LUGOD: Linux Users' Group of Davis
Page last updated:
2006 Apr 28 13:09

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] Laptop WiFi Security



Quoting Bob Scofield (scofield@omsoft.com):

> If a person uses a WiFi connection at an airport, hotel, coffee house, etc. 
> clearly the connection is not encrypted.

At the level of IP transport, no.

When I have my laptop at such a place, I make sure anything
security-sensitive goes over an SSL-wrapped session (https, SMTP-TLS,
IMAP-SSL, whatever) or my SSH tunnel to my server at home --
encryption higher up the stack, implemented by me rather than someone
else's infrastructure.  There's no reason to trust the network.

> I have been told that if you use an open connection, someone can get 
> into your hard drive.  That is, a hacker could read your files.

Vague.

To discuss this fruitfully, one must discuss _process_.  The above
doesn't get into process at all:  This might be on account of the
speaker (the fellow you quoted, _not_ you) regarding all of this as
magic.

When I connect my laptop to a LAN -- even my own -- it doesn't have any
network daemons running, whatsoever.  (I occasionally double-check this,
by scanning it using nmap, from a test host.)  So, consider what an
attacker, trying to probe my machine, would see:  Just a TCP/IP stack, 
giving some signs of being based on a Linux kernel.  That's a pretty
darned hard target.  

Of course, the attacker is rather more likely to want to intercept and
misuse information going to and from my laptop, instead.  That's where
careful use of encryption comes in, plus my trait of not trusting the
local LAN, the local DNS, etc.  

> 1)  One computer professional told me that the solution to the problem
> is to have firewall software on your laptop. 

This is, in general terms, the "perimeter security" model, which has
strong appeal to people who don't want to think process.  ;->  I.e.,
build a wall around your machine, so you don't have to think about
threat models and vulnerabilities.  It's also known as the "hard shell
and soft centre" model -- and people who rely too much on the hard shell
are frequently unpleasantly surprised by various types of badness that
are out of scope for their "firewalls" (IP/port filters), against which
their filtering is simply ineffective, meaning the soft centre is
potentially toast.

A different idea:  Concentrate on not being vulnerable in the first
place.  See Marcus Ranum's "Six Dumbest Ideas in Computer Security"
essay, especially "#3) Penetrate and Patch":
http://www.ranum.com/security/computer_security/editorials/dumb/

> My first question is:  Is there a firewall package for Debian?

How many do you need?  ;->

See "Firewall Builders" on http://linuxmafia.com/kb/Security .
Substantively all of those are packaged in Debian.


> 2)  The second question is whether there is *any* merit in the
> following idea I thought of.  Suppose you had a laptop  that had a
> major Windows partition, and a major Linux partition on it.  Suppose
> you also put a second very small Linux partition on it.  The small
> Linux partition would be used exclusively for e-mail and web surfing
> at open WiFi connections.  
> 
> Fstab would be configured on the small partition so that the major
> Linux partition could *not* be mounted.

Not very feasible, really -- unless the major Linux partition uses
on-disk encryption, which introduces its own problems.

But I think this is trying to solve the wrong problem, fundamentally.

-- 
Cheers,
Rick Moen                                                    Habetis bona deum. 
rick@linuxmafia.com
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech


