vpn
How to guard yourself and your Mac from Firesheep and Wi-Fi snooping
The prevalence of free/cheap and open Wi-Fi networks in coffee shops, airports, offices and hotels is a great boon to the traveling Mac or iPad user; it makes connectivity and remote work much easier than it used to be. Unfortunately, since most of those networks don't employ WEP or WPA passwords to secure the connection between device and hotspot, every byte and packet that's transmitted back and forth is visible to all the computers on the wireless LAN, all the time. While certain sites and services use full-time browser encryption (the ones that have URLs beginning with https:// and that show a lock in the browser status bar), many only encrypt the login session to hide your username and password from prying eyes. This, as it turns out, is the digital equivalent of locking the door but leaving the windows wide open. Firesheep is a Firefox extension which makes it trivially easy to impersonate someone to the websites they log in to while on the same open Wi-Fi network. It kicks in when you log in to a website (usually in a secure fashion, via HTTPS) and then the site redirects you to a non-secured page after login. Most sites that operate this way will save your login information in a browser cookie, which can be 'sniffed' by a nogoodnik on the same network segment; that's what Firesheep does automatically. With the cookie in hand, it's simple to present it to the remote site and proceed to do bad things with the logged-in account. Bad things could range from sending fake Twitter or Facebook messages all the way up to, potentially, buying things on ecommerce sites. That process is known as "HTTP session hijacking" (informally, "sidejacking") and has been a known problem for several years, but many sites have not changed to protect their users. Firesheep has made this process of sidejacking very easy, and a reported 104,000+ people have downloaded it. It is important to realize that the security problem exists for users of all browsers.
Firesheep is available only for Firefox, but that's just the exploit side; it will gladly harvest cookies from Safari, Chrome, IE or anything else. Unfortunately, you've got to assume that any unencrypted site you go to while on an open Wi-Fi network is susceptible to compromise by this attack. Read on for some suggested ways to combat this security challenge.
iPhone OS 4.0: Enterprise Features
Apple has posted an outline of what it believes to be the key enterprise features of iPhone OS 4.0. Third-party multitasking, enhanced security and mobile device management are among the marquee features. As a former IT director, I'm drawn in by mobile device management (MDM). Setting up individual pieces of hardware is a time-consuming hassle. New MDM APIs let developers integrate features like wireless configuration and update, remote wipes and policy compliance (no games, please!) into their apps. Additionally, wireless app distribution lets managers then install those apps over Wi-Fi and 3G. Apple also touts the unified email inbox and SSL VPN support along with pre-existing features like Exchange support. Still, there will be users who feel that the iPhone is a plaything when compared to the all-business Blackberry. May they enjoy their plastic QWERTY keyboards and multi-tasking prowess for years to come.
Ask TUAW: Silencing iPhone notifications, remote control a PC, printing over the internet, and more
Welcome back to Ask TUAW, our weekly troubleshooting Q&A column. This week we've got questions about controlling a PC over the internet, silencing iPhone email notifications at night, replacing a MacBook Pro SuperDrive with a hard drive, printing over the internet, setting iCal as the default calendar, and more. As always, your suggestions and questions are welcome. Leave your questions for next week in the comments section at the end of this post. When asking a question, please include which machine you're using and what version of Mac OS X is installed on it (we'll assume you're running Snow Leopard on an Intel Mac if you don't specify). And now, on to the questions.
LogMeIn to Mac users: No Hamachi² for you!
