Chile Forum

Let me put it this way. If you do not have advanced understanding of computer security, you should not connect a windows computer to the internet (dang, there just went half our members). Really, I am not joking. Windows was never designed, and still is not designed, to be connected to the internet.

Those security companies you used to scan your Linux computer, are in the business of selling security software because windows is insecure.

Open ports on a computer are not by themselves insecure, and I guarantee you there is no such thing as an invisible computer (that is plugged in). Just a computer that is harder to find. Computers all over the world have open ports, that is how the internet works. You would not be looking at this web site right now if it did not have open ports. I spend lots and lots and lots of time and money trying to get people to find my open ports (on my server).

The difference between windows and linux is that when you close a port, it is really closed. It is not going to be opened behind your back by some software update, spyware, or some program you installed unless you give it permission to do so. Even if it is, what someone can do once they are in your computer is carefully restricted.

The problem is how easy or hard it is for someone to do something they should not be able to do on a computer system when they do connect to those ports. That is matter of the OS, and software security setup. One that windows is notoriously bad about. Even when you think things are secure, it is false sense of security as no one has the ability to audit the code of the programs running on your computer. A security expert could not even honestly tell you if your windows computer is secure. Well, not until it got hacked anyway.

Check this for more details.
http://it.slashdot.org/article.pl?sid=08/03/29/1414218
http://www.theregister.co.uk/2008/03/29 ... _standing/

Still your biggest security hole on the internet will always be YOU.

Don't ever click on links in your emails that claim to be from your bank and especially Pay Pal.

Type in the address directly in to your browser.

Make sure you get an encrypted SSL connection to your bank web site, and the security certificate is good.

If you are really paranoid about online purchases, setup a separate ATM enabled account just for online purchases and only expose that card with just sufficient money to make your purchases. That way if it is every breached, you can do damage control.

A second hard drive is not going to protect you in any way shape or form by itself from phishing scams and the like.

In 8+ years of using Linux, and 10 years of online banking, and 10 years of buying stuff online I have never had a problem. Never had a virus either because I use Linux. The only viruses I have had lately where the biological type.

If you still insist on using windows, buy a linux based router to put it behind. Most routers these days use some form of linux or at least the iptables firewall security concept in their operating system. I am not aware of any company making router / firewalls running windows.

El Zorro wrote:I’ll have a dedicated hard rive just for Internet banking with the bare minimum installation and several partitions.

If you're going to do that, just use a bootable USB drive. Puppy Linux (very small) and Firefox. Depending on how secure you want to be, you can go further by using TruCrypt (free) to encrypt the entire pre-boot partition. It uses a boot loader to prompt for the passphrase before proceeding with the OS boot. (If you want to totally gonzo, install Tor (free) to anonymize your network activities. Tor and partition encryption make it slow.). You can take it with you and use it at public computers if necessary (although internet cafes get nervous about people rebooting their systems.). Google for TruCrypt and Tor.

The only problem with this arrangement is that, if something gets on this portable system it will be there every time you boot. If you want to be completely protected from that, you should run the VMWare Player (secure browser appliance) within this isolated (and potentially encrypted and anonymized) OS. Then, as long as you don't use the normal browser (I'd suggest deleting it) nothing could ever imbed itself in the system. The VM guest would be like a DMZ, containing all the web activity, "forgetting" it with each restart of the guest within Player.

To me, that would be the safest, easiest and most flexible thing to do (if you're going to go as far as you described). As you mentioned, you could also boot a Live CD of Ubuntu. But, as security patches come out for a specific release, you wouldn't be able to patch the system. You also wouldn't be able to store files to your environment (notes about transactions you've made, addresses, phone numbers, etc.). But, you're right, booting a Live CD is a very safe thing to do.

El Zorro wrote:By the way, your comment about that “secret questions are shared,” are you talking about sharing by those who elicit them, or by people around you who might also know the answer to a question having to do with your own life?

Both. Never assume financial institutions know what they're doing, or hire quality people. I forget if it was Bank of America or Wells Fargo, but one of them used the "branded image" thing to foil phishers and pharmers. The idea is: you'd upload a personal image to your profile which they'd display when you login, so you'd know you reached the authentic website. The problem is, they implemented it by soliciting your userid, retrieve the image associated with that userid, and display the image when prompting for the password. This meant a phish or pharm attacker could direct you to a fake site, solicit your userid, pass it to the authentic site (using a mechanize script), scrape the image from the authentic site and display it to you on the fake site (prompting for password). What started out as as a great idea was completely bungled -- helping attackers gain customers' trust.

So, rule #1: They don't know anything more than you do about security. If you know a little, you probably know more.

Which leads to the issue of "secret questions." Most secret questions solicit factual answers. Mother's maiden name; first high school; city you were born; favorite pet; first car. If you answer those truthfully (which you have to do if you're going to remember them, especially at multiple sites) you're vulnerable to an employee taking that information and using it to impersonate you at a different institution. Or, a stranger could learn much of this information. It doesn't seem serious -- except these are the keys to calling up and saying "I forgot my password, please reset it." It's the key to everything.

