VPN options

Since I’m moving into a hotel for a couple of months at the end of this week, I’ve been shopping around for a Virtual Private Network.

The type of VPN I’m talking about is not the kind that one uses to connect securely to an office network. What I’m talking about is a VPN that provides encryption from a PC to a remote VPN service. This type of VPN protects data while the bits are ‘in the air’ over a public WiFi connection. Once it reaches the VPN company, it’s decrypted and sent along to intended destinations via a wired connection. What you get out of this kind of service is, essentially, a greater level of insurance that your internet activity over public WiFi will remain safe and secure.

When I first started looking into this, I found that there’s a question of whether or not this is really necessary. I found two categories of opinions in my research. Some people feel that it’s generally OK to forego the use of a VPN while engaged in general browsing at a public WiFi hotspot, but it’s best to wait until you get home to do anything sensitive involving passwords. Mail is a particular concern here. This camp notes that it’s generally safe to engage in password-protected activities provided you ensure you’re on a secure connection (i.e. https). However, this is generally not the safest option. Most of the comments I came across suggest that it’s a best practice to use a VPN connection whenever you tap into a public WiFi hotspot (even if you’re on a wired hotel connection), and doubly so if you are going to be on said public network for an extended period of time.

I’m opting for the more secure solution. It’s a low-cost security measure. It’ll give me peace of mind. But which trusted service should I use?

I started out by trying two free options. The first is the popular HotSpot Shield. This service works as advertised, but I found that it notably decreased my connection speed. It also requires the installation of an application that resides in the menu bar. When it’s launched, it fires up an ad-based browser page that is a bit obtrusive, but not too bad. All considered, I concluded that it’s a good option if you’re looking for an occasional-use VPN while, say, at a coffee shop for a few hours. Hotspot Shield also offers a free iPhone VPN option. While the iPhone service was very simple to set up, I could not get it to work on my iPhone after trying for several days.

The second free VPN option I tried is called ItsHidden. The caveat with this free service is that you’re booted off of your connection every 20 minutes. If you don’t want to be disconnected after a set period of time, the service offers a pay option for $12.99 a month. There are two things I liked about ItsHidden. First, it requires no software installation. Second, it was a lot speedier than Hotspot Shield. However, I felt uneasy about entrusting my long-term online activity to the service. Their website offers no clues about who they are, where they’re located, or how long they’ve been in business. And, frankly, it looks like the site was put together in someone’s basement. It doesn’t inspire confidence. I read in one forum that the main reason this service was set up is to accommodate BitTorrent traffic. I’m sure there’s a lot of legit BitTorrent traffic taking advantage of this service, but I couldn’t shake the feeling that it was, well, kind of shady. So I moved on.

I narrowed down my options to two popular pay options from long-established VPN companies. One is called WiTopia. The other is called HotSpotVPN. Both appear to be great options. The deciding factor in my case was that WiTopia only offered a year subscription, while HotSpotVPN offered month-to-month (and even daily) rates. If you are looking for a long-term relationship, WiTopia is substantially cheaper. They offer one year of 256-bit encrypted SSL service for $60 (in comparison, HotSpotVPN would cost about $138 for a year of 256-bit SSL).

The nice thing about HotSpotVPN—in addition to short-term rates—is that the SSL option offered by the company comes with an additional free PPTP connection, ideal for setting up VPN on an iPhone or iPod Touch. I opted for the cheaper $10.88-a-month Blowfish 128-bit encryption option after reading in several forums that this amount of encryption, while on the low end of the spectrum of what’s available, is more than adequate.

So there you have it. I signed up yesterday. It works great on my Mac and my iPhone. Significantly, I’ve found no noticeable speed difference while using it. Setup is quite easy: HotSpotVPN e-mailed me a zipped file with my encryption keys and certification files with easy-to-follow instructions about how to install them in my user Library. They also offered up the option to install Tunnelblick, an open source GUI for OpenVPN on the Mac (OpenVPN, I’ve learned, is used by most consumer VPN services).

I can’t comment on Tunnelblick, however, because I didn’t install it. I use an alternative paid VPN client called Shimo for my VPN connections, which I highly recommend. If you’re curious as to why I use Shimo, the main reason is that it seamlessly imports Cisco VPN settings (which is what I use for work). If you’ve ever used the abysmal Cisco VPN client, you’ll understand. Shimo allows me to easily switch between Cisco and, now, my new HotSpotVPN service. I can connect and disconnect from each VPN service in seconds.

One final note: I learned during this process that SSL is generally the best option if you’re looking for the fastest solution that will work anywhere. If you decide to use a VPN service whenever you access a public network, SSL is the way to go.


Mac Security

Just came across an interesting article on MacWorld. Here’s an excerpt:

Two well-known Mac hackers are updating a widely used hacking toolkit, making it easier to take control of a Macintosh computer…Although there are still many more exploits available for Windows software than for Macs, the new payload code means there is now “more or less the same functionality if you want to target a Mac box or a Windows box.”

No need to get too worried here, but it’s a good reminder that we are not immune from the problems that plague Windows users. And, as this article suggests, it may be only a matter of time before we face similar problems.

There’s a lot of brouhaha over the necessity of installing Mac antivirus software. I didn’t run AV software on the Mac for a long, long time, but now I do. Why? It doesn’t cost me anything. It only slows down system performance a tiny bit. And it makes me feel better. Here’s a full rundown of the steps I take to ensure a basic level of security:

I’ve used ClamXav (free) in the past and just started using iAntiVirus (free for noncommercial use) in the hopes that it’s a bit speedier. It’s not a bad idea to run an AV package, if only to prevent transmission of viruses to colleagues on Windows.

I think a good password vault is essential. The excellent 1Password is my choice. It generates complex passwords, ‘remembers’ them, and protects against phishing and keylogging.

I also use LittleSnitch to control and monitor outbound network traffic. I use this in the interest of privacy, but it will alert me if any unknown malware on my machine tries to phone home.

Next, I’ve set up my Linksys router with a kick-ass password and have set it to only accept connections from known MAC addresses that I’ve manually added (household Macs, my iPhone, my wife’s iPod Touch).

Finally, I use Apple’s built-in Firewall protection. It’s a good idea to make sure it’s turned on (go to System Preferences > Security > Firewall. Choose ‘Set access for specific services and applications.’ Also, I have both boxes checked in the ‘Advanced…’ preferences to enable logging and stealth mode). I also use NoobProof. Taken together, this establishes application and network firewall protection. See this article for more background on that.

If anyone has an alternative or better set-up, please share.

As an aside, if you use FinalCut Studio and keep getting an annoying prompt to allow incoming net traffic from ‘qmasterd’ every time you boot (even though you’ve already added it to the ‘allowed’ list), try adding /Applications/Utilities/Batch Monitor.app/Contents/MacOS/Batch Monitor to your list of applications that allow incoming connections. To do this, command+shift+g to paste in the file location.
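As an added example (not from the original post), the same firewall settings described above, i.e. firewall on, logging on, stealth mode on, plus the Batch Monitor allow-list entry for the qmasterd prompt, can be audited and applied from Terminal with Apple’s `socketfilterfw` tool instead of clicking through System Preferences. The `setting_is_on` helper’s reading of the tool’s output wording (it looks for "enabled" or "on") is an assumption, and `apply_settings` needs an admin password via sudo.

```shell
#!/bin/sh
# Audit and apply the macOS application-firewall settings from the post.
# Added example: the socketfilterfw path is Apple's; the output-wording
# check in setting_is_on is an assumption about how the tool reports state.
SFW=/usr/libexec/ApplicationFirewall/socketfilterfw
BATCH_MONITOR="/Applications/Utilities/Batch Monitor.app/Contents/MacOS/Batch Monitor"

# Return 0 when a socketfilterfw status line reports the setting as active
# (contains the word "enabled" or "on"; "disabled"/"off" do not match).
setting_is_on() {
    printf '%s\n' "$1" | grep -Eqi '(^|[^a-z])(enabled|on)([^a-z]|$)'
}

# Print PASS/FAIL for one setting: $1 = label, $2 = socketfilterfw query flag.
check_setting() {
    out=$("$SFW" "$2" 2>/dev/null)
    if setting_is_on "$out"; then
        echo "PASS: $1"
    else
        echo "FAIL: $1 ($out)"
    fi
}

# Audit the three settings the post recommends.
audit() {
    check_setting "firewall enabled" --getglobalstate
    check_setting "logging enabled"  --getloggingmode
    check_setting "stealth mode on"  --getstealthmode
}

# Turn the three settings on and allow the Batch Monitor helper binary so
# qmasterd stops prompting at every boot (all steps require sudo).
apply_settings() {
    sudo "$SFW" --setglobalstate on
    sudo "$SFW" --setloggingmode on
    sudo "$SFW" --setstealthmode on
    if [ -x "$BATCH_MONITOR" ]; then
        sudo "$SFW" --add "$BATCH_MONITOR"
    fi
}

# Only run the audit when invoked on a Mac that actually has the tool.
if [ -x "$SFW" ]; then
    audit
fi
```

Run `apply_settings` once from an admin account, then `audit` again to confirm each line reports PASS.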