The Idiot-Proof Way To Securely Use Public Wi-Fi
We talk a lot on this blog about personal data and privacy, but not so much about how to secure that data on your own computer. That's because a.) we're not Lifehacker and b.) the solutions frequently bloat into crazy, jargon-filled recipes that scare away the non-IT crowd. Not this time! For all you novices, here is a single idea you should consider that will help keep your personal data personal, and make your identity that much harder to steal.
Install a VPN program and run it every time you go online using a public Wi-Fi hotspot.
Using a public Wi-Fi spot without a VPN is like shouting everything across the room in plain English—anyone who wants to listen in, can. Using a VPN is more like shouting in a made-up language that only you and your twin sibling understand. A VPN will encrypt anything you send from your laptop to the Wi-Fi router, so that nobody else in the coffee shop, student center, or hotel can see what you're doing.
If you work for a large company, odds are your IT department has already got you using a VPN when you're traveling or working away from the office. If you're everyone else—a freelancer, a student, a small business owner with one or two computers and no real "back-end" system—then many of those VPN solutions are out of your reach. Either they're too complicated to set up without computer skillz or they're too expensive.
Luckily, there are cheap VPN programs you can install on your laptop that are more or less self-contained: you install the app, then launch it when you log on to a Wi-Fi network, and everything you do online from that point forward will be encrypted. There's also a hardware-based solution—a USB drive that you can plug into any computer for a quick VPN environment.
A couple of things to note:
- When the website you're on uses https, the data between your browser and that site is already encrypted. For some Google-based services (like Gmail and Google Docs), you'll be using https automatically, or you can add the "s" to the address yourself to force the encryption. But not every site offers this extra security.
- These VPN programs are not the end-all in security solutions. If you're really serious about security, don't get your advice from this blog. Find a skilled computer security technician to help you set up an awesome home-based VPN solution (where you route all your laptop traffic through a home network remotely), or teach yourself how to do it with freeware and your router.
So with those caveats, here are some options you can consider. The first two programs listed below install the same as any other app, but I haven't tested the other three. If you've tried any of these and can share an opinion, please join in the comments below.
AnchorFree's Hotspot Shield
Free, but ad-supported. While browsing, you'll see ads appear occasionally at the top of the browser window. It's great if you infrequently need it, but annoying if you find yourself in a Starbucks once a week.
Witopia's PersonalVPN
$40 per year
HotSpotVPN
$9 per month (listed as a temporary price reduction as of October 2008)
iPig
Free with a 10MB cap / $30 for 30GB of data transfer
PublicVPN
$70 per year, or $7 per month
About that hardware solution: IronKey is a USB flash drive that offers a few extra features you can't get with the software above. It encrypts any files you store on it, and it comes with its own VPN software that runs automatically when you plug it into a Windows PC. It comes with the Firefox browser included, so you can surf the web through the IronKey no matter what PC you're using. It costs $80 for a 1 GB drive with a 1-year VPN subscription.
And finally, Consumerist reader Ein2015, who provided an invaluable service by vetting this article before I posted it, pointed out that there's an awesome open source VPN solution called OpenVPN. It's cross-platform and free, so if you're feeling techy and want to set up your own virtual private network using your home computers, you might check it out.
(Many, many thanks to Ein2015!)
(Photo: Getty Images and stevecadman)
Comments:
What an awesome idea!
Sadly, I turn off my router when I'm not home, so this isn't a viable solution. I can't shell out the funds for an Ironkey either. My solution is to not keep any personal information on my laptop, and to not sign-on to vital services (financial websites, email to a lesser extent) while surfing in the public view. As for files? One of my goals is to start experimenting with TrueCrypt.
@steegness: You just sent a lot of people to Wikipedia on that comment. It does amaze me how clueless people are when using public wifi, leaving shared folders open to anyone.
@mariospants: That was my exact thought, though I don't live in an urban area/hang out in coffee shops. When I use my personal laptop in airports or any other free wi-fi area I don't access anything I wouldn't want tracked, and I don't keep personal account info saved on a comp I carry around with me.
@mercnet: The same people would've gone there for "VPN" without the explanation of the article; it doesn't mean that it's necessarily a difficult concept to grasp, convey, or implement (though it very well may be... hence my wondering about the level of SSH versus the level of the article).
There really is no safe way to do this. Your system makes all sorts of asynchronous requests using unsafe protocols that can be spoofed.
For example, 100% of Apple Macs with dashboard widgets make periodic or on-demand connections over http-on-plain-tcp (not https, not ssh tunnelable, ...) requests to joe random server.
The dashboard widgets are really safari, javascript and all, so a local host that chooses to spoof the response faster than the actual server is subject to a javascript payload attack (through no user action). Yahoo widgets for Windows and google desktop widgets have similar issues.
The ___only___ easy to manage, safe way to access a public hotspot of any kind is to use a VPN client and immediately connect to the VPN. The downside is that almost no vpn client, including Cisco's, does the right thing and installs a 100% drop policy for non-VPNed packets prior to establishing the tunnel. Part of this is that there is no good way to do it; most hotspots require some sort of host spoofing http-to-https redirect to get you to the hotspot authentication page. While this is happening, if you get unlucky, you are fucked.
Pretty much all network communication at this point should use SSL with certificate validation (and proper enforcement for any autonomous agent, including things like the dashboard widgets, email, ...). No one should ever use pop-on-plain-tcp again, no plain http, etc. Ever.
But this isn't practical, so "hurry up and get on the vpn" is about as close as you can get. Running vpnless or attempting to craft your own via ssh is hopelessly naive.
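The "100% drop policy for non-VPNed packets" that the comment above says almost no client ships, written out as an added example (not from the post or any commenter). It assumes Linux with nftables, a Wi-Fi interface wlan0, a tunnel interface tun0 and a placeholder VPN endpoint 203.0.113.10 on 1194/udp, and it includes the brief window a hotspot's login page needs before the tunnel can come up.

```shell
#!/bin/sh
# Added example, not from the post or any commenter: a Linux nftables "kill
# switch" that drops every packet except DHCP on the Wi-Fi interface, the VPN
# handshake to one server/port, and whatever goes through the tunnel itself.
# Assumptions (placeholders): nftables is installed, Wi-Fi is wlan0, the VPN
# creates tun0, and the VPN server is 203.0.113.10 on 1194/udp.
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"
WIFI_IF="${WIFI_IF:-wlan0}"
TUN_IF="${TUN_IF:-tun0}"

killswitch_ruleset() {
  # $1 VPN server IP, $2 port, $3 udp|tcp, $4 Wi-Fi interface, $5 tunnel interface
  # The first two lines recreate the table so re-applying is idempotent.
  cat <<EOF
table inet killswitch
delete table inet killswitch
table inet killswitch {
  chain input {
    type filter hook input priority 0; policy drop;
    iifname "lo" accept
    ct state established,related accept
    iifname "$4" udp sport 67 udp dport 68 accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oifname "lo" accept
    oifname "$5" accept
    oifname "$4" udp sport 68 udp dport 67 accept
    oifname "$4" ip daddr $1 $3 dport $2 accept
    counter drop
  }
}
EOF
}

killswitch_apply() {
  killswitch_ruleset "$VPN_SERVER" "$VPN_PORT" "$VPN_PROTO" "$WIFI_IF" "$TUN_IF" | nft -f -
}

portal_window() {
  # Hotspot login pages need plain DNS/HTTP before the VPN can come up. Open
  # exactly that for a short window (default 90 s), then restore the strict rules.
  secs="${1:-90}"
  nft insert rule inet killswitch output oifname "$WIFI_IF" udp dport 53 accept
  nft insert rule inet killswitch output oifname "$WIFI_IF" tcp dport '{ 80, 443 }' accept
  echo "Portal window open for ${secs}s: log in to the hotspot, then start the VPN." >&2
  sleep "$secs"
  killswitch_apply
}
case "${1:-print}" in
  print)  killswitch_ruleset "$VPN_SERVER" "$VPN_PORT" "$VPN_PROTO" "$WIFI_IF" "$TUN_IF" ;;
  apply)  killswitch_apply ;;
  portal) portal_window "${2:-90}" ;;
esac
```

Run it as root with `apply` before joining the hotspot, `portal` if a login page has to load, and check `nft list table inet killswitch` to see the drop counter climb while the tunnel is down.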
@mariospants: That may be true for many, but your computer does a lot of stuff on your behalf that you might not realize is passing your personal information unprotected. What about your IM client? They're not necessarily encrypted. An email client could be sending your username and password in the clear. Simply visiting the homepage of a site with stored credentials is enough for someone to steal your unique cookies and reproduce your session data to access that site.
"Professional" versions of Windows (Win XP Pro, etc) have VPN support built in as well: in XP it's configured as an "Incoming" network connection. You will need to configure your firewall or router to forward the appropriate ports, but that's a good solution for single users. Then your traffic goes through your home computer connection.
VPNs account for nothing if you have no idea who you are connected to. If you have your laptop automatically connect to networks it has connected to before, you can be herded like cattle.
If you don't look at your SSL certificate closely you can have your username and password stolen easily.
Just because it says SSL or [] does not mean it is secure in any way.
Remember that just because a network is open doesn't mean that it's fair game. Who knows who is on the other end, it could be me.
@steegness: I think the rule-of-thumb should be: if the solution can be downloaded and installed like any other program, with few if any special skills needed—"install it, launch it, and it just runs"—then it's a viable option.
This post is geared toward people who don't know what VPN or SSH means, who don't want to know, and who won't or can't bother with anything more complicated than the sort of installation they're already used to.
The great podcast Security Now! discussed this topic way back in episode #19. The basic technology of how VPNs work was explained in episodes 14, 15, and 17. Get them all here:
http://www.grc.com/securitynow.htm
I personally use Hamachi to secure my VNC and RDP traffic and a VPN account with SwissVPN for when I'm in hostile territory.
@mariospants: It is true, in the same way that you cannot be injured in any way (outside the potential vulnerability related to specific tissues and organs).
A machine with no applications has no attack surface... it's also about as useful as a glowing stone tablet except with limited battery life. The point of hooking it up to a network is to use an application to reach out across it. In fact, the software used to implement network connectivity is, in fact, a kind of application in and of itself.
Security is always a balance of usability and protection.
@mariospants: Being on a shared wireless network doesn't introduce or remove any vulnerabilities that didn't exist on "shared-segment" networks (like Ethernet back when hubs were common).
However, any intruder who's around can send packets to your computer, and if your OS (*ahem*Windows*ahem) or some program running on your computer handles them incorrectly, then there could be problems.
Generally, turn off any servers that you don't need for a particular reason; on Windows, the only server you'd need on most laptops is file sharing, and it's a good idea to turn it off when you're not using it. Also, Windows computers should use a software firewall to add one more level of protection against your OS's doing something stupid when an unexpected packet comes in.
@post_break: Well, I hope whoever I'm connecting to right now likes burritos because that's what they're getting.
I was at the airport and found a dummy system phishing for information. There were at least a dozen people connected to it. It was posed as a fake airport router. I connected and did some "investigating" and the person shut down the connection. Not sure who it was or what information they got from users but this was at a major airport in the terminal.
No connection is secure unless it offers a certificate authenticating who you are actually connecting to. Sad part is, anyone can spoof that and you are never actually secure. The only way to be safe is to check with the people who work there and find out which connection is legit. The danger on a public network is minimal, it's a little harder to get your data. They like you to connect directly to them as though they are a router.
@mariospants: also, most of the web-traffic that you send can be captured by a 3rd party. so while running a firewall might prevent them from accessing the files on your laptop the data you send over the web (that's not https) will be vulnerable.
@courtarro: I disabled my IM client as soon as it installed itself without my permission and my advice still stands, right? I recommend NOT entering anything with a username and password and avoiding online shopping.
@putch: Well and great advice, but I'm already running a firewall, not accessing sites that require personal information and Windows + dlls and apps that require access to the Internet are either updated to latest or disabled (i.e. no IM). So, can anybody access my system via Wifi or not?
@blackmage439: All the software suggestions listed above don't require anything running back at home. They encrypt your data through a remote server elsewhere.
This is why I wrote they weren't really an end-all in privacy, because technically you're letting another party deal with encrypting your traffic. But it's better than nothing.
@steegness: SSH tunneling is fine, as long as you trust what's on the other end.
For example, I use SSH to connect to my linux box. All traffic between me and the linux box is encrypted. If you trust linux box's connection (for example: it could be at your house or at a secured hosting environment), and you have a *nix laptop, you should be able to use X-forwarding... so you can run Firefox on that linux box and see the results on your screen... totally encrypted between the two.
If you have windows, X-forwarding is a bit more difficult to do and may cost money... but anybody who is interested should send me a message and I'll see what information I can provide. :)
If I remember correctly, you should be able to remote desktop through SSH as well, regardless of operating systems. I can look for more information on this as well if necessary.
Hope this helps!
If you're at all network-savvy, it's pretty easy to set up m0n0wall (or any other software firewall package, like IPCop, PFsense, etc) on an old computer at home, set it up as a VPN endpoint, and use it at will. You can run it on that old computer you stuck in the closet years ago (you know, the one you really intended to donate to a school but never got around to it) just by throwing in another $10 network card.
This is my favorite solution to this particular problem, and I've been doing this for years at home. It's obviously more difficult to set up than a paid service, and it is theoretically possible your ISP might get annoyed about it depending on how aggressively they interpret their TOS (this is largely just for fair warning in my experience, but it is possible.)
@blackmage439: TrueCrypt is pretty decent at protecting your laptop's files... however, if you're traveling overseas and don't want US Customs taking a copy of everything on your laptop (including asking you for the key to unlock the TrueCrypt volume), you might want to invest in the IronKey. I have one and I can tell you that it is absolutely fantastic!
Don't forget that TrueCrypt will not encrypt your traffic, just your hard drive.
@segamanxero: It does, but you still need somewhere to connect to. I VPN into work all the time.
If you need help setting it up, reply here and I'll be happy to walk you through it. :)
@mariospants: You're probably safe against WiFi intrusion attacks... however, the biggest issue is that ALL of your wireless traffic is sniffable, in plaintext (unless encrypted via SSH, VPN, https, etc), without you knowing. Hence the article... :)
@narq: Even if somebody is sniffing or setting up fake connections, the first thing should be to test for internet access... (can you see Google? great!)... after that, before you do ANYTHING else, encrypt all your traffic (ex: through a VPN or SSH), then you're fine and all they sniff off you is encrypted. :)
@putch: I believe you can just use port forwarding on your router for that. A google search for "port forwarding [router model]" should provide you with all you need for that.
This should also be helpful for everybody... with pictures! :D [forums.bit-tech.net]
@mariospants: The average computer user doesn't think about using different passwords for different websites, much less asks themselves if logging into IM will safely send across a username/password or not.
The article is targeted to err on the side of caution.
@mavrc: That's probably more effort than most people want to go through. There are many guides online for setting up such a thing... on any operating system... in case anybody really wants to do that.
With that said, there are a LOT of good uses for old computers... VPN, storage, web server, media center, etc! :)
@Ein2015: I have actually done something similar, using SSH to get around a silly restrictive internet connection.
However, instead of forwarding the whole Firefox window over a remote X session, I set up a proxy on the remote computer, and used that.
If you trust the local computer, then it would be faster to only use a proxy and keep the browser running locally.
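The SSH route from Ein2015's comment and the local-browser-plus-remote-proxy variant in the comment above, as an added example that is not from either commenter. It assumes a placeholder host home.example with user me, that host's public key already saved in ~/.ssh/known_hosts_home (copied from the machine itself, not fetched over the hotspot), and curl installed for the check.

```shell
#!/bin/sh
# Added example, not from any commenter: an SSH SOCKS proxy to a machine you
# trust, plus the Firefox settings that send page data and name lookups through
# it. Assumptions (placeholders): user "me" on host "home.example", that host's
# public key already saved in ~/.ssh/known_hosts_home (copied from the machine
# itself, not fetched over the hotspot), and curl installed for the check.
SSH_HOST="${SSH_HOST:-me@home.example}"
SOCKS_PORT="${SOCKS_PORT:-1080}"
PINNED_HOSTS="${PINNED_HOSTS:-$HOME/.ssh/known_hosts_home}"

ssh_socks() {
  # $1 pinned known_hosts file, $2 local port, $3 user@host.
  # -D on 127.0.0.1 keeps other hotspot users off the proxy; StrictHostKeyChecking
  # with a dedicated known_hosts means a fake "home" on the hotspot fails loudly
  # instead of silently receiving your traffic. SSH overrides the binary (for tests).
  ${SSH:-ssh} -N -f -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=yes \
    -o UserKnownHostsFile="$1" -D "127.0.0.1:$2" "$3"
}

firefox_prefs() {
  # user.js lines for the Firefox profile: type 1 = manual proxy, SOCKS5, and
  # socks_remote_dns so the far end resolves names (no DNS leak to the hotspot).
  cat <<EOF
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", $1);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", true);
user_pref("network.proxy.no_proxies_on", "");
EOF
}

tunnel_check() {
  # --socks5-hostname hands the hostname to the proxy, so success here means
  # both the HTTP request and its DNS lookup went through the SSH session.
  curl -sS --max-time 10 --socks5-hostname "127.0.0.1:$1" -o /dev/null \
    https://example.com/ && echo "SOCKS tunnel is up on 127.0.0.1:$1"
}

case "${1:-}" in
  up)    ssh_socks "$PINNED_HOSTS" "$SOCKS_PORT" "$SSH_HOST" && tunnel_check "$SOCKS_PORT" ;;
  prefs) firefox_prefs "$SOCKS_PORT" ;;
esac
```

`./tunnel.sh up` opens the proxy and verifies it; `./tunnel.sh prefs >> ~/.mozilla/firefox/<profile>/user.js` (profile path is yours to fill in) makes Firefox use it on the next start.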
I use VPN every day to access my work server. Note that many free/public wifi connections do not allow VPN clients. I'm unable to connect at many public libraries, cafes, public outdoor wifi areas, etc. I have gone through the situation with our systems administrator, since I'm not a techie, and there's no way around most of them. I stick to the locations that do allow my VPN client.
@Real Cheese Flavor: Depends on the setup. From my experience, depending on the client-side software... ALL traffic is encrypted and sent through the work server (and then off towards the rest of the world or to the internal work servers)... or only work traffic is even sent to the work VPN and the rest of the traffic is sent through whatever connection you're on and never even makes it to the work network.
Hope that makes sense. :)
@Real Cheese Flavor: That's typically a configurable policy. My employer, for example, configures vpn to force ALL traffic through the tunnel, (for example, I can't print to my networked printer in my house while I'm on the VPN.) I would think that any company that didn't enforce that kind of full-tunneling config would probably also leave the VPN config open to a local admin on the notebook, so you could set it to tunnel-all.
@Ein2015: It's just that I hear so much about wireless security "issues" and aside from the sniffing aspect the vulnerabilities exist equally if you're on a wireless network or just surfing from home on a cable modem. In other words - if you keep it simple - nothing to freak out about.
@Ein2015: When I was running 10.3 or so (it's been a few years), I had trouble with OS X's built-in VPN connectivity when trying to connect to my university. I eventually talked to a tech who said their VPN concentrator "doesn't support" the mac client. What the heck does that mean? L2TP is L2TP, but I digress...
@narq: I spotted someone doing this in the Mexico City airport as well. He was connected to the free wireless for Prodigy customers there and was using another wifi card to offer free internet to anyone else. All of the traffic was passing through his laptop, and when he realized I was on to him he shut his laptop and left (and the connection disappeared).
@emilayohead: Is it a WEP code? Probably is... but when in doubt, err on the side of caution. WEP keys are easy for sniffers to crack and listen to your traffic... so protect yourself.
WPA and especially WPA2 offer better security... but hotels usually don't use that because it's easier to just have WEP.
Would SSH tunnelling be a viable option? Or is that too tech-y for this overview?