Security

Network Security While Traveling? 312

truesaer writes "I'll be spending all of next year backpacking through South America. In the past I've used Internet cafes while away, but this time I plan to bring a netbook and rely primarily on Wi-Fi hotspots. I'll be facing the same issues and risks that business travelers in hotels and airports face, as well as those encountered by millions of other backpackers, gap-year travelers, and students. Since my trip is so long I'll have no choice but to access my banking, credit card, and investment accounts on public networks. I will not have a system at home to connect through. Other than an effective firewall, a patched system, and the use of SSL, what else should I do to protect my information? Keep in mind that many places have very poor bandwidth and latency."
This discussion has been archived. No new comments can be posted.

  • Re:OpenVPN (Score:3, Interesting)

    by Anonymous Coward on Sunday November 29, 2009 @05:17PM (#30263796)

    rent a $10/mo VPS and then tunnel?

  • by jazzkat ( 901547 ) on Sunday November 29, 2009 @05:20PM (#30263814)
    I've been stuck in the ICUs of local hospitals for the past month in a similar circumstance. I've been doing bills and banking from my system at home via FreeNX.
  • by iturbide ( 39881 ) on Sunday November 29, 2009 @05:24PM (#30263846) Homepage

    Assume you will lose your netbook at some point: encrypt the entire thing using truecrypt or similar, and make sure you can access vital data from somewhere else: either use dropbox, or use google docs, or whatever.

  • Phone banking? (Score:1, Interesting)

    by Anonymous Coward on Sunday November 29, 2009 @05:26PM (#30263850)

    My credit union still has a system for doing much of my banking over a phone line. I'd rather take my bets on the security through the phone lines than the interwebs.

  • Nothing (Score:2, Interesting)

    by tokul ( 682258 ) on Sunday November 29, 2009 @05:28PM (#30263870)

    Other than an effective firewall, a patched system, and the use of SSL, what else should I do to protect my information?

    There is nothing you can do. Keep strangers away from your machine. If you use SSL, check certificates or maybe even remember signatures of most important certs.
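
One way to do the "remember the signature" check described in the comment above, as an added example that is not part of the original post: record the SHA-256 fingerprint of a site's certificate while on a trusted network, then compare it on the road. The host name and certificate bytes used with it are the caller's; nothing here comes from the thread.

```python
import hashlib
import hmac
import socket
import ssl

def normalize(fp):
    """Accept 'AA:BB:...', 'aa bb ...' or plain hex; return lowercase hex digits only."""
    return "".join(c for c in fp.lower() if c in "0123456789abcdef")

def sha256_fingerprint(der):
    """SHA-256 over the DER-encoded certificate, as browsers and openssl display it."""
    return hashlib.sha256(der).hexdigest()

def pin_matches(der, remembered):
    """True if the certificate's fingerprint equals any remembered fingerprint."""
    actual = sha256_fingerprint(der)
    return any(hmac.compare_digest(actual, normalize(p)) for p in remembered)

def fetch_leaf_der(host, port=443, timeout=10.0):
    """Fetch the server's leaf certificate after normal CA and host name validation."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def check_site(host, remembered, fetch=fetch_leaf_der):
    """Return 'OK' or a 'STOP: ...' message; never falls back to an unverified connection."""
    try:
        der = fetch(host)
    except ssl.SSLError as exc:
        # Covers certificate verification failures: the warning you must not click through.
        return "STOP: TLS validation failed for %s (%s)" % (host, exc)
    if not pin_matches(der, remembered):
        return "STOP: %s presented certificate %s, not a remembered one" % (
            host, sha256_fingerprint(der))
    return "OK"
```

A mismatch is not always an attack, since sites replace certificates on renewal, so keep more than one remembered fingerprint per site and re-record them only from a network you trust.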

  • by kjart ( 941720 ) on Sunday November 29, 2009 @05:33PM (#30263912)

    the world won't end if you can't access slashdot and your email for a few months

    Check the time mentioned in the summary. I would normally agree with you, and don't typically even use internet cafes while gone for a few weeks. However, I can't imagine being totally unconnected to email for a whole year. Yes, I could do without Slashdot, but just checking the news back home and following up with friends and family would be mandatory.

  • Not a lot (Score:5, Interesting)

    by ledow ( 319597 ) on Sunday November 29, 2009 @05:46PM (#30263978) Homepage

    There's not much you can do, this is why SSL saves millions of people's asses every day - just be ultra-suspicious of any warnings that you don't normally get. This is why everyone has a "trusted" network piped into their house by their ISP, and why they get so uppity when that trust is abused (DNS redirection, deep packet inspection, traffic analysis, advertisement insertion etc).

    Have a software firewall at *ALL* times that distrusts everything... on Windows I use Zonealarm with everything set to "Internet" and all the high-security settings for that (only exception is an OpenVPN interface which can *obviously* only be my remote access into my trusted networks at home - I let OpenVPN - the program - connect to the Internet and I let the OpenVPN interface do whatever the hell it wants ["trusted"], and obviously have all the checks enabled for certificate-authentication to get onto my home network). On Linux, that's just bog-standard iptables doing its job the same as ever.

    I don't expect anything non-SSL to be secure by default. I treat it as if I was using Tor in that respect. Make sure you have Gmail or whatever set to "always use https". If you want anything better than that (i.e. email, IM, http, etc. traffic), or better assurance overall, you have to have a VPN to be safe.

    My OpenVPN automatically deletes other routes except for the essential ones and adds a default route through my VPN interface so when connected to home I *know* everything has to be using the VPN to communicate in that instance (hate the idea that if OpenVPN dies, there might be "another" route lurking which sends things out on another interface - I've seen it happen with some "automatic" configurations on Windows).

    I often game over an OpenVPN instance, even when playing locally, so don't take heed of the rubbish about it being too costly in latency terms - of course, if you are in a foreign country and relaying to another, it will lag, but the actual overhead is not much worse than just ordinary IP routing to your destination.

    Basically - SSL in some form or another, whether that's direct or over a VPN... otherwise you cannot trust things. Of course, millions of people trust ordinary wifi points all over the world, all day, every day. If you decide to follow their lead, that's up to you.
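
A check for the "another route lurking" problem described in the comment above, as an added example that is not the poster's own configuration: it reads Linux `ip route show` output and reports any route that would carry traffic outside the VPN interface. The interface names (`tun0`, `wlan0`), addresses and routing tables are constructed samples.

```python
import ipaddress

# Constructed `ip route show` output: VPN up, routes split into two /1 halves.
SAMPLE_OK = """\
0.0.0.0/1 via 10.8.0.5 dev tun0
128.0.0.0/1 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
203.0.113.10 via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.57
"""
# Same table, but the hotspot's default route was left behind.
SAMPLE_LEAK = SAMPLE_OK + "default via 192.168.1.1 dev wlan0 metric 600\n"

def parse_route(line):
    """Return (network, gateway or None, device or None) for one route line."""
    tok = line.split()
    dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
    net = ipaddress.ip_network(dest, strict=False)  # bare address becomes /32
    via = tok[tok.index("via") + 1] if "via" in tok else None
    dev = tok[tok.index("dev") + 1] if "dev" in tok else None
    return net, via, dev

def audit(table, vpn_if, vpn_server):
    """Return (vpn_covers_all_ipv4, bypass_lines) for an IPv4 routing table."""
    server = ipaddress.ip_network(vpn_server)
    via_vpn, bypass = [], []
    for line in table.splitlines():
        if not line.strip():
            continue
        try:
            net, via, dev = parse_route(line)
        except ValueError:
            continue  # e.g. "unreachable ..." or "blackhole ..." entries carry no traffic
        if dev == vpn_if:
            if net.version == 4:
                via_vpn.append(net)
        elif net == server:
            pass  # essential: the encrypted packets themselves must reach the VPN server
        elif via is not None or net.prefixlen == 0:
            bypass.append(line.strip())  # gatewayed or default route outside the tunnel
        # remaining case: directly connected subnet, needed to reach the local gateway
    merged = list(ipaddress.collapse_addresses(via_vpn))
    return ipaddress.ip_network("0.0.0.0/0") in merged, bypass
```

Run it against both `ip route show` and, with the default mapping adjusted, `ip -6 route show`: an IPv6 default route on the hotspot interface bypasses an IPv4-only tunnel in the same way.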

  • Re:OpenVPN (Score:3, Interesting)

    by asdf7890 ( 1518587 ) on Sunday November 29, 2009 @07:10PM (#30264556)

    If he is going to be away and there is no one left at home (or at least no one sufficiently techie) to fix the setup if something goes wrong then the arrangement is stuff, so "a friend's house" is more the way to go.

    Though as poor latency is already going to be an issue I recommend a rented VM on a properly hosted server - then the extra latency of a residential connection will not compound the issue. Also, it might mean more than one VM location during the trip if he is traveling far, so at each location latency can be minimised by keeping the other end of the VPN relatively topologically local (within reason, of course, as he'd have to keep the other end of the VPN somewhere he considers safe enough).

    Also if using OpenVPN or similar set up both TCP and UDP endpoints - UDP is preferable (TCP wrapped in TCP can cause noticeable efficiency issues for some traffic patterns and network issues) but sometimes a TCP OpenVPN connection works better if only because it can get through bad NAT arrangements more easily. Also set up an extra endpoint on port 80 or 433 as well as the standard OpenVPN port in case of firewall issues, just for good measure in case of strict outgoing port use limitations. For extra paranoia/completeness set up a HTTP-to-generic-TCP gateway too, that way you can connect to the VPN through that if everything but port 80 is blocked and the ISP are using DPI to ensure that traffic on port 80 really is HTTP traffic (far from efficient, but maybe better than nothing at all if that is the only option). This may of course all be far too much work depending on how much the security of the information you are sending is if you can't simply avoid sending it until you get back to your home turf or some other location you consider sufficiently secure.

  • by BluBrick ( 1924 ) <blubrickNO@SPAMgmail.com> on Sunday November 29, 2009 @07:52PM (#30264818) Homepage

    Given the current unstable nature of the world economic system, is it a sane move to ignore your investments for a year?

    No, it isn't. But also taking into account the sporadic nature of connectivity while backpacking, it probably is a good idea to exit any stock holdings and leave your investment capital as cash in the bank for a year. Sure, it's a lower interest rate, but you can rest easy in the knowledge that your capital won't decrease.

  • by Lumpy ( 12016 ) on Sunday November 29, 2009 @08:04PM (#30264902) Homepage

    you're going travelling, to experience new cultures, people and ideas

    put down the computer; the world won't end if you can't access slashdot and your email for a few months

    And how does he keep all his friends updated on his Facebook?

    I went on a cross country trip on a motorcycle. I posted on my blog at every stop along with a GPS coordinate. It made my family and friends happier and they knew that if I did not post the next morning to contact the authorities along my path.

    It's just a smart thing to do. When I do backwood backpacking I email friends every 2 hours... I use a http://www.gadgetvenue.com/spot-satellite-gps-emergency-beacon-07231020/ [gadgetvenue.com]

    SPOT personal location beacon. When I press OK it sends a nice email to family of my location and "I'm OK". Works great and needs no cellphone coverage. I can press the help button when I break an ankle and know that someone knows I need help and my exact location.

  • Get one of these... (Score:3, Interesting)

    by Lumpy ( 12016 ) on Sunday November 29, 2009 @08:07PM (#30264922) Homepage

    http://www.gadgetvenue.com/spot-satellite-gps-emergency-beacon-07231020/ [gadgetvenue.com]

    Screw internet security.. I prefer to have a way to let someone know my ass is in a bind and I need help RIGHT NOW!..

    I use mine to keep family happy on cross country motorcycle rides or when I go backwoods backpacking. I press the "I'm ok" button at every break.

  • by Anonymous Coward on Sunday November 29, 2009 @08:59PM (#30265198)

    He'll be away for a long time and can't come home every once in a while. What if there is a power outage or something and the computer needs to be rebooted? Can't be left home alone.

    Next option is family but if there is anything more than rebooting, most parents probably don't know how to deal with it.

    Only option for depending on a computer at "home" is to leave it to some computer literate friend. But even so there can be problems in troubleshooting why something doesn't work, trying to call the friend only to find out that he is totally wasted/high/visiting relatives somewhere/etc. when you need to use the computer... Those are unlikely to be constant problems and might be that they don't occur at all (if you are very lucky) but they are very existent risk. Enough that I wouldn't prefer such option.

    And then there is of course the extra latency from routing your traffic one more step. Usually not a problem but I could imagine it could sometimes be.

  • by truesaer ( 135079 ) on Sunday November 29, 2009 @10:19PM (#30265548) Homepage

    That sums it up pretty well...no home, parents that can only operate a power button, and troubleshooting via phone from Guyana could be tricky even if I were to leave a machine with a tech-savvy friend. VPNing to a hosted machine didn't occur to me for whatever reason, I'll probably look into that. This is probably an area where compromises will have to be made, but my first step is to avoid any potential complications because they'll be a real pain to deal with.

  • Re:Witopia (Score:1, Interesting)

    by Anonymous Coward on Sunday November 29, 2009 @10:38PM (#30265706)

    Witopia VPN is highly worthy (with their recent price increase it's now about $70/year, iirc). In addition to encrypting all traffic between your PC and one of their 'hubs' (located in USA or England, your choice), it very effectively punches thru filtering that some hotels / govt's use. Widely used by expats in China to get around the Great Firewall. There is sometimes a minor speed hit. I've used it in a dozen different countries.

  • Re:OpenVPN (Score:3, Interesting)

    by jetole ( 1242490 ) on Monday November 30, 2009 @03:59AM (#30267798)
    Just as a follow up to myself here. To assume your home/office/VPS/whatever is a secure connection to begin with is ignorant. A VPN from the WiFi to your home/office/VPS/whatever and then routing out over the internet like normal from your endpoint is simply moving the location where your data is at the most risk and doing nothing to mitigate that risk. Again, the VPN was not designed for this type of security nor does it provide it. Etch it into your heads, the VPN provides only a secure connection to the endpoint and once it leaves there then the VPN is in no way whatsoever protecting your data.
  • by MarkTina ( 611072 ) on Monday November 30, 2009 @04:19AM (#30267874)

    (This is of course assuming you have any family, friends or a FB and you trust them)

    1) Buy a pen and paper
    2) Write how much you have free on your credit card at the top.
    3) Every time you buy something subtract the amount from the amount left on your credit card
    4) Have your credit card statements go to your family member, trusted friend or FB
    5) Authorize with the bank your family member/friend/FB to handle payments of your credit card from your bank account
    6) If you need extra money .. phone your family member/friend/FB and have them transfer it

    If you really want, you could always learn the PGP algorithm and apply it to the numbers written on your paper manually.

    Now is that so hard ?

  • Why Tunnel? (Score:3, Interesting)

    by Attila the Bun ( 952109 ) on Monday November 30, 2009 @09:08AM (#30269088)

    Lots of recommendations here for encrypted VPN tunnels. But assuming the bank uses HTTPS, why would you need the extra layer of encryption?

    I don't agree with those who say leave the netbook at home. Using a live-CD to avoid keyloggers in internet cafes is not always possible. Often the CD drive and USB ports are removed or defunct. Come to think of it, the keyboards are often defunct too. With wired or wireless connections increasingly available, a netbook can be very useful. Just keep a copy of any important data on a memory card in your money-belt.

  • Re:SSH & SOCKS Proxy (Score:1, Interesting)

    by Anonymous Coward on Monday November 30, 2009 @03:59PM (#30273596)

    True, but UDP does not travel well over HTTP proxies, which you are likely to encounter as well. If you can go for linux, it's pretty easy to set up both though. Hint: set up an SSH server on port 443 (the SSL port) so that firewalls don't try and inspect the stream (since they expect it to be SSL, not SSH and you cannot do anything with the encrypted content anyways). My Dutch ISP did that - brilliant for creating secure connections from a company firewall (ooh, now I have to go anonymous, sorry).
