Roll Your Own StealthSurfer II Privacy Stick

by David Ip  (auto209182@hushmail.com)

The StealthSurfer II Privacy Stick (SSII), advertised as the "key to portable, private surfing," is a suite of programs housed on a USB flash drive.

The programs run exclusively off of the USB drive with no installation on the host computer, allowing the user to maintain a portable set of programs (and resulting files) that can be moved securely from computer to computer.

For security purposes, the USB drive is encrypted with a password, and various security programs are included on the SSII to provide a measure of anonymity when using the Internet with the device.

There are three parts to the SSII system:

1.)  Hardware:  The USB flash drive itself.  The device, about the size of two pennies, is a standard USB drive (though smaller) which plugs into any USB port.

2.)  Software:  A suite of Windows programs that can run directly from the USB drive (no addition to host computer system required).  In addition to some proprietary SSII software that provides program updates and management, the programs include Firefox (web browsing), Thunderbird (email), RoboForm (password storage and form filling), Anonymizer (anonymous web browsing), and Hushmail (anonymous/secure email).  The SSII works only with Windows.

3.)  Security:  A third party encryption/decryption program is used to secure the data on the device.

As of this writing, the cost of the SSII ranges from $89.29 for the 128 MB version to $269.29 for the 1 GB version, plus shipping.  The suite of programs is the same on all sizes of the device.

To "roll your own" SSII type device, all you need is a USB flash drive, some programs, and a security method.  Let's look at each part of the SSII individually, along with possible free or open-source alternatives.

Hardware

The USB drive, manufactured by Power Quotient International (PQI) and marketed as the Intelligent Stick, looks like any standard USB drive, only smaller.

It is a USB 2.0 compliant device that has been miniaturized by eliminating any large outside housing as well as the protective metal shroud around the USB pins.  Though an adapter is not required for proper function, one is provided, giving the device additional protection as well as a standard, metal-housed USB plug.

The Intelligent Stick USB drive is available from many major retailers and is typically sold online for approximately $75, including shipping, for the 1 GB version.  No driver is required to mount the device on Windows 2000/XP systems; however, the included encryption software requires a driver to be installed.

Software

Most Windows programs litter the hard drive with installation files and other garbage.

As such, special "portable" versions must be used which, among other things, do not litter the host computer's hard drive with files.  Also, since USB flash drives are much slower and smaller than a typical hard drive, special optimizations are used in the portable programs (low/minimal disk access, smaller compressed program sizes, no caching, etc.) to minimize disk space and maximize performance.

Portable versions of Firefox and Thunderbird, as well as other portable programs (AbiWord, OpenOffice, etc.), can be found at www.portableapps.com.  Firefox and Thunderbird together require approximately 26 MB of drive space, not including any plug-ins, bookmarks, or email files.

Secure web surfing is accomplished through the use of Anonymizer software.

The cost of a one year subscription to Anonymizer anonymous surfing software is included with the SSII.  The price of this subscription is currently $29.99 (regular price $59.99).

The Anonymizer service provides a secure encrypted SSL link between the user's web browser and the Anonymizer servers, which then pass on the requests unencrypted to the rest of the Internet.  There are a myriad of other free or low-cost services which provide similar functionality, such as the-cloak.org, Guardster, etc.  The freely available Torpark combines the secure capabilities of Tor (The Onion Router, tor.eff.org) along with the Firefox browser.  Using Torpark provides both a portable browser and a secure browsing environment.

RoboForm, in its Pass2Go portable version, is free when used for fewer than ten logins; otherwise it costs $39.95 for unlimited logins.  There are other free or lower cost programs which provide similar functionality, such as KeePass, AnyPassword Pro ($24.95), Password Gorilla, etc.  All can be copied and run from a USB flash drive for portable password management.

Hushmail provides secure PGP encrypted email between Hushmail users.

PGP encryption and management of public/private keys is handled by the Hush Encryption Engine (with keys stored on Hush servers) and takes place transparently between Hushmail users.  The basic Hushmail service is free (with limited storage), however several caveats apply: users of the free service must deal with advertisements in their mail window; users must log in at least once every three weeks or the account will be deactivated (and deleted after six months); the Hushmail encryption software is Java-based and as such requires a Java Runtime Environment (JRE) to be installed on the host computer.

A one year subscription to the Premium Hushmail service (currently $29.99, regular price $49.99) removes the advertisements, eliminates the required three week minimum login, and adds 64 MB of storage space.

It is possible to manage public PGP keys (keys are stored on the Hush network) using Hushtools.  If secure email is required, a portable version of Thunderbird which includes GPG+Enigmail capability is available.

Security

The SSII uses the U-STORAGE encryption and password protection software that is included with the PQI Intelligent Stick.

The U-STORAGE program creates two partitions on the USB flash drive, one public and one secure.  The public partition is visible when the USB drive is plugged into a Windows 2000/XP computer.

When U-STORAGE (on the public partition) is run, the secure partition (which is hidden) is decrypted and mounted and the public partition is set to read-only.  Further encryption/decryption happens transparently as the secure partition is used.  This software is unique in that the secure partition is completely hidden from the Windows operating system unless the password is entered; it is even obscured from partitioning software such as Partition Manager (only the public or secure partition is visible at any one time).

However, U-STORAGE is not without its downsides: it requires administrative privileges to run, which makes its usefulness with public, non-secure computers limited.

Also, since the U-STORAGE software is a product of OTi, maker of USB flash drive chipsets, a USB flash drive with an OTi chipset is required to install the U-STORAGE driver and software.

Fortunately, many generic flash drives utilize an OTi chipset.  The U-STORAGE Windows 2000 driver recognizes the USB idVendor string of OTi (hex 0x0EA0) and USB idProduct string 0x6828 or 0x2618, which correspond to the OTi 6828 and 2618 chipsets.

In order to find out the Vendor ID and Product ID of any USB flash drive, it is a simple matter to go into "Device Manager" and check the "Details" tab (Hardware IDs) under the device "Properties".

Alternately, the program USBVIEW.EXE (found on a Windows 98 CD) can be used.  If the corresponding Vendor and Product IDs can be found, then the U-STORAGE software can be used.
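
As an added example (not part of the original article or of the U-STORAGE software), the following Python code checks hardware ID strings copied from the Device Manager "Details" tab against the vendor and product IDs listed above.  The function names and the sample strings are constructed for illustration; note that the USBSTOR IDs shown for the disk node carry no Vendor/Product ID at all, so the IDs must be read from the USB device entry.

```python
import re

# IDs the article lists for the U-STORAGE driver: OTi vendor 0x0EA0,
# products 0x6828 and 0x2618.
OTI_VENDOR_ID = 0x0EA0
USTORAGE_PRODUCT_IDS = {0x6828, 0x2618}

# Windows hardware ID form for USB devices: USB\VID_vvvv&PID_pppp[&REV_rrrr]
_HWID_RE = re.compile(r"^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})(?:&|$)", re.IGNORECASE)

def parse_hardware_id(hwid):
    """Return (vendor_id, product_id) as ints, or None if the string
    carries no VID/PID (e.g. the USBSTOR\\Disk... IDs of the disk node)."""
    m = _HWID_RE.match(hwid.strip())
    if not m:
        return None
    return int(m.group(1), 16), int(m.group(2), 16)

def ustorage_compatible(hwid):
    """True only for the OTi vendor ID paired with a listed product ID."""
    ids = parse_hardware_id(hwid)
    return ids is not None and ids[0] == OTI_VENDOR_ID and ids[1] in USTORAGE_PRODUCT_IDS

def check_devices(hwids):
    """Map each hardware ID to 'compatible', 'other chipset' or 'no VID/PID'."""
    report = {}
    for hwid in hwids:
        if parse_hardware_id(hwid) is None:
            report[hwid] = "no VID/PID"
        elif ustorage_compatible(hwid):
            report[hwid] = "compatible"
        else:
            report[hwid] = "other chipset"
    return report

# Constructed sample strings, in the form Device Manager displays them.
SAMPLE_HWIDS = [
    r"USB\VID_0EA0&PID_6828&REV_0200",
    r"usb\vid_0ea0&pid_2618",
    r"USB\VID_0EA0&PID_1001",            # constructed product ID, not in the list
    r"USB\VID_1234&PID_6828&REV_0100",   # placeholder vendor ID
    r"USBSTOR\DiskGeneric_Flash_Disk___2.00",
]

if __name__ == "__main__":
    for hwid, verdict in check_devices(SAMPLE_HWIDS).items():
        print(f"{verdict:14} {hwid}")
```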

Another program which can be used to encrypt a USB flash drive, and appears to work with most any generic USB flash drive, is the FORMAT.EXE program for OCZ Rally brand flash drives.

The system is similar to that of U-STORAGE, however the password is limited to four characters.  With the OCZ formatting program, even though the hidden (secure) partition is not visible, it is possible to format the device without entering the password.  This is generally a limitation of all encryption software, since the encryption is not being performed on a hardware level.

There are other "on-the-fly" encryption/decryption programs available, most of which work with USB flash drives by creating a volume file (encrypted file on a device) which is then mounted and used as a normal hard drive.

All programs and sensitive data are stored on the volume file and encrypted/decrypted on the fly.  Two popular open-source programs are TrueCrypt and FreeOTFE.

Both programs work with volume files or entire disk partitions.  So, depending on the USB flash drive used, it is possible to partition the drive into two partitions, one seen by Windows and the other encrypted.  Note that in this case, since the encrypted partition is only being mounted/dismounted, it is still visible when using partitioning tools.

In the event that the user's USB flash drive is stolen, the appearance of an encrypted partition may arouse suspicion.  In this case, both TrueCrypt and FreeOTFE provide extra security with the use of hidden volumes/partitions within encrypted volumes/partitions.

Some dummy sensitive data can be stored on the regular encrypted volume/partition, with the actual true data safely hidden.  However, since any extra encrypted partitions are not hidden, it is simple enough to re-partition or reformat the entire device in the event it is lost/stolen.

Also note that like U-STORAGE, TrueCrypt and FreeOTFE (and almost all other on-the-fly encryption software) require administrative privileges (or a previous installation of the drivers by an administrator) in order to run.  The programs and drivers themselves can be stored on the device and loaded as necessary.  Other similar programs include Cryptainer, CryptArchiver, Dekart Private Disk, DriveCrypt, Pointsec, etc.

Putting Everything Together

The author's own personal portable web browsing/email device utilizes all free software that provides similar functionality to the SSII, with the only cost being the USB flash drive itself:

The main benefit of the SSII is its simplicity; as an all-in-one, fully supported product, updates can be downloaded automatically to the device periodically.

With a "roll your own" product, the user is left to update and manage the software on their own.  Of course, this allows a level of customization not possible with a commercial product.

Links/other information: A Simple Guide to Securing USB Memory Sticks
