Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×

The Problems of Web Surfing in Public Places 176

Krishna Dagli writes to mention a New York Times article about the dangers of public web surfing. The article looks at the sloppy habits people have when using public terminals, and the issues that using a wireless signal in a public place. From the article: "Michael Sellitto, a graduate student studying international security at Harvard, said that even though he encrypted any sensitive data on his laptop, he planned to sign up for a service like HotSpotVPN to add another level of security when he is traveling, especially when using poorly protected networks at cafes and hotels. 'The problem is, the really good people have written sniffer programs so that the less-sophisticated people have access to the same technology,' Mr. Sellitto said. 'Say a Microsoft Word document gets transmitted. The sniffer program will collect that and someone could open it up on their computer.'"
This discussion has been archived. No new comments can be posted.

The Problems of Web Surfing in Public Places

Comments Filter:
  • Say a Microsoft Word document gets transmitted. The sniffer program will collect that and someone could open it up on their computer

    Yeah, but while in a public place, someone looking over your shoulder might be a more realistic worry.
    • by heartless_ ( 923947 ) on Tuesday August 22, 2006 @07:47PM (#15959352) Homepage
      But solving that problem is a few dollars away in the form of a screen protector. For the technically uninformed that believe the internet is inherently safe to surf and operate on this article may come as a surprise. What worries me more is the fact that people regard personal/delicate information as just "something they work with". Reminds me of the day we found social security numbers and copies of military orders in the dumpster at my former Air Force Base. Some people are clueless.
      • Re: (Score:3, Insightful)

        But solving that problem is a few dollars away in the form of a screen protector.

        Which solves only half of the problem of course, people can still easily observe and record your typing.

        For the technically uninformed that believe the internet is inherently safe to surf and operate on this article may come as a surprise.

        True.

        What worries me more is the fact that people regard personal/delicate information as just "something they work with". Reminds me of the day we found social security numbers and copies of
      • I wasn't aware the technically uninformed read "News for Nerds" Slashdot.
      • Re: (Score:3, Insightful)

        by ms1234 ( 211056 )
        Does anyone else than me find it funny that when lcd screen were new people would bitch and moan about the angles from which the screen could be seen was bad and now when you have an almost 180 degree field of vision on the damn things people bitch and moan that others can see whats on their screens and are buying screen protectors?
        • Re: (Score:2, Insightful)

          Yes! Absolutely.

          I also find it highly amusing that people used to complain about glare from a screen until suitable anti-reflective coatings were developed. Now they pay extra for the Sony X-brite screens (or whatever it's called these days) that look great but reflect a lot.
  • by minuszero ( 922125 ) on Tuesday August 22, 2006 @07:42PM (#15959321)
    How many websites you use have a "log me in automatically" checkbox, ticked by default?

    Bet it's most.

    How many average users do you suppose won't bother/remember to uncheck it?
    • by daranz ( 914716 ) on Tuesday August 22, 2006 @07:57PM (#15959398)
      Ideally, a web browser on a public computer would be set up not to save any personal data, such as cookies, passwords, form entries, etc. Of course, in most cases it is not so, and such browser save cookies, and even passwords from the users... Fortunatelly, some browsers, like FF, have a convenient menu item that clears all personal data recorded by the user, and so it's possible to ensure that you leave no cookies or form entries behind, even if the browser is setup to allow them... Worst thing if the public computer runs IE, or some other browser where you have to dig in options screens to clear all your data. In many cases, such meddling with the browser is frowned upon by whoever is supposed to be watching over the computers.
    • by ackthpt ( 218170 ) * on Tuesday August 22, 2006 @08:01PM (#15959413) Homepage Journal

      How many websites you use have a "log me in automatically" checkbox, ticked by default?

      What gets me is sitting down to a mocha double soy and finding all these post it notes under the table with elegantly written little bits like 'bad1983girl', 'iluvpuppies' and 'password'...

      • Re: (Score:2, Informative)

        by OmniBeing ( 838591 ) *
        One of my clients insists on putting her password under a clear plastic desk protector. Did I mention she's the accountant for the company and she's the only who's supposed to have access, not just to that PC, but to the database...

        Everyone, even the contractors know the password, and they refuse to change it, Dolts.

      • Re: (Score:2, Interesting)

        by Mike Kelly ( 864224 )
        What's even worse is that most factory installs have no password set for Administrator. Nobody changes the Administrator password on their XP Pro/Home machine because you cannot normally see it. A simple keystroke and Enter and you're in!

