Web Surfing in Public Places Is A Way to Court Trouble
We had a story come in from the New York Times reminding people that web surfing in public places is a way to court trouble. There's nothing in the story that is anything hugely new - but it does lead to an interesting question. What's the worst "on the road" security setups you've seen?
I remember sitting behind (I discovered later) an attorney on a business trip once. It was business class, and he had laid out all around him paperwork and documents busily reading and making notes. In addition to being behind him, I was beside myself with curiosity -- what kind of "stuff" would an attorney read on a plane?
I succumbed and started reading. Interesting, I was reading the IPO strategies and schedules for a startup company in the bio-medical field. And coincidentally in minutes I realized these were notes for the IPO of a bio-med company I was consulting for in my personal time! Probably mostly no harm, no foul, but it was an eye-opener for me to realize what kind of information people expose unwittingly, technology or not.
While wireless could make for more surreptitious spying, it seems to me once again (just like "security") the biggest risk and danger is from the lack of due diligence... striking up a conversation in the concourse bar and saying a little bit more than you probably should would be my bet on spilled beans.
I could even think it might be safer with everyone traveling with laptops, I once did an informal (and anecdotal) caucus, and on one business trip observed about 95% of any laptop users playing solitaire or some game with their computers.
North Concourse - Baggage Claim WiFi. 100 percent open SSID. You can easily guess the password. Took 1 try for me. Then you have access to the entire net, as well as (I can imagine) some other wonderful things that I did not choose to endeavour into...
I stopped at a cyber cafe while on vacation in St. Maartin last March to check my work email, and the computer I was at had a Key Logger installed and active in the system tray! I switched to another computer and, sure enough, same thing.
The kicker--the manager of the place made the customers pay for the computer time by entering your credit card information into the computers themselves! Needless to say the only thing that kept me from leaving immediately was the 5 minutes I took to laugh in his face.
I won't do anything on a computer that requires a password that I care about from a 'puter that isn't my home computer. It's too easy for someone else to install a key logger program, etc. I'm always amazed at the number who access their on-line banking from a terminal in the nurses lounge, etc.
I still won't access it from work from my personal office computer, because: 1) it runs Windows, and 2) it's on a network and the security guys are always running "updates" - who knows what's in there.
..........FULL STOP.
The worst security? Man, it might be easier to say the best security. At a cellphone store with my brother, he looks at a blackberry and says "...it's overkill, but, probably handy if you need to get online all the time, check email etc". So, I take my PSP out of my pocket, and in about 15 seconds, I show him gmail. Every idiot seems to have unsecured wireless.
The best security ever, was with my same brother. I woke up early while staying at his place, and wanted to check my mail. I dipped outside to see what networks I could find. Everything was secured but one, and it seemed their ISP was down. So I said to my brother: "Only one jerk in this neighborhood didn't secure their wireless... and they have a flaky ISP, so I couldn't get online", he says: "Oh, that's me".
Of course, from checking my mail on the road, there are now items in my sent folder with such subjects as "Do you have the north korea nuclear salesman's number?" and "Cheap anthrax mailing services" and "Increase your volume by 6000%"
I've always wanted to marry trouble
It's fun to connect with my ipaq... then use VMNet browser to search for other machines with shares and no security... I find all kinds of "shareware" in their public folders but I do not risk getting bitten by win32 viruses since I'm on a pocketpc machine.
I have found sales documents, salary proposals, resumes and even documents discussing why or why not people should be fired from their company.
Funnypics
Have these guys heard of SSL? SSH? Can you say overkill? And who is this Sellitto guy, sounds like a liberal arts major that can't cut it in a real security field. *breathes into paperbag*
Tsunami -- You can't bring a good wave down!
It's the level of user trust. I travel to Chicago frequently, and every time I've been there recently I've seen ad-hoc networks bearing the names of some of the common hotel access points in the Loop. How many uneducated digiots actually connect to those thinking they've found the hotel's hotspot (especially in hotels that don't offer Wi-Fi!).
I use irony whenever I can, but my shirts are still wrinkled...
Is a video camera built into your glasses, with a wire that goes down into your pocket to the battery and 30GB hard drive. Hey presto, inside information that can be reviewed at a later date.
Worst I have seen is a Hellokitty branded computer in Asia that was installed in a hotel room.
It was free for guests to use and had Windows XP (no service packs) with admin.
It also came with 75 pieces of Asian spyware (not stuff I am familiar with) and a whole bunch of trojans.
The trojans were in a delicate balance, and once removed the computer stopped booting.
Assuming all the computers in the hotel were pwned to the same or a greater degree, that was about 1000 3GHz machines with insane bandwidth pumping out all sorts of garbage. Extremely irresponsible.
ALWAYS carry a knoppix or damnsmall CD with you when travelling. If the system isn't locked down enough to stop you booting linux then it won't be locked down enough to stay clean.
Wow, that's a sure sign I've had a rough weekend; my last post on Friday afternoon was a +5 Funny, and here I am Monday morning with a 0, Troll. I guess I need a hug... :-(
I left my wallet in El Sigundo!
http://www.grc.com/nat/arp.htm
It's the scariest thing I've seen since the last time I was tricked into clicking a link to Goatse.
Slashdot: news for Apple. Stuff that Apple.
It's not like they were trading invention information pre-patent, more things like memos about (small) customers. It would have cost someone more to hire a detective to snoop on them than what the information was worth.
Worst security? I was referred to a sports medicine doctor. I was early as I'd never been to that part of town before. I opened up my laptop for fun and scanned and found two networks. 1 from the gym in the building and a "linksys". No WEP, default passwords on the router, and net access. There were 7 machines connected, myself, a printer, 4 others that had no name listed, and one that had the full name of one of the other doctors in the office. I wasn't able to easily view any shares at least. I recommended he lock it down after I met with him.
packet sniffers are also used in security. They can sniff out anyone on your network and allow you to decide whether or not that person should be on the network. It all goes back to the way something is being used.
The Apple Store on Regent Street in London. People use it as a glorified internet cafe. No one in there is actually trying out a Mac, they're checking their Hotmail, bidding on something on eBay, advertising a room in the classifieds... The staff don't care what people are doing just as long as they're fiddling with the Macs. The funny thing is that if they catch you looking at their screen, they give you a look along the lines of "excuse me, I'm doing something private"
YOU'RE IN A F CKING SHOP!
The only thing that went through my mind when I first saw people taking advantage of Apple's generosity was
I wonder how many people here are actually just using these computers to do something sinister?
Summation 2
So the usual sitting in the gate waiting for the plane to board. /., The Register, various other random boards that all have the same PW etc. (Go ahead, login and post on /. as me. In fact, do that meta mod thing for me while you're at it) :)
:)
I happen to be happily on my laptop, doing those Oh so critical things like, well,
I hear the guy behind me start speaking VERY loudly on his phone.
He then tells some guy repeatedly an IP to "just login to"
I'm amused, since it sounds like it could be an external IP even, so I try it. Figure why not. It responds to ping. Hmmmm
Wondering what type of login, I get it answered, when he says, "Ok choose Domain ________ and then use administrator and 12BlahBlah for the password"
I'm like you HAVE to be joking.
No one would just shout out their windows domain admin password. Nope, I was wrong, as it happily logged in.
Oops.
(I'm not saying which company's server it was, but it was a smaller company, but not so small that they should be dumb enough to do something like that.) I also quickly disconnected, and shutdown my laptop.
Other amusing anecdotes are if you get carried away discussing work. Wife works for a DoD software contractor. They get to talking about bombs/blowing things up regularly, in fact, that's part of their job. Now, put them on a flight, and they start arguing over which type of charge would be more effective at dropping a building or how much of a yield would come from a certain explosive. For some reason, they get right back off the plane.
I am 31337 or something.
Robert Vamosi, Senior Editor at CNET, you are an idiot. (Or maybe Susan Stellin is a terrible journalist - I suspect both.)
Saying entering your credit card number on a public computer is dangerous because someone's watching network packets is ridiculous. Just goes to show how little average users understand about online safety, despite efforts to educate them about SSL...
And they even mentioned key-loggers later on...
*gah*
It sounds safe, but you never know...
Ben Hocking
Need a professional organizer?
I pretty much always connect to my university's VPN server whenever I connect to an unencrypted wireless access point.
Mostly just so my email doesn't go over the airwaves unencrypted, otherwise I don't care much, since most sites I use that ask for passwords use SSL at least for transmitting the password.
Why is it that more sites don't operate completely on SSL, by the way? I've noticed that a lot of sites use SSL just for the password and then drop to a regular HTTP connection after you log in. Why not just keep the encryption for the entire session?
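The practical answer to the question above is that once a site drops back to plain HTTP, the session cookie issued at login is what a sniffer on the hotspot wants, and unless that cookie carries the Secure attribute the browser attaches it to every plain-HTTP request. The following is an added example, not code from the poster or from any site named in the thread; it audits constructed Set-Cookie headers with Python's standard http.cookies module and simulates the browser rule that decides which cookies ride along on an http:// request.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers (not taken from any real site): the first is
# the kind a site that drops to HTTP after login might issue, the second is
# the hardened form.
WEAK_HEADERS = ["session=abc123; Path=/"]
HARDENED_HEADERS = ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]


def _morsels(headers):
    """Yield (name, morsel) pairs parsed from a list of Set-Cookie header values."""
    for raw in headers:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            yield name, morsel


def audit_set_cookie(headers):
    """Return one finding per cookie listing the protective attributes it lacks."""
    findings = []
    for name, morsel in _morsels(headers):
        issues = []
        # http.cookies stores flag attributes as True when present and "" otherwise.
        if not morsel["secure"]:
            issues.append("missing Secure: sent over plain HTTP too")
        if not morsel["httponly"]:
            issues.append("missing HttpOnly: readable by page scripts")
        if not morsel["samesite"]:
            issues.append("missing SameSite")
        findings.append({"cookie": name, "issues": issues})
    return findings


def cookies_attached_to(headers, url_scheme):
    """Names of cookies a browser would send on a request over url_scheme.

    Browsers attach a Secure cookie only to https:// requests; everything else
    goes out on http:// as well, which is exactly what a hotspot sniffer sees.
    """
    attached = []
    for name, morsel in _morsels(headers):
        if url_scheme == "http" and morsel["secure"]:
            continue
        attached.append(name)
    return attached


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_set_cookie(headers))
        print("  on http://  ->", cookies_attached_to(headers, "http"))
        print("  on https:// ->", cookies_attached_to(headers, "https"))
```

Run it and the weak header shows the session cookie travelling on the http:// request while the hardened one does not; the site still has to stay on HTTPS for the content itself, but the Secure attribute is what stops the login cookie from leaking the moment the site drops to HTTP.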
I'd have a hard enough time finding an online store I would like to buy anything from that doesn't utilise encryption for the credit card process. Finding a bank that would allow me to give my credentials in cleartext would be even harder.
The big issue is probably email which most people still access without encryption.
One can count at least seven unsecured wireless routers, presumably sitting in people's houses since this is a fairly residential area. I'd have to say that for some folks, the least secure setting might be the one that literally offers all the comforts of home. What can they be thinking? I guess the trouble is they're not thinking.
"Here's what's happening. You're starting to drive like your Dad..." - Red Green
These software programs are called packet sniffers and many can be downloaded free online. They are typically set up to capture passwords, credit card numbers and bank account information...
Sounds scary. Maybe there oughta be a law. On the other hand, since when did a tool like, say, tcpdump, typically used for networking troubleshooting, monitoring and analysis, become a tool that's "typically" used for something else?
I have to wonder. The quality of writing in a publication like The New York Times is above and beyond what one would expect from a local rag. Everybody reads it. The world's movers and shakers read it, and contribute to it. It's for the elite, by the elite, but this is lowest common denominator stuff.
If not a non sequitur, at least on par with what passes for news coverage and/or editorials on Fox News. The only thing missing is a discussion of social networking and sexual predators.
At this rate, I expect the Leo Laporte to win a Pulitzer.
If you're sitting at a coffee shop and surfing the net, not too much trouble. However, places like the waiting room at an airport are more liable to such intrusions. Perhaps, the MIT campus? Although unlikely, kids are probably poking for fun.
In the worst case download something like Ethereal or some other software and monitor the traffic! Yipee!! What fun!
When you shop on the web, nearly all online stores will be encrypting your credit card and other information needed to checkout. There may be some debate as to whether they implemented it properly and one should use caution but in general SSL is gonna have you covered. Checking your email, at least with a POP3 client, is among the worst things you can do on an unsecured hotspot because far too many email services still don't use encryption for the password exchange. In addition very few email services, POP3 or webmail, encrypt the messages, so basically if you are reading your email, so is someone else. Email is one of the few services that you can still expect to see someone's password come up in plaintext. Even AIM doesn't do that anymore, although the messages are in plaintext unless SecureIM has been turned on for you and the person you are chatting with.
Should I ever need to do anything a bit cheeky, I just pop out to the street, find an unsecured wifi, and do anything I like, safe in the knowledge that the cops will have someone else's IP address, and that they'll find it rather hard to find me. Should I say that?
How many people, knowing they were on a very hostile network, still logged into slashdot, livejournal, ftp sites, webmail, all in the clear...
I like music
No kidding! I just sold some property and the realtor wanted me to email the title company my social security number so they could process the paperwork. I had a hard time explaining to them that I would only telephone or mail the number since email was insecure. Finally they emailed me their telephone number. I just can't imagine what a treasure trove their email account would be for identity thieves.
I find it amusing that people believe that they can login and play World of Warcraft anywhere - gaming cafes, etc. - and then are shocked that their accounts are hacked by keyloggers.
Not sure if it's naivete, or simply an absence of logic. Yes, one would HOPE that such sites routinely sweep their systems for unauthorized software, but frankly, short of re-imaging the hard drive after every user, I'm not sure how they could entirely prevent it.
-Styopa
FTW
Help me take back Slashdot. When did 'News for Nerds' become 'FUD and Conspiracy Theories for Extremist Nutjobs'?
Back in the 80's when terminals and mainframes still ruled universities (don't know if they still do) students in CS classes still had to use the public terminals to do school work. Many of the students (especially in the introductory courses) seemed to be incapable of remembering to log out. The terminals were VTs so they didn't time you out or lock the screen. I was regularly logging people out when I saw them grab their stuff and leave. I finally got sick of it and started encouraging them to log out by, say, changing their default process name on the VAX to "{sys admin's name} SUCKS" or adding a line to their "INTRO TO CS" program that printed out their intention to hurt the president of the US. Don't know if it improved security but it sure amused me.
I had a few problems with the article:
- I don't think the article made it clear enough the difference between using your own laptop versus using a kiosk. Obviously, never enter ANYTHING, even your name, into a kiosk. Period.
- When you are using your laptop in a public hotspot, only enter personal information on web sites that use SSL. That excludes Slashdot, MySpace, and many web-mail sites... but still allows the use of many well designed and secure systems (Amazon, PayPal, eBay).
- Using a VPN absolutely eliminates the danger of sniffing, even if the "VPN" is merely SSL webmail.
However, the biggest omission is mentioning the danger of using a Windows laptop on a public network-- just turning it on! Remember Blaster, et al.? Try running Ethereal at a busy hotspot-- not only can you see user names and passwords, but you can watch as infected Windows laptops attempt to wiggle in using Windows network stack bug <insert favorite zero day exploit here>. Imagine if the infection attempt was successful, and you brought that laptop back to the office, inside the corporate firewall. Yes, that's right, it's all about YOU here.
stabbing yourself in the eye with a knife could lead to blindness
I have done some similar work, and yes they do ask if this is enough to protect themselves against an experienced hacker. Basically, I tell them this is only enough to protect you against the average wardriver. Being security savvy enough to know that if there is a will there is always a way, I am usually quite frank with my clients. However, there needs to be a will. Is there any reason in particular that someone wants YOUR network and the information on it? There might be, but for most of the clients I did this sort of work for, there really wasn't. The fact of the matter is, if you even have a weak WEP key, the fact that you have something at all is enough for a wardriver to go elsewhere if there is an abundance of unsecured networks. Whenever I'm trying to pick up some internet access on the go, I don't bother trying to connect to the network with a uniquely named SSID and WPA enabled. I instinctively go right towards "linksys" with no security (And if I'm feeling like an asshat, I'll change their router's password, MAC address filter everyone but myself and change the SSID to something that will piss off the owner). How many of you out there like to park your car next to a Mercedes or flashy sports car under the assumption that given the choice, the car-jacker will choose the nicer car?
"It's not whether you win or lose, it's how drunk you get." -- H. J. Simpson
I never use internet kiosks where you have to pay to use the systems. Ever. I can not for the life of me fathom a circumstance where I couldn't just wait until I got home to check something online. Bank account balance? ATM. E-mail? Mobile phone, or just be patient and wait.
Student Manager - Take control of your education!
Agreed. IME the places where you're most likely to be asked to email credit card numbers are smaller organisations and organisations which still do a lot of business face to face - places where the person you're dealing with can't say "Do it through our website".
My g/f booked a small hotel recently and they asked her to email a credit card number across. Thankfully she refused, but apparently the hotel was rather surprised at this.
What if you're traveling, esp. in a foreign country?
Always pay cash though.
It's not a VPN if it's not encrypted, it's just a tunnel. The Private is the important thing. A VPN is a system for creating secure private networks over 'unfriendly' or 'unsecured' networks.
Thinking outside my Head
If you are that essential to a business that you need your email while on vacation, you can afford a mobile phone and have a secretary read you the highlights. If you need network access for work while on a trip, you should have the work get you a laptop. They're cheap enough.
Help! I'm a slashdot refugee.
"lost".
The typical keyloggers I have dealt with operate as a standard process in the background. Most do not show up on the taskbar but can be stopped from the Process Manager (the Ctrl+Alt+Del applet).
The nastier ones either replace or patch the keyboard driver. Upon reboot, they run at all times and can only be found by an AV scanner (knock on wood) and/or by the log file they create. The classic infection vectors for these are rootkits, and software installation packages that have been tampered with.
You are where you are at the time you are there.
Man-in-the-middle is not that trivial, my friend.
From SANS WhitePaper:
"The advent of Dug Song's 'webmitm' in late 2000 demonstrated the feasibility of mounting an MITM attack on the protocol, but a properly configured client SSL implementation would warn the user about problems with the server certificate."
So a good SSL client will alarm, because you cannot own the correct CA certificate for the site in question, if the target site does already.
But there is some truth to your assertion, if you are of the Windows Ilk:
"One faulty SSL client implementation, Microsoft's Internet Explorer, allows for transparent SSL MITM attacks when the attacker has any CA-signed certificate."
Sweet! ANOTHER reason I can't wait to run Boot Camp and install Windows.
Thinking outside my Head
PPTP uses a hash. It's tough to crack, save very early editions, which were like wet paper.
IPSec VPNs use a seed of some kind (they vary according to the implementation) or use a temporal key.
SSL uses a nice scheme that's difficult to crunch.
NONE OF THEM, however, protect against keyloggers and their variants. If you look at the wire or air with a sniffing device, however, you'll need to have cracked whatever encryption scheme has been implemented. IPSec with a TKIP/RADIUS-based authentication method is pretty tough to break.... unless you have a keylogger someplace or you can dictionary-attack weak stuff.
---- Teach Peace. It's Cheaper Than War.
Yeah, I just assumed that whoever put it on there was an idiot Frenchman (St. Maartin has two sides, the French side and the Dutch side, and we were on the French half) who didn't know what he was doing.
hostname that resolves to www.mozilla.org, ftp.mozilla.org, or www.microsoft.com (and possibly www.apple.com) is publicly accessible without an account. It was nice when mozilla had several mirror sites I could use to download various programs I couldn't do on standard dialup. Unfortunately, now mozilla only resolves to one site.
If any mozilla developers are reading this, could you *please* add in more mirror sites to ftp.mozilla.org. I need to download OpenOffice and update my linux laptop.
This is why I always carry a Live CD with me wherever I go. So once I enter this internet cafe where they had these Windows 98 machines everywhere (jerks!!). And when I finally get ready for some secure surfing, 'X could not be loaded' !!! stupid xorg 7
Don't post if all you can do is a half-assed grammar complaint. You'll usually get modded down if you don't contribute something to the discussion. You'll get modded down less if you wait for something more compelling than an offtopic complaint.
Man, you really need that seminar!
The president of my division (about 1000 people) was flying from our main business office to our main engineering facility. When he was waiting in the airport for a flight, he overheard a conversation between 2 people sitting near him that were getting on the same flight as him. He later called someone in my office and reported back what he heard.
The people he listened to were engineers for one of our suppliers talking about the problems with a product that they were flying down to present information to us about (I was sitting in on these meetings). They were having reliability problems that they never reported to us in the way they talked about it.
You should always be careful what you talk about in public places, you never know who is around and listening.
It's not what it is, it's something else.
I got a call from my uncle recently asking if (during his upcoming trip to Thailand /w his wife) he should bring his laptop so that he could get online, or whether he might be able to connect from public terminals. After discussing what he wanted to do, he indicated that he would like to get online to do his internet banking so that they could handle any bills etc while away.
My answer was of course: neither
Doing your banking through a public terminal or even with a personal laptop on an untrusted internet connection in a foreign country is just not a good idea. With a public terminal, you're dealing with keyloggers, spyware, and who knows what else. With the untrusted connection, you're dealing with man-in-the-middle attacks, proxies, and various other issues (and a user who doesn't know that the little messages about unknown authentication are likely indicating an https hijacking attempt).
The added danger of surfing on an insecure, untrusted wifi is even bigger. I would recommend that anyone using a connection not-their-own either refrain from doing anything financial or overly personal online. In my case, I have SSH and VPN tunnels I can setup to my home server for a semi-secure connection, but depending on the location I might not trust even these.
I think an often overlooked "intrusion detection" system is the last login time feature that you'll find in a lot of online services like web email, and banks. Monitor that value and make sure you're the only person logging on. I've also asked my bank to show the IP addresses logging in (a history) but they haven't done that. I wish they would, so simple
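The "last login" check described above can be automated against whatever login history a service exposes. This is an added example, not the poster's code: it parses constructed history lines in a simple "timestamp ip" shape (an assumed export format, not any real bank's), flags logins from addresses you do not recognise, and compares the service's reported last-login time with the one you remember making, which is the mismatch the poster is monitoring by hand.

```python
from datetime import datetime, timedelta

# Constructed login history (not real data), one "ISO-timestamp ip" per line,
# in the shape a service's login-history page might export.
HISTORY = """\
2006-08-22T09:14:00 203.0.113.7
2006-08-22T18:02:00 203.0.113.7
2006-08-23T02:41:00 198.51.100.23
2006-08-23T08:30:00 203.0.113.7
"""

# Addresses you know are yours (home, office). Anything else is worth a look.
KNOWN_IPS = {"203.0.113.7"}


def parse_history(text):
    """Parse history lines into (datetime, ip) tuples, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip = line.split()
        entries.append((datetime.fromisoformat(ts), ip))
    return entries


def suspicious_logins(entries, known_ips):
    """Return the logins that came from an address not in known_ips."""
    return [
        {"time": ts.isoformat(), "ip": ip, "reason": "unknown address"}
        for ts, ip in entries
        if ip not in known_ips
    ]


def last_login_mismatch(reported, remembered, tolerance=timedelta(minutes=5)):
    """True when the service's reported last login is not the one you remember.

    A small tolerance absorbs clock skew between you and the service; anything
    larger means somebody else produced that last-login timestamp.
    """
    return abs(reported - remembered) > tolerance


if __name__ == "__main__":
    entries = parse_history(HISTORY)
    for alert in suspicious_logins(entries, KNOWN_IPS):
        print("ALERT:", alert)
    # Suppose the service shows the 02:41 login as "last login" but you last
    # logged in at 18:02 the previous evening.
    reported = entries[-2][0]
    remembered = datetime(2006, 8, 22, 18, 2)
    print("last-login mismatch:", last_login_mismatch(reported, remembered))
```

The address check only works when the service shows you the IP, which the poster notes their bank does not; the timestamp comparison works with the last-login value alone, as long as you note the time of your own logins.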
We had one guy in the lab who constantly harped on people who left themselves logged in. At the end of one class, we found that the great man himself had forgotten to log out, so we moved all his files to the end of a directory structure named something like:
my\name\is\john\smith\and\I\will\not\leave\my\computer\logged\in\ever\again\etc\etc\
Remember this was a terminal system (vax) so he did have to type in the full path (while checking to see what the next subdir was) in order to get to his files.
Other tricks included putting the last command in somebody's login script as "logout" - but the teacher got annoyed with that as he was the one who got to change several login scripts a week. I believe other tricks included setting funny prompts and other such things, but nothing overly malicious that might warrant somebody getting a visit to the Dean's office. We did have one issue with a user that had left his IM on, and some dork decided to message a bunch of people rude IMs with *my* phone number (but it wasn't my IM logged in), which ended up with me getting some interesting phone calls and a rather long conversation between said dork and the admins for inappropriate behavior after he apparently also got caught making sexual comments on another person's IM (to a grandmother and a 15-yr girl, oooops).
I did a few times while in Ireland - it was something cheap like 2 euros an hour and all the coffee you could drink. If you need to check your favorite websites or read your email it's worth it. I used the internet for a total of about 3 hours the entire two weeks I was in Ireland - the least time I've spent on the internet since probably about 1995 or so. It was worth the euros.
That said, I would never check my online banking or anything else more secure than my personal email from a machine I didn't personally own or someone I know and trust owns. People who check their online banking in an internet cafe or at a kiosk are totally insane - maybe if you could boot your own OS on the machine, I don't know if many places would let you do that though.
5 minutes?
Did you at least allow him a bathroom break during this time?
Wouldn't it be possible to kill key logging if keyboard-to-computer communication was encrypted via hardware with some form of changing key? Or is this not a good route?
P226
One word:
Knoppix
The tech school I went to had a wireless ATM in the pub.
:P. AND to top it all off, let's put it where they will be drinking.
Needless to say several of us brought in our laptops (just to see what the traffic looked like) and there it was, clear as day, encrypted PINs bouncing happily back and forth. I mean, it's bad enough to even have a wireless ATM, but to put it in a technical institute where it will be surrounded by poor students learning how to manipulate computers. That's just asking for trouble.
To understand recursion, one must first understand recursion...
Similar situation - except it was a conference call between us and a supplier (10 people in our office on a speakerphone talking to 10 people in their office). At some point we needed to discuss something amongst ourselves so we told the suppliers we were going "off the air" for a minute and put the phone on mute. To our amazement, the suppliers thought that because they could no longer hear us that we could no longer hear them. Their mic was still open and we heard the talking as if we were no longer listening. They were quite candidly discussing flaws in their equipment that we hadn't found yet, and trying to decide which imaginary ship date they were going to tell us given that their product wasn't really going to be ready for 4 more months.
Needless to say, we made the "off the air" discussion a part of every call we had with them.
None of them can see the clouds; The polished wings don't care.
What's the worst... setup?
or
What are the worst... setups?
Heil Strunk
(Do I get a medal?)
"No fear. No envy. No meanness." Liam Clancy
The University-wide Wireless: Completely insecure. Open to students, faculty, community members, and hackers. This network covers the better part of a square mile. It's huge.
The College of Computer Science: This network has two levels of security. First, you need to log in to use the access points. You can choose to log in normally or via IPSec secured VPN. The former allows only port 80 traffic, SSH and other secure communication. The latter provides unrestricted traffic flow. You can't use it at all without being a currently enrolled student, and there is no connection further than a few feet outside of the building.
Like I said: The best and the worst.
There are 10 types of people in the world. Those who understand binary and those who do not.
Yeah, there's always that... unless they have the fancy keyloggers that physically connect between the keyboard and the computer. Then you're pretty much fucked.
From my office high atop the wsanders tower in Downtown San Francisco, I can usually see 2 or 3 completely open APs.
How else would I be able to do my firewall testing?
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
Have you ever heard the phrase ``plausible deniability.''
There's always some way. This crap has happened before and it will happen again. Do you know all the CAs' authentication policies? Unless you work there, I bet you sure as hell didn't actually check with them or audit them, and unless you're a criminal you probably haven't attacked to try to see if they will mis-sign something. Without looking, can you even name 10% of the CAs that your web browser is configured to fully trust? Have you ever met any of them? Do you even have a rough intuitive sense of their "character" (as if a faceless corporation can have a character)?
99.99999% of the population just dogmatically accepts the list of approved CAs that come with their web browser. Even I do, despite knowing how foolish it is. It's not like OpenPGP where the user has to make a decision who they trust and how much. People are just defaulting, and like Rush says: "If you choose not to decide, you still have made a choice."
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
No, you unplug the bastard and pocket it. Those things retail for about $90. Can you say eBay?
This story seemed familiar... because it is from Aug 22, 2006.
It is also somewhat obvious for the technically minded Slashdot user.
Mainly though, it is a REPEAT: http://it.slashdot.org/article.pl?sid=06/08/22/1526248
Infoport
Man, you asked for it. But then you were taking the hour off.
Heil Strunk!
"No fear. No envy. No meanness." Liam Clancy
Not sure I quite follow you - you don't need the correct CA cert for the site, as your clients would be configured to already know about the root CA you're using on the proxy server, and it's a cert signed with that which is presented to the client.
In any case, as I understand from what you say, all the dodgy cybercafe owner needs to do to make that much less of a problem is ensure his PCs are running a vulnerable version of Internet Explorer. Not exactly difficult, as they're his PCs.
Though thinking about it, I reckon if the cybercafe is that dodgy, it would be about 100 times easier just to install a keylogger on every PC.
A friend of a friend was recently in Asia (don't recall whether this incident occurred in Cambodia or Thailand). He went to an internet cafe, where he had to pay in advance for the amount of time he wanted. But regardless of how much time he bought (1/2 hour in his case) the email client was set up to require you to log back in every 5 minutes. So he started hitting "save" at the end of every line.
That's a good idea. But you can get teensy little hardware keyloggers for about $50 that you plug in between the keyboard and the box, which defeat even the boot-from-your-own-media defense.
Never attribute to malice that which can be explained by mere idiocy.
Since public areas are the only areas where I've encountered real living breathing attractive people my age, I would easily part with my passwords in order to touch or be touched by one. I consider that an inherent security threat, so something must be done about it.
I've used a cafe on the Dutch side, and while the machines were pretty infected with spyware, it looked more like neglect than actual malicious intent on the part of the operators. As usual, I changed passwords before leaving on the trip and after returning, and didn't log into anything important or sensitive while there.
The kicker--the manager of the place made the customers pay for the computer time by entering their credit card information into the computers themselves! Needless to say the only thing that kept me from leaving immediately was the 5 minutes I took to laugh in his face.
You realize that any business that you use your credit card at will have your credit card info already, right? You know, since they need it to charge you and all...
When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl
back to my home network / RADIUS server. ... when using the interweb on public APs
actually I am happy to see you, however that is in fact a banana in my pocket.
The world's most dangerous network: DefCON. Everybody who attends knows it. And yet *still*, people use plaintext authentication to all sorts of services. And then they appear on the Wall of Sheep.
Better to light a candle than to curse the darkness.
Hellfire, even George Lucas seems to get it, and he's a lo-o-ong way from being technically proficient.
If you've ever been in a foreign country where you can't get your hands on an English newspaper or English TV, you'll love Google News in a web cafe. It's also good for checking stocks, sports, weather - that sort of thing.
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
From hotel rooms: I do use the hotel LAN with my laptop. I immediately create an SSH tunnel to my own server and handle mail through the tunnel. I surf the web on my laptop. I will enter name, userid, password on familiar sites with SSL protecting the connection from my laptop to the known server.
At public computers: I assume that the machine has a keystroke logger. Never enter anything remotely sensitive on such machines. Never login to anything from a public computer.
Now, I often want to print a boarding pass or a document of mine. Here's my routine: Print to PDF on my laptop, upload the PDF from my laptop to my own web server with sftp. Name these a.pdf, b.pdf, etc. The web server is set up so no one can get a file list for any directory. On the public machine, point the browser to www.mydomain.com/a.pdf and print. Later, from my laptop I'll login and delete the files.
Most airlines let you get a boarding pass with conf number and name, no login required. The confirmation number is like a one-time password. Someone was thinking.
-- Sally
That's what made it so ridiculous!
The worst I saw was a linux wireless router with default username/password and default IP addresses. Also, there was no Administrator password set on several of the machines that were connected to it. Very, very, poor security. Ed
A business in my town did several stupid things that led to disaster.
1. Run Windows 98 as your server (in 2005)
2. No passwords on anything
3. Let's install a WAP
4. Passwords are inconvenient on a WAP, turn them off
2am Sunday morning, janitorial staff notice a kid in the parking lot sitting next to his bike, typing on a laptop.
Next day, all gone. Except one rude note left on what was left of the fileserver. He basically deleted everything that he could, which was just about everything.
Darwin at work I suppose.
I work for the Department of Redundancy Department.
How many people out there have actually tried to crack someone's computer to steal information (including banking/credit card information)? Probably not many! Who of us really thinks that we're big enough and bad enough for somebody else to actually want to steal our information? By the way, most banks use SSL encryption, which last time I checked was 256-bit encryption. As far as I know online banking is VERY safe (excepting key loggers etc). Damn, I live in New Zealand and even the four major banks in this country use those card thingies that make sure the password is different every time. No one wants to steal your information, nobody cares. Get over it, get a life and get back to me if you've legitimately been the victim of identity or information theft!
Open Office- try it http://www.openofice.org
This was a little while ago, but here I am playing with my new laptop with wireless. In addition to our network, there was a coffee shop with a killer signal and another unprotected node named "linksys" - clearly a rookie with a new WAP. Of course, I poke the "linksys" node and list every stinkin' desktop, server and printer shared from a major trade association across the street which happens to run the largest consumer electronics show in the world (can you guess the association?). Some moron obviously bought himself a Linksys base station and plugged it into the internal LAN so he could use his wireless laptop.
Most of the servers were completely uncovered but I left all that alone. The only logical thing to do was print "SECURE YOUR WIRELESS NETWORK" in 24" multicolor characters on their HP DesignJet 5000 plotter in production plus several other LaserJets in important sounding offices. It was tempting to change the greeting on a few HP LaserJets' alpha displays from "READY" to "PAPER JAM". Wonder how long it would take them to find that. The wireless node was gone in two days. I could have completely blown up their network but did them a favor and dropped them a clue instead.
No no. Not for work. What if you want to check your email/blog/find hotels/etc. while traveling.
Just because it is a free service it gives nobody else the right to snoop in what other people are doing.
IANAL but write like a drunk one.
Blackberry