OK folks, I wrote this article for BCM with a lot of fear and trepidation. While I have been involved with using computers on the road since the early Kaypro days (remember CPM?), I am far from an expert. The article reflects my thoughts and research. However, it is my strong hope that folks will send me their CONSTRUCTIVE thoughts so that I can do a follow-up article.
We tried the concept of a follow-up article on the Engine Conversion Series, but I got very little input. I would guess that this subject will generate a great deal more discussion.
You can send your information to: jim at rvsafetysystems dot com.
Jim,
Thanks for the referral in the article. For everyone's convenience, here is a clickable link to my Netbook tutorial:
http://ourodyssey.blogspot.com/2009/09/moving-to-acer-aspire-one-netbook.html
I have not had a chance to read the entire article yet so I can't really give you feedback on all the parts. It's a great subject and a timely article, though.
-Sean
Removed
Quote from: rv_safetyman on June 05, 2010, 04:14:16 AM
OK folks, I wrote this article for BCM with a lot of fear and trepidation. While I have been involved with using computers on the road since the early Kaypro days (remember CPM?),
Not only do I remember Kaypro, I remember the Kaypro Fight Song, and I was a Kaypro dealer when they went hooves-up. When they were building computers, they were about the best out there.
For that matter, you could use the CP/M unit as a jack stand . . .
Quote from: Now Just Dallas on June 05, 2010, 10:32:22 AM
I just refuse to believe in the myth that some types are better than others. And have empirical proof of my assertions.
Then you have never had a Toughbook.
One of the guys I work with has replaced his laptop four times in a year, carrying it in a Targus case. I'm doing offroad (4x4) work, and live at the end of a mile-long goat track. My Toughbook has been in the computer mount, RUNNING, nearly every mile I've driven in the last year (it's for real-time communications and DeLorme GPS). I'm typing this on it, in the mount, as I sit in a parking lot waiting for someone.
Removed
Debian clone, with a 1.5Tb Raid +0, +1, a main Hdd of 500Mb, an NVidia of 512Mb and an AMD CPU running at 3.8Ghz.
You do and you will clean it up Mister!
In the same amount of time we had 5 different laptops that died... including the Toughbook.
"Ohhhhhhhh say it ain't so Joe. Say it ain't so". I bought a nice big Toshiba Satellite 18 incher JUST FOR THE BUS. I love it. I heard they all have more problems than a desk top but T has good marks in relation/comparison to other laps. Actually they call the thing a desk top portable and given its weight I hope to never have to carry it further than into Borders. I didn't think a desk top was up to the bus environment.
D, you are like HS in that you seem to be everywhere. And you present in each arena fully armed. Is there anything you aren't well versed in? Full on suck up compliment there. I want to try to maneuver into a posit where your brain can be properly picked. Is it possible that the Pres would support a sub forum on computers and systems for the bus Knut and would you moderate such? Even with a "no" you would participate....right?
I'll get busy,
John
We bought a Compaq Presario 2500 laptop when we started fulltiming 6 1/2 years ago. We were told that laptops have a built in cooling flaw and that if we bought a cooling plate it would extend the life of the laptop. We were also told that laptops usually only last about 4+ years. We figure we will be replacing it in the near future. ;D
My grandson inherited my Toshiba after 6 years of abuse by me and it still works great.
We both have Toshibas, mine is a Tecra A10, Vista Business. Wife's is a Toshiba Satellite, Vista Home. So far they work pretty good. We also have a Dell desktop as a backup. For the desktop we use this http://www.hawkingtech.com/products/productlist.php?CatID=35&FamID=111&ProdID=371 to connect to local WiFi.
We are lucky to have great park WiFi but just in case we have a Verizon USB Novatel 760 air card like the one in Jim's article. When we both want Internet access if no WiFi available, we plug the air card into a Cradlepoint CTR 350 and both of us can be online. The antenna we use is this one
http://3gstore.com/index.php?main_page=product_info&cPath=138_145&products_id=1076
This vendor has great prices and shipping. I have no affiliation with this store, only a satisfied customer. ;)
http://3gstore.com/
For security we both have Microsoft Security Essentials installed, it does a great job of keeping our systems free from viruses, and it's free.
We're connected!
Paul
BTW Jim, great article!
I just use a Dell small desktop unit that works well for me and carry a laptop as backup that can run off the router too
Jerry
Quote
a 700mhz AMD with 2Gb Ram, 500Mb Hdd, 128Mb NVidia video card, and Win 2K Pro.
Then I went back to my first choice, Linux and currently run a Debian clone, with a 1.5Tb Raid +0, +1, a main Hdd of 500Mb, an NVidia of 512Mb and an AMD CPU running at 3.8Ghz.
What did he say??? LOL
I think he said Integer id pharetra eros. Praesent commodo ultricies elementum. Suspendisse ut nisl nec odio lobortis porttitor at et nibh. Aliquam erat volutpat. Etiam eros velit, tincidunt non vestibulum id, suscipit ut diam. Curabitur cursus commodo nisl, quis suscipit sapien tempor quis. Integer ultricies, nibh ut fringilla ultrices, tortor felis vehicula est, non ultricies lorem risus sed lectus.
The vulgarity of it all! :o
I couldn't have said it better myself! ;D
I was referring to Len's post, not John's :)
Removed
I was going to try to respond to a couple of posts yesterday, but we were flying back from Mouseland (Orlando) yesterday and things were hectic. We are in IA for a day or two and then head out in the bus to Elkhorn, WI for a trade show. After that, we head south for another trade show. Obviously, things will be hectic, but I hope to stay on top of this thread.
First of all a comment to Dallas. I think I would have a hard time finding something you wrote that I would find objectionable (at least bus related ;)). If I did, I would very much respect your point of view, since you post things based on your own experience rather than hearsay.
Next I want to make it very clear that I expect (and hope) to get opposing views. That is why I wrote the article. I want to generate a platform from which we can all learn more from this group's vast experience.
One of the areas that I am very hopeful to get good input is data security. Running a business when we are in the bus, scares the devil out of me. I have to process credit cards and lots of other things that would be wonderful fodder in the hands of a bad guy. I take every precaution that I know of, but I suspect there is more that I need to know about.
Paul, not to pick on you (well maybe now that you are a moderator ;D), but we all tend to feel comfortable with whatever virus protection we use. However, the threats on a public WiFi are not virus based and virus software will not protect you. The threat is capturing data that you are transmitting to your bank, credit card company, etc. You full time and you have no choice but to use the Internet to conduct your personal business. The bad guys can relatively easily record the information you send and that is all they need to clean you out or take your identity.
My plan is to publish the input from contributors, give them the credit for the contribution, and then make editorial comments if appropriate. I do not intend to have the editorial comment be a "rebuttal". Rather, I hope to be able to build on the comment with additional research, or to present contributing opposing views and somehow weave them together.
Jim
Quote from: Now Just Dallas on June 06, 2010, 07:08:23 AM
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Maecenas ligula odio, congue dictum tempor vitae, malesuada eget lectus. Proin egestas mollis posuere. Etiam eu lobortis massa. In quis purus nisl. Cras nisl purus, ullamcorper at pellentesque et, euismod eget lacus. Phasellus tempor, metus non viverra semper, tellus est tempor ante, eu hendrerit diam nisl quis urna. Pellentesque id turpis eu sapien tincidunt gravida a nec leo. Nulla ac urna vel mauris facilisis egestas. Proin lobortis facilisis justo, pulvinar ultrices odio rhoncus ullamcorper. Proin ultrices orci ut nibh accumsan non mattis purus fringilla. Sed mattis interdum quam, eu varius quam rhoncus eget. Nunc tempor est ac turpis hendrerit tempor. Praesent pellentesque mollis sollicitudin. Integer sollicitudin, est id suscipit semper, tellus erat lacinia libero, at tempus ligula sapien non mi. Cras a nulla arcu, in molestie turpis. Nam eu mauris in enim aliquet pharetra. Etiam aliquet pulvinar justo sed vulputate. Mauris placerat blandit mauris, eget vehicula elit commodo vitae.
Quicquid id est, timeo Danaos et dona ferentes.
-Sean
http://OurOdyssey.BlogSpot.com
per aspera, ad astra
LOL, Oh great, this computer thing is hard enough to figure out, doesn't anybody speak English any more ??? ;D ;D sheesh! it's all greek to me ??? ??? ;)well not really LOL!
Do I dare ask?
Removed
Quote from: rv_safetyman on June 06, 2010, 08:59:30 AM
My plan is to publish the input from contributors, give them the credit for the contribution, and then make editorial comments if appropriate. I do not intend to have the editorial comment be a "rebuttal". Rather, I hope to be able to build on the comment with additional research, or to present contributing opposing views and somehow weave them together.
What I'd like to see discussed Jim is the relative risk. I don't know what the real numbers are but I strongly suspect that a lot more people are ripped off by a minimum wage clerk who steals the paper copies of CC transactions than are hurt by cyber-thieves stealing the data out of the ether. I was an early adopter of internet banking and conducting business online. Maybe I've just been lucky but I think the fact that I have repeatedly had tools stolen and been the victim of vandalism while never experiencing anything close to cyber theft is because the average citizen's risk is still many orders of magnitude greater from plain old garden variety crime than it is from cyber crime.
Cyber crime makes good news headlines. Some welfare case copping my toolbox out of the back of my truck doesn't. I'm not trying to take anything away from your story, just trying to put it in perspective. There's not much point investing in fancy hardware firewalls if there's no locks on the baggage doors, IMHO.
Quote from: Now Just Dallas on June 06, 2010, 05:30:11 PM
I fear horses and gifts and Greeks too!
It is a line from the Aeneid, which I was forced to read in Latin in, I think the 10th grade.
I thought it appropriate, since we were talking about computer security, where a "Trojan horse" is a well-known type of attack.
It is generally translated as "Whatever it is, I fear the Greeks, even bearing gifts." From which we get the modern expression "Beware of Greeks bearing gifts," or as we often say in computer circles, "Beware of Geeks bearing grifts" (whatever a grift may be). It was uttered by the Trojan priest Laocoön upon discovering the wooden horse outside the gates.
The literal translation is "Whatever it is, I fear the Greeks, and bearing gifts," but the word "and" ("et" in Latin) has more meanings than in English.
But I thought Dallas' "Lorem Ipsum" needed a retort, since he explicitly said that it was "for the rest of [us]". "Lorem Ipsum" is a well-known placeholder in the publishing and now computer worlds, whenever "dummy" text is needed to test typefaces, printing, screen displays, etc. It has been used for centuries for this purpose, and today you will even find it embedded in Microsoft products as standard font and printing test displays. The idea is to have text that looks representative of what someone might create or see, but is generally unreadable so that it can not be mistaken for a real document or divert anyone's attention from the task at hand:
http://www.lipsum.com/
http://en.wikipedia.org/wiki/Lorem_ipsum
-Sean
who misspent his youth studying the classics
and then misspent his adulthood working on computers
http://OurOdyssey.BlogSpot.com
Bob, I wish I knew how much risk is involved with problems on Public networks. I think the risk on our personal Internet connections (DSL, Satellite, dial-up, aircard, etc.) is pretty low.
However, the research I did on public networks suggests that all the tools are there for the bad guys to grab your information. Key logging software is readily available. The information suggested that implementation is not difficult. The question is how often is it done. My approach is to always be aware and "lock the door" as best as I can.
I don't want to be "Chicken Little", but I do want folks to be aware that the potential exists.
Jim
Quote from: rv_safetyman on June 06, 2010, 07:49:06 PM
However, the research I did on public networks suggests that all the tools are there for the bad guys to grab your information. Key logging software is readily available. The information suggested that implementation is not difficult. The question is how often is it done. My approach is to always be aware and "lock the door" as best as I can.
Key logging software isn't going to matter if you are on a public wi-fi or not.
Transactions done on the web should only be done with secure websites. It would be pretty difficult for a thief to figure out which packet is your credit card number or login/password and then decrypt it. Even POP3 email can be encrypted these days.
Brian, I hope you are correct.
The reading I have done suggests that a person on the same public network can record your keystrokes (including launching the website) and capture your data transmission to that secure website. Or it can capture the data you are typing into a web mail server. The thesis is that they get the information BEFORE it gets to the https website.
Jim
Quote from: rv_safetyman on June 08, 2010, 08:14:24 PM
The reading I have done suggests that a person on the same public network can record your keystrokes (including launching the website) and capture your data transmission to that secure website. Or it can capture the data you are typing into a web mail server. The thesis is that they get the information BEFORE it gets to the https website.
Not unless software has been installed on your computer first, such as through a Trojan (timeo Danaos, et dona ferentes), a worm, or some other malware. Or maybe just while your back was turned at Starbucks.
Nothing goes out onto the airwaves unencrypted when you use HTTPS.
There is a very complicated form of attack known as the "man in the middle" that could theoretically be used on unsuspecting internet cafe patrons, but that's not something the guy sitting next to you could do with his wireless card. Your traffic would actually have to be intercepted upstream of the cafe's WAP. And now we are not talking wireless security, but the sort of attack that can only be carried out well inside the cloud.
FWIW.
-Sean
http://OurOdyssey.BlogSpot.com
OK guys, I am getting information that conflicts with some pretty significant documentation on the dangers of public (non-secure) networks. To make matters worse, these comments are coming from folks whose comments/knowledge I trust. I understand the https (secure website) technology, but the documentation I have looked at suggests that there is a danger getting the information from your keyboard to the site in a secure manner.
So, just to make sure I understand:
Sean (and others who have given the same basic comment), you would not be concerned about going to an Internet Cafe or Starbucks and doing your financial transactions?
I am not trying to be argumentative (know it sounds like it), but I want to make sure that I understand the thesis that public networks are safe places to transmit personal data. If that is the consensus, I will need to address that departure from what I published.
If the response is: no problem, ***BUT*** I use XXXX software/procedure to protect myself, that is important information.
Jim
Quote from: rv_safetyman on June 09, 2010, 06:48:38 AM
OK guys, I am getting information that conflicts with some pretty significant documentation on the dangers of public (non-secure) networks. ... the documentation I have looked at suggests that there is a danger getting the information from your keyboard to the site in a secure manner.
Jim, there is, indeed, a lot of misinformation out there, and also a certain amount of fear-mongering. Some of the fear mongers have axes to grind, i.e. they sell something that supposedly protects you from these threats.
Quote
Sean (and others who have given the same basic comment), you would not be concerned about going to an Internet Cafe or Starbucks and doing your financial transactions?
Not only am I not concerned, in fact, I do this all the time. We use open WiFi networks whenever they are in range of the bus, to keep our HughesNet usage down, and for improved response. Plus, I take my netbook with me when we travel and use any WiFi we can get our hands on. We even run our own WiFi network here on the bus unencrypted; any network can be compromised, and our computers had best not be doing anything on any network that can jeopardize our privacy, so we don't need to rely on "securing" our network. (We have now locked it down by MAC address, but that's to keep inconsiderate neighbors from getting us FAPped; we add folks on request after explaining the usage policy.)
Quote
If the response is: no problem, ***BUT*** I use XXXX software/procedure to protect myself, that is important information.
Well, yes, you should always use both an anti-virus program and a personal firewall. I use AVG Free and Comodo Pro, both excellent and highly rated free products. I also use FireFox and have security add-ins such as NoScript to further protect my privacy. Linked within my netbook post that you linked earlier is this post on all the software we use, including privacy and security products, mostly free:
http://ourodyssey.blogspot.com/2008/04/odysseys-it-department.html
There is also no substitute for common sense and paying attention. Don't send anything unless you see the lock icon or "https://" in the address bar, and don't click links without checking to see what sites they lead to -- I am sure you know how phishing works, and that sort of attack will work no matter what network you are on.
Why don't you give me a call before the next installment of the article; perhaps we can collaborate. This was my bread and butter, having worked not only for ISPs and telecommunications carriers, but also once upon a time for PGP. While not hard-core, I do consider myself a cypherpunk...
-Sean
http://OurOdyssey.BlogSpot.com
Removed
Quote from: Now Just Dallas on June 09, 2010, 09:08:30 AM
I bow to the all knowing Sean.
Bill Gates has paid my bills for years, but I'm not as edikated as SW.
Dallas, to be clear I was not talking about you or anyone else in particular when I said there was a lot of misinformation.
Quote
... That's one reason I like dealing with Linux, which isn't as difficult as many may think.
As I wrote in the blog post I linked above, Linux is a much better choice than Windows for many reasons, including security. Windows has more holes than Swiss cheese, and its complexity coupled with the fact that most users are not experts makes it ripe for attack.
However, realistically, Linux is just not an option for many if not most people. And many of the most dangerous attacks are OS-independent, such as link misdirection (used by phishers), man-in-the-middle, and simple packet sniffing for private information sent in the clear.
-Sean
http://OurOdyssey.BlogSpot.com
Packet sniffing is what I would be most concerned about on an unencrypted open wifi network (no password required). I would never transmit any information that I wouldn't be comfortable posting on the open Internet for all to read on an open wifi connection without the browser window being SSL encrypted (HTTPS). On the other hand, if the wifi is password protected and the "owner" of the hotspot is reasonably trustworthy then it is a bit better. But still not good for confidential information without using encryption.
As was noted earlier in the thread, even email can be set to use encryption if your email provider supports it (often is). But it isn't just the data that needs encrypting, the password needs to be protected by setting "Logon using Secure Password Authentication" (unfortunately that isn't as often supported). Or you can simply use browser based webmail access to your email via a SSL secured (https) connection (most email providers offer it).
Another huge risk on a wifi network is if you don't have Windows "File & Print Sharing" turned off for wireless networks on your computer. In that case you may as well hand them your computer. If you actually use sharing on your home wifi network, you can have it on at home and turn it off when away from home (just don't forget).
Here is a decent tutorial for turning off sharing on wireless networks in Windows XP:
http://www.internetsafetycenter.com/wireless-security-public-wi-fi-security
We have been paying our bills online for many years, WiFi, air card, Starbucks, McDonalds, Airports you name it. Have not been compromised yet. All of the sites that we do pay online are safe, secure encrypted sites. Otherwise we wouldn't.
I understand the need for being safe, but we're pretty small apples compared to most.
I just don't worry about it anymore.
FWIW & IMHO
Paul
Removed
Quote from: Now Just Dallas on June 09, 2010, 10:56:24 AM
I would bet you that with minimal information, I could obtain the credit card and bank information from at least 75% of the members here. That would also include your 'secret question' and the PIN for your paypal account.
I'll take that bet, Dallas. I have $1,000 that says you can not do this with passive eavesdropping alone, so long as all the sites use SSL.
Rules:
1. No "phishing" or link misdirection. This is a well-known scam and works often enough that the crooks keep doing it. Frankly, there is no way to stop this, any more than there is a way to stop people from buying snake oil (whether for humans or diesel) or becoming Scientologists. As I think you yourself are fond of saying, "you can't fix stupid."
2. No trojans or other malware, or exploiting of "back doors." You can only eavesdrop, not hack your way in to a machine to install key-loggers or other exploits.
3. Email is off limits. I would bet that you are right, insofar as probably 75% (or maybe more) people are using insecure email systems that send passwords in clear text. So, to make it a fair contest, you can't sniff their email passwords, and then, by social engineering, use that information to make a brute force attack on other, more secure systems, nor can you sniff email contents and feed that into social engineering exercises. (And, important note to everyone following along: Your email password is not secure, so don't ever use that same password or any permutation of it for secure purposes such as your banking, credit card, or PayPal passwords. Also, don't ever send private information in email unless you encrypt it first.)
4. We're only talking about secure sites, including PayPal. That would include most banks and credit card issuers, etc. I would hope everyone here already knows that information exchanged with any web site that does not use SSL is sent in clear text and is subject to being intercepted and read, on any network (not just wireless).
5. You can only eavesdrop on someone else's network, such as a public hot spot. If you yourself control the WAP and router, then theoretically you could run a man-in-the-middle attack by exploiting the MD-5 certificate vulnerability announced last year. Although I would guess that, (a) very few sites still use certificates prone to this and (b) that would require way more work and equipment than any reasonable person would do for a lousy one grand bet. Sorry, I don't have the kind of cash to offer the level of cracking prizes RSA hands out.
Now, all we have to do is find maybe a dozen volunteers from this site and a proper venue, perhaps a rally, to conduct the challenge ;D
-Sean
http://OurOdyssey.BlogSpot.com
I'd like to repeat my earlier question Jim because I think there is a disconnect between where people PERCEIVE the risks to lie and where they actually lie. It would be a really useful article that quantified the relative risk between:
- handing your credit card to the waiter to process your bill "somewhere" out of your sight
and
- doing banking online through public wifi in a Starbucks
That would be useful information for those of us who travel. I'm not interested in doing the research because I am comfortable with my own assessment of the risks but I expect that the credit card companies know the answer. Whether or not they release that information I don't know.
Dallas,
Go for it! No bet though. I would really be interested to know my vulnerability on the net. I use my real name here and I have a couple of websites which have my full name and address all over them. My phone is not unlisted so I shouldn't be hard to find.
I do all my banking and bill paying online and make frequent online purchases.
I pretty much use the same generic password for most sites that I visit, including this one.
Banking, mortgage, investments etc. however, I use a computer generated password which I trust Firefox to remember and keep secure. The answer to any secret question is the same thing, a computer generated password which looks like gibberish. I keep a copy of it in my cellphone.
Another thing I do to protect myself is to have all direct deposits go into a bank account which does not have checking or debit card. I then transfer money as needed to another account to pay bills or go shopping. If anyone got my credit/debit card number they would find it declined at anything much over fifty bucks.
Good luck,
Len
Quote from: bobofthenorth on June 09, 2010, 12:58:28 PM
... I think there is a disconnect between where people PERCEIVE the risks to lie and where they actually lie. It would be a really useful article that quantified the relative risk between:
- handing your credit card to the waiter to process your bill "somewhere" out of your sight
and
- doing banking online through public wifi in a Starbucks
Bob,
As you know, that assessment is very hard to make, because real fraud statistics are tightly guarded secrets of card issuers. Also, when a fraudulent transaction occurs, whether on the internet or with a counterfeited card, it is very difficult to determine how the card number was stolen in the first place -- was it online, or by shoulder surfing, dumpster diving, or "skimming," which is your waiter example.
However, your very own RCMP estimates that 37% of fraud involves counterfeit cards, principally made by skimming, whereas only 10% is "no card present" fraud that might involve an on-line or telephone transaction:
http://www.spamlaws.com/credit-fraud-stats.html.
But I will hasten to point out that all payment forms have their risks; remember that Frank Abagnale cost the public millions through fraudulent checks in the era before computer networks, and Karl Malden told all of us that "It's dangerous to carry cash" and was mostly right.
While there is a public perception that theft and fraud is ever-increasing, the fact of the matter is that technology has done more, in general, to detect and combat fraud than to facilitate it, and the cost of fraud on a percentage basis has been steadily decreasing.
I feel much more comfortable carrying a couple of credit cards around with me and using them for everything, including Internet purchases, knowing that my liability is limited to $50 per card no matter what happens to them, than in either carrying wads of cash or sending checks through the mail.
JMO, of course, and YMMV.
-Sean
http://OurOdyssey.BlogSpot.com
Jim I have 2 Kaypro computers and 2 1200 baud dial up modems. That would be so slow that no thief would sit around and check your packets.
uncle ned
Extremely interesting comments on security.
Ned, I am not sure that I can adopt your solution ;D
Len, interesting approach using a "shielded" bank account and then transferring.
I guess I am going to temper my concern about doing business on public networks. As I mentioned early in this thread, my concern is medium for my personal business (they would not get much, but the effort to get your identity back could be a huge issue). My real concern is doing business processes (mostly credit card processing). I have switched my e-store and "virtual terminal" (credit card processing) to Paypal. Doing so assured that nothing on my site would contain critical customer information. I can only hope that their secure site is indeed secure.
Fortunately, I don't have to use public networks very often. When we were in Europe, I had to do a bit of business (mostly personal) in internet cafes (on my computer) and that scared the heck out of me. Obviously no problem.
I appreciate all of the input, but more importantly, I appreciate the fact that this has been a pretty darn friendly thread, given the nature of the subject.
Thanks,
Jim
Quote from: rv_safetyman on June 09, 2010, 03:45:33 PM
... My real concern is doing business processes (mostly credit card processing). I have switched my e-store and "virtual terminal" (credit card processing) to Paypal. Doing so assured that nothing on my site would contain critical customer information. I can only hope that their secure site is indeed secure.
Jim,
So long as you are using secure web technology, there is no reason why doing so over a public network should be any more risky than a "secure" one (whatever that means -- there really is no such thing).
A much bigger issue for anyone accepting cards on the 'net is validating the authenticity of the credentials of the buyer, and that's not a matter of network technology at your end. As you know, chargebacks are a real concern, and when you don't have the buyer in front of you with a physical card in hand, the risks are higher (and card issuers set the bar higher for you to prove your claim).
I, too, use PayPal as my credit card clearinghouse, and they end up assuming these risks, so long as I follow their guidelines for "seller protection" (mostly, shipping only to addresses that PayPal has approved ahead of time).
-Sean
http://OurOdyssey.BlogSpot.com
Removed
Quote from: Now Just Dallas on June 09, 2010, 04:20:32 PM
...
Then you and I can set up 10 or 20 dummy email accounts at one of my web domains or one of yours, complete with fake credit card info, going to a fake ecommerce site.
...
Well, two problems with this. First I said that email was off-limits -- I already acknowledged that most email is insecure, and trivially easy to break into. Which is why I also advised folks to use a different password for email than for other activities, and never to send private information, such as credit card info, in an email.
That means, folks, BTW, that if you go to a low-volume retailer, and he has no secure credit-card processing site, and asks instead for you to send your card number in email, or for that matter he's got one of those web forms that generates and sends an email, DON'T DO IT.
Secondly, setting up a "fake" e-commerce site is a bit of a challenge. In order for it to be a secure site, using SSL, it needs a security certificate, and that requires payment to one of the certificate providers to sign it with their root certificate. Otherwise the browsers are just going to barf on it, saying that the certificate is invalid, or that the site is using HTTPS but has no certificate.
(This is another one of those BTW's: don't enter your information if you get such an error from your browser. Legitimate sites will always have security certificates, and those should be up to date, valid, and signed by a trusted authority. If your browser is telling you there is a problem, you should be paying attention.)
But you said you could get people's account numbers and PINs, including PayPal, for legitimate sites. I would volunteer to be the guinea pig -- no fake site required. That's the bet I was taking...
Alternatively, we could generate and sign our own certificate for the test, but that's not a real-world test.
-Sean
http://OurOdyssey.BlogSpot.com
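The certificate check described in the post above (a site certificate has to chain to an authority the browser trusts, and a self-signed one is rejected), as an added example that is not part of the original thread. It uses the openssl command line; the names "Demo Root CA" and "shop.example" are constructed for the demo, and the demo CA file stands in for the browser's store of trusted roots.

```shell
#!/bin/sh
# Constructed demo: every name and key here is generated on the spot.
set -u
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# The "trusted authority": its certificate plays the role of a root
# that ships in the browser's trust store.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo Root CA" \
    -keyout "$workdir/ca.key" -out "$workdir/ca.pem" 2>/dev/null
}

# A site certificate the authority has signed (the paid-for case).
make_signed_site_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=shop.example" \
    -keyout "$workdir/site.key" -out "$workdir/site.csr" 2>/dev/null
  openssl x509 -req -in "$workdir/site.csr" -days 30 \
    -CA "$workdir/ca.pem" -CAkey "$workdir/ca.key" -CAcreateserial \
    -out "$workdir/site.pem" 2>/dev/null
}

# A certificate for the same name that the site signed for itself.
make_self_signed_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=shop.example" \
    -keyout "$workdir/self.key" -out "$workdir/self.pem" 2>/dev/null
}

# Prints "trusted" only if the certificate chains to the demo root.
check_cert() {
  if openssl verify -CAfile "$workdir/ca.pem" "$1" 2>&1 | grep -q ': OK$'; then
    echo trusted
  else
    echo rejected
  fi
}

make_root_ca && make_signed_site_cert && make_self_signed_cert
echo "CA-signed certificate:   $(check_cert "$workdir/site.pem")"
echo "self-signed certificate: $(check_cert "$workdir/self.pem")"
```

Both certificates claim the same site name; only the signature chain tells them apart, which is the check behind the browser warning.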
I remember Latin class.........it was a tough place to sleep!
Quote from: muddog16 on June 09, 2010, 05:10:50 PM
I remember Latin class.........it was a tough place to sleep!
In schola somnus!
-Sean
http://OurOdyssey.BlogSpot.com
Quote from: Now Just Dallas on June 09, 2010, 05:26:37 PM
OK, ...
I am almost certain that I wouldn't break your security, however, in a real world test, there wouldn't be a limit or a set of rules to follow. The one to get in, get the info and get out with the most information would be the winner.
...
Yes, but that's not really what Jim was asking about, to which I answered that there was "misinformation" and "fear-mongering." He explicitly asked about HTTPS, and was told by someone that even with that protocol, information was flowing in clear text: it's not.
I think, otherwise, that you and I are probably in violent agreement about most of this. Which is why your reaction to my statement surprised me.
-Sean
http://OurOdyssey.BlogSpot.com
I had no problem sleeping there. I wasn't even signed up for the course. Good one Len.
Dallas,
Sometimes your posts seem cryptic when I am involved... ??? :-\ ;)
Oh, and JohNed, What does Ned mean in Latin? Got me think'n
I have ........ a few degrees. Jesus and Mohammad said I have to...
Now just how many of those degrees are in Divinity and should we start calling you Rev?
But I love you. Yes I do, No disrespect.....really.
That surely isn't the "respect you in the morning" thing variant, is it? Just kidding, Really. ;D ;D ;D
you are a hero in some circles, yup, some circles.
I have found that I can drive 10% of the people in any room to distraction with loathing for me. Except military folk and with them I ran near 100% hero status. I had a NSA security investigator stop by my office and thank me for the opportunity to do a deep background investigation on me. His words were "Day in and day out I investigate the worst people I can imagine and submit reports that jerk their clearance. You have been that breath of fresh air I never thought I would ever get. Everyone within a half mile of your home speaks highly of you. You have fixed a car or appliance or helped build a wall or lent a vehicle or tool to everyone I talked to and they appreciated it. Thank you for this experience". Then he suggested that I request a copy of the report thru the Freedom of info act. Met a lot of people that were legends in their own minds but I sent that guy out with "I can't answer those kind of questions...ask around." And he did. Of course I have been kicked out of some circles and I wear that with pride as well cause I heard that a man is known by his detractors as well as his advocates. In my case, and in one circle, it was said that "all the right people HATE you."
"but I love you"
Not just "off topic" but better left to the PM or email. Hey, whada ya say? No offense....really ;D ;D ;)
John
Dallas,
You gotta quit quoting me to me. It sounds really weird and "not like you". Not to mention SCARY. ;D ;)
entertaining evening
Now that's the truth. 8)
John