Bad Consumer Security Advice

There are lots of articles out there telling people how to better secure their computers and online accounts. While I agree with some of it, this article contains some particularly bad advice:

1. Never, ever, ever use public (unsecured) Wi-Fi such as the Wi-Fi in a café, hotel or airport. To remain anonymous and secure on the Internet, invest in a Virtual Private Network account, but remember, the bad guys are very smart, so by the time this column runs, they may have figured out a way to hack into a VPN.

I get that unsecured Wi-Fi is a risk, but does anyone actually follow this advice? I think twice about accessing my online bank account from a public Wi-Fi network, and I do use a VPN regularly. But I can't imagine offering this as advice to the general public.

2. If you or someone you know is 18 or older, you need to create a Social Security online account. Today! Go to www.SSA.gov.

This is actually good advice. Brian Krebs calls it planting a flag, and it's basically claiming your own identity before some fraudster does it for you. But why limit it to the Social Security Administration? Do it for the IRS and the USPS. And while you're at it, do it for your mobile phone provider and your Internet service provider.

3. Add multifactor verifications to ALL online accounts offering this additional layer of protection, including mobile and cable accounts. (Note: Have the codes sent to your email, as SIM card "swapping" is becoming a huge, and thus far unstoppable, security problem.)

Yes. Two-factor authentication is important, and I use it on some of my more important online accounts. But I don't have it installed on everything. And I'm not sure why having the codes sent to your e-mail helps defend against SIM-card swapping; I'm sure you get your e-mail on your phone like everyone else. (Here's some better advice about that.)

4. Create hard-to-crack 12-character passwords. NOT your mother's maiden name, not the last four digits of your Social Security number, not your birthday and not your address. Whenever possible, use a "pass-phrase" as your answer to account security questions, such as "Youllneverguessmybrotherinlawsmiddlename."

I'm a big fan of random impossible-to-remember passwords, and nonsense answers to secret questions. It would be great if she suggested a password manager to remember them all.

5. Avoid the temptation to use the same user name and password for every account. Whenever possible, change your passwords every six months.

Yes to the first part. No, no no -- a thousand times no -- to the second.

6. To prevent "new account fraud" (i.e., someone trying to open an account using your date of birth and Social Security number), place a security freeze on all three national credit bureaus (Equifax, Experian and TransUnion). There is no charge for this service.

I am a fan of security freezes.

7. Never plug your devices (mobile phone, tablet and/or laptop) into an electrical outlet in an airport. Doing so will make you more susceptible to being hacked. Instead, travel with an external battery charger to keep your devices charged.

Seriously? Yes, I've read the articles about hacked charging stations, but I wouldn't think twice about using a wall jack at an airport. If you're really worried, buy a USB condom.

Posted on December 4, 2018 at 6:28 AM • 74 Comments

Comments

Winter • December 4, 2018 6:54 AM

"but I wouldn't think twice about using a wall jack at an airport."

I would like to know whether it is possible to hack your *gadget* through a (110/220V) power wall-socket and your own charger?

"Possible" as in proven or theoretical or anything in between.

Mike Scott • December 4, 2018 7:41 AM

I get my email on my phone, but SIM swapping won’t let the attacker get my email, only my SMS messages. That’s why email is a better way to receive 2FA codes than SMS, if (and this is a big if) your email account is properly secured, with 2FA where the second factor uses neither email nor SMS.

Brian • December 4, 2018 7:42 AM

Well, what’s a hack?

Let’s say you’ve been plugged in a while and so are fully charged. An adversary who can fully manage your network traffic might get some advantage from also seeing your moment by moment power draw.

Jordan • December 4, 2018 8:00 AM

Why is unsecured WiFi a risk?

You're using TLS end to end, right? Why isn't that enough?

If TLS isn't enough, why aren't you worried about the guys who maintain all of the routers between you and your destination, who all have access to your traffic without any WiFi-based security?

Gerhard Poul • December 4, 2018 8:03 AM

Password managers and especially generating random passwords are a great idea, although not always very easy to do in all cases. (e.g. if you have mobile apps where you often need to enter said long random password)

But can someone explain to me why public Wi-Fi is the great danger and everyone should use VPN? Why isn't the current move to making everything through TLS sufficient? I guess because of DNS being spoofable or browser zero-day exploits? Especially if I control the endpoint and know there are no weird CA certs in my browser, what's the big risk of public WiFi that a VPN would solve?

Steven J • December 4, 2018 8:06 AM

Tech fearful humans like absolute answers.
Security experts live in this space of risk mitigation, do at least as much as reasonable. Explaining that to normal people often doesn't work so "always" and "never" are the easy way out.

If you live in Cancun Mexico, NEVER use the ATMs that your Mother, a native of the area, says is safe. See how that works? Cancun is overrun with ATMs controlled by crime organizations according to Brian Krebs.

12 random characters for a password? Since we all use password managers, make them 40+ random characters. It isn't like anyone will be typing them in. If I'm going to type it, 20+ characters is my rule of thumb. I believe there is no substitute for length, everything else being equal.

I carry a USB charger with me when travelling that can last 3 days of phone use.

No email on my phone. I don't consider phones secure enough for email use. I have over 100 email aliases which are used for different online logins. Low value logins use a shared email. If there is money involved in any way, a unique email address is used for that site. This would be hard for most people.

VPN use is something I use about 90% of the time on Android, but for my travel Linux system, I tend to use ssh tunnels/proxies and a browser running on a file system overlay that is purged at browser close.

I'd never use Windows online for general use. Couldn't imagine travelling with Windows on a laptop.

After being hacked through bluetooth at a security conference, I disable bluetooth before leaving the house and keep it off. It seems the entire world refuses to talk about how poor the security of BT is.

And I'm amazed that people think putting their passwords into the cloud is a good idea. That fails every "smell test" I have. Don't put things you want secret into any cloud service.

Iggy • December 4, 2018 8:07 AM

Use the SSA website to sign up? What? No. No, no, no. For especially this, go in person or use USPS. Seriously. The SSA website might be well secured but what about your end (or ends)? Do not get a SSN for your child. That used to be a thing, but considering how creative ID thieves have gotten, no longer a safe idea. If you want to be the next wave of humans whose SSN is *not* readily available to theft and sale on the dark web, do not share any part of it with anyone not the SSA, your employer or, unfortunately, the bank. It's unfortunate because banks are very careless with customer account security. They just don't care, because, FDIC. No, not even the last four digits. Make your bank put a password on your account and make them ask for it. Otherwise, the poorly trained clerk on the phone will ask for the last four automatically and anyone can give him that.

Phaete • December 4, 2018 8:09 AM

@Bruce

Did you read the last sentence, who the article is attributed to?

Marla Ottenstein is a professional organizer in Naples, Florida, who offers expert residential and corporate professional organizing services.

Her tagline:

Professional Organizer Florida has the expertise, skills and compassion to help you do the things you can't, won't or don't want to do yourself.

I am unable to express my opinion about this without a lethal overdose of sarcasm.

Weather • December 4, 2018 8:13 AM

Gerard
There are a lot of attack methods on http: cookie/password replay, syn/ack hijacking, open ports on the computer, DDNS changing, sensitive information, fake AP (stronger signal next time in range, autoconnect), maybe more.

Steven J • December 4, 2018 8:22 AM

@Iggy - if you don't have a SSN, then you cannot deduct the child from your taxes as a dependent.
In the USA, good luck getting health insurance care without providing a SSN. Or a home phone or CATV service or car loan or credit card.

I don't disagree. When I visit different doctors, I write "on-file" in the SSN area. It just isn't in their files. ;)

Wael • December 4, 2018 8:35 AM

@Bruce,

Yes to the first part. No, no no -- a thousand times no -- to the second (Whenever possible, change your passwords every six months.)

I have not seen a single objective justification to that. I've seen some heuristic arguments, but nothing concrete. My comments on the topic were here, here, and here.

Seriously? Yes, I've read the articles about hacked charging stations, but I wouldn't think twice about using a wall jack at an airport. If you're really worried, buy a USB condom.

I'll leave comments on this one for another time.

Weather • December 4, 2018 8:48 AM

Sorry @mod
Once you have MITM you can use sslstrip, or write your own, to read hijacked https if the user accepts self-signed certs.

David H • December 4, 2018 9:13 AM

@Steven J,

I enjoyed your first post. I'm quite a few steps behind your security posture but want to get there, slowly and steadily. If you're willing, can you share some (any) details on your setup?

I have over 100 email aliases which are used for different online logins. Low value logins use a shared email. If there is money involved in any way, a unique email address is used for that site. This would be hard for most people.
I've read of different ways of doing this, from using a free Gmail account (say, example@gmail.com) and doing example+citi@gmail.com example+fidelity@gmail.com, etc. I've also read a much better way of buying a domain and setting up legitimate e-mail aliases, so citi@mydomain.com, fidelity@mydomain.com, etc.


but for my travel Linux system, I tend to use ssh tunnels/proxies and a browser running on a file system overlay that is purged at browser close.

Fascinating. Can you spare any more details?


After being hacked through bluetooth at a security conference, I disable bluetooth before leaving the house and keep it off. It seems the entire world refuses to talk about how poor the security of BT is.

I've read of several legacy and maybe current attacks on Bluetooth but admit I'm quite rusty. I have BT disabled at all times anyways and have the Tasker app on Android only enable it when certain apps launch (or other triggers), then automatically disable. Would you be willing to share how you were hacked through Bluetooth at a sec conference?


And I'm amazed that people think putting their passwords into the cloud is a good idea. That fails every "smell test" I have. Don't put things you want secret into any cloud service.

Eh, not horrible for the layman. I've recommended commercial providers like LastPass to friends, but I use KeePass personally and have more control over where the .kdbx database file is physically stored. I'm considering syncing this file in Google Drive or SpiderOak or Nextcloud or [wherever] but haven't done so yet. I realize that an attacker can potentially get to this file and attack it offline at their own convenience. But as long as the crypto is solid and the password is strong, what's the harm? What's your current practice? I'd like to sync the password database between personal phones, tablets, desktops, and laptops and maybe use a cloud solution as the conduit. Either that or use Syncthing or something.

Warren • December 4, 2018 9:24 AM

Given all the issues USPS has had with Informed Delivery, API access, etc ... I think I'd recommend you *not* setup an account there :|

CallMeLateForSupper • December 4, 2018 9:24 AM

"4. Create hard-to-crack 12-character passwords. NOT your mother's maiden name, not the last four digits of your Social Security number, not your birthday and not your address. Whenever possible, use a "pass-phrase" as your answer to account security questions, such as 'Youllneverguessmybrotherinlawsmiddlename.'"

Hard-to-crack + 12-character is an oxymoron. Worse, the term "password" should be relegated to the dust bin and replaced with "passphrase". While the author eventually reaches that point of enlightenment, in her very next breath she relinquishes most of a passphrase's potential security by suggesting one that 1) contains no punctuation/special characters, 2) contains no uppercase characters, and 3) uses only common words, all of which are spelled *correctly*, (Which is to say, it is a perfect set-up for a dictionary attack.)


"5. Avoid the temptation to use the same user name and password for every account."

This wording can mean
1) It is alright to reuse a pass[phrase], so long as it's not paired with an already-used username.
2) It is alright to reuse a username, so long as it's not paired with an already-used pass[phrase].

I suggest this rule instead: Never re-use a username; never re-use a passphrase.


@Bruce did a nice job on the charging issue, so 'nuf said.

nycman • December 4, 2018 9:51 AM

Have seen many security articles that say unsecured public wifi = bad. Never seen a thorough technical explanation as to why. Is the SSL on your banking site insufficient? Is there a worry that apps aren't implementing encryption properly? Which apps and versions? Is the risk that you're revealing which sites you're visiting? Or are you revealing your passwords or something else? Legit questions because I haven't seen the risk quantified in any security article.

#7 should refer to usb outlets, not electrical outlets. A misconfigured/vulnerable phone could expose your pictures or entire storage, even if encrypted, if you plug a usb cable into it. You don't know what's on the other side of that data cable.

me • December 4, 2018 9:51 AM

@Jordan
Unsecured wifi is not a risk if you use TLS; the point is that not 100% of websites support that.

I think that "unsecured public wifi = danger" is mostly a stupid thing.
Also "use VPN" is useless: it just moves the problem to another place, it doesn't solve the problem.
TLS solves the problem!

The only logical part is that anyone with a computer can mess with wifi, but having access to an ISP network is not as easy.
That's why using a home connection is safer: not because of wifi encryption (that ends at the router, about 2 meters away, compared to the 9000 km that your data travel), but because fewer people have the capability to mess with an ISP network.
It's like moving money from home to the bank in an insecure car but using a road with a low crime rate (home wifi).
It doesn't improve security but decreases risk.

Anyway, I think that the security of a computer should not depend on the network it is attached to.
I think I'm "stealing" Schneier's words from an old article (but I'm not sure).

me • December 4, 2018 10:00 AM

@Gerhard Poul
>Why isn't the current move to making everything through TLS sufficient

It is sufficient, if you don't ignore potential browser warnings about an invalid certificate.

It's not about security: http is insecure both over wifi and over VPN (you just move the problem).
In the same way, https is secure over both channels.
The difference is risk: probably many wifi networks are subject to attacks by random people because they are cheap to attack: just get a PC.
While for the VPN, if the provider is legit, it is more difficult to attack because you have to attack the ISP network that gives the connection to the VPN provider.

So if you use a VPN you can "skip" the wifi part where most of the attacks occur.

Anyway, I don't use a VPN, and I don't have any problems using public wifi.
I use a VPN only if the public wifi has some kind of captive portal that tries to intercept https connections too, or I can't reach a website over the public wifi because it is blocked for some reason.

https://gist.github.com/joepie91/5a9909939e6ce7d09e29

I keep hearing this "wifi dangerous/VPN safe" and I think it is meaningless.

Denton Scratch • December 4, 2018 10:01 AM

@Gerhard Poul and others:

Indeed, password managers are a cool thing. I use Bruce's passwordSafe. But I need to be able to use my passwords from anywhere: third floor, ground floor, office, friend's house.

So I store the password repository on a USB stick (along with the portable version of the code). Simples! But actually I have been trying to reduce the amount of clutter filling up my manbag, so I generally leave the stick plugged into one machine.

Also - it so happens that most of the computers I use are low-power devices running command-line Linux (and no GUI).

What would be cool (for me) would be a password manager that (a) runs on a server that can be interrogated over the network, (b) only works for me (i.e. passphrase, I guess; I don't carry my phone, and don't want to use an app, and I've never thought bio-id was a good idea). I'd use a USB id-stick such as Yubikey; but I haven't convinced myself that Yubikey is sound. I own a FSF (GPG) privacy key; I believe this device is pretty sound, but it's the devil to use (and I only correspond with one other person that owns one - and we don't generally exchange secrets).

There's a password manager that runs on Linux command line; it's called Pass (bad name choice - Google will lose it among a mass of dross). It would be easy to give it a GUI, and it wouldn't be that hard to make it network-capable. Pass looks pretty good to me.

Ann Ominous • December 4, 2018 10:03 AM

As tempting as it is to say "never re-use a username", there's no getting around it for social media and for other situations where other users need to identify both accounts with the same entity.

me • December 4, 2018 10:11 AM

@Weather
The same attacks can be carried out also if you use a VPN or any kind of tunneling. The only way to stop them is to encrypt from the source to the end, using https/TLS.

@Jordan @Gerhard Poul
The "wifi is dangerous" thing is designed to be a simple thing that anyone understands, exactly like "look for the lock icon, if it's there the site is legit/safe".
But that was never the case: the https meaning was never "the site is legit" but "the connection is protected".
The point is that not all people understand what you said:
- I control the endpoint
- there is no fake CA root
- I don't ignore the warnings

Most people, when they see an invalid cert warning, read only "I'm the useless error preventing you from seeing the site that you want to see, click ignore to open the site".
So the simplest thing is to tell them "just don't use wifi".
But I find this so wrong, because you teach wrong things to people, and there will be a point where attacks will be common also in different locations and the whole thing becomes meaningless/dangerous.
In the same way it happened with "look for the lock icon" after Let's Encrypt.
We are seeing BGP hijacking to do ad fraud and to steal bitcoins, so we should stop immediately pretending that it's only wifi and that people will not understand. We shouldn't fix the user, but we might remove the ignore button, or make it in simpler words with a delay before the button becomes clickable.

Weather • December 4, 2018 10:41 AM

@me
VPNs help a little, but if you as an attacker can set up an AP the same as the legit one, and then forward it over another link, open, listening, closed, and key-needed ports can still be accessed.

The four types can all be attacked from easy to very hard

deanishe • December 4, 2018 10:48 AM

> I get that unsecured Wi-Fi is a risk, but does anyone actually follow this advice?

Yeah, for convenience and privacy. Many of the corp networks I've used block random stuff, like SMTP or IMAP or the App Store.

I have an algo VPN box, which comes with a config profile that makes my iPhone connect to the VPN whenever it's not on my home network, so I don't have to worry about the whims of network administrators.

It also comes with DNS-based ad-blocking, which, imo, is reason enough in itself to use the VPN.

Hope iOS gets Wireguard support soon.

Clive Robinson • December 4, 2018 11:14 AM

@ Bruce,

    Seriously? Yes, I've read the articles about hacked charging stations, but I wouldn't think twice about using a wall jack at an airport. If you're really worried, buy a USB condom.

It all turns on what people mean about "charging".

There are three basic ways these days you can find in public places,

1, Low Frequency Mains AC Power.
2, DC charge --USB and other-- point.
3, High Frequency inductive loop charge point.

All three can not only carry power to your device but communications as well.

In general low frequency AC power "did not" have comms on it, but that is changing very fast as utilities get into comms. So whilst it might only be X10 and other home control currently, with nothing built in at the computer currently, that is set to change (possibly ;-) if for no other reason than IoT blocking WiFi.

As for many modern DC supplies, sending data comms down the line is quite normal, though you might not see it. Those pre-IoT CCTV cameras, the head end of satellite TV dishes and much else besides. The idea of power over communications such as PoE and USB is a little newer but is happening; the important point is your device has built-in comms to the CPU. USB appears to be the current "common denominator" and, as it's considered "safe" from an electrocution perspective, is popping up on "trains, planes and automobiles" as well as street furniture like benches. Thus it would be wise not just to have a "data condom" but over-voltage protection as well (remember the "USB of Doom" "USB-Killer"[1] device).

The latest power by wireless / induction is still an unknown, but RFID devices have used the technology for years and data comms comes built in...

@ ALL,

One issue of using not just WiFi but any network is your location can be tracked and, more importantly, your data packets tagged by the network you are connecting to.

Some VPNs supposedly not only remove the location information, but also strip off the data tracking tags.

[1] https://arstechnica.com/information-technology/2015/10/usb-killer-flash-drive-can-fry-your-computers-innards-in-seconds/

Weather • December 4, 2018 11:19 AM

An AP with a VLAN for data and a 255.255.255.254 netmask, and a landing page with a random 4-digit PIN in case the network drops out. Ideally each connection should somehow have unique WPA2, for the air.

Wael • December 4, 2018 11:28 AM

These are some events that made me change my password and my username: for the sake of example, not exhaustion:

  1. Logged in to one of my accounts from a hotel in a country that was reported to hack into systems.
  2. Had a feeling someone was observing me typing a username / passphrase / PIN, or there was a camera somewhere
  3. Created a Cryptocurrency trade account, and was asked in the process to validate my username / password of my bank-account to link - no other option was given: no oAuth, no bank-hosted iFrame, etc... (are you kidding me!) I created the account and immediately changed my pass phrase and my username.
  4. Had indications there was screen-scraping going on...
  5. Forced to allow JavaScript, need to use web browser extensions, etc...
  6. ...

I didn't necessarily find out that my credentials were compromised. But I view the actions I took as the proper thing to do. There were some situations where a change of a password / username is warranted, in my view. Of course in the corporate world, we have to comply or we lose access.

To make a broad statement that passwords / passphrase should not be changed unless there are indications of compromise is not a good advice. I did not cover scenarios where some of the above occurs at a time when the soon to be victim did not realize they took place. Furthermore, we can't claim with any degree of confidence that our credentials have not been compromised. Sometimes we'll detect it; sometimes we may not.

This is my heuristic argument. Still not conclusive, but I believe I presented a good defense of my stance.

Matt Newman • December 4, 2018 11:40 AM

No, no no -- a thousand times no -- to the second.

I understand that mandated password expiration isn't helpful, but I use a password manager and reset ~ 5% of my older passwords every month.

I'm running on the assumption that some services I use will be compromised, and some of them will have done something dodgy like log/store passwords in plaintext or hash them insecurely.

If you are already using a password manager & random passwords then I don't see the downside of rotating passwords (though I agree the utility is reduced if you have strong enough passwords to start with).

Otto Defey • December 4, 2018 11:55 AM

A bit of advice about WiFi I see all over the net and especially in documentation for consumer equipment is not to implement MAC filtering. I used to work on this stuff, so I understand that someone who is patient and adept can beat that. But that would need to be someone who had a reason to be out to get me in particular. It's difficult to believe that my home LAN is that interesting. Anyone looking for a LAN to crack will find much easier pickings in my neighborhood.

I suspect the real reason they say not to filter MACs is that when some people do it they forget, have trouble, and make calls to product support. That's an expense vendors would like to avoid.

Often similar advice is given about keeping the SSID out of the AP's beacons. Does anyone know a reason why not to do these things if one is a competent admin for one's own LAN? Thanks.

Weather • December 4, 2018 1:15 PM

Otto
When a client connects it displays the ESSID. Not broadcasting just means it's invisible to basic point-and-click "search for networks"; if you use promiscuous mode and airodump-ng or wireshark, and a client is connected, they will see the ESSID.
It's security by insecurity.

It's easy to change the MAC to match theirs; if they then drop offline you just match theirs.

Set the AP to only allow as many personal things as you want connected, then change the netmask so no more things can connect unless one gets booted off (deauthenticate packet).

It's really little things, but some little things are pointless.

David H • December 4, 2018 1:19 PM

Often similar advice is given about keeping the SSID out of the AP's beacons. Does anyone know a reason why not to do this things if one is a competent admin for one's own LAN? thanks.

@Otto, the long answer is to learn the nuances of how 802.11 works, the control, management, and data frames. The shorter answer is that disabling SSID broadcast can actually (ironically) weaken security/privacy.

When SSID is broadcast as part of the beacon management frame (often times every 100 ms or so, so 10 beacons/second), all stations (wireless clients) in the area have an idea of what access points are available. It's a passive activity that only requires listening, not talking, so a station can do so stealthily without revealing its presence or MAC address. Of course, a user or station/client can always manually ask "Who's out there?", which it does by sending out probe requests, and all access points that hear the probe requests respond with probe responses.

So let's say you have a portable/mobile device such as a smartphone or tablet that connects to your home Wi-Fi. When you leave home then come back home, how does it know to connect to your home Wi-Fi? Because it hears your AP's beacons and can associate with the access point and then authenticate, joining your home network. But as you go about your day away from home, your phone/tablet/laptop has no need to yell out, "Is HomeWiFi there?" since it can assume it isn't there by the lack of beacons.

If SSID broadcast is turned off, it merely removes the SSID from the Access Point's beacon frame, shifting the burden to the station (client). So now your phone/tablet/laptop has to constantly send out probe requests (aka "Marco? Marco? Is HomeWiFi there?) which 1) yells out to the entire world that your home network is HomeWifi, and 2) yells out your phone/tablet/laptop's MAC address.

By shifting the burden to the client, this weakens privacy and potentially security since your device will have to constantly poke and probe like a blind person (assuming your Wi-Fi is enabled). Stores are increasingly using Wi-Fi, Bluetooth, facial recognition, etc. to uniquely identify customers for behavioral, analytics, and marketing purposes as customers walk throughout a store, and a unique MAC (that's not randomized) marks you.

A more sinister approach is that if your Home SSID is fairly unique, a stalker can search for the SSID, MAC, etc. in Wi-Fi databases such as WiGLE.net and find out exactly where you live. Which opens up potential safety concerns.

Modern OS's implement the Wi-Fi stack in different ways. I finally have MAC address randomization in Android 9 (Pie), and I believe iOS may have this. Not sure about macOS and the *Nix's. It's best to 100% disable Wi-Fi when not in use anyways, but unless this is automated (easier on Android), it's easy to forget.

There are other attack methods as well: Some OS's implement Wi-Fi so poorly that even if your phone/tablet/laptop hasn't connected to any "hidden" networks, it'll still leak out your entire list of saved networks and yell them out to the world via probe request frames. "Hello world! I'm a Windows laptop, MAC address 00:11:22:33:ab:54. I just wanted everyone to know that I'm a big fan of Starbucks, McDonald's, Panera, HolidayInnFree, HomeWi-Fi, CancerClinic, Jennifer's House, and Bar-Guest!" And from there, that unique combination of saved Wi-Fi networks is a great way to fingerprint somebody, and the metadata is gold for finding out where that person lives, works, and frequents, and who this person socializes with.

This was much longer and rambly than I anticipated. I dream of somebody being as verbose or brilliant as Clive, but that may take decades of study. :p

The tl;dr: Disabling SSID broadcast is an obsolete Wi-Fi security practice and actually weakens privacy and possibly security. SSID is communicated in plaintext anyways, so there is no point at this juncture, at least until 802.11 is amended to allow for SSID to always be encrypted.
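The beacon/probe-request distinction in the comment above, as an added example that is not part of the original post or any commenter's code: a small parser for 802.11 management frames that reports what each station reveals. The frames below are constructed by hand for the example (the MAC addresses and SSIDs are made up); `parse_mgmt_frame` pulls the transmitter address and SSID element out of a beacon or probe request, treating a zero-length or NUL-filled SSID element as the "hidden" form, and `probed_ssids` collects the named networks each client MAC asked for in directed probe requests, which is exactly what a hidden-SSID setup forces the client to emit.

```python
"""Parse 802.11 management frames and report which SSIDs each station
reveals in probe requests. The sample frames are constructed for this
example; they are not captured traffic."""
import struct

MGMT_SUBTYPES = {4: "probe-request", 5: "probe-response", 8: "beacon"}
ELEM_SSID = 0        # element ID 0 is the SSID element
WILDCARD = ""        # zero-length SSID: "hidden" in a beacon, wildcard in a probe


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt_frame(frame: bytes) -> dict:
    """Return subtype, transmitter (addr2), BSSID (addr3) and SSID of a
    management frame. Beacon and probe-response bodies begin with 12 bytes
    of fixed fields (timestamp, interval, capability) before the elements."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 24-byte management header")
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4
    if ftype != 0 or subtype not in MGMT_SUBTYPES:
        raise ValueError(f"not a supported management frame (fc=0x{fc:02x})")
    addr2, addr3 = frame[10:16], frame[16:22]
    body = frame[24:]
    if subtype in (5, 8):
        body = body[12:]
    ssid = None
    pos = 0
    while pos + 2 <= len(body):
        eid, elen = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + elen]
        if len(data) < elen:          # truncated element: stop rather than overread
            break
        if eid == ELEM_SSID:
            # APs that "hide" the SSID send length 0 or a run of NUL bytes
            ssid = "" if all(b == 0 for b in data) else data.decode("utf-8", "replace")
        pos += 2 + elen
    return {"subtype": MGMT_SUBTYPES[subtype], "transmitter": mac_str(addr2),
            "bssid": mac_str(addr3), "ssid": ssid}


def build_mgmt_frame(subtype: int, src: bytes, bssid: bytes, ssid: str) -> bytes:
    """Construct a minimal management frame (example helper, not a real capture)."""
    fc = bytes([subtype << 4, 0x00])            # type 0 = management, version 0
    header = fc + b"\x00\x00" + b"\xff" * 6 + src + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411) if subtype in (5, 8) else b""
    raw = ssid.encode()
    return header + fixed + bytes([ELEM_SSID, len(raw)]) + raw


def probed_ssids(frames) -> dict:
    """Map each station MAC to the set of named SSIDs it asked for in
    probe requests. Wildcard probes name no network and are ignored."""
    leaks = {}
    for f in frames:
        info = parse_mgmt_frame(f)
        if info["subtype"] == "probe-request" and info["ssid"] not in (None, WILDCARD):
            leaks.setdefault(info["transmitter"], set()).add(info["ssid"])
    return leaks


# Constructed sample: one AP with a hidden SSID, one phone probing for it.
AP = bytes.fromhex("0a1b2c3d4e5f")
PHONE = bytes.fromhex("001122334455")
SAMPLE_FRAMES = [
    build_mgmt_frame(8, AP, AP, ""),                        # hidden beacon: empty SSID
    build_mgmt_frame(4, PHONE, b"\xff" * 6, ""),            # wildcard probe: only the MAC
    build_mgmt_frame(4, PHONE, b"\xff" * 6, "HomeWiFi"),    # directed probe: leaks SSID
    build_mgmt_frame(4, PHONE, b"\xff" * 6, "CancerClinic"),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_mgmt_frame(f))
    print(probed_ssids(SAMPLE_FRAMES))
```

The hidden beacon yields an empty SSID, so a passive listener learns nothing from it; the directed probes from the phone yield both the client MAC and the network names, which is the leak the comment describes. Running the parser over a real monitor-mode capture would need the radiotap header stripped first, which this example does not do.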

Phaete • December 4, 2018 1:21 PM

I think a professional writer could have worded a lot of these statements better.
The following is my favourite:

2. If you or someone you know is 18 or older, you need to create a Social Security online account. Today!

So as long as you know someone that is 18 years or older, you need to sign up for your SSN online; very bad choice of words there.

Doug • December 4, 2018 2:28 PM

So when is PCI DSS going to be updated on password requirements, hmmmm? Version 3.2.1 dropped in the middle of this year, but they are still requiring the password policies of several years ago. To make this even more hilarious, they repeatedly refer to NIST, SANS, CIS, etc. ... all of whom have updated their password advice.

What a farce. PCI, lift your game.

Actua[ria]lly • December 4, 2018 3:01 PM

Credit freezes ding your credit.

It's bit like the problem gambler who calls a problem gambling hotline and submits to a voluntary casino ban.

A consumer's request to place a freeze on credit is always interpreted by the credit bureaus as, "I'm a problem borrower. I need my access to credit cut off."

So no new credit cards, you can't even open a new checking account, rent an apartment, buy a house or car, even when you are paying for things free and clear.

Your auto and homeowner's insurance premiums shoot through the roof, and you are essentially unemployable, all because you requested a credit freeze.

It's too much. What I call the consumer credit cartel. Visa, MasterCard, Equifax, Experian, TransUnion.

The lending is facilitated through Visa and MC exclusively, while Equifax, Experian, and TransUnion are essentially the bill collectors or enforcers of the cartel.

Steven J • December 4, 2018 3:37 PM

David H - there are many people here with much more expertise than I. Anyway, here's some of what I do.

I've been setting up and running email servers for decades. I host a few domains for my private use. Unlimited aliases. Unlimited email accounts. I would never use gmail or any of the huge providers. Heck, I don't even like sending email to those anti-privacy places.

ssh can create a socks proxy for a browser easily. There really isn't much more to say.
$ more fireproxy-home.sh
#!/bin/bash

# Only start the SOCKS proxy if it isn't already running
if [ "$(ps -eaf | grep ssh | grep -c 64000)" = 0 ] ; then
    # Set up a SOCKS proxy through the home server.
    # The IP could be a DNS entry, but an IP won't be spoofed.
    echo "Starting ssh SOCKS Proxy"
    ssh -f -C -D 64000 50.1.2.3 -NT
fi

# Start a private firejail with chromium, going through
# the SOCKS proxy just set up
echo "Starting Firejail chromium with private & proxy"
export http_proxy="socks5://localhost:64000"
firejail --private chromium-browser \
    --proxy-server="socks5://localhost:64000" &

I use KeePassXC on my linux systems and use rsync to push the DB file out to other systems just after midnight.

I don't trust wifi in my house, so why would I trust someone else's wifi? Wifi at the house is treated like it is raw internet. To gain access to internal systems, a VPN must be used.

I don't use any cloud storage and avoid using most cloudy services. Self-hosting isn't hard for me, but that isn't realistic for most people. When I'm remote, I simply want to get access to my internal systems. When I'm working from home, sometimes I don't notice internet outages for hrs because most of the services I need are local (though on different subnets).

Sorry for the post length.

tomb • December 4, 2018 4:26 PM

A far cheaper and simpler solution than the "usb condom" is a data only cable. Most of the magnetic charging cables only have one prong exclusively for charging. The magnetic tips are removable as needed.

Jari R • December 4, 2018 4:31 PM

@David H
>> I tend to use ssh tunnels/proxies
> Fascinating. Can you spare any more details?

You need a server with sshd running in default config
and valid login credentials for that server.

$ ssh -D localhost:5544 your-ssh-host.com

Then configure Firefox:
Edit -> Preferences -> Network Proxy -> Settings
Manual proxy configuration = yes
SOCKS Host = localhost Port = 5544
SOCKS v5 = yes
Proxy DNS when using SOCKS v5 = yes

Then click OK.
After that your browser's DNS queries and web
browsing are ssh-tunneled to your-ssh-host.com
where they pop out to the world.
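The same SOCKS5 tunnel is behind Steven J's script above and Jari R's Firefox settings, and the setting that matters most for privacy is "Proxy DNS when using SOCKS v5". The following is an added example, not code from either commenter: it builds and parses the SOCKS5 CONNECT request the browser sends to the local end of `ssh -D`, and shows the difference between a request carrying a hostname (ATYP 3, resolved by the ssh host) and one carrying an address the client already resolved on the café network. The LOCAL_DNS_STUB table stands in for a leaky local resolver and is constructed for the example.

```python
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4

# Constructed stand-in for the client's own resolver on the café network.
# A leaky client consults this before talking to the proxy.
LOCAL_DNS_STUB = {"example.org": "198.51.100.7"}


def build_greeting() -> bytes:
    """Client hello: version 5, one method offered, 0 = no authentication
    (all ssh -D needs, since the tunnel itself is already authenticated)."""
    return bytes([SOCKS_VERSION, 1, 0])


def build_connect(host: str, port: int, local_dns=None) -> bytes:
    """CONNECT request. With local_dns=None a hostname is sent as-is (ATYP 3)
    and the ssh host resolves it, which is what Firefox's 'Proxy DNS when
    using SOCKS v5' does. Passing a resolver table models the leaky client
    that looks the name up itself and only then sends the address."""
    try:
        addr = ipaddress.ip_address(host)        # literal address, nothing to resolve
    except ValueError:
        addr = None
    if addr is None and local_dns is not None:
        addr = ipaddress.ip_address(local_dns[host])   # the leak happens here
    if addr is None:
        name = host.encode("idna")
        dst = bytes([ATYP_DOMAIN, len(name)]) + name
    elif addr.version == 4:
        dst = bytes([ATYP_IPV4]) + addr.packed
    else:
        dst = bytes([ATYP_IPV6]) + addr.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0]) + dst + struct.pack("!H", port)


def parse_connect(req: bytes):
    """Proxy side (what the local end of ssh -D sees). Returns (atyp, target, port)."""
    if len(req) < 5 or req[0] != SOCKS_VERSION or req[1] != CMD_CONNECT or req[2] != 0:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == ATYP_IPV4:
        target, end = str(ipaddress.IPv4Address(req[4:8])), 8
    elif atyp == ATYP_IPV6:
        target, end = str(ipaddress.IPv6Address(req[4:20])), 20
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        target, end = req[5:5 + n].decode("idna"), 5 + n
    else:
        raise ValueError(f"unknown address type {atyp}")
    if len(req) != end + 2:
        raise ValueError("request length does not match address type")
    (port,) = struct.unpack("!H", req[end:end + 2])
    return atyp, target, port


def leaks_dns(host: str, req: bytes) -> bool:
    """True when the user typed a hostname but the request carries an address:
    the name was resolved on the local network, outside the tunnel."""
    try:
        ipaddress.ip_address(host)
        return False                                  # literal, no lookup involved
    except ValueError:
        return parse_connect(req)[0] != ATYP_DOMAIN


if __name__ == "__main__":
    good = build_connect("example.org", 443)
    bad = build_connect("example.org", 443, local_dns=LOCAL_DNS_STUB)
    print(good.hex(), leaks_dns("example.org", good))   # ...03 0b example.org ... False
    print(bad.hex(), leaks_dns("example.org", bad))     # ...01 c6 33 64 07 ... True
```

The check to run on a real setup is the same: watch port 53 on the local interface while browsing through the proxy. With remote DNS enabled the only outbound traffic should be the ssh session itself; any name lookups leaving the laptop mean the browser is resolving locally and the café network still sees every site name.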

tomb • December 4, 2018 4:39 PM

I meant to say "power only" cables in my last posting.

There was a fantastic skit on the television show Penn & Teller "Fool Us" in which the magician's gig is to do magic tricks with USB charging cables. The climax of the skit involves the magician borrowing Penn's phone and plugging his cable into the phone. The phone appears to shutdown. Then an animation of the phone's charging screen pops up in the foreground with a picture of Penn's face on the phone. The screen goes blank when the magician lets go of the cable and lights up once again when he holds it.

This is really a stupid and gimmicky trick but it won a "Fooled Us" award for the same reason I mention it here. Very few of us realize that a simple cable is capable of uploading malware to a phone. Penn gave the award specifically because "i don't know how phone chargers work".

asdf • December 4, 2018 4:44 PM

@Peter Knoppers

I'd think that if you had control over the electrical pulses you could code something super sophisticated to symbolize USB cable inputs from a console to the phone. I'm reminded of those 1990s-2000s era wifi extenders that worked by sending coded pulses through the electrical lines of a house.

Weather • December 4, 2018 4:58 PM

Don't know the command, but you can use socat and if the DST port is 53 pipe it to 127.0.0.1:ssh tunnel

Can be used for other services

Rach El • December 4, 2018 5:11 PM

Appreciate the intelligent well considered comments, thanks everyone.

Travel with an AC charger, because you shouldn't rely on USB charging! And USB stations are quite simply not available in many airports.

one aspect of changing passwords is it introduces a point of vulnerability. For inexplicable reasons the new password can fail- an error in reproduction, who knows.

I updated my KeePass password and some months later something went wrong and it stopped working. It took about 6 months of no access to that vault to realise KeePass had reverted to the previously used password, which was fortunately still in my memory. Maybe one of my back ups was swapped, or a corrupt database was overwritten, who knows

There are good arguments for paper based 'password managers' which will be familiar to many of you. They have some strengths over digital ones and also are laywoman friendly - and circumvent the potential cloud-syncing issues laypeople often require. (I'd only ever use a local, offline portable manager like KeePass)

I have experimented with storing my sensitive information (on paper or digitally behind a password) in a way a 3rd party cannot use - with a system to reorganise the data known only to me. Swapping the last digit for the first, or having 5 passwords listed for each username but only one being the correct one.

The latter idea was good but the former got me into trouble when I couldn't remember the system! 'why is this credit card not working!!?' YMMV

echo • December 4, 2018 5:16 PM

My security is Swiss cheese but I don't do anything daft. Being boring = secure by design.

@Wael

With password length we need to consider entropy and search space (including brute force search space optimisations). This is partly why I never mention what password lengths or schemes I use to keep people guessing. I have no idea about a formal proof but assume a secure password will be secure for the duration as per the statistics. As Bruce often says "trust the maths".

It's an industry wide benchmark that a secret only stays a secret for no more than six months. I'm guessing in practice this varies depending on the type of secret and who knows and direct and indirect access to the secret. I don't personally buy the "change password every six months" meme. I am of zero tactical or financial interest and have risk managed what matters out the door. (I actually did make one stupid idiot security mistake in the past few months and am not doing this a second time.) The "change password every six months" thing whiffs of corporate "one size fits all protect against the highest theoretical risk and lowest common denominator" type of reasoning. This seems like a lot of work over nothing.

Wael • December 4, 2018 5:58 PM

@echo,

The "change password every six months" thing whiffs of corporate "one size fits all protect against the highest theoretical risk and lowest common denominator" type of reasoning. This seems like a lot of work over nothing.

No-one is defending the six-month mandate. Perhaps six months is good for an organization and three is more suitable to another. It may seem like a lot of work over nothing, but I believe it has value, even though it annoys me to no extent. Now I am forced to use a password manager, and it took me forever to find one that I am ok with. Most of them want subscription fees, cloud, migration to other devices, etc. all I want is something simple and reasonably priced. I am not willing to pay subscription fees for such an app.

If I had time, I'd do my own.

Wael • December 4, 2018 6:25 PM

@echo,

Besides: in the corporate world, users have varying OpSec habits, regardless of the training they get. I kid you not: one time I needed IT support help because I could not gain access to a resource. The IT guy said: "I'll IM you my password to use for now". I told him don't even think about it. Too late, he sent it to me. I told him you had better change your password immediately, I'm deleting what you sent me.

Call periodic mandatory password change a Defense In Depth[1] attitude; the corporate cannot assume all employees are Security Savvy: they are most definitely not, and that includes Security Architects, engineers, and IT, etc... You won't believe the kind of crap I saw. I could write a comedy movie script out of it. Worse things happen in the Defense Industry. Ever heard about the 00000000 password for missile launch, or is that an urban legend?

For the personal case: do what works for you. Problem is: do you know what works for you? Let me ask you a question: can you tell me with certitude that none of your current passwords has been compromised?

[1] And that's still not sufficient. One needs defense in depth, width, and height. That was yesteryear. We now need active defense (offense) on top of that, but I digress.

Loose Tongue • December 4, 2018 6:55 PM

Changing passwords every six months?

It's a good thing to do on one's own initiative, particularly if others are suggesting otherwise.

Or use one-time-only passwords with a system like S/KEY.

The risk of keeping the same old password increases as time goes by, due to shoulder surfing, surveillance camera peeking, cops with bodycams, keyloggers, spyware, and other malicious software.

"La Nueva Generación" is not just a drug cartel, by any means. Not all youth do drugs, but there is a certain "New Age" philosophy of life which maintains that whenever a password becomes "old" — and New Agers are always superstitious of anything "old" — it's time to retire it and generate a new password.

echo • December 4, 2018 7:30 PM

@Wael

Besides: in the corporate world, users have varying OpSec habits, regardless of the training they get.

Yes, this is the kind of thing I was alluding to. It's like intersectional issues: a variety of factors all playing together and varies from instance to instance.

For the personal case: do what works for you. Problem is: do you know what works for you? Let me ask you a question: can you tell me with certitude that none of your current passwords has been compromised?

No but then I can't tell the other way either. I'm a PONTI (Person of No Tactical Interest) and don't have enough money to attract criminals. I'm fairly blackmail proof too and my default response is to scratch someone's face off and shout and scream and leave bite marks. The odds are I can embarrass them more. If I am compromised they are either saving it as a last ditch Doomsday weapon or thrown it on the scrapheap. If any actually are compromised and used in anger? Oh, boo hoo someone has a collection of pixels on the screen.

Bertrand Russell wrote very interesting essays on both power and laziness. From a security point of view they could be read as "shifting endpoints" and "least energy".

My mum grew up in a world where a scratch could kill, children went to school so poor they ate sugar sandwiches or wore clogs, and she was born when women didn't have the vote. I am just old enough to remember when women had few job choices beyond becoming a teacher, a nurse, or a secretary unless lucky enough to have rich parents. The world has changed a lot since then. She was never showy but nobody died on her watch. I'm really really bad at following her advice but a few things stuck in my mind:

"Run away to fight another day".

"Take the rough with the smooth."

"Rome wasn't built in a day".

John Souvestre • December 4, 2018 7:37 PM

I don't believe that the advice to register with USPS to avoid someone else from doing it will help. USPS treats John Doe and John A Doe as different people living at the same address.

echo • December 4, 2018 7:44 PM

@Wael

Now I am forced to use a password manager, and it took me forever to find one that I am ok with. Most of them want subscription fees, cloud, migration to other devices, etc. all I want is something simple and reasonably priced. I am not willing to pay subscription fees for such an app.

This is a pain, I agree. I suspect they do this because it's a small requirement and once an application is good enough there is little need for anything else. Beyond this payment is simply for entertainment value or emotional comfort.

I sometimes suspect the biggest security gain from applications like this is if the developers weren't working on them or enjoying the benefits of revenue it would be a case of "idle hands make for the devil's work". I suspect this is true to some degree of parliament, the British Army, and large swathes of the civil service. If "make-work seat filler" weren't drawn into their hallucinatory prison they would be up to something else which, statistically speaking, might not be very nice as indicated by the repercussions of austerity policies becoming more obvious.

Jonathan Wilson • December 4, 2018 8:11 PM

Do the policies that many corporations have for mandatory password changing actually make sense? Are they doing it because some standard (HIPAA for health care, PCI for anything to do with credit cards or otherwise) has been interpreted in such a way as to require it? Do the management types insisting on it genuinely think it is good for security?

Weather • December 4, 2018 8:35 PM

Jonathan
Maybe not; a rootkit or APT doesn't need to know your password anymore once it's been planted. I'm meaning that once it found the password and used it, it doesn't need to be used to get back into the system. So why change it?

If you detect a break in, then everyone changes the passwords

Lsuoma • December 4, 2018 10:58 PM

@Russ

Really? In the UK a packet of three is better known:

"Something for the weekend, sir?"

Going Postal • December 5, 2018 1:08 AM

@John Souvestre

the advice to register with USPS

https://www.usps.com/ship/insurance-extra-services.htm

Registered Mail® is very expensive, and the clerks and postal inspectors and city cops all got their sticky fingers in it while they mutter under their breath about bearer bonds and gold coins.

And then everybody tries to steal whatever it is, plant some kind of controlled substance or illegal firearm, call the cops, make a bomb threat in your name, call in SWAT team for a bust, and make sure you are separated from your money and found in possession of something illegal under federal law.

The cops are all game for it, too. They make a sport of playing along with SWAT pranksters, robbers, and thieves, and either beating or shooting the victims to death.

It's not entirely clear what the cops' goals are, but banning guns is important to them and stopping crime is not.

Clive Robinson • December 5, 2018 4:49 AM

@ echo, Wael,

Let me ask you a question: can you tell me with certitude that none of your current passwords has been compromised?

I personally assume they are all compromised, before the last keypress of entering a new one has completed...

The simple fact is that there are so many "endrun attacks" via CCTV cameras, microphones and similar available all before you actually get to the computer...

Thus with that assumption in place you move direct to the mitigation phase, where you actually protect what's on the computer in various ways assuming the "not nice SOBs" are already in and looking anyway...

The other thing I do is change my password every time the clock tics on my home systems ;-)

Back in 1995, Sun Microsystems published the idea of Pluggable Authentication Modules (PAM). In a way it could be seen as an extension of the idea of "Unix Streams". Less than a year later Red Hat pushed out the first implementation. Back then I was still producing code so I read the specs and cut my own One Time Password code. After I got the code running on a "pocket device" I went down an algorithmic method using time and a rolling crypto generator (think CTR mode with twiddles).

The big problem if you ever write your own is implementing "time sync" and "replay-lockout" together. Put simply the longer you make the time intervals on the CTR clocking the easier it is to sync up, however it's also easier for an attacker to re-use the password. But if you use short clocking intervals you get other problems. Hence you have to put in a mechanism that allows multiple logons to the same account in the same time frame, BUT using different passwords...

Like many things it's not difficult to do if you are aware of the need for it in the design spec stages ;-)
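An added example, not Clive's code: one way to make time sync and replay lockout coexist is to feed a per-interval sequence number into the OTP alongside the interval, so a token can issue several different passwords inside one clock tick while the verifier remembers which (interval, sequence) pairs it has already consumed. The construction (HMAC-SHA256 over interval and sequence, truncated in the style of RFC 4226) and the parameters STEP, WINDOW and MAX_SEQ are assumptions chosen for illustration; the clocks are frozen so the run is reproducible.

```python
import hashlib
import hmac
import struct

STEP = 30        # seconds per interval, the "clock tick" token and server agree on
WINDOW = 1       # accept intervals now-1 .. now+1 to tolerate clock drift (assumption)
MAX_SEQ = 16     # distinct passwords a token may issue inside one interval (assumption)
DIGITS = 8


def otp(key: bytes, interval: int, seq: int) -> str:
    """Password for (interval, seq): HMAC-SHA256 over both, dynamically truncated
    to DIGITS decimal digits in the style of RFC 4226. Illustrative construction."""
    mac = hmac.new(key, struct.pack("!QH", interval, seq), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack("!I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


class Token:
    """Client side: a pocket device with its own clock. Inside one interval it
    bumps seq, so successive passwords differ; a new interval resets seq."""

    def __init__(self, key: bytes, clock):
        self.key, self.clock = key, clock
        self.interval, self.seq = None, 0

    def next_password(self) -> str:
        interval = self.clock() // STEP
        if interval == self.interval:
            self.seq += 1
        else:
            self.interval, self.seq = interval, 0
        if self.seq >= MAX_SEQ:
            raise RuntimeError("interval exhausted; wait for the next tick")
        return otp(self.key, interval, self.seq)


class Verifier:
    """Server side: searches the drift window, and never accepts the same
    (interval, seq) twice, which is the replay lockout."""

    def __init__(self, key: bytes, clock):
        self.key, self.clock = key, clock
        self.used = set()

    def verify(self, code: str) -> bool:
        now = self.clock() // STEP
        # Pairs older than the window can no longer match anything; drop them.
        self.used = {(i, s) for (i, s) in self.used if i >= now - WINDOW}
        for interval in range(now - WINDOW, now + WINDOW + 1):
            for seq in range(MAX_SEQ):
                if hmac.compare_digest(otp(self.key, interval, seq), code):
                    if (interval, seq) in self.used:
                        return False        # replay of a consumed password
                    self.used.add((interval, seq))
                    return True
        return False                        # out of window, wrong key, or garbage


if __name__ == "__main__":
    key = b"constructed shared secret"      # sample key for the demo
    now = [1_700_000_000]                   # frozen clock so the run is reproducible
    token, server = Token(key, lambda: now[0]), Verifier(key, lambda: now[0])
    first, second = token.next_password(), token.next_password()
    print(server.verify(first), server.verify(second))   # two logons, same tick: True True
    print(server.verify(first))                          # replayed: False
```

The trade-off Clive describes is visible in the constants: a wider WINDOW makes sync easier but multiplies the candidate set an attacker can replay into, and the verifier's cost per login is (2*WINDOW+1)*MAX_SEQ HMACs, so neither number should be generous.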

echo • December 5, 2018 5:24 AM

@Clive, @Wael

GCHQ would make a fortune if they consumerised their collect it all "time machine". Never lose data or a backup again. GCHQ anticipates the problem and provides a solution by grabbing a copy of all your data before you have backed it up!

Clive Robinson • December 5, 2018 10:46 AM

@ echo,

GCHQ would make a fortune if they consumerised their collect it all "time machine".

Don't say that too loud, remember the current incumbents see citizens' data as "cash to collect" one way or another. From Council Tax records, through many other systems like education onwards to death with your health records and anything else that's not nailed down physically or legally...

They force you to hand it over then they flog it to cover give away taxes to the 1%ers, anyway with a little luck we will be rid of the worst of the current bunch before the end of the year.

The smile I had on my face last night hearing that Parliament had given a certain pompous git two fingers by way of a "contempt" finding was sunny enough to heat the room ;-)

As the old saying goes "I couldn't wish it on a more deserving cause". Does that make me petty?

I hope not as I sit here making wax effigies of BoJo and Co especially that illegal act of Faraging ;-)

Oh spot the BoJo failed O Level maths at work,

    "As many as 16 per cent of our species have an IQ below 85, while about 2 per cent have an IQ above 130."[1]

Apparently he went on to fail an IQ test on air... And "This is the man who would be King"...

[1] https://www.theguardian.com/politics/2013/nov/28/boris-johnson-iq-comments

bigmacbear • December 5, 2018 10:56 AM

@Jonathan: Yes, PCI DSS section 8.2.4 dictates "Change user passwords/passphrases at least once every 90 days."

Because merchant contracts with their banks dictate that PCI-DSS must be followed on pain of breach of contract, this gives these requirements "the force of law" on systems in their scope (and PCI scoping - which requirements must be met by which system - is probably the most controversial part of compliance).

What this means is someone needs to tell the folks who write the PCI DSS that they have to make amendments - the problem is that no one seems to know who that is and the process takes longer than is acceptable.

anonymuos croward • December 5, 2018 12:26 PM

@echo
"GCHQ would make a fortune if they consumerised their collect it all "time machine"."
Didn't the NSA already do that with the internet archive website?

@Bruce
"5. Avoid the temptation to use the same user name and password for every account. Whenever possible, change your passwords every six months."
Why not just change your password as often as it can be cracked by the fastest known computer to you? That doesn't account for a super computer that is unknown. Maybe the change your password every second thing is the best then.
Why are you tracking people by blocking using the name anonymous? There is a large amount of assumption in that last question. I apologize in advance if this gets posted three times. Feel free to delete the first two.

@Clive
Is calling out new handles an exercise for the reader or yourself?

Bob • December 5, 2018 1:49 PM

She forgot one more important piece of advice: cover your mobile devices in a layer of Crisco. This makes them harder for thieves to snatch and run off with.

@bigmacbear
IS auditing is complete garbage. Standards made by accountants and MBAs who don't have the first clue about how anything works, audited by accountants who get certified to audit information systems despite not knowing TLS from AES, culminating in a nice little package that says "we know what's going on and it's all cool" wrapped up by people who don't know what's going on when everything's not cool.

Clive Robinson • December 5, 2018 3:39 PM

@ bigmacbear,

the problem is that no one seems to know who that is and the process takes longer than is acceptable.

It is however something judges are very good and usually quite fast to get to the bottom of.

The simple fact is the National Standards Organisation NIST has changed the rules, and after a reasonable period for adjustment --which is now long gone-- a judge would want a very clear and compelling reason why what are subsidiary standards --whether they like it or not-- have not changed. And if not given a sufficiently compelling reason make a ruling that the defendant(s) standards have a very limited time to come into line with the national standards.

The judge would not care if the defendant was a person "legal or natural" as punishment would be financial all the way through bankruptcy if required...

It's a point that the EU has recently got across to various US Corps via the GDPR, so any management would find it difficult to convince a judge representing the other side --ie the shareholder interest-- that they did not see it coming, thus should have behaved competently.

As a friend once observed "Everybody has a fulcrum..." then allude to an anatomical action with an appropriate lever...

Clive Robinson • December 5, 2018 5:04 PM

@ anonymuos croward,

Is calling out new handles an exercise for the reader or yourself?

First ask if the person behind the new handle is actually new or not. When you see the same off topic behaviour / style and a new handle, it may well be a sock puppet etc.

Wael • December 6, 2018 4:02 AM

@Clive Robinson, @echo,

I personally assume they are all compromised

That's why "multi-entity" Authentication is important. Authenticate both the silicon unit and the carbon unit (or the water-bag, if you like.) Multi-factor authentication can also be imposed on the carbon-unit. You know we talked about that a few times.

I say not only the passwords need to be changed periodically, but also the username. And usernames should not be easy to link to a real identity. Come to think of it, I advocate the use of "user phrases" and "pass phrases" -- keep both these bad boys secret. There: paranoid enough for ya? Now where did I put my straitjacket?

parent • December 6, 2018 4:44 AM

@Denton Scratch: "So I store the password repository on a USB stick (along with the portable version of the code)."

(1) Is this "code" based on Pass ?

(2) Do you have to insert passphrases on foreign sessions? I do: as a parent, on the "parental control" authorization form of win10 and of MacOS. I have to insert the passphrase each time. And no password repository that I know of would have been able to let me insert that passphrase.

Clive Robinson • December 6, 2018 7:50 AM

@ Wael, echo,

Come to think of it, I advocate the use of "user phrases" and "pass phrases" -- keep both these bad boys secret.

This is going to at first sound like madness but bear with it.

The likes of PCI require "two factor authentication" and an auditor is supposed to look and verify before putting the tick in the checkbox on their list.

So far so good. The problem is some specifications just say "two factors" not "two different factors"... So it has been known for an organisation under audit to use "two passwords", as the organisation pays for the audit and auditors like repeat business, it's been known for an auditor to accept this argument...

If you say "user phrase and pass phrase" it's entirely possible some auditor might be persuaded...

I remember Ross J. Anderson telling a story of just how difficult it is for people to think outside the box with "factors". As a standard part of teaching about them he would ask the students if there were any other factors outside of the three standard "Something you are / have / know". Depending on how you view it there are or there are not.

Which is why I say that "where / when" of geo and temporal location are sub classes of "know".

Back when Ross was first asking the question "where/when" was not seen as particularly important. As you may remember both @Nick P and myself realised in different ways that the politicians would stick their nose in like the proverbial camel[1] and that they would resort to their usual "thuggish behaviour" disguised as "the word of law". I pointed out that "secret sharing" out of a nation's legal jurisdiction with "duress checks" would put a curb on such political excesses, and Nick pointed out that even that was insufficient thus we needed not just multiple jurisdictions but ones that were actively hostile to each other, thus not disposed to cooperate.

As predicted the politicians legislated but worse the LEOs pushed further via chosen court cases to set "case law". In effect we have lost two of the original three factors, because LEOs have the power of violence to force "are/have" leaving only "know" as safe currently. But judges under LEO / Prosecutor pressure are now using contempt of court to attack the simple "know" by forcing the issue via "compulsion" of unlimited --illegal[2]-- detention.

Thus extending the simple "something you know" of a pass phrase to the more complex knowing where to be and when, redresses the balance, a little bit. Especially if the "where" is well outside of the jurisdiction the LEO / Prosecutor / Judge is.

The hard part is making the "where / when" sufficiently difficult that it can not be "faked" or "guessed", and importantly can only be done by you in person.

Which is where another subset of "know" can be used which is the "who" of "shared secrets".

All of which brings out the point about psychopathic[3] LEOs and Prosecutors, who care not if a person is innocent or guilty or if there are any extenuating circumstances. Their sole objective is that their will, will prevail. In turn they are ably supported by legislators making pointless and dangerous law. You can not legislate against the laws of nature and trying to do so can only result in violence... Which the state just so happens to reserve a monopoly on, for exactly the purpose of enforcing their will by fear, force and murder, justice is not something psychopaths care to understand...

[1] The camel is supposedly both curious and obstinate, thus it will push its nose under the tent flap, and unless soundly beaten back will quickly occupy the whole of the tent much to the occupants' disadvantage.

[2] Many nations have signed up to various international treaties that prevent cruel, unusual, arbitrary justice. Contempt is most certainly arbitrary and when used for compulsion of the mind unusual, which if it goes on for very long becomes cruel, if not torture. The fact contempt still exists actively in courts suggests that various nations have signed a treaty under false pretenses.

[3] Simply a person who exhibits sufficient of the traits given in one of several lists, which does not need a qualification to judge, https://www.psychologytoday.com/gb/blog/mindmelding/201301/what-is-psychopath-0

Wael • December 6, 2018 8:24 AM

@Clive Robinson, @echo,

The problem is some specifications just say "two factors" not "two different factors".

It's implicit.

to the more complex knowing where to be and when, redresses the balance, a little bit.

These are not factors; they are other parameters that can be enforced. Some of them have device-affinity and some have user-affinity. And yes, they count as additional guardrails.

The hard part is making the "where / when" sufficiently difficult that it can not be "faked" or "guessed"

It's challenging, given that there are GPS simulators, Fake location Apps, etc... the weakness is in protecting the signal, GPS for example. Unless we use Military grade GPS satellites with encrypted and signed signals that can be used as proof or attestation of the location, I'd say it's very challenging.

and unless soundly beaten back

You don't do that to camels, my friend. They keep score and will take revenge, sometimes years later. Don't mess with them.

chris • December 6, 2018 8:45 PM

Can't one make their own "USB Condom" by buying an inexpensive USB cable at, say, a dollar store and simply cutting the data wires and taping them off. It seems to me that Google search and a simple splice and some electrical tape would help you make a non-data USB cable in a few minutes. Am I missing something?

echo • December 7, 2018 7:46 AM

My PortaPow USB data blocker arrived. I bought the dumb version not the one with a chip in it for "smartcharging". It has a small window you can see the contacts through. The power contacts are present and data contacts absent. I checked it and it works. It's available in the UK at least with local shipping and is cheaper than Bruce's suggestion.

@Chris

Can't one make their own "USB Condom" by buying an inexpensive USB cable at, say, a dollar store and simply cutting the data wires and taping them off. It seems to me that Google search and a simple splice and some electrical tape would help you make a non-data USB cable in a few minutes. Am I missing something?

There's nothing wrong with this. I find the manufactured product tidier and can use it with any cable. It's also smaller and saves carrying an extra cable for data use. I guess it all depends on what your personal needs are.

Clive Robinson • December 7, 2018 7:53 AM

@ Chris,

Am I missing something?

Short answer "Yes"...

Long answer: it's to do with what voltage, and how much current or power, you can or cannot draw (max 20 V, 3 A). Confusingly, there have been several specifications, which are almost as good as sleeping tablets when you read them. If you look it up you will find the following,

    On 8 January 2018 USB-IF announced "Certified USB Fast Charger" which will certify chargers that use the feature "Programmable Power Supply" (PPS) of the USB Power Delivery 3.0 specification.

Is --possibly-- the latest in a long line of USB Power Control Specs...

In most cases the use of a resistor and one of the data lines sufficed. But... It's been a few years since I designed a USB device, so "Read the Specifications", lest you blow something up (like the inductor in the power supply line, meant for EMC filtering but also makes a handy fuse...).

CallMeLateForSupper • December 7, 2018 8:11 AM

@Chris
"Can't one [..] make a non-data USB cable in a few minutes. Am I missing something?"

You are correct. A person with a knowledge of USB wiring spec. and some skill with simple hand tools can make a non-data USB cable.

The reason that pre-made is available is not because making them is hard but because a significant number of potential customers exists => product is viable. Why are there a bunch of potential customers for pre-made? For the same reasons that loaves of bread sell: a significant number of people think they don't have the time nor the skills to bake bread.

I think - and I am preeee-ty sure @Clive would agree with me on this - that a lot of folks could surprise themselves by making a dough ball, setting it aside to rise, and then making a non-data USB in the mean time.

Dust • December 7, 2018 6:33 PM

I'm surprised you would use public WiFi and even with no VPN. I haven't done so a single time (with or without VPN) and can't see any reason to do so even if I didn't care about security.

Nothing is so important it can't wait until you have your own net connection again. If something is, it is too important for public WiFi.

echo • December 8, 2018 5:57 PM

I don't have the headspace or spare money but otherwise would use a Raspberry Pi to make my own VPN. This could be used as a media player too and other low intensity tasks, and a back up Linux desktop for emergencies.

I have only ever connected to a public wifi out of curiosity.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.