How to Browse Safely on a Public Computer?

One of the points that Edward Hasbrouck makes strongly in his book Practical Nomad: How to Travel Around the World is that it’s inherently dangerous to use a public computer (like in a library or Internet cafe) to do things like online banking.

Even if the activity over the network is secure — using a browser to connect to a secure banking website, for example — there’s no way of telling whether or not the computer itself is secure. For example, there could be something in place, installed by a earlier user, that logs all keystrokes to a file. So you naively type in your credit card or bank account number into a “secure” browser, but it’s also logged to a file where it’s later examined and used for nefarious purposes.

The same danger applies to anything you do with a browser that’s not public — checking your Hotmail, for example.

I’m wondering it others have tips and techniques that can mitigate this danger. I imagine, for example, that using a version of “Linux on a floppy” or “Linux on a CD” that you could use to reboot a public machine would go a large way towards averting things like keystroke logging. Any other suggestions?

This is of concern not only for nomads, of course, but for the large number of people for whom “Internet access” is “driving down to the local library.”

Comments

Ken's picture
Ken on August 26, 2004 - 14:51 Permalink

The public PC’s in Confed ctr library are locked down pretty tight with Win-NT.
On the other hand, Timothy’s cafe are the loosest ones in town! They are so very slow, and barely have the power to surf, that spyware would be just enough to grind them to a halt!

itil's picture
itil on August 26, 2004 - 17:20 Permalink

Ok, who said ‘locked down’ and windows NT in the same sentance!!! :O windows + security dont go in the same sentance my friend, try looking up some work arounds :)

_______________
Help Desk Software Consultant

Dale's picture
Dale on August 26, 2004 - 17:41 Permalink

Hey Peter, there is a great version of Linux called Knoppix for PowerPC computers (not sure about Intel hardware) that boots and runs off the CD-ROM, it includes a browser and lots of apps and utils. You can totally use this OS right from the CD and all settings are saved in RAM, if you carry this CD with you, you could just boot whatever machine you are sitting at with your CD and leave no trace of ever having been there. Pretty secure.

Peter Rukavina's picture
Peter Rukavina on August 26, 2004 - 17:57 Permalink

Dale, I downloaded Knoppix (for Intel) yesterday, and tried it out on a laptop here in the office. It takes about 5 minutes to boot up, and, because everything is coming from the CD-ROM, everything is a little sluggish, but it *does* perform as you describe, giving you your own OS, and storing everything in RAM. I suspect that the only way to defeat this approach would be to have some sort of hardware keystroke-logging device attached to a public computer. I’m going to take the Knoppix CD up to the CAP site at the Tech Center and see if it will run there.

Cody Swanson's picture
Cody Swanson on August 26, 2004 - 18:07 Permalink

I’m sure there are secure public terminals out there, they are with santa and the tooth fairy. :-) Seriously though, any computer that’s available to the public should be considered totally insecure, especially ones running windows.

The best way to have a secure public terminal is to use a thin client that net-boots LTSP or FreeBSD from a read-only TFTP or NFS server. Configure a ram drive on the thin device for temporary files used by the running software (Browser cache etc) and ensure the user has minimal access to SUID binaries etc. Use a minimalist window manager (or none at all) and only provide access to a few programs like firefox and open office. Of course a setup like this also has advantages like low per seat cost (~$500 per seat), low maintenance, and the ability to control hundreds of seats from one central server. Instead of patching 200 machines you patch 1 and reboot them all.

While this configuration isn’t completely impervious it

Peter Rukavina's picture
Peter Rukavina on August 26, 2004 - 18:52 Permalink

Much to my surprise, the PCs at the Atlantic Tech Centre are locked down, so you can’t use CD-ROMs or floppies in them. While this does probably increase security — if you can’t do it, other’s can’t — it does limit ones ability to take responsibility for their own security.

John Jung's picture
John Jung on August 26, 2004 - 21:21 Permalink

No suggestions — just a comment…

I worked as a librarian for a while at a public library here in Ontario. I was once asked by a patron if it was safe to file his taxes online — I wasn’t sure so I asked my higher-ups. They scoffed and suggested the patron was an idiot for even thinking of doing such a thing.

That sort of attitude really irked me. As Peter suggests, not everyone has the luxury of home access to the Internet.

I never was able to answer the patron’s question.