Security on Public Machines?
ThePopeLayton wonders: "I am currently a university student and unfortunately don't have my own computer yet. With all the key loggers and malware out there, what can I do to keep my information secure? I probably log onto 20 different machines a week and changing my password, every two weeks, on all of my online accounts seems a little too much. What can I and other public computer users do to keep our personal information secret and safe?"
I don't know what your budget is, but computers have become a commodity, laptops included (though a tad more expensive). You can get a good functional laptop with 80 - 100GB drive, 512 - 1G memory, lots of processing power for under $1000. If your budget can't sustain that, sell something! It's well worth your while.
Logging on to up to 20 different computers and conducting personal business is like finding condoms and using them, trusting previous users to have been upstanding (ha-ha) citizens. The risk is high, especially in the Windows world, which if you're accessing the public computers, you're doing Windows.
The misery potentially saved by getting your own machine is way more offset by the peace of mind and safety of your data. There is no excuse for most today to not make the investment. If you're a university student, look around for financial assistance to get a machine.
In the meantime, I'd minimize any activity where personal data in any way could be exposed and/or compromised. As to the bottom line and answer to your question: "What can I and other public computer users do to keep our personal information secret and safe?", not much really.
NOTE: getting your own machine does not assure safety, but it's a heck of a lot better than the alternative.
As far as password management goes try KeePass. Free as in speech and beer, flashdrive friendly, and darn nifty.
Debt is Hell. Get out now.
I'd think the easiest solution is to get yourself a livecd and boot one of the machines from it. Here is a nice list
There's nothing you can do if you use a public computer.
What you can do is work hard, earn some money, buy a 400 bucks computer at Walmart,
load a free OS in it, and hopefully be allowed to hook it to the college's network.
I've wanted to pick up a macbook (pro, maybe) for a while... Check out http://store.apple.com/1-800-780-5009/WebObjects/EducationIndividual.woa/6124004/wo/hX1oZOVCxcwo2FOc3gY1sTEsCYk/0.PSLID?mco=E2944D52&nclm=MacBook for the discounts Apple offers College/Uni students.
*drool*
Scott Swezey
You can't secure against someone that has hold of the machine that you're working on. The only way to be able to manage it, is to buy your own computer. Anything else is delusion.
where you are. If you go to my school (*cough, somewhere in Illinois*), we have the machines locked down pretty tight. I work for the university helpdesk -- we manage all computers for students in the dorms and the dining and housing services. We have machines locked down with bios passwords (can't boot from cd), physical locks, either locked-down Novell client OR extremely locked down windows environment (no right clicking and other such things)... not to mention video monitoring 24/7... yet I would still never use those computers for any important information. It's kind of like an undocumented hooker -- you know you can put your *information* in her, but you don't know if there's anything lurking inside of her -- even if she uses protection and claims to be safe (worst analogy ever!).
PC's are bargain-priced nowadays, stop drinking for a few weeks and save up the $300 needed to buy a working computer.
A computer once beat me at chess, but it was no match for me at kick boxing.
I'm hoping that any computers in the computer labs, library, etc have their security restrained enough so it would be difficult to get much out of it. With ports blocked all over the place, it'll take a lot of effort to get a piece of software running hidden that will send off your information. The computers are rebooted weekly/daily, I'm not sure. My school appears to use some sort of virtualization software that probably resets the machine every time it reboots, except for the saved documents folder. And then you have hundreds of other students using the same computer, and here's hoping we'll all get along and not cutthroat each other. Drop by a friend's room to conduct your most sensitive activities; I'm sure you can trust your friend, right?
I've seen cheap used computers capable of running something like Damn Small Linux for under 20 at swap meets.
I've seen new Linux PCs for under $100 on special sale and under $200s routinely.
Add $100 for Windows.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Well, unless you're a conspiracy theorist... Trust your local library. Libraries are increasingly at the forefront of protecting your rights (because no one does that anymore in Dubbya's America...)
