Web Surfing in Public Places Is A Way to Court Trouble

We had a story come in from the New York Times reminding people that web surfing in public places Is a way to court trouble. There's nothing in the story that is anything hugely new - but it does lead to an interesting question. What's the worst "on the road" security setups you've seen?

Public computers

[spineboy]

I won't do anything on a computer that requires a password that I care about from a 'puter that isn't my home computer. It's too easy for someone else to install a key logger program, etc. I'm always amazed at the number who access their on-line banking from a terminal in the nurses lounge, etc.

I still won't access it from work from my personal office computer, cause ; 1) it runs Windows, and 2) it's on a network and the security guys are always running "updates" -who knows what's in there.

Re:Public computers

[jonwil]

SSL doesnt help when the machine you are using is running a software or hardware keylogger.

Re:Public computers

[CastrTroy]

This solution, and the one your sibling poster pointed out, do stop keyloggers, but don't stop the general case of software on the client machine that monitors what they are doing. You could just as easily write a program that records mouse clicks, and screen shots, to see what they are clicking on. Maybe just record a square 128x128 pixels centred around the cursor, and save it compressed in 16 colours so you wouldn't have to store so much information. Maybe they could just attach something to whatever module is being called to encrypt the information for sending it over ssl, so they record all the information that you are sending out over ssl. The point is, is that it's impossible for the person designing the website to protect against malicious software running on the users machine. If the machine is insecure enough to have a keylogger, it's hard to say what other kinds of software may be presesnt on the machine.

Re:Sensationalist, at least about wireless

[timeOday]

Exactly. I think this article is extremely ignorant:

Mr. Vamosi says shopping on the Web is not a great way to kill time during a flight delay. "Where I'd draw the line is putting in your bank account information or credit card number," he said

You will have a very hard time finding any online shopping site that transmits a credit card number without SSL. If you find one, you shouldn't be entering your credit card number there, either from home or at the airport it makes no difference. (All this is assuming you're using your own laptop; you can't trust a publicly accessible Internet terminal for anything). Anyways, people don't steal credit card numbers by going to the airport and sitting around waiting for somebody to send one unencrypted; they steal them by breaking into a website and grabbing its database so they can get thousands at a time. Or they buy them at a few cents per, from somebody who already did that.

Of course, the converse applies too...

[gjuk]

Should I ever need to do anything a bit cheeky, I just pop out to the street, find an unsecured wifi, and do anything I like, safe in the knowledge that the cops will have someone else's IP address, and that they'll find it rather hard to find me. Should I say that?

Re:CC numbers? Bank details? email?

[woodsrunner]

No kidding! I just sold some property and the realtor wanted me to email the title company my social security number so they could process the paperwork. I had a hard time explaining to them that I would only telephone or mail the number since email was insecure. Finally they emailed me their telephone number. I just can't imagine what a treasure trove their email account would be for identity thieves.

Re:Sensationalist, at least about wireless

[nine-times]

I tried to install Ethereal to diagnose some issues on the LAN that normal host-based diagnostics would never catch. Had to do with EBCDIC-ASCII translations, so each host always disagreed with what was sent out on the wire. IT security freaked, calling it a "hacker's tool". I explained patiently that our LAN was segmented enough that they needn't worry, I wasn't about to be stealing the CEO's password. Still no go.

You know, having worked in IT, my inclination is to say that users shouldn't be doing that stuff. You're network is segmented enough? Unless you're in charge of IT security, it's not your job to decide that. I don't know what you're background in particular was, but I used to work for an engineering firm that made software (among other things). The programmers were constantly telling us that they needed to be able to install software, that they knew how to run their own machines, that they understood software better than we did, etc. And guess what? Those were the same guys whose computers were *constantly* broken. They did tons of stupid stuff because they didn't know what they were doing. Some of the best guys were tinkerers, who had been fixing computers for years, but didn't understand that working IT is different. In a business setting, mistakes and errors can have totally different ramifications.

So I'm not saying you did the wrong thing, but that it should have been your IT staff to do it. If you have a bad IT staff, that's a separate problem, but they're right to try to discourage you from tinkering around on your own. Being your own IT person is like being your own doctor, or a lawyer representing himself in court. It's just a bad idea.

Personally, I sometimes wish I had someone else who would lock me out of administering my own machine to keep me from fucking around and breaking things.