Internet Waves: Through the Virtual Back Door

—James Fallows, “Frontier Days,” The Industry Standard, November 22-29, 1999 (http://www.thestandard.com/article/diplay/0,1151,7618,00.html).

Right up front, let me say that I do not consider myself to be at all paranoid about privacy and security in cyberspace. Heck, I was probably one of the first 10 customers through the virtual doors back when Amazon.com first opened up shop on the Web. And I’m pretty slipshod about managing my logins to all those sites requiring registration, etc. While I am kind of cranky about being tracked by those ad banner servers (FocaLink, DoubleClick, etc.), I use a simple little shareware program called Cookie Pal (http://www.burra.com) to manage the bread-crumb trails on my hard drive. As far as I’m concerned, most cookies are benign, even helpful, when they enable functions like logins to favorite sites (e.g., The New York Times) or “shopping carts” at online merchants.

Security Is a Real Concern
But since having cable modem service installed last year in my home, I’m rapidly learning that I can no longer be quite so cavalier about privacy and security issues. And if you, like me, have one of those high-speed, on-all-the-time Internet connections (cable modem, xDSL) either at home or at work—particularly if you’re a Windows 95/98/NT user—you may have some serious security issues going on.

To see what I mean, browse on over to ShieldsUP! at http://grc.com/default.htm. Under the “News and Events” headline, there’s a small banner with a logo and the intriguing words: “Can anyone crawl into your computer while you’re connected to the Internet? You may be VERY surprised to find out!”

When you hit “Click Here,” you are transported through a series of Web pages that “sniff” your Internet connection for a number of common security problems that may be leaving your system wide open to snoops, hackers, mischievous adolescents, etc. You may be astonished at what you’ll learn. The default Windows installations for the types of high-speed Internet connections becoming more common in homes and small businesses leave your system vulnerable to the scary outside world.

What Can You Do?
ShieldsUP! offers in-depth tutorials for battening down the cyber-hatches, from simple things like turning off file sharing to fairly geeky stuff involving network adapters and protocols. But the information is presented in step-by-step format with screen shots, and the fixes are eminently doable by anyone with the persistence to read through this stuff. None of these fixes will cost you a dime, unless you want to get super-serious. In that case, you can purchase, install, and configure personal firewall software. Several relatively inexpensive packages are reviewed in detail by ShieldsUP!, and there’s lots of good information for those of us who have zero experience using software like this. (To cut to the chase, see http://grc.com/su-firewalls.htm.)

Steve Gibson, the techno-brain behind ShieldsUP!, recommends a product called BlackICE Defender (http://www.networkice.com). “I favor BlackICE over the others,” he writes, “because it appears to do everything all of the others can do with dramatically less learning and configuration required from the user. It just works and does what the typical user wants. It is not the least expensive firewall; two others are less costly. Nor is it the most expensive. But … I think it’s clearly the best choice for 99.9 percent of typical home and small office computing users.” For what it’s worth, this $39.95 program also garnered positive reviews from several of the mainstream computing magazines.

Personally, I’ve been playing around with a package called AtGuard, which not only offers a personal firewall but also strips out annoying banner ads, animated GIFs, and any number of other Web “features” that many of us would gladly forego. Admittedly, it’s somewhat tedious to configure correctly; I managed to accidentally block my 8-year-old son from playing online chess at Yahoo!.

Alas, at the end of 1999, AtGuard got sucked up by the system utility and anti-virus giant Symantec. It has been incorporated into a product called Norton Internet Security (NIS) 2000, which is available for purchase by download (43.9 MB) from Symantec’s Web site (http://www.symantec.com) for $53.95 or on Windows 95/98 CD-ROM for $59.95.

Gibson says he is “(m)ourning the passing” of the original AtGuard. “I’m not happy … because there was a lot to love about AtGuard. Although any sort of rule-based, fine-grained firewall will demand a lot of detailed Internet protocol knowledge from its user, AtGuard did a good job with their particular spin on the solution. And, even though the product has survived virtually unchanged as a component of Norton’s ‘re-packaging’ inside NIS 2000, I’m not a big fan of hybrid solutions, which inherently force their owners to pay for and install features which might not be needed or wanted.”

