Focus 580; Internet Security and Safe Computing Issues
Transcript
This transcript was received from a third party and/or generated by a computer. Its accuracy has not been verified. If this transcript has significant errors that should be corrected, let us know, so we can add it to FIX IT+.
Well we'll stay here. Hello to our rescue for Mr. Cooper thanks for talking with us. No problem. Good morning. Maybe a talk for a second about TruSecure and about what you do. Well, as Surgeon General at TruSecure it's my job to try and promote public safety on the Internet and take on our company's philosophy of mitigating risks in order to ensure security as far along into the public as possible. And do mostly you deal with businesses and people who have large networks and so forth? Yes, in general we do. I run a very public mailing list called NTBugtraq that gives as much information as we can to anybody who's interested in hearing about it. OK. And here in studio fortune. Bob, what do you, what do you do in your capacity as coordinator of security, computer security, for campus? Well, it falls to me to take care of the incident response for campus when the network people or other sources overheard us two particular machines that have problems.
It is my task as well as my staff's to go ahead and get out to the departments and inform them of this, and in some cases, we are in an active attack situation let's say, we would go ahead and filter those machines so that they could do no more damage on the Internet. OK, and CCS, what is the function of this office? Well, actually I'm with the operations center in CCSO, whose primary mission is to support network administrators, and I have been working in our network administrator support group for a couple years, and as part of my responsibility to make sure the network administrators have the necessary tools, in working with the campus site license for anti-virus software and making sure that the virus fighters on campus have the necessary tools and looking very closely at anti-virus software. OK, let's, maybe we can talk for a moment again about Code Red, which is just sort of the latest problem that's come along
and if and I think that probably there are people particular people who are familiar that familiar with computers might still be a little unsure what exactly this is and what it does. So maybe one of you could give a real basic explanation of what, what it is and where it came from. Maybe I'll ask Mark to do that and anybody else wants to comment after that can do that. Well, let me start with some very basics. The Code Red is a worm, and I think for people that are new to computers, understanding the difference between a virus and a worm is important in understanding how these things work. The Code Red worm can infect your system and go on to degrade networks and infect other systems without any intervention whatsoever on your part. Whereas a virus, you have to actually trigger the virus for it to happen. You know, a lot of e-mail viruses, you have to open the attachment before the virus can be unleashed, in the sense that you have to have intimate contact with somebody to catch it.
Biological virus you know somebody has to at least sneeze in your face or you know not wash your hands and shake hands or whatever. The way we pass a cold virus with a computer virus the viruses are dormant until they're activated until you actually execute a program to which that virus is attached whereas a worm it can sort of crawl from one system to another on its own taking advantages of the network connections and the vulnerabilities on that system. And this is essentially what the Code Red worm does it takes advantage of some security flaws that got past Microsoft's testing. There Microsoft has released about once a month sometimes twice a month. Major bulletins about drastically major security problems with their software. And this worm is taking advantage of some of those to break into your system so if you aren't patching your system on a regular basis with the latest Microsoft security
updates you're vulnerable. Russ and you connected to the internet do you. Maybe I'll ask you this question. Do people know where this came from? They rushed three versions of the worm and I would just add one little clarification to what a worm is or what this worm is. This is just like somebody coming to your website and asking for any page that you might have on your website. That's how this worm gets to your computer. Even though you don't have the page that it's asking for, it uses that method to get there. Trying to track down who this is, we have a pretty good idea who this latest variant came from, the one on Saturday. We, just as a little background, TruSecure Corporation certifies all antivirus software, we're the only company in the world that does that. So we helped establish what anti-virus software should or shouldn't do. This one, because it isn't actually coming in the normal methods, it's coming as a web page request, isn't something that most antivirus software looks for. A couple
companies have released things that will detect it once already on your computer but they don't look for it as it's getting there. They do in the case of email and other ways. But as far as figuring out did the first version and really they were the ones that sort of started to open the door started to to abuse this is probably going to be impossible to ever figure that out. This latest version comes from a group who likes to brag and so as a result it's far easier to figure out who wrote it. Buster's it's a more sophisticated program this time. The first ones were pretty crude in the way they operated this one is it is a bit more sophisticated and so we can see programming style and technique in this one that we've seen in others from the same group. Well see given the fact as you just said if if most anti-virus programs won't can't detect this then what does one do to protect yourself against it. Well first of all this. Isn't going this isn't going to have any effect