As a tech for a local library here, we set our workstations to be usable for just about any means, and all user cookies, cache files, or anything installed erase instantly upon log off or reboot. We're not as concerned about security on the computer as we are about ensuring YOUR security as a user.
Don't be afraid to ask the Library about its privacy policies, and what it does to protect your privacy. A written policy should (in most cases) be available.
On the other hand... DON'T try using a Live CD on a public computer in a library: you're liable to have an angry tech in your face ejecting you from the premises or calling the police. Live CD's on a public terminal can be interpreted as breaking and entering under most Public Access terminal usage agreements. That's another argument in itself, but it's how we'd treat live cd usage in my library.
-Daniel
Ownyourphone.com. Custom ringtones, cheap and easy.
have their security restrained enough so it would be difficult to get much out of it. With ports blocked all over the place, it'll take a lot of effort to get a piece of software running hidden that will send off your information.
What !?!?!
Let me introduce you to my good friend, Mr. TCP Port 80 and his cousin, Mr. TCP Port 443.
Assuming the school is doing a good job of maintaining those machines, you won't be able to boot off a live cd or usb thumbdrive or anything. In which case I'd say your safest bet is to get yourself a cheap machine.
A few weeks ago I ordered a refurbished HP Athlon64 3500+ machine from ecost.com. Total cost was $401 after shipping. It had a few mobo screws rattling around in the case when I got it, but after putting those back in place, I haven't been able to find a thing wrong with it. You'll need to supply your own monitor, but that shouldn't be hard to come by. Even a broke college kid can manage to scrounge up 400 bucks after a little while.
This guy's the limit!
First, you need one-time passwords. Got a decent programmable calculator? Program in a cryptographically secure random number generator.
Second, you need a friendly server. Serve yourself some kind of terminal program. You could do server-side VT100 emulation, then transmit MPEG video back to the PC. If bandwidth is a concern, VNC could be used.
As for the keylogger: it's damn hard for an attacker to make use of this if they can't automatically determine context. A human would need to be observing you, and that requires dedication directed toward you personally. You can throw a minor monkey wrench into things if you type Dvorak on the QWERTY keyboard, then do a server-side conversion. Unless you've really pissed off the CIA/MI6/Mossad/KGB, you'll be fine.
Roll your own WinXP Live CD: http://www.nu2.nu/pebuilder/
If you poke around the various torrent sites or mIRC, you should be able to find pre-made ISOs.
Anyhow, this way you won't get any strange looks from non-techies who become suspicious of anything other than the normal Windows GUI. And you can even run as Administrator.
a live cd + USB thumbdrive and you'll have all your files & settings to go.
[Fuck Beta]
o0t!
There's no telling how many viruses are on all those mice and keyboards.
Yes, now that private means are *sooooooo* secure, I think we can just move on to public machine security. ;)
Anyone who can install a keylogger can just as easily (or perhaps more easily) install a clipboard logger. ;-)
See: SetClipboardViewer(), WM_DRAWCLIPBOARD, etc.
Load Firefox onto a flash drive and keep all your passwords stored (encrypted) on there. You'll still have to type a master password, but if you make that something that you don't use anywhere else it won't matter.
Another thing to do might be to find a SSL proxy server and use that for all your browsing, that should prevent packet sniffing, but someone *could* still be monitoring the RAM for passwords and such.
You'll never get it entirely secure, so if there's anything really important just borrow one of your friends' computers for a few minutes.
If I was in your situation I'd put KeePass on a USB stick and carry that around with me.
It is able to enter your username and password in such a way that key loggers can't pick it up.
Have a look and tell me what you think.
http://keepass.sourceforge.net/
Seriously, they are really not that expensive. Dell has brand new notebooks starting at $499. eBay has more and cheaper. Seriously, you could easily get a decent compy and install GNU/Linux on it for $300-$400.
Try running Portable Firefox off of a flash drive, or even Damn Small Linux. Then you can keep your browser cookied so you don't have to enter data into forms. Not a great solution, but still better than the basic IE on whatever you're using.
