Slashdot Mirror


'Extreme Security' Web Browsing

Sarah S writes "The application security researcher Jeremiah Grossman described to CSO magazine how he takes extreme measures to stay safe online. The simplest tip he uses: two separate browsers: 'One, which he calls the 'promiscuous' browser, is the one he uses for ordinary browsing. A second browser is used only for security-critical tasks such as online banking. When Grossman wants to do online banking, he closes his promiscuous browser, opens the more prudish one, and does only what he has to do before closing it and going back to his insecure browser.'"

56 of 267 comments

  1. Not sure how "secure" this scheme is... by TripMaster Monkey · · Score: 5, Insightful

    How exactly is this strategy going to protect you from a keylogger?

    --
    ____

    ~ |rip/\/\aster /\/\onkey

    1. Re:Not sure how "secure" this scheme is... by Kranfer · · Score: 4, Insightful

      Personally, I don't think it will. A keylogger is a keylogger... I have never seen one attached to a specific browser... usually just logs everything... How can it protect you? The fuzzy pink bunnies in your mind think that you are fooling the bad people on the internet who use myspace and livejournal from getting your data and setting up a fake "you" page only to trick your friends... Or stealing your credit card #'s and buying a nice new BMW all in your name... I could use a BMW though :/

      --
      -- Josh
      "Whoopie! Man, that may have been a small one for Neil, but that's a long one for me!" - Pete Conrad
    2. Re:Not sure how "secure" this scheme is... by Library Spoff · · Score: 2, Informative

      You're correct, it's not.
      Unless the second browser is on a knoppix cd...

      --
      Acid House saves Souls
    3. Re:Not sure how "secure" this scheme is... by Anonymous Coward · · Score: 5, Funny

      Knoppix...what version of Windows is this knoppix thing? I don't understand...

    4. Re:Not sure how "secure" this scheme is... by darthflo · · Score: 4, Interesting

      That'd help.
      Unless somebody really wants your data

    5. Re:Not sure how "secure" this scheme is... by ZombieWomble · · Score: 5, Insightful
      Well, looking at the article itself (I know, I know, heresy), the point is that there are whole classes of attacks (specifically "Cross Site Request Forgery" attacks, the focus of this article) which require significant effort on the part of websites to defend against, but which are trivially defended against by having users make a point of not accessing secure and insecure sites at the same time.

      It's in no way presented as a solution to all security on the internet, but a way of addressing one specific class of problems in a simple manner with a minimum of effort. Unfortunately there's plenty of sufficiently smug people on /. who will continue to repeat this idea in this discussion without even glancing at the article.

    6. Re:Not sure how "secure" this scheme is... by hawkinspeter · · Score: 5, Insightful

      There are easy methods to defeat a keylogger though most of them rely on the server side. Asking for only certain characters from a password (e.g. characters 1,4,8 & 9); virtual screen keyboards (just mouseclicks are recorded); drop down lists to select characters.

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    7. Re:Not sure how "secure" this scheme is... by Florian Weimer · · Score: 2, Insightful

      How exactly is this strategy going to protect you from a keylogger?

      It protects against CSRF attacks (at least when done properly), which appears to be the only thing the author cares about. It seems to me that it's just some security outlet trying to gain publicity by referring to a vulnerability that has been documented for over a decade (see RFC 2109, section 4.3.5).

    8. Re:Not sure how "secure" this scheme is... by tepples · · Score: 3, Interesting

      > There are easy methods to defeat a keylogger though most of them rely on the server side [such as] virtual screen keyboards (just mouseclicks are recorded)

      That's useful as an option. But please don't force it on everybody, as not everybody has a useful pointing device. Some of us use a laptop with a slow trackpad. Others are blind, use a screen reader, and have no mouse at all.
    9. Re:Not sure how "secure" this scheme is... by Jaliyl · · Score: 3, Funny

      I use a similar scheme, I use XP in VMware for shady downloads/torrents and pornsites while my Vista install stays clean.

    10. Re:Not sure how "secure" this scheme is... by gstoddart · · Score: 2

      "How is someone going to get a keylogger on my FreeBSD box? :-P"

      # pkg_add -r some_ev0l_keylogger, perhaps?

      Well, if someone actually gains physical access to my machine without me knowing about it, manages to get past the root password, and install that piece of evil software ... it's really too late for me to worry about it now, isn't it? At that point, I have bigger issues.

      On the presumption that there isn't some highly organized, well financed team of people with a strong desire to compromise my system from within my house, I don't guard against such things. A scenario like that falls into a completely different realm, and something I don't consider likely to be an issue.

      Most of my international espionage activities are done in my sleep, so I don't have fears of INTERPOL or a crack team based in Langley coming for me. ;-)

      Cheers
      --
      Lost at C:>. Found at C.
    11. Re:Not sure how "secure" this scheme is... by Anonymous Coward · · Score: 2, Insightful

      Agree, but I would never consider a password written down near my desk at home a real credible threat. If someone is going to break into my house, they are going to take my wallet and something of value to them, not the yellow sticky on my monitor with the text "bLowmEa$$h0l3". The crimes that you see on CSI are not what happens in real life. I could probably paint my password on the side of my house and still be safer than having a keylogger installed. Which would you feel more threatened by? The specific target of that random password you have written down and physical entry, or a flaw in your OS and a keylogger?

      On that note though, I do not write my passwords on my monitor, I have them in a small notebook in the drawer! I would rather use completely different passwords for each site and write them down than use the same few passwords across all sites that I need a password for.

    12. Re:Not sure how "secure" this scheme is... by pyite · · Score: 5, Interesting

      > This will just cause people to write down their passwords.

      And what, exactly, is wrong with this? Bruce Schneier offers the following wisdom:

      I write my passwords down. There's this rampant myth that you shouldn't write your passwords down. My advice is exactly the opposite. We already know how to secure small bits of paper. Write your passwords down on a small bit of paper, and put it with all of your other valuable small bits of paper: in your wallet.

      --

      "Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman

    13. Re:Not sure how "secure" this scheme is... by geminidomino · · Score: 5, Funny

      Why even bother with a "promiscuous" browser at all? I prefer my security to be 100% at least 100% of the time. Translation: My computer is on the top shelf of my closet, the keyboard is stored off-site, and the power cord has been cut into 8 separate pieces, hidden in the 8 underworld dungeons spread across Hyrule.
    14. Re:Not sure how "secure" this scheme is... by Bender0x7D1 · · Score: 4, Insightful

      Unfortunately, there are also key loggers that will do screen captures as well. If the attackers find they are unable to capture your password after you type "www.mybank.com", they can activate the screen capture capability the next time you visit that site. Sure, it takes more storage, and longer to transmit to the attacker, but if you haven't discovered you have a key logger, you won't notice the image files.

      Once your system has been compromised, you can't assume anything. That's why Knoppix, or any other LiveCD, is a good idea when you want the added security. Since the media is fixed, even if you get compromised, it goes away when you reboot. However, if you are using a LiveCD, don't leave your machine running for days on end, or you could get compromised. Boot up, do what you have to do, and shut down. Sure, that's a bit paranoid, but it isn't paranoia if someone is actually out to get you.

      --
      Reading code is like reading the dictionary - you have to read half of it before you can go back and understand it.
    15. Re:Not sure how "secure" this scheme is... by moonbender · · Score: 4, Funny

      Yes but then again Bruce Schneier's password has so much entropy, that gzipping it results in a stream sixty four times as long. And yet he can type it with a single roundhouse kick to the keyboard.

      --
      Switch back to Slashdot's D1 system.
    16. Re:Not sure how "secure" this scheme is... by hawkinspeter · · Score: 2, Interesting

      That's a fair point - it's much more difficult to beef up security if the user is blind. My bank (LloydsTSB) uses the drop down list method to enter three characters from my super-secret password (you need a normal userid and password to get to that screen), so I imagine that screen readers would be able to speak the current letter/number and of course you can use up/down cursor keys to use the drop down list.

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    17. Re:Not sure how "secure" this scheme is... by m-wielgo · · Score: 5, Informative

      What you can do instead of using multiple browsers, is use separate Firefox profiles using MOZ_NO_REMOTE=1. I explain this technique in a blog entry, Using multiple Firefox profiles simultaneously to guard against CSRF attacks

      This technique would be almost equivalent to using multiple browsers, and I don't know why Jeremiah hasn't caught onto it. I and several others have been proposing others do the same for a while now. You can further enhance the security by running different Firefox profiles under different users. I included links to what others like Joanna Rutkowska do on Vista with IE7, Firefox, and Thunderbird.

    18. Re:Not sure how "secure" this scheme is... by ubrgeek · · Score: 2, Funny

      > Asking for only certain characters from a password (e.g. characters 1,4,8 & 9)

      That's amazing. I've got the same combination on my luggage!
      *grin*

      --
      Bark less. Wag more.
    19. Re:Not sure how "secure" this scheme is... by MobileTatsu-NJG · · Score: 2, Interesting

      > Unfortunately, there are also key loggers that will do screen captures as well. If the attackers find they are unable to capture your password after you type "www.mybank.com", they can activate the screen capture capability the next time you visit that site. Sure, it takes more storage, and longer to transmit to the attacker, but if you haven't discovered you have a key logger, you won't notice the image files.

      Well... they might see your address or account number or whatever, but most password fields are masked with asterisks.

      > Once your system has been compromised, you can't assume anything. That's why Knoppix, or any other LiveCD, is a good idea when you want the added security. Since the media is fixed, even if you get compromised, it goes away when you reboot. However, if you are using a LiveCD, don't leave your machine running for days on end, or you could get compromised. Boot up, do what you have to do, and shut down. Sure, that's a bit paranoid, but it isn't paranoia if someone is actually out to get you.

      What about using something like VMWare? Fire it up with your favorite OS. Do your important browsing. Shut it down.

      --
      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    20. Re:Not sure how "secure" this scheme is... by Anonymous Coward · · Score: 2, Insightful

      A list of passwords is indistinguishable from gibberish. Notice the GP didn't advocate writing down usernames or the purpose of the passwords. For added security, add in faux characters (e.g. third and seventh characters are fake) and faux passwords to your list.

    21. Re:Not sure how "secure" this scheme is... by Garridan · · Score: 2, Interesting

      It's pretty easy to securely store a bunch of passwords on a piece of paper. A friend / co-worker I knew had a book of poetry. He'd pick a page out of the book for every security contract, and take passwords out of rows & columns of letters. I thought this was a good idea, but it's weak in that it only gives letters, no numbers or funny characters.

      First, print out a block of random (as random as possible, anyway) characters onto a business card. Then, any time you need a new password, pick a starting point, direction, and number of characters -- this can be represented with 5 numbers. Now's where it gets tricky -- you don't want to write those numbers down, but you want to be able to remember them -- construct an invertible function, run the numbers through that function, and write the result down on the back of the business card.

    22. Re:Not sure how "secure" this scheme is... by Reziac · · Score: 2, Informative

      And use a tool like Password Asterisk Viewer (free from http://www.lostpassword.com/) to extract those asterisks... if a simple tool like this can do it, surely a sophisticated keylogger can have the same capability built in.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    23. Re:Not sure how "secure" this scheme is... by Aram Fingal · · Score: 2, Interesting

      Keyloggers can be installed at a variety of levels. They can be installed at a hardware level if someone has physical access to your machine. In software, they can be installed anywhere from the kernel level to the level of a specific application like IE. One of the most likely kinds of keyloggers for the average user to run into is the spyware/trojan browser redirect variety. These are browser-specific and will only capture what you do in that specific browser. Using separate browsers will protect you somewhat against that one kind of keylogger.

      I had an incident a few years back where one of the end users I support got infected with an IE specific keylogger trojan. It quickly became apparent because the machine was using a restricted IP address which requires proxy access with a login to reach sites outside the LAN. IE started asking for a login to the proxy server even when the user was only browsing internal sites. It took some investigation to figure out what had happened but we discovered the trojan and how its activity sending keylogger data to an outside site was what was triggering the unexpected proxy login requests.

    24. Re:Not sure how "secure" this scheme is... by baboo_jackal · · Score: 2, Interesting

      Actually, online banking has *never* implemented two-factor verification. It's just a bunch of different things that you know - password, mom's maiden name, first pet's name, etc.

      At best, they can only use this weird pseudo-2-factor thing where there's one thing you know, that others may try to obtain through various technological means - your password - and then another thing that they just kind of figger that nobody but you will probably know, and that those same "others" who may have obtained your password through technological means, won't be able to get (security questions, etc.).

      Online banking won't be able to implement 2-factor verification until card readers, or some other method to verify that you have something in your possession become standard.

    25. Re:Not sure how "secure" this scheme is... by v1 · · Score: 3, Interesting

      One system I saw reminds me of this problem. It was a touch screen that displayed a keypad. The screen was at a terminal of sorts, and there was a box drawn around the area in front on the ground in red tape. By company rules only one person was allowed in the box at a time, so if you needed to approach the door in a group, you were required to take turns and queue up in a line outside the box.

      The screen was a fresnel lens type cover, so you had to be standing at the correct orientation to the screen to read it. People behind you any distance, or off to the side even a little, could not see the screen at all. The screen presented a numeric keypad and you had to key in your passcode.

      The trick here is, the keypad was not a standard 0-9 3x3 grid. The numbers were in a 3x3 grid, but were in random places each time you used it. So anyone watching your hands to see what you pressed wasn't getting anything useful besides the length of the passcode (which was fixed at 10 characters). There was a setting to shuffle the keys on each keypress but that was found to get on people's nerves, so you could presumably figure out if a person had a pair of letters in the code that were the same, but that's not too big of a deal.

      Only thing is a screen scraper combined with a keylogger (to log mouse clicks) would still own all of this.

      --
      I work for the Department of Redundancy Department.
    26. Re:Not sure how "secure" this scheme is... by soliptic · · Score: 2, Informative

      Speak for yourself, my bank supplied me and all their online banking customers with a card reader. I believe all other major competitors in the UK banking sector do similar things.

  2. That's annoying... by Kranfer · · Score: 3, Interesting

    While I do understand what is being said about using two browsers, me personally, I would find that annoying... I only use Firefox... And opening and closing it to open say Opera or IE... that would get annoying after a while when I know there are products out there that can help protect your data while doing online banking. Speaking of which, I have been doing that since 2000 when I graduated from high school and ventured into the real world without any issues... How many of you actually use two separate browsers as described here, I am just wondering...

    --
    -- Josh
    "Whoopie! Man, that may have been a small one for Neil, but that's a long one for me!" - Pete Conrad
    1. Re:That's annoying... by FredFredrickson · · Score: 5, Insightful

      > I use IE as my 'promiscuous' browser and Firefox as my safe browser - makes sense to me. But of course, this is not the only means I have of protecting myself but it helps in one important way... It reminds me that I should be careful.

      That makes as much sense as only wearing the bullet proof vest when you're doing non-dangerous activities.

      If anything, I'd do it the other way around. Promiscuous browsing on IE will certainly get you infected (ever open a pron site with IE? I haven't in years, and I don't plan to start now - even if those exploits have been fixed). Internet Explorer is the only browser I can remember that would just let a virus download and install itself while you battled 80 popups. I understand Iexplorer7 is slightly better, but come on - that's what people are targeting, new exploits will come up.

      I do things exactly opposite. I use opera for all my browsing, and nothing gets through. Then I load up internet explorer for my online banking. (my bank requires IE). I see no danger in that, because internet explorer is clean when I do it, thanks to the fact I never use it (and I clean my system regularly) with hijack this and pv and what not.
      --
      Belief? Hope? Preference?The Existential Vortex
    2. Re:thats annoying... by gstoddart · · Score: 2, Informative

      > is this firefox, and how do you do block non-originating images? is there an extension?
      > i could really use that.

      Mozilla. It's probably an older version by now, but the Mozilla browser used to (possibly still does) have a setting which you could specify that only images from the original page would be loaded -- cuts out quite a few ads.

      Given Firefox's pedigree, I'd be willing to bet that about:config has some setting which allows this, but I can't say what it might be. Mayhaps some helpful soul will respond and say what the setting would be.

      Cheers
      --
      Lost at C:>. Found at C.
    3. Re:thats annoying... by rubato · · Score: 2, Informative

      You wouldn't need to use two different browsers, I believe, just two different 'users' on firefox, with two different firefox profiles. It's easy to set up new profiles using firefox's profile manager (under Windows: firefox.exe --profilemanager). This brings along a whole different set of cookies for the different user. (Being logged on to a site as one user would not carry over simultaneously to the other user.)

      Just double-click the desktop icon for the 'secure' user before doing online banking, etc., then close that user's firefox session when done.

      Of course, this is just aimed at CSRF attacks (discussed by TFA), and doesn't address any of the concerns about keyloggers, etc. expressed in the posts above....

  3. That's not extreme. by Anoraknid the Sartor · · Score: 2

    It is just common sense. Doesn't everyone do that?

    --
    Find Japanese addresses in English on Google Maps Japan: http://diddlefinger.com/
    1. Re:That's not extreme. by Explodicle · · Score: 2, Insightful

      You can have both usability AND security... "common sense" is to use a browser with both all the time.

  4. Better secure browsing by John Jamieson · · Score: 3, Interesting

    For more secure browsing and e-banking (at our house), we keep Knoppix CDs and DVDs beside our computers and boot with that.

  5. This is silly! by RenHoek · · Score: 3, Insightful

    The article is silly. I mean most exploits are going to have a trojan running on your machine via exploits, usually with keylogging and other nasty tricks. The only thing you can stop with two browsers is the spread of cookies or activex plugins tied to your browser. The rest are going to be active regardless and will be collecting information no matter what program you are using.

    The only way to be safe is to use an up-to-date browser (and let's say anything not-IE). And if you have Firefox, look into AdblockPlus and NoScript. If you don't want cookies to bother you, set them to this-session-only. And lastly, Firefox has a lovely "Clear private data when closing Firefox" option if you want it.

  6. "Promiscuous" Browser by aquatone282 · · Score: 2, Funny

    Hell, mine's a slut.

    But then, so am I.

    --
    What?
  7. That's nothing by east coast · · Score: 5, Funny

    I browse the web via correspondence.

    That's right. I snail mail the institutions for the answers I seek and they write me back after looking it up on the web.

    Even this post was done via correspondence. I mailed this letter to CmdrTaco a couple of days back and let him know to post my thoughts on the matter when the article hit the front page.

    --
    Dedicated Cthulhu Cultist since 4523 BC.
    1. Re:That's nothing by polar red · · Score: 5, Funny

      Doesn't protect you from the man-in-the-middle attack though ...

      --
      Yes, I'm left. You have a problem with that?
  8. The only way to do your banking safe by emj · · Score: 3, Funny

    Only use a separate computer for banking, shouldn't be connected to any network. Preferably all I/O ports should be fit with epoxy, especially the keyboard.. A large faraday cage over the monitor to prevent Van Eck as well.

    But I might be paranoid.

  9. ArticleSummary.Equals(TFA) = True by TGhostH · · Score: 2, Insightful

    Not much content there...

    Am I living under a rock because I have never heard of Cross Site Request Forgery?

    Is it known by a different name?

  10. built into IE since v4 by sh0rtie · · Score: 2, Informative

    They are called "zones": put sites you trust in "trusted sites" and ones you don't in "restricted". You can configure each of the zones' (there are 5 but only 4 visible) security settings to however paranoid or trusting you are of the sites you visit; each setting is independent, e.g. turn off script on normal internet surfing but only allowing certain sites to use

    1. Re:built into IE since v4 by Simon · · Score: 2, Insightful

      What you have just described is totally different and doesn't in any way address the class of attack (Cross Site Request Forgery, http://en.wikipedia.org/wiki/CSRF ) talked about in the article. It has little to do with scripting or zones, or that one browser is IE or the other is Firefox. It has everything to do with the fact that two *separate* browsers are used, and that web sites in the untrusted browser can't send requests to the guy's logged in banking session.

      Turning off scripting doesn't guard against CSRF either BTW. I wish people would read the bloody article (and understand it!).

      --
      Simon
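The CSRF mechanism that ZombieWomble and Simon describe above, as an added example that is not part of this thread or the CSO article: a toy bank server and a browser model with one cookie jar per profile. It shows the forged transfer succeeding in a shared profile, failing from a separate profile (the two-browser tip, or rubato's separate Firefox profiles), and failing against a server-side anti-CSRF token. The bank origin, user names and balances are constructed for the example.

```python
# Added example (not from the article or any commenter): a toy model of the
# CSRF scenario the thread argues about. The bank identifies the user by a
# session cookie; a browser profile has one cookie jar and attaches the bank's
# cookies to any request aimed at the bank, whichever page built the request.
from dataclasses import dataclass
import secrets


@dataclass
class Request:
    path: str
    page_origin: str   # origin of the page that issued the request
    cookies: dict
    form: dict


class Bank:
    """Toy bank: session cookie for auth, optional anti-CSRF token check."""

    origin = "https://bank.example"   # constructed origin

    def __init__(self, require_token=False):
        self.require_token = require_token
        self.sessions = {}   # session id -> user
        self.tokens = {}     # session id -> csrf token bound to that session
        self.balances = {"alice": 100, "bob": 0, "mallory": 0}

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        # The token is embedded in the bank's own transfer form, so only a
        # page served by the bank can produce a request that carries it.
        self.tokens[sid] = secrets.token_hex(16)
        return sid, self.tokens[sid]

    def transfer(self, req):
        sid = req.cookies.get("session")
        user = self.sessions.get(sid)
        if user is None:
            return 401   # no valid session cookie arrived with the request
        if self.require_token and not secrets.compare_digest(
                req.form.get("csrf", ""), self.tokens[sid]):
            return 403   # cookie is valid, but our page did not build this request
        amount = int(req.form["amount"])
        if self.balances[user] < amount:
            return 400
        self.balances[user] -= amount
        self.balances[req.form["to"]] += amount
        return 200


class Browser:
    """One browser profile: its own cookie jar keyed by site origin."""

    def __init__(self):
        self.jar = {}

    def set_cookie(self, origin, name, value):
        self.jar.setdefault(origin, {})[name] = value

    def post(self, bank, page_origin, form):
        # Cookie attachment depends only on the request's destination, not on
        # which page produced the form. That is the root of CSRF, and it needs
        # no script on the untrusted page: a plain form submission is enough.
        cookies = dict(self.jar.get(bank.origin, {}))
        return bank.transfer(Request("/transfer", page_origin, cookies, form))


def scenario(separate_browsers, require_token):
    """Returns (status of the forged transfer, alice's final balance)."""
    bank = Bank(require_token)
    sid, token = bank.login("alice")
    banking = Browser()
    banking.set_cookie(bank.origin, "session", sid)
    # alice's own transfer, submitted from the bank's page with its token
    assert banking.post(bank, bank.origin,
                        {"to": "bob", "amount": "10", "csrf": token}) == 200
    # later, a form on an untrusted site targets the bank's transfer endpoint
    other = Browser() if separate_browsers else banking
    status = other.post(bank, "https://untrusted.example",
                        {"to": "mallory", "amount": "50"})
    return status, bank.balances["alice"]


if __name__ == "__main__":
    print(scenario(separate_browsers=False, require_token=False))  # (200, 40)
    print(scenario(separate_browsers=True, require_token=False))   # (401, 90)
    print(scenario(separate_browsers=False, require_token=True))   # (403, 90)
```

The first case is the thread's worry: one browser, no token, and the forged transfer goes through on the user's session; the other two show the two defences that stop it independently.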

  11. This news is incomplete by Janos421 · · Score: 3, Insightful

    Well, the news is not well reported. This tip aims to protect against "Cross Site Request Forgery (CSRF)--considered one of the most insidious but least appreciated threats in application security". So clearly it does not pretend to address key-logger issues.

    For sure, in this context, the tip is quite effective.

  12. Only as strong as the weakest link by eli pabst · · Score: 3, Insightful

    This is akin to putting a 5 inch thick steel door on the front of your house and an unlocked screen door on the back. Once the "weaker" browser is compromised, generally at the very least it's going to allow user-level execution, so an attacker could modify the settings on the "secure" browser or insert a keystroke logger.

  13. That's not all that secure by Nimey · · Score: 3, Interesting

    If you want *secure*, you can boot the anonym.os LiveCD, which, while a bit out-of-date, has some good anonymization tools as well.

    Or, as others have suggested, a dedicated virtual machine which can revert its state at shutdown, so you know there won't be any nasties lurking even in the sandbox.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
  14. Trying to Think This Through... by SixFactor · · Score: 2, Insightful

    Interesting countermeasure against CSRFs. I can just imagine Mr. Grossman not quite referring to IE (the promiscuous one) vs. Firefox (the safe one).

    Given the above and operating conditions being equal (with use of solid anti-virus and firewall measures), it seems to me that if a well-designed browser was used in the first place, then there would not be a need for a "promiscuous" browser. In fact, wouldn't the use of a "promiscuous" browser increase a user's risk when conducting, uh, questionable activities? End result (cue alarming music here): the box gets compromised, and it doesn't matter if a safe browser was used for banking, etc., something nasty now lives in the box.

    Continuing the FF vs IE model, if FF was designated for promiscuous activity, then the user is arguably better protected. So that leaves us with IE as the "safe" browser? The mind reels.

    I know there are alternatives (Opera, Konq, etc.), but presumably Mr. Grossman is addressing mostly Windows users.

    --
    Science never settles, never rests.
  15. 'Extreme Safety' driving by MagicM · · Score: 5, Funny

    I do the same thing when I have to go somewhere. I have two cars, one that's reliable, and one rusty piece of crap that's ready to fall apart any minute. When I need to go somewhere important, I take my reliable car so I know I won't die before I get there. When I just need to take a quick trip to the grocery store, I take my junk car and just cross my fingers.

  16. Dumbest Thing I Have Ever Heard by fsda · · Score: 2, Insightful

    This guy is a "Security Researcher"? Let me get this straight. You have 2 browsers, one insecure, one secure. On the insecure you do your daily stuff, on the secure you do your banking. Ok. Say your insecure browser gets compromised due to a vulnerability that is not yet patched or there is no patch for. Some of the browser vulnerabilities allow for full system control. Then what? Your whole system is now FUBAR. So there goes your "secure" browser. 15 year olds have more security sense than this guy.

  17. confusing web security with girl-friend security by oni · · Score: 5, Insightful

    What he's describing is not a way of keeping your computer safe, it's a way of hiding porn from your girlfriend. You use some browser that she's never heard of for all your illicit surfing. Then, she fires up your computer and starts running IE, she looks in your history and sees slashdot and CNN or whatever and doesn't think you're a pervert (which you are).

    It's also a good idea to have "honeypot porn" which is basically, a few very innocuous sites that you visit in IE that you intentionally want her to find - because once she starts looking, she's going to keep looking until she finds something. Best to give her something to find. Let her think you go to maxim.com or something.

  18. Re:confusing web security with girl-friend securit by stewbacca · · Score: 3, Interesting

    Wow. Sounds like you put a lot of personal perspective into your post. My wife goes for more porn online than I do by a long-shot, so I don't worry about my browser history too much.

  19. Why do online banking? by jcaplan · · Score: 2, Interesting

    The question for me is:

    Why do online banking?

    My bank had a poster in the lobby stating that they used "state of the art" security measures to protect their online banking customers. I reflected on the state of the art and wondered why anyone would trust their money with online banking. For me the risk / convenience just doesn't work out. My electronic banking is limited to checking balances and cleared checks by phone. I know my account number and password are transmitted in cleartext (clearbeeps), but access to the phone network is reasonably limited and the phone access system doesn't allow transfers to anywhere but my other accounts. I'm curious what benefit other people feel they get from online banking.

    I'm a little troubled by the security researcher's online banking ritual. It's not that it doesn't make sense technically and help protect against a class of attacks. It just feels wrong. It feels like he is performing a ritual to reassure himself before doing his online banking, which he clearly has reservations about. He does not discuss any other measures he takes to secure his system.

    Those who talk about booting off a live CD such as Knoppix sound a little more sensible to me, as the integrity of the system is pretty well ensured. This isn't an approach that scales well to the general public, though, for reasons of convenience and knowledge. It involves education about the risks, downloading and burning an ISO and sometimes fiddling with BIOS settings - not something that the bank is likely to ask users to do. A bootable read-only flash drive might simplify things, though. Maybe a security minded bank would distribute bootable read-only flash drives with built-in password-generating fob. Plug in, boot, see browser window already pointing to your bank's site with secure connection. Type in account number from a card, password from memory and number from fob. Now I want to know how you would break this system. Let the replies begin...

    -Jon

  20. Secure Password Manager by (rypto* · · Score: 2, Insightful

    Nothing is as secure as your own memory..

    Let us understand the flaws of this guy's "grand" idea:
    1 - There is no such thing as an absolutely secure browser; there is no stealth mode, and even if you are on it, how are you going to log into an account? (Every one has holes too ;)
    2 - Browse without an "anonymous" proxy and your IP is advertised, i.e. your system is out in the open. (Like someone mentioned - keyloggers, trojans, many many others can evade)
    3 - There are always SBS (Some Bloody Software) trying to open ports for pirates.
    4 - In an era of high bandwidth internet, where is the wait to guess what's wrong with a computer? (scan it all)

    Now..

    Think, why do you have brains?
    Can it keep secrets?
    Can you trust it?

    1- Remember and type all your passwords & user IDs - it's tough if you are used to someone else remembering the password for you; it's proven good for your brain..
    2- Accept cookies from sites you trust ( avoid inter-site tracking cookies )
    3- Keep no cache memory
    4- Use SSL login whenever possible. (https://mail.google.com/mail/)
    5- Use a browser without susceptible addons
    6- Hide your WAN IP. ( google "anonymous browsing" )
    7- Try to even remember your account numbers ( After a while it dissolves )

    Give it a thought.

    --
    #3 pencils and quadrille pads.
  21. More importantly by spun · · Score: 2, Insightful

    How is this going to protect you from sharks with fricken' lasers on their heads? Or even ill-tempered sea bass with lasers on their heads. Oh, wait, this scheme isn't designed with sea bass in mind. Or sharks. Or keyloggers. It's designed to protect against cross site scripting.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  22. Re:confusing web security with girl-friend securit by Corporate Troll · · Score: 2, Insightful

    No chance in hell... I have my own account and she doesn't know the password. Unless I get caught red-handed, she won't know.

  23. Virtual machine by athloi · · Score: 2, Informative

    VMware player is open source:

    http://www.vmware.com/products/player/

    It also has a secure browsing "virtual appliance," or virtual machine with software pre-installed:

    http://www.vmware.com/appliances/directory/browserapp.html

    The software is open-source.

  24. Re:confusing web security with girl-friend securit by Zadaz · · Score: 3, Insightful

    If your girlfriend doesn't know you're a pervert then you're doing it wrong.