

Need to develop on insecure wifi? Use protection - nikisweeting
https://github.com/nikisweeting/security-growler

======
jamescun
The biggest problem you will face (or at least need to worry about) is MitM
attacks on the insecure wireless, which can be solved by a VPN, ssh tunnel or
just forcing SSL with extensions like HTTPS Everywhere[1].

Rather than having alerting for connections to services which provide remote
access (assuming authenticated using vulnerabilities or defaults), you should
evaluate if you need your laptop running an FTP server or whatever other
service. And if you do, firewalling that off or only enabling the service when
in use.

[1] [https://www.eff.org/https-everywhere](https://www.eff.org/https-
everywhere)

~~~
SomeoneWeird
This is only effective if you do SSL pinning too.

~~~
xyzzy123
Random MITMs in Internet cafes don't have access to root CAs.

If you need certificate pinning on insecure wifi, then you need it everywhere.

------
alimoeeny
Little Snitch is what you need, I am a user, I am not affiliated with them,
and I love their product, I cannot imagine having a personal computer without
little snitch.

~~~
shimms
+1

I have it set to deny everything except openvpn, Captive Network Assistant and
UserEventAgent on all networks by default. Only explicitly whitelisted
networks have access beyond these three rules.

On an untrusted network (the default state), you can still connect to public
wifi (using the Captive Network Assistant and UserEventAgent), and once
connected to the insecure wifi, connect to the secure VPN. The VPN connection
is whitelisted, so once it has connected to VPN everything starts flowing
again.

As soon as I disconnect from the VPN no traffic goes in or out.

Couldn't imagine using public wifi at airports, or coffee shops without it
now.

------
matdrewin
Was I the only one expecting the github repo to be named "condom"?

~~~
cordite
Yeah, but it is more of a snitch than a condom.

------
nav1
How does this protect you? Wouldn't it be better to just run a firewall? Once
someone gets access to your computer it's probably too late.

~~~
zhemao
Presumably this also detects failed login attempts, so if someone is trying to
brute force your login password, you would know immediately.

I agree though, that setting up a firewall would be much more effective.
Alternatively, disable password authentication in OpenSSH and just use
keypairs. But why exactly would you be running any of those services on your
Mac anyway? As far as I know, these forms of remote access are disabled by
default on OSX (for good reason).

~~~
nikisweeting
Yes all of these protection measures are better, I personally use SOCKS over a
VPN, but on the rare occasional that I need to develop on a client's possibly
compromised network, I like to run this handy tool.

