Internet Cafes-How Safe Are They
December 5, 2006 10:30 AM   Subscribe

The way that I typically do this is to use SSH to create a secure proxy to my Linux shell server. If you don't have a Unix shell available to you elsewhere, this won't work. If you do, you'll need OpenSSH (installed by default on most Linux and Mac systems, you'll need to download it for Windows).

Use the -D [port] argument to ssh when you connect to your remote shell. From the man page:

"Specifies a local "dynamic" application-level port forwarding. This works by allocating a socket to listen to port on the local side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh will act as a SOCKS server. Only root can forward privileged ports. Dynamic port forwardings can also be specified in the configuration file."

So what I do is ssh -D 5050 myserver.org. Log in normally. Then tell my browser, IM clients, whatever else I need to use securely, to use a SOCKS proxy running on localhost, port 5050. Each of their preferences tools has a setting for this. Voila - simple security for everything! Just don't forget to undo that preferences change later, or your clients won't work : )
posted by autojack at 10:39 AM on December 5, 2006 [2 favorites has favorites]

Your connection might be reasonably secure - if you use SSL for your connection - but end-to-end won't be. How do you know what is inside the box at the cafe? What if it simply logs every key you push?
posted by jet_silver at 10:43 AM on December 5, 2006

You need to bypass keyloggers to avoid having your passwords captured. The simple way is to type a lot of gibberish into an irrelvant field before and after you type your password and user name, so that the person reviewing the logs can't find them. (Seach box, address bar without hitting enter, etc)

Such as for user USER with password WORD a keylogger would normally see you type like this...

www.banksite.com[enter]USERWORD[enter]

If you just typed the address, mouse to login and type username, mouse to pword and type your password.

On the other hand, you can mouse around and type in irelevant places and make it very much hard to find your login and password.

Such that...

www.banksite.com[enter]lsghldssoybobv;lkfsd;sdkUSERlkdj;fddsfdsl98912WORDoiuerlkewiosdf

Since the VAST majority of keyloggers don't keep track of where you're typing, and rely on examining order of entry to discover your details, changing up the order of entry and adding extra data can avoid most keyloggers. This assues you have a good password, ie, one that looks random. Obviously if your password is a word or phrase it'll still be found after some examination. If this is the case, change it.

There are also peices of software such as Roboform (commercial software, I have a copy, but don't have any other relationship with them) which type for you and therefore avoid keyloggers by not using the keyboard.

Roboform has a thumb drive and U3 drive version, and is a very great way to keep dozens of passwords secure and ecnrypted, although its really overkill unless you have more pwords than you can remember.
posted by tiamat at 10:45 AM on December 5, 2006

There was a big thread on this last year.
posted by smackfu at 11:02 AM on December 5, 2006

tiamat - that's pretty brilliant. Thanks.
posted by kdern at 11:03 AM on December 5, 2006

Some things to consider:

Are you worried about something sniffing the network between you and the bank?

Are you worried about software on the computer recording your secrets as you type them?

Are you worried about someone or something electrically capturing keystrokes from the keyboard en route to the computer?

Are you worried about someone waiting until you log-in with your secret and then stealing control of the computer over the network (physically or through software)?

Are you worried about someone or something watching over your shoulder as you type your secret?

There aren't many ways to defeat all of those worries, unless you bring your own trusted computer. You could bring your own trusted OS on a bootable hard drive, carefully inspect the computer and how it behaves, use encrypted data channels on the 'net, and use a one-time-password -- combing all of that will get you close to being safe.
posted by cmiller at 11:29 AM on December 5, 2006

I definitely think autojack has the right idea using an ssh tunnel but I would use a bootable os cd like knoppix and not what ever is installed on on the system. This should defeat any software keyloggers as for hardware keyloggers a simple method to defeat them is using an on screen keyboard.

Defeating Hardware Keyloggers

Instructions for setting up an SSH tunnel
posted by tke248 at 11:34 AM on December 5, 2006

If keyloggers don't log items items that are cut and pasted, maybe you could put your usernames and passwords in a text file on a USB thumb drive and then just cut and paste as needed?
posted by gfrobe at 11:50 AM on December 5, 2006

If you're already using Portable Firefox, consider switching to Torpark, which combines Firefox & The Onion Router into one happy package.
posted by scalefree at 11:59 AM on December 5, 2006

You might also be able to avoid hardware keyloggers by changing the keyboard layout to something like Dvorak and typing your passwords in that way.
posted by odinsdream at 11:59 AM on December 5, 2006

Far as SSH tunnels go I got advice from a fellow MeFite a while ago; Bitvise Tunnelier is an amazingly simple (and free) program for setting these up on Windows. As long as you have a Linux box somewhere that will accept SSH connections Tunnelier will do the rest of the things necessary to set up a SOCKS proxy for you, so all that is left is for you to set Firefox to connect through local port 1080 via manual proxy settings. Works for Thunderbird too. As an added bonus many airports, etc. will let you connect for free but won't serve any web pages unless you pay - but SSH tunneling through a nonstandard port can quite often allow you full access for free.
posted by caution live frogs at 12:01 PM on December 5, 2006 [1 favorite has favorites]

Recent FPP on this.
posted by weapons-grade pandemonium at 2:31 PM on December 5, 2006

Can you not call your bank's automated line from mexico?
posted by Mr. Gunn at 11:51 PM on December 5, 2006

You might want to check this little gadget out:

http://marketplace.hgtv.com/View_Listing.asp?RegionId=110&SubCategoryId=1&Level=3&Keyword=&Page=&Lid=2153-N6113019
posted by pikaboy202 at 9:32 PM on December 6, 2006

« Older Is it possible to over-breastf...   |   DreamALittleDreamFilter: So...... Newer »

This thread is closed to new comments.