I'm not a fan of setting up Virtual Private Networks (VPNs). In fact, I've had so many issues with VPNs in the past that I now subcontract that work to a fellow geek who seems to have a knack for understanding the various settings. That's why I have been following Hamachi with great interest for the past several years. Hamachi is described in the Wikipedia as "a zero-configuration virtual private network (VPN) shareware application capable of establishing direct links between computers that are behind NAT firewalls without requiring reconfiguration (in most cases); in other words, it establishes a connection over the Internet that very closely emulates the connection that would exist if the computers were connected over a local area network." LogMeIn, a commercial firm that produces both free and subscription services for controlling other machines, sent out an email to customers on Thursday touting Hamachi², their implementation of Hamachi. LogMeIn has been deeply involved in Hamachi development, so the announcement was expected. What I didn't expect to see was that they've left both Mac and Linux users out in the cold. I quickly jotted off an email to LogMeIn and received this response: "Mac is not currently supported, we do plan on adding support for other platforms but do not have an ETA at this time." For quite a while, there was an open source project called "Hamachi X," but it's no longer supported. Another developer took on the task of creating a Mac OS X and Linux Hamachi client called Hamachi Sidekick, which is a GUI to a command-line Hamachi tool. Unfortunately, LogMeIn also pulled the Mac OS X command-line interface (CLI) version of Hamachi, so there's no way to even try the CLI tool or Hamachi Sidekick now. LogMeIn may tout Hamachi² as "a VPN that just works," but for Mac users, it just doesn't work.
Securing your iPhone web traffic with Hotspot Shield
Have you ever wondered whether the wifi data you send and receive with your iPhone or iPod touch at the local coffee shop or airport is secure? Well, I bet if you hadn't wondered that before, you are now. It's easy to forget that inside that cute little handheld device live the guts of an actual computer, and likely a lot of personal data. Depending on your surfing habits, you could be sending and receiving personal information in a non-secure way over public wifi. If you're concerned about your data's safety, consider using Anchorfree's Hotspot Shield free VPN service. Hotspot Shield has been a great way to lock down your laptop's wifi for a long time now, and just recently they have released instructions on how to take advantage of their service on an iPhone / iPod touch. Pleasantly, the service does not require that a program be downloaded to your device, but rather takes advantage of the iPhone and iPod touch's built-in VPN functionality. My only gripe with Hotspot Shield is that it can sometimes be challenging to get the VPN to successfully connect. Anchorfree recommends performing a quick reboot of your device to get your connection going, but in my experience even that can be a hit-or-miss scenario. But it's still better than letting that creepy guy that keeps hitting on the barista peruse my http requests. 'Cause I'm not paranoid, but I'm sure that's what he's doing.
Friday Favorite: ShareTool
Another Friday Favorite, our weekly opportunity to get all sloppy over our most-loved applications. If you have an always-on Mac at home, a decent upstream connection and another Mac anywhere outside of your home network, you might find ShareTool to be as useful as I do. It allows you -- with an amazing degree of simplicity -- to access your Bonjour services on a remote machine as if you were still within your home network. It does this over an SSH encrypted connection (and also automatically sets up a proxy for secure web-browsing over the tunnel). Yes, you can get some of these benefits with a simple SSH tunnel, or you could set up a VPN using HamachiX, but the simple fact that ShareTool "Just Works" makes it my favorite choice for everything from screen sharing to iTunes streaming. I use ShareTool on a Mac Mini, with an Airport Extreme Base Station on a connection that gets about 800k average upload speed. iTunes streaming is flawless, and remote drive access is as good or better than just using SFTP. Setup is as simple as choosing a port (defaults to 22, the standard SSH port) to share on and hitting "Share" on your home Mac. After that, you can set it to start at login, and begin sharing on launch. Then, on your remote machine, you just need to enter an IP or domain and the port, and the rest is automatic. You can select which Bonjour services to enable or just go for broke and enable everything. I've got a static IP these days, but services like No-IP and DynDNS work great if you have a dynamic IP address. ShareTool can even handle updating the dynamic IP service for you, so you don't have to run any daemons. ShareTool is provided by YazSoft, and a free trial is available for download on the main page. The pricing structure requires a license for every computer, and a pair of licenses costs $30USD (5 for $75USD). YazSoft provides free updates within a major version number (1.x customers get all 1.x updates for free). 
If you're looking for an easy way to keep your entire home network handy anywhere you go, it might be worth a try.
Dragontech's ioBox-1000, your own private network
Have you ever dreamt of having your own, self-contained network in your house or office? Have you ever wanted to take full control of every aspect of a network -- banning, blocking, adding, limiting and deleting whomever you choose? Well listen pal, your egomaniacal dreams are about to come true, thanks to the ioBox-1000, a "network appliance" from Hong Kong-based Dragontech. Designed to eliminate servers and "centralize" networks, the company's odd looking purple box does a little of everything. The system, which acts as a wireless router, firewall, and VPN, as well as a mail, FTP and printer server, can also house your own, quasi-unique domain names (blank.ioboxusers.com), and includes a p2p blocker for when you really want to put the kibosh on your worker's / children's fun. The mysterious Dragontech claims all this power can be yours for less than $5 a day, which, assuming they mean $4.99, is $1821.35 per year. Enjoy, root.
