magic - they are just bits of software that manipulate 0's and 1's - but so are such things as Chernobyl. Just as a jemmy or a lock-picker are burglar's tools, but yet can be used innocently, so a key-logger is a stock-in-trade item for a hacker. Hackers (as opposed to crackers) also often claim that breaking-in to other peoples systems (but done for white rather than black motives) is a valid enterprise. I have even written a program to detect key-strokes so I surely know it is not magic.

Packet-sniffing software is another area that can have equivalent white or black uses but, from experience, even with clean and recommended software of such a sort one's security programs may well warn one that they have been or are being installed. That is just another reason why I would not want to install a randomly picked utility (of any sort) from a Google search onto a main machine.

Here's how un-magic such code is. Anyone with VB can create a single form utility containing just one text box and the following code:-

Option Explicit

Private Sub Text2_Change()
Me.Text2 = Left(Me.Text2, 1)
End Sub

Private Sub Text2_KeyUp(KeyCode As Integer, Shift As Integer)
Dim strTemp As String
strTemp = KeyCode
MsgBox "Last Released Key's KeyCode" & Chr(13) & strTemp
Me.Text2 = ""
End Sub

P.S. It would not be that hard to modify things so that global key-strokes were monitored rather than entries into the text box and to log the results as key-codes and/or as text. To be occult the program would then need modifying to be hidden from the user's detection and with much greater elaboration to send the results "home". All of that would of course take a bit of time to do. Time I don't have spare at the moment. I have however used the above and very simple program to detect and help diagnose problems with keyboards - both standard and non-standard. MsgBox can be substituted by a second text box in the above code if the pop-up is an annoyance.