Computer Security Primer-The Internet:
First a quick statement about privacy:
Don't count on it. Don't trust your life to it.
Your computer, like anything you write down, or speak in public could
be copied, or later repeated. Your data, stored on another computer,
such as that provided on a shell account at your ISP, is completely out of your
control. This does not impugn the honesty of your ISP, nor even of employees
there. It is merely a statement of fact. Whereever in the world your
data is sitting at any given time - unless it is on your computer, disconnected
from any network, and within your physical supervision - there is a chance
that someone else could have access to it. Because the screen of
your computer is, in effect, essentially a low-power radio transmitter, even
what you look at on your screen in privacy could be viewed by
others if it is worth their while to use expensive and complex methods
of capturing that information.
By definition, your data is that data that you created, or that
should be in your control and deals with you or your personal or commercial
That definition means that when you make a purchase with a credit card, your
data is out of your control. When you make a purchase from anyone who
keeps records of that purchase, your data is out of your control. When
you pay taxes, or register to vote, or have an untoward encounter with a public
official or with the police, however trivial, your data is out of your
control. Many of these things are beyond your capacity to prevent. What you
type into your own computer should not be beyond your capacity to reasonably
safeguard against normal hazards. When you use a public access
terminal, even what may remain on the local computer when you leave is
unguarded information. You should realize that, and use it accordingly.
Before you Connect
Many things we do with computers are personal, today. It may be the
writing of a letter, calculating and displaying with a spreadsheet,
even playing a game is really usually nobody else's business.
But, it is possible for us to safeguard that information, such that
even if another gains access to our computer it is difficult if not
impossible for them to ``get to'' our data. The tool used for this
is a computer program which uses encryption. Encryption merely
takes the data and stores it in a different format. That encrypted
format is unavailable to anyone without the correct passphrase or password
using the same, or compatible program. Also, not all encryption is equal
in strength, just as not all locks on a door are of equal strength.
The use of strong encryption is possible in most of the world
today. Some of the strongest available escaped US export restrictions
several years ago, and is maintained in a world-wide volunteer effort.
In most of the world, it is legal to use it. Noteable exceptions
are some of the republics from the former Soviet Union, where government
sponsored encryption must be used if any is used, and in France,
where special government permission is required. China, Iran and Iraq
seemingly also have restrictions on all use of encryption technology.
This is not a guarantee that it is legal where you, the reader, is
located, but rather the result of occasional doublechecking. One listing
is maintained within the various PGP distributions.
But the use of such encryption technology is only as solid as your practices.
If you make your pass-phrase easily guessable, it is like using a door lock
with a simple (skeleton) key. If you leave it written down, it is like leaving
your keys laying around for someone to borrow. If you only sometimes
use it, it is like leaving the door unlocked at times. And because this
is about privacy, if you leave copies around which are not encrypted,
even in a WINDOWS\TEMP\ file or comparable place on other system-types, it is
the same as keeping private papers in a safe, with a copy laying on the desk.
... and other things on the net depend upon security on your end, on the other
end (the remote site), and even in between.
Even though, we know that data left on your shell account are outside
your control, it does not mean that you will wish to leave such things open
to everyone. Usually, your login is protected by a password or pass-phrase.
Yet, that password MIGHT be, and today, normally is sent without that encryption
we spoke of above, between your computer, where you type it, and the account on
your ISP's machine. This means that anything between your machine and that
machine, including your password, could be ``sniffed'' by anyone with
physical access to any part of the network between your keyboard and the
software at your ISP which receives it. But even with this hole in security,
it is probable that only the telephone lines between you and your ISP, and
perhaps your ISP's internal network are between you and your shell or E-Mail
account, when you are at home or your normal office. If you use that account
from a public access terminal, or across the net from a friend or associate's
computer, however, it may be that a copy could even be stored as you
type it, either within this other computer you are using, or somewhere between
it and your account. Only you can determine if this is too great of a risk.
For most people it is not too great a risk. Yet other technologies are
available even for a shell login, if your ISP supports it and compatible
software is available for your computer operating system, such as
Web Pages - Secure?
When entering credit card numbers to place an order through a web page, for
example, it may, indeed, be too great of a risk, to allow that information
to be captured by someone else. While a public access terminal may be just
fine for casual use, it may not be the place you wish to enter your credit
card number into a web page. Also, not all web pages are the same, and
telling the difference is reasonably easy, but requires you to understand it.
We'll cover this technical point first, then touch on some things that may
Two main ``protocols'' are used on the World Wide Web. You may notice them
in the slot on your browser that displays web addresses. Each URL has several
letters at the front which identify the ``scheme'' or ``protocol''. http
is the one most often seen, and it is so common, that some browsers will
insert it if you do not. This is actually an acronym for
HyperText Transport Protocol. A second adds the
letter s to that (S for Secure). Plain http is
much like the plain E-Mail we spoke of above. There is no security, except
that there may be noone in a position to look, or with the interest to look.
With https, though, the data passed in both directions between your
computer and the server your computer communicates with is encrypted. This
means that someone in between should not be able to decypher and view the
content. This is not absolute, however. Some of the servers released
prior to mid-June 1998 (which at this writing includes most), had
some debugging code inadvertantly left in place, which allowed their security
to be broken. Similarly, some servers are themselves insecure (like locking
the door and leaving the window wide open). Hence, according to the truism
stated above - when the data leaves your control, it is out of your control.
It should be safer if transferred via https whether or not
a window on your browser pops up to tell you about it, or if you check the
security of the current page with a menu option in your browser. Much more
information is available elsewhere, as the actual strength of the encryption
used may also vary.
Now for the obvious part. When you send such sensitive information to someone
else, you must judge their fitness and reliability to both properly
protect it, and to use it properly. Anything in a computer can be easily
copied. If you know the business or person, or have done business
with them in the past, you may know something about the risks, or at least
be able to form an opinion. Size does not imply reliability!