        XP Home needs a couple more steps, but it's just as bad.

        Kinda makes any additional security measures pretty futile.

  • by Anonymous Coward on Tuesday August 22, 2006 @07:42PM (#15959324)
    Just one of several glaring errors: One guy says not to shop online, but reading email is probably ok. WTHeck??? Online shopping is almost universally via ssl these days, which IS safe (as long as you trust your merchant). Reading email is still mostly via unencrypted channels.

    Who wrote this crap?
    • by Achromatic1978 ( 916097 ) <robert@chrom a b l u e . n et> on Tuesday August 22, 2006 @07:53PM (#15959380)
      Agreed. I was thinking that. "Don't do {any one of a number of tasks that are almost definitely encrypted}, but right ahead and do {any one of a number of tasks that almost definitely aren't}".

      Mind you, I SSL protect my webmail, too.

      • When used properly (Score:4, Interesting)

        by grahamsz ( 150076 ) on Tuesday August 22, 2006 @08:45PM (#15959571) Homepage Journal
        The problem with SSL is that many people, even in the high-tech industry, aren't very good at using it.

        It wouldn't be very difficult for a net cafe owner to set up an MIM attack and have their own self-signed certificate. Your browser *should* throw a warning, but most users will happily accept the extra risk without thinking twice (or even reading the error message).

        A more involved attack might involve getting a certificate issued for AMAZ0N.COM and the chances are good that you could stage a MIM attack without even a certificate warning appearing.

        I also suspect that a fair chunk of users would happily type their information into an order form on Amazon.com even if the connection to them wasn't even https. I'm sure if it "looks like amazon" that'd probably suffice.
        • Not just the owner (Score:5, Insightful)

          by grahamsz ( 150076 ) on Tuesday August 22, 2006 @09:23PM (#15959707) Homepage Journal
          Anyone with a laptop on the same segment or WAP can run their own DHCP server. That way when you connect, there's a very good chance that they can send you connection details first.

          That way they can make themselves into the gateway and from there it's trivial to screw with your traffic.
        • by asuffield ( 111848 ) <asuffield@suffields.me.uk> on Tuesday August 22, 2006 @10:42PM (#15959956)
          It wouldn't be very difficult for a net cafe owner to set up an MIM attack and have their own self-signed certificate. Your browser *should* throw a warning


          Um, excuse me? All the workstations in the net cafe will have the cafe owner's CA certificate installed, which will validate all the MIM attack certificates for them (assuming that they didn't just have a modified version of firefox installed that lied about the SSL status). SSL is completely and totally worthless when the attacker controls the workstation you are using.

          The only thing SSL does is to ensure that communication between two secure endpoints cannot be accessed by somebody who merely controls the channel between them. It cannot be of any use to you if your endpoint is not secure.
          • Generally though I take my laptop to net cafes. I only ever use their machines when i'm travelling or living in the 90s.

            I'd like to assume my laptop is secure, and I have a certificate based VPN that can get me somewhere else if i need security.
        • It wouldn't be very difficult for a net cafe owner to set up an MIM attack and have their own self-signed certificate. Your browser *should* throw a warning, but most users will happily accept the extra risk without thinking twice (or even reading the error message).

          And since the owner of that net cafe would have full control over those browsers, it wouldn't be too difficult to install their own 'root certificate' and get rid of the warnings.

          You'd have to take a close look at the certificate to spot this.
          • I wrote the original comment in the mindset of a hotspot cafe where you at least bring your own hardware.

            There's no way at all that you can trust their machine, even if you have the root certificate fingerprints memorized they could still trick you.
    • by lars_boegild_thomsen ( 632303 ) <lth@@@cow...dk> on Tuesday August 22, 2006 @08:44PM (#15959566) Homepage Journal
      Who told you ssl is safe? Any computer on the same lan segment - a bit of arp poisoning and you got an efficient man-in-the-middle attach. Then you present the client with a fake ssl certificate made on the fly to look like the original server certificate. No - it will not have the proper signatures by any cert authorities, but honestly - how often do YOU read all the details of a certificate presented to you before you say "Accept"?

      Sounds complicated to do in reality - well there are tools readily available that does EXACTLY what I described above and just about anybody can use them with a few hours of playing around.

      So - you do your SECURE SSL encrypted bank transactions over a public or semi public WIFI network. Anybody with a bit of knowledge can crack the wireless encryptions in a matter of 10 minutes, and sniff ALL traffic - including SSL without you having a clue what is going on.
      • I'm not sure how that description fits a scenario where a browser popa up a window and tells you that tells you what might be going on.