The Norton product adds anti-virus filtering and “parental control” features—which can be customized for different users—to AtGuard’s firewall, ad blocking, and cookie control. Since these features are combined within a uniform interface, and since Symantec generally offers above-average technical support, NIS 2000 may well solve more than one problem for a user who could benefit from this mix of features—someone working in a small special library, for instance, where there is one Internet-connected computer.

DSL Reports.com/Secure-me (http://www.dslreports.com/r3/dsl/secureme) is another site offering Web-based security checkups for high-speed Internet connections. Despite the name, the site will also probe cable modem connections. You do need to register (free for basic scan) and log in to use the site. Incidentally, there’s also plenty of information here for anyone considering a high-speed xDSL Internet connection. You can check to see who the providers are in your area and read reviews/critiques.

Are They Watching?
Okay, now that you’ve been caught with your TCP ports wide open, here’s a few other tidbits to ratchet up your paranoia level.

Customizable computer cursors from Comet Systems (http://www.cometsystems.com)—a small download via a Web site that changes the little pointer into a distinctive icon—were found to contain a “tracking mechanism” that could monitor the online movement of users. In a press release (“Comet Systems Reaffirms Commitment to User Privacy”), Jamie Rosen, founder of the company, explains: “Because our software sends anonymous cursor-counting information to our servers, people have assumed that we are trying to collect information about our users. I realize and regret that we haven’t been clear enough about this. I’d like to clarify this matter by saying once and for all that we have never tried to track our users and we never will. Our business is about changing boring arrow cursors into cool custom cursors, like a rose, a snowman, or Dilbert.” Nonetheless, Al Gore’s presidential campaign folks decided to yank this small Web site embellishment—which changed the “boring” cursor into a small “Gore 2000” button—from http://www.algore2000.com when there were concerns that users’ privacy might be violated.

In December, “consumer and privacy advocates” asked the Federal Trade Commission “… to close software loopholes that potentially allow bulk e-mailers to identify consumers by exploiting ‘cookie’ technology.” Apparently, spammers are now depositing cookies on our computers via e-mail messages. According to security consultant Richard Smith, if someone reads his or her e-mail through a Web browser (e.g., your account on Yahoo! or Hotmail), and a message contains links to graphics that are pulled from remote servers, cookies can easily be placed on that user’s hard drive. Then, when the user surfs the Web later, the cookies can be read by the originating servers and matched with the user’s e-mail address. DoubleClick, Inc., the large ad server company, acquired an “opt-in” e-mail marketing firm last December. Privacy advocates warn that the result of such mergers is that companies will possess both the “anonymous profile” based on cookie data, plus the e-mail address to match it (ZDNet, December 3, 1999). Note however that, although they try to talk you out of it, you can “opt out” of DoubleClick’s cookie program at http://www.doubleclick.com/privacy_policy/privacy.htm.

You don’t even have to own a computer to experience electronic privacy rape. I wasn’t aware of this, but apparently rumors have been floating around concerning the presence of identification codes in color copies. According to Lauren Weinstein, moderator of the PRIVACY Forum discussion list (http://www.vortex.com/privacy), one recent story involves a customer who was refused permission to make a color copy of his driver’s license at a Kinko’s copying center. The Kinko’s employee supposedly told the customer that such copies were illegal and “could be traced back to the store through a ‘hidden ID code.’” Weinstein checked with the Xerox people and, to make a long story short, yes, “(t)he ID is encoded in all color copies/prints from the Xerox color copier/printer line. It does not appear in black and white copies.” This has to do with anti-counterfeiting measures. You can read all the gory details at http://www.vortex.com/privacy/priv.08.18. Note that the information discussed is specific to Xerox equipment only; there’s no mention of whether similar measures are employed by other manufacturers.