I use fake answers and keep them written down. I keep the book secure. I take it with me to Chile. That and two-factor authentication (and the use of a NAT router) are the only things I'm fanatical about.

Mark

admin wrote:Windows was never designed, and still is not designed, to be connected to the internet.

A router with NAT address translation and SPI stateful packet inspection will correct about 99.9% of that problem. They only cost about $40 US.

admin wrote:If you are really paranoid about online purchases, setup a separate ATM enabled account just for online purchases and only expose that card with just sufficient money to make your purchases. That way if it is every breached, you can do damage control.

Some credit cards allow you to generate a one-time "credit card number" to buy things online. The Schwab card has this. But, I've never used it. I should.

admin wrote:A second hard drive is not going to protect you in any way shape or form by itself from phishing scams and the like.

More accurately, nothing will protect anyone from anything. That's the problem with security. It boils down to what a person can live with (risk and effort). Linux is more secure than Windows, but unuseable by a huge number of people. So, there has to be lessor options. And, even Linux isn't 100% secure. Like Firefox's early days, much of its security may lie in the fact that it's not widely used (yet.). Hackers go after the big numbers. If Linux was more popular as a desktop, I bet we'd hear more about exploits (just as we've begun to hear about Firefox).

admin wrote:If you still insist on using windows, buy a linux based router to put it behind. Most routers these days use some form of linux or at least the iptables firewall security concept in their operating system. I am not aware of any company making router / firewalls running windows.

It's not Linux that makes a router safe. It's the functionality of isolating though translation the wide area network from the local area network. BlackIce (software firewall) running on a Windows client is as safe as using a router. Although, security people would delve into behavioral issues (someone might uninstall it, forget to install it, connect another computer... A router makes it easy to set it and forget it.).

Also, I don't think it's true that all routers use Linux. Linksys did, and got hit with not abiding by the terms of the GPL. That router is the WRTGL54L. They replaced it with a new version called the WRTGL54. I'm not sure what they did. Maybe switch to Free BSD which is more friendly to such commercial uses. But, it could be true they all use a form of Unix (for a variety of reasons from customizability to it being free).

Mark

BTW: What's nice about those Linksys WRTG54* routers is that they can be re-flashed with open source firmware (openWRT and a couple others) with more security features. Like multiple WPA keys so you can share broadband with others without revealing your own WPA key. And, putting each connection in its own vlan (so shared users can't get into each other's subnet, and more importantly, yours). Also QoS features (to give priority to sensitive protocols like VOIP). Re-flashed routers can then be used with some other software to create true hotspots (various authentication to gain access, like purchased time, password of the day, etc.).

I think there are other brands that can be re-flashed. But, it seems like most enthusiasts go with the Linksys models because that's where it started (after Linksys was forced to release their source code to comply with the GPL a few years ago after using Linux.).

Mark

El Zorro wrote:is it a common feature or just something that is not that common?

Common. Normally you use the bank's online system and setup "external accounts" using the bank's routing number and your account number (information on the bottom of a check. However, savings accounts can be setup too.). After it's setup, you just get online and initiate a transfer (from or to) the external account.

Institutions have different ways of setting it up (and letting you specify if it's just "from" or "to" or both). Some, like PayPal will make a couple deposits (of a few cents) to your account to confirm it. You see the deposits (using that institution's online banking system) and go back to PayPal and enter the amounts you saw. If they're the correct amounts, you're done. Schwab's setup is more manual. You make the request online. They do something. A few days later you have to call them and verify your identity (secret questions again).

I don't set this up at every bank so I can push/pull from every bank to every bank (like a network). I only set it up at Schwab and PayPal (like a hub and spoke) because they have two-factor authentication, which makes it less likely someone can get to my "hub." I really use Schwab as the hub. PayPal's just a backup in case something goes wrong at Schwab. (PayPal pays good interest. I keep some cash there. Now that I think about it, I could use eTrade if they have two-factor authentication.).

All the transfers I've seen are free. They're treated like an electronic check. They go through the automated clearing house (ACH) like checks. Shwab takes 1 day (if you schedule it before a certain time of day). PayPal takes 3-4 days. (Someone's making money on the float.).

Mark

eeuunikkeiexpat wrote:Be aware there are daily and monthly caps on ACH transfers. For poor expats like me, not a problem. For high rollers, you may have to resort to electronic checks or wire transfers.

Isn't that usually on savings accounts? All the checking accounts I have are unlimited ACH.

I'm not a high roller. My multiple bank accounts are just backups. They have nothing in them.

Mark

Any restrictions/paperwork attached to large cash deposits to Chilean banks? Here it's gotten weird, $3K or more in cash and they start filing out a form! I may bring $9k with me when I go in July and wondered if there was a protocol to follow.

over $10,000 US you have to do money laundering law compliance paperwork. You need to prove where money is coming from and where it is going.