Member Rara Avis
Recent threats made in OP have, apparently, made a few people concerned about security on the Internet. Last night, I received an email (circuitously) from one of our Members detailing what her fairly knowledgeable boyfriend thought were possible ways a troublemaker could attack our forum and those who post here. With her permission, I've decided to post my answers to her list in hopes it would both alleviate some of those concerns and, more importantly, provide everyone with some simple precautions all Internet users should take regardless of threats.
>The primary things are:
>1 - The software being used to develop Passions - various options (ie
>passwords, entry etc.) are available from the net and thusly...
>2 - There are already hacks for the software (and IP masking/camouflage)
>that are easily available on most hack sites (not necessarily the same version
>but you get the point). Thus anyone with access to these and a "creative"
>mind can cause some real trouble for both Ron and anyone he wishes.
Yes, there are hacks of the UBB software available. While of possible educational value, they are otherwise useless unless an individual can gain direct access to our web server. Even intimate knowledge of the software does no good unless our software can be reached, modified, or replaced. Even the possible educational value is dubious - because our version of the UBB has been so heavily modified I doubt the original author would recognize it.
As for IP spoofing, it's a technique used to gain unauthorized access to computers, whereby the intruder sends messages with an IP address indicating that the message is coming from a trusted port. To engage in IP spoofing, a hacker must first use a variety of techniques to find an IP address of a trusted port and then modify the packet headers so that it appears that the packets are coming from that port. In the US, IP spoofing is a Federal crime and, more importantly, it ain't easy. Here's an article that describes in nauseating detail exactly how to perform spoofing: IP Spoofing.
Why would I post a URL to such potentially devastating information? Two reasons. One, once you've read it you'll see it requires a bit more technical acumen than is commonly found. Two, it would be absolutely useless in attacking our server. Ceres, our web server, has no trusted ports. She doesn't identify me by IP number, but rather by password. Unless you can guess my password, you ain't getting in. And, believe me, the password - a long string of random letters and numbers - is not guessable.
>3 - Everyone probably accepts every single cookie when it comes without
>inspecting it - here, the virus scanner doesn't scan it probably (it's
>Norton, but either way it doesn't inspect everything)
A virus is a program. It requires three things: a computer language sophisticated enough to control a computer, access to the computer, and the ability to execute.
Access to the computer is gained when you download a program. Execution is only gained when you actually run the program. In other words, I could download viruses all day long, but nothing will happen to my computer until I run one. Only then does the virus gain control and go about its nasty little tasks.
Historically, viruses are written in C or C++, though a few famous ones were hand-coded in assembler. Those computer languages are powerful and can result in programs that have FULL control of a computer. More recently, the macro languages behind many software applications have become powerful enough to support viruses. Microsoft, as the primary example, now embeds a subset of Visual Basic (VB) into many applications - including Excel, Word, and Outlook. While not nearly as powerful as C, VB can produce programs powerful enough to cause serious damage to a computer. They can format your hard disk.
Besides being so ubiquitous, the real danger to VB viruses is the fact they blur the line about "running" a program. What we once thought of as "data," like a word processing or spreadsheet document, can now contain powerful macros that run the instant you "open" the document. So, in just the last year or two, looking at a poem written in MS Word can now activate a virus - even though you theoretically didn't run a program downloaded off the Internet. Fortunately, newer versions of Word and Excel allow you to turn off all auto-run macros, meaning you can again look at the data without worrying about a macro-program-virus running by doing so.
Unfortunately, not everyone is aware of either the danger or the precautions. The worst offender is MS Outlook: It contains a "Preview" feature that can automatically preview an attachment the minute it comes into your email box. To do that, however, Outlook must "open" the document, which obviously has the potential to "run" any macro-viruses it contains. For more information about the virus that originally exposed this Outlook weakness - and for steps to prevent it from happening to you - take a look at this article: Bubble Boy Virus
A cookie on the Internet is a very tiny piece of data. It's not a program. It cannot contain a virus. The only ones that can give you a cookie are web servers - not other users on the Internet. If you'd like to see what cookies our software passes to you, you'll find a link in the Members area, off the "Preferences" screen, that will list each of the cookies used by our software. As you'll easily see, they are nothing more than bits of data. While not pertinent to viruses, it's also important to realize that only you and our web server are able to examine your cookies. All of the browsers are specifically instructed to return a cookie only to the domain that originally gave it. That's why, when we moved to the new server, everyone lost their cookies from the old forums. The new server was completely unable to access cookies from another server - even though it would have made all our lives easier.
In summary, the only way to get a virus from our forums is for another Member to email you one as an attachment to regular mail. You should never "open" such an attachment without taking the proper precautions.
>4 - E-mail bombing is incredibly easy via Hotmail and other "free" e-mail
>servers. Also, it is possible to trace IP addresses and determine people's
>locations precisely (by accessing Windows 9x user information direct
>online - it has happened to me!!!).
The term Email bombing simply refers to excessive, unwanted email. It can be darn irritating to receive dozens or even hundreds of identical email from the same individual. It's a waste of shared Internet resources and it's harassment. In severe instances, when thousands and thousands of messages are sent very quickly, it can even crash your email server and possibly get you booted from your ISP. The latter case, however, requires both programming experience and access to an Internet mail server and is fairly rare. It's becoming even more rare since the US Government classified it as a form of domestic terrorism and subjected such individuals to Federal prosecution.
Less extreme examples of email bombing can, indeed, be done using Hotmail and other such services. All it takes is a lot of time, patience, and prodigious use of the Back button. The good news is that it takes the sender a WHOLE LOT more effort to send than for you and me to delete. A complaint sent to the free mail service will usually result in a complaint to the sender's originating ISP - and they will be the ones looking for a new ISP very shortly.
As for IP numbers, yes, they can be traced. When "Soup 81" sent an AOL instant message to Columbine sophomore Erin Walton, saying he was going to "finish what begun," the FBI was able to trace the IP directly to 18-year-old Michael Campbell in Florida. And it only took them about 48 hours.
Fortunately, most people don't have the resources of the FBI, and IP numbers cannot be easily traced to specific individuals or even geographical locations. The exception to the latter can, however, occur if your ISP is a local one. Give me an IP and I can tell you in 30 seconds who owns it - i.e., who the originating ISP is. You can do the same thing by going to http://arin.net/whois/index.html and entering an IP number. If the ISP is a local ISP, obviously I can surmise the user resides in the same GENERAL geographic location. A few of the larger ISPs (but not AOL) also use different IP blocks in different parts of the nation - so, again, with the proper information, a GENERAL geographic area might be determined. But except in rare instances (usually involving a business that owns their own IP block), only the proper authorities can track an IP to an individual.
>5 - Not everyone is in the know - people can open e-mail attachments that
>aren't stored as an "attachment" (ie included via binary encryption inside
>the document) which when opened can also cause some nasty damage to files
>on hard disk which not every virus scanner is equipped to prevent.
Agreed - not everyone is in the know, and the best protection is always knowledge! The general advice is to never open attachments except from people you trust. Personally, I don't think that's good enough. An email attachment is like sex in at least one respect - you aren't trusting just one person, but all the other people that person trusted in the past, creating a chain that can include hundreds of thousands of individuals. USE PROTECTION!
As for including a "binary encryption" within a plain-text email message, that is indeed possible. However, just as with downloading virus programs, nothing will happen. Remember - one of the three criteria includes execution of the program and there is no way to execute plain-text email. It just looks like garbage on your screen (which it is). The only possible exception to this (and I know of no known instances) would be email sent as an HTML document. Theoretically, an HTML email message "could" contain anything a web page can contain, including ActiveX controls. The answer is to simply turn off HTML encoding within your email program, though honestly, I doubt it's even worth the trouble.
In Summary
Participation on the Internet will never be 100 percent safe. I'm not entirely unaware of the dangers, and I think I've taken reasonable precautions to protect us, but there are certainly no guarantees. You should be careful about viruses, but your best protection is simply to ensure you have backups of valuable data. Just in case. If someone successfully attacks our web server, the worst that's going to happen is we'll be down for several hours while I restore the system and we could potentially lose about 24 hours' worth of posts. If you back up your data regularly, you can enjoy the Internet with equal confidence.
As for the specific threats recently made, perhaps our best protection lies in a very simple truth: Bigots, almost by definition, are notoriously stupid people.
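Added example, not part of the original post: a minimal JavaScript sketch of the cookie scoping rule the post describes (a browser returns a cookie only to the domain that set it), following the domain-matching rule in RFC 6265. The `CookieJar` class and the host names `old-forum.example` and `new-forum.example` are constructed for illustration and are not the forum's software or real servers.

```javascript
// Constructed illustration of RFC 6265 cookie domain scoping.
// Real browsers additionally reject public suffixes such as "com"; omitted here.

function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':');
}

// RFC 6265 section 5.1.3: does the request host fall under the cookie domain?
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, '');
  if (host === cookieDomain) return true;
  // A suffix only counts on a label boundary, and never for IP literals.
  return !isIpLiteral(host) && host.endsWith('.' + cookieDomain);
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Store a cookie received from originHost. A server may only name a
  // Domain attribute that covers itself, so it cannot plant cookies elsewhere.
  set(originHost, name, value, domainAttr) {
    if (domainAttr && !domainMatch(originHost, domainAttr)) return false;
    const domain = (domainAttr || originHost).toLowerCase().replace(/^\./, '');
    this.cookies.push({ name, value, domain, hostOnly: !domainAttr });
    return true;
  }

  // Build the Cookie header value that would be sent to requestHost.
  headerFor(requestHost) {
    const host = requestHost.toLowerCase();
    return this.cookies
      .filter(c => (c.hostOnly ? host === c.domain : domainMatch(host, c.domain)))
      .map(c => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// The server-move scenario: cookies set by the old host never reach the new one.
function demo() {
  const jar = new CookieJar();
  jar.set('old-forum.example', 'session', 'abc123');
  jar.set('www.old-forum.example', 'pref', 'dark', 'old-forum.example');
  return {
    crossSetAccepted: jar.set('new-forum.example', 'x', '1', 'old-forum.example'),
    toOld: jar.headerFor('old-forum.example'),
    toSubdomain: jar.headerFor('members.old-forum.example'),
    toNew: jar.headerFor('new-forum.example'),
    toLookalike: jar.headerFor('evilold-forum.example'),
  };
}
```

The `toLookalike` case shows why the match is made on a label boundary: a host name that merely ends with the same characters receives nothing.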