Tag Archives: hacking

Get online as safely as possible while traveling

I’ve backpacked all over the world, and a friend embarking on a similar trip asked for my advice about how to stay safe when using internet cafés and youth hostel terminals. This advice might be helpful to other budget travelers, so here it is.

It’s important to understand that you’re putting yourself at significant risk every time you use a computer that’s not your own (and sometimes even when you’re using your own computer). The safest way to access the internet while traveling is to only use your own computer or smart phone. But budget travelers can’t always afford to carry a computer or a smart phone. The risk of theft of an expensive laptop or smart phone is much higher when traveling, especially when staying in shared rooms in hostels. And, as every backpacker knows, every single pound (or kilogram) you carry counts tenfold when you have to run a mile to catch a train. Traveling with your own, trusted internet device is often not feasible.

Another option is to just never go online while backpacking, but this often is not feasible either. The internet has become a tremendous source of tourist information plus an amazing tool to meet and coordinate with other travelers. And the long-term traveler must go online from time to time, to check their bank balances, pay off credit cards and mobile phone bills, and communicate with loved ones. The only alternative to this is the telephone, which requires staying up late or getting up early, and navigating an expensive and foreign telephone system.

All this adds up to the uncomfortable fact that you sometimes absolutely must get online in the next few days, and your options for doing so range from mildly to completely insecure.

The general idea is to first categorize your online activities by how secure they need to be, then make an educated guess about the security of each computer you use, and use that as a guide for what you are willing to do online on that computer.

Step 1: Categorize your activities

Reading WikiTravel, finding hostels, or getting bus or train schedules doesn’t need a safe connection. If someone steals your password to a social network or CouchSurfing, the worst thing that can happen is that they use your account to say weird things to your friends, and you’ll have to reset your password or (worst-case) create a new account. Not that serious, in the great scheme of things. This, of course, assumes that you use different passwords for your different accounts, which is a good idea.

Checking your email needs to be a bit more secure, since with access to your email, anyone can impersonate you or steal your accounts on sites that use that email address. And lastly, making reservations with a credit card or logging in to your online banking are high risk, since with your credit card or bank details, you can be out of a chunk of money quickly.

Step 2: Categorize the available computer

Since I’ve never seen a single internet café running anything but Windows[1], and since I’ve seen only one youth hostel with Linux computers[2], I’ll only talk about judging the security of Windows computers.

The more professional internet cafés and hostel computers require you to log in, and usually you can tell if you’ve been logged in to a temporary, sandbox account, or if it’s the same account that every user gets logged into. If it’s the same account that every user uses, you’ll see personal files left on the desktop, in the trash, in the documents folder, and in the browser you’ll see browsing history and bookmarks and toolbars and plugins installed, etc, etc. If it’s a sand-boxed account, it should look like a pristine, clean install of Windows.

If it’s a Windows computer that you can just sit down at, don’t trust it. If there’s lots of random software visibly installed and files lying around, this means it hasn’t even been cleaned up recently. Use it to do research, but don’t type your passwords on it, and certainly don’t ever log in to online banking or type in your credit card details.

Sandbox accounts are much less likely to have malware installed, because only the owners/administrators, or someone who used an exploit to get administrator access, could have installed malware. If it’s sand-boxed, I generally feel ok logging in to my email, but I’m still wary about using it to log on to my online banking. In a pinch you could use Mint just to check bank balances, since it has read-only access to your financial information. Oftentimes I find myself making hostel reservations with my credit card on computers like this, but I’m never very happy about it.

Then there are places like EasyInternet, where users don’t have access to the filesystem, CD drive, or USB ports, you’re not allowed to download and run any programs, and where the entire Windows installation–not just the user account–appears to be wiped over the network each time the user is logged out. You can tell that the entire Windows OS is being wiped because the computer reboots as soon as you log out, and the startup process indicates that it’s booting over the network. These kinds of computers are the safest. These are the only places where I feel comfortable logging in to my online banking. There’s still a chance that someone administering the café is capturing your passwords, but there are probably only a few people who have enough authority to do so.

I also judge hostel computers to be more secure than internet cafés. Internet cafés are open to the general public, including locals who would have the time, and the motivation, to regularly visit the café, install malware, and gather the collected data. Hostel computers are generally used only by hostel visitors, which means a traveler installing malware would have much less time to install and troubleshoot the data-collection process, no chance to reinstall it when it gets removed, and would have to gather the collected data remotely. You still have to worry about a member of the hostel staff installing something malicious, but again, there are fewer staff members, so a smaller chance that it’s been compromised.

If the computer has Firefox[3] installed, I usually take that as an indication that they aren’t total morons about security. Even better if it’s set as the default browser. Installing Firefox yourself, and using it, protects you against malware in Internet Explorer, but not against malware installed on the system.

If you know anything about Windows, you could check the version of Windows it’s running and see how recently it’s had security updates installed, which would give you an even better idea how security conscious the administrators are.
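
One way to run that check, as an added example that is not part of the original post. It assumes PowerShell is available to the account you are logged in to (locked-down kiosks often block it); the function name Get-PatchSummary and the 60-day threshold are illustrative assumptions.

```powershell
# Added example: summarize how recently a shared Windows machine was patched.
# Get-PatchSummary and the 60-day default are assumptions for illustration.
function Get-PatchSummary {
    param(
        [int]$StaleAfterDays = 60
    )

    # OS name, version and build as reported by WMI/CIM.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Get-HotFix reads Win32_QuickFixEngineering, which does not list every
    # kind of update, so the newest entry is only a rough indicator.
    # InstalledOn can be empty on some entries; skip those.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object -Property InstalledOn -Descending |
        Select-Object -First 1

    if ($latest) {
        $age = [int](((Get-Date) - $latest.InstalledOn).TotalDays)
    } else {
        $age = $null
    }

    [pscustomobject]@{
        Caption        = $os.Caption
        Version        = $os.Version
        BuildNumber    = $os.BuildNumber
        LatestHotFix   = if ($latest) { $latest.HotFixID } else { 'none recorded' }
        InstalledOn    = if ($latest) { $latest.InstalledOn } else { $null }
        DaysSincePatch = $age
        # No recorded update at all is treated the same as a stale machine.
        LooksStale     = ($null -eq $age) -or ($age -gt $StaleAfterDays)
    }
}

Get-PatchSummary | Format-List
```

A recent patch date only tells you the administrators keep up with updates; it says nothing about keyloggers or other software they or a previous user may have installed.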

Other tips

If you can’t get to a secure computer and absolutely must access your bank account, most ATMs will let you check your balance and make transfers (and watch out for ATM skimmers). And staying up late or getting up early to call your bank, while a hassle, is much better than finding yourself stuck in a foreign country with cancelled credit cards and not much cash.

Always make sure you’re using SSL. If your bank doesn’t use SSL, switch to one that does. Gmail and most of the other major email providers allow you to log in using SSL. Use it. Don’t make credit card reservations if the site doesn’t support SSL. And don’t do any of this if the browser on the computer you’re using doesn’t support SSL.

The last step in staying secure while traveling is to change all your passwords and PIN numbers as soon as you are back at your home computer again. That way, if anything did leak, it’s rendered useless.

Those are my white-hat, benevolent-hacker notes about internet while traveling. Soon, I’ll post some true black-hat tales of hacking internet cafés to get free, or cheap, internet.

  1. No love for Mac OS X.
  2. High praise for Hostel Ruthensteiner, Vienna, Austria, running some sort of sand-boxed KDE, and where I felt almost as safe as on my home computer.
  3. I’ve never seen Safari or Opera in the wild, and Chrome was released after my most recent trip.

PottyMouth moved to BitBucket

I’ve moved PottyMouth to BitBucket.org, where you can keep up to date with PottyMouth releases, subscribe to feeds, request features, and contribute patches. (It’s also on PyPI.)

In the last few months, I’ve fixed a bunch of poor design decisions on my part around encoding and repr() within PottyMouth, and added new syntax suggested by users. The latest version is 1.2.0.

A tiny fix to the jQuery hint plugin

Here’s a tiny fix to Remy Sharp’s excellent jQuery Text box hints plug-in. Without this fix, jQuery’s val function will return the hint text if the text box hasn’t been filled out by the user yet.

Here’s the patch:

@@ -20,7 +23,7 @@
       $win = $(window);

     function remove() {
-      if ($input.val() === title && $input.hasClass(blurClass)) {
+      if ($input.realval() === title && $input.hasClass(blurClass)) {
         $input.val('').removeClass(blurClass);
       }
     }
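
Review bot: In remove(), only the comparison was switched to realval(); the $input.val('') call on the following line still goes through the overridden val(). It works because the setter path delegates to realval(value), but using $input.realval('') there as well would keep the plugin's internals independent of the wrapper and make it obvious that the raw value is being cleared.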
@@ -41,4 +44,17 @@
   });
 };

+
+$.fn.realval = $.fn.val;
+
+$.fn.val = function (value) {
+  var i = $(this);
+  if (value === undefined) {
+    return (i.realval() === i.attr('title')) ? '' : i.realval();
+  } else {
+    return i.realval(value);
+  }
+}
+
+
 })(jQuery);
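
Review bot: The assignment $.fn.realval = $.fn.val; is unguarded, so if this file is evaluated twice realval ends up pointing at the wrapper and every val() call recurses without end; guard it with if (!$.fn.realval) { ... }. The new getter also applies to every jQuery element on the page and compares only against the title attribute, so an input where the user typed text identical to its title reads back as ''; checking for the blur class, or a data flag set by hint(), would limit the substitution to fields that are actually showing the hint. The function expression is also missing its terminating semicolon.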

And here’s the full plugin with the patch applied:

/**
* @author Remy Sharp
* @url http://remysharp.com/2007/01/25/jquery-tutorial-text-box-hints/
*
* better val() method added by Matt Chisholm, 2009/07/27
* http://glyphobet.net/blog/essay/878
*/

(function ($) {

$.fn.hint = function (blurClass) {
  if (!blurClass) {
    blurClass = 'blur';
  }

  return this.each(function () {
    // get jQuery version of 'this'
    var $input = $(this),

    // capture the rest of the variable to allow for reuse
      title = $input.attr('title'),
      $form = $(this.form),
      $win = $(window);

    function remove() {
      if ($input.realval() === title && $input.hasClass(blurClass)) {
        $input.val('').removeClass(blurClass);
      }
    }

    // only apply logic if the element has the attribute
    if (title) {
      // on blur, set value to title attr if text is blank
      $input.blur(function () {
        if (this.value === '') {
          $input.val(title).addClass(blurClass);
        }
      }).focus(remove).blur(); // now change all inputs to title

      // clear the pre-defined text when form is submitted
      $form.submit(remove);
      $win.unload(remove); // handles Firefox's autocomplete
    }
  });
};

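// keep a reference to jQuery's original val() so the plugin can still read the raw value
$.fn.realval = $.fn.val;

// replacement val(): as a getter, return '' while the box still holds its hint (title) text;
// as a setter, pass the value straight through to the original val()
$.fn.val = function (value) {
  var i = $(this);
  if (value === undefined) {
    return (i.realval() === i.attr('title')) ? '' : i.realval();
  } else {
    return i.realval(value);
  }
};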

})(jQuery);

Hacking the Constitution

A vote for the President of the United States is actually a vote for an “elector” who pledges, but is not legally obligated, to vote for a specific candidate in the Electoral College. Forty-eight states then allocate all of their electoral votes to the popular vote winner in that state. This means that a candidate receiving the most votes nationwide is not necessarily the one that receives the most electoral votes and becomes President. If the popular-vote loser wins many states by small margins, and loses some of the others by large margins, they can win the electoral vote, despite losing the national popular vote.

This winner-takes-all system of allocating electoral votes also has the side effect of making a few “battleground” states the primary focus of election campaigns. Candidates descend on these states, funneling money and advertising into them, and tailoring their campaigns to win over voters there. Voters, of either party, in the remaining “spectator” states are effectively disenfranchised, and the small percentage of voters in the battleground states elect the president.

This isn’t even how the electoral college was intended to work. The framers intended that the electoral college would usually fail to choose a clear winner, instead nominating the most popular candidates for election by Congress. This hasn’t happened in over two hundred years.

Programmers have a term for something that’s neither operating as originally intended nor guaranteed to do what their users ask it to do. The Constitution is buggy.

Yet the Constitution is notoriously hard to change. A programmer might use the term legacy.

How would a programmer fix this? Find a way to hack[1] a bug fix into the legacy system.

What should the goal of the fix be? We should elect the president in the same way that every governor, mayor, senator, representative, city council member and dog-catcher[2] is: by popular vote. If popular vote is good enough for every single other elected office in this country and in many other democratic countries around the world, it should be good enough for the President of the United States of America.

How do we change the Constitution? Turns out we don’t have to. The founders left the allocation of electoral votes up to the states:

Each State shall appoint, in such Manner as the Legislature thereof may direct, a Number of Electors…
-U.S. Constitution

The appointment, and mode of appointment, of electors belong exclusively to the states
-U.S. Supreme Court

And the fix? The National Popular Vote Plan allocates all of a state’s electoral votes to the national popular vote winner. It only goes into effect once enough states pass it to command a majority of electoral votes. The electoral college won’t go away, but it will become obsolete. In programming terms, this plan ensures a buggy legacy system will never (again) get fed the kind of data that triggers the bug.

The National Popular Vote plan has been making its way through state legislatures for the last few years. I’ve brought it up in conversation a few times recently (because of my Visualizing the National Popular Vote plan project), and I’m surprised how many people don’t know about it. There should be a huge grass-roots movement behind this plan to re-enfranchise the electorate, but even smart, well-informed, thinking people haven’t heard of it. So please, if you agree with me and think the National Popular Vote Plan is a good idea, forward this page or NPV’s website to your friends, bring it up at parties, or support it with a donation. And if you don’t agree with me, forward this page or NPV’s website to your friends, bring it up at parties, or… well I guess I can’t expect you to support it with a donation.

Let’s get rid of this obsolete, broken, idiotic electoral college system once and for all.

  1. Note to non-technical readers: Among programmers, hack generally means a quick, clever, “outside-of-the-box” solution to a difficult or intractable problem. That is the sense in which I am using the term hack here. If you think the National Popular Vote plan is about subverting or circumventing the constitution, you have misunderstood it.
  2. My thanks to Hendrik Hertzberg, National Popular Vote’s bulldog, in whose writings in the New Yorker I first heard about this clever plan. I believe the inclusion of dog-catcher in this list is due to him but I cannot find the exact quote.

Another Ubuntu release, another core regression

It’s business as usual over at Ubuntu headquarters. This time the “Root Terminal” menu item, installed in the system menu by default for at least the last few years, is suddenly broken. Irate users commenting on bug reports in Launchpad are dangerously close to starting a full-blown flame war:

Sebastien, your comment seems to imply that Launchpad bug reports are a waste of time. Is this really what you meant? I had been under the impression that Launchpad was intended to be a gateway/portal for bug reporting. If Launchpad reports do not get forwarded upstream automatically once triaged then what purpose does it have? –Russel Winder

and:

With all due respect Sebastien — I can hardly believe that
I’m reading this: “ubuntu only distribute it”.

(why even have a bug reporting system in the first place,
one wonders, btw.). –bjd

(That’s right, those are in response to the same Sebastien Bacher I took to task for unhelpful comments on other bugs last year.)

The bug itself isn’t Ubuntu’s fault, but the fact that the menu item survived intact in the default Ubuntu configuration despite being non-functional for (at least) the last four months speaks volumes about what passed for testing on Jaunty Jackalope[1].

Temporary workaround, until Gnome fixes this regression and Ubuntu inherits it: change the menu item to gnome-terminal -e 'sudo -i'. It took me longer to write this paragraph than to change that.

  1. I’m not even going to get into how the “upgrade” process left my system unable to find the root filesystem and therefore unbootable. My memory, and a judicious application of grub-fu, saved the day, and since I’m unwilling to downgrade to Intrepid and then re-upgrade to Jaunty, this bug must remain un-duplicable and un-reported.

The Fifth Bottleneck

CodingHorror points out that the game of “find the bottleneck” that is computer performance optimization is always looking for a bottleneck in CPU, disk, network, or memory.

But there’s a fifth bottleneck — a fifth resource most applications wait on. The user.

If an interface is too difficult to understand, or if an action takes too many clicks or keystrokes, the application will be stuck waiting on the user. If an interface is really bad, the application will sit idle while the user is searching for “how to do X in ProApp 8.0,” or reading the manual, or asking their friends for help, instead of working. And the ultimate interface failure, when a user decides to stop using an application, means, from the point of view of performance, that it will never complete — it’s blocked forever.

Sure, a bad interface won’t slow down a computer. But it does slow the user down. And that’s why programmers care about performance – because we humans want to complete our tasks faster, not because we want computers to complete their tasks faster.