        If I am asked about the certificate when I am buying something online or visiting my bank I probably won't read all the details but I will surely be clicking no.

        Accessing an SSL site over wireless is perfectly fine if you aren't a cretin.
      • by icebike ( 68054 ) *
        Sorry but MITM attacks are pretty obvious when they are being attempted.
        Popup warnings from every secure site you attempt to access is become
        meaningfull even for the clueless.

        Further, the chances of the MITM attacker being ready and prepared to
        intercept the particular site you chose to access at that particular
        time at that particular Starbucks is pretty small.

        (Unless of course you were buying from that Starbuck's website for delivery at table 2, in
        which case how many of your Mochas can the MITM at table 5 d
        • by lars_boegild_thomsen ( 632303 ) <lth@@@cow...dk> on Tuesday August 22, 2006 @11:22PM (#15960097) Homepage Journal
          Well - I am not sure I would call it obvious. Experimentally I had two PC's on the same LAN segment. One was running ettercap the other I used for browsing. Ettercap was configured to do ARP poisoning and track SSL sessions with dynamic certificate generation. From the other PC I logged on to my so-called secure banking and ettercap had absolutely NO problem whatsoever in getting my username and password. From a user perspective the only HINT that something was wrong was that the cert was self signed (all the data in the cert was a replica of the original - just self signed).

          Yes - if I had started the attack in the middle of a session it would probably have been obvious, but no - since ettercap was running before I even started logging on - there was no warnings of any kind - just a request from my browser if I wanted to accept the cert or not. Even looking at the cert for Joe Six-pack I would bet it looked pretty ok. You would need to understand the technology behind certificated to know that a self signed certificate is not secure - and honestly - while you and I might do that, how many users of on-line banking know? I am fairly sure that most - if not all - non-IT educated people would readily accept such a cert and therefore in reality browse in the open.

          Regarding pop-ups on man in the middle attacks. Well - obviously I went through quite a lot of testing - mostly because I wanted to know what was possible and - if possible - how to prevent it. I did experience a few switches (and that is 2 to be exact out of at least 15 I tried with) that for some reason was not prone to the ARP poisoning, BUT I in those cases the attempt just quietly failed. In all other cases - ettercap happily sniffed just about any connection I tried to make without any hint on the client. The truly scary part is that ettercap can run pretty much unattended and just log whatever passwords it comes across, so I would say it was/is pretty viable to bring a laptop to a Starbucks and let it run for a few hours while I had a cup of coffee - then go home and see what I got. From the ettercap manual:


          SSL MITM ATTACK
                        While performing the SSL mitm attack, ettercap substitutes the real ssl
                        certificate with its own. The fake certificate is created on the fly
                        and all the fields are filled according to the real cert presented by
                        the server. Only the issuer is modified and signed with the private key
                        contained in the 'etter.sll.crt' file. If you want to use a different
                        private key you have to regenerate this file.


          The key here is that I do not agree with you that the chances of someone being there and ready is pretty small. Someone doesn't need to be ready - just run an application and wait - that is ALL it takes.

          So why is this not rampant (as someone else was commenting). Well - I wouldn't know. What I do know is that I just selected ettercap from the standard list of Debian packages and did no configuration whatsoever. I wouldn't know if it run on Windows or if it is hard to install and/or use. I guess in the Starbucks scenario I mentioned, the hard part would be the wep keys, last time I checked that still did require some knowledge and wasn't fully automated, but once on a shared network it does not require much skills.
          • Anybody have screenshots of what these "self-signed certificate" errors look like so that I know what to beware?
    • by fm6 ( 162816 )

      Reading email is still mostly via unencrypted channels.

      If by "reading email", you mean downloading messages from a POP or IMAP server, you're quite right. But that's only a tiny part of the problem. Most email messages can be easily intercepted, not just when the read or sent, but at several points in between.

      People seem to be pretty ignorant of this fact. When I worked the help desk for an ISP, I got complaints from folks because we didn't support SSL connections to our email servers. That would be like

      • Re: (Score:3, Insightful)

        by NMerriam ( 15122 )
        When I worked the help desk for an ISP, I got complaints from folks because we didn't support SSL connections to our email servers. That would be like using an armed courier to send a package to someone, then having the courier leave the package on the doorstep!

