Security The Internet

LiveCD for Secure Web Browsing?

An anonymous reader asks: "Say you want to do your online Internet banking on your home PC, with a bank that lets you send actual money to complete strangers online, and you want to be really, really sure that some hacker isn't stealing your password or your money or both. You don't fully trust Windows, despite your best efforts to keep it secure, and you know that no OS installed on a hard disk is guaranteed secure or immune to root-kits and the like. You know enough about computer security to know that you are always just one careless mouse click or one security hole away from being screwed. You've read the advice from your bank, which says 'turn up' your security settings (whatever that means), and don't click on 'unknown' links (ever). So what you really need is a bootable CD with software so simple and stripped down that it lets you browse the web and nothing else. The nearest I can think of is one of the Linux mini-LiveCD's with Mozilla or some other browser included, such as Damn Small Linux, or ByzantineOS. Such a system shouldn't even know how to speak to your hard drives. Do Slashdot readers know of anything like this?"
  • You're insane (Score:1, Interesting)

    by cookiepus ( 154655 )
    Seriously, there's such a thing as an overabundance of caution.

    How many condoms do you wear during sex? Wait, let me guess, you don't even go into a room with anyone who's ever had sex.

    You can't live your life like that.
  • Enough... (Score:5, Funny)

    by NemosomeN ( 670035 ) on Monday July 12, 2004 @09:06PM (#9681870) Journal
    Just using Knoppix/DSL should be enough, you don't have to worry about the CD being able to access the harddrive. Just use a base Mozilla with no extensions or whatever, and type in your bank's URL manually and don't do anything else. That should make you 99.99999% safe, excepting the .00001% chance God and Jesus hate you and are conspiring to ruin your life. Good luck.
  • by cbr2702 ( 750255 ) on Monday July 12, 2004 @09:13PM (#9681923) Homepage
    Knoppix with Mozilla ought to be fine for the software end of things, but the hardware could be compromised too. Someone could have a hardware keylogger such as the KeyKatcher [thinkgeek.com]. Building your own computer from scratch is the only way to really be sure. And by "from scratch" I mean from the raw ore.
    • by Asgard ( 60200 )
      True, but it is a lot harder to install a $89 hardware dongle on a lot of machines than it is to infect them with malware.
    • My bank offers a mouse based interface for the truly paranoid (even though they use a one-time transaction authentication number or TAN) in addition to the password. You can either type the TAN code or you may use a mouse to click on numbers to enter it.
      • I don't see why someone couldn't make a KeyKatcher-like device that would record both mouse and keyboard events. To combat this, they could have you enter your numbers in a calculator that darts all over the screen...
        • A mouse is harder to track because if you use an external logger, it would be a problem to work out where the mouse is relative to the window.
        • To combat this, they could have you enter your numbers in a calculator that darts all over the screen...
          I think I've seen that, but it's usually a monkey jumping around at the top of the window. I had the hardest time entering my password that way.
    • Someone could have built a trapdoor into the electroweak field when the universe was designed, so that every time someone builds a computer from raw ore, it inserts a dongle on the imaginary axis.
    • Bear in mind that there are no keyloggers for USB. Plug in a Mac keyboard or other USB device.
      • While no USB keyloggers appear to be available online, that does not mean they do not exist. They should not be very complicated to make. An on-screen keyboard is still more secure. Alternatively one could type the letters out of order, and then use the mouse to rearrange them.
    • Someone could have a hardware keylogger

      Just install the required unames and passwords into the autofill data for the browser and put the sites into your bookmarks before you burn the CD. The key logger is unlikely to see much that's interesting.

      If you are afraid of losing the CD and having whomever finds it figure out how to use it, just use the bookmarks part. It's unlikely that someone will be able to connect a keylogged uname and password with the correct bank name (especially if you click on the pas

  • by ag3n7 ( 442539 ) on Monday July 12, 2004 @09:17PM (#9681946)
    Just run an old version of BeOS!

    No one writes Malware for BeOS!
  • Paranoid (Score:5, Funny)

    by Finuvir ( 596566 ) <rparle.soylentred@net> on Monday July 12, 2004 @09:18PM (#9681950) Homepage
    Wow, that's paranoid. What kind of transactions are you planning? Transfer of $28,000,000.00 to Farouk Bello, Executive Director of the Comercial Bank of Africa (Nigerian division)?
  • I honestly don't understand the problem here. You answered your own question, use a live cd. There are plenty of live cd's out, pick one and go with it. If you're using dialup, then use a meta-live-cd-distro to roll your own live cd that includes drivers for your modem. You'll never be 100% secure. Even if you use a live cd and keep your side 100% secure (impossible) then what about on the other end?
  • Well... (Score:3, Insightful)

    by ReverendRyan ( 582497 ) on Monday July 12, 2004 @09:31PM (#9682038) Homepage
    If you're really that worried about it, why not just drive to the nearest branch? Even then it's not 100% secure, because the teller is still using a computer connected to the bank's network, which is in turn connected to the internet (even if not directly).

    Knoppix should be enough for what you're talking about, tho.
  • by philntc ( 735836 ) <info@[...]loosystems.com_water_in_gap> on Monday July 12, 2004 @09:33PM (#9682053) Journal
    Nicholas Brand (who I believe has posted here before) has compiled a great looking List of Live CDs [frozentech.com].

    Looks like they are even categorized quite extensively too. You should find at least something to ease your paranoia. But if you don't, you can make your own with Morphix [morphix.org], which is sort of a customizable Knoppix, and even has a how-to for something similar to what you want.
  • It's admirable that you would know enough to avoid using windows / I.E. when trying to have secure transactions over the web. However, running any flavor of Linux is enough to guarantee a realistic amount of security. The .00000001% chance that someone is going to root your Knoppix distro is far smaller than the .000001% chance that someone has rooted the router at your ISP and is now rerouting all traffic from your bank site through their man in the middle. It's far less than the .01% chance that someon
    • it is far more difficult to root an ISP than it is to tap a phone line...

      That depends on the ISP. I would guess that in general most local ISPs are much easier to root than it is to tap a phone line. Especially if they are a Windows house.

      On a side note, I worked at a local ISP that accepted money to allow a third party to install traffic sniffers on all of the modem pools, and gave them access to our customer database so they could link the web traffic to particular home addresses (apparently it was
      • I didn't mean to insinuate that it is difficult to take over an ISP (ours had a server owned about once every four months, and we weren't a windows shop), but rather how easy it is [totse.com] to tap [howstuffworks.com], as well as otherwise modify [totse.com], a phone line. As Mitnick proved, it's easier to convince the phone company to switch a line or add a tap for you than it is to do the legwork yourself.
    • If you really want security, I recommend Emacs on a Lisp Machine
  • by WoTG ( 610710 ) on Monday July 12, 2004 @09:40PM (#9682105) Homepage Journal
    Personally, I could get by with a standard Knoppix CD if I really felt I needed the extra security for web browsing. So could the majority of slashdotters. But Knoppix would be a little tricky for the non-Linux user. So, I thought that a totally automated LiveCD for secure web browsing would be great for the average computer user - the very users who most frequently have spyware on their systems.

    As I thought about the idea, I came up with a few major complications:

    Many people are still on dialup or have weird login processes to get internet access - not the simple DHCP that I have at home and work. Most modems are of the "winmodem" variety, PPPoE is often a mystery even in Windows, and let's not forget AOL's proprietaryness.

    Then I thought about printers. Invariably, you'll want a hard copy of some sort of banking transaction. That should prove to be lots of fun to get working. Unfortunately, most folks don't have Postscript printers at home, and text mode won't cut it. So printer drivers and settings will be an issue.

    Assuming you could step the average user through the two biggest troublespots above (and assuming there are NO other problems, yeah right) using a LiveCD without saving the configuration somewhere would become tiresome very quickly. So, some local storage would be required, i.e. hard drive, USB drive, or perhaps a floppy. So, saving configuration information somewhere should prove to be even more fun for Linux newbies.

    Some other things to consider: access to email (if you're not using webmail), the time to cycle between Linux and Windows (LiveCD's are "fast" when you're in a jam, but I wouldn't want to boot one everyday just to spend 10 minutes on my Bank's website!), web browser compatibility (depends on the bank), Personal Finance Software (what's the point in all this if Quicken or MS Money is going to connect through a suspect Windows installation anyways?).

    In the end, I just didn't see any easy way for the average computer user to have access to something like this - at least not until internet connection technologies get a lot more standardized or someone is willing to do a LOT of work on the Linux distribution side. I became disenchanted with the idea and forgot about it... until this Ask Slashdot. Well, that's my CAD 0.02 - it's a good question/idea, and I hope that someone else has a more positive answer.
  • Check the hardware (Score:3, Insightful)

    by Isao ( 153092 ) on Monday July 12, 2004 @09:42PM (#9682117)
    No matter the distro you choose for performing your transaction, check the hardware before you do anything on it.

    A keystroke logger could easily be wired in, or simply plugged in the back... waiting for you to enter your credentials.

    If you can't trust the computing platform, all bets are off.

  • While perhaps not ideal for taking to your parents house, I recently went through the steps necessary to boot puppy linux entirely from PXE. So far it is the only linux distro I have found that can do this (and load X). Very nice, but still needs some more polish.

    Check it out. It has bootable CD and Compact Flash versions.
  • by TheLink ( 130905 ) on Monday July 12, 2004 @10:38PM (#9682461) Journal
    if you're worried about your money, then securing your money is the main thing. Securing the computer is useful, but there are numerous other things involved. The people holding your money are usually the banks and other financial institutions. Their online banking apps and _processes_ may not be that secure (cross site scripting attacks etc)- since most are quite new to it and haven't been burnt enough yet. Plus depending on your setup you may be reliant on your ISP to provide you the right IP address for your online banking site (and the dns traffic has to be untampered with). If you somehow get the wrong IP address you could be screwed too- unless you connect directly to the site using https and check the certs (that's assuming you ALWAYS make sure the fingerprints are the same and don't transact if fingerprints change, OR you trust the CA to NEVER incorrectly issue certs to the wrong parties - verisign has screwed up before with an MS cert).

    Because of that and so many other issues, if you are really worried about your money, try to get your bank to not allow online transfers, or only to selected accounts - e.g. to the bank account you use for credit card payment. If the bank doesn't allow that, then do you feel your money is safe in that bank? If no, then change banks- or keep the bulk of your money in a safer bank and transfer money from the unsafe one to the safer one. You can often also get the bank to limit the amount transferred per day.

    For online payment (and offline where reasonable) pay everyone else using your credit card. That way if anything goes wrong, at least it's not _your_money_ that's gone - it's the card issuer's money that's gone or the Merchant's (or some other party, just not you!) - in which case while you're going through all the legal processes to fix things, you still have money to live on, and the pressure is on the OTHER parties involved to get things fixed, you can actually be a bit more passive. In contrast, if it's your money that's gone, often the rest could be sitting around whilst you'd be the one burning up the phone lines trying to fix things.

    In conclusion, allowing money to be transferred online from your account to random parties is quite insecure even if it's with your permission, and even if it's your own hardware and software, coz unlike ATM transfers, you and the bank are _unlikely_ to control everything else involved in the transaction. Plus the devices involved often do other things as well.

    I have checked out a bank's online app before (with their permission as part of a job) and I found I could cancel other people's cheques without their permission, fortunately money transfers somehow didn't work - some other control was probably stopping it. I also found SQL injection in another bank's online app.

    There are bound to be flaws in banking apps. Previously this wasn't such a problem because the only people using the banking apps were the bank's staff who had to be trusted significantly anyway.
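The fingerprint check mentioned in the comment above ("don't transact if fingerprints change"), as an added example that is not part of the original thread. The host name `bank.example`, the function names and the certificate bytes are constructed for illustration; on a LiveCD the pin table would be burned onto the disc after verifying the fingerprint with the bank out of band.

```python
import hashlib
import hmac
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pin(pins: dict, host: str, der_cert: bytes) -> str:
    """Compare a presented certificate against the pinned fingerprint.

    Returns 'first-seen' (pin recorded, not yet verified), 'match' or
    'changed'. An existing pin is never overwritten automatically.
    """
    seen = fingerprint(der_cert)
    pinned = pins.get(host)
    if pinned is None:
        pins[host] = seen
        return "first-seen"
    return "match" if hmac.compare_digest(pinned, seen) else "changed"


def may_transact(pins: dict, host: str, der_cert: bytes) -> bool:
    """Only a certificate matching an existing pin is good enough to bank on."""
    return check_pin(pins, host, der_cert) == "match"


def fetch_der(host: str, port: int = 443) -> bytes:
    """Live use: fetch the server's leaf certificate (no chain validation here)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates so the demo runs offline.
    cert_a = b"constructed-certificate-A"
    cert_b = b"constructed-certificate-B"
    pins = {}
    print(check_pin(pins, "bank.example", cert_a))     # first visit
    print(may_transact(pins, "bank.example", cert_a))  # same certificate
    print(may_transact(pins, "bank.example", cert_b))  # different certificate
```

A legitimate certificate renewal also shows up as `changed`, so the new fingerprint has to be confirmed through a separate channel before the pin is replaced.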
  • by Anonymous Coward
    Security minded live distro. Phlak. [phlak.org]
  • floppy vs. Other? (Score:1, Informative)

    by alexdm ( 728255 )
    If it can't fit on a floppy(50mb,8mb..2mb etc), you might as well just use a live cd which is normally fully loaded.

    Because if you have to boot from any media except a floppy, chances of you having to get into the bios and set the boot devices are high. So while you are at it, might as well get a full supported, fully loaded media right?

    As for floppy sized distros, the only thing that comes to mind, is tomsroot [toms.net]

  • by Teraiten ( 171892 ) <<teraiten> <at> <yahoo.com>> on Tuesday July 13, 2004 @05:07AM (#9683961) Homepage
    So you've got yourself a secure solution for online banking with the liveCD, and then your banking website tells you you need IE otherwise you can't continue. (And you really can't)

    Interesting as some banks and companies [theregister.co.uk] want their clients to connect insecurely, no other options available.
    • Switch banks if it means that much. If I was able to use my particular bank's (one of the megabanks) online banking service comfortably with IE, Mozilla and Lynx for Pete's sake, then *nobody* has an excuse to make a browser-specific interface.
  • I've been working on some ideas along parallel lines for some while - making a "computer on a disk" (live CD) so that I can take my environment, apps and preferences and data, anywhere I go. But one of the complications I'm anticipating is finding places which will let me use it! A cyber-cafe or a Kinko's would be stupid to let anyone come in and boot off their own CD (how many of them know what a "Live CD" is?), so you may be forced to resort to computers owned by friends - which is OK, if you only travel
