
Want to use my wifi? - TheJH_
http://thejh.net/written-stuff/want-to-use-my-wifi?
======
IgorPartola
Using a browser in incognito mode does nothing of the sort. You can still enter
your password into it and it can be stolen just as easily. The true solution
is to only browse over HTTPS, connect to a VPN or not use untrusted networks.

Note that if I can spoof an IP address, I can send you bogus DNS replies, and
send you to a web server that impersonates Google/Facebook/etc. but does not
require HTTPS (unless they use the strict security header). In this case you
do not get a warning, just the absence of a tiny green icon.
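
An added example, not from this post or the article, of the protection the last sentence refers to: a parser for the Strict-Transport-Security header (RFC 6797) and a check of whether a browser that has cached such a policy would refuse the plain-HTTP impersonation described. Host matching by label suffix is a simplification; real browsers also require that the header arrived over HTTPS without certificate errors and use a preload list for the very first visit.

```python
import re


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
    Returns None for a malformed value, which a browser ignores."""
    seen = {}
    for raw in header_value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, sep, value = raw.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None                      # duplicated directive is invalid
        seen[name] = value.strip().strip('"') if sep else None
    max_age = seen.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        return None                          # max-age is required and numeric
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in seen,
            "preload": "preload" in seen}


def plain_http_blocked(policy, policy_host, visited_host):
    """Would a browser holding `policy` (learned from policy_host over HTTPS)
    refuse a plain-HTTP load of visited_host and upgrade it to HTTPS instead?
    That is the case in which the DNS-spoofed impersonation above fails."""
    if policy is None or policy["max_age"] == 0:
        return False                         # no policy, or policy cleared
    if visited_host == policy_host:
        return True
    if visited_host.endswith("." + policy_host):
        return policy["include_subdomains"]  # subdomains only if opted in
    return False


if __name__ == "__main__":
    # Constructed header value; any real site's value will differ.
    policy = parse_hsts("max-age=31536000; includeSubDomains")
    print(policy, plain_http_blocked(policy, "example.com", "www.example.com"))
```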

~~~
malandrew
How easy is it to fully automate VPN only computer usage so that everything I
do comes out of a machine at Amazon EC2 for example?

I've never set it up and was curious what others have done to make it as
invisible as possible.

~~~
ma2rten
_How easy is it to fully automate VPN only computer usage so that everything I
do comes out of a machine at Amazon EC2 for example?_

Startup idea! Make a tool that automatically tunnels your connection when you
are on a public wifi. Make it open source and offer a hosted service. Also
interesting if you are in a country which censors the internet. The dropbox of
VPNs. For marketing you offer to write articles like this but less technical
for magazines ("on Page 10 learn how easy it is for hackers to steal your
facebook account and how you can protect yourself").

~~~
bradleyland
There are a multitude of VPN services in the market already. The generally
accepted "best practice" for those with VPN service is to use it everywhere
(not just on the road). When you're paying monthly, most people feel
incentivized to use the service as much as possible.

I've set up VyprVPN for a couple of ultra-paranoid friends, and the whole
process was very smooth and end-user friendly.

~~~
ma2rten
And there were plenty of back-up services before dropbox.

~~~
bradleyland
I get what you're saying, but Dropbox is not a back-up service. The
distinction is that Dropbox didn't exist before Dropbox. There are unique
aspects of Dropbox that were _new_ when Dropbox was introduced.

There is nothing new or unique in what you described, with the exception
(maybe) of automatic initiation of VPN services when you're on "public" wifi.
I would argue that this is a differentiation of little or no consequence,
because there's no reason to _not_ use a VPN all the time.

You basically described every personal VPN provider in the market as a start-up
idea.

------
malandrew
Is it possible to use the browser in https only mode, or at least have it
force launch any https sites in a new incognito mode window so that you know
it's http-only? Furthermore, it would be nice if you could disable all text
inputs on http-only windows.

I know that I would be more likely to contact a site owner asking for https if
it screamed at me every time it happened.

It's time to ditch http for all but rare use cases, because it's almost 2014.

~~~
noinsight
Get the "HTTPS Everywhere" addon for Firefox, or, apparently, Chrome now.

~~~
hnha
That "only" uses a list of known https domains to force the browser to use
them. It does not magically enable "https everywhere".

------
mschuster91
Just for teh lulz, you could do ARP-spoofing on public wifis too, and achieve
the same effect without having the trouble of setting up a hotspot.

I admit to having spoofed a Burger King public WiFi and replacing all img-tag
sources with Goatse. Priceless reactions everywhere ;)

~~~
lotsofcows
I like BT OpenZone in the UK. It seems everyone has connected to one of these
at some point so you just create an ad hoc wireless connection with the same
SSID and most modern smartphones automatically connect and start trying to
download mail and facebook updates.

------
chrissnell
I've been thinking about the possibility of injecting a JavaScript bitcoin
miner into every page loaded through my access point. Imagine the
possibilities for an open AP that's located in a very public place, like Times
Square, or near a busy Starbucks (where access is slow and unreliable).

If you really wanted to take this to the evil next level, you'd just break one
(or several) WPA keys on nearby APs and have your rogue injector AP act as
both an open AP (to unsuspecting users) and a client (using cracked keys) to
other APs, thus avoiding having to actually buy internet access for this spot.
You'd essentially just need to find a place to hide and power your evil AP.

~~~
MichaelGG
Is that even remotely lucrative? As I understand, even a $300 GPU is orders of
magnitude more powerful than any CPU miner, let alone a JavaScript based one.
And even a single GPU isn't remotely competitive these days compared to the
GPU farms and now ASIC setups. So you'd need to inject JS into, I dunno, a
million devices to make anything worthwhile.

~~~
dave1010uk
You could probably use WebCL, Flash or Silverlight to use the user's GPU. A
quick Google shows this has been done with WebCL already:
[http://webcl.nokiaresearch.com/jsoclbm/](http://webcl.nokiaresearch.com/jsoclbm/)

~~~
MichaelGG
There's a neat hardware comparison here:
[https://en.bitcoin.it/wiki/Mining_hardware_comparison](https://en.bitcoin.it/wiki/Mining_hardware_comparison)

Seems like ASICs are measured in the thousands to tens or hundreds of
thousands of MHashes/sec. Whereas powerful GPUs drawing ~1000 Watts don't even
break 1000MH/sec. High-end laptop GPUs seem to be in the 10s of MH/sec, a
quad-core Atom shows 2MH/sec, and the Galaxy SII comes in at 1.3.

The vast majority of devices connecting to public APs are not going to be
high-power systems. Not to mention the time they'll spend connected is
unlikely to be 24/7. Even if it was, mining will probably drain batteries
pretty quickly. Plus power-saving is likely to be on for mobile devices and
reduce peak perf. And if it's just injecting JS, then backgrounded tabs should
get much less CPU time. And WebGL/etc. are unlikely to be running in
background tabs.

If you assume a device stays connected and open for 1/4 a day, and stays for 3
days on average, and gives you 1MH/sec (seems optimistic, all things
considered), 1 million devices compromised a month gives you ~$300 a month. If
the assumption is that you can persistently own a machine, then you'd need
fewer machines. But that's going beyond simple JS injection on HTML pages.

I used this calculator:
[http://www.alloscomp.com/bitcoin/calculator](http://www.alloscomp.com/bitcoin/calculator)

------
fmavituna
Inject something like XSS Tunnel
([http://labs.portcullis.co.uk/download/XSS-Tunnelling.pdf](http://labs.portcullis.co.uk/download/XSS-Tunnelling.pdf),
which gives you a local proxy that you can point your local browser at and
which then sends all of your traffic through the victim, so you'll see and use
the website(s) with your victim's session), or BeEF
([http://beefproject.com/](http://beefproject.com/)) for tons of exotic XSS
based exploits.

------
davidbanham
These attacks could be given longevity by using a cache manifest.

------
loser777
Situations like these are how I justify keeping a low power 24/7 box on at
home. In situations where I don't have my own (trusted) connection, I'll just
ssh tunnel a SOCKS5 proxy to my home server. I only have a residential
internet connection at home, but 2 Mbps is surprisingly snappy for casual or
emergency on the go web browsing. With boxes out there (e.g. rPi) that push
power consumption far south of 10W, it makes even more sense to do this now.

Of course, it also doubles as an IRC idler/whatever else you can think of.

~~~
voltagex_
Yep, I have a Dreamplug with dual ethernet and an attached USB hard drive.
Last I checked, the hard drive used more power than the machine itself.

SSH is done through key authentication and there's an OpenVPN server if the
network I'm connecting through isn't too locked down.

Next trick is to do IP-over-DNS and I'll be all set wherever I am.

Now if only someone would come out with a USB3-capable board with dual-gigE (I
don't mind if it can only push 500Mbit each port).

~~~
icebraining
_Next trick is to do IP-over-DNS and I'll be all set wherever I am._

iodine[1] is a fairly easy way to set that up. I just made a
tunnel.mydomain.tld subdomain, pointed the NS records at my VPS and ran
"iodined 10.0.0.1 tunnel.mydomain.tld".

[1] [http://code.kryo.se/iodine/](http://code.kryo.se/iodine/)

------
pocketstar
Using a VPN would protect you against all of this right?

~~~
cenhyperion
Assuming you can trust the VPN and the encryption is good it should.

------
quasque
I wonder if this attack would also work on the
[http://www.gstatic.com/generate_204](http://www.gstatic.com/generate_204)
page that Chrome uses to detect captive portals if you are accessing https
pages.

------
matiasb
Has anyone tried ICMP tunnels?

------
odonnellryan
It's pretty easy to set up a VPN on EC2. Probably not the BEST solution out
there (the instances certainly aren't designed for that use) but better than
nothing.

~~~
btgeekboy
At $0.07/hour for 1TB/month, with <1min startup time, DigitalOcean is actually
a decent host to do this with.

------
simgidacav
> Commandline snippet poisoning

Really? So would you blindly copy-paste things into your shell? Then I don't
need to hijack your connections, I just put malicious pastes on the website.

If you are moron enough to copy-paste the first thing you find, you are
probably not reading the other users' warnings about "this answer is wrong".

~~~
Lazare
The attack mentioned is to change the text when you go to copy it; that will
get even people who carefully read every forum post before copying and
pasting.

How many people review the snippet, copy, paste it into a text editor,
_re_-review it, copy it, and then paste it into their shell?

~~~
andrewaylett
Ctrl-X Ctrl-E in bash will open an editor for the current command, which is
executed when the editor is exited. After the potential for exploit was
publicised a few months ago, I use this every time and it's really not much
more effort than just pasting into the shell. As a bonus, it means I don't
have to worry about embedded newlines stopping me from tweaking the command
before running it.

~~~
TheJH_
You can embed \x1b (escape) into a webpage. When you copy-and-paste that, it
has the same effect as hitting ESC in the editor. So, I'd just have to make
you copy "<evil command>#\x1b:wq\n" to also catch the case that you're using
vim instead of directly pasting. However, I can't figure out a way to escape
from nano.

(Tested it with the combination chromium+xterm+vim.)
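
The paste-time check that Lazare's and TheJH_'s comments above point at, as an added defender-side example that is not from the thread or the article: it flags the control characters and newlines that make a copied snippet dangerous to paste into a shell or an editor, and renders them visibly so a reviewer can see a hidden ESC before pasting. The zero-width code point list and the sample snippet are constructed.

```python
# Added example: inspect text before pasting it into a shell or editor.
# Flags the ESC byte (leaves vim insert mode / starts a terminal escape),
# carriage returns and newlines (run the command before it can be reviewed),
# other C0 controls, and zero-width characters that hide text.
ESC = "\x1b"
CR = "\r"

# Zero-width / invisible code points commonly abused to hide text.
# Constructed, non-exhaustive list.
HIDDEN = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00ad"}


def inspect_paste(text):
    """Return the list of problem classes found in `text`, in a fixed order.
    An empty list means nothing non-printable or line-terminating was seen."""
    findings = []
    if ESC in text:
        findings.append("esc")
    if CR in text:
        findings.append("cr")
    if "\n" in text:
        findings.append("newline")
    if any((ord(c) < 0x20 and c not in "\t\n\r\x1b") or ord(c) == 0x7F
           for c in text):
        findings.append("control")
    if any(c in HIDDEN for c in text):
        findings.append("hidden")
    return findings


def visualize(text):
    """Render control characters in caret notation (ESC -> ^[, CR -> ^M,
    DEL -> ^?) and hidden code points as <U+XXXX>, keeping newlines."""
    out = []
    for c in text:
        code = ord(c)
        if c == "\n":
            out.append(c)
        elif code < 0x20 or code == 0x7F:
            out.append("^" + chr((code + 0x40) & 0x7F))
        elif c in HIDDEN:
            out.append("<U+%04X>" % code)
        else:
            out.append(c)
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample with the "<command>#\x1b:wq\n" shape described above,
    # using a harmless command in place of the evil one.
    sample = "ls -la#\x1b:wq\n"
    print(inspect_paste(sample), repr(visualize(sample)))
```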