        I wasn't aware that every email I send and receive has my account password attached to it. Oh, they don't? Then I should probably use SSL to connect to my email server. SSL isn't about protecting the message, it's about protecting the client login.
        • by fm6 ( 162816 )
          If you look in the settings for your email client, you'll see separate settings for secure authentication and secure send/receive. You're right, not using secure authentication exposes the password to sniffers. But I wasn't talking about authentication.
    • How often do you read (or send) your credit-card number by email?

      Neither is good from an information-theft perspective, but dealing with sites that have your financial info generally requires more security.
  • by airuck ( 300354 ) on Tuesday August 22, 2006 @07:51PM (#15959372)
    It used to be a hobby of mine. tcpdump and ethereal. Chat, email, documents, http requests, password snarfing. Then I discovered that most folks had nothing of any interest to say. One step above listening to teenage girls talk on their cell phones.
    • by Bios_Hakr ( 68586 ) <xptical&gmail,com> on Tuesday August 22, 2006 @08:06PM (#15959430) Homepage
      You are thinking of it in terms of watching a TV. That's not the problem. Like you say, most people have nothing to say.

      However, the real problem is that someone will set up a laptop to sniff an open wireless network and then grep the output for credit-card numbers and MMO passwords. Once they nail a CC#, they can examine the surrounding packets to find expiration dates, names and addresses, and that stupid "security code". MMO passwords can be used to empty a user's inventory for real money.

      How many people shop from Starbucks? I dunno. I bet quite a few do. How many play WoW at Starbucks? Probably some.
      • by Vellmont ( 569020 ) on Tuesday August 22, 2006 @08:36PM (#15959537) Homepage

        However, the real problem is that someone will set up a laptop to sniff an open wireless network and then grep the output for credit-card numbers and MMO passwords.

        While this is somewhat of a concern, the risk is greatly reduced by the fact that the vast majority of shopping sites use SSL to encrypt transactions where credit card numbers are being sent. That would make any sniffing attempts useless.

        Hell, even Yahoo has a secure login for email these days.
        • That's not the real problem.

          The real problem is DHCP/DNS hijacking. With that, your bookmarked www.bankofamerica.com might resolve to MY server. Or better yet, all your HTTPS traffic will be routed through MY server complete with the man-in-the-middle setup.

          Sure the certificates will not match or give a self-issued warning. But how many people surfing at StarBucks care about those broken lockpad symbols?
          • Re: (Score:3, Interesting)

            by Vellmont ( 569020 )

            Sure the certificates will not match or give a self-issued warning. But how many people surfing at StarBucks care about those broken lockpad symbols?

            Well, the browers should bring up a message that says the certificate isn't valid. That might be a red-flag to a lot of people, especially when visiting their bank. Some people might ignore the popup message like they ignore every message.

            But in general I agree that online banking could be a problem at your local Starbucks. I've felt for a long time that ban
            • by daranz ( 914716 ) on Tuesday August 22, 2006 @09:09PM (#15959653)
              Some banks actually issue scratch-off cards, that contain a bunch of authentication numbers. Each of those can be used only once, and they have to be used in order they are listed on the card. That way, even if the login data is stolen, no transaction can be done without intercepting the physical card... Sort of a one time pad scheme for transaction authentication. It's simple, cheap, but effective.

              As far as I know, this is more popular in Europe, and few, if not none of the American banks use this system...
              • That's not bad, but it's a one way authentication only. The bank knows that you're who you say you are, but you can't be sure the website you've connected to is actually the bank. A clever attacker could intercept your transactions and redirect you to a website with a similar name. The attacker could even get a valid signed certificate by a recognized certificate authority. Make the website look identical to the real website, gather the login information from the unsuspecting user, and then act like the
                • by jafiwam ( 310805 )
                  Durrr...

                  Or they could just add a response key for the one time pad the server sends back.

                  User: 43242efsdfs

                  Server: 523erfwerwe

                  Ok, no they both know who they are talking to (at least the end points) so you can login with user/pass under SSL.

                  Unless you are going to get both a cracked or spoofed (again, the ONE fucking thing the normals got right is looking for a certificate and the lock symbol) and do it in _real_time_ it's easy.

                  In fact, I like the scratch card idea so much I am going to pitch it to my CU.

                  Plus
            • Re: (Score:3, Interesting)

              by zcat_NZ ( 267672 )
              One of the New Zealand banks (BankDirect) a while back had their SSL certificate expire. In the 12 hours before it was fixed, 300 people were presented with an invalid certificate warning dialog and 299 people logged in regardless.

