How to survive
(This page is wildly under construction, and copied from https://events.ccc.de/congress/2015/wiki/Static:How_To_Survive )
Feel free to edit/update this page if you see anything outdated!
Also, as usual and as this is a wiki, do not trust everything blindly.
Contents
- 1 Introduction
- 2 Protecting your person
- 3 Closing/securing open ports/services
- 4 Physical Security
- 5 BIOS-Password
- 6 Bootloader configuration
- 7 Access control for the running System
- 8 Saving your data from others, deletion or yourself ;o)
- 9 Checklist
- 10 Surfing
- 11 iStuff
- 12 Reading mails
- 13 SSH
- 14 Useful programs
- 15 Useful hardware
- 16 Other Information
- 17 Secure Internet Access
- 18 Operating System Specific Security
- 19 Authors
Introduction
SHA2017 is a huge event with people from very diverse backgrounds. Quite apart from the fact that this environment is largely driven by curiosity, an event of this size makes it inevitable that there are individuals with less noble motives.
This makes it advisable to take extra care in securing one's own equipment and also paying attention to the stuff around oneself.
If you don't feel comfortable or competent enough in doing so, please consider leaving your devices (laptop, smartphone, etc.) turned off. After all you might be there because of the people, who, in turn, might be able to help you learn how to secure your devices.
There are many ways to gain access to a system, physical – including theft and booby-trapped USB devices – and remotely over the network where the possible security holes are manifold – be it different services running on the machine, the sniffing of passwords and other data of the wired and/or wireless network or the active distribution of malware by social engineering or phishing attacks.
Please read the code of conduct: https://sha2017.org/coc. An entertaining (and somewhat important) read is EFF's guide to threat modelling. You might want to consider this when you come to SHA and think about protecting your data and personal items.
Finally: Just think of the netiquette in real life; don't be rude, stupid, selfish and whatnot. If you have any problems, talk to a volunteer (they will have a noticeable badge, or a t-shirt indicating their status), or talk to us on IRC/Matrix.
Protecting your person
Just like your network equipment, during SHA2017 your own body ventures into a new and unknown land. With people from all over the world meeting, we have a wonderful exchange of ideas, and of other things you might not think of. Just as in daily life, it’s worth paying attention to hygiene and protection. For your devices, and for yourself!
Common sense goes a long way in keeping yourself clean and healthy. Actually, it’s easier than being safe on the network. Wash your hands after using the toilet & before you eat, drink enough water (when you think it’s enough, have another bottle), store your food in a fridge, prepare it correctly and cook it properly. If you don’t trust it, don’t connect^H^H^H^H^H^H^Heat it.
We take great pride in our sanitary facilities, but to offer clean toilets and showers we also need your help. Rule 1: don’t make a mess, leave it as you would like to find it. Rule 2: if it’s dirty and awful, call Team Volunteers (VLNT on the DECT system) to report it. Rule 3: don’t do laundry or wash fruit or dishes in the toilets and showers.
If you become ill during the camp, please visit our doctors in the First Aid tent or talk to our First Aid crew on the fields (or dial 2222). We want to know, and we will help you get better and prevent contamination. Our team is constantly checking all the food-outlets, Villages etc and you can always ask us for advice.
If you have a medical problem or are using medication, please come to the first aid tent and let our doctors know. Medical confidentiality is in the law in the Netherlands, so don’t worry about giving your secret key to them. They would not know what to do with it anyway, but they can help your body survive SHA2017. We have a fridge, with limited space and no warranty. If you have medical equipment that needs power to function, bring a UPS, as we cannot guarantee permanent power.
The best DDOS attack on a Summer camp is a failure to take care of yourself. Not sleeping enough, not enough water.. keeping an eye on your body is like checking for network activity and processes on your own equipment. It’s routine maintenance and it will make sure you can make the most out of SHA2017.
It's all very well talking about securing our devices, but personal safety should always come first. If you feel uncomfortable with how someone is behaving toward you (threatening behaviour, etc), tell someone! Volunteers/angels should be clearly marked, and they are friendly, and can ask someone to stop, or if need be, leave.
The basic rule of thumb should be, be somewhat vigilant, but remember, people at SHA will be on the whole very friendly, so make friends! We hope everyone can get along.
Closing/securing open ports/services
http://www.williamhpeters.net/syb_eng.png
How do I know what services are secure?
- Bugtraq: http://www.securityfocus.com/archive
- Mailinglists
- Usenet
- follow the tech-news
Tools to find out what services are running
- netstat -tulpen (Linux, Windows, Mac)
- lsof -i -P
- ps (Linux, Mac)
- nmap -p- localhost (Linux, Windows, Mac)
- fuser (Linux)
- Network Utility (Mac)
- filemon
- Regmon
- TCPmon
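A way to read the netstat output from the list above, as an added example that is not part of the original page: it parses `netstat -tulpen` text and reports every socket that is not bound to loopback only, which are the services other people on the camp network can reach. The sample output is constructed, and the function names are this example's own.

```python
"""Flag listening sockets that are reachable from the network.

Pipe in the text printed by `netstat -tulpen` (run it as root so the
PID/Program column is filled in). SAMPLE below is constructed output.
"""
import sys

SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          18211      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      0          20977      950/cupsd
tcp6       0      0 :::80                   :::*                    LISTEN      0          23120      1201/apache2
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           113        17754      700/avahi-daemon: r
udp6       0      0 ::1:323                 :::*                                0          16402      650/chronyd
"""


def parse_listeners(text):
    """Return one dict per socket line of `netstat -tulpen` output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or not fields[0].startswith(("tcp", "udp")):
            continue  # banner, column header or blank line
        proto, local = fields[0], fields[3]
        rest = fields[5:]
        # TCP rows carry a State column (LISTEN); unconnected UDP rows leave
        # it empty, so the numeric UID follows the foreign address directly.
        if not rest[0].isdigit():
            rest = rest[1:]
        # rest is now: UID, inode, "PID/program name" (the name may hold spaces)
        pid, _, program = " ".join(rest[2:]).partition("/")
        # The port follows the last colon; IPv6 addresses contain colons too.
        host, _, port = local.rpartition(":")
        listeners.append({"proto": proto, "host": host, "port": port,
                          "pid": pid, "program": program})
    return listeners


def is_loopback(host):
    """True for addresses only this machine itself can connect to."""
    return host.startswith("127.") or host == "::1"


def exposed_listeners(text):
    """Sockets bound to a wildcard or external address."""
    return [l for l in parse_listeners(text) if not is_loopback(l["host"])]


if __name__ == "__main__":
    # Use piped-in netstat output when there is any, the sample otherwise.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for l in exposed_listeners(text):
        print("%-5s %-15s port %-6s %s (pid %s)" % (
            l["proto"], l["host"], l["port"], l["program"] or "?", l["pid"] or "?"))
```

Each line it prints is a candidate for stopping the service or binding it to 127.0.0.1.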
Disabling services in Windows / Linux / Mac (/ other *BSD)
- Linux (System V style init)
  /etc/init.d/$service stop
  or
  /usr/sbin/$service stop
- Linux (systemd, system and service manager)
  systemctl stop $service
- {Free,Net,Open}BSD and others (RCng-style init)
  /etc/rc.d/$service stop
- Windooze
- '/ Start / Systemsettings / Services' -> Properties of service -> Stop
- If you want to make sure that the service stays stopped then set the Startup Type of the service to 'Disabled'
- Good documentation about disabling services in windows (only german?) http://www.dingens.org/ && http://www.ntsvcfg.de/
- Another (detailed) documentation on how to disable unnecessary windows services: http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html
- Mac (OS X)
- Go to System Preferences -> Sharing -> Services and uncheck all the things you don't need running. On the second tab you can also enable your firewall (which would be the 'smart thing' to do).
Physical Security
Introduction
What good is a secure operating system, if the computer it is running on is rebooted or stolen? With one 40Mb boot CD all your security measures may be ignored.
Prevention of theft
- When a laptop or hard disk is stolen there is financial damage through the loss of hardware. But often the loss of data is much bigger when there is no backup. And personal, classified or business data will then be in the hands of the thief.
What you can do:
- Backup your data before going to SHA.
- Encrypt your hard disk.
- Label your hardware:
- Put your name and cellphone number on it, so anyone can check whose hardware it really is.
- Put stickers on it. This usually makes it a unique piece.
- If you're scared that others might see your real name or that stickers might get lost: label phones and laptops inside the battery compartment.
- Set a BIOS password.
- Encrypt ALL the disks
- Backup your data.
Also, as a side note: Please make backups of your data.
The insecurity of locks
Some people may know how to pick locks. Keep this in mind. Do not trust the security of Kensington products! These are only a partly effective simulation of security, which can not stop thieves who can cut cardboard.
Being prepared, in case shit happens
But if you take other variables, for example the normal "Verpeilungsfaktor" (German, "mess-up factor"), into account, you should always assume that it is possible that your computer or your data get lost. There is no such thing as an absolutely secure system! (Also every system needs regular care in terms of security updates etc.). Accidents happen.
Therefore you should as a matter of principle make a backup of all important data! Additionally it is important in case of theft to note down all your serial numbers in advance somewhere (especially of your hard disk, using hdparm -I, because data thieves might only steal your disk) if they are not already on your hardware invoice (which you should have available if you should need to contact the police).
The simplest rule for decent security is: Never lose sight of your laptop. The best thing is to carry it around with you all the time (greatly increasing the ability to take notes during lectures as a side effect). In addition you can ask trustworthy persons to guard your (portable) computer. This is especially useful if the box is hard wired to the network, transferring large files, while you would rather go to a lecture.
What to do if your equipment is gone
First of all, don't panic!
Check the area around you, sometimes people put equipment under the desk or shift it to the next desk and/or it may get buried under lots of other stuff.
If you can't find it, ask the people around you and ask your friends, maybe someone put the equipment in a safe place for you.
Check Lost+Found at the Ministry of Information. If your hardware was labeled it might happen that they contact you!
If the equipment is still missing, please contact Security (HonkHase or BugBlue) via DECT 110. They will clarify the next steps, e.g. complaint of an offence at the police to possibly get the money back from an insurance company, check the outgoing equipment at the exits of the Camp, search for it in the whole building, note your contact details to check if your equipment popped up at the end of the congress as "lost+found" stuff, etc.
Check Lost+Found afterwards!
BIOS-Password
In order to ensure that nobody can break your password barriers with simple physical access, for example by booting a Knoppix live CD or something like that, you should prevent that directly in the BIOS. To do this, configure your BIOS to allow hard disk boots only and protect this setting with a BIOS setup password.
Some more or less smart people can in individual cases (insecure BIOSes) still boot from other media. Therefore we suggest (at least for the time of the congress) to set up a general boot password in the BIOS.
- Note
- In this text we will assume that you already know about password security (e.g., don't use passwords like "root", "$PASSWORD", "GoGetNaked", "hackme", "Jenny" or "Oak"...)
Macintosh Computers
Set an Open Firmware Password: https://support.apple.com/kb/HT1352
Please note that this also applies to Intel-based Macs although they're using EFI.
If you're using OS X Mavericks or later: https://support.apple.com/en-us/HT204455
Bootloader configuration
As another security measure you should take care that it is not possible to override the normal boot process by adding init=/bin/bash to the kernel parameters in your (Linux) boot loader. This would fire up a bash with root privileges and even without a prompt for the root password.
This step is very important! You can as well configure it so that you are only asked for the password if you want to add special parameters.
LILO security
To configure LILO for using a password, edit the /etc/lilo.conf:
password=""
If you want to be prompted at boot only when you try to append stuff to the kernel:
restricted
Then start /sbin/lilo -p and provide the password you want to use. It will be stored in /etc/lilo.conf.shs (or something) and gets encrypted.
If you want to use special characters, you have to change the keyboard layout:
/usr/sbin/keytab-lilo.pl de > /boot/de.ktl
and add the following line to /etc/lilo.conf:
keytable = /boot/de.ktl
GRUB-Security
First you should create a password using /sbin/grub-md5-crypt, which is returned as an MD5 hash. Then you add in GRUB's configuration file /boot/grub/grub.conf the line "password --md5 <hash>", replacing <hash> with the hash returned by grub-md5-crypt.
If you require a more secure hashing algorithm, you can use /sbin/grub-mkpasswd-pbkdf2 and enter a chosen password. It will return a hash, starting with 'grub.pbkdf2.sha512', then edit your /etc/grub.d/00_header file, to include the following:
cat << EOF
set superusers="root"
password_pbkdf2 root <hash>
EOF
Where the hash is the string starting with 'grub.pbkdf2.sha512.10000' returned from the '/sbin/grub-mkpasswd-pbkdf2' command.
An additional "lock" will make it necessary to enter the password every time you want to start an image. You should use this if there are "other" operating systems available on your computer which don't have privilege management. They could be used to override your protection.
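Before rebooting with a GRUB password in place it is worth confirming that the entry in 00_header is complete and that the stored hash really belongs to the passphrase you intend to type. The following is an added example, not part of the original page: it assumes the grub.pbkdf2.sha512.<iterations>.<salt hex>.<hash hex> layout printed by grub-mkpasswd-pbkdf2, and the function names, salt and passphrase are constructed for the demonstration.

```python
import hashlib
import hmac
import re


def make_grub_hash(password, salt, iterations=10000):
    """Build a string in the layout grub-mkpasswd-pbkdf2 prints (demo helper)."""
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt,
                                 iterations, dklen=64)
    return "grub.pbkdf2.sha512.%d.%s.%s" % (
        iterations, salt.hex().upper(), digest.hex().upper())


def check_grub_hash(grub_hash, password):
    """True if password matches grub_hash; ValueError if it is malformed."""
    parts = grub_hash.split(".")
    if len(parts) != 6 or parts[:3] != ["grub", "pbkdf2", "sha512"]:
        raise ValueError("not a grub.pbkdf2.sha512 hash")
    iterations = int(parts[3])            # ValueError if not a number
    salt = bytes.fromhex(parts[4])        # ValueError if not hex
    expected = bytes.fromhex(parts[5])
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt,
                                 iterations, dklen=len(expected))
    return hmac.compare_digest(digest, expected)


def audit_header(text, password):
    """Return a list of problems found in a 00_header style snippet."""
    problems = []
    match = re.search(r'set\s+superusers="([^"]*)"', text)
    # GRUB accepts several separators in the superusers list.
    superusers = ([u for u in re.split(r"[ ,;|&]+", match.group(1)) if u]
                  if match else [])
    if not superusers:
        problems.append("superusers is not set, so no password is enforced")
    hashes = dict(re.findall(r"^\s*password_pbkdf2\s+(\S+)\s+(\S+)", text, re.M))
    for user in superusers:
        if user not in hashes:
            problems.append("%s: no password_pbkdf2 entry" % user)
            continue
        try:
            matches = check_grub_hash(hashes[user], password)
        except ValueError:
            problems.append("%s: malformed hash" % user)
            continue
        if not matches:
            problems.append("%s: passphrase does not match the stored hash" % user)
    return problems


# Constructed sample data: fixed salt and a throwaway passphrase.
DEMO_SALT = bytes(range(64))
GOOD_HEADER = ('cat << EOF\nset superusers="root"\npassword_pbkdf2 root %s\nEOF\n'
               % make_grub_hash("correct horse", DEMO_SALT))
# The snippet exactly as shown on the page, placeholder not yet replaced.
PAGE_SNIPPET = 'cat << EOF\nset superusers="root"\npassword_pbkdf2 root <hash>\nEOF\n'

if __name__ == "__main__":
    for name, text in (("good", GOOD_HEADER), ("placeholder", PAGE_SNIPPET)):
        print(name, audit_header(text, "correct horse") or "ok")
```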
Access control for the running System
Leaving a running system unguarded is a big risk for the security of your system.
- Always lock the screen / log out of your session
- Never leave an open rootshell
If your desktop environment does not have an obvious "Lock screen" or "Log out" feature, you can use programs such as "vlock" or "slock".
If you don't want to take your equipment with you every time you go to take a leak, you should definitely, before handing your box over to others to guard it, close or lock all sessions.
These measures still don't protect you from attacks against hardware components such as the USB, network or FireWire ports, which could be used to autoexecute code or even read out the computer's memory.
Passphrase security
Use strong passphrases _everywhere_. Never use the same passphrase twice. Never let people see your passphrase (lower your laptop lid while typing it, sit with your back against the wall, ...). Depending on who you defend against, don't type in your passphrase while your laptop is hooked to the powerline.
Saving your data from others, deletion or yourself ;o)
If you want to be sure that one cannot access your data if your hard disk gets stolen, you can for example use dm-crypt to encrypt your hard disk or single partitions (e.g. /home, /tmp and swap). You can find links to the "Disk Encryption HOWTO" and the "Encrypted Root Filesystem HOWTO" below under "Additional Information".
For Mac OS X there is an option called FileVault in the system settings, which takes care of encryption automatically and transparently (which means: you just have to check a check box). See https://support.apple.com/en-us/HT204837 for more info.
Checklist
- Set BIOS-Password (at least setup password)
- LILO/GRUB-Password (at least restricted!)
- Password security (characters, non-trivial, etc.)
- Never leave a rootshell open!
- Backup all important data!
- Watch over your hardware, or ask someone trustworthy to do so
- Think of more access control
- Encrypt your hard drive and usb sticks.
Surfing
- Don't use outdated/EOL web browsers. This includes Internet Explorer, that version of Netscape Navigator you found on your grandma's PDA, some Firefox you found on that computer from the tip.
- Chrome/Chromium have a fairly secure sandbox (the best of any web browser today), while Firefox has privacy (at least in the program itself). Use of the Tor browser (based on Firefox) may also be desirable with the caveat that all programs are tools, and using them wrong can make your day very bad.
- Uninstall Flash (and leave it uninstalled, you don't need it for anything) and its ilk.
- Consider installing HTTPS-Everywhere from EFF.
- Also remember that while ad-blockers are definitely not security-focused applications, they arguably make browsing the internet marginally less awkward. If you are concerned about malicious ads (but not malicious scripts in general - this doesn't really make sense, but whatever) then this may be of limited use.
- On the note of malicious scripts, blocking the loading of scripts may be desirable, for example through NoScript for Firefox. In Chrome/Chromium, it's possible to block images, scripts, and cookies by going to Settings -> Show advanced settings -> Privacy, then content settings is under this heading.
Assume that there will be many people at the camp who try to exploit security holes in the aforementioned outdated/EOL browsers. Using an up-to-date browser in any case is very important, and Firefox was always more secure than Internet Explorer anyway. Today, Chrome/Chromium have the best sandboxing of any web browser.
Something about encryption on the web: On an encrypted and authenticated site, Firefox displays a closed padlock to the left of the address bar. Locks may appear elsewhere, and many websites put them inside the webpage, but these are useless and should be entirely mistrusted. Besides a lock, also watch for the domain. By default, Firefox has a slight contrast difference between the domain (in black) and the rest of the URL (in grey). Despite this, make sure that the domain is followed by a slash (/). For example https://paypal.com.index.php.sessionida9c9e776d49388.tk is not actually PayPal, but https://paypal.com/index.php.sessionida9c9e776d49388.tk is. So-called punycode domains are also something to watch out for: see https://аррӏе.com/.
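The rule above (only the part before the first slash counts, and look-alike characters can hide in it) can be checked mechanically. This is an added example, not part of the original page; the function name and the xn-- label are constructed, and the Cyrillic host is written with escapes to show that it contains no Latin letters.

```python
from urllib.parse import urlsplit


def verdict(url, expected_domain):
    """Say whether url really points at expected_domain.

    Only the host part (between '://' and the first '/') decides which
    site you talk to; anything after the slash is just a path.
    """
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    # Non-ASCII labels, or their encoded "xn--" (punycode) form, can render
    # like a familiar name while being a different domain.
    if any(label.startswith("xn--") or not label.isascii() for label in labels):
        return "look-alike characters in host: %r" % host
    # The host must be the expected domain itself or a subdomain of it,
    # i.e. the expected name has to sit at the END of the host.
    if host == expected_domain or host.endswith("." + expected_domain):
        return "ok"
    return "different site: %s" % host


if __name__ == "__main__":
    samples = [
        # The two URLs from the text above.
        ("https://paypal.com.index.php.sessionida9c9e776d49388.tk", "paypal.com"),
        ("https://paypal.com/index.php.sessionida9c9e776d49388.tk", "paypal.com"),
        # Cyrillic letters that render like "apple" (escaped on purpose).
        ("https://\u0430\u0440\u0440\u04cf\u0435.com/", "apple.com"),
        # Constructed punycode label.
        ("https://xn--abc123.com/", "apple.com"),
    ]
    for url, expected in samples:
        print(ascii(url), "->", verdict(url, expected))
```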
If you are warned about a certificate error, you can either continue to the website or not continue. If you continue, the site will be no more secure than http (without s!), so all traffic may be read by a third party and all traffic may be modified by a third party. Never enter personal data on unencrypted http or untrusted https websites. If you ever get these errors on websites like Gmail or other big companies, it means you are being attacked (either personally, randomly, or everyone there is being attacked). Also if you continue upon certificate warnings in Firefox, be sure to uncheck the "store exception permanently" box. You should be warned every time. If you don't uncheck it, Firefox will always say it's a perfectly secure website and you might (e.g. next year) have forgotten that it was actually a security exception.
It's also advisable to use private navigation mode or incognito mode (ctrl+shift+P in Firefox, ctrl+shift+N in Chrome) for https websites. Long story short: if you open incognito mode and only use https websites in there (and you don't get certificate warnings), that is rather secure. One could argue that it's safe enough to log in to your bank. If you open a single website with http (or a single website with a certificate warning) in that same incognito session, the security of the https websites may be partially compromised by the BREACH exploit. Installing the aforementioned HTTPS-Everywhere is desirable here.
If you are German-speaking, you may want to read Einfallstor Browser on heise.de
Unencrypted - HTTP
Don't give out personal data when surfing unencrypted at congress, e.g.:
- Username and password for ANY SERVICE WHATSOEVER
- Cookies with user/pass (if you get logged in automatically)
- Personal data like address, name, gender, sexual desires ;o)
It could be a good idea to delete all your cookies before congress. If you need a backup of them, they are in ~/.mozilla/firefox/default/$chaos/cookies.txt (or cookies.sqlite). In preferences you can choose to be asked if a site wants to give you a cookie.
Use the SSH feature called "SOCKS port forwarding" (ssh -D) to tunnel HTTP connections through your SSH host at home.
chromium-browser --proxy-server=socks5://localhost:3129
Or in Firefox you can simply set the SOCKS proxy in the preferences (see preferences->advanced->network->settings).
Encrypted - HTTPS
Encrypted connections generally have the advantage that the data cannot be read by anyone sniffing on the network, because they are transmitted encrypted to the web server. You need to take some safety measures, though: It's still possible to perform a Man-in-the-middle (MITM) attack over HTTPS. Your browser will usually throw up a security exception if it detects the content it has received does not match the certificate (discussed above). Do not click continue in this case! In some cases, certificates can be issued in error or fraudulently (one of the problems with "trusting trust"), so hardening your browser is important as well.
iStuff
Secure your iPhone:
- Backup your iStuff before congress. See Backing Up, updating, and restoring your iPhone, and iPod touch software. Backup your backup somewhere else, just to be on the safe side.
- Erase iPhone content: Tap Settings > General > Reset > Erase All Contents and Settings*
- Enjoy congress. Optional: remove your sim-card
- At the end of congress: Transfer all your data of your iPhone but don't sync
- Click the "Restore" button in your iTunes-iPhone page. DON'T BACKUP! DON'T!!! It may erase your previous backup, you wouldn't want that.
- Wait for your iPhone to reboot and restore your last backup*
* I never tried Erasing All Contents and Settings and restoring it from a backup. Don't hold me liable if it doesn't work [for you].
- Jailbreakers should change the standard Apple mobile pw and root pw.
Change the standard Apple mobile pw
- Open the terminal ( you see something like "your iPhoneName": ~ Mobile$)
- type: ‘passwd’ (without the quotes) Your old PW should be ‘alpine’ (without the quotes), Make a new stronger pw, type this one twice.
- Type: 'logout' (without the quotes)
Change the root pw
- type ‘login’ command (without quotes) and press enter.
- Then type ‘root’ (without quotes) as your login and ‘alpine’ as your current root pw.
- Once you are root, type ‘passwd’ command (without quotes) again and press enter.
- Enter a new password (twice).
- Type: 'logout' (without the quotes)
- done
Reading mails
Webmail
Use an encrypted connection, as described above! Otherwise, you'll have to get your password from a blackboard. ;-)
POP3/IMAP
Use SSL/TLS and check for certificate validity (see your mail retrieval agent documentation for info on how to set it up).
SSH
Use it to open a secure connection to your home PC. You can also use it to tunnel other TCP/IP connections through your home network... and be sure to know your home server's fingerprint and authenticate with keys instead of passwords...
How to tunnel?
ssh -D 1234 user@example.com
This opens a SOCKS tunnel/proxy on port 1234.
How to tunnel everything (TCP, UDP and ICMP) transparently?
The following howto has been a great help in recent years:
http://blog.crash-override.net/index.php/206
On OS X
Problem: Ensure that ALL traffic from your laptop goes over your proxy. Including apps that don't take proxy config, like Skype.
- Answer
- ping yourserver.com; note its ip [we're going to tunnel DNS in a sec, don't want a catch-22]
- ssh -C2fND 9999 yourserverip
- The flags are: compressed, ssh v2 only, go into background and don't do anything on the remote other than proxy, and open up port 9999 as a socks proxy.
- AFAICT this doesn't require root on either client or server. (Real tunnel devices do, on both. I wasn't able to get a tunnel device [ssh -w any:any] working on my VPS.)
- install http://www.proxifier.com/mac
- launch it and configure in 'options' menu:
- proxy settings: 127.0.0.1 port 9999 socks 5
- proxification rules: add; rule name: your server name; ip range: your server ip (NOT dns); click 'add' next to IP entry; ok. Most of the fields left blank.
- these are the *exceptions*, by default - there's a radio button to invert that. Obviously we can't tunnel the ssh tunnel over itself, which is why we're making it an exception. :-P
- add more exceptions if you want to access something on the LAN
- name resolution: enable
The end. It also supports proxy chaining if you want to be fucking paranoid - in proxy settings just set it up from the perspective of each successive hop.
Just tested it, works perfectly. Might have some holes (e.g. low level stuff?), but I'm not seeing anything on local iftop other than LAN stuff and incoming direct connections.
It's a lot easier to use than tsocks, and more respected than merely setting a proxy in system settings / network / proxies (which e.g. Skype ignores).
If you run plain ssh commands now, they'll first get proxied - e.g. "ssh pony.noisebridge.net" will go via the proxy without any further config. Ditto everything else that's not in proxifier's exception list.
I suggest installing (via macports) iftop or the like on both machines; it's a nice tool to watch what's happening.
Too much work.
Try https://github.com/apenwarr/sshuttle
Useful programs
- Chat client: An IRC client, e.g. mIRC or X-Chat. SHA2017's IRC channel is #sha2017 on Freenode. There is also a Matrix room linked to the IRC channel at #sha2017:chat.weho.st. You can access this with Riot, and there is also a Weechat plugin.
- Web browser. Good choices are the Tor browser, Firefox, Chromium [Chrome]. Most others probably have poor security support/render pages like a cat can preside over court.
- Some way of connecting to the internet. Competent technologists are usually entirely inept with the things toddlers can do on their iPads. Make sure to have standard tools installed e.g. dhclient. Network diagnosis tools may be useful too. For SSL tunneling, programs to do this may be useful, as would a VPN client if you intend to access that.
- FM Radio if you hate smartphones.
- Sleep: Alarm clock
- Screen locker
Useful hardware
- Tent/roof over your head.
- Notebook
- Cellphone. Call for help/pizza/NSA.
- Reusable cutlery/crockery. Waste is bad.
- Networking equipment e.g. switches (but you probably won't need this. Probably ignore)
- Camera (but please respect other people's privacy!)
- $Multimediatool aka geek gadget (MP3-player, PMR, PDA, bluetooth stuff, etc.)
- Please tell us beforehand if you bring BIG hardware with you
- Notes/docs/props if you are doing a talk or a workshop. Make sure your laptop can connect to projectors if applicable (probably VGA, but some modern ones use DisplayPort or HDMI).
- Curiosity. But keep in mind it killed the cat. Stay safe!
Other Information
- Again we emphasize reading the Code of Conduct.
- Look at What_to_bring.
- Medical help in the CERT
- Go to the Facilities#Infodesk
- Look at the Program!
- Look at information about Camping.
- Help out with organizing. See the Orga Wiki
- Look at the left panel on this wiki. There are interesting things, self-explanatory things, cruel and evil things!
Secure Internet Access
If you do not have access to a trusted VPN but want to access insecure sites or services outside the congress network without being eavesdropped on by fellow hackers, feel free to use the CAcert Community VPN tunnel. Basic documentation is available on the CAcert Wiki or call / find User:Natureshadow (DECT 3128)!
Please note that the tunnel will most likely not be available this year. If you still need this very desperately, User:Natureshadow might still be able to help you!
Operating System Specific Security
*nix
Terminal access
There are tools like xscreensaver or vlock, which can be used for this. Additionally, most window managers have a special "lock session" function.
If a person has physical access to a box where these preparations have been made, i.e. there are no open sessions, there are still ways of attacking. Here you should make sure your login.defs and login.access are configured reasonably (see the man page and the commented example files).
Additionally you can limit the consoles where root is allowed to log in, using the configuration file /etc/securetty. A little "security by obscurity" hint: Don't allow it on the first console, as this is the one most likely to be tried. You could for example just allow console 13; seldom does someone think of trying it there. It should be clear that manual "brute force" logins are nearly impossible, but you never know. Maybe somebody was looking over your shoulder... (My computer science teacher always sent everybody out of the room when he was entering important passwords.)
Physical access
Another thing worth mentioning: Even when all consoles are locked and the passwords theoretically unguessable, most recent notebooks and desktops are equipped with Firewire, which can be quite a lot of fun as well: http://www.ccc.de/congress/2004/fahrplan/event/14.de.html (German only) And who knows, maybe somewhere in the RAM there's a clear text copy of the necessary password...?
Firewall
Hint: If you rely on your packet filter to block incoming traffic, do not forget to filter IPv6 as well! (ip6tables on Linux)
Mac OS X
An extensive OS X security whitepaper is available from Corsaire
SnowLeopard Security Config
A little screencast in German covering the most important things can be found here
Screensaver/suspend lock
You should enable a password prompt when waking from sleep or screensaver. Do so by going to 'System Preferences' -> 'Security' and enable 'require password to wake this computer from sleep or screensaver' option. More options like 'disabling automatic login', 'logging out after a specific period of inactivity' and 'requiring a password to change any of secure system preferences' can also be enabled here.
Keychain Access
Also, you might want to prevent people from accessing your keychain (where all your passwords, from safari, IM clients, etc are stored). Start the Keychain utility (it's under Applications -> Utilities -> Keychain Access). Select the 'login' keychain from the sidebar and go to the menu 'Edit' -> 'Change Settings for Keychain "login"'. There you can choose to lock your keychain as you suspend your computer or after a specific time of inactivity.
By default, the password used to unlock your keychain is the same as the one you use to login to the system. You can change it in Keychain Access by going to the menu 'Edit' -> 'Change Password for Keychain "login"'. If you have some room left in your menubar you can also add the keychain status icon there (enable it via the Keychain Access preferences).
Pair your Mac with your Remote
Just point your remote at your IR-Receiver (mostly next to Power-LED) and press <Menu> + <Next> for 5 Seconds. (a big acknowledgement screen will appear, showing a chain and a remote control). You need to be logged on as administrator, though.
Preventing traffic when (Open)VPN is not connected
Windows
Disable the automatic logon feature. Don't work as admin!
If you run Windows XP Home Edition, boot your computer while holding the Shift key and log in as "Administrator". By default there is no password for this hidden admin account: you should change this! Patch your system with the newest updates and make sure to have at least the Windows firewall running. Just don't, really.
Authors
This document seems to have been originated by aleχ and Scytale.
So:
"Have fun on the Congress, aleχ (translation by Scytale)"