The Internet is a truly amazing thing. Thanks to it, we can send mail to people on the other side of the globe without paying postage. When we feel that even e-mail is not fast enough, we can converse in real time with talk and IRC. In fact, it is often easier to talk to someone with IRC than in real life, as the worst someone can do in IRC is to ban you from the channel, or (gasp!) ignore you. People cannot punch you in the face through the computer terminal. Also, nobody can listen in on your conversation, because you are not speaking. After all, as long as you shield your terminal screen from view, nobody but the folks on channel can hear you, right?
Well, unfortunately, it is not that simple. Just as someone can hide in the shadows and listen to your conversation in real life, people on the Internet can spy on you, and try to figure out what you are saying and doing. Those people usually don't give many clues that they are spying either. Also, people can try and break into your account, get your files, and send e-mail in your name. They can attempt to destroy your data by sending you programs with viruses, or trojan horses. They can give you seemingly innocuous scripts with "backdoors" in them to let them control your client. Or they can simply harass you on IRC in many ways. However, you are not without countermeasures. By taking proper precautions, you can protect your privacy, your data, and your account from prying eyes.
Note: If you are engaging in illegal activities, all bets are off. Law enforcement officials with a subpoena and/or the cooperation of your ISP can effortlessly monitor anything you do over the Internet. And becoming your own ISP is no protection against a court-ordered tap. If you are unsure of the legality of what you plan to do, wait until you are sure what you are doing is, in fact, legal.
As you may well know by now, not everybody on IRC is nice and well-behaved. Sooner or later, you will find a person who is just being a big jerk, and doesn't want to leave you alone. Or someone will try and take over your channel. Or someone will start flooding you off of IRC. The IRC FAQ is fairly helpful in this regard, and explains how to handle the usual brand of jerk. However, it does not cover everything, and what IS there bears repeating.
You can keep jerks from messing up your channel by managing it well. To do this, it is essential that you learn about channel modes. So, here are the modes that you need to know, and what they do.
+i: Invite only. Unless a channel operator /INVITEs a person, he or she cannot join the channel at all.
+n: No external messages. You will see this one a lot, and it is a very useful mode to set. Without it, anyone can send a message to everybody on the channel without joining it, and sooner or later someone will use that to flood the channel from the outside. Setting +n prevents that. We can think of NO good reason not to set this mode on every channel you are an op on; if you don't, people WILL flood the channel.
+p: Private. The channel's name does not appear in a channel listing. People can still see the users on the channel who aren't invisible, but they won't know what channel they are on.
+s: Secret. The channel won't show up on a channel list at ALL. As far as outsiders know, the channel doesn't exist. This is more secure than private.
+m: Moderated. Only channel operators, and people a channel operator has given "voice" (+v), can talk. This keeps people on the channel from flooding it. If you op (or voice) everyone involved in a conversation, op nobody else, and make the channel +m, nobody can flood the channel at all. This has a real advantage over +b in dealing with jerks: you can say anything you want about them, and they are totally unable to reply. They will leave on their own, tail between their legs.
+t: Topic lock. Only channel operators can change the topic. This keeps people from constantly changing the topic and interrupting your conversation. It is almost as common as +n.
+o and +b are technically channel modes too, but almost every script or non-Unix client has simple ways to use them. +b is used to ban jerks from the channel (by a nick!user@host mask), of course, and +o makes someone a channel operator. Keep in mind that +b is very confrontational and can lead to channel wars. Also keep in mind that IRC is anarchy, and any op on any channel is allowed to ban any person for any reason or no reason.
So, there are many ways to keep people from messing up your channel. Always make it +n to keep people from flooding it without joining. If people are changing the topic too much, make the channel +t. If somebody is being nasty to the people on the channel, ban and kick that person. Kicking by itself is nearly worthless, as most clients automatically rejoin. However, if you make the channel +i just before you do the kick, the auto-rejoin fails, and you can then take invite-only back off. Another good way to keep people from messing up the channel is to make it +m and only op (or voice) the people you want to be able to talk. If someone on the channel is annoying only to you, the user command /ignore nick all filters everything from that person off your screen, effectively removing them from your universe.
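As an added example (not from the original FAQ), here is how a client keeps track of these modes from the raw MODE lines the server sends, with an audit against the advice above and the +i / kick / -i sequence. The parameter rules for b, o, v, k and l are assumptions based on RFC 1459 and vary a little between servers; #chan, BigCheese and Jerk are made-up names.

```python
# Added example, not from the original FAQ: how a client tracks channel
# modes from raw MODE lines, plus an audit against the advice above.
# Assumed (RFC 1459-style) parameter rules: b, o, v and k always take a
# parameter; +l takes one, -l does not. Real servers vary, so treat the
# tables as illustrative rather than authoritative.

FLAGS = {"i", "n", "p", "s", "m", "t"}      # no parameter
PARAM_ALWAYS = {"b", "o", "v", "k"}         # parameter when set and when removed
PARAM_ON_SET = {"l"}                        # parameter only when set


def new_channel(members=()):
    return {"flags": set(), "bans": set(), "ops": set(), "voiced": set(),
            "members": set(members), "key": None, "limit": None}


def parse_mode_line(line):
    """'MODE #chan +ntb-o *!*@biteme.com Jerk' -> ('#chan', '+ntb-o', [...])."""
    parts = line.split()
    if len(parts) < 3 or parts[0].upper() != "MODE":
        raise ValueError("not a MODE command: %r" % line)
    return parts[1], parts[2], parts[3:]


def apply_mode(state, modestring, params):
    """Apply one mode string to the channel state. Parameters are consumed
    left to right, in the same order as the mode letters that need them."""
    params = list(params)
    adding = True
    sets = {"b": "bans", "o": "ops", "v": "voiced"}
    for ch in modestring:
        if ch in "+-":
            adding = ch == "+"
        elif ch in FLAGS:
            (state["flags"].add if adding else state["flags"].discard)(ch)
        elif ch in PARAM_ALWAYS or (ch in PARAM_ON_SET and adding):
            if not params:
                raise ValueError("mode %s needs a parameter" % ch)
            arg = params.pop(0)
            if ch in sets:
                (state[sets[ch]].add if adding else state[sets[ch]].discard)(arg)
            elif ch == "k":
                state["key"] = arg if adding else None
            else:                            # +l <limit>
                state["limit"] = int(arg)
        elif ch in PARAM_ON_SET:             # -l carries no parameter
            state["limit"] = None
        else:
            raise ValueError("unknown mode character %r" % ch)
    return state


def audit(state):
    """Which of the text's recommendations the channel currently violates."""
    problems = []
    if "n" not in state["flags"]:
        problems.append("+n missing: outsiders can flood the channel without joining")
    if "t" not in state["flags"]:
        problems.append("+t missing: anyone can change the topic")
    if "m" in state["flags"] and not (state["ops"] | state["voiced"]):
        problems.append("+m set but nobody is opped or voiced: nobody can talk")
    return problems


def kick_with_rejoin_guard(state, channel, nick):
    """The sequence from the text: set +i, kick, clear +i, so the victim's
    auto-rejoin fails. Returns the raw lines a client would send."""
    apply_mode(state, "+i", [])
    lines = ["MODE %s +i" % channel, "KICK %s %s :bye" % (channel, nick)]
    for key in ("members", "ops", "voiced"):
        state[key].discard(nick)
    apply_mode(state, "-i", [])
    lines.append("MODE %s -i" % channel)
    return lines


if __name__ == "__main__":
    chan = new_channel(members=["BigCheese", "Jerk"])
    chan["ops"].add("BigCheese")
    for line in ("MODE #chan +nt", "MODE #chan +b-o *!*@biteme.com Jerk"):
        _, modes, args = parse_mode_line(line)
        apply_mode(chan, modes, args)
    print(audit(chan))                                   # -> []
    print(kick_with_rejoin_guard(chan, "#chan", "Jerk"))
```

The parameter bookkeeping is the part people get wrong: in "+ntb-o mask nick" the first parameter belongs to b and the second to o, and "-l" takes none at all, so a parser that simply zips letters with arguments will corrupt its view of the channel.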
If people are using clonebots and causing major havoc, go and find an IRC operator and ask for help. On Undernet, you can usually find them on #wasteland. Be sure to give the operator the /whois information on one of the clones and the name of the channel the clonebots are disrupting. This works fairly well, and in the meantime you can keep them from flooding the channel by moderating it (making it +m) until they are kicked off.
However, not all the jerks are trying to mess up your channel. Some of them are trying to stalk *you* around IRC and make you miserable. They can flood you, or they can send you obscene messages. And often, they can change nicks to dodge ignores, or get a friend to bug you. So the simple "just ignore him" advice in the FAQ isn't enough. To protect yourself, you need to learn about User Modes. These are different from Channel Modes. There is really only one you need to know.
+i: Invisible. Your nick does not show up in /who listings or wildcard /whois queries unless you share a channel with the person asking. Example: if you were BigCheese and typed /mode BigCheese +i (or the equivalent command in your script or client), then somebody typing "/who Big*" would not see your nick unless they were on a channel with you. However, anyone typing "/whois BigCheese" would still see that you are on IRC, along with your login and server. So being invisible makes it harder for jerks to find you: in particular, it keeps people from using your login information (a /who on your user@host) to find out your current nick. Note that /notify will still report that you are on IRC if you use the nick it is watching for, even if you are invisible.
If somebody is bugging you constantly, the FAQ says to make yourself invisible, change your nick, and then join a new, secret, invite-only channel. This works a lot of the time. However, some servers offer a /note spy facility. Most servers on EFnet have it disabled, but there are still servers from which it can be used. Note spy not only finds invisible people, but if the person changes nicks, it tells the spy what nick they changed to. What can you do about that? Change your nick a second time. The note spy reports the first nick change, but because it watches by nick, in the same manner as notify, it does not automatically follow the new nick; it only tells the obnoxious person what the new nick is. So if you switch nicks again, the other person is not informed of it. You do have to change nicks quickly, or the other person may be able to put a note spy on the new nick as well. And if he is REALLY determined, he will put one on that nick anyway to catch you next time you are on IRC, so you may want to vary your nicks a lot.
If this seems like a lot of work to stop somebody, that's because it is.
If someone is really being that mean and nasty, your best course of action may be to make a log of his actions and send it to root at his system. You can find out his system by doing a /whois; the reply looks something like "jerk is lamer@dyn-25.biteme.com (i am mean)". A host name like that means he is probably on a SLIP or PPP dial-up. In that case, chop off the first part of the host name and send mail to, in this case, root@biteme.com. Basically, if you get an error when trying to send to root@(that person's host), try leaving out the part from the character after the @ up to the first dot, and send again. If you get a bare IP address in the /whois info (something like 213.62.53.127), log it anyway and talk to your sysadmin about it. You can probably get the guy banned from his IRC server, and then he will have to find a new server. If he does, and starts bugging you again, just report him again. His ISP may even disable his account if you can show them logs.
Now you know how to make sure you aren't bothered on IRC. However, as we noted earlier, people can eavesdrop on your conversations. When you send a /msg to someone, it goes from your machine to your provider, who can log this plain text with ease. It then gets sent to the IRC server you are connected to, and the person who maintains the IRC daemon on that server could set IT up to log the text sent to it. It then works its way across the net to the IRC server the recipient is on; ANY server in the path from yours to his could pick up the message and log it. Finally, it gets to the other person's provider, where root on THAT machine could log the text. So there are MANY places the message could be intercepted, read, and sent on its way. Now if what you said was "hello", you have nothing to worry about, of course. But if you said something like "I think I'm pregnant," you may not want other people knowing this.
However, you CAN take the IRC servers out of the loop. You can either use talk (a non-IRC chat protocol where you work with a split screen and can both type at once) instead, or start a /DCC CHAT with the person, by typing /dcc chat followed by the person's nick. Bear in mind that this only removes the IRC servers: a DCC chat is a direct, unencrypted connection between the two machines, so your own provider, the other person's provider, and anything in between can still read it, and the other person learns your IP address when the connection is set up.
There is one other way someone could get your IRC messages: packet sniffing. This is a very technical and time-consuming process, and basically not something you need to worry about much. The people who could do this simply don't CARE what you have to say on IRC. They would be too busy hacking government computers to log you netsexing... :) (Though see the update further down: in the broadband era we no longer consider sniffing rare.)
Whether you have a PPP account or a shell, when logging into your account you use a password. The point of having a password is to keep other people out of your account. If you choose your password well, it will do just that. However, what makes a good password is not always obvious. We will attempt to clear this up in this column.
There are many things NOT to do when selecting a password. One thing you should not do is pick ANY word in any dictionary. There exist programs like Crack that try every word in a dictionary file against your password and can guess it within a reasonable amount of time on modern computers. Sure, it seems like there are a lot of words in the dictionary, but they are actually a very small subset of all the legal strings of characters that could make up a password. Words NOT in the dictionary aren't much more secure either: if you think something is a word, more than likely some crack dictionary writer thinks it's a word too. One solution many people come up with is to use two words separated by a character such as a slash. However, this only works at all if the two words are totally unrelated, and it is too easy to unwittingly select two words that have some association with each other so you can remember the password. If you can see an association between the words, so can the crackers. A rule of thumb is that if you think you are being really clever with your password choice, the crackers will already have thought of your idea and will guess your password very rapidly. One example is entering "password" as your password (it says "enter password", so I'm entering "password"... heheh, no one will guess that). EVERY cracker guesses that one first. Another example of trying to be "clever" is substituting numbers for letters, yielding something like "41w4y5" (always). The crackers have thought of that too, so that password must be considered a word that is in the dictionary. People also may think using wEiRd CaPiTaLiZaTiOn is a good way to make their passwords more secure. It isn't; cracking tools try those variations as a matter of course.
So, if you can't use words and you can't be clever, what can you do?
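Here is an added example (not from the original column) that puts the rules above into code, and also covers the two answers explained next: measuring the size of the space a random password is drawn from, and building a password from the initials of a sentence. It normalizes the "clever" substitutions and capitalization before checking, and flags dictionary words, related word pairs and keyboard walks. The word list and related pairs are constructed stand-ins for a cracker's dictionary, and every function name is my own.

```python
# Added example, not from the original column: the password rules above as
# code. The word list and "related pairs" are tiny constructed stand-ins for
# the dictionaries a cracking tool carries; every name here is my own.
import secrets
import string

DICTIONARY = {"password", "always", "secret", "dragon", "cheese", "time",
              "pick", "black", "white", "salt", "pepper"}
RELATED_PAIRS = {("black", "white"), ("salt", "pepper")}
# digit/symbol-for-letter substitutions: "41w4y5" -> "always"
LEET = str.maketrans("4310$5!7@", "aelossita")
# keyboard rows and the columns of a "finger walk" such as 1qaz2wsx3edc
KEYBOARD_LINES = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
                  "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm"]
ALNUM = string.ascii_letters + string.digits


def normalize(pw):
    """Undo the 'clever' tricks a cracker undoes first: case and leet."""
    return pw.lower().translate(LEET)


def is_keyboard_walk(pw):
    """True if pw consists entirely of runs of 3+ adjacent keys along
    keyboard rows or columns, in either direction."""
    s = pw.lower()
    if len(s) < 3:
        return False
    i = 0
    while i < len(s):
        best = 0
        for line in KEYBOARD_LINES:
            for seq in (line, line[::-1]):
                j = seq.find(s[i])
                if j < 0:
                    continue
                k = 0
                while i + k < len(s) and j + k < len(seq) and s[i + k] == seq[j + k]:
                    k += 1
                best = max(best, k)
        if best < 3:
            return False
        i += best
    return True


def weaknesses(pw):
    """Reasons a cracker would get this password quickly (empty = none found)."""
    reasons = []
    n = normalize(pw)
    if len(pw) < 9:
        reasons.append("shorter than nine characters")
    if n in DICTIONARY:
        reasons.append("dictionary word (%r)" % n)
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        reasons.append("needs both letters and digits")
    if is_keyboard_walk(pw):
        reasons.append("keyboard walk")
    for sep in "/-_.,+ ":                 # two words joined by one separator
        if n.count(sep) == 1:
            a, b = n.split(sep)
            if a in DICTIONARY and b in DICTIONARY:
                related = (a, b) in RELATED_PAIRS or (b, a) in RELATED_PAIRS
                kind = "related" if related else "two dictionary"
                reasons.append("%s words joined by %r" % (kind, sep))
    return reasons


def password_space(length, alphabet=ALNUM):
    """How many passwords of this length the alphabet allows (62^9 in the text)."""
    return len(alphabet) ** length


def from_sentence(sentence):
    """First character of each word: the text's 'Ttptpfm4p' method."""
    return "".join(word[0] for word in sentence.split())


def random_password(length=9, alphabet=ALNUM):
    """Uniformly random password that also satisfies a letters+digits rule."""
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw):
            return pw


if __name__ == "__main__":
    for candidate in ("password", "41w4y5", "black/white", "1qaz2wsx3edc",
                      from_sentence("Time to pick the password for my 4th provider."),
                      random_password()):
        print("%-14s %s" % (candidate, weaknesses(candidate) or "no obvious weakness"))
    print("9-char alphanumeric space:", password_space(9))
```

Note that the checker works on the normalized form, which is the whole point: "41w4y5" and "PaSsWoRd" are rejected as the dictionary words they are, while the sentence-initials password "Ttptpfm4p" passes every test here even though it is easy to remember.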
You can choose a random combination of letters and numbers, more than eight characters long. Many systems require at least six characters, and that there be both letters and numbers in the password. Now, we know what you are going to say: "How can I remember a password like that?" Well, it IS harder to memorize a bizarre string of characters than a real word, but it really is much more secure. Let's do some simple math and see how many nine-character passwords there are: 26 letters * 2 (upper and lower case) = 52 letters, + 10 digits (0 through 9) = 62 alphanumeric characters that the first character of the password can be. Since there are nine characters, we raise this number to the 9th power to get the number of nine-character passwords. Now 62^9 is about 13.5 quadrillion (1.35 * 10^16) passwords to choose from. That's a LOT of passwords, and it is MUCH greater than the number of words in the dictionary. And that doesn't even include punctuation characters, which would multiply that figure roughly forty-fold (94^9 is about 5.7 * 10^17). So random passwords are much more secure.
Now, there is a compromise that can be made. If you find yourself unable to remember such a random string of characters, you can try writing a sentence and using the first letter of each word as a character in the password. An example would be "Time to pick the password for my 4th provider." To make this into a password, you take the first character of each word and type "Ttptpfm4p", thinking "Time to pick the password for my 4th provider". Putting a "4th" or other such number into the sentence ensures that your password has a number in it, to pass the check for a numeric character. If you didn't know the sentence, you would probably go "huh?" when you saw the shortened form that is used in the password. But by memorizing the sentence, you memorize the password. The result is only as good as the sentence, though: a famous quotation or song lyric is in the crackers' lists too, so make up your own.
Now you know how to generate a secure password. One way NOT to generate a secure password that meets length and alphanumeric requirements is to run your fingers along the keyboard and do something like this: 1qaz2wsx3edc (hey, it's twelve characters, looks random, and I can remember it easily! It's GOTTA be secure...). Again, that's trying to be clever, and the crackers have thought of it.
If your communications software has an auto-password generation function, use it to generate a random password instead. If you are a dial-in user, you can set up your com program to enter your random password for you so you don't have to remember it. This makes your account secure as long as nobody else uses your computer. :)
Now that you have a secure password, for crying out loud, DON'T TELL IT TO ANYBODY! The whole point of a password is that nobody else knows what it is. Telling other people defeats the purpose. Also, don't write it down by the computer unless you never let anybody else near your computer. That's kind of like leaving a hidden key outside your house: if you forget the key, you can get in, but someone else might find the key.
Recently, we were the victim of an interesting attempt at a password hack. Somebody got our e-mail address through IRC and faked an e-mail from root at our site telling us to change our password to TARDIS. We thought about it, and realized that root never NEEDS to know your password to get at your files, so the request had to be a fake. If we had done what the guy on IRC requested, he would have hacked our account, unshadowed the password file, and caused a lot of trouble. The lesson to be learned here is NEVER believe ANY e-mail telling you to change your password to a specific value. Root at your site doesn't EVER need to know what your password is anyway, and there is no reason to obey anyone else. If your system password file has been compromised, you may receive e-mail from your admin telling you to change your password. By all means do so if this happens, but change it to a new, secure password... not one anybody else knows.
You now know how to pick a good password, and what to do to keep it a
secret. However, there are ways for people to gain access to your account without your password. One way is to break into the root account, but you cannot defend yourself against that, so don't worry about it. It may happen, it may not, and if it does, it's not your fault. However, there are two files that you need to watch out for if you are a shell user: .rhosts in your own directory, and the system-wide hosts.equiv. Some discussion of what these files are for and what they do is in order.
One method of going from one machine to another is rlogin, which logs you into the other machine. Usually you will need to re-enter your password, unless your ISP has set things up so that you can move between its own machines without one. However, if there is a .rhosts file in your home directory, or a hosts.equiv file on the system, then when someone tries to rlogin to your account, the login daemon checks their user ID to see if it matches yours, and if it does, checks their host against these files. If the host is listed, it lets the other person in without a password. This is fine and dandy if the other person is really you. Often people do this for convenience, so they can rlogin from home to work and vice versa without a password. However, it means that if ANY host in those files is compromised (or its name or address can be spoofed), the cracker can get into your account without a password. Using these files makes your account less secure. If you (or your provider) care about security, you should delete them.
Also, some versions of Unix ship with comment lines in those files. The problem there is that these files have no comment syntax: instead of functioning as comments, such lines let anyone who hacks themselves a host name of "#" (which isn't hard) into your account. A line consisting of a lone "+" is worse still, since it trusts every host. Basically, don't use these files at all, or only put other hosts at the same ISP into them (i.e. netcom2.netcom.com, netcom3.netcom.com, netcom4.netcom.com, etc.), and don't put comments in the files.
Now, things have changed a lot on the Internet, and some new
developments have caused us to revise our advice some. We still recommend against use of .rhosts, but in the age of broadband, packet sniffing to discover cleartext passwords has become a lot more commonplace. As mentioned earlier, plaintext sent over the Internet can be captured and read, and rlogin/rsh send whatever you type over the Internet in the clear. So in fact we recommend that rsh and rlogin never be used at all. And telnet is just as insecure in the way it transmits passwords. But fear not: there is a solution.
Quite some time ago, people realised the security hole in transmitting passwords in the clear and came up with a solution: Secure Shell, or ssh. This program is intended as an rsh/rlogin replacement and works rather similarly, but with an important difference: the information sent between the computers is encrypted with a unique session key. This means that even if the packets WERE sniffed, the sniffer would only get a bunch of gibberish. Not only is everything you type encrypted, so is the password you send, so it can't be intercepted either. And it's possible to configure ssh and sshd (the part that runs on the other computer) so that instead of a password you authenticate with public key cryptography, similar to PGP. The ssh manuals explain it pretty well, but we'll sum up. You create a public/private key pair. You copy the public key to the other server, using secure copy (scp), the replacement for the insecure "rcp" program, and add it to the list of keys authorized for your account there (~/.ssh/authorized_keys in current versions). From then on, as long as you are on your machine with your private key, you can log on with no password, but no one else can. Protect the private key with a passphrase, since anyone who copies that file off your machine could otherwise log in as you. If you use Linux or any other UNIX variant, you most likely already have ssh and sshd. If you are using a Windows operating system, you most likely do not have it. But fear not, as you can download it. Many commercial SSH packages exist, and SecureCRT comes highly recommended. But there are also freely available versions,
in various states of completion.
Also, there is the danger of people gaining access to your account in some fashion through IRC. You don't have to worry as much if you are a SLIP/PPP user, but this info is useful to everybody. As mentioned earlier, people can send you a seemingly ordinary script that has a back door in it, to let them control your client. The rule of thumb for IRC scripts is not to load one unless you understand every line of it. If you want to run something like Phoenix or Lice, get it from a well-known archive, not from some "nice person" on IRC. The person offering it may have put a backdoor into it, or may himself be using a backdoored version of the script; even if the person is trustworthy, he might not have noticed the backdoor. If you DO get a script not known to be safe, look at it very carefully. If you understand IRC scripting, look at EVERY ON statement, as that's how backdoors are placed in ircII scripts. In mIRC, look in the remotes section and look over the settings there. An example of a backdoor would be something like:
/ON PRVMSG *^AJUPE *
(^A is the control-A byte that delimits a CTCP request.) What this means is that if somebody sends you a CTCP JUPE, everything following the word JUPE is executed by your client.
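As an added example (not from the original column), here is a small audit covering both the .rhosts/hosts.equiv advice given earlier and the backdoored-script advice just above: one check reports rhosts entries that let outsiders in, the other flags ircII and mIRC event hooks that hand incoming message text to exec, eval or run. The sample files are constructed, the ISP domain netcom.com is taken from the earlier example, and the hook patterns are my own rough sketch of the two scripting syntaxes, enough to triage a script but not full parsers.

```python
# Added example, not from the original column: two audit checks for a shell
# account's home directory, one for the .rhosts/hosts.equiv advice given
# earlier and one for the IRC-script backdoor advice just above. The sample
# file contents are constructed; the hook patterns are my own rough sketch
# of ircII and mIRC syntax, good enough to triage a script, not a parser.
import re

TRUSTED_DOMAIN = "netcom.com"          # assumed: the ISP's own hosts


def audit_rhosts(text, trusted_domain=TRUSTED_DOMAIN):
    """Return (lineno, problem) for entries that let outsiders in.

    These files have no comment syntax: a line starting with '#' is a host
    name, and a lone '+' in the host or user field trusts everyone.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields:
            continue
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host == "+" or user == "+":
            findings.append((lineno, "wildcard '+' trusts every host or user"))
        elif host.startswith("#"):
            findings.append((lineno, "'#' is not a comment; it trusts a host named %r" % host))
        elif not host.lower().endswith("." + trusted_domain):
            findings.append((lineno, "host outside %s: %s" % (trusted_domain, host)))
    return findings


# Rough hook patterns (assumed): ircII  on ^EVENT "pattern" { action }
#                                mIRC   on LEVEL:EVENT:match:{ action }
IRCII_HOOK = re.compile(r"^\s*/?on\s+\^?(ctcp|msg|prvmsg|public|notice)\b(.*)$", re.I)
MIRC_HOOK = re.compile(r"^\s*on\s+[^:]*:(ctcp|text|notice|action)\b:(.*)$", re.I)
# Actions that hand the incoming text to the shell or the script interpreter.
DANGEROUS = re.compile(r"\bexec\b|\beval\b|\brun\b|\$decode\b", re.I)


def audit_irc_script(text):
    """Return (lineno, event, line) for hooks whose action executes input."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = IRCII_HOOK.match(raw) or MIRC_HOOK.match(raw)
        if m and DANGEROUS.search(m.group(2)):
            findings.append((lineno, m.group(1).lower(), raw.strip()))
    return findings


# Constructed samples.
SAMPLE_RHOSTS = """\
netcom2.netcom.com
netcom3.netcom.com bigcheese
# my home box
dyn-25.biteme.com
+
"""

SAMPLE_IRCII = """\
# harmless: rejoin after a kick
on ^kick "$N *" { join $2 }
# backdoor: whatever follows the word JUPE in a CTCP is run as a shell command
on ^ctcp "* * JUPE *" { exec $4- }
on ^msg "*" { echo *** $0 says: $1- }
"""

SAMPLE_MIRC = """\
on 1:TEXT:hello*:#:{ msg $chan hi $nick }
on 1:CTCP:JUPE *:*:{ run $2- }
"""

if __name__ == "__main__":
    for lineno, problem in audit_rhosts(SAMPLE_RHOSTS):
        print(".rhosts line %d: %s" % (lineno, problem))
    for sample in (SAMPLE_IRCII, SAMPLE_MIRC):
        for lineno, event, line in audit_irc_script(sample):
            print("script line %d (%s hook): %s" % (lineno, event, line))
```

The script check deliberately does not flag every hook that touches message text (echoing $1- is harmless); it only reports hooks whose action passes that text to something that executes it, which is exactly the shape of the CTCP backdoor described above. A real review still has to read the rest of the script, since a backdoor can be split across an alias and a hook.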
The other guy could do a /CTCP
Another thing people may try to do if you are on a shell account is to tell you that they need you to compile a program for them. This is utter baloney: a binary compiled on one UNIX box will generally not run on a different kind of system, and anyone with a real need could compile it on their own shell. What the person is really trying to do is trick you into compiling and running a C program that reads your system's password file (or, where the hashes are shadowed, tries a local exploit to get at them) and e-mails it back to them. This is not a smart thing to do, as it lets the other guy run Crack on your system's password file and maybe break into some accounts. If somebody tells you that they need you to compile a program for them, simply tell them that it wouldn't run on their system anyway. If they say "oh, sorry", they are probably just ignorant, and you can't help them anyway. But if they go on to say that they want you to run it, DON'T! Get it if you want, but don't compile it, and DON'T even think about running it. Instead, get the person's e-mail address and inform root at their site about the hack attempt, being sure to include a copy of the C program the person sent you.
Now is as good a time as any to talk about viruses. First, as to Unix viruses that could magically infect your Windows PC: there aren't any. End of subject. For those of you using Unix shell accounts, you are virus safe unless you download something to your PC, because the programs you run on UNIX are either protected system files or compiled by you.
Many of you have heard rumors of viruses attached to GIFs. THERE IS NO SUCH THING! A virus is attached to executable files (files that end in .bat, .com or .exe) and nothing else; a picture file carries no code that your computer will run. (The separate risk, a bug in the program that displays the picture, is a problem with that program, not a virus in the picture.) The file containing the virus can, of course, be zipped along with other files or e-mailed as an attachment. A virus is dormant until it is executed.
Most viruses are spread from computer to computer on floppy disk. Many viruses are set to go off at a certain time, and the person who gives it to you may not even know they have it. Viruses have even been spread on distribution disks of legally purchased software. They are also commonly attached to shareware programs by cybervandals. To make things even more difficult, new viruses crop up every day; some cybervandals have even circulated a virus construction kit. Viruses range from annoying to something that will cause you to lose everything on your hard drive. At least one virus has been reported to damage monitors as well.
The first step in virus protection is being prepared. Make an emergency diskette with system files, an image of your CMOS settings, the FAT, your config files, and a good virus check and clean program. Keep it handy. A good suggestion for virus protection software would be F-Prot, which is available free of charge for personal use. Update your detect and clean software regularly to keep up with the new viruses.
Run a virus detect program on your system. Never run a file from a diskette without performing a virus scan. While this may seem like a lot of work, it is far less of an inconvenience than losing everything on your hard drives. Only download software from well-known archives, and check it before you run it. Never execute a file received via DCC without a scan. Even then, the virus could be newer than your detection software. We practice safe computing, and have still had 4 different viruses, one of which did severe damage. Chris also inadvertently passed a virus on to his boss on distribution diskettes. The boss was not amused.
Despite all of your precautions, a virus may slip by your detection software. If that happens, you may not notice for a while as it lies dormant waiting for its activation trigger. However, often there will be signs that tip you off to the presence of a new virus before it attacks. For example, if the mem command reports less than 640k of main memory total (not the amount free, the amount total), you almost certainly have a boot sector virus, which became resident in memory before DOS did. Sometimes a BIOS shadow will take away some main memory, but if this is the case, we suggest you free the memory by turning the shadow feature off in CMOS setup. If a DOS command like MOVE or DELTREE suddenly stops working, a resident file-infecting virus is the most likely explanation; DOS commands don't stop working on their own when they are clean. If the sound support in a previously working program suddenly stops working, no matter what you do, that is also a sign of a resident virus. To sum up, if something that has generally worked on your computer suddenly stops working, assume a virus. Of course, with the advent of Windows, notorious for its instability, we can't rule out other things, such as registry corruption or botched installs, but if nothing else helps
Once you have disinfected memory by turning off your computer for 30 seconds and booting from your emergency write-protected floppy, then disinfected your hard drive with your detection and cleaning software, be sure to scan EVERY floppy disk that has been in your disk drive. The best way to rid yourself of a virus is not to catch it in the first place.
As the times change, bad people keep discovering new tricks, and virus writers are no different. There are a few things worthy of discussion.
The first new trick was the "macro virus". Many popular office programs can store macros, sets of instructions executed by the software, inside document files. It was only a matter of time before people started exploiting this. Word documents, WordPerfect files, Excel spreadsheets, PowerPoint presentations: all must be scanned now to catch macro viruses. Relying on Microsoft's security fixes alone to disable hostile macros is not very wise; also turn on the macro warning (or disable macros) in the application itself. Raw picture formats such as GIF, JPEG or PNG are still virus safe, as they contain no executable code (the only remaining exposure is a bug in the viewer, as noted above).
Another technique is the new, and yet also very old, self-propagating "worm". A virus attaches itself to other programs and replicates that way. A worm is different in that it does not attach itself to other programs; it spreads by itself over the network. Worms have long been used to target insecure UNIX servers. However, some features of consumer operating systems make them targets of worms as well.
One feature is "File and Printer Sharing for Microsoft Networks". If you have multiple computers, with a network card in each, this is a handy way to get files from one computer to another without the slow access time, unreliability and size limits of floppy disks. However, this same feature can, if improperly configured, leave you wide open on the Internet. Depending on your networking setup, you may have file sharing bound to the Internet protocol, TCP/IP, in which case people can access your files from the Internet. Fortunately, this is possible to stop. The process is a bit technical, but well documented. If you only have a modem and no network card, you don't need file sharing and can simply remove it. However, if you have both a modem and a network card, or a broadband connection, it's not so simple. Typically you want your other home users to be able to access your drives, but don't want anyone on the Internet to do so. One way is to assign secure passwords to your shares, and never try to access them from away from home. However, it's much better to unbind File and Printer Sharing from TCP/IP, because there is a well-known exploit that lets people steal your share passwords if you click on a malicious web link. Also, Windows XP Home Edition will refuse to let you password-protect a share at all! The process depends on your OS version, but is fairly well documented on a number of sites, with good information and step-by-step instructions available for Win95/98/Me. The process is more complex under NT, though. With sharing unbound, people can't peek at your computer without tricking you into running a trojan.
The other major way worms spread to consumer PCs is by exploiting security holes in e-mail software. Some programs have helpful "auto preview" functions that not only open the e-mail you have highlighted in a separate panel (fine) but can automatically open attachments as well. Now, as you well know, attachments can carry viruses and need to be scanned before they are opened unless they are pure data. Additionally, ActiveX controls can be automatically activated by certain e-mail programs as part of their HTML mail viewing features. This is bad news. To date, there is one e-mail program that has allowed many famous worms to spread the instant a person clicks on the e-mail to read it: Microsoft Outlook. We do not recommend the use of that particular e-mail software. Also, if your e-mail program has ANY option like "Use Microsoft's viewer" (some versions of Eudora), disable it! If you must insist on using Outlook (or your company insists on it!), disable all of its auto-preview features and apply all Microsoft security patches.
Recently, a number of nasty programs have started to show themselves.
Going beyond simple fake programs that wipe your hard drive, they now open
your computer up to remote access, and can even make your PC attack other
people's computers. A lot of what has been said about viruses also applies
to trojans. They can attach themselves to other programs, or propagate
themselves as worms. Because they propagate the same ways, they can also be
defended against with the same methods used to block viruses. However, the
consequences can be much worse if one slips through. Your computer can be
commandeered for illegal activities, such as crashing other computers or
preventing them from being accessed (a denial of service). A second line of
defense is needed to prevent that.

A good personal firewall is the best thing for stopping a trojan and
alerting you to its presence. Zone Alarm is the simplest effective solution.
The inner workings of a firewall are complicated, but the idea behind them
is not. A firewall sits between your computer and the Internet and only
lets through the traffic you want. A firewall can stop people on the
Internet from peeking at your computer; this is another way to keep your
network shares safe. But it can also block bad stuff coming FROM your
computer, and this is what makes firewalls so useful when dealing with
trojans. If a trojan does get onto your computer, the firewall will block
people from connecting in to control it, and when the trojan tries to
"phone home", the firewall will alert you. This allows you to identify it,
deny it permission, and continue to operate your computer. Two caveats: a
trojan running with full privileges on the same machine can try to disable
or bypass the firewall, and the firewall cannot tell a trojan from a
legitimate program once you have granted it permission, so treat every
unexpected permission prompt with suspicion. Zone Alarm is simple to
configure, especially if you aren't involved in online gaming, and their
web page has a lot of useful information on dealing with problems. Also, it
is free for personal use. It is not a replacement for a virus scanner, but
it is a very good second line of defense against the current breed of
popular trojans. Firewalls will also help you detect something called "Spyware."
Spyware is software that sends information about you back to its creators
without warning you about it. Such software usually has something buried
in the boring license agreement stating that you are authorizing this
activity. Most commonly, spyware is bundled with free programs that show
advertisements; it keeps track of the ads you click and sends the
information back so it can be sold. But your .mp3 player might have spyware
in it that tells the company what songs you like to listen to, for example.
Sometimes the spying code is buried completely within the software, but
other times it is a separate program. In any case, if you are concerned
about your privacy, as we are, you have a right to be angry at these sneaky
tricks. A firewall can alert you to suspicious activity on the part of
spyware as well: when a program you don't expect to access the Internet
suddenly does so, Zone Alarm will tell you about it. There is also software
to let you remove spyware, such as Ad-aware. Spyware has been known to make
computers less stable, so it is usually desirable to run only
spyware-free software.
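As an added example (my code, not Zone Alarm's and not from the original article), the following Python script is a miniature model of the outbound-connection control a personal firewall applies to trojans and spyware: default deny, a prompt the first time a program reaches the Internet or an approved program reaches an unexpected port, a block for unsolicited inbound connections, and a memory of the user's answers. The rule format, the sample policy and the sample connection attempts are all assumptions constructed for the demonstration.

```python
"""A model of a personal firewall's "phone home" control.  Added example
for this article; the policy format and the sample traffic are constructed."""
from dataclasses import dataclass, field


@dataclass
class Attempt:
    """One connection attempt as the firewall sees it (assumed fields; a
    real firewall obtains them from the operating system)."""
    program: str          # path of the process making or accepting the connection
    dest_host: str
    dest_port: int
    inbound: bool = False  # True for a connection arriving from the Internet


@dataclass
class Policy:
    allowed: dict = field(default_factory=dict)  # program -> ports (empty set = any)
    denied: set = field(default_factory=set)     # programs the user refused
    servers: set = field(default_factory=set)    # programs allowed to accept inbound


def decide(policy, attempt):
    """Return (verdict, reason); verdict is "allow", "block" or "prompt".
    Anything not explicitly allowed is blocked (inbound) or raises a prompt
    (outbound): that default is what catches a trojan or spyware the first
    time it tries to phone home."""
    if attempt.inbound:
        if attempt.program in policy.servers:
            return "allow", "program is an approved server"
        return "block", "unsolicited inbound connection"
    if attempt.program in policy.denied:
        return "block", "program previously denied by user"
    ports = policy.allowed.get(attempt.program)
    if ports is None:
        return "prompt", "first Internet access by this program"
    if ports and attempt.dest_port not in ports:
        return "prompt", "port %d not in program's allowed set" % attempt.dest_port
    return "allow", "matches policy"


def remember(policy, attempt, allow):
    """Record the user's answer to a prompt so it is not asked again, then
    return the new verdict for that attempt.  A denied program stays
    blocked; an allowed one gets the destination port added (a program
    already allowed on any port stays unrestricted)."""
    if not allow:
        policy.denied.add(attempt.program)
    elif attempt.program not in policy.allowed:
        policy.allowed[attempt.program] = {attempt.dest_port}
    elif policy.allowed[attempt.program]:
        policy.allowed[attempt.program].add(attempt.dest_port)
    return decide(policy, attempt)[0]


def run(policy, attempts):
    """Evaluate attempts in order; return the alerts the user would see."""
    alerts = []
    for a in attempts:
        verdict, reason = decide(policy, a)
        if verdict != "allow":
            alerts.append((verdict, a.program, a.dest_host, a.dest_port, reason))
    return alerts


# Constructed sample policy: mail and IRC clients on their usual ports,
# the browser on any port, nothing approved as a server.
SAMPLE_POLICY = Policy(
    allowed={r"C:\Eudora\Eudora.exe": {25, 110},
             r"C:\mIRC\mirc.exe": {6667},
             r"C:\Netscape\netscape.exe": set()},
)
# Constructed sample traffic (documentation IP ranges).
SAMPLE_ATTEMPTS = [
    Attempt(r"C:\Eudora\Eudora.exe", "mail.example.net", 110),
    Attempt(r"C:\mIRC\mirc.exe", "irc.example.net", 6667),
    # A fresh "screensaver" never seen before, phoning home.
    Attempt(r"C:\WINDOWS\TEMP\funpics.scr", "203.0.113.9", 31337),
    # An approved program reaching an unexpected port: worth a look too.
    Attempt(r"C:\Eudora\Eudora.exe", "198.51.100.7", 6667),
    # Someone on the Internet knocking on a port no server was approved for.
    Attempt(r"C:\WINDOWS\svchost.exe", "192.0.2.55", 12345, inbound=True),
]

if __name__ == "__main__":
    for alert in run(SAMPLE_POLICY, SAMPLE_ATTEMPTS):
        print(*alert)
```

The design point is the third attempt: the firewall knows nothing about funpics.scr, so it asks rather than guesses, and a "deny" answer is remembered. The fourth shows why per-port rules are worth the extra prompts: a mail client has no business talking IRC.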
For someone who wants to keep track of what you do on the net, your
home directory in a shell account is a good place to start. Most people
have a .newsrc file which shows the newsgroups that you are subscribed to
and which posts you have marked as read. Other files will tell them what
Gopher sites you have bookmarked (.gopherrc), what ftp sites you have
bookmarked, and who you have on your IRC notify and ignore lists. This
data is, of course, always accessible to you, and to anyone with root
access at your site. If you have set the Unix permissions on the directory
and files to allow it, many more people can read these files. Even a
readable home directory combined with finger can tell someone your real
name, whether or not you have unread mail, and the last time you logged on.

Unix permissions (loosely similar to DOS file attributes) are a little
tricky to understand. If you request a long-form directory listing in Unix
with the command ls -la, the permissions are displayed at the far left of
each entry and look something like this:

drwxr-xr-x

The d in the first position indicates that this item is a directory, not
a file. The next three positions are the owner's permissions: read, write
and execute (for a directory, "execute" means permission to enter it and
open the files inside). The next three positions are for the group that
owns the entry; in most commercial shell accounts, that group is comprised
of every shell user at your ISP. The final three apply to the rest of the
world. In the example above, the owner has read, write and execute, the
group has read and execute, and the rest of the world has read and execute.

Each directory and each file has its own set of permissions (we know this
is pretty dry, but it is important), and the file owner can set them with
the Unix command chmod (change mode). To protect your .newsrc and other
configuration files from prying eyes, make sure that the group and world
permissions are turned off. A file set this way looks like this:

-rwx------

The command to set your .newsrc file this way is:

chmod 700 .newsrc

For a plain data file, chmod 600 .newsrc (no needless execute bit) is the
tidier choice; 700 is what you want for your home directory itself, so that
nobody else can even list it. To learn all about the chmod command, go to
your Unix prompt and type man chmod.

ISPs can log virtually anything that happens on their machine.
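Back to permissions for a moment. As an added example (my code, not a standard Unix tool and not from the original article), the following Python script does the audit a snooper would do on the home directory described above, finding every file and directory that group or world can read, and then applies the chmod advice. It also converts ls -la mode strings such as drwxr-xr-x into the octal numbers chmod takes. The throwaway home directory it builds, and the modes it gives the dotfiles, are constructed for the demonstration.

```python
"""Audit a home directory for group- or world-readable entries and lock it
down the way the chmod discussion recommends.  Added example for this
article; the sample home directory is constructed by demo_home()."""
import os
import shutil
import stat
import tempfile


def mode_string_to_octal(mode):
    """Turn an ls -la mode string such as 'drwxr-xr-x' into the three octal
    digits chmod takes ('755').  Only the nine rwx positions are read; the
    setuid/setgid/sticky variants (s, S, t, T) count as execute or not."""
    bits = mode[1:10]
    if len(bits) != 9:
        raise ValueError("expected a 10-character ls mode string")
    digits = []
    for i in range(0, 9, 3):
        r, w, x = bits[i:i + 3]
        value = (4 if r == "r" else 0) + (2 if w == "w" else 0)
        value += 1 if x in ("x", "s", "t") else 0
        digits.append(str(value))
    return "".join(digits)


def exposed_entries(home):
    """Return sorted [(relative path, octal mode)] for everything under home
    that group or world can read, i.e. what chmod 700 / 600 would fix."""
    found = []
    for root, dirs, files in os.walk(home):
        for name in dirs + files:
            path = os.path.join(root, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                found.append((os.path.relpath(path, home), format(mode, "03o")))
    return sorted(found)


def lock_down(home):
    """Apply the article's advice: home directory 700, subdirectories 700,
    files 600.  Returns the number of entries inside home that were set."""
    changed = 0
    os.chmod(home, 0o700)
    for root, dirs, files in os.walk(home):
        for d in dirs:
            os.chmod(os.path.join(root, d), 0o700)
            changed += 1
        for f in files:
            os.chmod(os.path.join(root, f), 0o600)
            changed += 1
    return changed


def demo_home():
    """Construct a throwaway home directory with the usual dotfiles, some of
    them left world-readable as a lax default umask would leave them."""
    home = tempfile.mkdtemp(prefix="home-")
    for name, mode in ((".newsrc", 0o644), (".gopherrc", 0o644),
                       (".ircrc", 0o600), ("public_html", 0o755)):
        path = os.path.join(home, name)
        if name == "public_html":
            os.mkdir(path)
        else:
            with open(path, "w") as fh:
                fh.write("# sample\n")
        os.chmod(path, mode)
    return home


def cleanup(home):
    shutil.rmtree(home)


if __name__ == "__main__":
    home = demo_home()
    print("exposed before:", exposed_entries(home))
    print("entries changed:", lock_down(home))
    print("exposed after:", exposed_entries(home))
    cleanup(home)
```

Note that lock_down is deliberately blunt: a public_html directory that a web server must read, or a .plan you want finger to show, has to be opened back up afterwards. The audit function is the part to run regularly; the lock-down is a one-time reset.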
Examples include the xferlog (for ftp activity), failed login attempts, WWW
access logs and many more. The number of things logged varies widely from
ISP to ISP, as does the policy for access to these logs. Some providers
believe in privacy and don't log many things; they also restrict access to
the logs they do keep. At the other end of the spectrum are universities
that keep a separate machine to collect the logs of all of their other
machines. These institutions are under no obligation to tell you about
their logging machine, so unless you know for a fact that no detailed logs
exist, treat everything you send from a university account as a postcard.
On many systems, the xferlog is world-readable, which means that anyone can
search the log for your address and find out whether you have been there
and what you have been doing. The only recourse you have with this logging
is to find out what your ISP's policies are. For those who have a choice of
providers, we recommend that privacy be one of the criteria you use in
making your selection.

Many people realize that posting to a Usenet newsgroup exposes them to
flames, etc., and use an anonymous remailer service. Keep in mind that the
anonymous remailer might be run by someone intent on snooping into your
business: the remailer sees both your real address and your message. Also
remember that including your e-mail address in a Usenet post or a mailing
list reply exposes you to e-mail harassment, and possibly inclusion on
junk-mail lists.

We have seen how our privacy can be invaded via our shell account, in logs,
and in learning our e-mail addresses. It is also possible to record your
activities on your own hard drive and read them at a later time. This is
done with something commonly known as "cookies." Most WWW browsers keep a
file (cookies.txt in Netscape) which a site you visit can write to and, on
your next visit to that site, read back. The intended purpose was to keep
your preference information for the next time you visit. We have two
problems with this practice. First, it feels like an invasion for someone
to write to the hard drive on our computer without even asking us. Second,
because the cookie file records which sites you have visited, it would be
possible to inadvertently fall prey to a law enforcement sting operation
simply by following the wrong link sometime; the entry in your cookies.txt
file would be the "smoking gun." At best, it would be a hassle to fight the
attempted sting and win, and the possibility that you may lose the fight is
not to be ruled out either. Netscape was concerned enough about this
privacy issue that they allowed users to disable the cookie feature in
version 2.0. For those using other browsers, your only defense is to
periodically erase your cookie file until you get a version that allows you
to disable cookies. One caveat: erasing cookies protects only what is on
your own disk. The site's own access logs still record your address and what
you fetched, so cookies are only one of the ways a site can tie your visits
together.

A somewhat similar feature has been developed by Microsoft and others to
combat software piracy. When you use the on-line registration for Windows
95, it also sends a snapshot of your hard drive's directory listing to
Microsoft. The US Department of Defense (DoD) was concerned enough about
the security and privacy issues here to require Microsoft to make a special
government build of Windows 95 without the registration wizard before any
staff member could install it. The people at the DoD considered it a
national security risk to allow Microsoft to retrieve information about the
contents of their hard drives. In principle, a program that can send your
directory listing can read anything else on your hard drive via this
on-line registration, and it may be possible to do the same thing any time
you access the Microsoft Network.

One more word on the subject of deleting data you don't want to be
seen. If the file has not been overwritten, undelete will, of course,
recover it, and if you have enabled deletion tracking in your version of
DOS, recovery is easier still; that's a risk you take. Many programs, such
as XTree, can "wash" deleted files by overwriting them, making undelete
impossible. However, if your opponent is the intelligence community, simply
overwriting the file is NOT going to be able to stop them. It has been
claimed that they can often recover the last 15 values a sector on a disk
held. Now, unless you are in possession of classified information, you have
nothing to fear from the intelligence community. However, commercial data
recovery firms can use similar techniques, so if you are worried about
something such as industrial espionage, you may want to spend the time and
take the required precautions to truly erase the files on your drives that
you don't want found again. We won't go into detail on this process, but
suffice it to say that it takes a large amount of time, and in the case of
floppies, it is best to destroy them instead. One more caveat: overwriting
a file in place only helps when the new data lands on the same physical
sectors as the old. Filesystems that journal or copy on write, and flash
media such as SSDs and USB sticks that remap writes, can leave the old copy
untouched; on such media the reliable options are a whole-device secure
erase or having kept the data encrypted in the first place.

As a curiosity, and for the sake of completeness, we would like to mention
an eavesdropping technique known as "TEMPEST" (strictly, TEMPEST names the
government program and standards for defending against it; the attack
itself is usually called van Eck phreaking or emanation monitoring). The
principle involved here is that any electrical signal passing through a
wire radiates an electromagnetic signal into the surrounding space. It is
possible, with a sensitive enough receiver placed close enough to your
computer (up to hundreds of yards away), to pick up this radiated signal
and, using a device such as a spectrum analyzer, to reconstruct the data.
In the case of a computer system, this could be the picture on your
monitor, every keystroke you type and, in principle, anything on the
computer's internal buses; the monitor is the easiest target, since its
signal is strong and repeats many times a second. This is heavy duty spy
stuff, and isn't something your home computer is going to be subjected to.

As we have seen, anybody using a shell account is vulnerable to snooping on
the part of their sysadmin. Even if you use SLIP or PPP, the modem traffic
can be logged. Also, the machine your mail is stored on before you download
it can be monitored just as easily as a shell account could. If you are
really concerned about your privacy, there IS something you can do to
prevent snooping around in your e-mail.
That would be to make use of a program called PGP. PGP stands for Pretty
Good Privacy. It is a system for encrypting messages, which means that even
if somebody intercepts a message, they won't be able to figure out what it
says. It is based on something called public key cryptography. As opposed
to private (secret) key cryptography, which uses the same key to encrypt
and decrypt, public key cryptography uses two separate keys. One is your
public key, which you give to everybody, and the other is your secret key,
which you give to nobody. To send a message to someone, you get that
person's public key. You then run your PGP software and tell it to encrypt
the message with the recipient's public key. When the person receives the
message, their secret key is used to decrypt it. (Under the hood, PGP
actually encrypts the message with a freshly generated one-time symmetric
key and uses the recipient's public key only to encrypt that key; the
effect is the same, and it is why large files encrypt quickly.) Nobody else
ever needs to know your secret key, so it never travels over the network.
The realistic ways to get at it are to steal the key file from your disk
and guess the passphrase that protects it, or to compromise the computer it
is used on, so guard both.

This is a good time to define what secure means. There are two tests that
you can apply to determine if something is secure. One test is that if it
costs more to decrypt the information than the information is worth, the
information is secure. The other test is that if the information would be
useless to would-be snoopers by the time they manage to decrypt it, it is
secure. Basically, if something takes too long to crack, or isn't worth the
money spent to crack it, nobody will try. But if the information being
protected is priceless and not time critical, it is nearly impossible to
make it secure. However, almost everything a home user would want to
safeguard passes at least one of these tests if PGP is used to encrypt it.

How secure is PGP, exactly? Well, as opposed to simple substitution
ciphers, which can be broken by means of frequency analysis (the letter
that appears most often is probably E...), there is no known shortcut for
PGP's ciphers. The symmetric cipher can only be attacked by trying keys,
and the public key can only be attacked by factoring a very large number
into the two primes it was built from. Factoring is much faster than trying
every possible key, which is exactly why public keys have to be so much
bigger than symmetric ones, but at the sizes PGP uses the best known
factoring methods are still hopelessly slow. When you choose your keys, you
can decide how big to make them. The bigger the keys, the more secure your
message is. Generally, unless you have a really slow computer, you will
want to use at least a 2048-bit key; the 1024-bit keys that were common
when PGP was new are no longer considered adequate and have been retired
from current standards. This means
that it will take even the intelligence community YEARS to crack it.
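As an added example (my code, not PGP's and not from the original article), the following Python script builds the mechanism described above in miniature: a textbook RSA key pair, encryption with the public key, decryption with the secret key, a stranger's secret key failing to decrypt, and, to make the key-size point concrete, a deliberately undersized key being broken by factoring its modulus. Everything about it is a toy: 64-bit and 40-bit moduli, no padding, no hybrid encryption, fixed seeds so the demonstration repeats; the message, sizes and seeds are my choices, and none of this must be used for real messages.

```python
"""Public key cryptography in miniature: textbook RSA with toy-sized keys.
Added example for this article, not PGP's code.  Toy only: tiny primes,
no padding, no hybrid encryption.  PGP's real construction is what the
article describes."""
import random
from math import gcd


def is_probable_prime(n, rounds=20, rng=random):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # a witness that n is composite
    return True


def random_prime(bits, rng):
    """Random prime with exactly `bits` bits (top and bottom bits forced)."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate, rng=rng):
            return candidate


def generate_keypair(bits=64, rng=None):
    """Return (public, secret) as ((e, n), (d, n)); `bits` is the size of
    the modulus n, built from two primes of half that size."""
    rng = rng or random.SystemRandom()
    e = 65537
    while True:
        p = random_prime(bits // 2, rng)
        q = random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)           # modular inverse of e (Python 3.8+)
    return (e, p * q), (d, p * q)


def encrypt(message, public_key):
    """Encrypt a short byte string as a single integer; it must be < n.
    No padding, which is one of the reasons this is a toy."""
    e, n = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)


def decrypt(ciphertext, secret_key):
    d, n = secret_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def factor_by_trial_division(n):
    """Recover the two primes by brute force: feasible for a toy modulus,
    hopeless for a real one, which is the whole point of large keys."""
    f = 3
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 2
    return None


def demo(seed=1996):
    """Key pair, encrypt, decrypt, and a stranger's secret key failing."""
    public, secret = generate_keypair(64, random.Random(seed))
    _, stranger_secret = generate_keypair(64, random.Random(seed + 1))
    c = encrypt(b"hi!", public)
    return {"ciphertext": c,
            "recipient_reads": decrypt(c, secret),
            "stranger_reads": decrypt(c, stranger_secret)}


def break_toy_key(bits=40, seed=3):
    """Factor an undersized modulus and rebuild the secret exponent from
    the public key alone.  Returns True when the recovered d matches."""
    public, secret = generate_keypair(bits, random.Random(seed))
    p, q = factor_by_trial_division(public[1])
    return pow(public[0], -1, (p - 1) * (q - 1)) == secret[0]


if __name__ == "__main__":
    print(demo())
    print("40-bit key broken by trial division:", break_toy_key())
```

Try raising the size passed to break_toy_key: each extra bit in the modulus roughly doubles the trial-division work, and real factoring algorithms, while far better than trial division, still grow fast enough that a few hundred extra bits put the job beyond anyone's reach.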
So PGP is indeed strong cryptography, capable of making most classes of
communication secure. Besides encrypting text, PGP can also encrypt data
files, such as spreadsheets or executables. We will not go into more detail
on the inner workings of PGP, as there are much better sources for this
information. Suffice it to say that PGP lives up to its name.

We have presented the worst-case information regarding privacy and
security in this article. Most of you will never have a problem with most
of these things, but now, at least, you have some knowledge on your side.
We wrote this article because we firmly believe in the individual's right
to privacy. It is our hope that others will help us in safeguarding this
right. We have listed some sources below to further explore the
information we have presented.
HTML by Chris and Chuck Cochems. Last updated 3/20/96.