              Actual numbers. Google it for yourself.
        • the risk is greatly reduced by the fact that the vast majority of shopping sites use SSL to encrypt transactions where credit card numbers are being sent

          Maybe you don't know, but SSL is useless vs local sniffing because of things like ARP Poisonning ect. SSL is fundamentally broken. Consider every SSL connection you send wirelessly (short of using WPA) to be plaintext. Don't even dare connecting to your bank with it.
          • by Vellmont ( 569020 ) on Tuesday August 22, 2006 @09:04PM (#15959639) Homepage

            Maybe you don't know, but SSL is useless vs local sniffing because of things like ARP Poisonning ect.

            That's why SSL certificates are signed. As long as the certificate issuers are doing their jobs and only giving out signed certificates for www.myURLNameHere.com to the actual owner of www.myURLNameHere.com, and people actually don't complete transactions when a warning of a self-signed certificate comes up, you're fine. The cert issuers are pretty good (I haven't heard of any real problems). Some people do ignore cert warnings, but that's the risk they take. I know to take cert warnings seriously when entering in secure information, so the risks to me are minimal.
          • Re: (Score:3, Informative)

            by finkployd ( 12902 ) *
            Maybe you don't know, but SSL is useless vs local sniffing because of things like ARP Poisonning ect. SSL is fundamentally broken. Consider every SSL connection you send wirelessly (short of using WPA) to be plaintext. Don't even dare connecting to your bank with it.

            Maybe you don't know, but x.509 certificates are signed by a certificate authority. So the situation you describe requires an additional step: faking out a CA company into giving you a bogus cert. Not impossible, but certainly not trivial.

            Now wi
          • Re: (Score:2, Insightful)

            by RobertLTux ( 260313 )
            the big problem can be said in 2 words

            Keystroke Recorder
            You could have a 42 layer vpn/xyz/hypercryption tunnel but if the keystrokes are being logged then you are Foxtrot Uniform Charley Kilo Echo Delta #Bang #Bang
    • by Chuck Chunder ( 21021 ) on Tuesday August 22, 2006 @08:44PM (#15959567) Homepage Journal
      One step above listening to teenage girls talk on their cell phones.
      Presumeably this was before the existence of MySpace?
  • by Poromenos1 ( 830658 ) on Tuesday August 22, 2006 @07:52PM (#15959377) Homepage
    I'm very wary of typing stuff in public terminals nowadays, because even if I have a USB drive with a virtual OS on it (or at least a copy of Opera [poromenos.org]), I'm still paranoid that it might have a hardware keylogger attached (although I'm not really worth anything). You can't really protect against that.
    • "You can't really protect against that."

      Yes you can, with a virtual keyboard. xvkbd works for me.
    • Re: (Score:2, Interesting)

      Waaay back in 1990 when I was in Uni and internet was a place for people with a clue (well, mostly) you were required to take an knowledge exam before being issued an account to access the VMS and the net. I couldn't be arsed to take the test so I wrote a program that would mimic the login screen and then log the passwords. It would always display a login error notice the first time so I could double-check that it was the right one, then it would forward you to the real login screen. That's where I got my n
  • by hmccabe ( 465882 ) on Tuesday August 22, 2006 @07:57PM (#15959401)

    I used to work at an Apple store across the street from a high school. I would estimate that 75% of the packets coming into that store came from myspace.com. Of course, these kids would never log out, which meant you could walk up to just about any computer, launch safari, go to myspace and start editing the profile of whomever last used the computer. Favorite edits included

    • Changing interests to include homosexuality, drugs, etc.
    • Changing background images
    • Changing profile photos
    • Joining a group of people who check their myspace at the apple store. (I'm in that group too)
    I couldn't bring myself to break off any friendships, that's a bit too mean.
    • Myspace uses a session cookie, which goes away when the browser is closed.

      Well, I take that back, it goes away when the browser application terminates, so if they just close the window they are still logged in but if they actually quit safari then they are logged out.

      Either way, by admitting I know this I just killed any /. cred I might have built up over the years :(

      Finkployd
    • Of course, these kids would never log out, which meant you could walk up to just about any computer, launch safari, go to myspace and start editing the profile of whomever last used the computer

      We did something similiar when I was in Kosovo. Hotornot was all the rage and 9 times out of 10 the last guy to use a computer in the internet center wouldn't log out. Change his preference from Heterosexual to Homosexual and the guy would check his account the next day and have 10 messages addressed to Cute Sold

  • by StikyPad ( 445176 ) on Tuesday August 22, 2006 @08:00PM (#15959411) Homepage
    The article looks at...the issues that using a wireless signal in a public place.

