
274 comments

Gorrin dere frist (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#16545840)

Fiiiiiiiiirst poooooOOOoooOOoost! w00t!

First reply!! (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#16546246)

At least to the first post.

I'd like to congratulate me, and, perhaps...MY MOM!!! (for making this happen today.)

That, or (-1, Redundant)

Anonymous Coward | more than 7 years ago | (#16545864)

A way to get your password stolen

classic diligence, albeit in a modern world (5, Interesting)

yagu (721525) | more than 7 years ago | (#16545872)

I remember sitting behind (I discovered later) an attorney on a business trip once. It was business class, and he had laid out all around him paperwork and documents busily reading and making notes. In addition to being behind him, I was beside myself with curiosity -- what kind of "stuff" would an attorney read on a plane?

I succumbed and started reading. Interesting, I was reading the IPO strategies and schedules for a startup company in the bio-medical field. And coincidentally in minutes I realized these were notes for the IPO of a bio-med company I was consulting for in my personal time! Probably mostly no harm, no foul, but it was an eye-opener for me to realize what kind of information people expose unwittingly, technology or not.

While wireless could make for more surreptitious spying, it seems to me once again (just like "security") the biggest risk and danger is from the lack of due diligence... striking up a conversation in the concourse bar and saying a little bit more than you probably should would be my bet on spilled beans.

I could even think it might be safer with everyone traveling with laptops, I once did an informal (and anecdotal) caucus, and on one business trip observed about 95% of any laptop users playing solitaire or some game with their computers.

Now all you need.. (1)

Channard (693317) | more than 7 years ago | (#16546068)

Is a video camera built into your glasses, with a wire that goes down into your pocket to the battery and 30GB hard drive. Hey presto, inside information that can be reviewed at a later date.

Re:classic diligence, albeit in a modern world (4, Funny)

gEvil (beta) (945888) | more than 7 years ago | (#16546118)

So how much money did you make on that particular IPO? :-D

Re:classic diligence, albeit in a modern world (1)

ronanbear (924575) | more than 7 years ago | (#16546166)

Or how much money didn't you lose?

Or how might it have helped negotiating your consulting fees? What would you have done if you heard that there had been trouble over a leak of information?

Re:classic diligence, albeit in a modern world (2, Interesting)

Hoi Polloi (522990) | more than 7 years ago | (#16546250)

"I once did an informal (and anecdotal) caucus, and on one business trip observed about 95% of any laptop users playing solitaire or some game with their computers."

I needed a laptop for a biz trip to a software convention in SF CA. I was giving a talk and was reviewing my notes. But the thing the laptop was best for was killing the time during the flight. I was playing Nethack and even got a double take and knowing smile from a fellow techy who was walking down the aisle.

Interesting question (-1, Troll)

justinbach (1002761) | more than 7 years ago | (#16545888)

There's nothing in the story that is anything hugely new - but it does lead to an interesting question. What's the worst "on the road" security setups you've seen?

Here's an interesting question for ya...why is that question interesting? I'll leave the subject/verb agreement alone for now; my Monday shift as grammar nazi doesn't start for another hour.

Re:Interesting question (5, Interesting)

Atheose (932144) | more than 7 years ago | (#16545950)

I stopped at a cyber cafe while on vacation in St. Maartin last March to check my work email, and the computer I was at had a Key Logger installed and active in the system tray! I switched to another computer and, sure enough, same thing.

The kicker--the manager of the place made the customers pay for the computer time by entering your credit card information into the computers themselves! Needless to say the only thing that kept me from leaving immediately was the 5 minutes I took to laugh in his face.

Re:Interesting question (2, Interesting)

ubergenius (918325) | more than 7 years ago | (#16546824)

I never use internet kiosks where you have to pay to use the systems. Ever. I can not for the life of me fathom a circumstance where I couldn't just wait until I got home to check something online. Bank account balance? ATM. E-mail? Mobile phone, or just be patient and wait.

Re:Interesting question (1)

Gulthek (12570) | more than 7 years ago | (#16546850)

What if you're traveling, esp. in a foreign country?

Always pay cash though.

Re:Interesting question (2, Informative)

MMC Monster (602931) | more than 7 years ago | (#16546958)

If you are that essential to a business that you need your email while on vacation, you can afford a mobile phone and have a secretary read you the highlights. If you need network access for work while on a trip, you should have the work get you a laptop. They're cheap enough.

Re:Interesting question (2, Insightful)

libkarl2 (1010619) | more than 7 years ago | (#16547086)

This is the first time I have ever heard of a keylogger that actually broadcasts its presence in the system tray, although I can see how that would be useful for non-malicious purposes.

The typical keyloggers I have dealt with operate as a standard process in the background. Most do not show up on the taskbar but can be stopped from the Process Manager (the Ctrl+Alt+Del applet).

The nastier ones either replace, or patch the keyboard driver. Upon reboot, they run at all times and can only be found by AV scanner (knock on wood) and/or by the log file they create. The classic infection vectors for these are rootkits, and software installation packages that have been tampered with.

Re:Interesting question (5, Funny)

justinbach (1002761) | more than 7 years ago | (#16546080)

Wow, that's a sure sign I've had a rough weekend; my last post on Friday afternoon was a +5 Funny, and here I am Monday morning with a 0, Troll. I guess I need a hug... :-(

Re:Interesting question (0)

Anonymous Coward | more than 7 years ago | (#16546694)

Yes, that's right, it's all about YOU here.

Denver Airport (5, Interesting)

Anonymous Coward | more than 7 years ago | (#16545892)

North Concourse - Baggage Claim WiFi. 100 percent open SSID. You can easily guess the password. Took 1 try for me. Then you have access to the entire net, as well as (I can imagine) some other wonderful things that I did not choose to endeavour into...

Re:Denver Airport (3, Funny)

ScottyH (791307) | more than 7 years ago | (#16546502)

"bags"?

Re:Denver Airport (5, Informative)

Crisavec (112287) | more than 7 years ago | (#16546904)

He wouldn't have seen/done much, as there is NO North Concourse at DIA. There's Terminal East and West(same building, different sides) and then Concourses A, B and C. Baggage is in the main Terminal.

No, (0)

Anonymous Coward | more than 7 years ago | (#16546980)

"lost".

Re:Denver Airport (1)

XMyth (266414) | more than 7 years ago | (#16547156)

No, it's 'terrorist' obviously.

Public computers (5, Insightful)

spineboy (22918) | more than 7 years ago | (#16545962)

I won't do anything on a computer that requires a password that I care about from a 'puter that isn't my home computer. It's too easy for someone else to install a key logger program, etc. I'm always amazed at the number who access their on-line banking from a terminal in the nurses lounge, etc.

I still won't access it from work from my personal office computer, 'cause: 1) it runs Windows, and 2) it's on a network and the security guys are always running "updates" - who knows what's in there.

Re:Public computers (4, Interesting)

denebian devil (944045) | more than 7 years ago | (#16546152)

My biggest issue has always been what am I willing to do or not do when I'm in various situations: on a friend's computer, a wired kiosk, a non-secured wireless connection using my own computer, etc., and the heartache that comes with those decisions.

I find this comment in the article very interesting:

"Where I'd draw the line is putting in your bank account information or credit card number," he said, adding that checking e-mail messages probably is not that risky, but if you want to be cautious, change your password once you are on a secure connection again.

That said, if you gain access to your corporate network through a V.P.N., or virtual private network, you are safer using public hot spots, because your data is encrypted as it travels between Gate 17 and your office's server, where it is decoded before going to its destination.

Technically, putting in your bank information or credit card information at most respectable websites should be more secure than checking email, because most major banking institutions or sites that accept credit card numbers do so using SSL, which should be safe even if being broadcast over any wireless connection. And they even accept the secure nature of VPN encryption, but don't bother mentioning the encryption available for most banking/CC transactions. On the other hand, most people don't check their email over a secure connection, because either secure email is unavailable to them, or secure email is not the default and they don't know better than to use the default, or only the password is broadcast securely while the emails themselves are still sent in plain text.

That being said, I still avoid sending banking records, CC numbers, and even secure email over non-secure wireless connections, unless it is absolutely necessary, and tend to be very choosy about which of my friends' computers I will use to access my most valuable information. Guess I just can't take off that tin-foil hat!

Re:Public computers (4, Insightful)

jonwil (467024) | more than 7 years ago | (#16546306)

SSL doesn't help when the machine you are using is running a software or hardware keylogger.

Re:Public computers (1)

AdamKG (1004604) | more than 7 years ago | (#16546670)

Neither does a VPN, but that's not what this article is about. This article is about compromises in between the antenna on your laptop/mobile phone and the internet.

Re:Public computers (1)

Brickwall (985910) | more than 7 years ago | (#16546804)

I find this comment in the article very interesting: "Where I'd draw the line is putting in your bank account information or credit card number," he said, adding that checking e-mail messages probably is not that risky, but if you want to be cautious, change your password once you are on a secure connection again. That said, if you gain access to your corporate network through a V.P.N., or virtual private network, you are safer using public hot spots, because your data is encrypted as it travels between Gate 17 and your office's server, where it is decoded before going to its destination.

I found this comment very confusing. Since when does VPN = Encryption?

Re:Public computers (2, Informative)

squiggleslash (241428) | more than 7 years ago | (#16546854)

I'm not going to go so far as to suggest boxed unencrypted VPN connection systems do not exist, but every VPN system I've ever come across has provided some kind of encryption between the remote machines and the networks they're connecting to.

I guess you can bodge something together to run pppd over telnet, but generally off-the-shelf systems tend to be more secure than that.

Virtual *Private* Network (4, Informative)

NixLuver (693391) | more than 7 years ago | (#16546888)

It's not a VPN if it's not encrypted, it's just a tunnel. The Private is the important thing. A VPN is a system for creating secure private networks over 'unfriendly' or 'unsecured' networks.

Re:Public computers (2, Informative)

ConceptJunkie (24823) | more than 7 years ago | (#16547160)

Since when does VPN = Encryption?

Well, if it's a Virtual Private Network, I'd hardly see how it could be unencrypted.

Re:Public computers (1)

Angostura (703910) | more than 7 years ago | (#16546180)

I would hope that your bank has a Web site immune from threat by key-loggers. If not, change banks.

Re:Public computers (-1, Troll)

Anonymous Coward | more than 7 years ago | (#16546584)

Troll.

Re:Public computers (1)

CastrTroy (595695) | more than 7 years ago | (#16546596)

How exactly do you propose to stop this? How do you make a web site that's immune to the threat of keyloggers, or in the more general sense, programs on client's machine that monitor what they do, either keypresses, or mouse clicks and screenshots?

Re:Public computers (3, Interesting)

bsane (148894) | more than 7 years ago | (#16546726)

The login process at ING would stop keyloggers. Kind of hard to explain, but basically you have to enter a piece of your authentication info using an onscreen keypad. The numbers on the keypad are mapped to keys (they change every time), so you can use a keyboard to enter the info, but the keystrokes would be different every time.

Re:Public computers (2, Interesting)

Hobbled Grubs (651827) | more than 7 years ago | (#16546996)

One solution is a box with numbers randomly distributed inside it. You click on the numbers to enter your password. Saving mouse clicks will not work because the box never has the same distribution of numbers. You would have to screen capture all the time which isn't feasible. Of course, you could combine a mouse click monitor with a screen capture of the region around the mouse.

Re:Public computers (1)

NMerriam (15122) | more than 7 years ago | (#16546630)

I would hope that your bank has a Web site immune from threat by key-loggers. If not, change banks.

I'm not even sure what that means. Most banks (here in the US) just use a user/password combination that is easily logged if your system is compromised. I know elsewhere many banks have smart cards with one-time use PINs and such, which we'd love to have, but it just isn't an option for most Americans.

Re:Public computers (0)

Anonymous Coward | more than 7 years ago | (#16546880)

My bank (credit union actually) uses two factor authentication - acc num/password as the obvious first, and the second is done by choosing a sequence of images from a given set. Clicking random spots on a webpage with a mouse is much harder for a key logger to figure out.

Re:Public computers (3, Interesting)

Compulsion (734114) | more than 7 years ago | (#16547088)

You mean captchas? captchas won't fool a keylogger. The important stuff will already have been recorded.

However if the captcha is "Which one of these is your mother?" or some other piece of info that is specific to you, then that would make the data thief's job a little harder.

Using the randomly-ordered on-screen keypad to enter data is a pretty clever solution, though.
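The randomized on-screen keypad discussed in the three comments above (bsane, Hobbled Grubs, Compulsion) is easy to see in code. This is an added simulation, not code from any bank or from the original thread: the server issues a fresh digit-to-key mapping per login session, the user types the keys that currently stand for the PIN digits, and the server inverts its own mapping to verify. The ten keyboard keys, the PIN and the seeds are constructed for the example.

```python
import random
import secrets
import string

DIGITS = "0123456789"
# Ten keyboard keys the on-screen keypad maps digits onto (constructed choice;
# a real site would use whatever keys it labels on the pad).
KEYS = string.ascii_lowercase[:10]


def new_keypad_mapping(rng=None):
    """Issue a fresh digit->key mapping for one login session.

    rng defaults to a cryptographically seeded generator; a seeded
    random.Random may be passed to make a run reproducible.
    """
    if rng is None:
        rng = secrets.SystemRandom()
    keys = list(KEYS)
    rng.shuffle(keys)
    return dict(zip(DIGITS, keys))


def encode_pin(pin, mapping):
    """What the user actually types: each PIN digit replaced by this session's key."""
    return "".join(mapping[d] for d in pin)


def verify(typed, mapping, stored_pin):
    """Server side: invert the mapping it issued and compare with the stored PIN."""
    inverse = {key: digit for digit, key in mapping.items()}
    if any(c not in inverse for c in typed):
        return False
    return "".join(inverse[c] for c in typed) == stored_pin


def simulate_logins(pin, sessions, seed=None):
    """Run several logins with the same PIN; return (mapping, typed) per session.

    The typed strings are what a keylogger would capture: never the PIN
    digits themselves, and each one only verifies against the mapping the
    server issued for that particular session.
    """
    rng = random.Random(seed) if seed is not None else None
    runs = []
    for _ in range(sessions):
        mapping = new_keypad_mapping(rng)
        runs.append((mapping, encode_pin(pin, mapping)))
    return runs


if __name__ == "__main__":
    for mapping, typed in simulate_logins("1234", 3, seed=7):
        print("keylogger sees:", typed, "-> verifies:", verify(typed, mapping, "1234"))
```

Replaying a captured string in a later session fails unless the new shuffle happens to agree on those digits, and a captured string alone is consistent with many PINs. As Hobbled Grubs notes, this does nothing against a logger that also grabs screenshots or the mouse position on each click, so it raises the attacker's cost rather than removing the risk of an untrusted machine.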

Re:Public computers (2, Insightful)

caluml (551744) | more than 7 years ago | (#16546688)

I won't do anything on a computer that requires a password that I care about from a 'puter that isn't my home computer.

Carry round Knoppix/Ubuntu/Gentoo Live CD. Boot off that, and you're safe. Apart from hardware nonsense, which you're probably OK with at a friend's house. Depending on your kind of friends.

Re:Public computers (2, Interesting)

caseih (160668) | more than 7 years ago | (#16547034)

While that does decrease the risk somewhat, the risk is still there. My friend once showed me a keylogger he designed that would fit right inside the old AT-style keyboard plug. No software required. Of course that was years ago, but it's still possible that something like this could happen on computers in public places. This is a bit paranoid, granted. Maybe you can use knoppix and then change your bank passwords shortly after.

Best security ever (2, Interesting)

protocoldroid (633203) | more than 7 years ago | (#16545992)

The worst security? Man, it might be easier to say the best security. At a cellphone store with my brother, he looks at a blackberry and says "...it's overkill, but, probably handy if you need to get online all the time, check email etc". So, I take my PSP out of my pocket, and in about 15 seconds, I show him gmail. Every idiot seems to have unsecured wireless.

The best security ever, was with my same brother. I woke up early while staying at his place, and wanted to check my mail. I dipped outside to see what networks I could find. Everything was secured but one, and it seemed their ISP was down. So I said to my brother: "Only one jerk in this neighborhood didn't secure their wireless... and they have a flakey ISP, so I couldn't get online", he says: "Oh, that's me".

Of course, from checking my mail on the road, there are now items in my sent folder with such subjects as "Do you have the north korea nuclear salesman's number?" and "Cheap anthrax mailing services" and "Increase your volume by 6000%"

Re:Best security ever (0)

Anonymous Coward | more than 7 years ago | (#16546238)

Every idiot seems to have unsecured wireless.
Of course, the fact that you were checking your email is completely safe...

Re:Best security ever (0)

Anonymous Coward | more than 7 years ago | (#16546526)

Sure it is. See other comments re ssl.

It's true (0, Offtopic)

gh4nd1 (1012181) | more than 7 years ago | (#16545996)

I've always wanted to marry trouble

Cheap software (4, Interesting)

crazyjeremy (857410) | more than 7 years ago | (#16546014)

It's fun to connect with my ipaq... then use VMNet browser to search for other machines with shares and no security... I find all kinds of "shareware" in their public folders but I do not risk getting bitten by win32 viruses since I'm on a pocketpc machine.

I have found sales documents, salary proposals, resumes and even documents discussing why or why not people should be fired from their company.

Sensationalist, at least about wireless (4, Funny)

markov_chain (202465) | more than 7 years ago | (#16546048)

From TFA:
These software programs are called packet sniffers and many can be downloaded free online. They are typically set up to capture passwords, credit card numbers and bank account information -- which is why Mr. Vamosi says shopping on the Web is not a great way to kill time during a flight delay.


Michael Sellitto, a graduate student studying international security at Harvard, said that even though he encrypted any sensitive data on his laptop, he planned to sign up for a service like HotSpotVPN to add another level of security when he is traveling, especially when using poorly protected networks at cafes and hotels.


Have these guys heard of SSL? SSH? Can you say overkill? And who is this Sellitto guy, sounds like a liberal arts major that can't cut it in a real security field. *breathes into paperbag*

Re:Sensationalist, at least about wireless (3, Insightful)

timeOday (582209) | more than 7 years ago | (#16546404)

Exactly. I think this article is extremely ignorant:
Mr. Vamosi says shopping on the Web is not a great way to kill time during a flight delay. "Where I'd draw the line is putting in your bank account information or credit card number," he said
You will have a very hard time finding any online shopping site that transmits a credit card number without SSL. If you find one, you shouldn't be entering your credit card number there, either from home or at the airport it makes no difference. (All this is assuming you're using your own laptop; you can't trust a publicly accessible Internet terminal for anything). Anyways, people don't steal credit card numbers by going to the airport and sitting around waiting for somebody to send one unencrypted; they steal them by breaking into a website and grabbing its database so they can get thousands at a time. Or they buy them at a few cents per, from somebody who already did that.

Or maybe... (1)

killmenow (184444) | more than 7 years ago | (#16546454)

And who is this Sellitto guy...
Maybe he's a shareholder of HotSpotVPN.

Re:Sensationalist, at least about wireless (3, Interesting)

freeweed (309734) | more than 7 years ago | (#16546528)

These guys must be part of my upper level of management.

I tried to install Ethereal to diagnose some issues on the LAN that normal host-based diagnostics would never catch. Had to do with EBCDIC-ASCII translations, so each host always disagreed with what was sent out on the wire. IT security freaked, calling it a "hacker's tool". I explained patiently that our LAN was segmented enough that they needn't worry, I wasn't about to be stealing the CEO's password. Still no go.

I ended up installing the damn thing anyway, confirmed my suspicions, and saved myself and several hours many days of hunting around. Didn't tell them that, though :)

Every news story that tries to use the fear of "packet sniffers" as a dangerous tool can pretty much be dismissed out of hand. Watching the data flow in and out of your own computer is never a security risk.

Re:Sensationalist, at least about wireless (1)

Xugumad (39311) | more than 7 years ago | (#16546556)

In particular, now he's got his traffic encrypted all the way to the HotspotVPN people... who then send it out as cleartext on the Internet. Sure, it's less risky than broadcasting it over Wi-Fi in plaintext, but it's not a solution.

Gyah. Reminds me of a website I used briefly. Their custom security solution turned out to be server side crypto (of some unproven variety), through to the back office server.

Think about that a second.

The traffic went as clear text through the Internet, arrived at their server, magic runes were waved over it to make it hard enough to read that the developer couldn't think how to break the crypto, then sent off to the back office server.

Too many people know just enough computer security to be dangerous...

Confessions of a corporate spy (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#16546050)

I'm a consultant for one of the big New York trading houses. A large part of my job is to fly around the country shoulder-surfing the competition. Another thing I do is to work on carefully-crafted phony documents on the airplane. I have at least one counterpart at another house, doing the same thing. When a difference of a few cents or a few minutes can mean millions of dollars, it's well worth my fee.

It's not the security I'm worried about.... (5, Interesting)

HikingStick (878216) | more than 7 years ago | (#16546058)

It's the level of user trust. I travel to Chicago frequently, and every time I've been there recently I've seen ad-hoc networks bearing the names of some of the common hotel access points in the Loop. How many uneducated digiots actually connect to those thinking they've found the hotel's hotspot (especially in hotels that don't offer Wi-Fi!).

Re:It's not the security I'm worried about.... (4, Interesting)

Geoffreyerffoeg (729040) | more than 7 years ago | (#16546350)

Yes, but are you sure those are necessarily evil networks?

Your post reminded me of the ad-hoc "Free Public WiFi" that I've been seeing a lot of, and I've never gotten a connection through. A quick Google revealed that this seems to be a case of computers picking up that ad-hoc network from other computers and rebroadcasting that name for the next while. TechBlog: "Free Public WiFi"? Not! [chron.com]

And yes, I don't have a problem connecting to sketchy networks. Other people can always associate with the legitimate network I'm on and try attacks, and my firewall's decent. And if I'm worried about sniffing I'll launch a VPN.

Re:It's not the security I'm worried about.... (1)

Intron (870560) | more than 7 years ago | (#16546402)

Like many people, I have a home computer attached to broadband, with a dynamic domain name and always on. It seems like I ought to be able to use it as a secure encrypted web proxy so that I can use my laptop on the road without worrying about eavesdropping. One method I can think of is to connect via a VPN and then configure my home address as the HTTP proxy in firefox, but I'm not sure how to guarantee that everything is going through the VPN and not through the insecure local net.

Re:It's not the security I'm worried about.... (1)

XSforMe (446716) | more than 7 years ago | (#16546844)

"I'm not sure how to guarantee that everything is going through the VPN and not through the insecure local net."

Assuming you are using Windows 2K-XP, open the VPN connection's properties, select TCP/IP properties (networking properties), click on advanced options and click "use as default gateway..." checkbox.

My system is in Spanish, so some of the labels might not match on a word-for-word basis, but I'm sure you can sort out the differences.
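Intron's worry above is exactly the check worth automating: after ticking "use default gateway on remote network", confirm that the lowest-metric default route really leaves through the VPN adapter. The script below is an added example, not from the thread or from any VPN product. It parses the IPv4 table in the layout Windows XP's `route print` prints (the sample text is constructed, with 10.8.0.6 as the hypothetical VPN adapter address) and reports whether the VPN owns the default route.

```python
import re

# Constructed sample in the layout of Windows XP's "route print" IPv4 table,
# as it would look after dialing a VPN whose adapter was assigned 10.8.0.6.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.1.1    192.168.1.50      25
          0.0.0.0          0.0.0.0        10.8.0.1        10.8.0.6       1
        127.0.0.0        255.0.0.0       127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.50    192.168.1.50      25
         10.8.0.0    255.255.255.0        10.8.0.6        10.8.0.6       1
Default Gateway:          10.8.0.1
===========================================================================
"""

DOTTED = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_routes(text):
    """Return (destination, netmask, gateway, interface, metric) for each table row.

    Header, separator and 'Default Gateway:' lines do not have four dotted
    quads followed by an integer, so they are skipped.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not all(DOTTED.match(p) for p in parts[:4]):
            continue
        if not parts[4].isdigit():
            continue
        rows.append((parts[0], parts[1], parts[2], parts[3], int(parts[4])))
    return rows


def default_routes(text):
    """All routes for 0.0.0.0/0.0.0.0; with a VPN up there are usually two."""
    return [r for r in parse_routes(text) if r[0] == "0.0.0.0" and r[1] == "0.0.0.0"]


def vpn_is_default(text, vpn_interface_ip):
    """True when the default route Windows will actually use (lowest metric)
    leaves via the VPN adapter's address."""
    defaults = default_routes(text)
    if not defaults:
        return False
    best = min(defaults, key=lambda r: r[4])
    return best[3] == vpn_interface_ip


if __name__ == "__main__":
    import sys
    vpn_ip = sys.argv[1] if len(sys.argv) > 1 else "10.8.0.6"
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ROUTE_PRINT
    print("VPN owns the default route:", vpn_is_default(text, vpn_ip))
```

On the laptop itself this is `route print | python check_vpn_route.py <vpn adapter IP>`. It checks routing only: the subnet route for the local hotspot remains, as it must, and name resolution is configured separately from the default gateway, so a complete check also confirms which DNS server the VPN connection is using.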

Re:It's not the security I'm worried about.... (1)

olorinpc (729849) | more than 7 years ago | (#16546676)

So does Chicago have open wireless? (Traveling through there for work tomorrow actually... been a while since I have been through there.)

Judging from some I have seen though... put a lot of stock into the AP's name... sadly.

Re:It's not the security I'm worried about.... (0)

Anonymous Coward | more than 7 years ago | (#16546860)

I was able to get wireless in a parking garage in Chicago when I was up there a few months ago. If you are in the loop you are pretty much going to have some networks open everywhere.

The virus of Troy wooden horse type (5, Interesting)

Anonymous Coward | more than 7 years ago | (#16546072)

Worst I have seen is a Hellokitty branded computer in Asia that was installed in a hotel room.
It was free for guests to use and had Windows XP (no service packs) with admin.
It also came with 75 pieces of Asian spyware (not stuff I am familiar with) and a whole bunch of trojans.

The trojans were in a delicate balance, and once removed the computer stopped booting.
Assuming all the computers in the hotel were pwned to the same or a greater degree, that was about 1000 3GHz machines with insane bandwidth pumping out all sorts of garbage. Extremely irresponsible.

ALWAYS carry a Knoppix or DamnSmall CD with you when travelling. If the system isn't locked down enough to stop you booting Linux then it won't be locked down enough to stay clean.

Public websurfing (5, Informative)

SoVeryTired (967875) | more than 7 years ago | (#16546090)

Public websurfing is an inherently dangerous thing to do. If you don't believe me, check out the "security now" article on ARP cache poisoning.

http://www.grc.com/nat/arp.htm [grc.com]

It's the scariest thing I've seen since the last time I was tricked into clicking a link to Goatse.

See, now I'm scared to click on that link... (1)

benhocking (724439) | more than 7 years ago | (#16546194)

It sounds safe, but you never know...

Re:Public websurfing (0)

Anonymous Coward | more than 7 years ago | (#16546360)


If you think that's scary I have heard that public websurfing these days happens without wires and that practically anybody can listen to your conversations without having to spoof ARP! *Gasp*.

[ObAdHominem] Oh, and GRC == Gibson. He's a gimp.

Re:Public websurfing (0)

Anonymous Coward | more than 7 years ago | (#16546686)

Oh, and GRC == Gibson. He's a gimp.
Gibson has a realistic attitude towards educating computer-illiterate users. But, yeah, he can be a fuckwit at times: http://grcsucks.com/ [grcsucks.com]
He may know a bit of asm, but he's no +ORC. Am I right or am I right.

Btw, we all know that +ORC dropped off the map because he got a job at MS.

Re:Public websurfing (0)

Anonymous Coward | more than 7 years ago | (#16546374)

ARP deals with mapping MAC addresses to IPs. How is that relevant to the current topic?

We're not talking about malicious users jacking into public ethernet ports and using cache poisoning to steal IPs.

Re:Public websurfing (1)

Chris Pimlott (16212) | more than 7 years ago | (#16546830)

Because if I can make your PC think my PC is amazon.com, it doesn't matter if your credit card transaction is using SSL.
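The ARP cache poisoning the GRC article and this reply describe leaves a trace on the wire that a defender can watch for: the gateway's IP suddenly answering from a different MAC, and one MAC answering for several IPs. The detector below is an added example (not from the thread or from grc.com); it runs over a constructed list of ARP replies in the form a passive sniffer such as Ethereal would log them, so the addresses and timings are made up for the illustration.

```python
from collections import defaultdict

# Constructed sample of ARP replies as a passive sniffer on the LAN would log
# them: (seconds since start, sender IP, sender MAC). Not a real capture.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1", "00:11:22:33:44:01"),    # the real gateway
    (1.0, "192.168.1.20", "00:11:22:33:44:20"),   # a laptop
    (2.0, "192.168.1.21", "00:11:22:33:44:21"),   # another laptop
    (30.0, "192.168.1.1", "DE:AD:BE:EF:00:99"),   # a new MAC claims the gateway's IP
    (31.0, "192.168.1.20", "DE:AD:BE:EF:00:99"),  # ...and the laptop's IP as well
]


def detect_arp_anomalies(replies, gateway_ip):
    """Flag the two signatures of a poisoning attempt.

    Returns a list of alert tuples whose first two fields are (time, kind):
      ("gateway-mac-changed" | "mac-changed", ip, old_mac, new_mac)
      ("one-mac-many-ips", mac, ips_claimed)
    """
    learned = {}                    # ip -> first MAC seen answering for it
    ips_by_mac = defaultdict(set)   # mac -> IPs it has claimed so far
    alerts = []
    for t, ip, mac in replies:
        mac = mac.lower()
        previous = learned.setdefault(ip, mac)
        if previous != mac:
            kind = "gateway-mac-changed" if ip == gateway_ip else "mac-changed"
            alerts.append((t, kind, ip, previous, mac))
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > 1:
                alerts.append((t, "one-mac-many-ips", mac, tuple(sorted(ips_by_mac[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_ARP_REPLIES, "192.168.1.1"):
        print(alert)
```

A legitimate DHCP reassignment or a gateway failover also changes an IP-to-MAC binding, so the "mac-changed" alerts are a prompt to look, while a gateway change from an unknown MAC is the one to act on. On the client side the remaining protection is the one this reply's example skips: a PC redirected to an impostor still has to be shown a certificate the browser accepts for amazon.com, so the session is only lost if the user clicks through the certificate warning.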

Re:Public websurfing (1)

Beryllium Sphere(tm) (193358) | more than 7 years ago | (#16546442)

Glad Gibson is discussing this. He used to tell people that Ethernet switches, in contrast to hubs, were an absolute guarantee that nobody could sniff your packets.

Irrelevant to WiFi, though.

Sometimes OTT (2, Insightful)

16K Ram Pack (690082) | more than 7 years ago | (#16546116)

I've locked down people's home office PCs for their 3 man company systems (offices at home) with WPA and MAC address blocking, and they still want to know what else they can do in case someone wants to get their information.

It's not like they were trading invention information pre-patent, more things like memos about (small) customers. It would have cost someone more to hire a detective to snoop on them than what the information was worth.

Re:Sometimes OTT (0)

Anonymous Coward | more than 7 years ago | (#16546252)

That's the perfect security. If passing the barriers is more expensive than the thing you're protecting, then you can be sure that nobody will ever try it.

Best security is your neighbors lack thereof (1)

businessnerd (1009815) | more than 7 years ago | (#16546740)

I have done some similar work, and yes they do ask if this is enough to protect themselves against an experienced hacker. Basically, I tell them this is only enough to protect you against the average wardriver. Being security savvy enough to know that if there is a will there is always a way, I am usually quite frank with my clients. However, there needs to be a will. Is there any reason in particular that someone wants YOUR network and the information on it? There might be, but for most of the clients I did this sort of work for, there really wasn't. The fact of the matter is, if you even have a weak WEP key, the fact that you have something at all is enough for a wardriver to go elsewhere if there is an abundance of unsecured networks. Whenever I'm trying to pick up some internet access on the go, I don't bother trying to connect to the network with a uniquely named SSID and WPA enabled. I instinctively go right towards "linksys" with no security (And if I'm feeling like an asshat, I'll change their router's password, MAC address filter everyone but myself and change the SSID to something that will piss off the owner). How many of you out there like to park your car next to a Mercedes or flashy sports car under the assumption that given the choice, the car-jacker will choose the nicer car?

Worst (1)

crossmr (957846) | more than 7 years ago | (#16546122)

Worst security? I was referred to a sports medicine doctor. I was early as I'd never been to that part of town before. I opened up my laptop for fun and scanned and found two networks. 1 from the gym in the building and a "linksys". No WEP, default passwords on the router, and net access. There were 7 machines connected, myself, a printer, 4 others that had no name listed, and one that had the full name of one of the other doctors in the office. I wasn't able to easily view any shares at least. I recommended he lock it down after I met with him.

Re:Worst (1, Insightful)

Anonymous Coward | more than 7 years ago | (#16546342)

Give the guy a break, he is a sports medicine doctor, not a sys admin. If you knock him for not locking down his network then he can knock you for not being able to treat yourself.

Re:Worst (1)

Dunbal (464142) | more than 7 years ago | (#16546906)

Give the guy a break, he is a sports medicine doctor,

Ahh, the motor neuron...

It's ironic how (1)

gh4nd1 (1012181) | more than 7 years ago | (#16546140)

packet sniffers are also used in security. They can sniff out anyone on your network and allow you to decide whether or not that person should be on the network. It all goes back to the way something is being used.

The worst place? That's easy (4, Interesting)

Rik Sweeney (471717) | more than 7 years ago | (#16546164)

The Apple Store on Regent Street in London. People use it as a glorified internet cafe. No one in there is actually trying out a Mac, they're checking their Hotmail, bidding on something on eBay, advertising a room in the classifieds... The staff don't care what people are doing just as long as they're fiddling with the Macs. The funny thing is that if they catch you looking at their screen, they give you a look along the lines of "excuse me, I'm doing something private"

YOU'RE IN A F CKING SHOP!

The only thing that went through my mind when I first saw people taking advantage of Apple's generosity was

I wonder how many people here are actually just using these computers to do something sinister?

Re:The worst place? That's easy (1, Interesting)

Anonymous Coward | more than 7 years ago | (#16546600)

This is part of Apple's policy - you can turn up there either with your own machine, or use one of those on display - and use it for whatever you like (within reason - I guess booting off an installer DVD and resetting the root password would be beyond the pale). This is a good thing - it keeps the shop busy and, yes, people do use the machine to check their email. In the meantime, they are getting used to using a Mac. It makes a big, big change from PC World where you can't even normally USE the PCs without a password.

As far as I know, all the machines are rebuilt from a boot image each night. Although, with OSX's decent security and lack of trojans/viruses/spyware, even that may not be necessary.

Amusing/Lesson in boredom (5, Interesting)

Mr Krinkle (112489) | more than 7 years ago | (#16546168)

So the usual sitting in the gate waiting for the plane to board.
I happen to be happily on my laptop, doing those Oh so critical things like, well, /., The Register, various other random boards that all have the same PW etc. (Go ahead, login and post on /. as me. In fact, do that meta mod thing for me while you're at it)
I hear the guy behind me start speaking VERY loudly on his phone.
He then tells some guy repeatedly an IP to "just login to"
I'm amused, since it sounds like it could be an external IP even, so I try it. Figure why not. It responds to ping. Hmmmm
Wondering what type of login, I get it answered, when he says, "Ok choose Domain ________ and then use administrator and 12BlahBlah for the password"
I'm like you HAVE to be joking.
No one would just shout out their Windows domain admin password. Nope, I was wrong, as it happily logged in.
Oops.
(I'm not saying which company's server it was, but it was a smaller company, but not so small that they should be dumb enough to do something like that.) I also quickly disconnected, and shut down my laptop. :)

Other amusing anecdotes are if you get carried away discussing work. Wife works for a DoD software contractor. They get to talking about bombs/blowing things up regularly, in fact, that's part of their job. Now, put them on a flight, and they start arguing over which type of charge would be more effective at dropping a building or how much of a yield would come from a certain explosive. For some reason, they get right back off the plane. :)

Re:Amusing/Lesson in boredom (0)

Anonymous Coward | more than 7 years ago | (#16546436)

"Wife works for a DoD software contractor."

What does programming have to do with explosives? Blue Screen of Death bomb?

Re:Amusing/Lesson in boredom (1)

Mr Krinkle (112489) | more than 7 years ago | (#16546550)

hehe
Not that it really matters, but SOMEONE has to do the modeling to figure out how effective those bombs are going to be. And where to drop that MOAB on the wooden shack in the desert to ensure it is destroyed. :)
Same thing as with CAD work kind of stuff. Eventually you have to build stuff, but there is a lot of design and testing before building now.

Re:Amusing/Lesson in boredom (1)

Kjella (173770) | more than 7 years ago | (#16546814)

No one would just shout out their windows domain admin password. Nope, I was wrong, as it happily logged in.

I'm not saying it was very smart but I can understand... you're out on a trip, someone calls and needs to fix something. You're already annoyed you're being disturbed. Apparently the other guy isn't too bright or you have a bad line, since he talked loud and repeated it multiple times. Particularly if it's the kind you need to handhold, hanging up to send him via SMS and then dialing him up again is not exactly intuitive. You just want to get this case out of the world.

Also, this doesn't sound that young but there's a new generation that's completely oblivious to the way they're broadcasting their life. Sitting on the bus I heard quite a few intimate details to the point I felt awkward sitting there, while they happily chatted on, mostly on the cell phone. Then again, I suppose people will regret that less than what they put on their blogs...

Utter garbage (2)

gnomeza (649598) | more than 7 years ago | (#16546170)

[Packet sniffers] are typically set up to capture passwords, credit card numbers and bank account information ... "Where I'd draw the line is putting in your bank account information or credit card number."

Robert Vamosi, Senior Editor at CNET, you are an idiot. (Or maybe Susan Stellin is a terrible journalist - I suspect both.)

Saying entering your credit card number on a public computer is dangerous because someone's watching network packets is ridiculous. Just goes to show how little average users understand about online safety, despite efforts to educate them about SSL...

And they even mentioned key-loggers later on...

*gah*

Re:Utter garbage (1)

jimicus (737525) | more than 7 years ago | (#16546796)

If it's a public computer, it would be quite possible for an enterprising cybercafe owner to set up a proxy server which sets up the SSL connection itself, decrypts everything, then presents a self-signed certificate to the client PC. The upshot is that data is nicely encrypted to the proxy, whereupon it's decrypted, logged for later use, then re-encrypted to do the actual banking.

If properly set up, you wouldn't see any error messages on the client PC as it would have the root CA for the self-signed cert installed.

Re:Utter garbage (1)

arth1 (260657) | more than 7 years ago | (#16547032)

Saying entering your credit card number on a public computer is dangerous because someone's watching network packets is ridiculous. Just goes to show how little average users understand about online safety, despite efforts to educate them about SSL...

The above sentence shows how little average users like you understand about online safety, yes.

SSL isn't safe on a public computer. A previous user might have installed (accepted) a Certificate Signing Authority cert, and set the browser to use a remote proxy server. All your SSL requests then go to the proxy server, which generates a site cert solely for the purpose of communicating with you, pretending to be a particular site. All your requests then go to the proxy server, which decodes the traffic and logs it, and contacts the remote server on your behalf (to the REAL cert), so it can feed you the correct data back.

No, SSL is ONLY safe when used on a machine you have total control over. That's not the case for a public computer.

Making sure there's no proxy set or CAs accepted doesn't ensure you're safe -- how do you know that the browser hasn't been modified to lie to you?

VPN (1)

radarsat1 (786772) | more than 7 years ago | (#16546258)

I pretty much always connect to my university's VPN server whenever I connect to an unencrypted wireless access point.

Mostly just so my email doesn't go over the airwaves unencrypted, otherwise I don't care much, since most sites I use that ask for passwords use SSL at least for transmitting the password.

Why is it that more sites don't operate completely on SSL, by the way? I've noticed that a lot of sites use SSL just for the password and then drop to a regular HTTP connection after you log in. Why not just keep the encryption for the entire session?

Re:VPN (0)

Anonymous Coward | more than 7 years ago | (#16546314)

200% extra work for the connection.

Re:VPN (1)

Chris Pimlott (16212) | more than 7 years ago | (#16546908)

Why is it that more sites don't operate completely on SSL, by the way? I've noticed that a lot of sites use SSL just for the password and then drop to a regular HTTP connection after you log in. Why not just keep the encryption for the entire session?

Because it takes much more CPU to encrypt every connection. Keep in mind you also have to encrypt every image and included file that you use on an encrypted page. Trying to mix encrypted and unencrypted content will, at the least, give the user a warning dialog, and at the worst, it just won't work in some browsers; they'll get a bunch of broken image links.
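A way to check a page for exactly the mixed-content problem described above, as an added example rather than code from the thread: a small scanner that resolves every subresource reference on an HTTPS page and reports the ones a browser would have to fetch over plain HTTP. The page URL, hostnames and markup below are constructed; the split into "active" (script, stylesheet, frame: blocked) and "passive" (image, audio, video: warned about) follows how current browsers classify mixed content.

```python
"""Find HTTP subresources referenced from an HTTPS page (mixed content).

Added example; not code from the thread or from any project it mentions.
A script, stylesheet, frame or plugin fetched over plain HTTP from an HTTPS
page is "active" mixed content (browsers block it); images, audio and video
are "passive" mixed content (browsers warn about it).
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Which attribute carries the URL for each element, and how a plaintext fetch
# of that element is classified.
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE:
            severity, attr = "active", ACTIVE[tag]
        elif tag in PASSIVE:
            severity, attr = "passive", PASSIVE[tag]
        else:
            return
        ref = attrs.get(attr)
        if not ref:
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only a stylesheet <link> is fetched as active content
        # urljoin resolves relative and protocol-relative references against the
        # page URL, so "//cdn.example/x.js" inherits https and is not flagged.
        resolved = urljoin(self.page_url, ref)
        if urlsplit(resolved).scheme == "http":
            self.findings.append((severity, tag, resolved))


def find_mixed_content(page_url, html):
    """Return [(severity, tag, url)] for every plaintext subresource."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on an HTTPS page
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page; hostnames are placeholders, not real sites.
SAMPLE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example/style.css">
<link rel="icon" href="http://cdn.example/favicon.ico">
<script src="//cdn.example/app.js"></script>
<script src="http://tracker.example/t.js"></script>
</head><body>
<img src="/img/logo.png">
<img src="http://images.example/banner.jpg">
<video src="https://media.example/v.mp4"></video>
</body></html>
"""

if __name__ == "__main__":
    for severity, tag, url in find_mixed_content(SAMPLE_URL, SAMPLE_HTML):
        print(f"{severity:7} <{tag}> {url}")
```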

CC numbers? Bank details? (1)

el_nino (4271) | more than 7 years ago | (#16546316)

I'd have a hard enough time finding an online store I would like to buy anything from that doesn't utilise encryption for the credit card process. Finding a bank that would allow me to give my credentials in cleartext would be even harder.

The big issue is probably email which most people still access without encryption.

Re:CC numbers? Bank details? email? (3, Insightful)

woodsrunner (746751) | more than 7 years ago | (#16546506)

No kidding! I just sold some property and the realtor wanted me to email the title company my social security number so they could process the paperwork. I had a hard time explaining to them that I would only telephone or mail the number since email was insecure. Finally they emailed me their telephone number. I just can't imagine what a treasure trove their email account would be for identity thieves.

Re:CC numbers? Bank details? email? (1)

jimicus (737525) | more than 7 years ago | (#16546836)

Agreed. IME the places where you're most likely to be asked to email credit card numbers are smaller organisations and organisations which still do a lot of business face to face - places where the person you're dealing with can't say "Do it through our website".

My g/f booked a small hotel recently and they asked her to email a credit card number across. Thankfully she refused, but apparently the hotel was rather surprised at this.

Right Here in My Own Neighborhood (1)

beadfulthings (975812) | more than 7 years ago | (#16546334)

One can count at least seven unsecured wireless routers, presumably sitting in people's houses since this is a fairly residential area. I'd have to say that for some folks, the least secure setting might be the one that literally offers all the comforts of home. What can they be thinking? I guess the trouble is they're not thinking.

The Newspaper of Record (1)

value_added (719364) | more than 7 years ago | (#16546346)

These software programs are called packet sniffers and many can be downloaded free online. They are typically set up to capture passwords, credit card numbers and bank account information...

Sounds scary. Maybe there oughta be a law. On the other hand, since when did a tool like, say, tcpdump, typically used for networking troubleshooting, monitoring and analysis, become a tool that's "typically" used for something else?

I have to wonder. The quality of writing in a publication like The New York Times is above and beyond what one would expect from a local rag. Everybody reads it. The world's movers and shakers read it, and contribute to it. It's for the elite, by the elite, but this is lowest common denominator stuff.

... which is why Mr. Vamosi says shopping on the Web is not a great way to kill time during a flight delay.

If not a non sequitur, at least on par with what passes for news coverage and/or editorials on Fox News. The only thing missing is a discussion of social networking and sexual predators.

At this rate, I expect Leo Laporte to win a Pulitzer.

Re:The Newspaper of Record (1)

Dunbal (464142) | more than 7 years ago | (#16546834)

Sounds scary. Maybe there oughta be a law.

There already is a law. Several in fact. Just goes to show how unenforceable they are.

It probably depends on the place. (0)

Anonymous Coward | more than 7 years ago | (#16546386)

If you're sitting at a coffee shop and surfing the net, not too much trouble. However, places like the waiting room at an Airport are more liable to such intrusions. Perhaps, the MIT campus? Although unlikely, kids are probably poking for fun.

In the worst case download something like Ethereal or some other software and monitor the traffic! Yippee!! What fun!

TFA is uninformed (4, Informative)

Facekhan (445017) | more than 7 years ago | (#16546400)

These software programs are called packet sniffers and many can be downloaded free online. They are typically set up to capture passwords, credit card numbers and bank account information -- which is why Mr. Vamosi says shopping on the Web is not a great way to kill time during a flight delay.

"Where I'd draw the line is putting in your bank account information or credit card number," he said, adding that checking e-mail messages probably is not that risky, but if you want to be cautious, change your password once you are on a secure connection again.


When you shop on the web, nearly all online stores will be encrypting your credit card and other information needed to check out. There may be some debate as to whether they implemented it properly and one should use caution but in general SSL is gonna have you covered. Checking your email, at least with a POP3 client, is among the worst things you can do on an unsecured hotspot because far too many email services still don't use encryption for the password exchange. In addition very few email services, POP3 or webmail, encrypt the messages so basically if you are reading your email, so is someone else. Email is one of the few services that you can still expect to see someone's password come up in plaintext. Even AIM doesn't do that anymore although the messages are in plaintext unless SecureIM has been turned on for you and the person you are chatting with.
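The POP3 failure mode described above, as an added example that is not code from the thread: an audit function that reads a captured session transcript and reports whether the login and any retrieved mail crossed the network in the clear, i.e. before a successful STLS. The transcript format (one line per protocol message, prefixed "C: " or "S: ") and both sample sessions are constructed; the report says that clear-text authentication happened but never carries the password itself.

```python
"""Audit a captured POP3 session for credentials and mail passing in the clear.

Added example, not code from the thread. Input is a constructed transcript in
the shape a capture tool's "follow stream" export gives (assumed format: each
line prefixed "C: " for client or "S: " for server). The report records that
clear-text authentication occurred; it never returns the password value.
"""


def audit_pop3_session(lines):
    report = {"stls_negotiated": False, "clear_auth": [], "messages_in_clear": 0}
    encrypted = False
    awaiting_stls_reply = False
    for raw in lines:
        line = raw.rstrip("\r\n")
        if len(line) < 3 or line[1:3] != ": ":
            continue                       # blank line or comment, not protocol
        side, payload = line[0], line[3:]
        if side == "S":
            if awaiting_stls_reply:        # +OK to STLS: the stream becomes ciphertext
                encrypted = payload.startswith("+OK")
                awaiting_stls_reply = False
            continue
        if side != "C" or encrypted:
            continue                       # nothing after a successful STLS is readable
        cmd, _, arg = payload.partition(" ")
        cmd = cmd.upper()
        if cmd == "STLS":
            awaiting_stls_reply = True
        elif cmd in ("USER", "PASS"):
            if "USER/PASS" not in report["clear_auth"]:
                report["clear_auth"].append("USER/PASS")
        elif cmd == "AUTH":
            # AUTH PLAIN / AUTH LOGIN only base64-encode the password: not encryption
            mech = arg.split(" ", 1)[0].upper()
            if mech in ("PLAIN", "LOGIN"):
                report["clear_auth"].append("AUTH " + mech)
        elif cmd == "RETR":
            report["messages_in_clear"] += 1   # the message body follows in plaintext
    report["stls_negotiated"] = encrypted
    report["credentials_in_clear"] = bool(report["clear_auth"])
    return report


# Constructed sample sessions; the password value is a placeholder, not captured data.
CLEAR_SESSION = [
    "S: +OK POP3 server ready",
    "C: USER alice",
    "S: +OK",
    "C: PASS placeholder-not-a-real-password",
    "S: +OK Logged in.",
    "C: RETR 1",
    "S: +OK 120 octets",
    "S: From: bob@example.org",
    "S: .",
    "C: QUIT",
]
STLS_SESSION = [
    "S: +OK POP3 server ready",
    "C: STLS",
    "S: +OK Begin TLS negotiation",
    # from here on the capture holds only TLS ciphertext
]

if __name__ == "__main__":
    for name, session in (("clear", CLEAR_SESSION), ("stls", STLS_SESSION)):
        print(name, audit_pop3_session(session))
```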

Of course, the converse applies too... (5, Insightful)

gjuk (940514) | more than 7 years ago | (#16546410)

Should I ever need to do anything a bit cheeky, I just pop out to the street, find an unsecured wifi, and do anything I like, safe in the knowledge that the cops will have someone else's IP address, and that they'll find it rather hard to find me. Should I say that?

FM8ist stop (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#16546446)

Defcon - Wall of Sheep (1)

xrayspx (13127) | more than 7 years ago | (#16546504)

How many people, knowing they were on a very hostile network, still logged into slashdot, livejournal, ftp sites, webmail, all in the clear...

Internet cafes, gaming stores (1)

argStyopa (232550) | more than 7 years ago | (#16546590)

I find it amusing that people believe that they can login and play World of Warcraft anywhere - gaming cafes, etc. - and then are shocked that their accounts are hacked by keyloggers.

Not sure if it's naivete, or simply an absence of logic. Yes, one would HOPE that such sites routinely sweep their systems for unauthorized software, but frankly, short of re-imaging the hard drive after every user, I'm not sure how they could entirely prevent it.

EVDO (2, Funny)

TrappedByMyself (861094) | more than 7 years ago | (#16546614)

FTW

Terminal rooms in schools (2, Funny)

Anonymous Coward | more than 7 years ago | (#16546618)

Back in the 80's when terminals and mainframes still ruled universities (don't know if they still do) students in CS classes still had to use the public terminals to do school work. Many of the students (especially in the introductory courses) seemed to be incapable of remembering to log out. The terminals were VTs so they didn't time you out or lock the screen. I was regularly logging people out when I saw them grab their stuff and leave. I finally got sick of it and started encouraging them to log out by, say, changing their default process name on the VAX to "{sys admin's name} SUCKS" or adding a line to their "INTRO TO CS" program that printed out their intention to hurt the president of the US. Don't know if it improved security but it sure amused me.

Problems with the article (4, Interesting)

RT Alec (608475) | more than 7 years ago | (#16546660)

I had a few problems with the article:

  • I don't think the article made it clear enough the difference between using your own laptop versus using a kiosk. Obviously, never enter ANYTHING, even your name, into a kiosk. Period.
  • When you are using your laptop in a public hotspot, only enter personal information on web sites that use SSL. That excludes Slashdot, MySpace, and many web-mail sites... but still allows the use of many well designed and secure systems (Amazon, PayPal, eBay).
  • Using a VPN absolutely eliminates the danger of sniffing, even if the "VPN" is merely SSL webmail.
However, the biggest omission is mentioning the danger of using a Windows laptop on a public network-- just turning it on! Remember Blaster, et al.? Try running Ethereal at a busy hotspot-- not only can you see user names and passwords, but you can watch as infected Windows laptops attempt to wiggle in using Windows network stack bug <insert favorite zero day exploit here>. Imagine if the infection attempt was successful, and you brought that laptop back to the office, inside the corporate firewall.

in related news... (0)

Anonymous Coward | more than 7 years ago | (#16546708)

stabbing yourself in the eye with a knife could lead to blindness

sh1t (-1, Redundant)

Anonymous Coward | more than 7 years ago | (#16546794)

much as Windows I type this. st4ndards should