In This Issue:

• Welcome
  
  
• Director's CorNER
  
  
• A Word About the Name
  
  
• Ill Advised
  
  
• Know Tech
  
  
• Tres Chic
  
  
• Membership Drive
  
  
• Wise Guys
  
  
• Links
  
  

Fun with Internet Privacy and Security

As new technologies and the laws that regulate them change rapidly in the whirlwind of the information age, security and the right to privacy have become important issues to consider for librarians and patrons alike.

Vulnerabilities to confidential information passed over the Internet are many. The frantic rush to produce and acquire internet connectivity often leave users unaware of the urgency to secure their information and activity, while software and hardware released by providers comes replete with security holes left unaddressed in the haste of production. In the name of national security, governments all over the globe are enacting legislation that make ways of protecting privacy illegal or (in the case of demanding back doors to encryption programs) ineffective, and the telescreens of George Orwell's 1984 which "received and transmitted simultaneously" and continuously have become an eerie reality with the public paying to have computers with cable modems, DSL (digital subscriber lines) and web cams installed in their homes.

The focus of this column is to provide an overview of basic Internet security, and to demystify some of the ideas (and their acronyms) that comprise a good approach to keeping private information private. The topic this month is Cryptography. Cryptography is the study of transforming information, or data, into a form that is unrecognizable by anyone without the proper "key" and back again, also called encryption and decryption.

Why are Internet users interested in encrypting their data? Because the very nature of the way the internet transfers information can put it in the hands of just about anyone who wants access to it… Well almost. The Internet is indeed a net of lines connected by nodes by which two destination nodes may have a number of potential pathways between them. It was designed this way, so that in the event of the failure of any number of connecting lines or nodes, information could travel from a source to a destination along some circuitous route. Information transferred over the Internet is chopped up into little TCP/IP (Transmission Control Protocol / Internet Protocol) "packets" that are shot off to travel individually through various routes and routers to their destination address (specified by the TCP/IP), where they are reassembled back into whole files.

The drawback of that technology is that anyone at any network computer along that path could circumvent the filters that mask traffic that is not designated for their specific address, and "sniff" or access and read that information. If that information is unencrypted plain text, it is open to the world. So, with all of your credit card numbers, bank account information, patient medical records, network passwords, grandmother's top secret cookie recipes, and steamy love letters that you've written to someone you just met in an internet chat room bouncing around the world's computers, the only way to ensure their confidentiality is to encrypt them.

Cryptographic systems can range from a kid's spy decoder ring (not recommended for use on the Internet) that shift text "n" letters in code (if n=2 then dog=fqi), to ultra complex mathematical algorithms that would theoretically take machines with the computing power currently available thousands or millions of years to determine though brute-force cracking, that is, trying every possible key solution in succession until the correct one is found.

Cryptographic systems are either symmetric, where one key is used for both encryption and decryption, or asymmetric where a key pair is used: a public key for encryption and a private key for decryption. Asymmetric cryptographic systems provide the greatest amount of security and flexibility because access to the private key of the public/private key pair is restricted to the user receiving data. Each user generates their own public and private key pairs, sharing only the public key with people that would want to send encrypted data to them. This way, anyone can encrypt data destined for the user with the public key, but only the user and the user alone with the private key can decrypt that data.

Sounds good, and maybe not even so complicated that you'll have a headache for the rest of the week. But HOW, you ask, can you use encryption to protect your confidential information on the Internet right now? Well here are a few simple tips:

1. Always choose a secure password for your user accounts, and change them frequently. Use words/phrases that are not found in the dictionary (that's how brute force attacks can crack password files, by solving the encryption key by comparing passwords to words found in a dictionary). Random characters with non-alpha keys are ostensibly the best, but often impractical. Be creative, you can make mnemonic devices that are spelled phonetically and use non alpha keys like ! for i , 7 for L , 3 for E and so forth. And read your logs! (if you have access to them) to determine if your reported logins match your actual activity.

2. Use SSL (Secure Socket Layer) for transferring sensitive information to and from your web browser. It uses strong encryption/decryption, is bundled with most web browsers and is easy to use. Check out: http://home.netscape.com/products/security/ssl/

3. Use SSH (Secure Shell) to open terminals and transfer files through encrypted protocols where you'd normally use telnet and ftp. Check out http://www.ssh.com

4. Use PGP (Pretty Good Privacy) to generate public/private key pairs and to work with your email program to send and receive encrypted mail. Check out http://www.pgpi.org

By becoming familiar with some of the encryption software available today and using a little common sense, you can provide a reasonable level of privacy and security for confidential information that you (and your patrons) transfer over the internet and almost certainly prevent all those curious kids out there from starting a global thermonuclear war from your email account.

Shawn Klejmont, Technology Coordinator