    Next we're going to look at the issues that posting without editing.
    • Re: (Score:2, Funny)

      by benicillin ( 990784 )
      im glad you posted that.. i noticed the error as well, and then somehow convinced myself it was a correctly written sentence..
    • Just to be nice, we're going to assume that you meant to keep both the quote and your reply in italics and that it wasn't something you would have noticed with some editing.
  • by ToastyKen ( 10169 ) on Tuesday August 22, 2006 @08:04PM (#15959426) Homepage Journal

    That's all the more reason to listen to The End-to-End Argument [mit.edu] [PDF]. (Wiki link [wikipedia.org] if you don't want a PDF.)

    Never trust the network!

    Although, I suppose VPNs technically don't adhere to the end-to-end argument, exactly..

  • by Vellmont ( 569020 ) on Tuesday August 22, 2006 @08:11PM (#15959452) Homepage
    I'm soon moving to an apartment that offers free Wi-Fi internet connectivity. Though it's an encrypted connection, I don't necessarily want anyone in the apartment complex to be able to look at the contents of every un-secured website I go to. Can someone recommend a VPN provider that:

    1. Will provide a static IP address so I can run services like SMTP and HTTP
    2. Will easily work with some version of firmware on my wireless router, a WRT-54G. This way I can provide
    seemless access to the rest of the machines on my network without running VPN software on them.
    • Re: (Score:2, Funny)

      This is why you RTFA. There's, right there: HotSpot VPN [hotspotvpn.com].
      • This is why you read my actual question. Does this solution meet both my conditions? i.e. do I get a static IP address (not one behind a NAT), and can I get my WRT54G to work with it?
    • Re: (Score:3, Informative)

      by Scaba ( 183684 )

      You could get a cheap hosting account that offers SSH and open a SOCKS tunnel on your machine or router and point your browser at that. DNS will be resolved on your hosting company's server (for SOCKS 4a and 5), and everything will be encrypted until it leaves the hosting company's server, at which point it will about as secure as any other wired connection (which is to say, not at all to the determined cracker). You also get the benefit of the static IP address and ability to run mail and web servers. C

    • by battjt ( 9342 )
      So you trust anonymous ISP employees and unknown website owners, but you don't trust your neighbors?

      I'd move. (Really. What the hell is this world coming to?)

      Joe
      • Re: (Score:3, Interesting)

        by Stellian ( 673475 )
        So you trust anonymous ISP employees and unknown website owners, but you don't trust your neighbors?
        For the unknown owner of the animal-porn website I've visited yesterday, I'm just a face in the crowd. For Jimmy, the 16 y/o hacker who lives in my building, I'm just the right person to blackmail.
        • by battjt ( 9342 )
          I guess where I come from, Jimmy knows I'll kick his ass one way or another.

          Really. I live in a small town. Everyone knows everything about everyone, even if it isn't something that you will read in the paper; who is doing and selling drugs, where you can place a bet, who the corrupt and or inept folks in government are, who Jimmy's real daddy is. I've lived in larger cities; I like leaving my door unlocked. I trust my neighbors. (yes, I trust that the corrupt will bend to the highest bidder.)

          How will

      • So you trust anonymous ISP employees and unknown website owners, but you don't trust your neighbors?


        Basically, yes. ISPs have policies against looking at peoples internet traffic without reason, and have penalties like getting fired for sniffing internet traffic. My neighbors have no policies, no penalties, and no monitoring of what they're sniffing. I don't particularly want them reading all my email. There's nothing all that particularly interesting to see, but I value my privacy.
  • by Fëanáro ( 130986 ) on Tuesday August 22, 2006 @08:13PM (#15959462)
    I am wondering, is there a way to protect me when I am not using a laptop but a pc in an internet cafee?

    Assuming I cannot trust the browser on that pc to correctly encrypt my traffic even on https sites, I cannot install any vpn software, and I cannot be sure that there are no keyboard loggers.

    So, somthing like a java applet (stored on a secure webserver), that I can load, and that opens a browser-in-a-browser, encrypting all traffic, with an added on-screen-keyboard to defeat keyboard loggers?

    It would not be absolutely safe, since a good sniffer could also monitor the screen and the mouse movements, but it would be better than nothing.
    • I have this 20 rolls of tinfoil in my basement...

