Adwords on my vacation!
Can I access Adwords on public computers securely?
I'll be travelling in Asia for a month or so.
I need to monitor my Adwords account during this time, using public computers. But that's obviously not secure at all. I do have some scripts to download reports via the API. But sometimes you need to adjust bids and more advanced things.
Is there a secure way to access my account through public computers? Maybe some proxy server, a complete web-based API interface, VPN...? I have a dedicated Linux server with Apache etc. to install stuff on.
I don't mind other people seeing my account data, I just don't want to type in my password on a public computer. I would need some kind of use-once-only passwords.
I hope someone can tell me what to look for!
What about a live CD with a Linux-like OS installed? That way you are not really touching the hard disk of the computer you use. It's a question of whether the owner of the public PC will allow you to do this.
There will also be issues of browser support, but sometimes you can click ok to proceed.
I don't think there is a secure way to access your account through a public computer. It's not your computer - you have no idea what is installed on it. You must assume that it contains spyware.
A GOOD Internet Cafe will have a means to re-load the hard disk quickly with a clean image. You might be able to request that they do that.
In any case, always clear the browser cache after you are done.
It would be better to take your own notebook computer. If you don't have Internet in your hotel, many Internet Cafes will allow you to plug-in your own notebook. And, of course, you will probably be able to find some wireless access points. An additional precaution would be to use VPN software on your notebook. You would connect via VPN to your home computer, and go back out to the Internet from there. The connection between your notebook and home is off-limits to any prying eyes along the way.
Dunno about proxy services with auto-resetting passwords. Sounds like a great idea, though! This could be done with a pre-printed "code book", or with a security appliance (such as the one my stock broker sent me).
The proxy would have to have your Adwords user ID/password stored. You would have to trust the proxy with this, which is not something I would trust a third party with. (So best to run this software on your home machine.) It wouldn't have to change your Adwords password. What would change after a session is the password used to access the proxy server.
This wouldn't protect the account information displayed during a session. But, then, you've said you are not concerned about that. It would protect your password, though.
Since this has the gears in my head working thinking about developing such a product myself, that makes me almost certain that somebody else has already done this. ;) So, it's probably just a Google search away.
If you have Windows XP, and the computer you are using has it, you can connect to your computer at home using Remote Desktop Connection. It's a program built into XP that allows you to connect to other XP computers remotely over the internet.
I use Remote Desktop when I'm on vacation. I connect to my computer at home remotely, and then surf the net from my home computer. My home ip address is used when I do this.
"I use Remote Desktop when I'm on vacation. I connect to my computer at home remotely, and then surf the net from my home computer."
It would be a particularly bad idea to do this from a public computer. You'd be potentially exposing your home computer to total control by somebody who has installed a key-logger on the public computer.
Don't do it.
From what I understand, you can get a version of Firefox that will run from a USB key. I believe that when you log into Adwords, it defaults to https, which is an encrypted session. I'm assuming that any cached info will be stored on the USB key (although don't quote me on that - you'll want to make sure beforehand), which should be more secure. Remember though, there's no such thing as a completely secure system.
Public access advice for the paranoid:
Hardware key loggers are inexpensive and can be easily incorporated into keyboard casings.
If you don't notice a hardware logger then you have no defence, no matter what you do with software.
Although the likelihood of being the victim of such a stunt is low, think of the damage that could be done if you were unlucky.
It's your decision.
Thanks a lot for your thoughts!
* A bootable Linux CD. A good idea. Should be secure, but hardware keylogger can be a problem. I didn't know about such devices.
* Take a notebook. Good idea as well, but I don't like the extra weight.
* Remote desktop, that would be the ideal way! But from what I can see, you log into your home computer with a username/password. With a keylogger on the public computer, somebody can catch that combination, and log into your home computer later, very insecure!
* A proxy server with disposable passwords. Jtara, you are into what I'm thinking about. I've searched for such a software but so far found nothing useful. I've sketched on something to code myself, but I got stuck. Server is no problem as I have one always online.
Here's a thought: the Apache web server has pluggable authentication modules. There are quite a number available, (for example, to authenticate against user ID/password stored in various kinds of database such as MySQL, against LDAP, etc.).
Apache also has mod_proxy, which can make it act as a proxy server.
At worst, then, you'd have to modify an example authentication module so that it changes the password after each use. But perhaps such an authentication module already exists. (It does - see below!)
Better yet would be to use a SecurID device. This is a little keychain-fob device that has a numeric keyboard and small display. These are used by banks, brokerages, etc. My stock broker provides me with one of these to access their site.
"RSA SecurID® hardware tokens provide 'hacker-resistant' two-factor authentication, resulting in easy-to-use and effective user identification. Based on RSA Security's patented time synchronization technology, this authentication device generates a simple, one-time authentication code that changes every 60 seconds."
First, you enter a PIN into the device. The website displays a number before logging-in. You also enter this number into the device. It then displays a temporary passcode, which you then enter into the website. Upon next use, it generates a new temporary passcode. This scheme is one means of implementing so-called "two factor authentication".
And, of course, RSA (the manufacturer - I'm sure there are other manufacturers of similar devices) provides an Apache authentication module! (RSA Authentication Agent 5.3 for Apache Web Server).
I dunno the costs or if this would be practical for an individual to implement. It does appear that the authentication agent is a free download, though. I also see that they are offering a free Authentication Manager and SecurID Token trial for developers. :)
I see a couple of intriguing commercial opportunities here:
1. A third-party proxy service. Not as secure as running this on your own home computer, of course, since you would have to trust the service. Probably best if done by a trusted big name.
2. A website explaining just how to do this. In my searching, I did not come across a site explaining just how to do this at home. I think it would make an intriguing mini-site (which could potentially draw high-value security-related ads). If you have the time, you just might develop such a site as you poke through the RSA documentation and experiment with your server. :)
If you do a search for "SecurID" you will come up with all sorts of intriguing possibilities, both in the natural search results and in the ads. For example, somebody has a password scheme that uses your typing rhythm for authentication.
Oops! This still doesn't solve the underlying problem - how to log-in to Adwords without having to type your password on an insecure system.
But once you have a secure proxy server using one-time passwords, it isn't too much of a stretch from there.
For example, you could put a PHP page (or Perl, or whatever) on your server at home that would do the login for you, and then hand control over to the proxy. (Not sure just how you would do the latter - possibly just an HTTP redirect to the proxy server.) The password(s) (as obviously this could be used for sites other than Adwords) could be stored in a database on your server, or just embedded in the PHP code.
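An added example, not code from the thread or from any product mentioned in it: one way to build the pre-printed "code book" of use-once passwords for the home proxy is an S/KEY-style hash chain, where the server stores only the hash of the next expected code and replaces it after every successful login. The function and class names are hypothetical, and hooking the check into Apache authentication is not shown.

```python
import hashlib
import hmac
import secrets


def _h(value: bytes) -> bytes:
    # One chain step: SHA-256 truncated to 16 bytes, so a code is 32 hex chars.
    return hashlib.sha256(value).digest()[:16]


def make_code_book(count, seed=None):
    """Return (codes, verifier_hex). `codes` is the list to print, in the
    order the codes must be used; `verifier_hex` is all the server stores.
    The seed is thrown away once the book has been generated."""
    seed = seed or secrets.token_bytes(16)
    chain = [_h(seed)]
    for _ in range(count):
        chain.append(_h(chain[-1]))
    # The last link is the server's verifier; the codes are the earlier
    # links in reverse, so each code hashes to the one used before it.
    return [c.hex() for c in reversed(chain[:-1])], chain[-1].hex()


class OneTimeGate:
    """Server-side check for the proxy login (hypothetical name)."""

    def __init__(self, verifier_hex):
        # A real deployment would persist this value on disk atomically.
        self._current = bytes.fromhex(verifier_hex)

    def check(self, submitted):
        try:
            candidate = bytes.fromhex(submitted.strip())
        except ValueError:
            return False
        if not hmac.compare_digest(_h(candidate), self._current):
            return False
        # Accepted: the code just used becomes the new verifier, so a code
        # captured by a keylogger on the public PC never validates again.
        self._current = candidate
        return True


if __name__ == "__main__":
    codes, verifier = make_code_book(5)
    gate = OneTimeGate(verifier)
    print("first use:", gate.check(codes[0]))   # accepted
    print("replay   :", gate.check(codes[0]))   # rejected
```

A captured code only reveals values further along the chain, which are already spent; the unused codes are preimages that cannot be derived from it.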
I've used remote desktop for years without a problem from several locations around the world. Of course I don't keep anything worth stealing on my home computer. It's just not smart in my opinion to keep anything worth stealing on a computer that's connected to the internet. Hackers are always one step ahead of the software to prevent them. Otherwise there would never be a reason to buy the updates.
Reset your password every couple days from your phone if your phone works there. Otherwise maybe call your account rep and ask him to help you out--not sure if I'd be important enough to get that kind of service.
You might be able to get around hardware keyloggers by using the On-Screen Keyboard program that comes with Windows (It's in the Accessibility Program Group in All Programs on Windows XP.) It allows you to enter text into an application by clicking on the keys of the on-screen keyboard with your mouse. Since the signal is not going through the keyboard I think you would be safe from hardware keyloggers. I would assume that software keyloggers pick up the keys another way so you might still have to worry about those.
Another idea is to type a bunch of random characters into notepad and then copy and paste the individual characters of the password together in the password field using the characters in notepad. This seems to offer some sort of protection.
"Take a notebook"
That is what I would do :)
"Good idea as well, but I don't like the extra weight."
Buy an ultraportable, I have a Sony TX2XP/B - it's tiny and weighs almost nothing!
Alternatively, you can get some mobile phones with a built in browser, good enough to do adwords account maintenance etc.
What about a PDA?
I was just thinking that too. If you can find wireless access then a Palm TX would be perfect. Small, light and useful.
Definitely you need to carry the laptop if you have one.
That's what I'll do on my upcoming vacation.
There's no safe way. I've read horror stories of people being robbed while using public computers in hotels!
It happened to people in my company. It was even worse, they logged in to their bank!
Now, if you don't have one, have the money, and don't like the extra weight, get a PDA.
SSH with a secure tunnel will do it.....or....a remote desktop system utilizing some type of encrypted tunnel.
There are also cheap services that will do it as well.
I guess you could develop a custom script which you could access at X URL, and once you access that URL the script should connect to your Adwords account and pull the data to you.