Freedom (http://www.freedom.net), from Zero-Knowledge Systems, is a client software application that combines “alternate IDs” with several encryption techniques plus its own maze of servers that route your Internet traffic “through a series of privacy-enhancing detours called the Freedom Network. Your identity, your location, and your message recipients are all protected from prying eyes.” The download and 30-day trial are free. If you like it, you pay $49.95 a year to create and use five different “nyms” (anonymous pseudonyms).

Identity theft is not a crime that reared its ugly head only when the general public began arriving online en masse. But the popularity of the World Wide Web has certainly increased the potential for this sort of malfeasance. CNet explores the privacy aspects of this issue in Net Confidential (http://coverage.cnet.com/Content/Reports/Features/NetCon), which details the efforts of an editor to see how much information he could dig up on one of the writers. You can see what’s available “out there” for free, and what it costs to get the really good stuff. The report includes good information on how to protect your privacy online (http://coverage.cnet.com/Content/Reports/Features/NetCon/ss05.html), mainly by keeping a low profile. For example, there are links to the major online white pages directories so you can visit each site and ask to be removed from the database.

Speaking of online white pages directories, PC Magazine’s John Dvorak delivered a blistering rant a couple of months ago about how lame they are, concluding, “I’m convinced that the traditional phone companies have no interest in keeping their online databases updated; this way they can rake in easy money with high charges for directory assistance.” Worth a read if you, like most of us, make regular use of these resources (http://www.zdnet.com/pcmag/stories/opinions/0,7802,2394347,00.html).

Sites of Interest
National Library Catalogs Worldwide (http://www.library.uq.edu.au/ssah/jeast)—links to all of them are listed alphabetically by country. The person who maintains the site cautions, “Bear in mind that most catalogues are not available twenty-four hours a day, so if you cannot gain access, it may be necessary to try again at another time.”

The Lycos 50 Daily Report (http://50.lycos.com)—the 50 most popular searches performed at Lycos; updated weekly. Pokemon. Britney Spears. Pamela Anderson. WWF. Publishers Clearing House. Profoundly depressing.

Publications
A good book to check out is The Whole Internet: The Next Generation, by Kiersten Conner-Sax and Ed Krol (O’Reilly & Associates, $24.95). How long have you been on the Net? If you’ve been doin’ the cyberspace thing since the early ’90s, there’s a good chance you bought, borrowed, or at least consulted The Whole Internet: Users Guide and Catalog, published in its original version back in 1992. The newest version, issued in October 1999, is definitely worth a look—if only as a benchmark on the current state of the Net. There are topics discussed in here that readers of the original edition could never have contemplated: Spam Busting, PalmPilot Browsing, Children and Privacy, Digital Cash, Buying Merchandise Online, and High Quality Audio with MP3, among others. You’ll also find good, basic information on browsing and searching, creating Web pages, networking your home, and managing e-mail. There’s also a decent catalog of Web resources that are chosen for quality and likely stability.

A couple of opinions, tossed out by The Whole Internet’s authors, did kind of throw me for a loop. The Children and Privacy section begins with the almost shrill declaration that “(t)he Internet is no place for children,” opining that none of the resources or educational opportunities to be found online “are worth the risk that either your child learns information objectionable to you, or that someone objectionable finds your child.” The section goes on to offer some good, common-sense rules about protecting yourself online, rules that can be readily transmitted to and understood by any child capable of using the Internet. Why the need for the scare factor, I can’t imagine.

I also did a double take at the author/author’s recommendation that people who are particularly concerned about computer viruses should “consider an alternative operating system such as Linux.” Uh, Linux has gotten a wee bit more user-friendly, at least in its shrink-wrapped, commercial incarnations. But it’s definitely not a no-brainer, especially for someone who may be intimidated by the idea of installing, configuring, and keeping a good virus-scanning program updated.

Of course, what do I know? If you want to go the Linux route, O’Reilly & Associates can help you there, too. Pick up a copy of Learning Red Hat Linux by Bill McCarty ($34.95). Included is a complete copy of Red Hat Linux on CD-ROM.

Shirl Kennedy is Webmaster for the City of Clearwater, Florida. Her e-mail address is sdk@reporters.net.