Secure Access Points

[Joshua Simeon Narins]

I feel like working away from home today, or, if not today, soon, but it is kinda sensitive stuff. How can I, or any of you, trust a public access point here in the city?



-- fin

[Josh Narins]

Well, I found this, and I can use my own server, not Amazon (I don't trust them, why should I? I could work there, and I know me)...

http://drewsymo.com/how-to/ssh-tunneling-how-to-with-examples/

A bit of a hassle to constantly be changing Chrome preferences, but I think it might work.

On Mon, Sep 16, 2013 at 9:06 AM, Matthew Zito <ma...@crackpotideas.com> wrote:

VPN providers or ssh tunnels and an amazon EC2 instance are your friends in this case.  

Matt

On Mon, Sep 16, 2013 at 7:46 AM, Joshua Simeon Narins <josh....@gmail.com> wrote:

I feel like working away from home today, or, if not today, soon, but it is kinda sensitive stuff. How can I, or any of you, trust a public access point here in the city?



-- fin

--
You received this message because you are subscribed to the Google Groups "Reddit NYC" group.
To unsubscribe from this group and stop receiving emails from it, send an email to reddit-nyc+...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

[Matthew Zito]

VPN providers or ssh tunnels and an amazon EC2 instance are your friends in this case.  

Matt

On Mon, Sep 16, 2013 at 7:46 AM, Joshua Simeon Narins <josh....@gmail.com> wrote:

I feel like working away from home today, or, if not today, soon, but it is kinda sensitive stuff. How can I, or any of you, trust a public access point here in the city?



-- fin

[Ben Solwitz]

If your company doesn't provide vpn and you don't want to pay for it you could set up openvpn on a box there if you can get a port forwarded from outside. It's pretty easy to set up.

[Josh Narins]

I am my company, now.

I am the CEO of Mobehr Corporation. I'm also, currently, the lowest rank employee.

You can follow my exciting progress here: https://twitter.com/MobehrCorp

As for Matthew's earlier comment, my box is as secure as I can expect it to be, which is far more private than using someone else's cloud services, as I'm the only one with root, and my passwords tend to be very long (15+ characters) of pure noise.

[Matthew Zito]

Since the content is unencrypted once it hits your target machine, "your own" machine is unlikely to be any more secure than any other machine, especially if you're thinking of self-hosting.    Using Amazon at least has the virtue of having a virtual machine that is one of thousands identified by dynamic IP addresses and the like, where any one machine is unlikely to draw notice.

To your link, I wrote my own little app to automate the process, it's fairly straightforward.

Matt

[Pavel Lishin]

When he says "his own machine", I assume it's a machine that's at his physical house. Unless someone breaks in, using ssh tunneling should be as secure as anything else.

-P

[Jacob Shufro]

BUT NOTHING IS SECURE FROM THE PRYING EYES OF THE NSA.

ESPECIALLY NOT NOW THAT WE KNOW THEY BACKDOORED RSA AND SSL

[Matthew Zito]

I mean, this is dangerously close to descending into ridiculous "who's the better techie" arguments, but there's a lot of factors to consider:

- Physical security of the machine

- Access to hardware

- Resource isolation

- Network monitoring and security

- OS-level security 

A physical server colocated offers up:

- generally poor physical security, until the point at which you can justify your own floor of a facility or your own facility.  Cabinet locks are junk, raised floors are tailor made to be crawled under, social engineering can usually let you talk your way into a datacenter 

- Really good access to hardware - so you can control your components, that's a plus for certain applications.  

- Resource isolation - don't have to worry about anything else sharing hardware, that's a plus

- Network monitoring - generally terrible at colocated environments, unless you're going to set up your own hardware firewalls, IDS, and so on.  Most firewalling will be applied at an OS level.

- OS-level security - this is what you make of it.   Do you apply OS updates religiously?  Manage your firewall rules like an expert (i.e. without breaking useful things like PMTU)?  

An Amazon EC2 instance (or Linode, digital ocean, etc.) offers up:

- much better physical security.  They have a lot to lose if someone gets physical access to their machines, and are at the scale where they have security measures in place.  Plus, there's the challenge of even knowing which physical machine you're on

- Lousy access to hardware

- Lousy resource isolation, though the question is more about how much you trust technologies like Xen and KVM

- Network monitoring - vastly superior to a coloed machine, and it comes along for free

- OS-level security - external firewall rules are much better than OS-level, ability to snap-back my machine to a snapshot means that I can remove the risk of trojans stored locally, and I can still apply OS-level updates.

Again, it's about your fear.  Personally, I believe that an Amazon ec2 instance, one of literally millions, with the ability to roll back the entire OS to a known good state at any time, external firewall rules, outstanding physical security, with strong passwords is going to be way more secure than a standalone box wired into a rack in some random datacenter.

Matt

[Pavel Lishin]

Doesn't it all depend on what Josh is using it for? He just said he wanted a trusted connection. For that, a tunnel to an old Dell at home would suffice.

His twitter account does seem to imply that it's got something to do with medical data, so if he's storing that sort of thing, HIPPA regulations probably run to an inch thick about the proper way to do so. I'd be wary of just tossing it into the ol' butt-cloud.

-P

[Matthew Zito]

Sure, if he just wants a trusted connection, an old box at home would be fine.  His comment:

"Well, I found this, and I can use my own server, not Amazon (I don't trust them, why should I? I could work there, and I know me"

I took to mean he trusts *his* server, but not *amazon's* server, which seems odd to me if this is a "who's monitoring me" question, as once I VPN into my home, my ISP can immediately tag and analyze my traffic as if I were sitting at home (vs. being one of a million outbound connections from amazon).

That was my only point.  If he just is concerned about the server security, sure, go nuts, VPN into your home ISP connection.

[Jacob Shufro]

I'm the best techie, and I say that using hand-encrypted punchcards over sneakernet to establish a ssh tunnel into your home server is the only secure method.

Make sure the sneakernet is armed, though. With guns.

[Josh Narins]

The machine is co-located in Brooklyn.

Physical security at the data center is a joke, for social engineering reasons alone. At least it is video recorded, 24/7, and I doubt they'll let random people walk in with ski masks, so, worst comes to worst, I can prosecute. In addition, they would have unscrew the machine, take it out of the rack, open it, and drain the BIOS battery, to get anywhere, anyway.

As for firewall and OS security, I am content with what I've got. 

As for it being health data, I'm still just producing the demo. This is not a machine that will ever host production health data.

As for the NSA, what can one do? I'm more concerned about hacked access points in public.

I've worked in IT for a long time, but, with all my experience, at places like Bloomberg or Morgan Stanley, I never had to deal with VPNs except as a user.

[Pavel Lishin]

Punchcards? So susceptible to machine reading and analysis? Why not just hand the plaintext over to them on a DVD!? If you're not hand-writing your data (encrypted with pre-exchanged one-time pads, of course - it's flat out reckless to use anything else), I have nothing but pity for you. (Naturally, you shouldn't be using the English alphabet or Arabic numerals, either.)

-P