
My long answer is here: http://www.h-i-r.net/2008/08/defcon-paranoia.html

The short answer: I back up my data. I encrypt all sensitive data on my laptop and don't access it in uncontrolled environments. I tunnel everything (usually with OpenSSH Dynamic Proxy) and then I run a firewall ruleset on my laptop that: 1) Permits tunneling to my server, 2) Permits anything on localhost, 3) Blocks all other incoming or outgoing traffic. Meaning if some program (Pidgin for example) isn't going through the tunnel, it can't even connect out.

It's worth mentioning that I usually operate this way all the time, whether I'm in a risky environment like DefCon or HOPE conferences, or my favorite small coffee shop. Tools like ProxySwitcher, small shell scripts, network locations and stuff that others have mentioned can be used by moderately-savvy folks to make the tunnel setup as painless as possible.
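The three-rule laptop policy described in the comment above, written out as an nftables ruleset. This is an added example, not the commenter's own script; the server address 203.0.113.10, the SSH port and the table name are placeholders, and the SOCKS tunnel itself is assumed to be the usual `ssh -D 1080 -N user@server`.

```shell
#!/bin/sh
# Generate an nftables ruleset for the policy: (1) permit the SSH tunnel to
# one server, (2) permit anything on localhost, (3) drop all other traffic.
# $1 = server IPv4 address (placeholder 203.0.113.10), $2 = SSH port.
# Because DNS is also dropped, applications must resolve names through the
# SOCKS proxy (socks5h:// / "proxy DNS" in the client), or lookups will fail.
gen_rules() {
  server="$1"
  port="${2:-22}"
  cat <<EOF
flush ruleset
table inet laptop_lockdown {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif "lo" accept
    ct state established,related accept
    ip daddr $server tcp dport $port accept
  }
}
EOF
}

# Self-check before loading: both hooks must default to drop and the only
# unconditional accepts must be on the loopback interface. Returns 0 if so.
check_rules() {
  rules="$1"
  drops=$(printf '%s\n' "$rules" | grep -c 'policy drop;')
  [ "$drops" -eq 2 ] || return 1
  # any "accept" line that is neither lo, conntrack, nor the tunnel rule is a hole
  printf '%s\n' "$rules" | grep 'accept' \
    | grep -v -e '"lo" accept' -e 'ct state' -e 'tcp dport' \
    | grep -q . && return 1
  return 0
}

# Usage: ./lockdown.sh 203.0.113.10 22 | sudo nft -c -f -   (syntax check)
#        ./lockdown.sh 203.0.113.10 22 | sudo nft -f -      (apply)
if [ "$#" -ge 1 ]; then
  rules=$(gen_rules "$1" "${2:-22}")
  check_rules "$rules" || { echo "ruleset failed self-check" >&2; exit 1; }
  printf '%s\n' "$rules"
fi
```

Note that DHCP clients send via raw packet sockets and are not governed by this output chain, so the laptop still gets a lease on a new network.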

Is there any way to do this at the network device level (on Linux) so that individual applications don't have to be configured to use the proxy? That's the main source of my reluctance to do this.

You probably want to use tsocks. It LD_PRELOADs the socket related functions and does the necessary work.


In Linux, most applications respect the http_proxy environment variable. It's the closest thing Linux has to a system-wide proxy setting as found in the more mainstream platforms.

This is actually how I use Chromium with a proxy right now, but it requires that I launch it from the command line and manually specify the http_proxy (and https_proxy) variables (/usr/bin/env http_proxy=" https_proxy=" /usr/bin/chromium). I suppose I could set up some kind of script to launch Chromium (and all other applications) that would check if I'm on my home network and launch all apps with that variable if not, but that seems like a really ugly hack.

In case this gives you an idea: on my Linux laptop I just have two different users, one that is configured to use a local Tor proxy and another "non-protected" one. Depending on whether I'm out in the open or at home, I use one or the other. When I need some data from my protected user while in "unprotected mode" I sftp:// myself, but usually I do it the other way (unprotected data from protected mode). Much simpler, I think...

chromium --proxy-server=socks5:// is what I use, but Chromium can also use your desktop environment's settings. On my laptop it allows me to make different proxy settings and define 'locations' that are easy to switch between.

Executed properly, it might be an awesome hack!

That seems like a lot of work. Not that I'm opposed to doing it if necessary, but an automated solution (even if it were graphical) would be wonderful. In fact, it would be great if Wicd could somehow handle all this.

There doesn't appear to be a network-manager SSH VPN plugin, which is a shame. I would love to be able to easily create a VPN with any of my servers...

