ARE YOU NUTS?

Since you have arrived at this page, I must conclude that one of the following is true:

you have a death wish
you are a thrill seeker
you have a criminal streak

Assuming that it's one of the first two, let's have a discussion about security (or the lack thereof) for the world wide web.

The truth of the matter is that all of the attacks that were described on the previous page are possible to carry out, and will succeed with varying probabilities depending on the configuration of the machine. In order to put your mind at ease, there are no viruses or attacks carried out from web pages on this machine (that I know of!). All of the links on the previous page lead here.

The world wide web carries quite a bit of risk with it for both servers and clients. The reasons for this are too complex to discuss in detail here, but can be summarized as follows:

machines connected to networks have no mean of defense against denial of service attacks.
the programs that are running both as clients and as servers are far too complicated to be trustworthy. Hackers are trying every day to find new ways to cause failurs in programs, and they are succeeding.
the base protocols used by the internet (e.g., DNS, SMTP, and TCP/IP) were designed under the assumption that machines and users on the network were cooperative rather than adversarial. The historical restrictions on security technology have inhibited the improvement of the situation by preventing deployment of more secure systems.
if you think about it, web browsers are retrieving data from the internet and then acting on it (i.e., they are using foreign data as program input). This is an invitation to disaster from importing viruses.
Companies are getting interested in the internet as a means of telemarketing, but some web browsers are happily supplying more information about you to the world that you realize. Your email may soon become as irritating as the phone system.

It's a dangerous world that we live in, and you should be careful about what you do. Practice safe computing and communicating.

Here are some guidelines about how to safely use a browser:

Look carefully at a URL before you click on it.
Limit the number of external helper applications that can be invoked by your browser.
Limit the number of MIME types that you accept. If you accept postscript, make sure that you are running a safe previewer. If you are accepting images to xv, make sure that it is not invoking ghostscript (gs) externally. DON'T trust PC programs that accept word processing or spreadsheet files, because they have access to your file system to overwrite files.
Either turn off JAVA or restrict it so that it cannot access the network or the local file system in any way.
Get your machine behind a firewall to protect against side door attacks.
Don't put your email address into your browser information. It opens you up to mail attacks to advertise your email address, and you may have to give up your current email address in defense. Click here to find out what information your browser is giving out about you. In particular, it may show the following information about you and your computer:
- the version of browser.
- the operating system you are using.
- the IP address of your machine.
- the types of documents that you are willing to accept.
- your email address.
- your name.
- the last document you were looking at before visiting a new site.
All of these can assist a hacker in an attack, or reveal things that you might not want to reveal.
For further information about protecting your privacy, you may wish to consult the following sources:

If you are configuring a server, there are some additional cautions:

Pay attention to the CERT and CIAC advisories on vulnerabilities or new attacks.
Keep your configuration as simple as possible so you can understand it.
Don't put your server on a machine with mission-critical data or functions. Also don't put your server machine on a common broadcast network (e.g., ethernet) with machines having such data or functions.
Watch the logs on your machine to detect unusual activity.
If you are using the NCSA http daemon, make sure that you install the most recent version. The early versions had a bug that allowed people to overflow the stack and end up running programs on your server machine.
If you are using the NCSA http daemon and you allow cgi scripts to be run, then make sure that you check these scripts or apply the patch to protect the log files.
Don't get smug if you are running a server other than the NCSA server. The reason that bugs are found in this one is that the code is available, and many people work on it. The other servers are just waiting to be hit.
If you choose to allow scripts to run from forms, make absolutely sure you know what you are doing. Remember that he environment and arguments for a script can be manipulated by their input. Read this.
DON'T run anything as root that gets invoked by your server. This applies particularly to running setuid programs on UNIX.
Don't put much trust in the authentication and access control methods used in http. Sending cleartext passwords across the internet is a laughable practice. The *supposedly secure* alternatives that have been suggested are only slightly better.
Don't accept credit card numbers for services unless you clearly understand your liability. Under the current environment where issues of liability have not yet been tested, this probably means don't take them.
This is only a list to get you started. See the CIAC document for further information.

This may serve to scare you into not using the internet at all. If it does, then you can always go back to using paper (but check your mail to make sure it is not ticking before you open it). I'll be out there using the Internet because I think there are overwhelming benefits from widespread dissemination of information. Remember the following quote:

Security is mostly a superstition. It does not exist in nature, nor do the children of men as a whole experience it. Avoiding danger is no safer in the long run than outright exposure. Life is either a daring adventure, or nothing. -- Hellen Keller

It has been brought to my attention that there are many similarities between this page and the one of Cheswick. Return to the previous page.

Return to my home page.