Checking your e-mail at a coffee shop: good idea or terrible idea?  What about tweeting from a hostel’s Internet kiosk?  Want to work on your slashfic at your parents’ house without leaving incriminating smut on your mom’s computer?  Let’s talk about techno-security on the road.

First, let me issue a blanket proscription on doing your online banking, stock trading, or anything of vital importance over a computer or network that you don’t trust.  I’ll call these important sites.  For the rest–sites with comparatively less ability to destroy your life, e.g. your webmail, your social networking–let’s discuss some risk reduction.  Security is all about raising the bar.  Assume that a sufficiently motivated, skilled, and funded attacker can always defeat you.  Your goal is not to make it impossible to hack you; it’s to make it not worth their time.  Attackers are lazy–there’s easy pickings out there–so let’s make it hard for them.  Let’s make it hard enough that nobody bothers you.

Passwords

You know the drill: 8 characters or more, mix of upper and lower case, numbers, and special characters.

  • No names. Not yours, your mom’s, your kid’s, or your goldfish’s.  The attackers have password crackers; how long do you think it takes to run through the baby name book? Answer: not long at all.
  • Geeky references are a bad idea (unless very well-disguised–see below).  Geeks, the Internet’s indigenous population, have been choosing passwords longer than anyone else, and even the most trivial minutiae of geekery have been pressed into service by now. I don’t care how obscure and clever your Monty Python reference is, I will eat my hat if it isn’t in the password cracker’s dictionary.
  • No common words. Their dictionary crackers have very long word lists. In multiple languages. Including slang and swear words.
  • The above rules hold even if you use l33t sp33k.  L33t obeys pretty regular rules, so it’s simple for the attackers to check for.
  • No numbers that can be identified with you: not your phone number, not the year you were born/married/graduated, and for the love of God not your Social Security Number.
  • Beware of password recovery questions.  The best are those sites that let you pick your own, for which I recommend some absurd piece of childhood trivia, e.g. “What was the rumor floating around summer camp in 1995?” “Johnny Cash had died.”  Usually, though, you have to pick from a set.  Some people choose patently untrue answers, on the grounds that it’ll be much harder for a thief to “recover” your password if the site thinks your mother’s maiden name is “The Denver Broncos”.  The catch is that you have to remember it, too.
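Here’s an added example (my own illustration, not part of the original post) that turns the rules above into a checker you can run against a candidate password. The word list and the “facts about you” are tiny constructed stand-ins for the cracker’s real dictionary; the point is the l33t un-substitution, which shows why ‘Dr4g0n’ is no safer than ‘dragon’.

```python
import re

# Constructed stand-in for a cracker's word list: common words, names, slang, geek references.
WORDLIST = {"password", "dragon", "monkey", "fluffy", "johnny", "spam", "castle"}

# l33t follows regular substitution rules, so undoing it is a simple table lookup.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "!": "i", "|": "l"})

# Constructed "facts about you" that an attacker could plausibly dig up.
PERSONAL = {"names": {"nightsky", "rex"},
            "years": {"1995", "1984"},
            "numbers": {"5551234"}}

def normalize(pw):
    """Lowercase and undo l33t substitutions so 'Dr4g0n' and 'dragon' compare equal."""
    return pw.lower().translate(UNLEET)

def check_password(pw, wordlist=WORDLIST, personal=PERSONAL):
    """Return the list of rules the candidate breaks; an empty list means it passed."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    required = {"lowercase": r"[a-z]", "uppercase": r"[A-Z]",
                "digit": r"[0-9]", "special": r"[^A-Za-z0-9]"}
    missing = [name for name, pat in required.items() if not re.search(pat, pw)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    # Look for embedded words in both the raw lowercase form and the de-l33ted form.
    forms = {pw.lower(), normalize(pw)}
    for word in sorted(wordlist):
        if any(word in f for f in forms):
            problems.append(f"contains dictionary word '{word}' (possibly in l33t)")
    for name in sorted(personal["names"]):
        if any(name in f for f in forms):
            problems.append(f"contains a name: '{name}'")
    # Strip everything but digits so '19-95' and '1995' are treated the same.
    digits_only = re.sub(r"[^0-9]", "", pw)
    for num in sorted(personal["years"] | personal["numbers"]):
        if num in digits_only:
            problems.append(f"contains a number tied to you: '{num}'")
    return problems
```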

“But Nightsky!” I hear you wail, “I know all this, but how else can I make a good password I can remember?”

All righty then, here’s a couple of techniques that have served me well.

  1. Acronyms. Think of a book (or music album, or TV show, or webcomic, or…) you love.  Take the initials of the author’s name, then the initials of the book’s name, and pick a nice special character (or two, or…) to separate them.  William Pène du Bois’ excellent The Twenty-One Balloons becomes ‘21B&WPduB’, which is an excellent password.
  2. Pick a couple of small words. Egregiously misspell one or both of them.  Be creative, and remember English’s weirder spelling rules.  Stick ’em together, again separated by a special character or so.  ‘Fire’ + ‘fly’ = ‘phyurr%ghli’ (that’s ‘gh’ as in “tough”, by the way).

I will turn a blind eye to you using the same password for different sites, so long as you at least promise that you never ever use that password for an important site.  I will even–albeit grudgingly–let you write passwords down, so long as you promise to write them down slightly wrong: for example, make a mental rule to add, say, 2 to all digits, so that if your cheat sheet says “2dorCastle”, you know that the password is really “4dorCastle”. (Bad password chosen for clarity.)  Or swap upper and lower cases. Or have all the letters be off by one. You get the idea.

For the really, really memory-impaired among you, consider something like Password Maker (passwordmaker.org).  You remember one password; it and the site’s URL are hashed to produce a mighty password, the kind everyone tells you to use but no human can remember, like “HSD3497623&^%%$$&asdfhuweuir%%^”.  Because hashing is deterministic (meaning that the same input will always generate the same output), the program doesn’t have to save anything–it just calculates the password, as needed, over and over.  There’s a Firefox plugin, a Mac dashboard widget, and an online version.
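To show the “hash the master password with the site” idea in working code, here is an added example of my own. It is not Password Maker’s actual algorithm; it uses PBKDF2-HMAC-SHA256 from Python’s standard library, with the site’s hostname as the salt, and the function names and the 20-character default are my choices.

```python
import hashlib
import string
from urllib.parse import urlsplit

# Output alphabet: letters, digits and a handful of specials so the result
# satisfies the usual "mix of character classes" rules most of the time.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"

def site_key(url):
    """Reduce a URL to its lowercase host, so 'https://mail.google.com/inbox'
    and 'mail.google.com' derive the same password."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower()

def make_password(master, url, length=20, iterations=200_000):
    """Derive a per-site password from one master secret.

    Nothing is stored anywhere: the same (master, site) pair always yields
    the same output, and a different site or master yields a different one.
    The salt (the hostname) is public by design, so the master must be strong:
    anyone holding one derived password can brute-force the master offline.
    """
    site = site_key(url)
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              site.encode("utf-8"), iterations, dklen=length)
    # Map each derived byte onto the alphabet. The modulo introduces a slight
    # bias (256 is not a multiple of 70); acceptable for illustration.
    return "".join(ALPHABET[b % len(ALPHABET)] for b in key)

if __name__ == "__main__":
    master = "correct horse battery"  # constructed sample master secret
    for site in ("https://mail.google.com/inbox", "mail.google.com", "twitter.com"):
        print(f"{site:32} -> {make_password(master, site)}")
```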

Systems you don’t trust

Library kiosks! Free wireless at the coffee shop! And airport, and hotel… and there’s a kiosk there, too, hooked up to a printer so you can print out your boarding pass… but are you just going to blindly trust the network admin of Whatever Regional Airport to not use (the totally b0rken protocol) WEP?  Ha ha ha no.

Use common sense. A wireless network with an SSID of “SanJoseInternationalWiFi” is (assuming you’re at SJC, anyway) much more likely to be legit than one named “Sk00ter16sTotallyNotAHackerAtAllWiFiNetwork”.

Wireless users, try your hardest to have your first hop be a wired one.  It eliminates a whole class of attack. If the coffee shop has Ethernet jacks in the wall (as I remember they did in my college days; but then again that was after laptops became ubiquitous but before wireless network cards did), strongly prefer those.  If your hotel room has an Ethernet jack, plug in even if the wireless reception is great.

If whatever site you’re accessing supports secure login (i.e. begins with https:// (note the s)), type that.  Checking gmail? Type in ‘https://mail.google.com’, not ‘http://mail.google.com’.  Yes, I know that you can type http:// and you’ll just get silently redirected to the https:// site, but it still opens you up to a man-in-the-middle attack.

On computers not your own, always always clear your private information and cookies when you’re done.  Intelligently set up kiosks do this automatically, but you can’t count on that.  For Firefox, it’s Tools->Clear Private Data; for IE, it’s under Tools->Internet Options->General.  Those of you who are paranoid can load your favorite browser onto a USB drive and run that instead of the host computer’s browser.  Those of you who are really paranoid can load TinyLinux on there, and run that. There is a performance hit, naturally, which means it’s probably OK on anything reasonably modern, but may be unbearable on the public library’s creaky old 386.

Finally, a couple of other possibly useful tips for you globe-trotters:

  • USB is USB the world ’round, and devices that can charge via USB are your friends.  Why? Because you won’t need a foreign electricity adapter thingy or all those wall chargers with their big transformers (that take up room in your suitcase and, in my experience, look suspicious to airport security).  You can just bring your devices’ USB cables, and buy a wall USB charger when you get to the foreign country.
  • Be aware that digital toys are almost always cheaper in the U.S. than in foreign countries (Japan probably excepted): not just because of exchange rates or Europe’s high VAT (sales tax), but also because companies love to pump up the price when they launch gadgets overseas, knowing that gadget hounds will have no choice but to fork over the dough. I was in Europe last summer, and the $399 iPhone was being sold for £399 in the UK, and €399 in France. (Answer to obvious question: if you ordered online and tried to pay in dollars, they’d only deliver to a US address.)  While this does mean that those of you visiting relatives overseas will be able to bring over some bitchin’ presents, it also means that a Blackberry is a much more appealing target for theft in London than it is in Los Angeles, simply because they’re more expensive there, in both relative and absolute terms.  Be careful bringing your awesomest or most favoritest new toys along, is all.
  • Those of you traveling off the beaten path may sometimes encounter people hanging around outside a bank or currency converting station.  Once they’ve deduced that you are changing money, they may approach you and offer you a really nice rate.  Do not do this.  This is the black market currency exchange you may have heard about: almost certainly illegal, and rife with counterfeiters.
  • In Europe, two kinds of shoes scream “Hi, I’m an American tourist, please pick my pocket”: flip-flops, when worn anyplace other than a pool or beach; and sneakers, when worn anytime that the wearer is not actively working out.

Have a great summer, and let’s be safe out there!