      And people call *ME* paranoid :)

    • Re: (Score:2, Insightful)

      by Anonymous Coward
      If you can't trust the browser, how can you trust a java applet delivered through that browser?
    • Re: (Score:2, Interesting)

      by drcagn ( 715012 )
      Use your own operating system. Something like Anonym OS [sourceforge.net] will keep you safe, and you permanently change nothing. Just make sure that there are no hardware keyloggers, but that would make you REALLY paranoid...
    • Long answer: If you can't trust the software, you're SOL. If you can't trust the browser, how can you trust a java applet that the browser delivers? If you suspect a keylogger, your java applet will only be secure so long as it's uncommon enough that no one cares to counter it with common keylogging software. Unless you propose to implement the crypto in Java, and distribute all required components inside your Java app, there's a good chance you have to call a local crypto library, so one could easily i
    • by TheLink ( 130905 )
      Sure. Stick to nonimportant stuff that don't involve usernames and passwords, and avoid anything that you might ever regret if _everyone_ knew you did whatever it was.
  • http://blogs.ittoolbox.com/security/investigator/a rchives/look-at-all-of-these-passwords-11240 [ittoolbox.com]
    this is a good one, anyone buy any amazon books lately? take a look here.
  • by Ocular Magic ( 948250 ) on Tuesday August 22, 2006 @08:19PM (#15959481)
    "The article looks at the sloppy habits people have when using public terminals"

    When I first read that, I thought it was going to talk about people picking their nose/teeth/ears while using the terminals. I wonder what those dangers are? "What's that green thing on the key there? EWWWWWWWWWWWWWWwwwww..."
  • on my blog. Basically, I think people's habits are valid assumptions of relatively adequate privacy while using wired networks... but that gets thrown off the hook when using wireless networks. I make the assumption that a protocol change would give back that relative privacy.

    http://www.micheldonais.com/archives/44 [micheldonais.com]

    I guess I wasn't the only one that got interested in that. That's not counting books on the topic, or anything.
  • On a related note, check out this article in ITtoolbox called Look At All Of These Passwords! [ittoolbox.com]. Apparently, the public terminals at DefCon had illicit listeners. It's pretty amazing how many popular sites don't have any safeguards against a linux user using ettercap.
  • The Bottom Line (Score:3, Interesting)

    by PixieDust ( 971386 ) on Tuesday August 22, 2006 @09:22PM (#15959701)
    Here it is folks. Anyone using a public terminal and transmitting/receiving any type of personal information in one way or another, is playing russian roulette with their information.

    As for Wireless networks. Look, if it's broadcast, ANYONE, can pick it up. The right person, with the right skills, and the right motivation, and the right amount of time, can do whatever they want with the contents of said broadcast.

    Your cell phone conversations are not secure, your computer's files and transmissions over a wireless network are not secure. Granted cracking certain types of wireless encryption may be impossible from a practicle standpoint, but that doesn't mean it's safe. Capture the packets, and crack them at your leisure.

    Want security? Stick with Ethernet, just don't let anyone too close to the cables, or the equipment.

    • cracking certain types of wireless encryption may be impossible from a practicle standpoint, but that doesn't mean it's safe. Capture the packets, and crack them at your leisure.

      4096-bit RSA for key exchange. Blowfish for stream encryption. lzo compression before encryption.

      How long will that take to break? I think we're approaching theoretical impossibility. And how many packets can you really capture? I send DVD images over my VPN, over the wireless. Unless Google or Microsoft desperately wants so

  • Just wondering... (Score:5, Interesting)

    by Timbotronic ( 717458 ) on Tuesday August 22, 2006 @09:54PM (#15959801)
    Has there ever been a documented case of people having their credit card details stolen by eavsdropping over an unsecured transmission? Not keyboard sniffing the user's machine or hacking the receiving servers database. An actual, verified case of cc number theft.

    I'm not asking because it can't be done. Obviously unsecured wireless networks are very easy to monitor. But the issue here is I'm constantly amazed at the focus people have on the security of transmission, rather than spyware on their machines or the potential security of end servers which seem to me to be a lot more vulnerable and ripe for attack on the kind of scale that's actually useful to criminals.

    Often the same people will happily hand over their credit cards to be taken out the bank of a resturaunt, fax or phone cc details through to businesses or throw out printed receipts with their full details (and signature).

    Why this obsession with HTTPS?
    • by Renraku ( 518261 )
      Doubt there's going to be unless its 'arranged' and baited.

      All the CC company knows is that last week you placed an order for that anime keychain your friend showed you while you were surfing on the 's wifi connection, and three hours later you ordered an Alienware machine and had it shipped to a place you didn't live.