Of course, you could also just try using a Mac whenever possible. That would at least trim down the number of possible dangers.
In Soviet Russia, backwards is everything.
53 is easier to handle. Where I work, it is limited to local DNS servers doing lookups via a specific set of upstream DNS servers. Everything else on 53 is blocked.
DHCP points all workstations to the local DNS servers.
443 is your best bet.
A house divided against itself cannot stand.
No one seems to have pointed out the obvious. Look for an option to "clear history" or "logout" when you are done using a public kiosk. (I know my company's kiosk software has the feature. I'm sure some other kiosk software have similar options, albeit not running a secure linux kernel like us. :) We actually do a complete browser restart to be sure everything starts from scratch; no saved history, cookies, cached images/css/js, etc. and also have an idle timeout which does the same.
;) (yes, they used to limit cpu time per user way back in the 90s and our login names were our social security number with just the last digit swapped for a letter)
(yeah, yeah, shameless plug for firecast.
Of course, there is no way to protect from a boot and root and someone running their own software without well secured hardware, but at least being sure to logout protects you from the more likely problem of someone else using the machine right after you.
My, um, friend, used to gain extra cpu time for MUDing by walking in to the university lab and being greeted by a prompt.
Frankly, IIRC correctly your average retail store's receipt (especially store credit card applications) tend to have more personal information than most of what people do on a computer. I don't see retail stores shredding their trash. Dumpster diving and social engineering are probably the most numerous causes of identity theft today. (Yeah, all it takes is one really good hack to harm a lot of people.)
What do you mean my sig is repetitive? What do you mean my sig is repetitive? What do you mean....
http://www.projectblackdog.com/
Carry it with you wherever you go.
Plug it in via USB.
Authenticate using your fingerprint.
Use it on the most compromised public terminal.
I've never used one.
Religion is poison to rationality, and we lose sight of that at our own peril. -- Lurker2288
I got an IBM ThinkPad 600X laptop on eBay for $150, including shipping. Installed Kubuntu on it -- works great!
Are you a Looter or a Producer? (I'm a Producer...)
I assume you're going to school for computer science ... if so ... you NEED your own Linux box in order to do experimenting, learn new things, perform research, etc. You can get a Barebones box off pricewatch for literally $200 or so (so I'm sure you can afford this ... credit card if anything). Then go to any other student in the computer science department ... ask for a linux distro cd (ubuntu, debian, etc.) ... and odds are they'd jump all over it ... they'd probably even come over to your dorm room and install it for you (that's just what they like to do). Then boom, you're all set ... enjoy working from your dorm room ... and stay out of those public labs.
script kiddies have had access to a plethora of off the shelf rootkits for some time. There's even one they can install just by putting a SonyBMG music CD in the machine for a few minutes.
=+P
Okay, so the sony one won't obfuscate processes, but wandering around the darker corners of the 'net will find you plenty of free or cheap commodity rootkit kits.
Students should have their own computers. I remember having to work my ass off one summer to afford my first computer in college, and I couldn't afford a printer so I was always having to run to the lab fifteen minutes before my English Composition GE class to print out my essays. Fortunately I was able to stop using printers once my course load switched completely to CS. My point, however, is that if I could earn the $2k needed for a decent computer ten years ago working a summer at a boy scout camp, then you can earn the $500 needed to buy a Dell Back-To-School special today. Go ahead, try to prove me wrong.
That being said, I know what it's like to be without an internet connection or a computer of my own for extended periods of time. My solution was to get a shell account on a departmental server and carry around a floppy with putty-ssh and a private key. Keyloggers can pick up my private key password, but they won't be able to log in to the server without the private key itself. These days do a simple s/floppy/usbfob/ and that's pretty doable. Also, keep a (free as in beer) webmail account which you use for non-sensitive communications in case you need to contact someone from a public terminal that seems sketchy.
OK, I'm not paranoid enough to have done this, but I would set up a VNC session that only accepted local connections (via an SSH tunnel).
