My first mention of security on this site was when I did a mini review of the Pepperpad 3 in October 2006.
…I was able to check for software listening on IP ports. It all looks pretty clean and with the automatic updates, there should be no need to worry too much about security. Low maintenance is always a good thing.
In 2020, Chromebooks, also based on the Linux kernel, have hit the mark and are now one of the most secure laptop types you can buy.
PC and smartphone operating systems were not built with today’s risks in mind, and they’ve got worse. There’s more code in the operating system now, more 3rd-party applications, more sensors, more connectivity and more people to exploit, creating ‘business models’ that were never imaginable.
The next time you join a new WiFi hotspot think about this: Is the site you’re looking at really the site you think it is? Is the DNS server really serving the correct IP addresses? Is the ISP behind the hotspot someone you trust? Do you trust everyone on the network that you’ve just connected to? How many of your apps have access to your location, permission to use your social networks, WiFi, your contact and SMS information and even to an unencrypted version of your internet traffic?
Last December I was teaching journalists about internet security and privacy in Ukraine. As part of a demo I set up a ‘fake Internet’ using about 150 euros of equipment. I served up a router, DHCP, DNS and even faked a Facebook login page. After I had logged into the Facebook page I turned on the projector which was connected to my Linux-box-Internet, did a search on Wireshark and read out my password. It was easy, cheap and effective and that was just in a class of 20 people. Can you imagine what goes on at the CES show in Las Vegas? At every airport in the world? At the cheap cyber café and on that open hotspot you found from your apartment?
If you are about to connect to an unknown hotspot, don’t use a Windows PC unless a) you’re happy with the risks or b) you’ve taken time to harden your PC with the 13-point checklist below. Easy, isn’t it? NO IT ISN’T. The checklist is unworkable for most people.
Windows on a public hotspot checklist. (For increased privacy and security.)
1. If possible, use a PC with an encrypted disk. (Microsoft BitLocker is available for free on some low-cost Windows devices and on all Windows ‘Pro’ installations, e.g. all Surface Pro devices.)
2. Turn on Secure Boot in your BIOS if possible and (as a minimum) add a BIOS boot (or BIOS admin) password. Create a long 15+ character Windows password for all accounts.
3. Install OS updates and reboot.
4. Check that the firewall is on.
5. Update the anti-virus and run a check.
6. Run CCleaner (also check and clean the auto-start-up list) and Spybot.
7. Create a non-admin account. Log out and log back in with the non-administrator account. For more privacy, don’t log in via a provider account (e.g. Microsoft, Google).
8. Use an up-to-date Chrome with the HTTPS Everywhere and Privacy Badger extensions enabled. Don’t link Chrome to a Google account unless you trust Google. (Run an Incognito browser window.)
9. Hardwire your DNS to your ISP. If you trust Google, they have a good DNS service at 8.8.8.8 and 8.8.4.4. (Don’t use the DNS given by the hotspot.)
10. Use the Zenmate extension to tunnel and encrypt web traffic or buy a good VPN to tunnel all traffic. (I’m using HideIPVPN’s UK tunnel.)
11. Use Startpage.com as your search engine if you don’t want Google to store your searches / IP address. Startpage can also be used as a proxy.
12. Avoid using cellular data if you don’t want to be location tracked. (Turn off A-GPS / location services on your phone too.)
13. Do not leave your PC unattended.
Enjoy your coffee!
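Several of these points can be read straight from Windows instead of being clicked through by hand. The script below is an added example, not part of the original article: it audits disk encryption, Secure Boot, the firewall, anti-virus state, the account type and the DNS servers (points 1, 2, 4, 5, 7 and 9 in list order). It assumes Windows Defender is the anti-virus; `Test-Point`, `$TrustedDns` and `$MaxSignatureAgeDays` are hypothetical names and values chosen for this example.

```powershell
# Added example (not from the article): read-only audit of the checklist points
# that Windows can report on itself. Run in Windows PowerShell 5.1 or later.
# Assumption: $TrustedDns holds the resolvers you chose for point 9.
$TrustedDns = @('8.8.8.8', '8.8.4.4')
$MaxSignatureAgeDays = 3   # assumption: what counts as "updated" anti-virus

function Test-Point {
    param([string]$Point, [scriptblock]$Check)
    # Make cmdlet errors terminating so a check that cannot run (no rights,
    # cmdlet missing) is reported as UNKNOWN instead of passing silently.
    $ErrorActionPreference = 'Stop'
    try   { $state = if (& $Check) { 'OK' } else { 'FIX' } }
    catch { $state = 'UNKNOWN' }
    [pscustomobject]@{ Point = $Point; State = $state }
}

$me = [Security.Principal.WindowsIdentity]::GetCurrent()

$report = @(
    Test-Point '1 System drive encrypted (BitLocker)' {
        (Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus -eq 'On' }
    Test-Point '2 Secure Boot enabled' { Confirm-SecureBootUEFI }
    Test-Point '4 Firewall on for every profile' {
        -not (Get-NetFirewallProfile | Where-Object { "$($_.Enabled)" -ne 'True' }) }
    Test-Point '5 Defender active, signatures recent' {
        $s = Get-MpComputerStatus
        $s.RealTimeProtectionEnabled -and $s.AntivirusSignatureAge -le $MaxSignatureAgeDays }
    Test-Point '7 Logged-in account is not a local admin' {
        # Direct members of BUILTIN\Administrators only; nested groups are not expanded.
        -not (Get-LocalGroupMember -SID 'S-1-5-32-544' |
              Where-Object { $_.SID.Value -eq $me.User.Value }) }
    Test-Point '9 DNS servers are the trusted ones' {
        $dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
               Where-Object { $_.ServerAddresses -and $_.InterfaceAlias -notlike 'Loopback*' }
        $untrusted = $dns.ServerAddresses | Where-Object { $_ -notin $TrustedDns }
        $dns -and -not $untrusted }
)
$report | Format-Table -AutoSize
```

Points 1 and 2 need an elevated session and show UNKNOWN otherwise; point 7 is only meaningful when run from the everyday, non-elevated login.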
Fortunately there are easier ways. You can ignore most of this list (points 1-7) if you use a Chrome OS device, and a Chromebook is probably the cheapest, easiest way to do it. That’s why I’m encouraging you all to think about adding a Chrome OS PC to your PC portfolio. I’m not asking you to replace anything, I’m simply asking you to consider spending $150 on your security.
A Chromebook is not 100% secure but it’s probably the cleanest consumer computing device you can buy. Even if you don’t trust Google, a Chromebook is still the cleanest consumer computing device you can buy. When it comes to online security, the Chromebook is the easiest recommendation I can make. Again, if you don’t trust Google, you can still use a Chromebook without a Google account.
Chrome OS was built from the start with security as a key consideration. Chrome OS is also simple and fast and that’s the bit that makes it so easy to recommend. My only problem with ChromeOS is that I can’t get it as a dual-boot option or on a mini, lightweight 2 in 1 that I can take everywhere. Like the ASUS T90 Chi for example.
The Lenovo N20p [N20p review] is my most-used device at home because it’s a no brainer. Which one of my 10-20 PCs is likely to be the fastest to boot? The Chromebook. Which one is most likely not to have to be rebooted after booting just to get the latest security patches installed? The Chromebook. Which one is not going to take 2 minutes before I can use the full speed of the disk and CPU? The Chromebook. Which one is likely to have some battery life left after a week of not being used? The Chromebook.
Again, a Chromebook is not 100% secure, but unless you’re into air-gap computing, sharing files over a temporary intranet (I find the MiFi with microSD card and no SIM card to be a useful solution in this case), have dumped your smartphone and are very familiar with the Tails Linux-based distro on a PC where you change the MAC address daily, then don’t knock it. The Windows security landscape is terrible in comparison and the average Linux distro is rarely a problem-free experience when installed on a modern laptop. OSX might be a reasonable solution, it’s true, but there are also a lot of unknown quantities there. [Note: I have never assessed an OSX PC for security and privacy. Your comments are welcome on that topic below.]
For security’s sake, get a Chromebook. Add the HTTPS Everywhere and Privacy Badger plugins. Enable them for guest-mode/incognito mode usage. Consider and research ZenMate as an HTTP VPN and use Startpage.com as your default search engine to avoid Google having a list of searches against your IP address. Get a real VPN solution and learn how to configure it in Guest Mode on ChromeOS. Learn the 60-second Power Wash. Configure DNS to use Google 8.8.8.8 or find and configure your own trusted DNS and you will be in a position to switch on and go browsing without any significant worry, unless you’re doing something naughty!
Related article: 7-steps to the best Chromebook security.
If you’re concerned to the extent that you go into in this article, DON’T USE CHROMEOS. You should be using Linux. It’s really not that hard. Dell sell laptops with Ubuntu, but installing it yourself is easy on the right hardware (incl. most Chromebooks).
If you want a Windows PC most of the time, but occasionally want extra security on the road, don’t buy a second device, disable that Secure Boot and boot Linux from USB.
If “public hotspot” = unsecure hotspot, then yes, doing all those steps is wise and appropriate.
I don’t know about the situation in Germany/Europe, but here in Korea every hotspot is using WPA2 with AES encryption as any open wifi would get abused in no time. And since it’s such a technologically-advanced country with a rather nefarious set of neighboring countries and plenty of skilled domestic citizens also bent on abusing any potential loophole, the ISPs are extremely serious about setting things up properly, and the average cafe either uses companies that specialize in security or direct from the ISPs – who provide every router with a complex password and unique login passwords/IDs as well. Yes, someone could easily use the same SSID and password as the “official” router and get some people, but given the amount of wifi noise there is in this country, and how dense most buildings’ structures are, it’d be a drop in the ocean. To elaborate on the “noise”: from my plucky little apartment on the 12th floor of an antiquated apartment building, I can pick up over 100 different routers after just a few minutes of scanning with WirelessNetView, all without moving my laptop an inch. (And the building is a giant mound of concrete and steel. There’s a reason why people call Seoul a jungle of concrete, glass, and steel.) But I digress.
The standard advice is likely still the best advice: don’t do anything sensitive (banking, logging into primary email, etc.) on a wifi connection that you aren’t 100% confident is secure. And use UAC for goodness sake! (The pretentious crowd that complained about UAC back in the days of Vista are the ones that deserve the consequences of using weaker default settings. They’re also likely the ones that would disable secure boot so they could dual boot, and also mess with firewall settings–which in Windows 8 is kept on by default for all private and public networks.)
I guess I’ll be pinging Mark Russinovich and other MS folks on Twitter to get a response regarding the current state of security (wifi and otherwise) with Windows. If I spend $150 on a placebo, it better be something that helps me to do the work I need to get done.
I can’t help but feel like your suggestions and the way you present them are a little off-kilter with the topic. While the steps you show above are good advice, steps 1-7 are not as difficult, or as strong in this situation as you imply – in fact none of them would help in the demonstration you yourself did. Particularly from the context of the article, these suggestions are not unique to public networks, but apply to every typical Windows installation in current times.
1) Good advice but only protects you from physical security concerns, not remote attacks. Also, this is not unique to Windows, the same advice applies to OSX and Linux.
2) BIOS/UEFI mostly the same as step 1 and less important except in very particular and rare circumstances.
3) Should be automatic on most current Windows installs unless the user actively disabled them.
4) Again, default on all modern Windows installs, especially for public networks where the firewall rules are more strict. The point should really be don’t pick “Home” or “Work” when you are on a public network – or heck, unless you know you need them.
5) Yet again, default on most modern installations thanks to Windows Defender in Windows 8 including the av components from Security Essentials.
6) This isn’t bad advice per se, but be careful unless you have a known problem, as CCleaner and Spybot can cause problems via overly aggressive cleanup. I also don’t recommend actively using both at the same time except for when you are trying to do cleanup after infection by persistent malware, as that can lead to performance and other problems at times. Neither are that effective at preventing problems anyways – or at least little more effective than Windows Defender is these days on its own – they are more for damage control.
7) Good advice – though not as critical as it used to be before UAC, one of the benefits of UAC is the very fact that you don’t need to be logged in as an admin to do admin tasks, and that can help protect you if an exploit normally bypasses UAC somehow.
For the average user, nothing above solves the single biggest security problem with Windows – the user themselves. The main reason Windows is a vulnerable platform is because of malware out there that users willingly install by clicking on the wrong thing, or going to dubious sites where you find modules that exploit vulnerabilities in flash and java – these days from links on facebook streams as much as pirating and porn sites. As a system administrator, most infections I have seen in the last 10 years have been due to user behavior, and I believe every infection except for one that I have seen since the release of Windows 7. Thankfully, due to UAC and non-admin accounts most of these infections are isolated to the user profile and easy to clean, but if they are particularly bad there’s no easy way to clean it beside reloading, and often having antivirus and Spybot on and up to date made no difference.
If you are concerned about malware and don’t feel comfortable protecting yourself from it via the methods above and smart behavior, then yes *anything* but Windows is going to be safer. As you say about ChromeOS, don’t expect it to be 100% foolproof – OSX malware pops up on occasion now, and while the Chromium engine is solid, Google is not perfect at keeping the underlying OS secure – most Android devices out there are still running with known Linux-originating exploits that only aren’t an issue because they aren’t easy or popular to exploit. User-space malware that mines your data or runs for someone’s DDOS network is technically possible on OSX and Linux as well, just much, much less common because the lower profile and added difficulty means it’s harder to spread around.
But really, if you are a concerned Windows user and are trying to be smart, all these first steps should be taken at home as much as at Starbucks. They all apply to either physical theft or web browsing anywhere on any network, with the one exception of remembering to choose that you are on a public network so you have the correct firewall settings.
The rest of the steps you list are all great for ensuring privacy and avoiding sniffing or man in the middle attacks, which are the real risk that is more unique to public and spoof networks – and those suggestions apply regardless of what OS you use. They are also the most difficult steps for the average user to understand and follow correctly, so again, I don’t understand the focus against Windows being the hard part. The point you are making makes sense, yes ChromeOS *is* less vulnerable and a good alternative if it serves your needs. But the way the point is made doesn’t, because getting on a public network for an even moderately secure Windows 8/8.1/10 user does not significantly *increase* their risk any differently than it does for a ChromeOS user.
Per one of my comments above I do have one more suggestion to add for Windows users – Use Flashblock, and keep Flash and Java up to date! – The one infection not due to user error I mentioned on Windows 7? Happened on my own machine and I was able to track it back to a flash ad that had been slipped into a trusted ad network and used a vulnerability to install an obnoxious little piece of adware. Flash is a horrible little piece of software from a security standpoint, and it’s a good thing it’s dying out. :)
Nothing is secure. Not even Linux. It is known that government agencies have their guys contribute to the Linux kernel code. Nobody has time to audit everything.
Your option is to go with the devil you know. ChromeOS is unknown.