Web Surfing in Public Places Is A Way to Court Trouble
We had a story come in from the New York Times reminding people that web surfing in public places is a way to court trouble. There's nothing in the story that is anything hugely new - but it does lead to an interesting question. What are the worst "on the road" security setups you've seen?
http://www.grc.com/nat/arp.htm
It's the scariest thing I've seen since the last time I was tricked into clicking a link to Goatse.
Slashdot: news for Apple. Stuff that Apple.
When you shop on the web, nearly all online stores will be encrypting your credit card and other information needed to check out. There may be some debate as to whether they implemented it properly, and one should use caution, but in general SSL is gonna have you covered. Checking your email, at least with a POP3 client, is among the worst things you can do on an unsecured hotspot because far too many email services still don't use encryption for the password exchange. In addition, very few email services, POP3 or webmail, encrypt the messages, so basically if you are reading your email, so is someone else. Email is one of the few services where you can still expect to see someone's password come up in plaintext. Even AIM doesn't do that anymore, although the messages are in plaintext unless SecureIM has been turned on for you and the person you are chatting with.
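The POP3 exposure described in the comment above, as an added example that is not part of the original thread: a small auditor that reads a mail client's debug log and reports every credential or message fetch sent before TLS was active. It goes slightly beyond the comment by also handling `STLS` (RFC 2595) and `AUTH PLAIN`/`AUTH LOGIN`; the `C:`/`S:` log format, the sample sessions and the `audit` function name are assumptions made for the example.

```python
import re

# Constructed client-side POP3 debug logs ("C:" client, "S:" server); not real traffic.
PLAINTEXT_SESSION = """\
S: +OK POP3 server ready
C: USER alice
S: +OK
C: PASS constructed-password
S: +OK maildrop ready
C: RETR 1
S: +OK 120 octets
"""
STLS_REFUSED_SESSION = """\
S: +OK POP3 server ready
C: STLS
S: -ERR command not supported
C: USER alice
S: +OK
C: PASS constructed-password
"""

CRED_CMDS = {"USER", "PASS"}   # RFC 1939 login: name and password sent verbatim
MSG_CMDS = {"RETR", "TOP"}     # replies to these carry message content

def audit(transcript):
    """Return (line_number, finding) pairs for exposure before TLS is active."""
    findings, tls, stls_pending = [], False, False
    for n, line in enumerate(transcript.splitlines(), 1):
        m = re.match(r"([CS]):\s*(\S+)\s*(.*)", line)
        if not m:
            continue
        side, word, rest = m.group(1), m.group(2).upper(), m.group(3).upper()
        if side == "S":
            if stls_pending:               # TLS starts only if the server accepts STLS
                tls, stls_pending = (word == "+OK"), False
            continue
        if word == "STLS":
            stls_pending = True
        elif tls:
            continue                       # everything after a successful STLS is protected
        elif word in CRED_CMDS or (word == "AUTH" and rest.split()[:1] in (["PLAIN"], ["LOGIN"])):
            findings.append((n, "cleartext-credential"))  # base64 in AUTH is not encryption
        elif word in MSG_CMDS:
            findings.append((n, "cleartext-message"))
    return findings

if __name__ == "__main__":
    for name in ("PLAINTEXT_SESSION", "STLS_REFUSED_SESSION"):
        print(name, audit(globals()[name]))
```

The second sample shows the case worth checking on a hotspot: a client that asks for `STLS`, is refused, and logs in anyway has still sent the password in the clear.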
It's not a VPN if it's not encrypted, it's just a tunnel. The Private is the important thing. A VPN is a system for creating secure private networks over 'unfriendly' or 'unsecured' networks.
Thinking outside my Head
He wouldn't have seen/done much, as there is NO North Concourse at DIA. There's Terminal East and West (same building, different sides) and then Concourses A, B and C. Baggage is in the main Terminal.
PPTP uses a hash. It's tough to crack, save very early editions, which were like wet paper.
IPSec VPNs use a seed of some kind (they vary according to the implementation) or use a temporal key.
SSL uses a nice scheme that's difficult to crunch.
NONE OF THEM, however, protect against keyloggers and their variants. If you look at the wire or air with a sniffing device, however, you'll need to have cracked whatever encryption scheme has been implemented. IPSec with a TKIP/RADIUS-based authentication method is pretty tough to break.... unless you have a keylogger someplace or you can dictionary-attack weak stuff.
---- Teach Peace. It's Cheaper Than War.
I got a call from my uncle recently asking if (during his upcoming trip to Thailand with his wife) he should bring his laptop so that he could get online, or whether he might be able to connect from public terminals. After discussing what he wanted to do, he indicated that he would like to get online to do his internet banking so that they could handle any bills etc. while away.
My answer was of course: neither
Doing your banking through a public terminal or even with a personal laptop on an untrusted internet connection in a foreign country is just not a good idea. With a public terminal, you're dealing with keyloggers, spyware, and who knows what else. With the untrusted connection, you're dealing with man-in-the-middle attacks, proxies, and various other issues (and a user who doesn't know that the little messages about unknown authentication are likely indicating an https hijacking attempt).
The added danger of surfing on an insecure, untrusted wifi is even bigger. I would recommend that anyone using a connection not-their-own refrain from doing anything either financial or overly personal online. In my case, I have SSH and VPN tunnels I can set up to my home server for a semi-secure connection, but depending on the location I might not trust even these.