      Its clear after the frantic calls and sleepless nights that someone spoofed your credentials, but how they did it is another story. Using a wifi connection or a public terminal always has s
    • by fm6 ( 162816 ) on Wednesday August 23, 2006 @12:34AM (#15960341) Homepage Journal
      Why this obsession with HTTPS?

      They same reason people buy car alarms that will be ignored when they go off, or guns that they don't have the training to use. People want some technological solution to their security problems. They don't want to go through the hassle of doing a real security strategy. The real purpose of most security technology is not to provide security, but to provide the feeling of security.

    • >Has there ever been a documented case of people having their credit card details stolen by eavsdropping over an unsecured transmission?

      There was the Salcedo-Botbyl case involving an unsecured wireless network at Lowe's, but it's kind of marginal: they apparently modified software on the Lowe's network as opposed to passively scanning, their modified software only logged half a dozen credit card numbers, and they got caught before they retrieved them.

      There's more worry about Internet traffic because croo
      • IIRC the Lowe's case was still an attack against the server. The attackers gained access because the wireless network wasn't secured, but that's quite distinct from intercepting cc details during transmission from one machine to another.
    • by kabocox ( 199019 )
      Often the same people will happily hand over their credit cards to be taken out the bank of a resturaunt, fax or phone cc details through to businesses or throw out printed receipts with their full details (and signature).

      Why this obsession with HTTPS?


      Because computers are evil so of course they are unsafe. Who would dream that just by swiping a cc at a gas station pump your card's data could be stolen? There have been organized rings that intercepted all the cc data of the "pay at the pump" info. You aren'
  • SOCKS proxies rock. (Score:3, Informative)

    by SocialEngineer ( 673690 ) <invertedpanda@@@gmail...com> on Tuesday August 22, 2006 @10:04PM (#15959834) Homepage

    I just use an SSH-based SOCKS proxy for my secure wireless surfing needs. I've got a Linksys router set up back at home that I loaded with Linux.

    You can read a guide I wrote a while back on how to do this here [the-engine.org]. FF, Thunderbird, and GAIM all support SOCKS proxies, so it works out great for me. Only problem is your DNS traffic goes out unencrypted, but that isn't necessarily a big deal, unless you are visiting something along the lines of www.penisland.net.

    • Re: (Score:2, Funny)

      by JasonBee ( 622390 )
      So what exatly is wrong with visiting the Pen Island web site?

      Am I missing something?

      JB
  • Cain-n-Able (Score:3, Interesting)

    by ArcherB ( 796902 ) on Tuesday August 22, 2006 @10:47PM (#15959974) Journal
    Download an easy to use packet analyzer like Cain-n-Able [www.oxid.it]and go to a place with wireless access and connect to the AP. Hotels are the best if you are staying there, but there is no reason you can't just sit in the parking lot. Let CnA run for any amount of time and look at how many email, web page, news or whatever passwords you receive. Then realize that someone could be doing this to you!

  • Police scanners (Score:2, Interesting)

    by sporkme ( 983186 ) *
    I recall stumbling across a good database of 900 MHz cordless phone frequencies ages ago (pre-2.4GHz). I scrambled for my police scanner. For about five minutes, I thought I had died and gone to heaven. First, I listened to my neighbor talk about how she was not sure if *he* was really *the one*. Next, I fell asleep. Then I remembered that (US) police made (and still make) a habit of broadcasting your full name, social security number, date of birth, driver's license number and your special crime over
  • While this might not be in the direction of the article, getting a URL wrong can be equally as dangerous.

    I was at a public access terminal in an airport. The terminal was set up so no new windows could be opened. Ever heard of the web comic Sinfest [sinfest.net] ? I read it daily. Did you know there is also a sinfest.org ? I got confused. Never have I had to close so many pop-up windows so quickly while also trying to click on the HOME button
  • I recently setup my girlfriend's cafe with a speedy little router. The Cafe's WiFi is open, not WEP enabled (for ease of use)
    The Cafe has one 1 public PC for the use of anybody (also on wireless network)
    What i told her is to never do anything critical on the public PC. Then i showed her from my flash drive how fast i could install Cain+Able (or similar) and extract protected passwords to a .txt, uninstall C&A and nobody would know the difference.
    I would never abuse patron's info, because it is

Recent research has tended to show that the Abominable No-Man is being replaced by the Prohibitive Procrastinator. -- C.N. Parkinson

Working...