Craig Brougher wrote:
> I just received this note from MSN, warning me that I am at risk on
> the Internet when I do the following things:

> If I am not mistaken, they are telling their subscribers that _if_ they
> shop on the Internet, they are in serious danger of being ripped off,
> intruded upon, or "digitally challenged" in some other way that is not
> very nice.  They also did not even address the scenario by Ron Yost in
> regard to "Form" viruses as a result of using the MSN Internet Explorer.
> To me, their reply smacks of politics, and lacks conscientiousness and
> honesty.  Their warning would apply to ANY search engine, seems to me.

Craig has a few observations about his latest experience with Microsoft
in the last Digest.  I sympathize, and I decided to digress from the
normal topic of this digest to make just a few comments that might help
some of the folks here that aren't all that familiar with the net.

Microsoft discovered the Internet much later than most other computer
companies, and it rushed pell-mell to get on it, with a business plan
that involved adapting a lot of existing software to Internet use, and in
using some of their Internet software as part of their "next generation"
operating system.

It is that close integration that got them into trouble.  You can do
things to a Windows 95 system using a browser that could never be done to
a Unix system.  For example: among the nasty possibilities that the
recent patch is supposed to fix, you could click on a link that could
turn around and delete the "Windows" directory on your hard drive - in
effect, deleting your operating system and trashing your computer.

Microsoft left itself open to these kinds of problems because they
really never, ever had to deal with a "hostile" environment before.
Up until now, the only people who could "use" your computer was you,
and YOU obviously don't WANT to hurt yourself - all anyone needed was
"dummy-proofing" to avoid deleting important files by accident, and
similar problems.  Anyone who deliberately _set out_ to damage their
computer hurt no one but themselves.

But in the real world of the Internet, crackers and vandals live that
seem to have nothing better to do than to find loopholes in operating
systems and try to destroy things.  Microsoft is very, very lucky that
the people who first discovered these holes in Internet Explorer (IE)
were students of operating system security, and not vandals out to wreck
people's computers.  The next time, they - and we - may not be so lucky.

Internet Explorer is popular because it is Microsoft, and comes with
Windows.  But there is another browser that was developed in the Unix
world where security has been a way of life for a quarter of a century
and where dealing with crackers and vandals has become a fine art:
Netscape.

Netscape for Windows has none of the integration with Windows that is
Internet Explorer's claim to fame, and thus has no _opportunity_ to
damage your computer.  Netscape was immune all along to the security
holes that Microsoft is trying to fix now, and will likely continue to be
so for at least several years until Microsoft figures out what's what in
the world of computer security.  If you are nervous about the potential
for having some innocent-looking web page trash your computer, I urge you
to download and install Netscape.  It will lack some of the nifty
features that IE has, but it is safer.

For those of you who are really, *really* paranoid, you can simply
dodge the whole issue and get Linux, which is version of Unix for the
PC.  Linux, as a member-in-good-standing of the Unix family of operating
systems, has lived for years in hostile environments and is far, far
harder to crack in this way.  Anyone who is interested in it can check
out any number of web sites that are dedicated to it - a good place to
start is

    http://www.ssc.com/linux/

Be aware, however, that Linux is a completely different operating system
that is totally incompatible with Windows and only "sort of" compatible
with DOS.  It _can_ coexist on your computer _with_ Windows, so you can
use Windows for applications work and Linux to browse the net, but there
is a significant learning curve involved and this is not undertaken very
lightly.  Bbut that _is_ the ultimate in safety at the present time.

On the subject of encryption: as someone whose name I do not recall once
observed, there are two kinds of encryption, the sort that keeps your
little brother from reading your diary, and the sort that keeps major
governments from reading your diary.

Most of the so-called "encrypted" web pages are using DES, which is a
government-approved encryption algorithm.  In the version most often used,
it isn't quite up to keeping the government out of your affairs, but it
is more than adequate to keep anyone else out.

If a web page is encrypted, Netscape (at least) will display a key in the
lower left corner of the browser window (the key is broken - with a white
bar through it - when the page is not encrypted).  Any information sent
to the web page server will be encrypted with DES, and anyone inter-
cepting those packets will have to figure out the key before they can
read your VISA card number, and that is very, very non-trivial -- at
least, it's very non-trivial for anyone but the National Security Agency.

It's probably slightly more trivial for them, DES, particularly.  In the
lesser strengths that are allowed for export, it can be broken by massive
computer power; but anyone with that much computing power is not trying
to steal your credit card number -- the average card couldn't pay for an
afternoon's worth of air-conditioning in the computer room !

Bear in mind that encryption guards against a theoretical danger.
Even if you send your MasterCard number un-encoded, someone has to be
(a) listening with a packet sniffer on the route, and (b) looking for
card numbers.  I am aware of no one whose number has been stolen in this
manner.

Since it is far easier to harvest these numbers from discarded register
slips and receipts in the average parking lot, even un-encrypted transfers
aren't all that unsafe.  I mean, there are a million people in the
country that could, in theory, tap your phone and _record_ your American
Express number when you make a phone order, because there is no encryption
on an open phone line.

The U.S. government right now is trying to suppress industrial-strength
encryption schemes that are commonly available in the US and Europe.  One
of these is PGP, which is a public-key system that is often used by banks
for "digital signatures" - your ATM machine is using something along these
lines.  You can use PGP yourself: check out Yahoo and look up PGP for
some introductory material about PGP.  PGP can make any transaction over
the net safe from prying eyes, but it doesn't help unless the software
is designed to use it, and no browsers are yet, to my knowledge.

Myself, I use Netscape on Windows 95.  I am very sure that Netscape
cannot be tricked into blasting my hard drive away no matter what kind of
link I click on.  I do sometimes use Internet Explorer, and I downloaded
the patch, but I used Netscape to do that, and I don't browse the net with
IE; I only use that for local Java work when I'm off-line.

As for sending data by email, the advice about using encryption is valid
and worth taking.  And as a general observation, no one should _ever_ ask
you for a password.  Never give one out.

And that's your primer for safety on the Internet.  If anyone has more
questions or needs help they can email me, and I will help or send them
to a Usenet newsgroup where the answer can be found.  The problems with
Internet Explorer are not worth panicking over - but they should remind
people that monopolies are a Bad Thing.

regards,¶
Larry Smith

 [ Editors note:
 [
 [ Right on, Larry!  I am a big believer in PGP as an encryption
 [ tool for the masses, and I feel strongly enough about this that
 [ my public key is published at the bottom of the foxtail web page.
 [ I invite those Digest members who understand what this means to
 [ exchange PGP public keys with each other.
 [
 [ Jody

 [ Relief Editors note: Jody is helping me learn Linux on the PC.
 [ It's not that I have much against Windows 95, but the music
 [ tasks I'm doing aren't well-suited for a Microsoft environment, for
 [ many of the reasons Larry Smith cites, and I fear that the future
 [ is bleak for my trusty old Macintosh.    -- Robbie