"Computers on the Road" June BCM Article

[Ed Hackenbruch]

I was referring to Len"s post, not John's

[Just Dallas]

Removed

[rv_safetyman]

I was going to try to respond to a couple of posts yesterday, but we were flying back from Mouseland (Orlando) yesterday and things were hectic.  We are in IA for a day or two and then head out in the bus to Elkhorn, WI for a trade show.  After that, we head south for another trade show.  Obviously, things will be hectic, but I hope to stay on top of this thread.

First of all a comment to Dallas.  I think I would have a hard time finding something you wrote that I would find objectionable (at least bus related ).  If I did, I would very much respect your point of view, since you post things based on your own experience rather than here-say.

Next I want to make it very clear that I expect (and hope) to get opposing views.  That is why I wrote the article.  I want to generate a platform from which we can all learn more from this group's vast experience.

One of the areas that I am very hopeful to get good input is data security.  Running a business when we are in the bus, scares the devil out of me.  I have to process credit cards and lots of other things that would be wonderful fodder in the hands of a bad guy.  I take every precaution that I know of, but I suspect there is more that I need to know about.

Paul, not to pick on you (well maybe now that you are a moderator ), but we all tend to feel comfortable with whatever virus protection we use.  However, the threats on a public WiFi are not virus based and virus software will not protect you.  The treat is capturing data that you are transmitting to your bank, credit card company, etc.  You full time and you have no choice but to use the Internet to conduct your personal business.  The bad guys can relatively easily record the information you send and that is all they need to clean you out or take your identity. 

My plan is to publish the input from contributors, give them the credit for the contribution, and then make editorial comments if appropriate.  I do not intend to have the editorial comment be a "rebuttal".  Rather, I hope to be able to build on the comment with additional research, or to present contributing opposing views and somehow weave them together.

Jim

[Sean]

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Maecenas ligula odio, congue dictum tempor vitae, malesuada eget lectus. Proin egestas mollis posuere. Etiam eu lobortis massa. In quis purus nisl. Cras nisl purus, ullamcorper at pellentesque et, euismod eget lacus. Phasellus tempor, metus non viverra semper, tellus est tempor ante, eu hendrerit diam nisl quis urna. Pellentesque id turpis eu sapien tincidunt gravida a nec leo. Nulla ac urna vel mauris facilisis egestas. Proin lobortis facilisis justo, pulvinar ultrices odio rhoncus ullamcorper. Proin ultrices orci ut nibh accumsan non mattis purus fringilla. Sed mattis interdum quam, eu varius quam rhoncus eget. Nunc tempor est ac turpis hendrerit tempor. Praesent pellentesque mollis sollicitudin. Integer sollicitudin, est id suscipit semper, tellus erat lacinia libero, at tempus ligula sapien non mi. Cras a nulla arcu, in molestie turpis. Nam eu mauris in enim aliquet pharetra. Etiam aliquet pulvinar justo sed vulputate. Mauris placerat blandit mauris, eget vehicula elit commodo vitae.

Quicquid id est, timeo Danaos et dona ferentes.

-Sean
http://OurOdyssey.BlogSpot.com
per aspera, ad astra

[Van]

LOL, Oh great, this computer thing is hard enough to figure out, doesn't anybody speak English any more sheesh! it's all greek to me ;)well not really LOL!

[Eric]

Do I dare ask?

[Just Dallas]

Removed

[bobofthenorth]

My plan is to publish the input from contributors, give them the credit for the contribution, and then make editorial comments if appropriate.  I do not intend to have the editorial comment be a "rebuttal".  Rather, I hope to be able to build on the comment with additional research, or to present contributing opposing views and somehow weave them together.

What I'd like to see discussed Jim is the relative risk.  I don't know what the real numbers are but I strongly suspect that a lot more people are ripped off by a minimum wage clerk who steals the paper copies of CC transactions than are hurt by cyber-thieves stealing the data out of the ether.  I was an early adopter of internet banking and conducting business online.  Maybe I've just been lucky but I think the fact that I have repeatedly had tools stolen and been the victim of vandalism while never experiencing anything close to cyber theft is because the average citizen's risk is still many orders of magnitude greater from plain old garden variety crime than it is from cyber crime. 

Cyber crime makes good news headlines.  Some welfare case copping my toolbox out of the back of my truck doesn't.  I'm not trying to take anything away from your story, just trying to put it in perspective.  There's not much point investing in fancy hardware firewalls if there's no locks on the baggage doors, IMHO.

[Sean]

I fear horses and gifts and Greeks too!

It is a line from the Aeneid, which I was forced to read in Latin in, I think the 10th grade.

I thought it appropriate, since we were talking about computer security, where a "Trojan horse" is a well-known type of attack.

It is generally translated as "Whatever it is, I fear the Greeks, even bearing gifts."  From which we get the modern expression "Beware of Greeks bearing gifts," or as we often say in computer circles, "Beware of Geeks bearing grifts" (whatever a grift may be).  It was uttered by the Trojan priest Laocoön upon discovering the wooden horse outside the gates.

The literal translation is "Whatever it is, I fear the Greeks, and bearing gifts," but the word "and" ("et" in Latin) has more meanings than in English.

