By Jonathan Yarden
While recently on vacation, I needed to check my e-mail. By nature, I'm wary of any type of Internet cafe. I don't have anything to hide, but I don't like the idea of someone being able to monitor my activity.
Someone can easily monitor your activity at an Internet cafe, and don't think that using HTTPS or SSL guarantees your privacy. For example, hardware keystroke loggers can fit inside a regular keyboard. But that requires some effort, and there are far simpler ways to lose your privacy.
I use about a dozen e-mail addresses, not counting the ones I use to collect junk e-mail. When I'm away, I typically use either my Hotmail or Yahoo account, since many Internet cafes don't offer much more than Web access and online games.
But this time I forgot to notify people to use my Hotmail account for contact while I was out of town. So here I was, in the middle of Eastern Europe, in desperate search for Telnet or Secure Shell (SSH) so I could check my e-mail on my workstation back in the United States.
I thought about the risks, and I even considered using Telnet to gain access to my workstation and subsequently my e-mail before I caught myself. I was going to Telnet to another system and then use SSH to gain access to my workstation. It seemed like a good idea for about a millisecond, but it didn't secure anything.
I decided to figure out another way to do it. I asked if I could download PuTTY, a simple SSH client for Windows, but they said no.
One of the attendants suggested I use Outlook Express, which was available on all of the Internet cafe workstations. I didn't reply back, but I thought the suggestion to download all of my e-mail to a publicly accessible computer was absolutely crazy!
I decided to see how many people willing to do just that frequented this Internet cafe, so I launched Outlook Express and found several e-mail profiles on the computer I was using. But you have to know the password to be able to switch profiles, right? No: Nobody who wants to read your e-mail needs passwords. The computer doesn't protect the files on the hard drive in any way, and you can read them with Windows Explorer.
Just for fun, I decided to snoop. To put it mildly, I know a lot more about some of the people who use that Internet cafe than I should. I finally decided to talk to an attendant, introduce myself, and tell him what I found, hoping that I might be able to leverage the installation of PuTTY on one of the computers so I could use SSH to read the e-mail on my workstation.
I was expecting gratitude for bringing attention to this glaring security problem. Instead, they threatened me and accused me of being a hacker trying to steal people's information.
Trying to avoid problems, I apologized and explained that I just needed to access my e-mail. I smoothed things over by showing them some of my online articles to prove I wasn't a bad guy, and I paid a little more for access.
I decided to just use my Hotmail account and e-mail my office to tell them to forward my mail to the Hotmail account. By mistake, I forgot to check the Do Not Remember My E-mail Address check box. By the time I returned to the United States, I had about a dozen junk e-mails.
Whether these were the result of leaving my Hotmail address on a computer in an Internet cafe in Eastern Europe, I'll never know. But I'll think twice before using another Internet cafe, that's for sure.
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.