[vox-tech] Laptop WiFi Security

Rick Moen rick at linuxmafia.com
Tue Apr 25 11:14:48 PDT 2006


Quoting Bob Scofield (scofield at omsoft.com):

> If a person uses a WiFi connection at an airport, hotel, coffee house, etc. 
> clearly the connection is not encrypted.

At the level of IP transport, no.

When I have my laptop at such a place, I make sure anything
security-sensitive goes over an SSL-wrapped session (https, SMTP-TLS,
IMAP-SSL, whatever) or my SSH tunnel to my server at home --
encryption higher up the stack, implemented by me rather than someone
else's infrastructure.  There's no reason to trust the network.

> I have been told that if you use an open connection, someone can get 
> into your hard drive.  That is, a hacker could read your files.

Vague.

To discuss this fruitfully, one must discuss _process_.  The above
doesn't get into process at all:  This might be on account of the
speaker (the fellow you quoted, _not_ you) regarding all of this as
magic.

When I connect my laptop to a LAN -- even my own -- it doesn't have any
network daemons running, whatsoever.  (I occasionally double-check this,
by scanning it using nmap, from a test host.)  So, consider what an
attacker, trying to probe my machine, would see:  Just a TCP/IP stack, 
giving some signs of being based on a Linux kernel.  That's a pretty
darned hard target.  

Of course, the attacker is rather more likely to want to intercept and
misuse information going to and from my laptop, instead.  That's where
careful use of encryption comes in, plus my trait of not trusting the
local LAN, the local DNS, etc.  

> 1)  One computer professional told me that the solution to the problem
> is to have firewall software on your laptop. 

This is, in general terms, the "perimeter security" model, which has
strong appeal to people who don't want to think process.  ;->  I.e.,
build a wall around your machine, so you don't have to think about
threat models and vulnerabilities.  It's also known as the "hard shell
and soft centre" model -- and people who rely too much on the hard shell
are frequently unpleasantly surprised by various types of badness that
are out of scope for their "firewalls" (IP/port filters), against which
their filtering is simply ineffective, meaning the soft centre is
potentially toast.

A different idea:  Concentrate on not being vulnerable in the first
place.  See Marcus Ranum's "Six Dumbest Ideas in Computer Security"
essay, especially "#3) Penetrate and Patch":
http://www.ranum.com/security/computer_security/editorials/dumb/

> My first question is:  Is there a firewall package for Debian?

How many do you need?  ;->

See "Firewall Builders" on http://linuxmafia.com/kb/Security .
Substantively all of those are packaged in Debian.


> 2)  The second question is whether there is *any* merit in the
> following idea I thought of.  Suppose you had a laptop  that had a
> major Windows partition, and a major Linux partition on it.  Suppose
> you also put a second very small Linux partition on it.  The small
> Linux partition would be used exclusively for e-mail and web surfing
> at open WiFi connections.  
> 
> Fstab would be configured on the small partition so that the major
> Linux partition could *not* be mounted.

Not very feasible, really -- unless the major Linux partition uses
on-disk encryption, which introduces its own problems.

But I think this is trying to solve the wrong problem, fundamentally.

-- 
Cheers,
Rick Moen                                                    Habetis bona deum. 
rick at linuxmafia.com