 1 There is *NO* such thing as an E-mail text virus!!
 2 Security Holes In Browsers - Leaking Out Your Personal Info.
 3 cookies
 4 Data-Collection Agents How Companies Obtain Data About You & Your PC.
 5 hackers
 6 SSL

\1 There is *NO* such thing as an E-mail text virus!!

Does this sound familiar: "Don't read or open any e-mail titled Good Times! It will destroy your computer!" Many of you have received e-mails warning you against reading a specific e-mail sent to you under a certain name (e.g., "Good Times"). These warnings tell you your computer will face certain doom if you open these e-mails and read them. THESE WARNINGS ARE A HOAX.

The TRUTH of the matter is, *YOU CAN NOT GET A VIRUS OR ANY SYSTEM DAMAGING SOFTWARE BY READING AN E-MAIL*. E-mails (that is, the ACTUAL message) can not contain viruses. This is why: 

A virus can not exist in an e-mail text message. Viruses also can NOT exist in USENET (newsgroup) postings or simply "float around" the internet. Viruses must be attached to and infect an executable program (.exe, .com). Viruses and other system-destroying bugs can ONLY exist in EXECUTABLE FILES, and since e-mail is not a system file in that sense, viruses can not exist there. While reading e-mail, you are not executing any code, so nothing malicious can activate! Thus, no virus can exist.

HOWEVER, if you (or your computer) download a FILE attached to an e-mail or USENET posting (i.e., a binary) and RUN it, there IS a chance that file could contain a virus, since a runnable file could contain a virus.

It is also very important that you DO NOT, under any circumstances, allow your e-mail program to automatically execute an attached file. You risk infection by doing so!

Viruses are generally (almost always) OS (operating system)-specific. Meaning, viruses created for a DOS application can do no damage on a Macintosh, and vice-versa. If you take a careful look at these e-mail hoaxes, you'll notice that very few are specific about which system they "infect."

There is one exception to the OS-specific rule, which is called the Microsoft Word Macro Virus, which infects documents instead of the program. This virus can affect both Macintosh and PC computers because of the way the application was written (it contains the same source code on several OS's). In the future, we might see viruses cross OS boundaries because the Java and ActiveX programming languages break the typical "rules" of how a virus is OS-specific.

If you carefully read these hoax letters, you can pick out strange, nonsensical technical jargon, used to confuse and scare those who aren't computer experts. This jargon usually talks about systems of a computer that don't exist or things that aren't possible.

IMPORTANT NEWS! 3. Sep 99 - If you are using MS Internet Explorer version 4.0 or 5.0 you'll want to download the following security patch that will hopefully prevent a recently discovered security breach in the program that might allow a website to get inside your computer and even possibly disrupt your e-mail. 

New Hoaxes: M&Ms for Free Hoax

ALL of the Hoaxes: A.I.D.S. virus Hoax; Ambercrombie & Fitch Hoax; America Online Year 2000 Update Hoax; AOL4Free Virus Hoax; AOL IM Hoax; Bill Gates $1,000 Hoax; California ("Wobbler"); Deeyenda; Disney $5,000 Hoax; Fax Machine Hoax; Free Computer Equipment Hoax; Gap Hoax; Good Times; How to Give a Cat a Colonic Hoax; ICQ Hoax - the latest e-mail hoax variation; Irina; It Takes Guts to Say 'Jesus'; Join The Crew; Microsoft Pyramid - a "Bill Gates $1,000" variation; Miller Beer Hoax; NASTYFRIEND99; Naughty Robot; Pen Pals; PKZIP300; Returned or Unable to Deliver; ShareFun.A - an actual e-mail virus?; Southern Nazerene Hoax; U.S. Postal Service "Bill 602P" Hoax; Win A Holiday; World Domination

What about HTML embedded E-mails? What about .JPG and other image files?

Oh great, do I believe you or do I believe the virus warnings!? Why should I believe you?

Good question. Well, I've been working with computers on various platforms for over ten years and am a graduate from Mankato State University with a degree in Computer Science. I am a computer consultant based in Chicago, IL and have also worked with the Internet for close to 10 years. But, please, don't simply take my word for it. Ask your ISP (Internet Service Provider) whether or not e-mail viruses exist. Also, please check out the following links that prove e-mail viruses can NOT exist.

Les Jones' excellent site on the Good Times Virus Hoax; PC Magazine's Bill Machrone on Viruses (11/19/96); The FCC's (Federal Government) Response to the Good Times Virus Hoax; U.S. Department of Energy - CIAC division - Report on Hoaxes; IBM's "HypeAlert" on Good Times; Symantec Corp.'s Descriptions of Virus Hoaxes; Stiller Research; Computer Virus Myths; Data Fellows Europe Hoax Warnings; HoaxKill

So how can I get a real virus?

You can get a real virus ONLY by downloading or receiving a file which is infected that you run on your computer. Ways that can happen:

If you get an e-mail with a file attached to it (an executable program such as .exe, .com) that contains a virus and you download that file AND run it, your computer will become infected.

If you get an e-mail with a Microsoft file attached to it (an Office file such as .doc) that contains a macro virus and you download that file AND open it, your computer will become infected with that macro virus.

If you download a file from the Internet that contains a virus AND you run it, your computer will become infected.

Viruses are also transmitted by computer networks (2 or more computers linked up together) and by infected disks. Don't use someone else's floppy without virus-checking it first! If you were to boot a computer with an infected floppy (boot virus), your computer will be infected (it isn't advisable to boot your computer using a floppy). A great resource for educating yourself on what viruses can and can't do is from Stiller Research.

How can I protect my computer from real viruses?

Take these precautionary steps:

NEVER download and/or run an attached file on an e-mail from a stranger or from an unknown address. Be VERY cautious when downloading/running one from a friend (most likely if they pass you a virus, they won't know they did!).

NEVER have your e-mail program set to automatically run attached files. VERY IMPORTANT! This is especially true for browsers and/or e-mail programs which automatically execute Microsoft Word after opening an e-mail. TURN OFF THE OPTION TO LAUNCH OR EXECUTE ANY PROGRAMS after receiving e-mail.

NEVER run an executable file you've just received without first running it through an updated anti-virus utility.

If your computer is on a network, make sure you have security steps in place to prevent unauthorized users putting files on your computer. Networks are ideal virus transmitters since they are accessed by many computers and there usually is a great deal of interaction between these computers.

MAKE SURE you've got a good anti-virus program that is updated often from the company (check out the anti-virus links below).

TAKE CARE in using floppy disks! The more computers a floppy has been used on, the better the chance of a virus infecting it. ALWAYS run floppies through an anti-virus program before using them and be extremely cautious when booting your computer from a floppy disk (it's advisable not to do so).

KEEP YOUR E-MAIL SOFTWARE UPDATED! Software companies are always finding problems with their software and if they are good about it, will post patches to update your e-mail software. Continually check your software company's website for updates to your e-mail software!

What can I do to stop these hoaxes from spreading?

If you are ever forwarded a copy of one of these hoax warnings, simply reply back to the person who sent you the warning that it IS a hoax and suggest they check out this page. The URL is: http://www.gerlitz.com/virushoax/ Remember, don't be angry with the person who forwarded the message to you; they were most likely forwarded the same message by someone else. The more people we can educate about such hoaxes, the better! NEVER forward these hoaxes - it will only continue the problem and waste our precious bandwidth!

Anti-Virus Links

Here are some links to anti-virus homepages across the net. They provide a great deal of information about computer viruses. If you would like to know more about viruses and how to kill them, these sites are valuable. Many also provide anti-virus software.

McAfee Homepage - www.mcafee.com
Symantec Corporation - www.symantec.com
Anti-Virus - www.antivirus.com
Stiller Research - www.stiller.com
Computer Virus Myths - www.kumite.com/myths/


\2 Security Holes In Browsers - Leaking Out Your Personal Info.

No browser is perfect. That's just a fact of Internet life. It is also a fact that you aren't likely to enjoy the Internet unless you are using a browser of some kind. And when you choose a browser, chances are pretty good that you'll use one of the big three: America Online (AOL), Internet Explorer (IE), or Netscape Comm.

The features and functions offered by all three browsers are very similar. However, their similarities don't end at their features and functions. All three have some potentially dangerous flaws or bugs that you may wish to know about before deciding which browser to use.

The very nature of the Internet means that browser security will never be completely foolproof. It is easier to find a new way to break through browser security defenses than it is to design a newer, better, and harder-to-break-into browser. That means you should always be aware of the fallibilities of your current browser and make sure you have the latest security patch or upgrade. 

AOL 5.0. AOL has long been plagued with hackers who manage to find a new way to break its security measures. It seems that just as soon as AOL plugs one security hole, some determined hacker manages to find another one.

Unfortunately, because of its historically lax internal security standards, AOL has been its own worst enemy with regard to security. Though AOL apparently plugged the security hole that let users access their internal customer account database in 1995, there are still many, many internal security problems. Even today, many AOL internal file libraries and message boards are unsecured and can be accessed by any user with a little bit of knowledge and determination. 

Groups of AOL hackers still trade user names, addresses, and access information they gather from AOL online staff areas where security is still light or nonexistent. AOL tightened up its internal online security in vital areas, such as customer account management databases.

Consequently, hackers who break into online staff areas today typically intercept only routine material that AOL does not consider particularly important. However, the fact that hackers routinely attack AOL sites, both internal sites and those related to user accounts, definitely implies that AOL's security in general is not as tight as you might hope.

The latest attacks exploit a weakness in AOL's password security routines. This security breach comes in the form of an AOL e-mail message with an attached Joint Photographic Experts Group (JPEG) file. Users click on what they believe is simply an image file in JPEG format, but the file is actually a disguised password-stealing program that is activated when a user clicks on the image.

In response, AOL released a security bulletin that says, in part, "Trojan horse programs arrive to [sic] your mailbox as e-mail attachments disguised as software, screen savers, photos or some other offer of free products. If you . . . download one of these attachments, the . . . program may . . . damage files on your computer, or it may capture your password and mail it back to the hacker's e-mail address. If you receive a suspicious e-mail with a file attachment, do not download the file."

You may wish to disable the ActiveX feature in Internet Explorer 5.0 that allows security breaches. 	

This is good advice, of course, but because password hijack programs can be sent from any e-mail site to any other e-mail site, the problem won't improve until all e-mail services and sites improve the security of their user identification and verification methods. In the meantime, you should never, ever open an e-mail attachment unless you know the sender. Even then, it is a good idea to use an antivirus program to scan e-mail attachments before you open them.
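The disguised-JPEG attachment described above can be caught by comparing what an attachment's name claims with what its first bytes say. This is an added example, not code from the original article or from AOL; the sample message is constructed, and the .scr entry and the table of leading bytes are assumptions made for the illustration.

```python
"""Check whether e-mail attachments are what their file names claim to be."""
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# .exe/.com/.bat are the runnable types the page names; .scr (Windows screen
# saver) is an assumption added for this example.
RUNNABLE_EXTENSIONS = {".exe", ".com", ".bat", ".scr"}
# Leading bytes of genuine image files.
IMAGE_MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8"}
# DOS/Windows executables begin with the two bytes "MZ".
EXECUTABLE_MAGIC = b"MZ"


def triage_attachment(filename, payload):
    """Return the reasons this attachment deserves suspicion (empty if none)."""
    reasons = []
    stem, ext = os.path.splitext(filename.lower().strip())
    inner_ext = os.path.splitext(stem)[1]
    if ext in RUNNABLE_EXTENSIONS:
        reasons.append("runnable extension " + ext)
        if inner_ext in IMAGE_MAGIC:
            reasons.append("image-looking name hides the real extension")
    elif payload.startswith(EXECUTABLE_MAGIC):
        reasons.append("program header behind a " + (ext or "bare") + " name")
    if ext in IMAGE_MAGIC and not payload.startswith(IMAGE_MAGIC[ext]):
        reasons.append("content is not a real " + ext + " image")
    return reasons


def triage_message(raw_bytes):
    """Parse a raw e-mail message and triage every attachment in it."""
    message = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    report = {}
    for part in message.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        content = part.get_payload(decode=True) or b""
        report[name] = triage_attachment(name, content)
    return report


def build_sample_message():
    """Constructed message: one honest photo and two disguised programs."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Pictures from the trip"
    msg.set_content("See attached.")
    msg.add_attachment(b"\xff\xd8\xff\xe0" + b"\x00" * 16, maintype="image",
                       subtype="jpeg", filename="beach.jpg")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="image",
                       subtype="jpeg", filename="sunset.jpg")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="family.jpg.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage_message(build_sample_message()).items():
        print(name, "->", reasons or "nothing suspicious")
```

A clean result here only means the name and the leading bytes agree; it does not replace the antivirus scan the article recommends.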

Internet Explorer 5.0.  The latest version of Internet Explorer 5.0 (IE5) is undoubtedly the fastest and most feature-packed IE yet. It has several security holes, however, that are potentially the most serious of the three browsers.  The flaw, called the Guninski ActiveX scripting hole, is named after the Bulgarian man who discovered it. ActiveX has a control used to create software components called scriptlets, which are small programs that run on your computer when you use IE5 to view a Web page or an e-mail message.

Because of the way it works, ActiveX has easy access to your computer's file system. Unfortunately, it lacks the safeguards it should have to prevent hackers from using it to overwrite system files, plant Trojan horse programs, or do other damage. It lets anyone use a few lines of Hypertext Markup Language (HTML) code to access your computer if you even so much as visit a Web page that contains the hostile code. Because any public HTML-formatted message posted to a newsgroup can also contain the hostile HTML code, your computer is also vulnerable to the security hole if you use IE5 to access and read Internet newsgroup messages.

Worse yet, that same hostile HTML code can be sent to you as an ordinary-looking HTML e-mail message; it doesn't even have to be an attachment. Neither do you necessarily have to be using IE5 as your browser to be susceptible. Many e-mail programs, such as Eudora Lite, Eudora Pro, Outlook, and Outlook Express, use IE5 behind the scenes, which means they make you vulnerable to the security hole as though you were using IE for your browser.

So far, Microsoft has released neither a security bulletin nor a patch for the problem. However, there are things you can do to safeguard your system.  Obviously, one solution is to use a different browser. Because IE5 is integrated into the Windows 98 operating system, it is often invoked, sometimes invisibly, by third-party programs, such as Eudora, Quicken, TurboTax, and others. 

Therefore, to fully safeguard your computer, you must disable the ActiveX feature that allows the security breach. Here's what you need to do: Click the Start button, Settings, and Control Panel. Double-click the Internet Options icon to open the Internet Properties dialog box. Select the Security tab to see the security settings.

This is an actual sample of a Netscape cookies.txt file; the text in red has been changed to protect user privacy.

Click the Internet (globe) icon to highlight it. If it is not grayed out, click the Default Level button. If the button is already grayed out, go on to the next step. With the Internet icon selected (highlighted), click-drag the Security Level For This Zone slider control upward to set the security level to High and click the Apply button.

Next, click the Custom Level button to open the Security Settings window. The ActiveX Controls And Plug-ins group is at the top of this window. Scroll down the alphabetical list of security settings to find the Run ActiveX Controls And Plug-ins settings. Click the radio button for Disable in that group of settings.

Continue down the list of settings to the Script ActiveX Controls Marked Safe For Scripting group and click the radio button for Disable there, too. Continue down the list to the Scripting group of settings and click the radio button for Disable under Active Scripting. Click OK, then click Yes when asked if you are sure you want to make the changes. Click OK again to close the Internet Options window. 

Another security hole in IE5 makes it easy for unauthorized users to access certain secure Web sites without knowing the required user name and password. Once any authorized user accesses the site with IE5, any later users of that same PC and browser can also access the secure site without having to enter the required username or password.

The bug was submitted to MS in Dec 1999, but as of this writing, no fix has been issued.

A third security hole in IE5 makes your Favorites and History lists vulnerable. Obviously, you know when you add file references to your Favorites list because you, the user, do so intentionally. However, IE5 automatically adds references to your History list. Unencrypted user names and passwords are saved in both lists. That means that anyone who has access to your computer can open those lists and read your user name and password for any secure site ref.

Microsoft has said that they will address the issue in a future version of Internet Explorer. Until then, you can manually edit your Favorites and History lists to remove user name and password info. 

Right-click the Start button and select Explore from the pop up menu to open the Windows Explorer. Then scroll down the list of files on the left to WINDOWS\FAVORITES. Double-click Favorites to open it in the right-hand pane.
 Next, click Tools on the Menu bar, Find, and Files or Folders to open the Find All Files dialog box. In the Containing Text field, type ftp:// and click the Search button. Finally, delete any links you find that contain your user name and password.

Repeat the process for the WINDOWS\HISTORY folder.  You will have to periodically repeat this whole process to make sure your user name and password to secure sites remains cleared from your computer.
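The manual search above can be scripted. The following added example (not part of the original article) walks a Favorites-style folder, reads each Internet shortcut, and reports links whose URL embeds a login, without printing the password itself. It goes beyond the article's ftp:// search by checking every URL scheme, and it covers only .url shortcut files; the folder contents are constructed in a temporary directory.

```python
"""Find Internet shortcuts in a Favorites folder whose URL embeds a login."""
import os
import tempfile
from urllib.parse import urlsplit


def shortcut_url(path):
    """Return the URL= value stored in an Internet shortcut (.url) file, or None."""
    with open(path, "r", encoding="latin-1") as handle:
        for line in handle:
            key, sep, value = line.strip().partition("=")
            if sep and key.strip().upper() == "URL":
                return value.strip()
    return None


def embedded_login(url):
    """Return (scheme, host, user, has_password) if the URL carries a login, else None."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return None
    return (parts.scheme, parts.hostname, parts.username, parts.password is not None)


def find_credential_shortcuts(folder):
    """Walk the folder and list every shortcut whose link contains a login."""
    findings = []
    for root, dirs, files in os.walk(folder):
        dirs.sort()  # deterministic order
        for name in sorted(files):
            if not name.lower().endswith(".url"):
                continue
            full_path = os.path.join(root, name)
            url = shortcut_url(full_path)
            login = embedded_login(url) if url else None
            if login:
                findings.append((os.path.relpath(full_path, folder),) + login)
    return findings


def demo():
    """Build a constructed Favorites folder in a temp directory and scan it."""
    samples = {
        "Company FTP.url": "ftp://jdoe:constructed-pw@ftp.example.com/pub/",
        "News.url": "http://www.example.org/",
        os.path.join("Links", "Members.url"): "http://member7@members.example.net/area/",
    }
    with tempfile.TemporaryDirectory() as folder:
        os.mkdir(os.path.join(folder, "Links"))
        for relative, url in samples.items():
            with open(os.path.join(folder, relative), "w", encoding="latin-1") as handle:
                handle.write("[InternetShortcut]\nURL=" + url + "\n")
        return find_credential_shortcuts(folder)


if __name__ == "__main__":
    for shortcut, scheme, host, user, has_password in demo():
        note = "user name and password" if has_password else "user name only"
        print(shortcut + ": " + scheme + " link to " + host + " stores " + note)
```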

Netscape Communicator 4.x.

Despite the apparent attention to security, AOL is one of the easier browsers to hack into, usually through the sign-on process.

Web sites place small text files called cookies on your HD to keep track of info, such as what sites you've visited and how often, what purchases you've made, what your passwords are, and the like. Typically this info shortens the time it takes sites to load and eliminates the need to re-enter your password every time you visit a site. Ordinarily, each Web site can access only the info that it put into your cookies folder itself, not the info put there by any other Web site.

Under certain conditions, sites that users view with Netscape Navigator or Netscape Comm 4.x can leave your cookie info from other sites on another site's Web server. Netscape says it is unable to reliably dupe the problem, so they have been unable to fix it. Therefore, it is a good idea to either disable cookies in Navigator 4.x or periodically review your cookies folder to delete any private info, such as user name and PW combinations.
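The periodic review suggested above can be automated. This added example (not part of the original article and not Netscape's code) parses the cookies.txt layout of seven tab-separated fields per line (domain, all-hosts flag, path, secure flag, expiry as Unix time, name, value), flags entries that look like stored logins, and produces a scrubbed copy. The hint list, the sample file and the fixed clock value are assumptions constructed for the illustration.

```python
"""Review a Netscape cookies.txt file for entries that look like stored logins."""

# Substrings suggesting a cookie holds login data (assumption for this example).
CREDENTIAL_HINTS = ("pass", "pwd", "pw", "user", "login", "auth")


def parse_cookies_txt(text):
    """Parse the tab-separated format into dicts; skip comments and bad lines."""
    cookies = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # malformed entry
        domain, all_hosts, path, secure, expires, name, value = fields
        try:
            expires = int(expires)
        except ValueError:
            continue
        cookies.append({
            "line": line, "domain": domain, "all_hosts": all_hosts == "TRUE",
            "path": path, "secure": secure == "TRUE", "expires": expires,
            "name": name, "value": value,
        })
    return cookies


def review(cookies, now):
    """Return (cookie, reasons) for every cookie worth a second look."""
    flagged = []
    for cookie in cookies:
        reasons = []
        if any(hint in cookie["name"].lower() for hint in CREDENTIAL_HINTS):
            reasons.append("name suggests stored login data")
            if not cookie["secure"]:
                reasons.append("also sent over unencrypted connections")
        if 0 < cookie["expires"] < now:
            reasons.append("already expired")
        if reasons:
            flagged.append((cookie, reasons))
    return flagged


def scrub(text, now):
    """Return the file text with every flagged cookie line removed."""
    drop = {cookie["line"] for cookie, _ in review(parse_cookies_txt(text), now)}
    kept = [line for line in text.splitlines() if line not in drop]
    return "\n".join(kept) + "\n"


# Constructed sample file; not taken from a real profile.
SAMPLE = "\n".join([
    "# Netscape HTTP Cookie File",
    "\t".join([".shop.example", "TRUE", "/", "FALSE", "1293839999", "USERNAME", "jdoe"]),
    "\t".join([".shop.example", "TRUE", "/", "FALSE", "1293839999", "PASSWD", "constructed-secret"]),
    "\t".join(["www.news.example", "FALSE", "/", "FALSE", "946684799", "visits", "12"]),
    "\t".join(["bank.example", "FALSE", "/login", "TRUE", "1293839999", "auth_token", "abc123"]),
    "\t".join(["www.weather.example", "FALSE", "/", "FALSE", "1293839999", "zipcode", "60601"]),
]) + "\n"
NOW = 978307200  # 2001-01-01 00:00:00 UTC, fixed so the result is repeatable

if __name__ == "__main__":
    for cookie, reasons in review(parse_cookies_txt(SAMPLE), NOW):
        print(cookie["domain"], cookie["name"], "->", "; ".join(reasons))
```

Run it against a copy of the file with the browser closed, since the browser rewrites cookies.txt when it exits.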

To disable cookies in Netscape Navigator or Netscape Communicator, open the browser and click Edit on the menu bar and select Preferences. In the list of Preferences on the left side of the window, click Advanced to highlight it and display the Advanced Preferences window.  In the lower half of the Advanced Preferences window, click the radio button next to Disable Cookies. Then click OK and restart the browser.

If you disable cookies in this fashion, however, you should be aware that some sites may refuse you access. There is a way around that problem, though, that usually works quite well with not only Navigator and Communicator but with any other browser. All you have to do is create an empty, read-only cookies directory in the same folder that ordinarily contains the cookies file for your browser and name it cookies.txt (or whatever your browser names its cookies file).

First, locate where Navigator or Communicator stores its cookies file by searching for cookies.txt. It is usually located in the NETSCAPE\USERS folder. Go to the Start button, Find, and click Files or Folders. Type the name of the file in the Named field and click Find Now. Or you can type in the name of the file and click the Browse button to search for it yourself.

When you find the folder that contains the cookies, delete the entire cookies.txt file. Next, in that same folder, pull down File from the menu bar and select New, Folder. Name the new folder cookies.txt. Now mark the cookies.txt folder as Read Only. Right-click once on that folder and select Properties from the pop-up menu. In the Properties box, which should be the Cookies.txt Properties, go to Attributes, which is near the bottom of the box. Click the check box for Read Only and then click OK to accept the change. 

Basically, you are tricking the Navigator and Comm SW into behaving as if it were accepting cookies in the normal way, but the cookie info is not being written to your hard drive. And, of course, no cookies data can be read from your HD back onto anyone else's server because none exists.

Patches & Fixes. Because no browser is completely foolproof, and because there will always be hackers, your best defense is to use good update practices. In other words, no matter what browser you prefer, make it a habit to check its Internet support site regularly for security bulletins, patches, fixes, or updated versions.

You can get AOL support by going to its Member Support area and typing Keyword Support or through http://aol.com.

Microsoft posts its security bulletins at http://www.microsoft.com/security. You can also read about and download the latest updates, patches, and work-arounds from the Microsoft Security site.

For support information for both Netscape Navigator and Netscape Communicator, read and download information from the Netscape Web site at http://www.netscape.com.

All three browser sites offer searchable databases for general technical help, bug fixes, updates, and patches. Likewise, each of the three browsers offers e-mail notification of the most current browser news and updates to registered users, so make sure you register your browser.

Internet newsgroups, user groups, forums, and chat rooms are also great sources for information on how to make sure no one can violate the security of your browser. After all, it only makes sense to use the power of the Internet to help you overcome any weakness in your main Internet tool. In fact, you can usually get information on a work-around or a temporary patch from other users long before the browser company itself has released a fix.

There may be no such thing as a completely foolproof browser, but they are getting better and more secure all the time. Meanwhile, keeping your browser version current and using common sense and reasonable caution will go a long way toward ensuring the safety and privacy of your computer system and your data.
  by Betty Champagne Guthrie 	

------------------------------
E-Mail & More, July 2000, Vol.8 Issue 7, Page(s) 54-55 in print issue

Security Risks: The Dangers Of Sending & Receiving E-mail

Even before the World Wide Web, there was e-mail. People have been exchanging electronic messages for personal and business reasons for a long time, and for nearly as long, bored or malicious hackers have been intercepting and reading them. This has never been acceptable, but as more and more businesses and individuals come to rely on e-mail as a major form of communication, the need to address e-mail security issues has become more urgent.

Right now, the threats are many. When you receive a message, can you be sure of who sent it or that it doesn't carry a nasty payload? Can you be sure the mail you send isn't read en route or that the copies on your computer, the receiver's computer, the sending or receiving servers, and the ISP (Internet service provider) backup files are all safe?

OK, put down the paper, pen, and stamps. Even though there are many potential risks associated with e-mail, recognizing them and learning how to lessen the risks really does make it a much more secure medium.

Danger, Danger. Attachments to e-mail, those cute little paper-clip additions that come with ordinary messages, are still the biggest risk you can face. If they come from people you don't know, particularly if they have an .EXE (executable files), .COM (command files), or .BAT (batch files) file extension, toss them out and don't open them. You just never know what they're going to contain, and the options include some doozies.

Trinoo. This little wonder is especially a threat to DSL (Digital Subscriber Line) and cable users. Hackers send Trinoo, which is a tool/application, not a virus, to your computer as an e-mail attachment and then use it and many other computers to mount DoS (denial of service) attacks, which flood servers with messages until they crash. Many antivirus software packages are presently set up to scan for Trinoo and many other attachment interlopers, such as . . .

Back Orifice. Once this Trojan horse (malicious programs disguised as something harmless or beneficial for the computer user) moves from the attachment to your system, you're essentially at the mercy of the hacker. Using Back Orifice, hackers can control your entire system, including copying and deleting files, damaging data, and disrupting systems.

Viruses. New viruses are popping up almost daily, and some are real nasty. The CIH virus, for example, can reformat your hard drive. It renders a computer useless when a user activates it because it overwrites the hard drive's mapping system. It can also overwrite the computer's BIOS (Basic Input/Output System, software that controls the PC's startup process), rendering the computer inoperable until the user reprograms or replaces the motherboard.

Are you sick of manually mailing viruses to your friends? Meet Melissa. Melissa made headlines last year for its ability to copy and mail itself to the first 50 people in your Outlook address book, making it appear as though you sent it.

By the end of 1999, a virus with new capabilities reared its head. Fashioned after an infamous Seinfeld episode where Jerry and friends visit a bubbleboy, this virus is more annoying than malicious. It changes the computer's registered user name to "Bubbleboy" and the organization to "Vandelay Industries" (another Seinfeldism), while displaying a message that says, "The Bubbleboy incident, pictures and sounds." The real scary aspect of Bubbleboy came with its execution: You don't have to open an attachment to activate it. Just by opening an Outlook e-mail (or even using the Preview function in Outlook Express), a Visual Basic script runs Bubbleboy and e-mails itself to everyone in your address book. Other viruses, such as the Wscript.kak, don't even require you to open an e-mail. After receiving a message with the worm, it reboots Windows and then runs in the background, attaching itself to every e-mail you send. Even though these are more annoying than destructive so far, people worry that "Son of Bubbleboy," something really malicious and self-launching, looms on the horizon. One of the best ways to guard against such things is to have the Windows Scripting Host option turned off or to set any browser security options on high.

Browser Mail. So-called Web-based e-mail has become quite popular over the past couple of years, and in addition to offering universal access to your e-mail account, it's also had its share of problems. In 1999, Microsoft's Hotmail (http://www.hotmail.com) alone had two serious problems (also known as security holes) in which users' e-mail passwords were at risk and users' entire systems were at risk from malicious JavaScripts.

And hackers aren't the only ones targeting these systems. In December 1999, a coalition of consumer and privacy groups, including Junkbusters (http://www.junkbusters.com) and the Privacy Rights Clearinghouse (http://www.privacyrights.org), petitioned the FTC (Federal Trade Commission) to close a security hole with cookies (information from a Web site sent to a browser and stored on a user's hard drive so the Web site can retrieve it later). In this case, users who read e-mail with Web browsers were inadvertently allowing snippets of code, or cookies, into their systems. This makes it possible for businesses to track browsing habits for specific e-mail addresses.

If you really can't do without your Web-based e-mail but want to make it safer, you can take a few steps. Switch to a service such as HushMail (http://www.hushmail.com), which offers free e-mail with strong encryption technology built into it. Make sure you also clear your memory and disk caches after reading your mail; the very technology that makes the browser Back button such a convenience will also make it easy for future users to get at your e-mail. Make sure you turn your browser off and on and zap the e-mail cookie to clear any passwords that linger. Finally, always politely decline if your system offers to save passwords for you. Passwords are worthless if someone can access your computer, and sites proudly come up with the keys every time the hacker finds a door.

Other Security Threats. There are any number of ways your information, and your system, could be in jeopardy simply through your e-mail gateway.

Passwords. Anybody with the initiative and a little (often very little) work can find numerous password cracking applications online. Most use a dictionary of common words to compare your password to. A simple e-mail password may be easy for you to remember, but it also makes for very easy cracking.

Spoofing. The e-mail seemed to come from someone legitimate . . . then it turned your hard drive into a toxic-waste dump. Faking identities in e-mail is often as simple as filling in fields in the preferences dialog box.

Spamming. This is when your mail gets flooded, or bombed, with thousands of messages. There isn't much you can do about this but try and report the offender to his or her ISP. See "The Spammer Slammer" sidebar in the "Protect Your E-mail Address" article in this issue for information on how to report spammers. (NOTE: See the "Spamitize Your Inbox" article for more information on spam in general.)

Subscription lists. Early this year, TWA (Trans World Airlines) accidentally sent out chunks of its Dot Com Deals e-mail newsletter subscription list to subscribers. These lists are worth gold to e-mail spammers (of the "You Too Can Make $30,000 A Week!" variety), and even if the lists claim they will never share information with others, mistakes do happen.

Beef Up Security. So, what can you do to cut down on some of these risks and gain greater control over your e-mail? Look into some of the new life cycle management software or get encrypted.

Software. Several new software packages are set for release this year that give you much greater control over the life cycle of your e-mail. Packages such as Authentica's MailVault (http://www.authentica.com), QVtech's Interosa (http://www.qvtech.com), and Disappearing Email by Disappearing (http://www.disappearing.com) all let you set an expiration date for e-mail so it's only around for as long as you say (as opposed to forever). Other features in some of these packages include the ability to decide whether to let recipients print or copy the message, who can read it, and even the ability to recall e-mail after you send it. Think of it as e-mail management, after the fact.

Encryption. As mentioned earlier, copies of a given e-mail message can reside in several locations, and often hackers can just snatch them up en route. By encrypting (encoding) your e-mail, you make it nearly impossible for even the most determined hacker to read your message. Several free encryption solutions exist, including PGP (Pretty Good Privacy; http://www.pgp.com), InvisiMail (http://www.invisimail.com), and ZixMail (http://www.zixmail.com). These programs all use strong encryption, and even though they can be somewhat of a nuisance compared to regular e-mail (both parties usually have to have a copy of the software, or the receiver needs to download your key from your Web site), they are effective at keeping both casual snoopers and serious hackers alike from reading your messages.

by Rich Gray
  	 Wall-To-Wall Protection  If you had a castle, you might protect it with a few guards, some gargoyles, and a couple of booby traps. And you would definitely have a moat. However, your home network is a different story. Sure, you have antivirus software and a multitude of passwords, but do you have the all-important firewall?   A firewall protects your network as a moat protects your castle (with only one guarded bridge across it). A firewall is an access-control policy between two networks. It is a gate that lets the good people come and go and turns away the bad. Businesses have been using firewalls for years to protect their networks from unwelcome guests, as well as to regulate what employees are doing on company time and to log traffic. With the growing use of always-on Internet connections such as DSL (Digital Subscriber Line) and cable, individuals with such connections should have a firewall set up to protect their home networks. Software packages such as BlackICE Defender ($39.95; 888/343-2707,650/622-1491;http://www.networkice.com) and Zone Labs ZoneAlarm ($19.95; 800/210-5517, 650/622-1499; http://www.zonelabs.com) offer low-cost or free firewall solutions for individuals.  You can set up firewalls in a number of ways, and they offer a high degree of flexibility as to who and what sort of information gets through to your network. They arent foolproof, though. Firewalls cant protect against viruses, and they cant protect against other forms of attack (such as someone dialing in through your modem or someone physically accessing your computer). For example, people can theoretically use tools such as MailTunnel (http://detached.net/mailtunnel.html) to punch a hole in a firewall, thus gaining unimpeded access to someones network.


\3 cookies

Cookies are coded files placed on your HD to store info about you and your activity, usually about your params and preferences regarding the pgm you are using, but can be anything. It can rape your machine, steal PW, etc. It can be read by a web site (w/o your knowledge) and limits can be set. To activate COOKIE alert on Internet Explorer 3.0 Choose Options from View menu. 
 Select Advanced tab. Check Warn before accept box.

Netscape cookies consist of six parts:
  Name: header; unique; required
  Value: info
  Domain:
  Path:
  Expires: (GMT date)
  Security property: a code that determines if it can be transferred unencrypted.
The cookie file is arbitrarily limited to 4K.

Future V1. RFC 2109. No browser yet avail. 5/98. 

Before deleting NB: some (email) sites store PW in cookies.

Cookie Central: cookiecentral.com
Cookie Crusher: 6.zdnet.com/cgi-bin/texis/swlib
Cookie Explanation: netscape.com/newsref/std
Cookie Master: 6.zdnet.com/
NSclean & IEclean: wizvax.net/kevinmca
Who's watching: cdt.org/privacy

Cookies. Simon St. Laurent, 98.

 Ckie Utils: Anonymous Cookie from: luckman.com, setupac_b2.exe

COOKIES by Simon St.Laurent, McGraw Hill. 1988.

 PC Privacy Apr 2000 Control Your Cookie Consumption Keep Servers Out Of Your Hard Drive 

Keeping the kids out of the cookie jar can be a frustrating task, but it's even more maddening to know that many Web sites have access to the cookies inside your PC without your knowledge. Unless you've learned how to manage the cookies on your system, your computer is probably accepting and releasing personal data every time you jump on the Internet.

Cookies are small data files a Web site stores on a user's hard drive that are used to identify the person when he or she returns to the site later. Many times, the cookie is stored on your hard drive without your knowledge. As you surf around the Web, sites are constantly placing and retrieving cookies from your PC to track your browsing habits. Although cookies were originally intended to let users log on to their favorite Web site without registering every time, they can be a potential privacy risk.

There are a handful of reasons that cookies pose a risk to your privacy, but taking control of them will reduce those hazards. The first thing to note is that each time you provide personal information online, it is stored on a server. If you are constantly registering at a number of different sites or frequenting sites where similar ads are always appearing on your screen, it's possible the servers are using cookies to determine your shopping habits. When you revisit a Web site, the server can retrieve your cookie files and trace which Web sites you've visited. They can also track the advertisements you've clicked to develop a profile of your spending habits.

By deleting cookies from your hard drive, it will be difficult for servers to trace your surfing or spending habits. For specific instructions about deleting cookie files from your hard drive in Windows 98, read the "Find & Destroy Cookies In Windows 98" sidebar to this article. It's important to keep in mind that the Web site can access your personal information only if you've shared the information with the site and the site saved it as a cookie.

If you're concerned about the private information you might be providing online, you may want to buy one of the cookie-management software packages we talk about later in this article. These programs will provide manual control over the cookies that are sent to or retrieved from your system. You can also instruct your browser to accept or decline cookies. For more information about these instructions, see "Cookie Crumb Trails" in this issue.

Cookie Advantages. Although the idea of having data placed on your hard drive without your knowledge is disturbing, some cookies are important to your Web browsing. Even though cookies can be a threat to your online privacy, there are some advantages to cookies. For example, if you're an online shopper, you've probably registered with a few sites, provided a credit card number, and included shipping information. Most of these sites, such as Amazon.com, keep track of your settings on their servers so you don't have to spend five minutes logging in and providing this information each time you visit.

 Another advantage of keeping a cookie for an online shopping site is to avoid entering your credit card number each time you make a purchase. This saves you from pulling out your wallet every time you are at your desk and sending the number across the server. 

 Without cookies, some Web sites may not recognize you as a registered user. For example, if you register at our Smart Computing Web site (http://www.smartcomputing.com), the server will store a cookie on your hard drive when your registration is complete. Each time you log on to the Web site, the server retrieves the cookie from your hard drive and recognizes you are a registered user. If you delete the cookie, you will need to register again. 


If you've registered with a site and paid for a subscription or membership, we suggest keeping the cookie to avoid the possibility of having to resubscribe and pay again. Some software, such as Internet Junkbuster, will allow specific sites that you designate to retrieve cookie information from your PC so you don't lose any pertinent cookie data, but new cookies won't be let in without your permission.

Cookie Cutters. There are a number of programs used to delete cookies and prevent servers from accessing cookies on your system. Some packages let you create anonymous identities while others can delete unauthorized cookies without disturbing your Internet surfing. Most of the software is designed for use with Windows 95 or Windows 98, but not all products will work with all browsers. For example, Zero Knowledge's Freedom won't work with America Online (AOL).

We looked at some of the packages that are available and picked a few favorites that offer comprehensive control over cookies. Whether you want to empty your pockets for a premium cookie-buster package, or you'd rather try one of the free software packages available, we recommend any of the titles in this stack.

Cookie Crusher ($15; The Limit Software; http://thelimitsoft.com)

If you're tired of manually deleting cookies every time you log off the Internet, Cookie Crusher is a solid option. This shareware (copyrighted software that is distributed on a free-will donation basis either via the Internet or by being passed along by other customers) displays the cookie contents when a Web site sends a cookie.

It also tells you what function the cookie serves, such as whether it's for advertising, Web site registration, or online shopping. You can even configure the software to reject or accept cookies from certain sites, in case you frequently shop at sites such as Amazon.com and want the server to immediately recognize you. Like other cookie-control programs, you can view and delete cookies already on your system with Cookie Crusher, and the software only runs when your Web browser is active.

You can download Cookie Crusher for a free 30-day trial period before you purchase the $15 license.

Cookie Pal ($19; Kookaburra Software; http://www.kburra.com)

Cookie Pal is an affordable cookie-management software system from Kookaburra Software. It works with a variety of Web browsers, such as Internet Explorer, Netscape Navigator, Opera, and AOL, and it can accept or reject cookies without any interaction from you. In other words, the software eliminates the annoying cookie warning messages that constantly appear if you've made that selection in your browser.

Instead, the first time you reject a cookie from a specific site, Cookie Pal automatically rejects it transparently from that point. Cookie Pal keeps a running list of cookies you've rejected and accepted while you were online, and it features the option to view and delete the cookies you had on your system prior to installing Cookie Pal.

A few options really stood out with Cookie Pal. First, you can customize the program to reject all cookies from servers on the same domain. We also liked that Cookie Pal works in the background to reject cookies so you don't have to constantly be bothered with incoming cookies. Cookie Pal is shareware, which you can register for $19 per copy.

Freedom ($49.95; Zero Knowledge; http://www.freedom.net)

If you like the idea of maintaining an anonymous presence on the Internet and want all the cookies sent to your PC stored in a virtual Cookie Jar, take a look at Freedom from Zero Knowledge. Using Freedom, you can manage your privacy by creating a pseudonym to surf the Web, chat, or even for sending e-mail. For $49.95, you can purchase Freedom and create five pseudonyms that are active for one year, or you can create a new pseudonym each year for five years. Freedom works with either Netscape Navigator or Internet Explorer, and it restricts the cookies to the pseudonyms you've created to maintain your privacy and personal info.

Every time you use a different pseudonym, the cookies are placed into separate Cookie Jars, even though you are using the same PC. So, if you return to a Web site under a different pseudonym, it will identify you as a new user. If you don't want to shell out $49.95 before you try the product, there is a free 30-day trial period download available.

[Figure caption: IEClean 5 provides a number of options for removing cookies from your PC.]

IEClean ($40; Privacy Software; http://www.nsclean.com/iec50.html)

Privacy Software's IEClean offers complete control over the cookies you receive or want to block.

The software offers a multitude of options for controlling your online identity and recording cookie history. We were impressed with IEClean because it features a Windows-like interface with tabs such as Cleanup Data, which provides the option to remove your unwanted cookies, and Examine, which you can use to see how many cookies you have stored on your hard drive. You can also use the Cookies tab to see all the Cookies You've Collected.

To manage your cookies, highlight the files in the Cookies You've Collected window and click Remove (or Keep if you would rather save them). Another field on this tab keeps a list of the cookies you've decided to keep. With the Options tab, you can refuse cookies entirely. IEClean also includes features for creating aliases, which you can set up in the Settings tab. The software is designed for use with Internet Explorer 3.0 or newer and sells for $40.

Internet Junkbuster Proxy (Free; Junkbusters; http://www.junkbusters.com)

If you want to test out a free software package before purchasing a licensed product, you can try the Internet Junkbuster Proxy from Junkbusters. This package doesn't feature a friendly interface like IEClean, but it will block requests for banner ads and delete unauthorized cookies. The software is able to block cookies on a per-site basis, and you can specify for cookies to be sent to, but not retrieved from the PC. Internet Junkbuster Proxy includes a wafer option so you can make fake cookies.

These cookies allow you to write a message in the fake cookie, which is also known as a signature wafer. In a signature wafer, you can write a message to the server retrieving cookies from your system. This is useful if you want the server to know you dislike receiving cookies. The software also features a cookie jar to store records of all the cookies in the PC.

One Cookie At A Time. Some computers have more willpower than others when it comes to eating cookies, depending upon whether you've instructed your browser to accept or decline cookies, or if you've decided to use a software package to control your cookies. If you're looking for a more hands-on approach, you can manually delete the files each time you log off the Internet.

Regardless of whether you think cookies are a threat to privacy or just another drain on your limited hard drive space, in the end, the avenue you choose for managing your cookies is up to you. Whatever you decide, you'll probably still have a difficult time keeping the kids out of the real cookie jar at home.

by Buffy Cranford-Petelle

Find & Destroy Cookies In Windows 98

If you want to manually delete the cookies already lurking on your system, here are the instructions for finding and deleting cookie files using Windows 98.

  Click the Start button, select Find, and then select Files And Folders.

  Type cookies in the Named window and click Find Now.

  All the folders that contain cookie files will appear in the Find: Files Named Cookies window. The folders typically appear as: C:\WINDOWS\Cookies, or C:\WINDOWS\PROFILES\(YOUR NAME)\Cookies.

  Double-click each folder to see every cookie file. If you want to see where a cookie file originated from, either right-click the file and select Open or double-click the file, and the cookie code will appear, usually in a Notepad window. By looking at the cookie text, you can determine if it came from a Web site you visited or if it is an advertisement cookie.

  To delete the cookies, either highlight each cookie individually and press the DELETE key or open the Edit menu, click Select All, and when all of the files are highlighted, press DELETE. To completely remove the cookies from your system, be sure to open the Recycle Bin and delete all of the files. To do this, highlight each file and click the Delete button.

[Figure caption: You can find and delete the cookies that are on your system using the Find option in Windows 98.]

Downloading Free Trialware & Shareware

Some of the best anticookie software is available on the Internet as trialware and shareware. If you've never downloaded one of these programs before, here are some instructions.

  Most sites have a download button or link you can click to initiate the download.

  After selecting to download a file, the File Download window will appear, giving you options to Open This File From Its Current Location or Save This File To Disk. Click the Save This File To Disk radio button and click OK.

  The Save As window will appear. Select the location where you want to save the file, such as My Briefcase or My Documents, and click Save.

  The majority of software is in Zip (compressed) file format, so make sure you have a program on your PC for unzipping (decompressing) these files. If you don't have one, there are some proprietary titles available, such as ZipMagic from Mijenix (http://www.mijenix.com), and a number of shareware and freeware programs you can download at QuickFiles.com (http://www.quickfiles.com) and ProgramFiles.com (http://www.programfiles.com).

  Print out the instructions, if available, from the download site. Some programs will begin installing immediately when you double-click the file from its saved location, but others have special installation instructions.

------------------ PC Privacy April 2000 Vol.8 Issue 4 
 Cookie Crumb Trails How Sites Know Your Identity & Can Track Your Web Travels 

Picture this: You log in to an online shopping site, such as barnesandnoble.com, and explore much of what the site has to offer. You find a book you're interested in buying, but you want to compare prices first, so you put it into your shopping cart and plan to come back later. The next day you return to barnesandnoble.com, and without entering any information about yourself, you click the shopping cart icon, and there sits the book you selected the previous day. How in the world did barnesandnoble.com know to call up your shopping cart rather than one belonging to any of its millions of other online customers?

The answer lies in a mechanism used by a wide range of Web sites as diverse as e-commerce businesses, online publishers, gaming sites, and financial networks. Cookies are tools that Web sites use to keep track of certain aspects of your computer's visits. They can remember information such as your login name, password, pages you like to visit, and even which banner advertisements you've seen on a particular Web site.

Sound mysterious? It isn't, because although cookies work behind the scenes for the most part, they aren't little gremlins that frolic around on your hard drive; they're relatively straightforward pieces of code that Web servers send to your browser for later use. Cookies get their name from magic cookies, objects used by Unix machines (a type of operating system often used by programmers) that change depending on areas that a program or user enters.

The Chocolate Chip Recipe. Here's how a typical cookie might work. You visit a Web site that asks you to fill out information about yourself, such as your name and a password. That information is bundled up into a cookie, and the Web server sends that cookie to your hard drive, where it is stored in a special cookie file or folder with many other cookies. The next time you return to the Web site, your browser sends that particular cookie's information from the file to the Web server. During such a process, you may not even have to enter your login information again at the site because it will be able to identify you based on the data stored in the cookie.

We'll get into more details about what cookies are and how they work in a moment, but given the misunderstandings about cookies, it's worth a quick discussion on what cookies are not.

A cookie is not a program; it's a piece of data. Therefore, it cannot carry a virus. (Viruses attach themselves to programs in order to run.) Since a cookie is not a program, it cannot do anything to your system, such as scour through it for personal data you haven't provided, such as your e-mail address or the credit card numbers stored on your system.

In addition, cookies are not universal in that they cannot be read by every Web site (also known as domains) on the Internet. Only the Web site that sent a cookie to your computer has the ability to read it.

[Figure caption: Cookies are pieces of code that Web servers place on hard drives to record user preferences. Here is a list of eight different cookies sent by four different Web sites.]
 

It also should be noted that some security concerns related to cookies have been discovered in the past few months. Cookie Central, a Web site containing everything you want to know about cookies and more, describes how a third party can fool cookies into being passed to an unrelated domain; although, Cookie Central mentions that this does not pose a major security threat because cookies must be set in a certain way for this exploitation to work. For more information, see http://www.cookiecentral.com/bug/index.shtml. 

Now that we know what cookies are not, let's explore what they are. Cookies are generally small text files that contain up to six different components: the cookie name, its value, its expiration date, its path, its domain, and the level of security the cookie needs. Here's an example of a cookie:

  www.khow.com FALSE FALSE 1017683651 lname Anderson

In this example, a user has logged into the home page of a radio station in Denver, KHOW, and the station sent a cookie to her cookie file. She registered with the site, and now when she returns to the KHOW page, she won't need to retype login information, including her last name (which is what is displayed in the above example).

The cookie name is lname, the cookie value is Anderson, and the domain that can access the cookie is http://www.khow.com. (There is no explicit path.) There is no explicit expiration date, and the site does not require a secure connection (that is, one that encrypts information passed between the browser and the server), so the security value is set to FALSE, the default value for most Web sites. 

 This is a fairly typical model of a cookie. Some are slightly larger, and some are slightly smaller, but for the most part, cookies look similar to our example. Some are easy to understand (the partial cookie represented by the text www.smartcomputing.com USERID 933653 shows the ID number for someone who uses the Smart Computing Web site), and others are harder to figure out (the partial cookie represented by .microsoft.com MSBENELUX BNLLANG=1 is probably obvious to Microsoft, but is a mystery to the rest of the world.) 
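The fields described above can be read straight out of a Netscape-style cookies.txt file and checked for the properties that matter for privacy. This is an added example, not part of the original article: the names and values on the first three sample lines are the ones quoted above, while every path, flag, expiry time and the remaining lines are constructed, and treating an expiry of 0 as a session cookie is an assumption.

```python
"""Read a Netscape-style cookies.txt and report privacy-relevant properties."""
from dataclasses import dataclass

# Constructed sample. Each line holds seven tab-separated fields:
# domain, all-hosts flag, path, secure flag, expiry (Unix time), name, value.
# Names and values on the first three cookie lines come from the article;
# paths, flags, expiry times and the other lines are made up for illustration.
SAMPLE_COOKIES_TXT = "\n".join([
    "# Netscape HTTP Cookie File",
    "www.khow.com\tFALSE\t/\tFALSE\t1017683651\tlname\tAnderson",
    "www.smartcomputing.com\tFALSE\t/\tFALSE\t1017683651\tUSERID\t933653",
    ".microsoft.com\tTRUE\t/\tFALSE\t1017683651\tMSBENELUX\tBNLLANG=1",
    "ads.example.com\tFALSE\t/\tFALSE\t1893456000\tid\t8f3a91c2",
    "mail.example.org\tFALSE\t/inbox\tFALSE\t0\tpasswd\tnot-a-real-password",
    "shop.example.net\tFALSE\t/checkout\tTRUE\t949363200\tcart\t42",
    "this line is not a cookie",
])

FLAGS = {"TRUE": True, "FALSE": False}
CREDENTIAL_HINTS = ("pass", "pwd", "secret")  # assumed naming habits
NOW_APRIL_2000 = 954547200  # 2000-04-01 00:00:00 UTC, fixed for repeatable output


@dataclass
class Cookie:
    domain: str
    all_hosts: bool   # TRUE when every host in the domain may read it
    path: str
    secure: bool      # TRUE when it may only travel over an encrypted link
    expires: int      # Unix time; 0 is treated here as "session only"
    name: str
    value: str


def parse_cookies_txt(text):
    """Return (cookies, rejected); rejected holds (line number, reason)."""
    cookies, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split("\t")
        if len(fields) == 6:
            fields.append("")  # a cookie with an empty value
        try:
            if len(fields) != 7:
                raise ValueError("expected 7 tab-separated fields")
            domain, all_hosts, path, secure, expires, name, value = fields
            if all_hosts not in FLAGS or secure not in FLAGS:
                raise ValueError("flag must be TRUE or FALSE")
            cookies.append(Cookie(domain, FLAGS[all_hosts], path,
                                  FLAGS[secure], int(expires), name, value))
        except ValueError as exc:
            rejected.append((lineno, str(exc)))
    return cookies, rejected


def audit(cookie, now=NOW_APRIL_2000):
    """List what a privacy-minded user would want to know about one cookie."""
    findings = []
    if not cookie.secure:
        findings.append("sent over unencrypted connections")
    if cookie.expires == 0:
        findings.append("session cookie")
    elif cookie.expires <= now:
        findings.append("expired")
    else:
        days = (cookie.expires - now) // 86400
        findings.append(f"persistent for {days} more days")
    if cookie.all_hosts or cookie.domain.startswith("."):
        findings.append("readable by every host in the domain")
    if any(hint in cookie.name.lower() for hint in CREDENTIAL_HINTS):
        findings.append("name suggests a stored credential")
    return findings


def report(text, now=NOW_APRIL_2000):
    """Audit a whole file; keys are 'domain name' pairs."""
    cookies, rejected = parse_cookies_txt(text)
    return {f"{c.domain} {c.name}": audit(c, now) for c in cookies}, rejected


if __name__ == "__main__":
    findings, rejected = report(SAMPLE_COOKIES_TXT)
    for key, notes in findings.items():
        print(f"{key}: {'; '.join(notes)}")
    for lineno, reason in rejected:
        print(f"line {lineno} skipped: {reason}")
```
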

Okay, enough about cookie codes. While it's interesting to see the nuts and bolts of cookies, what's really important about cookies is how they are used. So let's examine some of the reasons why cookies are placed on your system.

Kneading Cookie Dough.

[Figure caption: Web surfers can configure their browsers so that they receive warnings before sites send cookies.]

Much has been made of the insidiousness of cookies; they can act as Big Brother, watching your every move online. But cookies have benign and beneficial uses, as well as not-so-admirable ones, so let's take a look at what cookies can do.

Cookies as personalization tools. The Web can be a confusing place, with sites tucked away on remote corners that could be served up from Tahiti for all the Web surfer knows. Some sites try to make themselves appear friendlier by greeting the visitor by name. "Hi Jose" can be an attempt to make the Web visitor feel welcome at a site, rather than seeing a generic page.

This approach can backfire, however, when instead of coming across as friendly, personalization seems spooky. "How did the site know my name? What else does it know about me?" are some of the questions that visitors might ask themselves. For this reason, many sites tend to avoid using cookies as personalization tools, although you might still see personalization used on certain types of sites.

For instance, FreeLotto (http://www.freelotto.com), a site that lets visitors play the lotto online at no charge, greets returning guests with the message "Welcome Back," followed by the name they registered under. Another type of site that often uses cookies as personalization aids are portal sites such as Yahoo! (http://www.yahoo.com). If you create an account for My Yahoo!, you'll be welcomed by name each time you log on to the site.

Online ordering. If you've ever bought anything or tried to buy anything online, you know what a hassle it can be to create an account. Not only do you have to input data about yourself, such as name and address, you also have to type in shipping information, billing details, and more. If you had to input all that information each time you logged on, even when all you want to do is browse the store, you'd quickly leave in frustration.

[Figure caption: Some sites use cookies as personalization tools, such as this greeting page that My Yahoo! presents to users.]

Cookies can help eliminate some of that work. Many e-commerce sites use cookies to identify you when you first visit, so you don't need to input all your personal information while browsing or shopping. (Although it should be noted that for security reasons, most sites rely on more than simply cookies to identify visitors; most require users to input some information while purchasing goods or services.)

To see this in action, we'll go back to the example we used to begin this article. A consumer goes to the barnesandnoble.com site and without typing in any data, he can click the shopping cart icon to see which items have been saved for future purchases. When he's ready to check out, however, he must either create an account or type in his e-mail address and password before he can actually buy the items.

Advertising banner rotation. Imagine visiting 50 different Web sites and seeing the same advertisement at the top of each one. While it's debatable how much of the ad you absorb and how much you skim over, it's clear that you wouldn't pay much attention to it after seeing the ad for what feels like the zillionth time. Plus, if you find that ads often provide you with beneficial information and links to useful external sites, you'd be missing out on valuable information if you only saw one ad repeatedly.

Thanks to cookies, though, advertising can be rotated so that you don't see the same banner time and again. Most ads are provided by a third-party site, such as DoubleClick, and it might create a cookie that helps track which ads you've seen and which are yet to be viewed. The data can then be used to determine which ads you'd be interested in seeing. When you log on to a site, the cookie tells the ad warehouse which ads you have and haven't viewed and then indicates which ones should now display. All this occurs in the background, most likely without your knowledge.

[Figure caption: Cookie Central, a site containing everything you want to know about cookies, also addresses related security concerns. Click the Bug Alert link on the home page to display the page above.]

This leads us to explain one of the less benign uses of cookies. Because all of this is hidden (unless you've set your system to alert you about cookies, a procedure we'll cover shortly), the third-party ad network is gathering information about you that you may not want to reveal. Even if this data isn't linked to your name and address, you might still be uncomfortable with anyone knowing that you click any ads promising cures for hemorrhoids and halitosis. Plus, in some cases, the information your browser provides each time you visit a site that uses the DoubleClick network, for example, is enough to identify you as a unique user. (For more information, we recommend that you visit The World Wide Web Security FAQ page at http://www.w3.org/Security/faq/wwwsf7.html#Q66.)

Track Web site movement. In fact, it's this hidden gathering of data that we just described that makes many concerned regarding the use of cookies. Individual Web sites, not just ad networks, can use cookies to track your progress throughout the site, and while this may not seem like such a problem on the surface, you may not want a site to note every time you visit a particular area. Web surfers tend to value their privacy, and not knowing when sites are recording their every move is disconcerting. Therefore, it will be helpful to know how to tell if a Web site is sending cookies and how to change your settings.

 Change Cookie Settings. By default, the major Web browsers pass cookies from servers to Web browsers without notifying the user. Users can, however, change the cookie settings so that they have more control over how cookies are transmitted. 

 Netscape Navigator users have three options for cookies: to accept all cookies, to accept none, or to accept only cookies that get sent back to the originating server (which means that cookies could not be sent by one server and shipped back to a third-party server). In addition, users can configure their browsers so that a warning message displays before a cookie is sent, giving them the option of rejecting individual cookies. 

 To change cookie settings in Navigator, open the Web browser window and click Edit, Preferences. In the resulting dialog box, select the Advanced option under Category on the left side and then locate the Cookies box on the bottom of the screen. Choose the appropriate radio button (accept all cookies, etc.) and place a check mark in the warning box, if desired, before clicking the OK button. 

 Internet Explorer (IE) users have the same options as Navigator users for cookie settings. To change the settings, click Tools, Internet Options, and when the Internet Options dialog box opens, make sure the Internet icon (a globe) is highlighted under the Security tab. Next, click the Custom Level box and scroll down through the Security Settings until you see the Cookies section where you can enable or disable cookies or be prompted for acceptance each time a site tries to send a cookie to your hard drive. Click OK after you've changed your settings and then click OK again to close the dialog box.
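
The three browser settings, and the rule that only the site that sent a cookie can read it, can be replayed in a short simulation of a shop page and a news page that both embed a banner from the same ad server. This is an added example, not code from the article or from any browser: the host names and cookies are constructed, the domain rules follow the Netscape cookie specification, and reading "originating server" as the site in the address bar is an assumption.

```python
"""Which cookies a browser stores and returns under each cookie setting."""
from urllib.parse import urlsplit

SPECIAL_TLDS = {"com", "edu", "net", "org", "gov", "mil", "int"}


def tail_matches(host, cookie_domain):
    """True if host lies inside cookie_domain (".example.com" covers a.example.com)."""
    host, cookie_domain = host.lower(), cookie_domain.lower()
    if cookie_domain.startswith("."):
        return host.endswith(cookie_domain) or host == cookie_domain[1:]
    return host == cookie_domain


def server_may_set(response_host, cookie_domain):
    """A server may only name its own domain, never a bare suffix such as ".com"."""
    domain = cookie_domain.lower()
    if not domain.startswith("."):
        return domain == response_host.lower()  # host-only cookie
    # Netscape spec: two periods under the seven special TLDs, three elsewhere.
    needed = 2 if domain.rsplit(".", 1)[-1] in SPECIAL_TLDS else 3
    return domain.count(".") >= needed and tail_matches(response_host, domain)


def accept(policy, page_url, response_url, cookie):
    """Apply one browser setting to a cookie that a response tries to set."""
    if policy == "none":
        return False
    if not server_may_set(urlsplit(response_url).hostname, cookie["domain"]):
        return False
    if policy == "originating-server-only":
        # Assumption: the originating server is the site in the address bar.
        return tail_matches(urlsplit(page_url).hostname, cookie["domain"])
    return policy == "all"


def cookies_to_send(jar, url):
    """Names of stored cookies the browser attaches to a request for url."""
    parts = urlsplit(url)
    path = parts.path or "/"
    return [c["name"] for c in jar
            if tail_matches(parts.hostname, c["domain"])
            and path.startswith(c["path"])
            and (parts.scheme == "https" or not c["secure"])]


def browse(policy, visits):
    """Replay page visits; return the jar and what each request carried."""
    jar, log = [], []
    for page_url, responses in visits:
        for response_url, set_cookie in responses:
            log.append((page_url, response_url, cookies_to_send(jar, response_url)))
            if set_cookie and accept(policy, page_url, response_url, set_cookie):
                jar.append(set_cookie)  # the sample never sets a cookie twice
    return jar, log


# Constructed browsing session: two unrelated sites embed the same ad banner.
AD_BANNER = "http://ads.example.com/banner"
SHOP, NEWS = "http://books.example.org/", "http://news.example.net/"
VISITS = [
    (SHOP, [
        (SHOP, {"name": "cart", "value": "42", "domain": "books.example.org",
                "path": "/", "secure": False}),
        (AD_BANNER, {"name": "id", "value": "8f3a91c2", "domain": ".example.com",
                     "path": "/", "secure": False}),
    ]),
    (NEWS, [(NEWS, None), (AD_BANNER, None)]),
]

if __name__ == "__main__":
    for policy in ("all", "originating-server-only", "none"):
        jar, log = browse(policy, VISITS)
        stored = [c["name"] for c in jar]
        print(f"{policy}: stored {stored}; ad server saw {log[-1][2]} from the news page")
```

With every cookie accepted, the ad server receives its `id` cookie again when the news page loads, which is how one network links visits to unrelated sites; under the originating-server setting only the shop's own `cart` cookie is stored.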
 Viewing The Entire Jar. Individual cookies are made up of just one line of code, but the entire collection of cookies can be quite large. To see how big your cookie jar is, open Windows Explorer by clicking Start, Programs. Then, expand the hard drive (usually C:) listings by making sure the minus symbol is in the box to the left. 

 Navigator users can find the cookies file located under PROGRAM FILES, NETSCAPE. Most likely it will be in the USERS folder where there's a text document called, appropriately enough, Cookies. Double-click the file to open it, and you'll see the entire listing of cookies placed on your hard drive over time. IE users will also find the file on their hard drive, but it will be located under WINDOWS. Rather than locating a text file, look for a folder called COOKIES and double-click it to open it. Each cookie has been given its own text file, and you can tell at a glance when the file was created. Double-click any text file to see the contents of any cookie.

 Once you've visited your cookie storage, you can delete these files at will, just as you would with any other file you can locate via Windows Explorer. Simply highlight the file (Navigator users) or files (IE users) and press the DELETE button on your keyboard. One thing to keep in mind: to delete all cookies, you must close your Web browser first. Otherwise, the cookies that are being created during that online session will be stored in your cookie file or folder after you log off.

 Managing Cookies. Finally, if it seems like a complicated process to track cookies via browser settings and files buried within Windows Explorer, don't fret. A number of software companies have created programs that help you track and manage cookies on your system, and for many, these programs are easier to use than scrambling through the guts of a system. For more information about these programs, see "Control Your Cookie Consumption" in this issue.

 by Heidi V. Anderson


Create & Avoid Cookies. To those outside the fold of the Internet, a cookie is a delicious snack that is good to eat any time of day. But to those who are familiar with the ways of cyberspace, a cookie is a small file that stores information about where you have been on the World Wide Web. Cookies are placed on your hard drive when you visit some Web sites. Web site developers find cookies useful for tracking the Web browsing habits of those who visit their sites. 

 After a Web site gives you a cookie, the cookie is sent back to the site every time you return to it. The Web site uses the data contained in the cookie to customize the information it transmits to your Web browser.  

 Cookies can be used to allow only authorized users to access certain areas of a Web site. For example, when a visitor enters a valid password at a sign-on screen, the Web site places a cookie on the visitor's computer. Only those users who have obtained this cookie can access this Web page. In short, the cookie allows a Web site to recognize you so you aren't treated as a first-time visitor at a Web page you visit often. 

 Another place where cookies are used is at online shopping sites. When you browse an online shopping mall and add items to your virtual shopping cart, a list of the items you've selected is stored as a cookie so you can pay for all the items after you've finished shopping. It's much more efficient for the browser to keep track of information like this than to expect the site's Web server to remember who bought what, especially if there are thousands of people using the Web site at the same time. 

 Cookies also are used to customize information for computer users who have visited a site more than once. By using cookies, the Web site can keep track of the special interests or annoyances of each visitor. For example, if you have a slow Internet connection, the cookie will note that you avoid large files. 

  A fourth way cookies are used is to track how often certain people access a specific site. By placing a cookie on someone's browser, the Web site's developer (also called a Webmaster) can keep a record of each time that person returns to the page. The cookie also can tell the Webmaster which pages the visitor accessed at the site.  A complete technical explanation of how cookies work is available at http://home.netscape.com/newsref/std/cookie_spec.html.   

Ending The Myths. Although they sound menacing, cookies aren't. (Cookies also are called HTML cookies, magic cookies, and Persistent Client State HTTP cookies.) A cookie is not a secret way for a Web site to find out everything about you and what you have on your hard drive. There is no way a Webmaster can retrieve any information from your hard drive other than the cookie, and even access to the cookie can be restricted or eliminated.

 There's absolutely no way a Web site can access any private information about you or your system through a cookie. The only way private information can be contained in a cookie is if you personally give that information to a Web site and it then puts that information into a cookie file. 

  A Web site only can retrieve cookies that it sets. Each cookie is marked with the Web site's address. Also, there is no possible way that a virus can be spread through a cookie.  As you browse the Web, any cookies that you pick up are stored in your computer's memory. Some are only temporary; others are set to last beyond your current session and are stored in a cookie file on your hard drive so they can be reloaded the next time you run your browser. 

In Windows, it's called Cookies.txt. You can look at this file with any text editor to see which cookies are stored there. You also can delete the file to get rid of all the cookies. This is harmless and won't cause any problems. You also can edit the file, removing individual cookies. Here is an example of a cookie entry:

edmund.com FALSE FALSE 874028199 Apache 170-62-5829830866252199272

Each cookie is labeled with the Web site that set it (in this case, www.edmund.com). The rest of the cookie entry is meaningful only to the Web site that placed it.
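The Cookies.txt layout and the rule that a Web site only gets back the cookies it set, as an added example that is not part of the original article. It assumes the standard Netscape layout of seven tab-separated fields; the entry printed in the article shows six, so the path field ("/") in the sample is an assumption, and the other sample lines are constructed.

```javascript
// Added example (not from the original article): read a Netscape-format
// cookies.txt and decide which cookies a given request would carry.
// Fields, tab-separated: domain, subdomain flag, path, secure flag,
// expiry in Unix seconds (0 = session only), name, value.

// Constructed sample. The edmund.com values are the ones printed in the
// article; its path field ("/") is an assumption, the other lines are made up.
const SAMPLE = [
  "# Netscape HTTP Cookie File",
  "edmund.com\tFALSE\t/\tFALSE\t874028199\tApache\t170-62-5829830866252199272",
  ".ads.example\tTRUE\t/\tFALSE\t2051222400\tid\tA1B2C3",
  "shop.example\tFALSE\t/cart\tTRUE\t0\tbasket\t17%2C42",
  "broken line without tabs",
].join("\n");

const isFlag = (s) => s === "TRUE" || s === "FALSE";

function parseCookiesTxt(text) {
  const cookies = [];
  const rejected = [];
  text.split(/\r?\n/).forEach((line, index) => {
    if (line.trim() === "" || line.startsWith("#")) return;   // blank or comment
    const f = line.split("\t");
    if (f.length !== 7 || !isFlag(f[1]) || !isFlag(f[3]) || !/^\d+$/.test(f[4])) {
      rejected.push({ line: index + 1, text: line });          // keep for review
      return;
    }
    cookies.push({
      domain: f[0].toLowerCase(),
      includeSubdomains: f[1] === "TRUE",
      path: f[2],
      secure: f[3] === "TRUE",
      expires: Number(f[4]),
      name: f[5],
      value: f[6],
    });
  });
  return { cookies, rejected };
}

// A cookie goes back only to the host that set it, or to its subdomains
// when the subdomain flag is TRUE. A bare suffix match is not enough:
// "evil-ads.example" must not receive cookies set for "ads.example".
function domainMatches(cookie, host) {
  const h = host.toLowerCase();
  const d = cookie.domain.replace(/^\./, "");
  return h === d || (cookie.includeSubdomains && h.endsWith("." + d));
}

function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Names of the cookies that would accompany a request for url.
function cookiesForRequest(cookies, url, nowSeconds) {
  const u = new URL(url);
  return cookies
    .filter((c) =>
      domainMatches(c, u.hostname) &&
      pathMatches(c.path, u.pathname) &&
      (!c.secure || u.protocol === "https:") &&
      (c.expires === 0 || c.expires > nowSeconds))
    .map((c) => c.name);
}

// One line per cookie for a quick review of what is stored and for how long.
function audit(cookies, nowSeconds) {
  return cookies.map((c) => {
    const until = c.expires === 0
      ? "session"
      : new Date(c.expires * 1000).toISOString().slice(0, 10);
    const state = c.expires !== 0 && c.expires <= nowSeconds ? "expired" : "live";
    return `${c.domain} ${c.name} ${until} ${state}`;
  });
}

const parsed = parseCookiesTxt(SAMPLE);
console.log(audit(parsed.cookies, Math.floor(Date.now() / 1000)).join("\n"));
console.log("rejected lines:", parsed.rejected.map((r) => r.line));
```

Lines that do not fit the seven-field layout are collected in `rejected` rather than guessed at, which is the safer behaviour for a file the text notes can be edited by hand.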

Avoiding Cookies.  Netscape Navigator 4.x gives you the option of whether you want to accept a cookie, but you have to activate this option yourself. To do so, choose Edit on the menu bar and select Preferences. On the bottom half of the Advanced tab, click the check box next to the Warn Me Before Accepting A Cookie option.  

 When this option is activated and a Web site tries to send you a cookie, a window will pop up on-screen telling you who is sending the cookie, what the cookie contains, and how long the cookie would last on your computer if you accept it.  If you want, you can automatically refuse all cookies by setting the Disable Cookies option in the Advanced section of the Preferences window (accessed through the Edit menu).  

 However, this may prevent you from entering some restricted access sites that use cookies to verify your identity. If you ever have to enter a password to access any Web pages, chances are you need to allow those sites to set a cookie on your hard drive.    

------------------------------------------------------- Sep 1998 How To...Control Cookies               

Cookies always produce some ambivalent feelings. Eating a few provides a nice snack, but you still have to worry about the long-term results of all those sugary treats. You'll find this two-edged nature of cookies remains the same even on the Internet, where you're exposed to so many new experiences. A few Internet cookies provide some nice conveniences, but many users worry about what illicit things cookies may be doing behind the scenes.

Internet cookies, you'll learn after a little time online, are worrisome, yet helpful, little files sent out to inform Web sites about their visitors. When you drop in on a cookie-dispensing World Wide Web site with Internet Explorer, the server, or computer that provides the Web page itself, helps itself to some of your hard drive space by dropping a small file on your computer. The next time you request a Web page from the server that left the cookie, the server will check the cookie file and instantly know a bit about who you are and what you've been up to online.

This kind of unsolicited spying hosted by a user's own hard drive causes a lot of concern. The obvious questions revolve around the fact that a server is reading data on your hard drive. What, besides the cookie, is the foreign computer checking out on your drive? Cookie experts say the answer is "Nothing" because cookies can get data only from within cookie files.

Internet Explorer's Advanced Internet Options let you shut off the cookie stream completely or personally approve each submission.

Many users also wonder whether cookies track users' every online move by reporting on all sites visited, in addition to just providing updates on usage of the site that left the cookie. Again, the answer is negative. A site can only access cookies sent from its own domain.

In short, don't lump cookies into one big evil category. Many cookies provide handy services for their hosts. If you subscribe to a Web site that requires a password and user ID for access, for instance, a cookie can automatically enter this information when you reach the Web site so you don't have to enter the password each time you visit. Some cookies also let you customize your view of a Web page and have those settings automatically appear each time you visit.

The worst fate you'll probably suffer from cookies is being greeted with banner ads targeted at your demographic group on certain Web sites. If you'd like to investigate the cookie phenomenon further, and you probably will as they're a hot area of discussion among users, check out Cookie Central at http://www.cookiecentral.com. Here you'll find great explanations and examples that will help you get the lowdown on cookie activities.

Monitoring The Jar. Of course, it's always nice to be in control. Explorer provides simple tools to help you control the cookie parade streaming through your browser by letting you head them off to varying degrees before they're left on your system. Open the View menu and choose Internet Options. Click the Advanced tab in the upper-right portion of the window. Then use the scroll bar on the right side to scroll down in the window until you see a lock icon designating the Security section. Below this is an exclamation point icon beside the Cookies entry.

The default option here is Always Accept Cookies. This does just what it says and lets any site that wants to drop a cookie on your drive do so. The Disable All Cookie Use option is similarly clear, as it bans all the little files from your PC. You can clean out your existing cookie jar by searching for cookie* in any Windows search tool such as Windows Explorer.

You should find the cookies in the WINDOWS/TEMPORARY INTERNET FILES directory. The cookies will be in the form of simple text files with names such as Cookie:rack system-39@my.yahoo.com. If you take the fairly heavy-handed approach of deleting cookies, don't be surprised when you lose the convenience of having a lot of Web sites retain your customized settings.

Now start fresh by controlling which cookies you accept. Check the Prompt Before Accepting Cookies option to take the active position of accepting or declining each cookie that tries to get in. Be forewarned, however; many sites play the cookie game, so you'll spend a lot of time making the call on whether to accept cookies (even a cookie information site wanted to drop a file on our drive). If you want to learn a little more about cookies, turn this confirmation feature on for a while. When a site wants to place a cookie, Explorer will tell you a little about it, such as what sites will be able to read it and how long it will hang around your drive. by Trevor Meers

--------------------------------------------------------- Setting Cookies. If you have a Web site and want to set a cookie on your visitors' PC, you must write a script in either JavaScript or common gateway interface (CGI). JavaScript scripts are easier to learn and use, but CGI scripts are more powerful. Your Web site must be able to execute CGI scripts to use them. Ask your host service (the company or organization that maintains the computer on which your Web site is stored) if it supports CGI scripts.

Below are two short examples of JavaScript scripts that set cookies. They can be used as is on your site. As cookie scripts go, these are quite simple. To learn more about cookies, look on the Web. A technical explanation of how to write a CGI program to set and read cookies is available at help.netscape.com/kb/server/960513-111.html.

The following script displays a counter that tells people how many times they have visited your Web site. Enter this script in the <BODY> section of your HTML code.

<script language="JavaScript">
<!-- Hide this script from old browsers

// Return the value of the named cookie, or null if it is not set.
function GetCookie (name) {
  var arg = name + "=";
  var alen = arg.length;
  var clen = document.cookie.length;
  var i = 0;
  while (i < clen) {
    var j = i + alen;
    if (document.cookie.substring(i, j) == arg) return getCookieVal (j);
    i = document.cookie.indexOf(" ", i) + 1;
    if (i == 0) break;
  }
  return null;
}

// SetCookie (name, value [, expires [, path [, domain [, secure]]]])
function SetCookie (name, value) {
  var argv = SetCookie.arguments;
  var argc = SetCookie.arguments.length;
  var expires = (argc > 2) ? argv[2] : null;
  var path = (argc > 3) ? argv[3] : null;
  var domain = (argc > 4) ? argv[4] : null;
  var secure = (argc > 5) ? argv[5] : false;
  document.cookie = name + "=" + escape (value) +
    ((expires == null) ? "" : ("; expires=" + expires.toGMTString())) +
    ((path == null) ? "" : ("; path=" + path)) +
    ((domain == null) ? "" : ("; domain=" + domain)) +
    ((secure == true) ? "; secure" : "");
}

// Expire the named cookie by giving it a date in the past.
function DeleteCookie (name) {
  var exp = new Date();
  exp.setTime (exp.getTime() - 1);  // This cookie is history
  var cval = GetCookie (name);
  document.cookie = name + "=" + cval + "; expires=" + exp.toGMTString();
}

var expDays = 30;
var exp = new Date();
exp.setTime(exp.getTime() + (expDays * 24*60*60*1000));

// Return the number of visits including this one and store it for next time.
function amt() {
  var count = GetCookie('count');
  // No cookie yet, or a value that is not a number (the file can be edited).
  if (count == null || isNaN(parseInt(count, 10))) {
    SetCookie('count', '1', exp);   // pass exp so the count outlives the session
    return 1;
  } else {
    var newcount = parseInt(count, 10) + 1;
    DeleteCookie('count');
    SetCookie('count', newcount, exp);
    return newcount;                // report the updated count, not the old one
  }
}

// Return the decoded cookie value that starts at offset.
function getCookieVal(offset) {
  var endstr = document.cookie.indexOf (";", offset);
  if (endstr == -1) endstr = document.cookie.length;
  return unescape(document.cookie.substring (offset, endstr));
}
// End Hiding Here -->
</script>
</head>
<body bgcolor="#FFFFFF">
<script language="JavaScript">
<!-- Hide this script from old browsers
document.write("You've been here <b>" + amt() + "</b> times.")
// End Hiding Here -->
</script>

2. This script displays the names of visitors to your Web page each time they visit.

<script language="JavaScript">
<!-- Hide this script from old browsers
var username = GetCookie('username');
if (username == null) {
  username = prompt('Please enter your name (otherwise press cancel)', "");
  if (username == null) {
    alert("It's ok if you don't want to tell me your name");
    username = 'Visitor';
  } else {
    var pathname = location.pathname;
    // Directory of the current page; passed to SetCookie as the cookie path.
    var myDomain = pathname.substring(0, pathname.lastIndexOf('/')) + '/';
    // set expiry date to 1 year from now.
    var largeExpDate = new Date ();
    largeExpDate.setTime(largeExpDate.getTime() + (365 * 24 * 3600 * 1000));
    SetCookie('username', username, largeExpDate, myDomain);
  }
}

// Return the decoded cookie value that starts at offset.
function getCookieVal (offset) {
  var endstr = document.cookie.indexOf (";", offset);
  if (endstr == -1) endstr = document.cookie.length;
  return unescape(document.cookie.substring (offset, endstr));
}

// Return the value of the named cookie, or null if it is not set.
function GetCookie (name) {
  var arg = name + "=";
  var alen = arg.length;
  var clen = document.cookie.length;
  var i = 0;
  while (i < clen) {
    var j = i + alen;
    if (document.cookie.substring(i, j) == arg) return getCookieVal (j);
    i = document.cookie.indexOf(" ", i) + 1;
    if (i == 0) break;
  }
  return null;
}

// SetCookie (name, value [, expires [, path [, domain [, secure]]]])
function SetCookie (name, value) {
  var argv = SetCookie.arguments;
  var argc = SetCookie.arguments.length;
  var expires = (argc > 2) ? argv[2] : null;
  var path = (argc > 3) ? argv[3] : null;
  var domain = (argc > 4) ? argv[4] : null;
  var secure = (argc > 5) ? argv[5] : false;
  document.cookie = name + "=" + escape (value) +
    ((expires == null) ? "" : ("; expires=" + expires.toGMTString())) +
    ((path == null) ? "" : ("; path=" + path)) +
    ((domain == null) ? "" : ("; domain=" + domain)) +
    ((secure == true) ? "; secure" : "");
}

// The name is visitor-supplied text read back from a cookie, so escape it
// before writing it into the page.
function escapeHTML (text) {
  return String(text).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

document.write('<p>Thanks for coming, ' + escapeHTML(username));
// End Hiding Here -->
</script>

by Douglas Giles
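A present-day rewrite of the helpers the two scripts above rely on, as an added example rather than the article's code: values are encoded with encodeURIComponent instead of escape, the cookie name and path are validated, whatever is read back is treated as untrusted, and text is HTML-escaped before it reaches the page. The function names, the SameSite default and the sample values are choices made for this example.

```javascript
// Added example (not the article's code). Pure functions so the logic can be
// exercised outside a browser; the browser wiring is at the bottom.

// Characters allowed in a cookie name (RFC 6265 "token").
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function serializeCookie(name, value, opts = {}) {
  if (!TOKEN.test(name)) throw new TypeError("invalid cookie name");
  const sameSite = opts.sameSite || "Lax";
  if (!["Strict", "Lax", "None"].includes(sameSite)) throw new TypeError("invalid SameSite");
  if (sameSite === "None" && !opts.secure) throw new TypeError("SameSite=None needs Secure");
  // encodeURIComponent replaces escape(): it is UTF-8 safe and also encodes
  // ";" and "=", so a value cannot smuggle in extra attributes.
  let out = name + "=" + encodeURIComponent(String(value));
  if (opts.expires instanceof Date) out += "; Expires=" + opts.expires.toUTCString();
  if (opts.path !== undefined) {
    if (!/^\/[^;\x00-\x1f]*$/.test(opts.path)) throw new TypeError("invalid path");
    out += "; Path=" + opts.path;
  }
  out += "; SameSite=" + sameSite;
  if (opts.secure) out += "; Secure";
  return out;
}

// Exact-name lookup in an "a=1; b=2" string such as document.cookie.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const pair = part.trim();
    const eq = pair.indexOf("=");
    if (eq === -1 || pair.slice(0, eq) !== name) continue;
    try {
      return decodeURIComponent(pair.slice(eq + 1));
    } catch (e) {
      return null;            // malformed percent-encoding: treat as not set
    }
  }
  return null;
}

// The stored count is whatever the visitor's cookie file says, so accept
// only a plain non-negative integer and restart at 1 otherwise.
function nextVisitCount(stored) {
  return /^\d{1,9}$/.test(stored || "") ? parseInt(stored, 10) + 1 : 1;
}

function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Greeting markup built from the stored name, escaped for HTML.
function greetingHtml(cookieString) {
  const name = readCookie(cookieString, "username") || "Visitor";
  return "<p>Thanks for coming, " + escapeHtml(name) + "</p>";
}

// Browser wiring: runs only where document exists.
if (typeof document !== "undefined") {
  const count = nextVisitCount(readCookie(document.cookie, "count"));
  const expires = new Date(Date.now() + 30 * 24 * 60 * 60 * 1000);
  document.cookie = serializeCookie("count", count, {
    expires, path: "/", secure: location.protocol === "https:",
  });
  document.body.insertAdjacentHTML("beforeend",
    greetingHtml(document.cookie) + "<p>Visits: " + count + "</p>");
}
```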
--------------------------------------------------------- Cookies.

A lot of confusing information is floating around the Internet about cookies. As a result, Web surfers can, and often do, refuse them. And if you rely on cookies too much, your site may malfunction for visitors who choose to refuse them.

What is a cookie? Although the name is enticing, the reality is far less tasty. A cookie is just a small amount of text that a site's server places on the hard drive of visitors' computers. Then, every time that same visitor returns to the site, the server recognizes the cookie, and thus recognizes the visitor and the specific information about his or her activity on that site.

The key is that cookies relate to online activity, not to your personal information. Contrary to popular misconception, a cookie doesn't tell who you are, your E-mail address, or your hair color. Most of the information included in cookies, such as an IP address, is the same data that gets fed into log files every time you stop anywhere on the Web.

What cookies do differently is assign a unique serial number to each visitor. By doing this, the server recognizes the visitor each time he or she visits the site. Cookies also can match visitors with their previous online sessions to specialize content or product offerings just for them. For example, if a cookie says a certain visitor only clicks banner ads that are related to music, then the site may choose to show that visitor only music-related ads.

What cookies can do for users is eliminate the need to continually input their E-mail addresses and passwords when entering a site that requires registration. After visitors register once, the site recognizes them by their cookies and simply lets them in.

So how do cookies fit into the tracking mix? Cookies can add to your tracking efforts by allowing you to track individual users' activities over time. Are they returning? Are they buying the same products or different ones? Are they missing opportunities on your site because they can't find what they want?

Cookies also can fight two problems that are unique to larger sites. First of all, providers like America Online (AOL) often maintain a copy of heavily visited sites on their servers to save bandwidth. This is called caching, and it has created quite a controversy regarding genuine ad tracking.

Second, larger providers often can have two users using the same IP address within a short span of time. If those two users hit the same site within 30 minutes, tracking systems perceive it as only one user session.

Another word of caution: Cookies should be considered as secondary to other tracking methods because by using them, you are narrowing your ability to track visitors. That's because many visitors simply do not accept cookies, and therefore, they set the default on their browser accordingly so they never have to be bothered by them.

After analyzing all of your options, no matter if you stick with log files, invest in a tracking tool, use registration, or decide to try cookies, the bottom line is to utilize some method of obtaining the answers to your nagging site traffic questions. Also, you may want to employ more than one method of tracking so you can compare results.
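The shared-IP undercount and the cookie-refusal gap described above, as an added example that is not from the original article: the same constructed hits are grouped into sessions by IP address, by the serial number carried in a cookie, and by both together, using the 30-minute window the text mentions. The log format, field names and addresses are made up for the illustration.

```javascript
// Added example (not from the original article). Constructed hits in a
// made-up format: "HH:MM ip cookieSerial path"; "-" means cookies were refused.
const LOG = `
09:00 203.0.113.7 u1001 /index.html
09:05 203.0.113.7 u1001 /catalog.html
09:12 203.0.113.7 u2002 /index.html
09:20 203.0.113.7 u2002 /order.html
09:25 198.51.100.4 u3003 /index.html
10:40 198.51.100.4 u3003 /index.html
10:45 192.0.2.9 - /index.html
10:50 192.0.2.9 - /catalog.html
`;

const WINDOW_MINUTES = 30;   // idle gap that ends a session, as in the text

function parseHits(log) {
  return log.trim().split("\n").map((line) => {
    const [hhmm, ip, serial, path] = line.trim().split(/\s+/);
    const [h, m] = hhmm.split(":").map(Number);
    return { minute: h * 60 + m, ip, serial: serial === "-" ? null : serial, path };
  });
}

// Count sessions for hits grouped by keyOf(hit). Hits with no key are
// reported separately instead of being silently dropped.
function countSessions(hits, keyOf) {
  const lastSeen = new Map();
  let sessions = 0;
  let unkeyedHits = 0;
  for (const hit of [...hits].sort((a, b) => a.minute - b.minute)) {
    const key = keyOf(hit);
    if (key === null) { unkeyedHits++; continue; }
    const previous = lastSeen.get(key);
    if (previous === undefined || hit.minute - previous > WINDOW_MINUTES) sessions++;
    lastSeen.set(key, hit.minute);
  }
  return { sessions, unkeyedHits };
}

function compare(log) {
  const hits = parseHits(log);
  return {
    // Two visitors behind one address collapse into a single session.
    byIp: countSessions(hits, (h) => h.ip),
    // Visitors who refuse cookies cannot be placed in any session.
    byCookie: countSessions(hits, (h) => h.serial),
    // Cookie serial where present, IP address as the fallback.
    combined: countSessions(hits, (h) => (h.serial ? "c:" + h.serial : "ip:" + h.ip)),
    distinctSerials: new Set(hits.map((h) => h.serial).filter(Boolean)).size,
  };
}

console.log(compare(LOG));
```

On this sample the IP-only count and the cookie-only count both report four sessions but miss different visitors, and only the combined key finds all five.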


\4 Data-Collection Agents How Companies Obtain Data About You & Your PC.

Every couple of months, the headlines remind us that when it comes to computers, privacy is far from a given. For example, in the summer of 1999, it is reported that the code of Microsoft's operating systems might have a backdoor that the NSA could exploit. Microsoft denies this, claiming it holds all the keys for the backdoors, including the one it inexplicably called NSAKEY.

In the fall of 1999, streaming media giant RealNetworks admits that a hidden function of its free RealJukebox player lets it track users' listening habits. After a public outcry, it admits to an error in judgment, changes its privacy disclaimer, and posts a fix to its Web site. Another privacy story broke in the winter of 1999. According to Comet Systems, 16 million people and 60,000 Web sites were set up to use its customized Comet Cursor technology, which lets sites change users' cursors into fun shapes. However, it also let Comet Systems track reg users across the Internet with a hidden serial number.

Negative consumer reaction led the company to post a patch to its Web site that would delete the serial number. These are all examples of companies that, regardless of their reasoning, have tried to slide one by consumers with the use of stealth features. But what about when we invite companies to look at our systems? A growing number of manufacturers are including spiders, which are also known as bots, with their products. These programs allow the manufacturer to access your computer over the Internet.

With this link in place, they can scan or read your system, upload files and information, and even manipulate the registry, applications, and settings on your computer.

These products fall into roughly three categories: those that help you to find software and hardware updates on the Internet; those that allow you to fix problems on your drives or identify and eliminate viruses on your computer; and those that give outside users complete snapshots of your system (popular with tech support folks as the best way to diagnose system problems).

(NOTE: All the products listed below do what they do in the name of service to the user, and we chose them purely on the basis of the types of services they provide, not on any inherent proclivity to abuse.)

Awash In Stale Software? This situation should be a familiar one in this age of multiple-gigabyte hard drives: You have a computer packed with software but neither the time nor the energy to troll the Internet looking for upgrades and updates for it all. It would be much easier to have someone or something do it for you.

This first class of products, to varying degrees, does just that. Essentially, these products go into your computer, scan your drives for information, and then compare what you have with a master database of updates and upgrades. The most advanced of them will even download and install updates with a single click of a button. Known to some as maintenance software services, these have become popular timesaving tools. 

Microsoft's Product Update area. Not surprisingly, the company with the most upgradeable products on the market has its own online service bay set up to keep your operating system, Web browser, and other Windows goodies up to date. Built on a catalog of fixes, updates, and enhancements, the Product Update section of the Microsoft Web site (http://windowsupdate.microsoft.com and click Product Updates) first scans your system to see what you have installed.

Then, it recommends a variety of software updates and add-ons you can choose to download. It then automatically installs the products you download. This is a particularly effective way for Microsoft to wheel out what it calls critical updates, which are fixes for bugs that seem to pop up with a certain regularity on your system.

Windows Update checks your system against its list of available product updates before offering you download options.

Even though Microsoft Product Update has to scan your system to determine what it will place on your updates list, it assures users at the outset that it doesn't send any of the information it collects in this way to Microsoft.

Manageable Software Services Catch-Up. The free application Catch-Up, from Manageable Software Services (http://www.manageable.com), performs a similar function to Microsoft's Product Update area; the main difference is it's not limited to Microsoft products.

After downloading the software and installing it, you can have Catch-Up scan your system for files. (It keeps a list of your files locally.) The application then gives you the choice of selecting what you want to update before going to its own database to check for relevant software. This feature of letting you choose what information to send out is rather unique in this field; most just compose a list and shoot it off to the server, only letting you pick and choose between updates after the list comes back.

Catch-Up doesn't maintain personal information profiles about who is using the service, and the application itself works as a helper application with your browser (which means everything is viewed through a Web browser).

Symantec's Norton Web Services. Symantec takes many of its popular Norton products to the Web with its subscription-based Norton Web Services (nortonweb.com). This product straddles the line between updates and system fixes with its combination of LiveUpdate Pro and VitalCheck.

LiveUpdate Pro works like other update software; it scans your system and makes a list of all the software and hardware it detects. It then compares this list to its database, finding fixes, updates, drivers, and patches for a wide range of products. (NOTE: LiveUpdate Pro is different from LiveUpdate, another product from Norton that is used by desktop-based applications, such as Norton Utilities and Norton AntiVirus, to search the company's site for program and virus updates.) With VitalCheck, Norton takes its service to the next level: scanning and fixing your system.

Surfing The Virtual Service Station. McAfee Clinic's 15-piece PC diagnostic center offers tools to repair most "fixable" computer problems. A bit more intrusive are programs that can enter your personal computer, look around, and sometimes even take a cyber-wrench to problem areas. Anyone who has ever run Windows ScanDisk or a virus-detection program is familiar with this area. 

These products poke through your system looking for trouble, and when they find it, they attempt to fix it (or in the case of viruses, stomp them out). Unlike the first group of products, where the potential for abuse is primarily in a loss of information, the stakes increase whenever you are dealing with a product that has the ability to alter your PC.

As mentioned, VitalCheck from Norton Web Services is one example of this type of service, dealing with both virus and disk-error (such as damaged boot records and lost clusters) detection and repair. The following is a list of services of this nature:

McAfee Clinic. Trying to corner the one-stop market for online diagnostic tools is McAfee Clinic (http://www.mcafee.com/centers/clinic), which is a collection of 15 Web-based applications you can use to test, repair, and optimize many areas of your PC. Included on the clinic Web site are:

VirusScan Online: This section allows you to scan your system, install ActiveShield to receive continuous protection from viruses, and create a rescue disk to clean disabled PCs.

Clean Hard Drive: You can eliminate unwanted files and applications and restore applications using this software.

Software Update Finder: Similar to the applications in the first category of products, this application can compare your existing software with the McAfee database.

Windows Advisor: Use this area to obtain help with a variety of applications for Windows.

The clinic not only reads your system but also has the ability to alter it through deleting files and altering settings.

WinTune 98. From Winmag.com (wintune.winmag.com) comes WinTune 98, a system that lets you test your PC's performance from the comforts of your Web browser. The only fixes here are the suggested kind; WinTune won't repair areas for you.

WinTune uses ActiveX technology (not Netscape, just Internet Explorer 3.02 or above) to enter your system and run a variety of tests on the CPU, memory, hard drive, video, and other areas. The product walks you through the various areas, accessing information from your registry and certain program files as it runs a variety of diagnostic tests before finally offering tips on how you might improve system performance. 	

Norton Web Services' LiveUpdate Pro compares your system to its extensive database and then gives you the option of downloading and installing updates.

If you are uncomfortable with the online version, you can download this as an application and run it on your system. One of the features that both versions incorporate is the ability to compare your results with that of other users, which is really the only potential for abuse with the downloadable version. (You have to give your e-mail address to use the program.)

The Service Station Comes To You. You call up Tech Support with a PC ailment, and a person asks you to describe what the PC is doing. You spend the next 20 minutes detailing the various peculiarities, lapsing into such technical terms as "thingies" and "whatchamacallits." Tech Support sighs deeply and then asks you to describe what the computer is doing again.

Does this sound familiar? This is probably why so-called remote control software was developed to help the beleaguered technical support people. This software lets you access, view, and in many cases, control what happens on another computer. A great solution for telecommuters, demonstrations and interactive training, management, and the local help desk, these products are also a possible source of concern for computer users.

Compaq's Carbon Copy. A version of this program has shipped with all Compaq desktops for the past couple of years. Carbon Copy (compaq.com/services/carboncopy) lets Compaq technicians easily diagnose problems that users have with their computers. Compaq computer users call up the computer maker, and technicians can then interact with the PC, gathering a wide array of information that aids in the diagnosis of problems. However, computer users do have the ability, through Global Security options, to limit who gets access to their computers and what they can see.

Wind Designs SupportAbility. South Wind Designs SupportAbility (http://www.supportability.com) doesn't let people run your computer, but it does give them an extensive amount of information about your system. When installed on your computer, it collects information from your machine and uploads it to the SupportAbility server, where technicians on the receiving end can wade through the data and diagnose your system problems.

The system ... delivers accurate, detailed, and complete info across all Internet/intranet connections, and works with firewalls and proxy servers. The receiving end gets the information; users have the option, after the fact, of viewing a report detailing the data that went out.

Big for businesses, intranets, and other groups huddled around a tech support unit, SupportAbility can access a lot of system information, including: contents of directories on any drive; contents of any registry entry; total and available memory; tasks and modules presently in memory; and contents of the Autoexec.bat, Config.sys, Win.ini, and System.ini files.

Symantec's pcAnywhere. Symantec's pcAnywhere (symantec.com/pcanywhere/index.html) is hands-down the most popular remote control software on the market. Telecommuters and support services have a tremendous set of features to work with here, including enhanced Internet functionality, synchronization, and multiple platforms, and the security features include the use of wizards (for ease of configuration), password protection, encryption, restricted drive access, and more.

The Bot Business. So why is it that these diagnostic spiders are gaining in popularity? According to Eddy Hsia, director of McAfee Clinic, a lot of it has to do with how easy they are to use. McAfee Clinic's customers cite ease of configuration, installation, and update simplicity as primary reasons why they are attracted to the Clinic. With the online version, Hsia says, all this is handled through a browser and designed for the novice user in need of virus protection and PC security.

Dr. Daniel Miranker, CTO and co-founder of Liaison Technology, which creates spider technologies, agrees. Computers, and more notably computer software, are becoming increasingly complex, Miranker says. He notes that as computers become progressively easier to use, the software to run them must become more complex as a result. As time goes on, he says, we can expect the trend to continue. 

Basic maintenance and diagnostics will become increasingly difficult, not easier. One way to protect yourself from abuse is to be aware of what's going on with the products in question. The U.S. Consumer Gateway (http://www.consumer.gov) contains a wealth of consumer information from the federal government.

Web sites such as The Internet Junkbuster Home Page (junkbuster.com) and The Privacy Page (privacy.org) are great sources of information on a wide range of Internet privacy issues. As we mentioned at the start, the more a product tends to stray into discomfort zones, the more vocal users become. Do a newsgroup search for products on Deja.com (http://www.deja.com) to get the latest buzz. 

As far as security features in products, some standard features you should try to get in a product include: password protection; encryption; restricted drive access; file transfer rights; and host screen and keyboard locks. Even so, none of these are a guarantee. People in general should understand that computers on networks are not private devices, Miranker says. In a world where Bugs Bunny cursors and your own CD player are ratting you out behind your back, anything goes. Know what info you're giving outside computers access to, and whenever possible, minimize your risks. by Rich Gray

--------------------------------------------------------- April 2000 Vol.8 Issue 4 		

Keep Your Private Life Private Some Common Safety Tips To Help Protect You Online. Going online can expose you to a whole new world of information, but if you arent careful, it can also expose your personal information to a whole new world. The May 99 Georgetown Internet Privacy Policy Survey found that 93% of Web sites collect at least one fragment of personal info, such as a name, e-mail address, or snail mail address. Help protect your privacy online by following some general safety tips. 

Choose passwords wisely. Weve all seen it on tv or in the movies; the computer gets broken into because the user chose a common password such as his birthday, her maiden name, or the dog's name. Unfortunately, life does imitate art, and too many of us use common words or numbers as passwords for our various accounts. Choose a password that isnt found in a dictionary or isnt made up of numbers that represent a significant date in your life. Consider using a combination of letters, digits, and symbols and be sure to change your password from the one that was originally assigned to you. 

Look a gift horse in the mouth. Trojan horses, programs that carry harmful code inside what appear to be benign programs or data, can be placed on computers in many ways, and the damage they can do is even more varied. Trojan horses are known to gather personal information, such as passwords and banking records, and they exist on both public and private PCs.

For that reason, it's wise not to use public PCs, such as those found in a library, to log on to something as private as an e-mail account because Trojan horses can capture your password and use it to gain access to your personal data. Public networks can be especially vulnerable because almost anyone has physical access, and some Trojan horse programs are built to dodge the firewalls designed to protect the networks.

Clean up your act. If you suspect a Trojan horse has hit your personal computer, consider installing a detection program such as Privacy Software's BOClean (nsclean.com). Remember: Trojan horse programs are not viruses, so virus detection software (which is bundled with many new computer systems) will not protect you against these programs that gather personal info.

Secure your financial data. Most sites that request financial information, particularly credit card numbers, establish a secure connection between your computer and their servers. What this means is that the information is encrypted before it is shipped over the very public network of the Internet. Still, it isn't safe to assume that all sites that ask for your credit card numbers use encryption, so check the security of each connection.

Most vendors will promote their security scheme on their site. Plus, your Web browser should tell you whether data is sent over a secure link. You can determine this on Microsoft Internet Explorer (IE) and Netscape Navigator by looking for the tiny padlock icon at the bottom of the browser window. If the icon appears locked, the connection is fairly secure. 

Use a safe browser. True, many Web surfers use IE and Navigator to go online, and although these browsers have built-in encryption features, it isn't safe to assume that all browsers do. If you aren't using one of these two Web browsers, especially if your Web browser is relatively old (the standard for encryption levels is continuously being upgraded), be sure to find out what its encryption features are by reading its Help file.

Read the fine print. Along with providing encryption information, a reputable Web site will tell its users how any information it gathers will be used. Before giving a Web site personal facts, including your e-mail address or telephone number, find out whether the site guarantees how it will use that information and whether the data could be sold or rented to a third party. In addition, you may have come across the logo for TRUSTe, a watchdog organization that awards a seal of approval to sites that follow its established privacy principles. A seal from TRUSTe is one indication that a site appropriately protects its users' privacy.

Review signatures. Encryption is accompanied by another tool that helps ensure that information passes between only the intended parties: digital signatures. A digital signature is like a handwritten signature in that it identifies a unique computer or user, and it can be used to help authenticate the identity of a sender or recipient over the Internet. 

When you use a digital signature, you encrypt the data, and only the intended recipient can decrypt the data and verify that the message is really from you and not someone pretending to be you. For more info on how digital signatures and digital certificates work, visit VeriSign (verisign.com), a provider of digital certificates.

Double-check your work. Unfortunately, it's easy to make a mistake when typing in a URL, and some sites have even been set up to take advantage of fingers slipping on a keyboard. Plus, many sites have similar URLs and names. So, before you hand over your e-mail address or other personal data, check to make sure that you're shipping those details to the intended organization.

A reputable Web site openly tells its users how it will use any information it gathers, so be sure to read a site's privacy policy. For instance, in its FAQs section, Smart Computing clearly posts its policy to not rent or sell names. 	

Be wary when talking to strangers. Usenet newsgroups and online chat rooms can be great sources of information, but be extra cautious, or you might find that you've passed out more information than you were aware of. Some software programs cull e-mail addresses from these public groups, and soon after participating, you might end up on a junk e-mail or spam list.

It probably isn't worth panicking over, but if you notice an increase in junk e-mail after posting a public message, try contacting the list or chat room administrator. In many cases, it's best not to reply to spam, even to request to be removed from a list you didn't sign up for, because you're only confirming that the spam sender has found an active account.

Fight spam. As we just mentioned, it often isn't a smart plan to reply to spam, but that doesn't mean you have to sit on your hands as your e-mail inbox fills with unwanted mail. A number of organizations fight spam for a living, and you can do yourself and others a favor by passing on unsolicited commercial e-mail to them. These groups include SpamCop (http://spamcop.net), the Mail Abuse Prevention System Realtime Blackhole List (MAPS RBL, found at http://mail-abuse.org/rbl), and the Coalition Against Unsolicited Commercial Email (CAUCE, cauce.org).

Consider an anonymous remailer. It's often said that on the Internet, no one knows if you're a dog or a human, but that isn't quite true; with your e-mail address, an individual or company can learn quite a bit about you. That's why some individuals choose to use anonymous remailers, programs that strip identifying information from e-mail messages and forward them to the intended recipients for you (a useful tool for posting to Internet newsgroups, where you may not necessarily want your e-mail address listed).

For more details on how remailers work, what services are available, and how safe remailers are, we recommend you take a look at the Anonymous Remailer FAQ page (http://www.andrebacard.com/remail.html). You can also surf the Web anonymously thanks to a number of third-party proxies. For more details, visit the Anonymizer site (anonymizer.com/3.0/index.shtml). 	

 Anonymous remailers allow you to send e-mail messages that don't include any identifying information. 	

Relax with a cup of Java. Java can be used to greatly enhance a Web page, such as adding animations, and for the most part, it's relatively secure for a Web browser to access a site that takes advantage of Java. A small number of security holes have been reported, however, and you'll find a comprehensive discussion on the security of Java and JavaScript on the World Wide Web Security FAQ (http://www.w3.org/Security/faq/wwwsf7.html).

Monitor your cookies. Cookies, small pieces of code that Web servers send to Web browsers to help keep track of visitors, have many benign uses. For example, cookies can help save time by remembering users' login names and passwords so that they won't need to re-enter data each time they return to the site. Cookies also have some not-so-nice uses, though, such as being used to track the pages traveled within a site and then taking that information and creating a profile of the user, all without the user knowing he or she is being monitored. To be notified when cookies are being sent to your machine, or to turn them off altogether, Navigator users should click Edit, Preferences, and the Advanced category; IE users should click Tools, Internet Options, and the Security tab.

Double-check on DoubleClick Inc. Speaking of cookies, there's one application that all Internet users concerned with privacy should be aware of. Many ad banners are served by a third party known as DoubleClick Inc., and it has recently been reported that DoubleClick, with the help of cookies and a direct-marketing database, is tracking users by name and address as they navigate the Internet. DoubleClick then uses this data to compile a profile that can tell marketers who lives in a household and what their buying preferences are. If this sounds too much like Big Brother to you, watch for related complaints filed with the Federal Trade Commission by privacy groups. And, of course, to protect yourself, read the privacy policies of individual sites to find out how to opt out of this information-gathering process. by Heidi V. Anderson
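The cross-site tracking described above depends on one third-party cookie being sent from many unrelated sites. The following Python sketch is an added example, not part of the original article: it audits a constructed browsing log (all host names and cookie values are made up) and reports any cookie that a third-party server received from two or more different sites.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed browsing log: (page visited, resource that page loaded,
# cookie the browser sent with that resource request, or None).
REQUESTS = [
    ("http://news.example/front", "http://news.example/style.css", "session=a1"),
    ("http://news.example/front", "http://ads.adnet.example/banner?slot=1", "uid=7f3c"),
    ("http://shop.example/cart", "http://shop.example/cart.js", "basket=42"),
    ("http://shop.example/cart", "http://ads.adnet.example/banner?slot=9", "uid=7f3c"),
    ("http://health.example/symptoms", "http://ads.adnet.example/banner?slot=3", "uid=7f3c"),
    ("http://health.example/symptoms", "http://cdn.static.example/logo.gif", None),
    ("http://news.example/front", "http://stats.counter.example/hit", "c=9"),
]


def site_of(url):
    """Return the last two host labels as the 'site'.

    Simplification for this example: real browsers use the Public Suffix
    List to decide where one site ends and another begins.
    """
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def third_party_cookies(requests):
    """Map (resource host, cookie) -> set of first-party sites it was sent from."""
    seen = defaultdict(set)
    for page, resource, cookie in requests:
        if cookie is None:
            continue  # no identifier travelled with this request
        if site_of(page) == site_of(resource):
            continue  # first-party cookie: stays with the site you chose to visit
        seen[(urlsplit(resource).hostname, cookie)].add(site_of(page))
    return seen


def cross_site_trackers(requests, min_sites=2):
    """Cookies that one third party received from at least min_sites different sites."""
    hits = [
        (host, cookie, sorted(sites))
        for (host, cookie), sites in third_party_cookies(requests).items()
        if len(sites) >= min_sites
    ]
    return sorted(hits)


if __name__ == "__main__":
    for host, cookie, sites in cross_site_trackers(REQUESTS):
        print(f"{host} received {cookie} from: {', '.join(sites)}")
```

The single-site counter cookie is recorded but not reported; only the banner server's identifier, which links visits to three unrelated sites, crosses the threshold.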

------------------------------------ Oct 2000. Keep Your PC Secure & Info Private: Always-On Internet Connections, Viruses & E-mail Pose New Security Threats. You're pretty excited about getting your new DSL (Digital Subscriber Line) Internet connection. You're looking forward to, or perhaps have already been enjoying, instantaneous, 24-hour access and those super-fast download times. No more dialing up with a glacially slow 28.8Kbps (kilobits per second) or 56Kbps modem; you're now on the information superhighway whenever you want, barreling along at speeds of up to 500Kbps or higher. But you've heard rumblings at work or among your friends. Disconcerting talk about security, privacy, hackers using your connection to come unbidden into your home. Should you be worried? In a word, yes.

A superhighway is great: It will get you where you want to go quickly and efficiently. But the thing about a highway is that anyone can travel it, and not all of those travelers are people with whom you'd voluntarily go on a road trip.

Your DSL, T-1, T-3, or cable-modem connection to the Internet is no different than that highway; there are some bad folks out there, and you'd be better off not traveling with them. Whenever you're online, you open yourself up to a variety of security issues. And with a DSL, cable modem, or other direct connection, whenever your computer is on, you're online, and therefore vulnerable. (And if you have a small business or home network, your vulnerability is multiplied, perhaps exponentially.) Are there things you can do to reduce this vulnerability? Absolutely. We'll describe the problem in some depth and then discuss some possible solutions.

But first, a caveat: If you have a direct Internet connection, you will never be 100% safe. After all, on a highway, you take a variety of safety precautions: seat belts, spare tire, defensive driving techniques. All help mitigate the risk you take. And yet, no one can guarantee that you won't have an accident. Similarly, despite the precautions we'll discuss here, there is no unqualified guarantee that your system or network won't be attacked over the Internet. There will always be some risk. If you want to ensure that you'll never have an automobile accident on the highway, leave your car in the garage. If you must have an ironclad guarantee that no one can intrude on your system over the Internet, the solution is simple: Don't get on the Internet.

Why Is It A Problem? If you could soar above the Earth, peer down through the clouds, and somehow see a schematic representation of the Internet as it crisscrosses the planet, you'd see that it really is a vast web of interconnections: Certain central points would seem to act as hubs, with lines of connectivity apparently converging there and then radiating out to other hubs, and from there to others, and on and on. Hundreds of thousands of hubs, connecting millions of individual connections called nodes.

SonicWALL is a midrange hardware firewall device. It's easy to use, affordable, and not too complicated to set up.

Moving along this web of connectivity, streams (packets, really) of data flow at almost the speed of light. Data may originate at a single node, bounce to a hub, and then to another and another and eventually make its way across the state or the country or the world. (Ironically, the data you send to a friend down the block could well have traveled to a hub many miles from your home or office, and then have traveled back through the Web, finally to arrive at your friend's computer.) And that's the first part of the problem. When you log on to the Internet, you've just become part of the world's largest network. By definition, everyone on that network can communicate with everyone else, including people you'd just as soon avoid. And since all the data must pass through a number of hubs, anyone who knows how can tap into the hubs themselves and examine data as it passes through. This is called sniffing, and it is one way a hacker (see below) can locate potential targets.

The bottom line is that when you connect to the huge network we call the Internet, you are sending data that can, under certain circumstances, be viewed by others on the network. And you've provided those with the expertise and the interest a pathway to your computer or network; not only can they examine data you send out, but they can also examine the data residing on your computer or network.

As with any network security, your Internet connection is only as secure as its weakest link. If you have no security devices installed at your node (and let's not forget that your node may act as a gateway to your own personal or business network), and if your ISP's (Internet service provider's) security devices don't provide the protection you need, then you're an inviting target. After all, the purpose of the Web is to allow information to pass unimpeded; relying on the Internet itself to know what information you feel comfortable sending (and receiving) is asking it to work against its purpose. If you want to safeguard your security and your privacy, it's up to you to provide the tools.

Another part of the problem has to do with the way data is sent over the Internet. It would be inefficient for millions of people to send billions of contiguous streams of data across the Web. After all, some streams would be fairly large, and many would be quite small. And some could be very, very large, indeed. The end result would be that the Web would choke; some people who were attempting to send (or receive) small pieces of data would have to wait while others sent large pieces across the Web. And a long stream of contiguous data, once it is sent off, would have to continue on the same path along which it started, even if that path had become congested.

This condition would quickly escalate into a tremendous digital traffic jam. The way around the traffic jam is to break up all data into packets of equal size and to route them around the Internet based on available access, current throughput speeds, load balancing, and other such criteria. So the data you send across the state not only bounces from hub to hub, it is first broken up into packets, and then the packets are sent out, possibly through different hubs, to be rejoined upon reaching their destination.

D-Link's DI-701 firewall device is easy to set up and operate. When used in conjunction with virus-checking and other software-based security, it's a good choice for a home-office network.

Therein lies both a safeguard and a serious security issue. Data broken up into packets is hard for a hacker to recognize; after all, if a packet is intercepted, it is difficult to recognize that the information contained in the packet is a piece of, say, a credit card number. That's one point for our side. On the other hand, if a hacker sends you a virus or a Trojan horse (see below), it's equally difficult for you to know that this seemingly innocent fragment is a small part of a destructive larger whole. And every packet contains some information about the entity of origin. Score a couple of points for the bad guys.


\5 hackers

Who Are The Bad Guys? There is a stereotype that the typical hacker is young, smart, unemployed or underemployed, and has some serious social development issues. The funny thing about stereotypes is that sometimes they're true. (Note that the computer community itself uses the term HACKER to refer to those who possess considerable knowledge about computers, but who, for ethical reasons, refrain from using that knowledge to perform unauthorized break-ins. To them, one who breaks into a system or destroys data is not a hacker, but a cracker.

Since the world at large insists on using the former term, however, we'll use it here.) Rarely is a hacker out to get you, personally. Instead, most hacks (or exploits) are committed simply for the fun and the challenge and to earn the admiration of the hacker's peers. Only occasionally do such joyriders destroy data, except accidentally. It's possible that you've been hit by a joyriding hacker and don't even know it.

There are some worrisome exceptions to the rule, though. A disgruntled employee (or former employee) may indeed hack into your personal or business system just to get at you. Also, if you or your business is high profile, and especially if you've angered someone or if you're identified as The Enemy (which is to say, big business or the government), then you're a potential target. The main point here is that if you're connected to the Internet, you're not simply a target, you're a vulnerable target.

What You Can Do. You have a wide range of security options. Some are quite inexpensive, and some can cost many thousands of dollars. A few are free. We'll cover the most popular and useful. Knowledge is power. This should go without saying, but we'll say it anyway. Learn about Internet security, privacy issues, and hackers. You've begun doing that simply by reading this article but don't stop there. Ask questions and visit security-oriented Web sites.

If it turns out that you need to pay for knowledge (for example, hiring a consultant to set up a firewall), do it; it's cheap insurance. A hacker we know (see the Ask A Hacker sidebar) had this to say: "More knowledge beats less knowledge every time. If [your data or systems] are important to you and you don't have the time to learn all there is to know about them, find someone to do it for you. There is no substitute for this. Knowledge beats everything, even luck."

Keep a low profile. You know how the police say that your best protection against burglary is to get a small but very noisy dog? They know that any burglar with half a brain will simply skip over your house and move on to a quieter and safer (for the burglar, that is) target. Internet security for your home and office system or network is like that. No, a dog won't do you any good, but one of the first things you should do is also the simplest thing: Don't get noticed. Keep a low profile.

Don't join a lot of newsgroups (and if you do, don't get involved in a flame war), and don't host a Web site and invite everybody in the world to come visit. If you don't need one, don't get a static IP (Internet Protocol) address. (Dynamic IP addresses are assigned per session.

The fact that they change constantly makes it harder to figure out who you are. If you're a typical home user, your ISP almost certainly generates dynamic IP addresses for you, unless you're hosting a Web site. If you're maintaining a small-business network, that may not be the case. That's where a firewall comes in, since, among other things, it hides your network stations' individual IP addresses. See below for more on firewalls.)

Turn off file sharing. Windows 9x systems have a configuration setting for sharing files (and printers, and other devices). If you can live without it, and you almost certainly can, then turn it off. Even if you have a firewall, proxy server, or other security tools in place (see the discussions below), leaving this turned on opens up a large security hole. After all, its purpose is to let others see (and use, copy, and modify) what you have on your drives.

This is fine when you have a few machines linked together in an informal (say, peer-to-peer) network to let colleagues share data. But as soon as you hook that network up to the Internet, any hacker worth the name will be able to get in, and he or she will have the same rights as your colleagues. 

Use a virus checker. While most of us own a virus checker, we don't always use it. Even if we do use it, we don't always keep it up to date. (New viruses are released every week. If you don't update your virus checker every week or so, it becomes almost useless.) Generally speaking, firewalls and other such devices cannot protect you from viruses; instead, that protection must reside on every workstation or PC connected to the network. So purchase a good one, use it daily, and update it regularly.

Symantec's Norton AntiVirus and McAfee's VirusScan are probably the two most popular such tools. Visit symantec.com or http://www.mcafee.com for more info.

Use an additional Internet agent or protective layer. There are several software agents, such as Network ICE's BlackICE or McAfee's Internet Guard Dog, that can help keep your system or network secure. This category of utility is not a firewall, but it can add an extra layer of safety to your Internet-connected PC, especially when used in conjunction with a firewall. Most of these products include antivirus and privacy protection. Many will let you configure the agent to filter content by category (for example, disallowing Web pages containing references to the occult, drugs, or sex). Some will even check chat rooms for offensive text.

Remember that agents such as these are not a replacement for a firewall or for common sense. But they do add valuable levels of security to your system, and they're inexpensive insurance. Check out BlackICE 2.0 ($100 per node) at http://www.networkice.com, or McAfee's Internet Guard Dog (about $40) at http://www.mcafee.com.

Watch that e-mail. E-mail clients have become more sophisticated to the point where most e-mail programs are HTML (Hypertext Markup Language)-savvy. This means that e-mail can now include graphics, borders, background images, and other elements, just like a Web page. And like a Web page, e-mail can run destructive or intrusive scripts or applets. One way around this problem is to use products or services such as HushMail (http://www.hushmail.com), Mailsafe (http://www.mailsafe.org), or ZoneAlarm (http://www.zonelabs.com) that can mitigate this risk. 

Most of these work either by requiring that the sender and receiver exchange certificates or by temporarily turning off Internet access while they open HTML-based messages. ZoneAlarm is actually a fully functional software-based firewall, so it also includes several other features. See Use A Firewall, below. 

In addition, many of the newer viruses are sent as e-mail attachments. If your antivirus software is up to date, it should render this new threat ineffective, at least until the next new e-mail virus appears. (Again, keep your virus scanner up to date and use it often.) 

Corporate or educational networks should use a proxy server. If you're running a business or educational network, you should consider using a proxy server. This is a piece of software best suited for screening outbound traffic. Why would you want to do that? Well, if you're a corporation, you may want to restrict your employees' access to certain sites. And if you're a school, you almost certainly want to restrict students' access.

Proxy servers work by breaking the direct link between the server and the client. They use a technique known as NAT (network address translation) to map all of the network's internal IP addresses to a single address; thus, no one outside your network can see what the real IP addresses are. This makes it impossible to use a hacking technique known as spoofing, or faking the sending address of a transmission in order to gain access to a system. Proxy servers are not inexpensive.

Microsoft's product, Proxy Server 2.0, lists for $1,000 (http://www.microsoft.com). Installation and configuration, while simpler than for some other proxy servers, is not for the fainthearted. But if you're protecting a corporate or school network, a full-featured proxy server is a worthwhile investment, and so is paying a consultant to set it up.

Use A Firewall. The firewall in your car separates the engine from the passenger compartment. A firewall in a building serves to separate a (possibly) burning room from ones that have not yet become engulfed in flames. Computer firewalls screen inbound and outbound traffic and serve as a choke point, sitting between your network (or single computer) and the Internet. They are the main (and best) line of defense against Internet-based vandals, snoops, and thieves. 

Essentially, a firewall allows a security administrator to set up rules determining what sorts of traffic are permitted and which are prohibited. Firewalls also use NAT to ensure that internal IP addresses remain invisible to the Internet. Finally, most firewalls use packet filtering to look at where packets are coming from or going to and decide whether or not to let the transaction take place. Do you really need a firewall? Here's a bedtime story guaranteed to give nightmares to managers of small companies: A small software startup had been running for some months with no firewall protection. This wasn't smart. After all, a software company's value lies not in widgets on a shelf but in its intellectual properties, all of which reside on the company's computer systems.

The company hired Mark W. (the hacker featured in the Ask A Hacker sidebar) to see if he could get into the company's network over the Internet. In one evening, Mark hacked into the company's network, got through the company's servers, and managed to leave little notes on individual users' desktops. With no firewalls up, it was easy. One more time: If you have a permanent connection to the Internet, and especially if you've connected a network to the Internet, you do need a firewall.
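To make the packet-filtering and NAT description concrete, here is an added Python example (not from the article or from any firewall vendor). The addresses, ports and rule set are constructed for illustration, and the Firewall class is hypothetical: it applies first-match rules with a default of deny, rewrites inside addresses to one public address, and drops inbound packets that are not replies to a connection started from inside.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")
Rule = namedtuple("Rule", "action src dst dport")  # dport None matches any port

PUBLIC_IP = "203.0.113.10"   # constructed: the single address the Internet sees
INSIDE = "192.168.0.0/24"    # constructed: the private office network
ANYWHERE = "0.0.0.0/0"

# Outbound policy, checked top to bottom; the first matching rule decides.
OUTBOUND_RULES = [
    Rule("deny", INSIDE, ANYWHERE, 139),   # keep Windows file sharing off the Internet
    Rule("allow", INSIDE, ANYWHERE, 80),   # Web
    Rule("allow", INSIDE, ANYWHERE, 443),  # secure Web
    Rule("allow", INSIDE, ANYWHERE, 25),   # outgoing mail
]


def matches(rule, pkt):
    """True if the packet's source, destination and port fit the rule."""
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.dport in (None, pkt.dport))


def filter_action(rules, pkt):
    """Packet filtering: first match wins, anything unmatched is denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


class Firewall:
    """Hypothetical filter plus NAT table, for illustration only."""

    def __init__(self, rules, public_ip, first_port=40000):
        self.rules = rules
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}  # (inside ip, inside port, remote ip, remote port) -> public port
        self.in_map = {}   # (public port, remote ip, remote port) -> (inside ip, inside port)

    def outbound(self, pkt):
        """Return the packet as the Internet sees it, or None if policy drops it."""
        if filter_action(self.rules, pkt) != "allow":
            return None
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(self.next_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            self.next_port += 1
        # The inside address never leaves the network: only PUBLIC_IP is exposed.
        return Packet(self.public_ip, self.out_map[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Translate a reply back to the inside host; drop anything unsolicited."""
        if pkt.dst != self.public_ip:
            return None
        inside = self.in_map.get((pkt.dport, pkt.src, pkt.sport))
        if inside is None:
            return None  # nobody inside asked for this traffic
        return Packet(pkt.src, pkt.sport, inside[0], inside[1])


if __name__ == "__main__":
    fw = Firewall(OUTBOUND_RULES, PUBLIC_IP)
    print(fw.outbound(Packet("192.168.0.5", 1025, "198.51.100.7", 80)))
    print(fw.inbound(Packet("198.51.100.7", 80, PUBLIC_IP, 40000)))
    print(fw.inbound(Packet("198.51.100.99", 4444, PUBLIC_IP, 139)))
```

Port 139 is the NetBIOS session port that Windows file sharing uses, so the first rule and the unsolicited-inbound drop together cover the file-sharing exposure discussed earlier in the article.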

Where once firewalls were the exclusive domain of large corporations, they have now become available at prices that are more attractive to small companies and home offices. Just as importantly, especially for the home or home office user, they've become much simpler to install and configure. (Some are essentially turnkey installations that require only a few minutes of working with an online wizard to set up.) Firewalls are available either as software packages or as hardware devices. As you might expect, the software-only versions are somewhat less expensive than the hardware-based variety. And as you might also expect, hardware-based firewalls tend to do a better, or at least more thorough, job.

Software firewalls. At prices in the $40 to $50 range for software-based products, you simply cannot afford to be without a firewall if you have a full-time connection to the Internet. And if you're connecting only one computer (as opposed to a small network) to the Internet, one of the software firewall suites will almost certainly do an adequate job for you. The two most popular software firewall products are McAfee's Firewall and Symantec's Norton Internet Security 2000 Family Edition.

The former runs $39.95 per year and, while it lacks some functionality (content filtering and antivirus software, for example), it's effective and easy to use. The latter (which lists for about $80) is both more flexible and more powerful, and it includes virus protection and content filtering, both of which are lacking in the McAfee product. If you're protecting only one computer, either of these two products will do the job for you with a minimum of fuss and maximum effectiveness.

Hardware firewalls. If you're connecting a small network to the Internet, you may wish to consider a hardware firewall device. Home and small-office models range between $115 and $500 or more. This is significantly more than the software-based firewalls but, with a network, you're protecting a considerably larger investment, one which may include crucial data or which may require a stronger guarantee of privacy than that needed for a simple home machine. D-Link's DI-701 sits at the low end of the price scale at $115. This makes it ideal for small offices and for home users. It will support up to 32 users on one network and includes NAT functionality. Visit http://www.dlink.com for more information.

At the high end of the home and home-office scale is WatchGuard, which does everything that the DI-701 can do and adds Web-based configuration and an array of additional filtering technologies. It will handle 10 users for $449 or 25 users for an additional $199. You can find more information about WatchGuard at http://www.watchguard.com. In between (in price and functionality) are NETGEAR's RT311 Gateway Router ($180 for up to 10 users; http://www.netgear.com) and SonicWALL SOHO ($495 for 10 users; http://www.sonicwall.com). Somewhere in this list you can find a hardware firewall that will do the job for you at a price you can afford. And if you're running a small home or office network, a hardware-based firewall is something you'll want to consider.

There's More. If you're worried about your privacy and about the security of your system or network, then you need to take steps to ensure that security. Hiding your head in the sand is a mistake. If your system or network is connected to the Internet, chances are you will be hacked eventually. This is serious business. Your security and your privacy are important, so it's worth investing a little time in considering some of the products listed here or using this article as a springboard for more research. Yes, you'll end up spending a little time and money. But isn't your peace of mind worth that expense? by Rod Scher

Ask A Hacker  Mark W. (a pseudonym) has spent years hacking into various systems and networks, mainly for the challenge it offers. Here he offers some comments and advice that may shed some light on why your system or network is a target. 

Q. Why is a hack called an exploit? A. That comes from the idea that you'll be exploiting a vulnerable target. Actually, most exploits are simply proofs of concept.

Q. Why hack? A. There are people who, for fun or profit, will go looking for holes in software. Most of the time, these holes result from poor system design or programming decisions. There are cases in which you may be specifically targeted by someone who wants to find out as much as possible about you or about holes in your setup.

Q. Why would someone hack into a system? A. Profit or pride. Pride in the sense that they know they can do something that makes them feel smarter than the person who set up the system. They can, and will, announce what they've done so that others will respect their skills. Hacking for profit isn't nearly as common.

Q. What about hacking into a home system? A. Pride is normally a reason for hacking a corporate site, but you don't get much respect for breaking into a system that's unprotected, and most home systems are unprotected. Besides, if profit is a motive, the amount of profit to be gained by breaking into a home system is small. There's a risk-vs.-reward issue that comes into play: If you're good enough to break into an e-commerce site and steal 5,000 credit card numbers, why waste your time getting, say, three numbers from some home user's system?

Q. What should a typical user do to protect himself from being hacked? A. Have a firewall. Raw Internet access is bad for most people: They don't need it and shouldn't have it. A firewall will not do it all, but it will help. Don't run canned software. That is, most viruses target people who are running a Windows operating system and a Microsoft mail reader; make it a non-Microsoft mail reader on a Windows operating system, and the virus won't work. When people write viruses, they look for the largest number of potential targets. Since most people run Windows operating systems and readers, throw a monkey wrench in the works by doing something different than everyone else.


\6 SSL

Secure Sockets Layer: software that automatically sends a security protocol certificate that announces that the site is secure and authentic. Only the merchant should have access to this on a secure server. This is indicated by a highlighted lock on the browser screen and a dialog window explaining its security.

There are diff levels of security depending on the area and browser used. 256 bit encryption is used domestically and 64 bit mostly used outside the US. To find out about Netscape security, click HELP, ABOUT COMMUNICATOR. RSA from Australia offers 256 encryption.


Oct 2000 Vol.11 Issue 10. Security Five Keys To Help You Lock Down Your PC.

We all know people like the Internet because it lets them do such things as send e-mail, browse the Web, shop, and chat, but not everyone knows being online puts your privacy and security at risk. Many Internet hackers would love to steal your credit card numbers when you make online purchases or send you a virus that could threaten your hard drive.

In addition, many Web sites store cookies (small text files that can store passwords, login names, or site preferences) on your hard drive to track your browsing habits. Other security risks include hackers accessing your personal files and other people using your PC to visit illicit or obscene Web sites without your permission. And, all this doesn't include minor annoyances, such as unwanted banner ads that can slow down Web site delivery.

Unfortunately, you can't use one simple key to protect your computer from hackers and unauthorized users, but there are programs that can reduce or eliminate these risks.

Digital Millenium Dr. Salman's Win Security Toolkit 2.88 Shareware ($10 to register) (530) 325-5086 http://sensor.hypermart.net

Those interested in only basic security for their Win9x PC should check out Dr. Salman's Win Security Toolkit, which is a shareware program designed to equip your PC with Windows NT-like security features.

The program is available as a free download with a seven-day trial period, and the registration fee is only $10. The small 251KB (kilobyte) file takes approximately one minute to download using a 28.8Kbps (kilobits per second) modem. Once the software is installed, you can set security settings for the Control Panel, Start menu, Desktop, Network Security Panel, and MS-DOS Security Panel.

To adjust the security settings, click a particular section, such as Control Panel Security, and click the boxes to restrict access. Some of the restrictions you'll find are Restrict Access To The Network Settings and Hide All Items On The Desktop. With just a few adjustments, no one can access your personal files or change printing or network settings. This program would be beneficial in a Win9x small-business environment where employees need access to only a few programs or at home to keep the kids from changing important settings on the PC.

Network Associates McAfee Internet Guard Dog Pro $49 (800) 338-8754, (972) 308-9960 http://www.mcafee.com

There's nothing like a good guard dog to keep your family safe from illicit Web sites, Internet security threats, and chat room predators. Guard Dog Pro offers such features as chat filtering that keeps obscene language from reaching your browser, Web site password protection, VirusScan (for removing viruses), and a firewall. In short, this canine is an excellent choice for anyone with an Internet connection.

McAfee Internet Guard Dog Pro lets you perform a Security Check on your PC and view the Internet activity of each user.

After installation, the program takes you through a detailed walk-through so you can set different security and privacy settings for each user. The Password Manager lets you store all the usernames and passwords you use to log on to various Web sites to make purchases or access members-only areas. The passwords are encrypted and available in one location so you can retrieve them as needed.

During the firewall-setup process, you decide to allow, filter, or block all Internet traffic. You can also configure the program during installation to receive a detailed display or a summary of the activity log so you can view any breaches of security and determine which applications should have access to the Internet. You can change these initial settings at any time.

Another program highlight is the File Guardian, which limits the programs on your system that others can access without your permission. We also were impressed with the Web Trail Cleaner feature. This tool cleans out your cached files, the list of the Web sites you've visited, and history files to prevent others from viewing your browsing activities. With its integrated firewall, password storage, and chat filtering, Guard Dog Pro is a solid software package that will protect your home or business PC.

Network Associates McAfee PGP Personal Privacy $19.95 (800) 338-8754, (972) 308-9960 http://www.mcafee.com

PGP Personal Privacy is an affordable product that provides encryption protection for hard drives and e-mail messages. This program lets you send and receive encrypted data, encrypt files individually, and delete confidential documents so they are unrecoverable.

PGP includes the Personal Privacy toolbar, which has seven icons you can click to perform encryption, decryption, and other functions. When you're ready to send encrypted files to other people, make sure you use the Self-Decrypting feature. With this tool, when the recipient receives the file, he or she enters a password that you provide, and the file decrypts itself, even if the recipient doesn't use the PGP software.

Although the software is simple to use, it comes with comprehensive documentation. You'll find a thorough user's guide and a large booklet that provides plenty of information about cryptography. Whether you want to encrypt e-mail messages or all of the files on your hard drive, PGP Personal Privacy software can handle the task.

Symantec Norton Internet Security 2000 $69.95 (800) 441-7234, (541) 334-6054 http://www.symantec.com

If you're searching for a security suite to protect your PC from hackers, viruses, unauthorized connections, and sensitive Web site material, Norton Internet Security 2000 is the package to choose. The suite includes Norton's Privacy Control to prevent cookies from landing on your hard drive, Norton AntiVirus to ward off viruses, and Norton Personal Firewall to protect against hackers. (Personal Firewall is also a standalone security product we review below.)

After you install the program, the Main Status Window appears so you can immediately set your security settings. The sections in this window include Security, Privacy, Parental Control, Ad Blocking, and Accounts. The first step is to create different accounts for each PC user. Next, you'll move on to the Security section, where you'll use a slider to determine the security settings. Minimal will protect your PC while you use the Internet without security alerts, Medium will close access to hackers, and High blocks Internet access to everyone except those permitted access by the administrator. You'll find similar adjustments in the Privacy section. The Parental Control section lets you establish the Web sites younger users can access while the Ad Blocking area allows you to block all banner ads from Web sites. The program also features an event log with a list of ads the software blocked, sites that requested cookies, and Web sites the PC visited.

This suite is the most comprehensive security software because of its numerous security settings and built-in firewall features. Internet Security 2000's integrated firewall protects your PC from unauthorized intrusions by alerting you when others are attempting to access your data. In addition, it blocks your credit card or cookie information from reaching the Internet if a Web site is not secure.

This suite would be a great investment for those who use an always-on broadband connection. Internet Security 2000 is our top choice among the security software packages we've reviewed here.

Symantec Norton Personal Firewall 2000 $49.95 (800) 441-7234, (541) 334-6054 symantec.com

If you have a broadband connection or spend a lot of time shopping online, Personal Firewall 2000 is a solid program for keeping your personal data private. Personal Firewall blocks hackers from accessing your PC and sends you an alert if there is a security risk. The software also blocks Java applets and ActiveX programs from running without your permission, and it blocks the cookies of unfamiliar sites from entering or leaving your system.

After installing the program, you can establish security and privacy rules in the Main Status Window to prevent hackers from wreaking havoc on your PC. The Status button features a current calculation of how many unauthorized users, Java applets, ActiveX programs, and cookies the program blocked. Similar to Internet Security 2000, Personal Firewall includes the Security and Privacy buttons in the Main Status Window. You can adjust these settings by using your mouse to drag the slider among the Minimal, Medium, and High levels. Personal Firewall includes many valuable features for anyone who uses the Internet.

The program will not send your personal information to a site if it determines the site is not secure, and it can prevent your browser from sending data such as your e-mail address without your permission. Finally, you can use the LiveUpdate feature to connect to Symantec's Web site and download free updates to keep your system secure.

by Buffy Cranford-Petelle

Buying Tips: First determine if you need basic security settings to protect against Internet hackers or a comprehensive package with an antivirus program, parental controls, and credit card-information protection. Look for a package that can create different security levels for each user. Adult users in the house might be upset if the security setup only allows access to the Disney home page. Develop a family Internet policy at home and decide as a group which type of security package everyone is comfortable with. 	

Sep 2000 Vol.11 Issue 9 Page(s) 22 in print issue. Lock Down Your System.

ZoneAlarm 2.1 Free for personal use; $19.95 per PC for businesses Zone Labs (415) 547-0050 http://www.zonelabs.com

As convenient as an always-on broadband Internet connection may be, having a persistent Internet connection can be a serious security hole. After all, vandals and other Internet outlaws can access your system over the same network you use to access news and sports scores. As always-on connections become more popular, so will personal firewalls. A personal firewall protects your data by letting you control access to your computer.

Firewalls can be extremely complicated, but Zone Labs' personal firewall, ZoneAlarm 2.1, provides an easy way for you to protect your system. ZoneAlarm has a pleasingly simple interface that lets the user easily configure the software with a minimum of options. When you run an Internet application, ZoneAlarm asks whether you want that application to be able to access the Internet. This may seem like an annoyance; after all, if you start Internet Explorer, you naturally want to access the Internet. However, the number of programs that access the Internet without your knowledge may surprise you. Once we had our applications set up, we had no problem with ZoneAlarm accidentally refusing them Internet access.

ZoneAlarm also can help protect you from outside intruders by making your computer invisible to hackers. In addition, MailSafe, a new feature in ZoneAlarm, helps protect against Visual Basic script viruses, such as ILOVEYOU, which ravaged systems a few months ago.

Another nice feature is the Lock button that completely shuts down all access to the Internet. You can configure some programs to bypass the lock, so you can use your e-mail application even if no other applications can access the Internet. Also, the program's large Stop button lets you instantly stop any data transmissions.

Unlike some commercial packages, ZoneAlarm is strictly a personal firewall and lacks the privacy guards and content filters found in some commercial packages. As a result, it's a bit more limited than a package such as McAfee GuardDog, but ZoneAlarm is available free for personal use ($19.95 per computer for businesses).

SSH is an encrypted remote login, remote command execution, and file copy tool - a compatible replacement for the Berkeley rlogin/rsh/rcp suite that's got strong cryptographic authentication and session encryption, to the point where it's suitable for running over the Internet.
Check out www.ssh.org/ for references to the commercial versions, and URL:net.lut.ac.uk/psst/ for the many free ones.

The Internet works by sending information from PC to PC until the information reaches its destination. When data is sent from point A to point B, every PC in between has an opportunity to look at what's being sent. This can pose a security problem. For example, you are viewing a clothing catalog on the World Wide Web and you decide to buy a shirt. This requires that you type information into an order form, including your credit-card number.

You know the clothing company in question is reputable, so you type your credit-card number and other information, and then send the completed form. Your information passes from PC to PC on its way to the clothing company. Unfortunately, one of the PCs in between has been infiltrated by criminals who watch the data passing through that computer until they see something interesting, such as your credit-card number.

How often does something like this happen? It's hard to say, but the important thing is that it's technically possible. And, as the Internet grows, it will happen more and more.

How does MS Internet Explorer help protect you and your data? Many Internet sites are equipped to prevent unauthorized people from seeing the data sent to or from those sites. These are called "secure" sites. Because Internet Explorer supports the security protocols used by secure sites, you can send information to a secure site with safety and confidence. (When you are viewing a page from a secure site, Internet Explorer displays a "lock" icon on the status bar.)

Internet Explorer can also notify you when you are about to do something that might pose a security risk. For example, if you are about to send your credit-card number to a nonsecure site, Internet Explorer can warn you that the site is not secure. If the site claims to be secure but its security credentials are suspect, Internet Explorer can warn you that the site might have been tampered with or might be misrepresenting itself. To specify when Internet Explorer should warn you, click the View menu, click Options, and then click the Security tab.
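
The nonsecure-site warning described above can be reproduced as a check on a page's order forms. The following Python code is an added example, not code from Internet Explorer or from the original page; the sample HTML, the example.com URLs, and the list of sensitive field-name hints are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Field-name fragments treated as sensitive (an assumption for this example).
SENSITIVE_HINTS = ("card", "cvv", "cvc", "passw")

# Constructed sample page, not taken from any real site.
SAMPLE_ORDER_PAGE = """
<form action="/order" method="post">
  <input name="size"><input name="card_number"><input type="submit">
</form>
<form action="https://pay.example.com/charge" method="post">
  <input name="card_number"><input name="cvv">
</form>
<form action="/search"><input name="q"></form>
"""

class FormCollector(HTMLParser):
    """Record each form's action and the (name, type) of its inputs."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(
                ((a.get("name") or "").lower(), (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def insecure_submissions(page_url, html):
    """List (target URL, sensitive field names) for forms sent without https."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # An empty or relative action resolves against the page's own URL.
        target = urljoin(page_url, form["action"])
        names = [n for n, t in form["fields"]
                 if t == "password" or any(h in n for h in SENSITIVE_HINTS)]
        if names and urlparse(target).scheme != "https":
            findings.append((target, names))
    return findings
```

Because the form's destination is resolved separately from the page URL, the check also flags a page that shows the lock icon but submits its form to a plain http address.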
