Bus Conversions dot Com Bulletin Board
Author Topic: "Computers on the Road" June BCM Article  (Read 5769 times)
Just Dallas
« Reply #30 on: June 09, 2010, 09:08:30 AM »

Removed
« Last Edit: July 14, 2010, 06:52:51 PM by Now Just Dallas » Logged

I'm just an old chunk of coal... but I'm gonna be a diamond someday.
Sean
« Reply #31 on: June 09, 2010, 09:22:39 AM »

Quote
I bow to the all knowing Sean.
Bill Gates has paid my bills for years, but I'm not as edikated as SW.


Dallas, to be clear I was not talking about you or anyone else in particular when I said there was a lot of misinformation.

Quote
... That's one reason I like dealing with Linux, which isn't as difficult as many may think.


As I wrote in the blog post I linked above, Linux is a much better choice than Windows for many reasons, including security.  Windows has more holes than Swiss cheese, and its complexity coupled with the fact that most users are not experts makes it ripe for attack.

However, realistically, Linux is just not an option for many if not most people.  And many of the most dangerous attacks are OS-independent, such as link misdirection (used by phishers), man-in-the-middle, and simple packet sniffing for private information sent in the clear.

-Sean
http://OurOdyssey.BlogSpot.com
Logged

Full-timing in a 1985 Neoplan Spaceliner since 2004.
Our blog: http://OurOdyssey.BlogSpot.com
HighTechRedneck
« Reply #32 on: June 09, 2010, 10:11:25 AM »

Packet sniffing is what I would be most concerned about on an unencrypted open wifi network (no password required).  I would never transmit any information that I wouldn't be comfortable posting on the open Internet for all to read on an open wifi connection without the browser window being SSL encrypted (HTTPS).  On the other hand, if the wifi is password protected and the "owner" of the hotspot is reasonably trustworthy then it is a bit better.  But still not good for confidential information without using encryption.

As was noted earlier in the thread, even email can be set to use encryption if your email provider supports it (often is).  But it isn't just the data that needs encrypting, the password needs to be protected by setting "Logon using Secure Password Authentication" (unfortunately that isn't as often supported).  Or you can simply use browser based webmail access to your email via a SSL secured (https) connection (most email providers offer it).

Another huge risk on a wifi network is if you don't have Windows "File & Print Sharing" turned off for wireless networks on your computer. In that case you may as well hand them your computer.  If you actually use sharing on your home wifi network, you can have it on at home and turn it off when away from home (just don't forget).

Here is a decent tutorial for turning off sharing on wireless networks in Windows XP:

http://www.internetsafetycenter.com/wireless-security-public-wi-fi-security



Logged
Dreamscape
« Reply #33 on: June 09, 2010, 10:51:45 AM »

We have been paying our bills online for many years, WiFi, air card, Starbucks, McDonalds, Airports you name it. Have not been compromised yet. All of the sites that we do pay online are safe, secure encrypted sites. Otherwise we wouldn't.

I understand the need for being safe, but we're pretty small apples compared to most.

I just don't worry about it anymore.

FWIW & IMHO

Paul
Logged

Becky and Paul Lawry, On The Road
Travel Blog - http://dreamscapetravels.wordpress.com/
Bus Blog - http://dreamscapesilvereagle.wordpress.com/
______________________________________________________

Our coach was originally owned by the Dixie Echoes.
Just Dallas
« Reply #34 on: June 09, 2010, 10:56:24 AM »

Removed
« Last Edit: July 14, 2010, 06:52:26 PM by Now Just Dallas » Logged

I'm just an old chunk of coal... but I'm gonna be a diamond someday.
Sean
« Reply #35 on: June 09, 2010, 12:03:36 PM »

Quote
I would bet you that with minimal information, I could obtain the credit card and bank information from at least 75% of the members here. That would also include your 'secret question' and the PIN for your paypal account.


I'll take that bet, Dallas.  I have $1,000 that says you can not do this with passive eavesdropping alone, so long as all the sites use SSL.

Rules:
1. No "phishing" or link misdirection.  This is a well-known scam and works often enough that the crooks keep doing it.  Frankly, there is no way to stop this, any more than there is a way to stop people from buying snake oil (whether for humans or diesel) or becoming Scientologists.  As I think you yourself are fond of saying, "you can't fix stupid."

2. No trojans or other malware, or exploiting of "back doors."  You can only eavesdrop, not hack your way in to a machine to install key-loggers or other exploits.

3. Email is off limits.  I would bet that you are right, insofar as probably 75% (or maybe more) people are using insecure email systems that send passwords in clear text.  So, to make it a fair contest, you can't sniff their email passwords, and then, by social engineering, use that information to make a brute force attack on other, more secure systems, nor can you sniff email contents and feed that into social engineering exercises.  (And, important note to everyone following along:  Your email password is not secure, so don't ever use that same password or any permutation of it for secure purposes such as your banking, credit card, or PayPal passwords.  Also, don't ever send private information in email unless you encrypt it first.)

4. We're only talking about secure sites, including PayPal.  That would include most banks and credit card issuers, etc.  I would hope everyone here already knows that information exchanged with any web site that does not use SSL is sent in clear text and is subject to being intercepted and read, on any network (not just wireless).

5. You can only eavesdrop on someone else's network, such as a public hot spot.  If you yourself control the WAP and router, then theoretically you could run a man-in-the-middle attack by exploiting the MD-5 certificate vulnerability announced last year.  Although I would guess that, (a) very few sites still use certificates prone to this and (b) that would require way more work and equipment than any reasonable person would do for a lousy one grand bet.  Sorry, I don't have the kind of cash to offer the level of cracking prizes RSA hands out.

Now, all we have to do is find maybe a dozen volunteers from this site and a proper venue, perhaps a rally, to conduct the challenge  Grin

-Sean
http://OurOdyssey.BlogSpot.com
Logged

Full-timing in a 1985 Neoplan Spaceliner since 2004.
Our blog: http://OurOdyssey.BlogSpot.com
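As an added illustration (not part of any post in this thread), the sketch below audits a capture of your own traffic for the kinds of logins the posts above describe as sent in the clear, and shows that SSL/TLS records give a passive listener nothing to match. The packet contents, ports, host and account names are constructed sample data, and the function names are hypothetical.

```python
import base64
import re

# (protocol, pattern over one payload line, what a passive listener learns)
CLEARTEXT_AUTH = [
    ("POP3", re.compile(rb"^PASS \S+", re.I), "mailbox password"),
    ("IMAP", re.compile(rb"^\S+ LOGIN \S+ \S+", re.I), "mailbox user and password"),
    ("SMTP", re.compile(rb"^AUTH PLAIN (\S+)", re.I), "base64 user and password"),
    ("HTTP", re.compile(rb"^Authorization: Basic (\S+)", re.I), "base64 user and password"),
    ("HTTP", re.compile(rb"(?:^|&)(?:pass(?:word)?|pin|cardnum)=[^&\s]+", re.I), "form field"),
]

# Constructed sample capture: (destination port, TCP payload).
SAMPLE_PACKETS = [
    (110, b"USER len\r\nPASS example-secret\r\n"),
    (143, b"a1 LOGIN len example-secret\r\n"),
    (587, b"AUTH PLAIN " + base64.b64encode(b"\0len\0example-secret") + b"\r\n"),
    (80, b"POST /order HTTP/1.1\r\nHost: shop.example\r\n\r\nname=len&password=example-secret"),
    (443, b"\x17\x03\x01\x00\x20" + bytes(32)),   # TLS application data
    (995, b"\x16\x03\x01\x00\x05hello"),          # TLS handshake (POP3 over SSL)
]


def is_tls_record(payload: bytes) -> bool:
    """SSL 3.0/TLS records start with content type 20-23 and major version 3."""
    return len(payload) >= 3 and 20 <= payload[0] <= 23 and payload[1] == 3


def is_b64_credential(token: bytes) -> bool:
    """True if the token decodes to 'user:pass' (Basic) or '\\0user\\0pass' (PLAIN)."""
    try:
        decoded = base64.b64decode(token, validate=True)
    except ValueError:
        return False
    return b":" in decoded or decoded.count(b"\0") == 2


def audit_cleartext_auth(packets):
    """Return (port, protocol, exposure) for each login visible to a sniffer.

    The secret itself is never returned, only the fact that it was exposed.
    """
    findings = []
    for port, payload in packets:
        if is_tls_record(payload):      # encrypted, including after STARTTLS
            continue
        for line in payload.split(b"\r\n"):
            for proto, pattern, exposed in CLEARTEXT_AUTH:
                match = pattern.search(line)
                if not match:
                    continue
                if match.groups() and not is_b64_credential(match.group(1)):
                    continue
                findings.append((port, proto, exposed))
                break
    return findings


if __name__ == "__main__":
    for port, proto, exposed in audit_cleartext_auth(SAMPLE_PACKETS):
        print(f"port {port}: {proto} sends {exposed} unencrypted")
```

Base64 in `AUTH PLAIN` and HTTP Basic is an encoding, not encryption, which is why those two count as exposed.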
bobofthenorth
« Reply #36 on: June 09, 2010, 12:58:28 PM »

I'd like to repeat my earlier question Jim because I think there is a disconnect between where people PERCEIVE the risks to lie and where they actually lie.  It would be a really useful article that quantified the relative risk between:

- handing your credit card to the waiter to process your bill "somewhere" out of your sight
and
- doing banking online through public wifi in a Starbucks

That would be useful information for those of us who travel.  I'm not interested in doing the research because I am comfortable with my own assessment of the risks but I expect that the credit card companies know the answer.  Whether or not they release that information I don't know.

Logged

R.J.(Bob) Evans
1981 Prevost 8-92, 10 spd
My website
Our weblog
Simply growing older is not the same as living.
Len Silva
« Reply #37 on: June 09, 2010, 02:08:41 PM »

Dallas,

Go for it!  No bet though.  I would really be interested to know my vulnerability on the net.  I use my real name here and I have a couple of websites which have my full name and address all over them.  My phone is not unlisted so I shouldn't be hard to find.

I do all my banking and bill paying online and make frequent online purchases.

I pretty much use the same generic password for most sites that I visit, including this one.

Banking, mortgage, investments etc. however, I use a computer generated password which I trust Firefox to remember and keep secure.  The answer to any secret question is the same thing, a computer generated password which looks like gibberish.  I keep a copy of it in my cellphone.

Another thing I do to protect myself is to have all direct deposits go into a bank account which does not have checking or debit card.  I then transfer money as needed to another account to pay bills or go shopping.  If anyone got my credit/debit card number they would find it declined at anything much over fifty bucks.

Good luck,

Len
Logged


Hand Made Gifts

Ignorance is only bliss to the ignorant.
Sean
« Reply #38 on: June 09, 2010, 02:31:39 PM »

Quote
... I think there is a disconnect between where people PERCEIVE the risks to lie and where they actually lie.  It would be a really useful article that quantified the relative risk between:

- handing your credit card to the waiter to process your bill "somewhere" out of your sight
and
- doing banking online through public wifi in a Starbucks

Bob,

As you know, that assessment is very hard to make, because real fraud statistics are tightly guarded secrets of card issuers.  Also, when a fraudulent transaction occurs, whether on the internet or with a counterfeited card, it is very difficult to determine how the card number was stolen in the first place -- was it online, or by shoulder surfing, dumpster diving, or "skimming," which is your waiter example.

However, your very own RCMP estimates that 37% of fraud involves counterfeit cards, principally made by skimming, whereas only 10% is "no card present" fraud that might involve an on-line or telephone transaction:
http://www.spamlaws.com/credit-fraud-stats.html.

But I will hasten to point out that all payment forms have their risks; remember that Frank Abagnale cost the public millions through fraudulent checks in the era before computer networks, and Karl Malden told all of us that "It's dangerous to carry cash" and was mostly right.

While there is a public perception that theft and fraud is ever-increasing, the fact of the matter is that technology has done more, in general, to detect and combat fraud than to facilitate it, and the cost of fraud on a percentage basis has been steadily decreasing.

I feel much more comfortable carrying a couple of credit cards around with me and using them for everything, including Internet purchases, knowing that my liability is limited to $50 per card no matter what happens to them, than in either carrying wads of cash or sending checks through the mail.

JMO, of course, and YMMV.

-Sean
http://OurOdyssey.BlogSpot.com
Logged

Full-timing in a 1985 Neoplan Spaceliner since 2004.
Our blog: http://OurOdyssey.BlogSpot.com
uncle ned
« Reply #39 on: June 09, 2010, 02:35:02 PM »



Jim   I have 2 Kaypro computers and 2 1200 baud dial up modems. That would be so slow that no thief would sit around and check your packets.

uncle ned
Logged

4104's forever
6v92 v730
Huggy Bear
rv_safetyman
« Reply #40 on: June 09, 2010, 03:45:33 PM »

Extremely interesting comments on security. 

Ned, I am not sure that I can adopt your solution Grin

Len, interesting approach using a "shielded" bank account and then transferring.

I guess I am going to temper my concern about doing business on public networks.  As I mentioned early in this thread, my concern is medium for my personal business (they would not get much, but the effort to get your identity back could be a huge issue).  My real concern is doing business processes (mostly credit card processing).  I have switched my e-store and "virtual terminal" (credit card processing) to Paypal. Doing so assured that nothing on my site would contain critical customer information.  I can only hope that their secure site is indeed secure.

Fortunately, I don't have to use public networks very often.  When we were in Europe, I had to do a bit of business (mostly personal) in internet cafes (on my computer) and that scared the heck out of me.  Obviously no problem.

I appreciate all of the input, but more importantly, I appreciate the fact that this has been a pretty darn friendly thread, given the nature of the subject.

Thanks,

Jim

Logged

Jim Shepherd
Evergreen, CO
85 Eagle 10/Series 60/Eaton AutoShift 10 speed transmission
Somewhere between a tin tent and a finished product
Bus Project details: http://beltguy.com/Bus_Project/busproject.htm
Blog:  http://rvsafetyman.blogspot.com/
Sean
« Reply #41 on: June 09, 2010, 03:57:26 PM »

Quote
...  My real concern is doing business processes (mostly credit card processing).  I have switched my e-store and "virtual terminal" (credit card processing) to Paypal. Doing so assured that nothing on my site would contain critical customer information.  I can only hope that their secure site is indeed secure.


Jim,

So long as you are using secure web technology, there is no reason why doing so over a public network should be any more risky than a "secure" one (whatever that means -- there really is no such thing).

A much bigger issue for anyone accepting cards on the 'net is validating the authenticity of the credentials of the buyer, and that's not a matter of network technology at your end.  As you know, chargebacks are a real concern, and when you don't have the buyer in front of you with a physical card in hand, the risks are higher (and card issuers set the bar higher for you to prove your claim).

I, too, use PayPal as my credit card clearinghouse, and they end up assuming these risks, so long as I follow their guidelines for "seller protection" (mostly, shipping only to addresses that PayPal has approved ahead of time).

-Sean
http://OurOdyssey.BlogSpot.com
Logged

Full-timing in a 1985 Neoplan Spaceliner since 2004.
Our blog: http://OurOdyssey.BlogSpot.com
Just Dallas
« Reply #42 on: June 09, 2010, 04:20:32 PM »

Removed
« Last Edit: July 14, 2010, 06:52:00 PM by Now Just Dallas » Logged

I'm just an old chunk of coal... but I'm gonna be a diamond someday.
Sean
« Reply #43 on: June 09, 2010, 05:01:58 PM »

Quote
...
Then you and I can set up 10 or 20 dummy email accounts at one of my web domains or one of yours, complete with fake credit card info, going to a fake ecommerce site.
...


Well, two problems with this.  First I said that email was off-limits -- I already acknowledged that most email is insecure, and trivially easy to break into.  Which is why I also advised folks to use a different password for email than for other activities, and never to send private information, such as credit card info, in an email.

That means, folks, BTW, that if you go to a low-volume retailer, and he has no secure credit-card processing site, and asks instead for you to send your card number in email, or for that matter he's got one of those web forms that generates and sends an email, DON'T DO IT.

Secondly, setting up a "fake" e-commerce site is a bit of a challenge.  In order for it to be a secure site, using SSL, it needs a security certificate, and that requires payment to one of the certificate providers to sign it with their root certificate.  Otherwise the browsers are just going to barf on it, saying that the certificate is invalid, or that the site is using HTTPS but has no certificate.

(This is another one of those BTW's:  don't enter your information if you get such an error from your browser.  Legitimate sites will always have security certificates, and those should be up to date, valid, and signed by a trusted authority.  If your browser is telling you there is a problem, you should be paying attention.)

But you said you could get people's account numbers and PINs, including PayPal, for legitimate sites.  I would volunteer to be the guinea pig -- no fake site required.  That's the bet I was taking...

Alternatively, we could generate and sign our own certificate for the test, but that's not a real-world test.

-Sean
http://OurOdyssey.BlogSpot.com
Logged

Full-timing in a 1985 Neoplan Spaceliner since 2004.
Our blog: http://OurOdyssey.BlogSpot.com
muddog16
« Reply #44 on: June 09, 2010, 05:10:50 PM »

I remember Latin class.........it was a tough place to sleep!
Logged

Pat

1982 Prevost LeMirage
8V92TA/HT754

http://prevostlemirage.blogspot.com/