64 Comments
- dashifen, on 10/12/2007, -0/+18
I was with you until #5... what is this "outside" you speak of?
- int128, on 10/12/2007, -9/+25
This is new(s)?
- Otto, on 10/12/2007, -0/+15
Horrible article. Take this bit for example:
>>>“Where I’d draw the line is putting in your bank account information or credit card number,” he said, adding that checking e-mail messages probably is not that risky
Actually, checking email is riskier than putting in a bank account or credit card number, because your email username and password, if you're using POP, are sent in the clear and are easily identifiable in a packet dump. But the credit card number is most likely going into a secure https webpage, which is encrypted before it leaves your computer at all.
With your email password, somebody can gain access to your email account and thus to any further information you may have just lying in there. With a credit card number, thieves can't inconvenience you quite as much.
- MikeCerm, on 10/12/2007, -0/+12
Anyone who can successfully brute-force 256-bit encryption deserves my passwords. I just hope they at least say hello to my grandchildren, because I'll already be dead by the time they're done.
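Otto's point above about POP logins, as an added example that is not code from this thread: the checker below walks a mail client's POP3 protocol debug log (a constructed sample is embedded; the "C:"/"S:" direction prefixes are an assumed log format) and reports any PASS command sent before TLS was active, which is exactly what a passive listener on the coffee-shop network would have seen. The password value itself is deliberately left out of the report.

```python
# Added example (not from the thread): audit a mail client's POP3 protocol log
# for a password sent before TLS was active.  "C:" = client, "S:" = server.
import re
from dataclasses import dataclass

POP3_PLAINTEXT_PORT = 110
POP3S_PORT = 995  # implicit TLS: every command is encrypted from the first byte
_LOG_LINE = re.compile(r"^(C|S):\s*(.*)$")


@dataclass
class Finding:
    client: str
    username: str
    reason: str


def audit_pop3_log(client: str, port: int, log: list[str]) -> list[Finding]:
    """Return one Finding per PASS command that went out without TLS."""
    findings: list[Finding] = []
    tls_active = port == POP3S_PORT
    awaiting_stls_reply = False
    username = "<unknown>"
    for raw in log:
        m = _LOG_LINE.match(raw)
        if not m:
            continue
        side, text = m.group(1), m.group(2).strip()
        verb, _, arg = text.partition(" ")
        verb = verb.upper()
        if side == "S":
            if awaiting_stls_reply:
                # RFC 2595: only a +OK reply to STLS starts the TLS handshake
                tls_active = text.startswith("+OK")
                awaiting_stls_reply = False
            continue
        if verb == "STLS":
            awaiting_stls_reply = True
        elif verb == "USER":
            username = arg or username
        elif verb == "PASS" and not tls_active:
            # the password value is deliberately not copied into the report
            findings.append(Finding(client, username,
                                    f"PASS sent in cleartext on port {port}"))
        # APOP sends an MD5 digest instead of the password, so it is not reported
    return findings


# Constructed sample log: a client logging in on port 110 without issuing STLS.
SAMPLE_LOG = ["S: +OK POP3 server ready", "C: USER alice", "S: +OK",
              "C: PASS correct-horse", "S: +OK Logged in."]
```

Running `audit_pop3_log("10.0.0.5", POP3_PLAINTEXT_PORT, SAMPLE_LOG)` yields one finding for account "alice"; the same log on port 995, or after a successful STLS, yields none.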
- MikeCerm, on 10/12/2007, -1/+13
Yeah, this just in: When uninformed people engage in risky behavior, there may be adverse consequences!
Everybody should have a $20, 1GB flash drive with, at a minimum, Portable Firefox, Torpark, and TrueCrypt (to protect any personal documents you might have on the drive).
- bleonard, on 10/12/2007, -1/+12
VPN-it-up and feel safe(er).
- nmckinlay, on 10/12/2007, -0/+10
@ jknight
You have insurance to protect your credit card... the same cannot be said of your e-mail.
- Klowner, on 10/12/2007, -0/+10
Or SSH tunnels even
- MikeCerm, on 10/12/2007, -0/+9
Usually when I'm in public places, I spend most of my time wishing that I couldn't hear other people's cell phone conversations.
- nmckinlay, on 10/12/2007, -0/+6
Aren't we already 'outside' if we are connecting through a public wifi?
- lbna5405, on 10/12/2007, -0/+6
Show me a sniffer that can decode SSL streams. SSL connections to banks are most likely protected by high grade public key encryption (with changing secret key, yaddy yadda, etc). Maybe you can explain to us how these sniffers crack the encryption keys?
- rzklkng, on 10/12/2007, -1/+7
How long till a "safe, secure solution" available from the airport, mall, whatever for only $5.99 per hour comes along? Instead of selling quality, no we'll be leveraging fear, uncertainty, and doubt to sell you "security". Just like how the credit card companies "sell" you credit monitoring since they have to give you gratis credit reports. All the more reason for secure browsing and knowledgeable users...
- ToastPop, on 04/17/2009, -0/+5
Just a question, VPN is supposed to encrypt the information transmitted and that's why it is secure, so doesn't the same logic apply to credit card information and such that is done through the SSL web servers, or is that somehow less safe?
- MikeCerm, on 10/12/2007, -0/+5
SSL is close enough to unbreakable that you should probably worry about keyloggers, not sniffers.
- inactive, on 10/12/2007, -1/+5
Bleh, it's simple.
1) SSH to home computer
2) Remote Desktop / VNC through SSH
3) Do sensitive browsing / email from there
4) disconnect
5) go outside.
- MikeCerm, on 10/12/2007, -0/+3
I mean, come on people, it's an elevator, not a phone booth!!!
- toaste, on 10/12/2007, -0/+2
I agree that there are often ways to be (relatively) secure when computing in public. Yes, use an encrypted VPN if available. Yes, boot a controlled environment on a public computer if you want to be extra secure (aka the Linux LiveCD distro of your choice). But while I think the general public is totally ignorant when it comes to computer security, I don't think they should be irrationally afraid of the resources available to them when they're computing in public.
- Wyzard, on 10/12/2007, -0/+2
If you use a PC as a router on your home network, you can set up OpenVPN so that you can connect to your home network while away from home. Configure it to make the VPN be your default route while it's connected, and all your network traffic will go out through your home router, just as if you were surfing from home.
http://openvpn.net/
- cyssero, on 04/18/2009, -2/+4
What about -
6) ???
7) PROFIT!
First list I've seen in some time now without those key steps..
- inactive, on 10/12/2007, -0/+2
I think that's reserved only for slashdot.org. Even though digg is now "mini-slashdot", must be a copyright thing.
- DickBreath, on 10/12/2007, -0/+2
Please post one single example of anything that can sniff and decode SSL/SSH. Just one.
Now I'll grant that there are tools to do MITM attacks. But SSL/SSH warns you if the certificate thumbprint has changed. If you have written down the certificate thumbprint (or have it in a text file on your device), then you can instantly see that the certificate is NOT really the one on YOUR server. Therefore someone is trying to do the Monkey-In-The-Middle (MITM) attack on you. Don't accept the certificate and don't connect.
The very fact that you would get the certificate warning, that is, once you have pre-installed your server's certificate, should be a major clue.
- MikeCerm, on 10/12/2007, -0/+2
Your banking site is probably secure (https), and faking that is harder than it's worth. The real threat, as alluded to in the article, is keyloggers.
A decent way to avoid keylogger problems is to not type the following:
www.nameofbank.com
MyUserName
Password
That's exactly how it will look in the keylog. Not good. Click around a lot, and occasionally type gibberish. That will help a bit. Also, change your password every once in a while, 'cause if you do get logged and the person responsible doesn't get around to screwing you right away, a monthly password change can save your ass.
Use something like KeePass to track your passwords. It allows you to use stronger passwords (like ones that you couldn't possibly remember yourself), and runs from a USB drive.
http://keepass.sourceforge.net/
- wvdavis, on 10/12/2007, -1/+3
Crap, the packet sniffer secret is out!
/sarcasm
- MikeCerm, on 10/12/2007, -1/+2
SSL and VPN are equally as safe.
- inactive, on 10/12/2007, -1/+2
Some douchebag(s) are trying to bury the entire comment system again. I wish these kids would grow up.. maybe digg needs to be 18+
- cyssero, on 04/18/2009, -0/+1
I actually thought it came from the /b/tards in #4Chan =/
- inactive, on 10/12/2007, -0/+1
First, not only is this news but it needs to grace more newspapers. I find that a majority of computer users (read: non tech savvy diggers) don't realise this at all. They are blissfully ignorant that they are not secure. I have known many that have done their banking at a Starbucks, etc. I am constantly trying to help people with this very subject.. so not only is it news but it is a critical update for people's brains, that most people haven't updated yet.
And to the digg complainers.. write a blog about what you hate about digg, post here and then complain in that comment section. No one designed digg to keep you happy. If you don't like it, create your own, there are a couple of free open source digg clones. The only thing that bothers me about the myspaces, it has caused jerks to act like elitists
- cyssero, on 04/18/2009, -1/+2
A challenger appears.
- MikeCerm, on 10/12/2007, -1/+2
Gmail, for one, uses all encrypted connections. Furthermore, if you send e-mail to another Gmail account, the message is only ever decrypted when the recipient views it (also over an encrypted connection).
- Wyzard, on 10/12/2007, -0/+1
Wireshark is a general-purpose packet sniffer. An attack tool would be more specialized, looking specifically at certain protocols (HTTP, POP, etc.) and scanning for specific patterns. You're not likely to find such tools in general distribution, though.
There's an interesting program called Driftnet that sniffs out images and displays them:
http://www.mythic-beasts.com/~chris/driftnet/
- mrneutron, on 10/12/2007, -0/+1
I don't think that SSL and VPN are equally safe. With VPN they can only tell that you're running VPN and where the other end connects. With SSL someone can see that you visited gay-chat.com, they just can't tell what you discussed on that site.
I'd like to know how I can roll my own VPN without having to pay huge fees to my hosting company. Someone digg up that story already.
- phill, on 10/12/2007, -0/+1
I just noticed that the RSS feed filters appear to be fixed.
- Wyzard, on 10/12/2007, -0/+1
"Unfortunately, the log-in on the home page is not SSL. You have to click around to get to the SSL login page."
The SSL indicator only tells you whether the page you're currently viewing *was* loaded over SSL, not whether the next page *will* be loaded over SSL. Banks' home pages are usually not secured because they get lots of traffic and SSL is more demanding on the server, but when you enter your username and password and click submit, your browser uses an SSL connection to submit your login and load your account page.
An unsecured home page is still a weakness because an attacker could intercept and tamper with it, and change the login form so that it submits your info to the attacker's site rather than to the bank's secure login page, but that's an active attack, which is more difficult and therefore less likely to happen. As far as passive eavesdropping attacks go, as long as the page that processes your login uses SSL, it doesn't matter whether the home page (where the username/password boxes are) uses SSL.
- robweber, on 10/12/2007, -1/+2
@griz
You are right on that argument. The overall topic of the article about computer security when using public internet and wifi is a very good one. Some of the suggestions they give about email checking and credit card usage are not.
@ MikeCerm
Although I generally agree that most people are idiots, especially when it comes to technology and security in general, since you can't really back up your comments (which sounds like an opinion anyway) I'm inclined to disregard it. If you have any concrete evidence (and not just a few experiences from someplace you've worked) then perhaps I'll agree.
- Otto, on 10/12/2007, -0/+1
>>>"Uh, What? I am thinking both are bad. I would think the credit card would be worse though."
With a credit card, the most they can do is to run up some charges and inconvenience you in dealing with your credit card company (you're not responsible for fraud with a credit card).
With access to your email account, they potentially have all your email history and everything in it, which can include lots of personal info and make it a lot easier for identity theft. Especially nowadays, with people storing email online (those 2 GB ain't for nothing).
- databasecowboy, on 10/12/2007, -1/+1
C'mon, you gotta feel sorry for most cellphone users. They aren't making a call, they are covering a disability. They compulsively talk to themselves in public. Mental Health professionals just give out dummy cellphones to help them blend in.
- ghouse, on 10/12/2007, -0/+0
For all of those suggesting users stick with an encrypted email connection, note that some of the largest email hosts in the United States (Earthlink for example), do not provide their users with the option of using POP or SMTP over SSL. They require authentication, but do not allow the user to encrypt the connection.
- robweber, on 10/12/2007, -2/+2
This is good information for the non-tech informed to be aware of, but most people who actually have to do this type of stuff on a day-to-day basis should know the dangers and take precautions appropriately.
- kent1146, on 10/12/2007, -1/+1
@... (above poster):
As security goes up, compliance goes down. You can lock down your email system as much as you want, but users simply won't use it. If you force them to use it and give them no other option, you increase support costs and risk locking them out of doing whatever it is that they are supposed to be doing.
- BuddhaChu, on 10/12/2007, -1/+1
Here are the rules for the USAF:
"4.6.6. Public computing facilities. Do not use public computing facilities (Internet cafés and kiosks, hotel business centers, etc.) for processing government-owned unclassified, sensitive or classified information. Public computing facilities include any information technology resources not under your private or the US Government’s control."
http://www.e-publishing.af.mil/pubfiles/af/33/afi33-202v1/afi33-202v1.pdf#page=31
- MikeCerm, on 10/12/2007, -2/+2
Most people who do this stuff on a day-to-day basis, like most people in general, probably know nothing about computers or safe-computing practices. If asked, they'd say that they do worry about things like privacy/security on the internet and identity-theft, but they don't have any idea how to protect themselves, or even what kind of attacks they need protection from.
- griz, on 10/12/2007, -2/+2
Misinformation is never good information. Telling people the truth of how things work will give them what they need to make decisions.
Instead, after reading this article, people will be checking e-mail and staying away from using their credit card thinking they are safe. Meanwhile someone is stealing their e-mail address and password and logging into their PayPal account using that information because the same idiot uses the same password on everything.
- chedlin, on 10/12/2007, -0/+0
I was going to say the same thing. For the people suggesting secure IMAP protocols, keep in mind the target audience of this article. I use SSL for IMAP and SMTP, but many people don't have that as an option.
- inactive, on 10/12/2007, -3/+3
Doubtful. You're probably in a hotel / coffee shop / somewhere else.
Outside is the place where the "big light" is on for half the day.
- frank3000, on 10/12/2007, -1/+1
What is the packet sniffer that they are talking about?
Something that can re-assemble the packets into something usable?
I have Wireshark but don't know how someone could use it to see exactly what other people are doing online.
- rokka, on 10/12/2007, -5/+5
It's pretty easy to tap a cell phone as well. At least GSM.
- hooksie, on 10/12/2007, -3/+3
“To be honest, it’s kind of a nice thing when you’re sitting in one of those long drawn-out meetings,” he said. “You can do what you need to do and no one will notice.”
I wonder what that guy is really looking at in his meetings...
- eklass, on 10/12/2007, -1/+1
@Mike
Unfortunately, the log-in on the home page is not SSL. You have to click around to get to the SSL login page. Bad decision on the bank's end, and my fault for not being more careful.
- eklass, on 10/12/2007, -2/+2
Dugg since it may be enlightening for a few people (hopefully no regular diggers!)
As a related note, I accessed my bank account from some access point in an airport. Immediately after I hit "submit" the first thing I thought was that anyone could be running some packet capture software and my account could easily be compromised. Just as a precaution, after I got home, I went ahead and changed my password.
- DickBreath, on 10/12/2007, -1/+1
Why not use POPS or IMAPS? I configure both of these services whenever I set up a SuSE server. In fact, I generally don't bother to open up the firewall ports (nor set up the xinetd entries) for plain ol' insecure POP/IMAP. I only want the "S" versions POPS/IMAPS. That way, all outside access to e-mail is at least over SSL/TLS, even if it was not done over the VPN.
I do remote access to systems, but I use SSH remote tunneling.
Even if you don't want to carry around a laptop, you can carry a small device like a Nokia 770 (runs Linux and lots of software) or Palm TX, or Palm LifeDrive, etc. All of these are between $300-$400. Cheaper/smaller than a laptop. You can still access your own e-mail, securely, even over someone else's WiFi, using a very portable device.