Ask HN: How do you secure yourself on public WiFi?
Following on from the FireSheep post (http://news.ycombinator.com/item?id=1827928), how do HNers secure their InterWebs usage whilst on public WiFi?
It seems like VPN is a good way to go - I'm particularly interested to hear whether anyone can recommend any good VPN providers?
The following were mentioned in the FireSheep post:
WiTopia (http://www.witopia.net)
OpenVPN (http://openvpn.net/)
Does anyone have any experience with them or others?
My long answer is here: http://www.h-i-r.net/2008/08/defcon-paranoia.html
The short answer: I back up my data. I encrypt all sensitive data on my laptop and don't access it in uncontrolled environments. I tunnel everything (usually with OpenSSH Dynamic Proxy) and then I run a firewall ruleset on my laptop that: 1) Permits tunneling to my server, 2) Permits anything on localhost, 3) Blocks all other incoming or outgoing traffic. Meaning if some program (Pidgin for example) isn't going through the tunnel, it can't even connect out.
It's worth mentioning that I usually operate this way all the time, whether I'm in a risky environment like DefCon or HOPE conferences, or my favorite small coffee shop. Tools like ProxySwitcher, small shell scripts, network locations and stuff that others have mentioned can be used by moderately-savvy folks to make the tunnel setup as painless as possible.
What I do:
I have a reachable personal computer with an ssh server. Then on my local machine I do:
ssh -D 9050 username@host
Then in your web browser you should simply use localhost:9050 as SOCKS proxy. Now you're safe from the WiFi sniffers.
I made a short post about this:
For the past 4 or 5 years I've been using SSH tunneling. I set up a location in OS X network preferences using the exact technique described in this comment http://news.ycombinator.com/item?id=1828631. I usually tunnel through my router at home which runs DD-WRT. I use SSH Tunnel manager to manage the tunnel http://projects.tynsoe.org/en/stm/.
Once it's set up, all you need to do is switch your network location to the tunnel location before you leave the house, then when you want to get online, press the button for the appropriate tunnel in SSH Tunnel Manager.
I guess my question would be: What additional threat do you think public wifi poses, as opposed to any other internet access? IMHO, you have to assume that any unencrypted traffic over the internet could be sniffed, etc.
The only additional threats I can see would be threats against your PC directly, rather than your traffic.
Am I wrong?
I loaded Tomato on my Linksys router, then enabled SSH. I proxy through that when on public wifi. This is the best method for me because my Linksys router is always on and uses very little power.
It's also set up so I can use remote desktop through the proxy to my desktop at home. I wrote up some instructions on how I did it here:
http://ronnieroller.com/articles/rdp_over_ssh_with_a_linksys...
I use an L2TP/IPSEC VPN on a Linode VPS. It works great with OS X and iOS devices - I've not tried anything else. There's a simple toggle switch on iOS in Settings to activate the VPN, or a one-click menu item in OSX.
It's pretty easy to set up, if you're comfortable with Linux. I'm using it on Ubuntu 9.10, and I followed the guide here:
SSH, with SOCKS tunneling (and the FoxyProxy extension with Firefox, although I normally use Google Chrome). Works on Windows/Mac OS X/Linux. Note that this doesn't necessarily fix DNS sniffing and whatnot.
If I was paranoid, I'd bother to set up a VPN and use that.
If I'm extremely paranoid, I use Tor (which may have some security concerns).
I have a very cheap, small, Linux VPS for ssh tunneling via SOCKS proxy. It's a couple bucks a month, and it can also host my blog/app prototype/whatever when I get around to putting it up.
Usually I just avoid using public wifi. Tethering is practical enough these days. Worst case I have a few VPN endpoints to fall back on, but if I'm going to be using HTTPS sites I don't even bother connecting.
Easy, I open up a terminal and type:
start_vpn
It's a script which fires up an openvpn connection to a vps I have. Getting openvpn working took about a day of hacking around on my vps and my mac. (Just read the openvpn tutorial and follow the steps.) I still haven't gotten openvpn working on Windows, but it's not something I've ever needed.
I have a marcopolo setting on my mac that, if none of my usual networks are found, fires up an ssh tunnel to a vps I have just for that, and turns on my socks proxy.
This takes me remembering to do it out of the equation.
I own an iPod Touch and I often check my email at university (through both Safari and Mail.app). Is there any good solution for iOS devices?
I bought a cheap VPS at linode.com, installed and configured pptpd and set up a PPTP connection to the VPS on my mac (using standard Network Preferences panel). When I need a secure connection I just connect over PPTP to the VPS. This enables pretty secure connection from the place with wireless access to the VPS for all tcp protocols (http, smtp, etc).
Are there any standard, bird's-eye-view references on IT security?
I give an example of my quick and dirty solution here: http://news.ycombinator.com/item?id=1828631
For more robust solutions I set up my own openvpn instance on a home server which I can use from any coffee shop, and I have a Witopia account (which I use when abroad as they have servers all over the world, which speeds things up a bunch). I make the greatest use of Witopia from within China as they have servers in Hong Kong.
Here's a different approach to this problem - Take your home network with you!
I recently signed up for Clearwire's CLEAR service. They have a MiFi component that does "4G" with fallback to 3G if necessary. This gives me up to about 3MBs, with portability (up to 3 hours on battery). There is no data limit for "4G", and you get 5GB per month on the 3G fallback network.
Anywhere I travel inside the US, I'm using my home network, and isolated from public networks.
I use a simple OpenVPN or L2TP/IPSec provider + client app on OS X. Minimal setup and I can switch it on/off easily. I reviewed the one I use earlier this year, though this is now outdated because at the time they didn't offer OpenVPN and that was my biggest beef with it: http://paulstamatiou.com/how-toreview-surf-securely-with-vyp...
For quick and dirty connections out, I use PuTTY to set up a dynamic local SSH tunnel to a host of mine on the Internet. Then I use the tunnel as a SOCKS proxy. It's fairly straightforward to set up.
For remote access and Internet access over wifi for non-SOCKSable stuff I use Strongswan. I have a small scale darknet set up with it (just me and a few friends) so it's already there for me, but I wouldn't recommend it unless you know your stuff.
I used a FreeBSD box to setup Racoon and friends and wound up with a pretty decent setup that used certificates for logging in and was compatible with the built in OS X VPN support (L2TP + IPSec). The resulting solution is painless enough to deal with that I use it whenever I'm on wifi, even at home.
You pay the price with a pretty complicated setup (assuming you're not already an IPSec guru, which I certainly am not), though.
For those who don't want to set up their own vpn, you can try hotspotshield. It's free but they display an ad frame as you browse.
I set up vpn on my dd-wrt router.
I use Witopia from Canada.
In addition to helping secure my connection to the Internet at all times, it enables access to online services that are otherwise unavailable.
These services include BBC iPlayer out of the UK, and Hulu and other streaming services from the US, like sporting events.
I have found Witopia to be extremely reliable and fast.
I recommend their service.
Conceptually, why do all options involve a server? If I somehow can securely "tunnel" to my server, I first have to tunnel through the WiFi hotspot, right? Am I not free to browse, safely, after securing this first step? (Sorry for the vagueness... This is as far as I understand these concepts.)
I don't do anything unencrypted (no sites that don't support ssl, no ftp or telnet, etc). If I absolutely have to do something potentially insecure, I set up an ssh tunnel through my vps slice... I tend to avoid this if possible, because it's both a pain-in-the-ass and very slow.
Ideally I'd rather not have to configure my own VPN server, but if I have to then so be it.
I've been trying out sshuttle <http://github.com/apenwarr/sshuttle>. It only tunnels TCP traffic, so you still have DNS and UDP traffic on the local network.
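The ssh -D SOCKS setup described earlier in the thread and the DNS caveat raised here and in the SOCKS/FoxyProxy comment, side by side, as an added example that is not from any commenter: it builds and decodes the SOCKS5 CONNECT request a browser sends to the localhost:9050 listener, and flags the case where the client resolved the hostname itself, so the lookup went out over the hotspot's DNS. Assumes Python 3; the hostname and the 192.0.2.10 address are constructed.

```python
import socket
import struct

SOCKS_VERSION, CMD_CONNECT = 0x05, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def socks5_greeting() -> bytes:
    # Client hello: version 5, one method offered, 0x00 = no auth (what ssh -D expects).
    return bytes([SOCKS_VERSION, 0x01, 0x00])


def socks5_connect(host: str, port: int, remote_dns: bool = True) -> bytes:
    """CONNECT request the browser sends to the localhost:9050 listener.

    remote_dns=True hands the hostname to the proxy (ATYP 0x03), so the SSH
    server resolves it and no DNS query leaves the laptop in the clear.
    remote_dns=False resolves locally and sends the IP (ATYP 0x01): the DNS
    leak mentioned in the thread, because that lookup uses the hotspot's DNS.
    """
    if remote_dns:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("SOCKS5 domain names are limited to 255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        ip = socket.gethostbyname(host)  # plaintext UDP/53 over the public WiFi
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(ip)
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect(req: bytes) -> dict:
    """Decode a CONNECT request; leaks_dns is True when the client pre-resolved the name."""
    ver, cmd, _rsv, atyp = req[:4]
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_DOMAIN:
        n = req[4]
        dst, end = req[5:5 + n].decode("idna"), 5 + n
    elif atyp == ATYP_IPV4:
        dst, end = socket.inet_ntoa(req[4:8]), 8
    elif atyp == ATYP_IPV6:
        dst, end = socket.inet_ntop(socket.AF_INET6, req[4:20]), 20
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    (port,) = struct.unpack("!H", req[end:end + 2])
    return {"dst": dst, "port": port, "leaks_dns": atyp != ATYP_DOMAIN}


if __name__ == "__main__":
    # Constructed example: what a browser sends for https://example.com via localhost:9050.
    req = socks5_connect("example.com", 443)
    print(req.hex(), parse_connect(req))
```

In Firefox the remote-resolve form corresponds to network.proxy.socks_remote_dns = true; UDP traffic and any program not configured to use the proxy still bypass the tunnel, which is why several commenters pair this with a firewall ruleset or a full VPN.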
I run a http://www.pfsense.com/ firewall w/ VPN server and proxy enabled at home. My portable system is set up to deny everything that doesn't hit the proxy.
Very similar to ax0n's setup.
I ssh to one of my servers with -D to make a tunnel available via SOCKS5. I could have ssh make a tun device instead, but I'm normally only using git, ssh, tsock'd irssi, or a web browser through SOCKS.
Other than ssh tunneling, I tried http://vyprvpn.com when it was offered together with giganews, and it was pretty fast, if a bit costly.
I use and recommend ipredator.se, the piratebay VPN, for 5 EUR per month.
Running a proxy from home which uses HTTPS might help.
VPN to our OpenBSD box.
As a side note: Facebook has SSL access, but Facebook Chat doesn't work with it.
I use HTTPS Everywhere, and for any sites that don't use SSL (cough SLASHDOT cough) I just use non-standard passwords and take the risk, and be aware that what I say over unencrypted IM might be intercepted (though it's unlikely).