Then use Port-a-PuTTY to connect and tunnel VNC to your box using passphrase authentication.
This way, the keyloggers only get the passphrase used to protect your Port-a-PuTTY's private key that (hopefully) stays on your thumbdrive / CDR. Perhaps there's some way to configure PuTTY to use a separate gold card that generates a rotating password.
Of course, you'd have to have your VNC session set up with a browser running that already remembers all of your passwords, so you don't have to enter them again through your unsecure keyboard.
Anyway, link to Port-a-PuTTY:
http://socialistsushi.com/portaputty
I recommend tightvnc on *NIX and UltraVNC + cygwin's sshd on Win32
The only way I can think to improve upon this setup would be to just reboot the kiosk under a livecd like Knoppix, but of course this isn't always an option.
Agreed. I've yet to find an IT department anywhere -- educational, corporate, or otherwise -- that didn't have a back room somewhere that was stacked with old PCs collecting dust.
If you act friendly and approach someone in charge when they're in a good mood, maybe you could get a "permanent loaner" to use until you can afford your own.
Computers are getting harder and harder to get rid of, and particularly desktops are not something that people exactly enjoy carting around. If you offered to pick one up from wherever the graveyard is, you might find your lack of computer issues immediately solved.
Of course, it probably won't be a very new computer, and if you're unlucky it'll be broken (but assuming you have access to a few of them, it's not hard to swap parts and cannibalize yourself a working unit, even if they've seen much better days). The main problem will be finding software to run on it; in that department I recommend grabbing yourself a minimal Linux distribution, although I suppose if you hunt around you might be able to find an older copy of Win98 or W2K. (Probably illegal, if it's OEM...)
I know this sounds cheesy, but sometimes you have to take your low budget and instead of viewing it as a limitation, look at it as a challenge. You have $0 (or $20, or whatever), and you need a computer. That's not an impossible proposition. You're not going to get anything that's going to impress people with its HL2 framerates or run WoW, but you'll definitely get something that you can word-process, browse the net, and do email on. Enough good computers are thrown out each day that I can guarantee that.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
As long as we're talking about sources for used systems, I'd like to plug Retrobox, who despite their obnoxious use of Javascript on their website, sell refurbished computers -- sometimes very nice ones -- for very reasonable prices.
I picked up a HP P4-based xw5000 "Workstation" (certified to run RHEL) with a dual-head NVidia Quadro4 NVS graphics card about six months ago for $280. Works great; use it every day. Sure, in the winter it also serves as a space heater, but it does what it's supposed to do.
Right now they have desktop PCs from $9 (for a Compaq Deskpro, 266MHz Celeron and 6.4GB HD) to $280 (an HP Pavilion P4 2.8GHz, 500MB RAM, 80GB HD). They also sell laptops and servers.
My experience with them was very positive -- the only catch is that they actually refurbish the machine AFTER you order it, so be prepared for a delay before it ships. Like, at least a week or so before it goes out their door. However, in return you get a unit that's cosmetically nice (at least mine was), has a clean drive, and is well packed. Drop your favorite *NIX on it, and away you go.
At least for most people with jobs, computers are now something that you get to decide how many you want, rather than how many you can afford / whether you can afford.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Mod me -1, Redundant, but the last time I looked (over 2 years ago), you could buy a decent used laptop for less than $400. Now you can get new ones for that much from Dell. And that's a laptop, not a desktop, which, with Wal-Mart selling new desktops for under $200, are even cheaper.
Get yourself a used 1GHz, 512MB RAM, 60-80GByte HDD desktop and a cheap used CRT. This shouldn't total more than probably $100 or so, if that. This rig will get you through any classes a university will throw at you, barring possibly some engineering or graphics-design applications (e.g. Matlab, AutoCAD for the former, Photoshop for the latter).
Certainly it will suffice if you are a Computer Science major or a major in any of the non-technical fields...
Is Capitalism Good for the Poor?