Internet Engineering Task Force
INTERNET-DRAFT                                             Joe Williams
draft-williams-inet-security-guidelines-00.txt          Logical.621.org
Expires February 2003                                       6 June 2003

Windows Internet Security and Privacy Guidelines

Status of this Document

This document is an Internet-Draft and is subject to all provisions of Section 10 of RFC2026 except that the right to produce derivative works is not granted.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://www.ietf.org/1id-abstracts.html

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html

Abstract

This document describes guidelines and good practices for privacy and security while using the Microsoft Windows Operating System. It also gives examples of software to protect the user's information. Background information on the Internet is also included as an introduction.

A place of seemingly unlimited knowledge and information would appear to be the least likely place for thieves, epidemics and annoyances. But in this place they thrive. This place, which was once called ARPANET, is now called the Internet. Many of us use the Internet to work and to play, but who is watching us while we do our daily tasks? Hackers, viruses, spy-ware and Trojan horses can find their way to your computer; this makes the Internet a very unsafe place for you and your information. There are many ways in which the Internet is unsafe (hackers, etc.), but what makes it this way, and how did it begin?

The Internet began as a project called ARPANET (Advanced Research Projects Agency Network), run by ARPA (Advanced Research Projects Agency), which is a part of the Department of Defense. ARPA was created in response to the Soviet Union's launch of Sputnik in 1957 and to use the computer investment "via Command and Control Research" (Hauben. "History of ARPANET" Par. 4). In the beginning ARPANET was based on the idea of Dr. J.C.R. Licklider, the head of ARPA, of an `intergalactic network' (Leiner et al. A Brief History of the Internet.). After some planning and experiments the first node of the ARPANET was installed at UCLA in September 1969, and then one month later at Stanford. Later two more nodes were installed at UC Santa Barbara and the University of Utah. After this many more were added.

The main purpose of this project was to move computer technology forward. At the time, punch cards and batch processing were used, which was very inefficient. Batch processing is a way to process data that entails saving a large chunk of data and processing it all at once. The opposite of this is online processing, which is processing the data as it comes in. Licklider wanted a global network that was interactive. According to Hauben, Licklider was the first to get a sense of a `spirit of community.' The idea that many of the men involved had was that the computer was not an "arithmetic engine"; it was a medium through which to communicate (Hauben. Par. 15). This is basically how we view it today, more as a communication device than a number cruncher.

In many ways the ARPANET project has changed what we do and how we do it, though many people don't know it. It has created new industries and new ways to communicate and get work done. But why did the Internet become a dangerous place for one to communicate or store personal information?

There are many parts to this question: an increase in computing and networking power, the high availability of cheap computers and Internet connections, the large gap between those who are computer savvy and those who are not, and spy-ware.

Computers have exploded with power, in accordance with Moore's law (computing power doubles every eighteen months), and there has been no letup. The same is true, though not as rapidly, of networking speed. At the time of the creation of the ARPANET the connection speeds were around 2.4Kbs (kilobytes per second); later they were upgraded to 50Kbs. Currently, dial-up connections run at a speed of 56Kbs. They could be much faster, but ISPs (Internet Service Providers) must comply with FCC regulations. DSL (Digital Subscriber Line) and cable modems have become extremely popular because of their high speeds. In comparison, the 50Kbs lines used in the late 60s by ARPA were probably as fast as they could go, whereas currently the government uses fiber optic technologies to transfer at OC768, which is equivalent to 40Gbs (gigabytes per second). This is about 100,000 times as fast. The speed increase is very similar for computers. Just ten years ago we were using 30 MHz 486 processors; now we have Intel Pentium 4s running at 3 GHz. Getting to my main point, this increase of speed causes the Internet to be taken advantage of. If speeds were still very slow, many wouldn't have the time or patience to hack, create viruses, or do anything else to make the Internet an unsafe place.

The computing industry has been a great boom for the economy the past few years. The Internet has been to us like the steam engine was in the twenties. It has created new jobs, industries and companies. With this popularity, computers and Internet connections have become cheap and easy to get. Computer prices have fallen drastically; it is not difficult to find computers for less than $600. This is because it has become easier and easier to produce mass quantities of high-quality and cheap silicon.
Silicon is the material many microchips are made of. Internet connections are also cheap and in some cases free. Many local ISPs cost around $20 for unlimited monthly usage of dial-up service. Most high-speed connections like DSL or cable modems are available for approximately $50 a month for unlimited usage. The amount of data that can be transferred over a high-speed line, like DSL, is huge when compared to the cost per month. Cheap prices can lead to the same problem as having very fast computers: the Internet and related technologies become abused and misused.

The next reason is the so-called "gap" between the computer savvy and the computer illiterate. This is very obvious to me because I work in the computer service industry. Every day I see individuals I work for having problems with their PC that would not have happened if they were more informed and educated. These people can be easily taken advantage of by viruses and hackers. These people do not take any precautions to avoid problems.

There are many ways to protect oneself from viruses, spy-ware, Trojan horses, and hackers. The most popular and easiest way to protect yourself is to use programs like "Norton Anti-Virus" or "McAfee Anti-Virus." These programs search your hard drive, memory and boot sector for any traces of known viruses, worms and Trojan horses. A virus is defined this way: "A computer virus is a self-replicating program containing code that explicitly copies itself and that can "infect" other programs by modifying them or their environment such that a call to an infected program implies a call to a possibly evolved copy of the virus." (Hakim Pascal. No Virus here at all, 1996.) A Trojan horse, while similar to a virus, is not one at all; Trojan horses are used to make a backdoor into your computer, letting in anyone with the know-how to use them. A worm is usually a Visual Basic script that is sent with an email. This is replicated and sent to all of your friends and family in the address book on your computer.
These can cause security holes in your system. Using anti-virus software can rid you of many of these annoyances, but as I said, all it can do is search for known viruses. There are other ways to protect yourself against viruses too. One is to turn off any macros; these are small programs that you may be using in "Excel" that do repetitive jobs for you. These macros are made the same way worms are, with Visual Basic. Another way is to always back up your important and irreplaceable documents. This is easily done with floppy disks or a CD-RW. With the proper steps anyone can be virus free.

There are many ways to secure yourself and your information from hackers. The ways I will discuss are firewalls, VPNs and encryption.

Firewalls are gaining in popularity because of their ease of use and simply the need for them. A firewall blocks traffic in and out of your computer. This blocking mechanism can be configured by the user, according to the needs of the individual. Everyone using broadband should use a firewall because of the nature of their connection. Broadband connections, like DSL or cable, are always on and have an IP address that is static (never changes), whereas a person with a 56k connection dials up every time in order to receive an IP. An IP (Internet Protocol) is the way that most computers are addressed in order to communicate with one another.

Some individuals have the need to transfer files from home to work and vice versa. VPNs are used to keep this connection secure. A VPN (virtual private network) is just that. It's virtually private in the sense that the software on the switch at the company site is separating the physical port the individual is using from the rest in order to make it private and secure from intruders. A switch is a networking device that specifies addresses to physical ports and sends information directly to the specific physical port.
An example is if computer A at my home connects into a VPN at Joe's Soap Company, on port eleven on the switch. No one else can use that port unless they are part of the VPN (i.e. other employees), thus making it secure.

Another way to protect your information is to use encryption. There are many free and inexpensive encryption programs floating around on the net. These are based on algorithms and passwords. There are many specific algorithms; examples would be PKI and PGP (Pretty Good Protection). Documents that need to be secured can be encrypted and password protected using these types of programs. Suppose a person has a financial document that they want to get to their CPA by email. The sender can encrypt the document and send it to the CPA. Neither the CPA nor anyone else can look at the document unless the sender gives him/her a key for the encrypted file. A precaution with encryption is that, with as much computing power as many of us have, the algorithms can be deciphered. When making passwords/keys, use many letters, numbers and symbols in a random order; this makes them harder to figure out.

Spy-ware is a huge problem with the Internet right now. This isn't like the problems with viruses and hackers, which are obviously illegal. The problem with spy-ware is deciding whether it's illegal, and what is public information and what is private. The questions I will be answering are: what is spy-ware, and is it illegal?

First of all, spy-ware is any program on one's PC that can take information you enter, without your knowing, and send it to another PC somewhere else. This is why it gets the name spy-ware: software that spies on you. Some forms of spy-ware include cookies, downloading software, instant messaging software, and many others, especially free software. I am sure most have heard of cookies; these are files stored on one's PC when one visits a website. The information stored is how long they stayed, what type of website it was, etc.
This is not the problem, but what happens next is. The next website one visits can then read those and collect demographics. The rest of the examples of spy-ware run this way. Once one installs a program with spy-ware in it onto the PC, that program then monitors your activity. The program monitors much of the same information that cookies do, including web addresses. All this information can then be sold to companies looking for marketing and demographic information.

I believe that spy-ware should be banned and that it is totally illegal. Cookies and others are infringements of my privacy. What I do in my own home is no one else's business, unless I am hurting myself or another. This spy-ware gets information about me and what I do on the net. So, if I buy a shirt from the Gap.com, not only does the Gap know, but the Gap's competitors know as well. This is total misuse of the Internet. My information is just that: it is mine. I can deal with taking surveys and that sort of thing, but the involuntary taking of my information is wrong.

To solve this problem the government needs to set guidelines on what really is public information and what is private. Europe has done this with great success. Their guidelines are basically that any information taken involuntarily from an individual is wrong and that information is private. For example, if a business person wants to collect information about the people walking down the street for cotton products, he can't sit on the corner and write down information; he must gain consent from the person before collecting. This is how the U.S. should take care of the problem, because I value my personal information and don't want XYZ company to know everything about me.

With all this in mind, the Internet becomes a haven for underhanded schemes and individuals. The stealing of information and basically making things hard for everyone else is commonplace in the once secure ARPANET.
Even with the problems we face with the Internet, it is still an amazing source for information, including all that was used in this document. As long as one is knowledgeable in protecting their information, the Internet is a safe place for all.

References

Delger, Henri. Computer Virus Help. 1995.

Home PC Firewall Guide.

Hauben, Michael. "History of ARPANET, Behind the Net - The untold history of the ARPANET."

Ludwig, Katherine. "Security Awareness: a Lack in Security Consciousness." 25 May 2001.

Leiner, Barry M., Cerf, Vinton G., Clark, David D., Kahn, Robert E., Kleinrock, Leonard, Lynch, Daniel C., Postel, Jon, Roberts, Larry G., Wolff, Stephen. "A Brief History of the internet." 4 Aug. 2000.

Pascal, Hakim. No Virus in here at all. 6 Oct. 1996.

Stein, Lincoln D., Stewart, John N. "The World Wide Web Security FAQ." 4 Feb. 2000. <http://www.w3.org/Security/Faq/www-security-faq.html>.

Schlesinger, Lee. "Your Biggest Threat." 1 April 2002.

Tyson, Jeff. How VPNs Work.

Wiggins, Richard. "Al Gore and the Creation of the Internet." 1 Oct. 2000.
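
The password advice in the encryption discussion above (use many letters, numbers and symbols in a random order, because computing power keeps growing) can be put into numbers. The following Python sketch is an added example and is not part of the original draft; the guess rate, the function names and the sample passwords are assumptions constructed for illustration.

```python
import math
import secrets
import string

# Assumed offline guessing rate (illustrative, not a figure from the draft).
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365 * 24 * 3600

# The character classes the draft recommends mixing: letters, numbers, symbols.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def alphabet_size(password):
    """Count the symbols an attacker must try per position to cover this password."""
    size = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    # Characters outside the four classes (spaces, non-ASCII) are counted one by one.
    return size + len({ch for ch in password if not any(ch in c for c in CLASSES)})


def entropy_bits(password):
    """Upper bound in bits; it only holds if every character was chosen at random."""
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def years_to_exhaust(password, rate=GUESSES_PER_SECOND):
    """Worst-case years to try the whole keyspace at `rate` guesses per second."""
    return 2 ** entropy_bits(password) / rate / SECONDS_PER_YEAR


def random_password(length=16):
    """Build a password from the OS CSPRNG that contains all four classes."""
    if length < len(CLASSES):
        raise ValueError("length must be at least %d" % len(CLASSES))
    pool = "".join(CLASSES)
    while True:
        candidate = "".join(secrets.choice(pool) for _ in range(length))
        if all(any(ch in c for ch in candidate) for c in CLASSES):
            return candidate


if __name__ == "__main__":
    # Constructed sample inputs: a dictionary word, a patterned mix, a random draw.
    for pw in ("password", "Summer2003!", random_password()):
        print("%-18s %3d symbols  %6.1f bits  %.3g years"
              % (pw, alphabet_size(pw), entropy_bits(pw), years_to_exhaust(pw)))
```

The figure for a patterned password such as the constructed Summer2003! overstates its strength, because dictionary-and-rule guessing never has to walk the full keyspace; only the randomly drawn password earns its bound, which is why the "random order" part of the advice matters as much as the mix of characters.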