Shimo 1.0
VPNs are a staple of corporate life nowadays. They create a secure connection from your computer to your company's computers using a 'Virtual Private Network.' This allows you to access company documents via public networks in a secure fashion. Cisco is a big player in the VPN market, and luckily for us OS X users there is a Mac client that allows connections from Macs to Cisco VPN appliances. Sadly, it sucks. The interface isn't Mac-like, and while it works it doesn't offer up any nice features like Keychain integration or automatic reconnects. Enter Shimo, from nexUmoja. This little program offers up an alternative UI to the Cisco client that adds a number of features including Keychain integration, Growl notifications, and auto reconnecting. All of this is great and as a user of Cisco's VPN client you would think I would use this without hesitation. Sadly, the whole point of VPNs is to make your communications more secure, and I simply don't trust a third party app sitting between my encrypted data and the Cisco VPN appliance. That's just me though, I'm slightly paranoid.
Ask TUAW: GPS, Hamachi, student questions, and more
Wednesday is Ask TUAW time! This week we tackle questions on GPS solutions on the Mac, zero-configuration VPN with Hamachi, dealing with a slow starting Mac, as well as a couple of student questions on taking notes and using the Summarize Service. As always, please leave your own comments, and ask more questions for next week either in the comments to this post or using the tip form. Now let's turn to the questions.
Take your PC anywhere with RingCube's MojoPac software
If your remote access setup just ain't cutting it, RingCube Technologies has developed software that allows your iPod, external HDD, USB drive, or other fancy form of storage to be utilized as a "private and portable PC." MojoPac manages to cram your Windows XP desktop, settings, accounts, and even programs and preferences onto any portable storage medium to be accessed as a virtual desktop. The software essentially relocates your data to an on-the-go device, while it borrows the resources from any other Windows XP computer you manage to locate. RingCube touts the software's ability to run "side-by-side" with the host PC, allowing you to work in both domains while keeping all of your private info secure; since all data transmissions reportedly occur on your MojoPac-equipped storage device, no traces of your work (in cache form or otherwise) are saved on the host PC. Of course, the utility of such a setup is greatly reliant on the speed of your storage device, so attempting to render a Photoshop document from a USB 1.1 thumb drive would likely create a fair amount of frustration. Nevertheless, satisfying your curiosity here won't cost a dime -- MojoPac is currently available for a free month-long trial, after which the "introductory price" is $29.99 for the initial license ($14.99 for add-ons), while the late bloomers will pay nearly double that. [Via SiliconValley]
One Time Password DisplayCard heightens transaction security
While we were a bit skeptical when Chase sent us one of their questionably-secure RFID-equipped "Blink" cards last year, we're gonna be all over a new technology from several companies that actually gives credit cards a heightened level of security by generating a one-time passcode for each transaction, viewable on an embedded e-ink display. The OTP DisplayCard, as it's being called, was developed by InCard Technologies in conjunction with security firm nCryptone using technology from SiPix Imaging and SmartDisplayer, and is being targeted at financial institutions or at other companies as a replacement for the password-generating key fobs used to enable VPN access to their intranets. While the added security feature would come into play for both online and in-person transactions, it will probably be most useful for Internet purchases, making your credit card info almost worthless to identity thieves who can't get their hands on the card itself. Oh, and to answer the inevitable question: no, these cards will not be able to play Doom. [Via mobileread]
Setting up OS X as a VPN server
If you have spent any time in the corporate world you have probably heard of VPN. Virtual Private Networks are a way to securely connect to one network, say your work's network resources, from another place (like your home broadband connection). OS X server has a VPN server baked right in that allows both OS X clients and Windows clients to connect securely, but how do you set it up? Maclive.net has just posted a great article that explores setting up an OS X VPN server as well as connecting to that server from a Mac or a Windows box.