Should the web be like a family reunion?

Question: I recently came across a web page by a guy calling himself Big Ron that claimed to be able to display all the files on my hard drive. I was quite alarmed to discover that it was indeed true. How is this possible, and what can I do now to protect my computer? I’m using Internet Explorer 3.02 with Authenticode 2.0 for Windows 95. Also, is it possible that my data files from my hard drive were copied onto their site? – B.H.

Answer: The link found on Big Ron’s web page is nothing more than a joke. A scary joke, admittedly, but a joke. He’s used a little web page design trick to fool you. He’s set up a hyperlink, which is a clickable element on a web page, to tell your browser to display the contents of your C: drive.

“Essentially, you are showing yourself your own hard drive contents, not anybody else,” explained Dave Carter, marketing manager, Internet Customer Unit, at Microsoft Canada. “This would be a concern if this information could be passed back, which it can not. There’s no security issue here.”

The key here, as Carter points out, is that only YOU can see the files. There’s no programming on the page to capture or collect the file names at his end.

The bigger question this example asks is, “What can I do now to protect my computer?” That’s not a simple question to answer, since it’s a personal decision. You have to decide what level of risk you’re willing to take.

Think of the internet as a family reunion: Family members, like computers, can talk to each other, and sometimes they can ask for information you’re uncomfortable giving. Theoretically, every time you connect to the internet, you are opening yourself to invasion of privacy. When your computer connects to the network, it becomes a part of the network. Just as you can request information from a remote computer, it can request information from your computer. Luckily, there’s a limit on what it can ask. (Not so at family reunions, though refusing to explain to your Great-Aunt Hilda why you’re still not married might be the equivalent of a “404 – Page Not Found”).

The browser companies, such as Netscape and Microsoft, have gone to great lengths to limit who can ask for what. So very little information is available unless you want it released. Some information, like the colour of your underwear or the personal data on your hard drive, is completely out of bounds. Some information, though, is impossible to hide, like your IP address. That’s the unique number assigned to you when you connect to your Internet Service Provider. It’s no secret. Remote computers need to know what that number is so they can route data you request to your computer.

Also available to remote machines is your domain. That is the name of the ISP machine. Often, it’s the same as the information after the @ sign in your e-mail address. In fact, any computer can figure that out from your IP number. So if your ISP’s domain is naughtymonkey.com, then that’s public knowledge.

Another piece of information available to anyone is the address of the previous place you’ve visited. You can hide that by clearing your browser’s cache.

Cookies are also a bit of a liability. These aren’t the yummy chocolate kind. They’re little files that get saved on your hard drive when you visit some websites, and they contain information about you that you’ve provided to a remote computer. In fact, any information you’ve submitted via a web form can be saved as a cookie by a remote computer and retrieved later. You make the decision to submit that information across the internet when you decide to fill out an online form. So don’t put any information you want to keep secret on an internet form. (If you see a small yellow lock at the bottom of the window where the form is, the site is telling you your information is secure. That’s usually reliable but not foolproof.)

Cookies are also used to track movements on a web page. Pages you’ve visited could be stored and retrieved later. Personal preferences you’ve selected from a website are often stored using a cookie as well.

There are other, more serious consequences that are a little difficult to overcome. Browsers are sometimes flawed. Occasionally, bugs crop up in new versions of both Netscape and Microsoft browsers. Those bugs are typically esoteric and tough to reproduce in the real world because a series of conditions must be met to expose and exploit the flaw. They usually involve combinations of programming technologies like Java, JavaScript, and ActiveX controls. Both Microsoft and Netscape design such technologies so that their scope of operation on a user’s machine is limited. For example, JavaScript, which is a programming script built into some web pages, is not allowed to delete or create files on your hard drive (except for cookies).

That’s not to say there’s no risk. Bugs still will pop up. The only way around this problem is to keep an eye on bug reports and download fixes from the maker as soon as they are available. A good place to look for bug reports is Cnet’s daily computer news at www.news.com.

Another, more conservative, approach is to wait until a new version of a browser has matured. Downloading it on release day makes you a big guinea pig for that software. Waiting a couple of months until post-release bug fixes have been found or ruled out is safer.

(The same advice applies to a new relationship. Iron out the “toothpaste squeeze” bug before showing your potential significant other off at the family reunion. Failure to do so can result in a recall!)

One other item you should be concerned with is sending secure data across the internet. Netscape and Microsoft have developed encryption features in their browsers that allow the software to make a connection with a secure remote server, so that data passing between them is coded. You’ll want 128-bit encryption for financial data.

Think of it as a more sophisticated version of spelling out messages in front of kids and pets to hide information from them.

Netscape and Internet Explorer have 128-bit encryption built in.
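
An added example, not part of the original column: it parses one HTTP request to show the items the answer lists as visible to a remote site (IP address, previous page, cookies), and checks that a link to a local file: URL, the kind of trick the answer describes, never produces a request to the page's server. The sample request, the 192.0.2.10 address, the example.com/example.org URLs and all function names are constructed for illustration.

```javascript
// Constructed sample: one request as a browser of that era might send it.
const SAMPLE_REQUEST = [
  'GET /joke.html HTTP/1.0',
  'User-Agent: Mozilla/2.0 (compatible; MSIE 3.02; Windows 95)',
  'Referer: http://www.example.org/links.html',
  'Cookie: visits=3; colour=blue',
  '', '',
].join('\r\n');

// Split "name<sep>value" items into an object, skipping malformed ones.
function toPairs(items, sep, lowerCaseKeys) {
  const out = {};
  for (const item of items) {
    const i = item.indexOf(sep);
    if (i < 1) continue;
    const key = item.slice(0, i).trim();
    out[lowerCaseKeys ? key.toLowerCase() : key] = item.slice(i + 1).trim();
  }
  return out;
}

// Everything the remote side can log: the connection's source address plus
// the headers the browser chose to send. No local file names are in there.
function serverView(rawRequest, remoteAddress) {
  const head = rawRequest.split('\r\n\r\n')[0].split('\r\n');
  const headers = toPairs(head.slice(1), ':', true);
  return {
    ip: remoteAddress,
    requested: head[0].split(' ')[1],
    previousPage: headers['referer'] || null,
    browser: headers['user-agent'] || null,
    cookies: toPairs((headers['cookie'] || '').split(';'), '=', false),
  };
}

// A link's scheme decides who answers it. A file: link is read from the
// local disk by the browser itself and sends nothing to the page's server.
function reachesServer(href, pageUrl) {
  const scheme = new URL(href, pageUrl).protocol;
  return scheme === 'http:' || scheme === 'https:';
}

const view = serverView(SAMPLE_REQUEST, '192.0.2.10'); // documentation IP
console.log(view, reachesServer('file:///C:/', 'http://www.example.com/joke.html'));
```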