Posts Tagged ‘google’

Another reason to distrust open WiFi

Foreword

I connected to a wireless open network in a very busy part of Tallinn just moments ago. Something unexpected happened that made me once again thank Tux I’m slightly paranoid.


As you undoubtedly should know, wireless networks – especially open and weak (WEP encrypted) ones – are dangerous. Dangerous in the sense that everything you send over the network is as visible as if you were giving a lecture. Think it over.

No-one (except maybe Google) cares that you search for restaurant reviews. But what about sensitive information like sent passwords or any other kind of data I have access to, such as…

  • Login information (Facebook, mail, blog, travel, ANY kind of site)
  • IM message sessions
  • Vulnerable services running on the machine (file server)

I was taught the basic skills of intercepting digital data that's traveling between networks in the first semester of my freshman year. In fact, any kiddie could pull it off. Because of that knowledge, I tend to avoid logging in to anything unencrypted during my stay outside the pseudo-safety of my home network.

Some More Background

As you might (not!) know, Facebook only just recently added a very important security feature (of course, you have to opt in for it – funny, usually one has to opt out of new ‘features’). Enabling secure(r) browsing means that the communication channel between your computer and the Facebook server is unreadable to the dude sitting behind the next table.

I’m sure you have connected to a free WiFi hotspot and seen the default welcome page that seems impassable unless you click on the “Yes, I take full responsibility for my actions while in your network” button. That's all warm and fuzzy, but it's also possible to configure the welcome page so that it redirects you to a website of the owner’s choosing after you click on the button. That’s usually the company's website.

So what the hell happened?

With that background comes the main point of the post. The network I connected to had decided that the redirect page (after I click “Agree, let me use your WiFi”) should be their Facebook page. Okay, all well and good.

Except…

Remember that the connection to Facebook is not encrypted by default? And since I was already logged in from earlier, the data would have moved openly across several network hops, for everyone with motive to see, capture and/or modify.

Even if I weren’t already logged in, extensions like LastPass log you in automatically. As if the initial request weren’t enough, there are loads of hidden background queries to and from the Facebook server – the chat window, friends online, notifications… all moving over unsecured HTTP, wirelessly.
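As an added example (not part of the original post), here is a small Python check of the exposure described above: given a captive portal's redirect response and the cookies a browser already holds, it lists which cookies would leave the machine unencrypted. The portal response, host names, path and cookie names are all constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: a portal's answer after the visitor clicks "Agree".
PORTAL_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://www.facebook.com/example-coffee-shop\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Constructed sample: (setting host, Set-Cookie value) pairs from an earlier login.
STORED_COOKIES = [
    ("www.facebook.com", "session=abc123; Domain=.facebook.com; Path=/"),
    ("www.facebook.com", "prefs=en; Domain=.facebook.com; Path=/; Secure"),
    ("mail.example.org", "id=42; Path=/"),
]

def redirect_target(raw_response):
    """Return the Location of a 3xx response, or None."""
    lines = raw_response.split("\r\n\r\n", 1)[0].split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or not status[1].startswith("3"):
        return None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return value.strip()
    return None

def cookie_applies(host, origin_host, domain_attr):
    """Domain cookies cover subdomains; host-only cookies need an exact match."""
    if not domain_attr:
        return host == origin_host.lower()
    domain = domain_attr.lstrip(".").lower()
    return host == domain or host.endswith("." + domain)

def cookies_sent_in_cleartext(raw_response, stored):
    """Names of stored cookies a browser would attach to a plain-HTTP redirect."""
    target = redirect_target(raw_response)
    url = urlsplit(target or "")
    if url.scheme != "http" or not url.hostname:
        return []  # no redirect, or an HTTPS one: cookies stay encrypted
    exposed = []
    for origin_host, header in stored:
        jar = SimpleCookie(header)
        for name, morsel in jar.items():
            if morsel["secure"]:
                continue  # Secure cookies are never sent over HTTP
            if cookie_applies(url.hostname, origin_host, morsel["domain"]):
                exposed.append(name)  # Path matching omitted: samples use "/"
    return exposed
```

Only the cookie without the `Secure` attribute is reported; the same redirect pointed at an `https://` URL reports nothing.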

Not scared? You should be. Identity theft could sound like an obscure idea, but think of what you’d do if you had a day to live and no responsibility for your actions. You’d probably rob a bank or something.

Wrap

Wouldn't it be a beautiful world of rainbows and butterflies if everyone knew at least a little about the threats in (open) networks? If you must check in with your digital social life, opt in/enable the goddamn encryption. It’s a one-shot deal, doesn’t cost you anything and is a hell of a lot better than explaining to Tim that you are not “It’s complicated” with his wife.

Also, a note to the unnamed coffee shop – please don’t pull stunts like that – throw the visitor to the wolves… or at least give a five second warning or something!

 

P.S. I’d like to know more about what Facebook actually does when the user is idle – what type of queries move between the server and the client. Please leave a comment below if you know something about it.

Developers Toolbox

Today I was asked what tools I use in my everyday work. The funny thing is… I don't have any must-have tools, most of them are easily replaceable.

So, I'm a web developer / programmer who mostly focuses on the back-end, you know, making sure the comments get saved in the database and the user can log in…that sort of stuff that most visitors take for granted.

I'm a big time supporter of Linux so my work is done using my favourite distro, Linux Mint at the moment. Occasionally, running Windows in a virtual machine is required to do some testing.

The main body of my work is done alternating between my trusty (programmer's) text editor (Kate, Komodo Edit, Notepad++, gEdit, Geany + a dozen more) and a web browser, but lately I've settled on using PhpStorm, which is an awesome IDE designed for, you guessed it, PHP.

The browser… is Chrome with addons like a colorpicker, a ruler and debugger – Chrome's built in Inspect tool is quite good. Say what you want about Firebug, I'm happy with Chrome. Of course I occasionally use other browsers too.

I've yet to mention the most powerful tool in any developer's toolbox. Can you guess? Where do you go when you want some help or information? You Google it. Stackoverflow and Google are a developer's best friends.

The Terminal (Konsole for KDE) also plays a major part in my work from moving files to creating a new release using SSH. I must say, /bin/bash is the greatest tool any developer could wish for…except the ones mentioned above. :)

Linux, IDE, Browser and Terminal – that's about all I need. There are others of course like Apache running in the background and PhpMyAdmin on the server… but mostly, all I need are those four.

So that's developing for you.

Which tools are you using? What's your favorite editor/IDE and why?

eki-otsing

The web version of the program is at eki-otsing.appspot.com

My newest project. It is a tool running on Python and Google App Engine that can be used to find Estonian words when not all of the letters in the word are known. It is intended primarily for the hangman game (“Guess, guess: P_D_L”) and for solving crosswords. The code has problems with letters that carry diacritics.

Program source code (please credit the author when using it).
