- security at public internet points
- Posted by Manlio on September 20th, 2007
When I use a public internet access point, is it possible to scan (or do
any other check on) the PC in order to verify whether the session is going
to be monitored in the background?
Thanks
Manlio
- Posted by Todd H. on September 20th, 2007
Manlio <noemail@news.org> writes:
Hi Manlio,
I am not exactly sure what you're asking, but I can guess that your
native tongue is not english.
When using a public internet access point, it is wise to use a virtual
private network (VPN) connection to somewhere you trust. There are service
providers that will sell you VPN accounts for this purpose
(http://www.hotspotvpn.com/ came up on top of a quick google search),
but if you have a server on the internet anywhere, you can do this
yourself with openvpn software (free). Virtual private servers
(VPS) are handy for this sort of thing, but you will need to be linux
or freebsd savvy to configure and run one by yourself.
The issue is that free unencrypted public internet allows everyone
that can hear your radio to see all of your internet traffic,
including all domain name lookups (e.g. what sites you are surfing
to), all your email unless you use SSL connections to your server,
etc. Worse still, you might be connecting to a rogue access point
that will impersonate the servers you are trying to reach and
potentially spoof password entry pages, and cheerfully gather whatever
usernames and passwords you might type into them.
Unfortunately there isn't often a good way to strongly verify that you
are connecting to the real free public internet access point versus a
rogue access point.
Best Regards,
--
Todd H.
http://www.toddh.net/
- Posted by Manlio on September 20th, 2007
Followup to msg on 20 Sep 2007 11:35:10 -0500, comphelp@toddh.net
(Todd H.) :
Hi,
thanks for your answer.
of course you're right .. I am Italian and maybe my question can be
misunderstood ..
I don't really think there is a solution to my problem, and
I think your suggestion works only when you use your personal PC or
portable.
My specific problem arises as, sailing around with my boat, it happens I
need to use a public Internet Point (cyber café ..), and its
hardware, which I may find ashore, to check emails and bank expenses. As I
am sure any of my keystrokes can be monitored in the background, I cannot
use any password-protected operation .. and there comes out my
question !!
Thanks for your attention
Manlio
- Posted by nemo_outis on September 20th, 2007
Manlio <noemail@news.org> wrote in news:2625f3dt13m4ju0fvcusvgu3q26qu7pv8o@4ax.com:
No, you don't scan them.
The key is to connect *through* a public internet access point, not *to*
one.
Use VPN, Tor, etc. to *tunnel through* the access point to a trusted server
elsewhere (e.g., a third-party server or even just one's home machine that
has been set up appropriately for this purpose.)
Regards,
- Posted by nemo_outis on September 20th, 2007
Manlio <noemail@news.org> wrote in news:qta5f3l334ag6rsoi8a3iu208jl7p47nke@4ax.com:
If you use their hardware all bets are off - you are vulnerable. It is far
better to use your own computer (perhaps a notebook) and only use their
network for accessing the internet.
In short, you should use *your* computer, not theirs, and everything that
leaves or enters it over the network should be encrypted. Use their
network, not their computers.
Regards,
- Posted by VanguardLH on September 20th, 2007
"Manlio" wrote ...
Everything you pass between your host and through theirs can be
monitored with a packet sniffer, same as when you use your own ISP.
You could try using encrypted connections to the target host (but it
is possible to use an intervening proxy that looks like the target to
your host, accepts the SSL connect, sniffs the traffic, and then does
an SSL connect with the real target host). However, when you sit in
that Internet cafe and drink your latte which was paid with a credit
card then why would they need to sniff your web traffic?
- Posted by Fenny Fox on September 22nd, 2007
That depends: Are you talking about public, unsecured wireless Internet
(at a hot-spot, where you have your own laptop/PDA with you); or are you
talking about wired, public hardware you don't control (like in some
cybercafes, in libraries, or at public kiosks)?
If you're talking wireless Internet, then the advice about using VPNs
posted by others here, would apply (don't forget a software firewall for
your machine, though).
If you mean a public kiosk or public *hardware* - assume that the entire
planet is reading everything you type. Don't type anything that you
wouldn't want published in the Associated Press, because AFAIK, there's
NO way to ensure the system hasn't been compromised - either by hardware
or software.
Fenny Fox
http://fenrisfox.livejournal.com
- Posted by Fenny Fox on September 22nd, 2007
Replies inline:
VanguardLH wrote:
AFAIK, this is only possible if you install their certificate in your
machine, as an authority; this is, for example, how some corporate
proxies can "transparently proxy" SSL traffic.
Don't install any weird certificates, and - AFAIK - this attack is useless.
Private/sensitive != financial/ID-theft-valued.
I'm sure many people have lifestyles online, which they don't want the
whole world to know about (and no, I don't just mean porn-surfers).
Fenny Fox
http://fenrisfox.livejournal.com
- Posted by Fenny Fox on September 22nd, 2007
Clarification:
"...this is, for example, how some corporate proxies can "transparently
proxy" SSL traffic."
"Transparently proxy" = spy on. =D
Fenny Fox
http://fenrisfox.livejournal.com
- Posted by Beachcomber on September 23rd, 2007
Can someone recommend a good VPN client for a Windows PC?
I am assuming that I would have to install companion server software
on my machine and have some sort of semi-public access, at least to
the point of the encrypted server. Is that right?
- Posted by nemo_outis on September 23rd, 2007
invalid@notreal.none (Beachcomber) wrote in
news:46f6b1a3.3669453@news.verizon.net:
OpenVPN: server & client
The best! And you can't beat the price: free!
http://openvpn.net/
Yep. OpenVPN is pretty straightforward but if you have a NAT router etc.
to futz with, figure on taking a Saturday afternoon to get everything set
up right (configure a TAP driver, make a certificate, setup the server &
client conf files, etc.).
Regards,
PS And not just for Windows - also Linux, *BSDs, Mac, etc.
- Posted by nemo_outis on September 23rd, 2007
"nemo_outis" <abc@xyz.com> wrote in
news:Xns99B4AE85B179Eabcxyzcom@204.153.245.131:
Afterthoughts:
1. Mastering OpenVPN is time well spent. It's damned versatile (even for
100% legit uses such as a road warrior connecting back home encrypted
through a hotel network access point).
2. It's easiest to set up OpenVPN with two computers at home (the main
one for the server, the other as a test client). It can take several
days if you try to futz about with client software at work and then have
to wait until you go home to make a tweak to the server and then back
again to tweak the work machine, and then...
3. You may have to futz about slightly with the client and server once
you try it from work even if it works perfectly at home. For instance,
you may need to communicate on the non-standard (for OpenVPN) port of
443, depending on how fascist the company firewall is.
4. OpenVPN only gives you an encrypted tunnel; how to use the tunnel is
a separate question. For instance, you can set up a http proxy at home
and tunnel to it (and an ftp one, and...). CCproxy (or analogx) is a
good choice if you go this route. Or you can use one of the VNCs (for
Windows, I like ultravnc) and just run a "virtual session" from work as
if you were seated at your own home computer. Or...
In short, think of openVPN as "joining" your home network (even if it is
just one computer) with your work network - this is actually what it
does. Now decide how you would use your work computer to "talk" to your
home computer which is now "network accessible" (over an encrypted
channel and only to you).
Regards,
PS You can get fancy and examine the "routing table" on your work
computer once it is set up to make sure there is no leakage for shit like
DNS, etc. but I'll leave this to another day.
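As an added example (not from nemo_outis's post or the OpenVPN project), a POSIX shell script that does the routing-table leak check the PS above mentions, against constructed `ip route` and /etc/resolv.conf text. With OpenVPN's `redirect-gateway def1` the client gets 0.0.0.0/1 and 128.0.0.0/1 via the tunnel (overriding the default route without deleting it) plus a host route to the VPN server via the café gateway. A resolver that is on-link on the café network, typically the one its DHCP handed out, is still reached outside the tunnel even though the default route is inside it, which is exactly the DNS leak. Device names, the 10.8.0.0/24 VPN subnet and all addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: "look at the routing table for DNS
# leakage" done against Linux `ip route` output and resolv.conf text.
# The samples below are constructed; device names, the VPN subnet and
# the addresses are assumptions.
set -eu

TUN=tun0   # tunnel device OpenVPN created (assumed)

# Constructed sample: laptop on cafe wifi after "redirect-gateway def1":
# two /1 routes via the tunnel beat the default route, and a host route
# keeps the VPN server (203.0.113.10) reachable via the cafe gateway.
ROUTES_VPN='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0'

# Constructed sample: tunnel up, but no redirect-gateway (split tunnel).
ROUTES_SPLIT='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0'

RESOLV_VPN='nameserver 10.8.0.1'       # resolver on the VPN side
RESOLV_CAFE='nameserver 192.168.1.1'   # the cafe router, handed out by DHCP

# Print the device that carries a packet to $2, by longest-prefix match
# over the route lines in $1 (IPv4 only).
route_device() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        function ip2n(s,  a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
        BEGIN { best = -1; bestdev = ""; ipn = ip2n(ip) }
        {
            if ($1 == "default") { net = "0.0.0.0"; len = 0 }
            else { n = split($1, p, "/"); net = p[1]; len = (n == 2) ? p[2] + 0 : 32 }
            dev = ""
            for (i = 1; i < NF; i++) if ($i == "dev") dev = $(i + 1)
            # network parts agree at this prefix length -> candidate route
            m = 2 ^ (32 - len)
            if (int(ipn / m) == int(ip2n(net) / m) && len > best) { best = len; bestdev = dev }
        }
        END { print bestdev }'
}

# Succeed only if both def1 halves in routes $1 go via device $2.
default_via_tunnel() {
    for half in 0.0.0.0/1 128.0.0.0/1; do
        dev=$(printf '%s\n' "$1" | awk -v pfx="$half" \
            '$1 == pfx { for (i = 1; i < NF; i++) if ($i == "dev") print $(i + 1) }')
        if [ "$dev" != "$2" ]; then
            echo "route leak: $half is not via $2 (no redirect-gateway?)"
            return 1
        fi
    done
    return 0
}

# Succeed only if every nameserver in resolv.conf text $2 is reached via
# device $3 according to routes $1; otherwise name the leaking resolver.
dns_via_tunnel() {
    for ns in $(printf '%s\n' "$2" | awk '$1 == "nameserver" { print $2 }'); do
        dev=$(route_device "$1" "$ns")
        if [ "$dev" != "$3" ]; then
            echo "DNS leak: queries to $ns leave via ${dev:-no route}, not $3"
            return 1
        fi
    done
    return 0
}

leak_check() {   # $1 routes, $2 resolv.conf text, $3 tunnel device
    default_via_tunnel "$1" "$3" && dns_via_tunnel "$1" "$2" "$3"
}

# Demo on the constructed samples. On a real box:
#   leak_check "$(ip route)" "$(cat /etc/resolv.conf)" tun0
leak_check "$ROUTES_VPN" "$RESOLV_VPN" "$TUN" && echo "ok: default route and DNS both inside the tunnel"
leak_check "$ROUTES_VPN" "$RESOLV_CAFE" "$TUN" || true    # cafe resolver is on-link: leaks
leak_check "$ROUTES_SPLIT" "$RESOLV_VPN" "$TUN" || true   # no def1 routes: everything leaks
```

The fix for the DNS case is on the server side: push a resolver that lives inside the tunnel (OpenVPN's `push "dhcp-option DNS ..."`, which Windows clients apply natively and Linux clients need a resolv.conf hook for) and re-run the check. The script reads Linux `ip route` output only; `route print` on Windows has a different layout.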
- Posted by Manlio on September 25th, 2007
Followup to msg on 23 Sep 2007 23:38:14 GMT, "nemo_outis"
<abc@xyz.com> :
(Original msg on bottom)
Thanks to everyone for the answers, particularly to "nemo_outis" for
the conclusive issues.
Nevertheless I have just found a confirmation of my presumed "no
solution" to the problem .. using others' hardware .. as I am
obliged to do for practical reasons.
Anyhow, VPN use is worth getting experience with ... !
Thanks again
Manlio
- Posted by nemo_outis on September 25th, 2007
Jim Watt <jimwatt@aol.no_way> wrote in
news:lb9if3tk9gepkli517a64ktvhnv0dgtac7@4ax.com:
While that might be a good solution for some situations, it has the
following disadvantages wrt the OP's problem:
1. He can hardly install it at work.
2. Such a modem costs considerably more than OpenVPN (which is free).
3. Even for legit uses, it will frequently not work for the "road
warrior" scenario (e.g., someone wishes to connect securely to the
company network - or his home computer - from a hotel room *through* a
hotel network).
OpenVPN is arguably much better than most other VPNs implemented in
software (ipsec, pptp, etc.) and except in industrial load situations
(many users, etc.) will even give most vpn hardware implementations a
pretty good run for the money.
Regards,
- Posted by nemo_outis on September 28th, 2007
Jim Watt <jimwatt@aol.no_way> wrote in
news:5o8of3l7vv7amjbc3l2g51d7ukppf1dnfc@4ax.com:
Both
Yep, should work. I haven't used a Windows VPN client since the old
insecure PPTP days so I don't know how tricky setup is, compatibility
issues, etc. They've certainly had enough time to work them out so
presumably Ipsec is not too hard to set up and is robust, etc.
Not all that quickly. A home computer acting as server with monitors,
etc. asleep/disconnected should burn only 100W (or so). With electricity
at $0.10/kWh (or so) it would take over a year of incremental uptime to
burn the $100 (or so) that a VPN router might add.
And it is frequently the case that when you connect remotely you want to
download/upload files from your home network. In that case the home
computer would need to have been left running anyway.
Good point.
Regards,