But I thought Dallas' "Lorem Ipsum" needed a retort, since he explicitly said that it was "for the rest of [us]".  "Lorem Ipsum" is a well-known placeholder in the publishing and now computer worlds, whenever "dummy" text is needed to test typefaces, printing, screen displays, etc.  It has been used for centuries for this purpose, and today you will even find it embedded in Microsoft products as standard font and printing test displays.  The idea is to have text that looks representative of what someone might create or see, but is generally unreadable so that it can not be mistaken for a real document or divert anyone's attention from the task at hand:
http://www.lipsum.com/
http://en.wikipedia.org/wiki/Lorem_ipsum

-Sean
who misspent his youth studying the classics
and then misspent his adulthood working on computers
http://OurOdyssey.BlogSpot.com

[rv_safetyman]

Bob, I wish I knew how much risk is involved with problems on Public networks.  I think the risk on our personal Internet connections (DSL, Satellite, dial-up, aircard, etc is pretty low.  

However, the research I did on public networks suggest that all the tools are there for the bad guys to grab your information.  Key logging software is readily available.  The information suggested that implementation is not difficult. The question is how often is it done. My approach is to always be aware and "lock the door" as best as I can.

I don't want to be "Chicken Little", but I do want folks to be aware that the potential exists.

Jim

[belfert]

However, the research I did on public networks suggest that all the tools are there for the bad guys to grab your information.  Key logging software is readily available.  The information suggested that implementation is not difficult. The question is how often is it done. My approach is to always be aware and "lock the door" as best as I can.

Koy logging software isn't going to matter if you are on a public wi-fi or not.

Transactions done on the web should only be done with secure websites.  It would be pretty difficult for a thief to figure out which packet is your credit card number or login/password and then decrypt it.  Even POP3 email can be encrypted these days.

[rv_safetyman]

Brian, I hope you are correct. 

The reading I have done suggests that a person on the same public network can record your keystrokes (including the launching the website) and capture your data transmission to that secure website.  Or it can capture the data you are typing into a web mail server. The thesis is that they get the information BEFORE it gets to the https website.

Jim

[Sean]

The reading I have done suggests that a person on the same public network can record your keystrokes (including the launching the website) and capture your data transmission to that secure website.  Or it can capture the data you are typing into a web mail server. The thesis is that they get the information BEFORE it gets to the https website.

Not unless software has been installed on your computer first, such as through a Trojan (timeo Danaos, et dona ferentes), a worm, or some other malware.  Or maybe just while your back was turned at Starbucks.

Nothing goes out onto the airwaves unencrypted when you use HTTPS.

There is a very complicated form of attack known as the "man in the middle" that could theoretically be used on unsuspecting internet cafe patrons, but that's not something the guy sitting next to you could do with his wireless card.  Your traffic would actually have to be intercepted upstream of the cafe's WAP.  And now we are not talking wireless security, but the sort of attack that can only be carried out well inside the cloud.

FWIW.

-Sean
http://OurOdyssey.BlogSpot.com

[rv_safetyman]

OK guys, I am getting information that conflicts with some pretty significant documentation on the dangers of public (non-secure) networks.  to make matters worse, these comments are coming from folks whose comments/knowledge I trust.  I understand the https (secure website) technology, but the documentation I have looked at suggests that there is a danger getting the information from your keyboard to the site in a secure manner. 

So, just to make sure I understand: 

Sean (and others who have given the same basic comment), you would not be concerned about going to an Internet Cafe or Starbucks and doing your financial transactions? 

I am not trying to be argumentative (know it sounds like it), but I want to make sure that I understand the thesis that public networks are safe places to transmit personal data.  If that is the consensus, I will need to address that departure from what I published.

If the response is:  no problem, ***BUT*** I use XXXX software/procedure to protect myself, that is important information.

Jim

[Sean]

OK guys, I am getting information that conflicts with some pretty significant documentation on the dangers of public (non-secure) networks.  ... the documentation I have looked at suggests that there is a danger getting the information from your keyboard to the site in a secure manner.  

Jim, there is, indeed, a lot of misinformation out there, and also a certain amount of fear-mongering.  Some of the fear mongers have axes to grind, i.e. they sell something that supposedly protects you from these threats.

Sean (and others who have given the same basic comment), you would not be concerned about going to an Internet Cafe or Starbucks and doing your financial transactions?  

Not only am I not concerned, in fact, I do this all the time.  We use open WiFi networks whenever they are in range of the bus, to keep our HughesNet usage down, and for improved response.  Plus, I take my netbook with me when we travel and use any WiFi we can get our hands on.  We even run our own WiFi network here on the bus unencrypted;  any network can be compromised, and our computers had best not be doing anything on any network that can jeopardize our privacy, so we don't need to rely on "securing" our network.  (We have now locked it down by MAC address, but that's to keep inconsiderate neighbors from getting us FAPped; we add folks on request after explaining the usage policy.)

If the response is:  no problem, ***BUT*** I use XXXX software/procedure to protect myself, that is important information.

Well, yes, you should always use both an anti-virus program and a personal firewall.  I use AVG Free and Commodo Pro, both excellent and highly rated free products.  I also use FireFox and have security add-ins such as NoScript to further protect my privacy.  Linked within my netbook post that you linked earlier is this post on all the software we use, including privacy and security products, mostly free:
http://ourodyssey.blogspot.com/2008/04/odysseys-it-department.html

There is also no substitute for common sense and paying attention.  Don't send anything unless you see the lock icon or "https://" in the address bar, and don't click links without checking to see what sites they lead to -- I am sure you know how phishing works, and that sort of attack will work no matter what network you are on.

Why don't you give me a call before the next installment of the article; perhaps we can collaborate.  This was my bread and butter, having worked not only for ISPs and telecommunications carriers, but also once upon a time for PGP.  While not hard-core, I do consider myself a cypherpunk...

-Sean
http://OurOdyssey.BlogSpot.com