LiveCD for Secure Web Browsing?
An anonymous reader asks: "Say you want to do your online Internet banking on your home PC, with a bank that lets you send actual money to complete strangers online, and you want to be really, really sure that some hacker isn't stealing your password or your money or both. You don't fully trust Windows, despite your best efforts to keep it secure, and you know that no OS installed on a hard disk is guaranteed secure or immune to root-kits and the like. You know enough about computer security to know that you are always just one careless mouse click or one security hole away from being screwed. You've read the advice from your bank, which says 'turn up' your security settings (whatever that means), and don't click on 'unknown' links (ever). So what you really need is a bootable CD with software so simple and stripped down that it lets you browse the web and nothing else. The nearest I can think of is one of the Linux mini-LiveCDs with Mozilla or some other browser included, such as Damn Small Linux, or ByzantineOS. Such a system shouldn't even know how to speak to your hard drives. Do Slashdot readers know of anything like this?"
You're insane (Score:1, Interesting)
How many condoms do you wear during sex? Wait, let me guess, you don't even go into a room with anyone who's ever had sex.
You can't live your life like that.
Re:You're insane (Score:4, Funny)
You can't live your life like that.
You must be new here.
Enough... (Score:5, Funny)
Hardware insecurity (Score:5, Funny)
Re:Hardware insecurity (Score:3, Insightful)
Re:Hardware insecurity (Score:2)
Re:Hardware insecurity (Score:1)
Re:Hardware insecurity (Score:2)
Re:Hardware insecurity (Score:2)
raw ore (Score:2)
Re:Hardware insecurity (Score:2)
USB keyloggers (Score:1)
Re:Hardware insecurity -- don't worry about it (Score:3, Interesting)
Just install the required unames and passwords into the autofill data for the browser and put the sites into your bookmarks before you burn the CD. The key logger is unlikely to see much that's interesting.
If you are afraid of losing the CD and having whoever finds it figure out how to use it, just use the bookmarks part. It's unlikely that someone will be able to connect a keylogged uname and password with the correct bank name (especially if you click on the pas
Piece of Cake! (Score:5, Funny)
No one writes Malware for BeOS!
Paranoid (Score:5, Funny)
so what's your problem? (Score:2)
Well... (Score:3, Insightful)
Knoppix should be enough for what you're talking about, tho.
Lots of Live Distros around (Score:4, Informative)
Looks like they are even categorized quite extensively too. You should find at least something to ease your paranoia. But if you don't, you can make your own with Morphix [morphix.org], which is sort of a customizable Knoppix, and even has a how-to for something similar to what you want.
Re:Lots of Live Distros around (Score:4, Informative)
fighting the wrong fight. (Score:2)
Re:fighting the wrong fight. (Score:2)
That depends on the ISP. I would guess that in general most local ISPs are much easier to root than it is to tap a phone line. Especially if they are a Windows house.
On a side note, I worked at a local ISP that accepted money to allow a third party to install traffic sniffers on all of the modem pools, and gave them access to our customer database so they could link the web traffic to particular home addresses (apparently it was
Re:fighting the wrong fight. (Score:3, Interesting)
Re:fighting the wrong fight. (Score:2)
I considered this a while ago... (Score:5, Insightful)
As I thought about the idea, I came up with a few major complications:
Many people are still on dialup or have weird login processes to get internet access - not the simple DHCP that I have at home and work. Most modems are of the "winmodem" variety, PPPoE is often a mystery even in Windows, and let's not forget AOL's proprietaryness.
Then I thought about printers. Invariably, you'll want a hard copy of some sort of banking transaction. That should prove to be lots of fun to get working. Unfortunately, most folks don't have Postscript printers at home, and text mode won't cut it. So printer drivers and settings will be an issue.
Assuming you could step the average user through the two biggest trouble spots above (and assuming there are NO other problems, yeah right) using a LiveCD without saving the configuration somewhere would become tiresome very quickly. So, some local storage would be required, i.e. hard drive, USB drive, or perhaps a floppy. So, saving configuration information somewhere should prove to be even more fun for Linux newbies.
Some other things to consider: access to email (if you're not using webmail), the time to cycle between Linux and Windows (LiveCDs are "fast" when you're in a jam, but I wouldn't want to boot one every day just to spend 10 minutes on my Bank's website!), web browser compatibility (depends on the bank), Personal Finance Software (what's the point in all this if Quicken or MS Money is going to connect through a suspect Windows installation anyways?).
In the end, I just didn't see any easy way for the average computer user to have access to something like this - at least not until internet connection technologies get a lot more standardized or someone is willing to do a LOT of work on the Linux distribution side. I became disenchanted with the idea and forgot about it... until this Ask Slashdot. Well, that's my CAD 0.02 - it's a good question/idea, and I hope that someone else has a more positive answer.
Check the hardware (Score:3, Insightful)
A keystroke logger could easily be wired in, or simply plugged in the back... waiting for you to enter your credentials.
If you can't trust the computing platform, all bets are off.
Puppy Linux (Score:2)
Check it out. It has bootable CD and Compact Flash versions.
If you're worried about your money... (Score:4, Informative)
Because of that and so many other issues, if you are really worried about your money, try to get your bank to not allow online transfers, or only to selected accounts - e.g. to the bank account you use for credit card payment. If the bank doesn't allow that, then do you feel your money is safe in that bank? If no, then change banks - or keep the bulk of your money in a safer bank and transfer money from the unsafe one to the safer one. You can often also get the bank to limit the amount transferred per day.
For online payment (and offline where reasonable) pay everyone else using your credit card. That way if anything goes wrong, at least it's not _your_money_ that's gone - it's the card issuer's money that's gone or the Merchant's (or some other party, just not you!) - in which case while you're going through all the legal processes to fix things, you still have money to live on, and the pressure is on the OTHER parties involved to get things fixed, you can actually be a bit more passive. In contrast, if it's your money that's gone, often the rest could be sitting around whilst you'd be the one burning up the phone lines trying to fix things.
In conclusion, allowing money to be transferred online from your account to random parties is quite insecure even if it's with your permission, and even if it's your own hardware and software, coz unlike ATM transfers, you and the bank are _unlikely_ to control everything else involved in the transaction. Plus the devices involved often do other things as well.
I have checked out a bank's online app before (with their permission as part of a job) and I found I could cancel other people's cheques without their permission, fortunately money transfers somehow didn't work - some other control was probably stopping it. I also found SQL injection in another bank's online app.
There are bound to be flaws in banking apps. Previously this wasn't such a problem because the only people using the banking apps were the bank's staff who had to be trusted significantly anyway.
Re:If you're worried about your money... (Score:2)
What I think you're looking for... (Score:1, Interesting)
floppy vs. Other? (Score:1, Informative)
Because if you have to boot from any media except a floppy, chances of you having to get into the BIOS and set the boot devices are high. So while you are at it, might as well get a fully supported, fully loaded media, right?
As for floppy sized distros, the only thing that comes to mind is tomsroot [toms.net]
But what if your bank's stupid? (Score:3, Insightful)
Interesting as some banks and companies [theregister.co.uk] want their clients to connect insecurely, no other options available.
Re:But what if your bank's stupid? (Score:1)
Where are you planning to use this? (Score:2)