on most computers for people on a campus for example or the average person at home. If you're running Windows 95 Windows 98 Windows Millennium Edition a Macintosh computer then you're completely unaffected by this. Other than the consumption of bandwidth your internet connection might get slower because these things that are attacking have no idea who they're attacking they'll attack everybody and anybody. So you may get attacked but there's actually the tools on your computer aren't there to allow this thing to work. So if you're running a web server generally you wouldn't be running other programs on your web server and that would involve the potential for viruses. So in this case crime is not something that you would normally detect by an anti-virus product anyway. You would have to detect this based on the actions of your computer. So there's a there's a program that you can run on your computer that will tell you what all network connections you're currently making and have been made to you and by running that you could see that you were making outbound
connections when your web server normally would only be accepting inbound connections. And when you see that rise then you would know that you are now participating in the attack and therefore have been affected. We prefer instead there's an easier way for you to go and check and has to check whether you're vulnerable because if you. First whether you're vulnerable and you or you can fix it whether you're participating in the attack or not. That check should be made. Has this cured turned to Bob. Has this caused any problems that you have seen on the UI campus here in Champaign? I'd say that we've had our fair share in the last month or so. There's probably been maybe a couple hundred machines. We get more and more detected as time goes on, but we are working with network administrators to address that sort of problem. Maybe I'll take the second here real quick to introduce everybody. We're talking here of this morning about Internet security and safe computing issues and we're certainly open to your questions. Joining us by phone Russ
Cooper, who is Surgeon General at TruSecure, which is a computer security company, forces here who's coordinator of campus security for computing here on the UI campus in marks and so he's a research programmer with the computing and communications services office on the UI campus, and questions are welcome, that's really the one of the reasons that we're here. If you'd like to call and have particular question, 3 3 3 9 4 5 5, that's the Champaign-Urbana number. We do also have a toll free line. That's good. Anywhere that you can hear a sound that is a hundred to 2 2 9 4 5. I've been having some some stories about this. What's kind of striking is that it seems that the party that people have chosen to be irritated with is Microsoft, because they say that it, that this particular Code Red deal takes advantage of a problem with the Microsoft product, and they say Microsoft should have gone over it with the proverbial fine tooth comb and found that and never let that
get out. And they say that in at least as far something like this is concerned that this really is a software manufacturing issue and they're the ones that truly are at fault. Is that fair. I can argue both sides of that. I have to take the non-Microsoft side and I'll take the mike. Well the non-Microsoft side is that the in this is this applies to vendors other than just Microsoft. With the increasing pressure to get products to market quickly it's harder and harder to do rigorous testing long beta periods where these things can crop up and you know it's hard to get enough programmers to carefully review their code with security implications in mind. You know the security people may be off in one corner of the company and they're not going to look at every line of code that every programmer produces everywhere else in the company. And so it's it is a very difficult challenge when you have something
as large and complex as the Microsoft operating system to prevent these kind of things. And it's also very difficult once they have a fix, it takes, there's about a month lead time before it shows up in their automatic updates as they test that the fix doesn't cause more problems than the problem it solves. So while they may release it immediately for the technical elite who know to look at the Microsoft security bulletins or subscribe to a newsletter such as NTBugtraq to find out about it right away, you know, if your average person has decided to run NT or Windows 2000 because it's more stable than Windows 9x and they just rely on Windows Update to tell them when they need to fix something, they're not going to get it. So in that sense Microsoft is not good at notifying the average consumer that chooses to use their higher end
products. And you know they have the same challenges that other companies have. Although I heard something interesting, we had a security expert on campus give a lecture a few months ago, Gene Spafford, who sort of wrote the definitive paper on the Morris Internet worm a long time ago, and he said that actually it's going to be insurance that forces Microsoft to either lose market share or clean up their act because the cost of insuring data centers against down time. It is going to be a purely economic factor as, as reliability becomes a greater factor. While I love Spaf, I don't think insurance companies are going to make as much of a difference as some of them would like to think. But there's blame to go around to virtually everybody involved in this, unfortunately. Microsoft responds to market demand, it provides features in their products that the market demands. They also want to provide the functionality that the market expects, which is that I turn the computer on
and I can do everything that I've been told I could do and should be able to do 10 things that I wasn't told I could do as well. So in that respect they provide the product to the customer in the way the customer wants it, in the way the OEMs, the Dells and Compaqs of the world, want to deliver it to those customers, and usually that's focused around reduced support costs. So the wider open it is when I get it up and running, the more likely it is I'll be able to achieve what I'm trying to do and I won't call for support. But the public as well has got to accept a certain amount of blame because they have realized for a long time, I hope, that they've got a very sophisticated and powerful piece of equipment in front of them and they've chosen not to do much in terms of learning how to use it or how to use it properly or what things should or shouldn't be done. They've accepted many of the, of the myths of the Internet, that it's a free anonymous open place to do absolutely anything and everything that you ever wanted to do without any form of responsibility of whether or not your computer is or isn't harming it
and so they sit back and expect that somebody is going to push something down to their computer that will fix everything and make it not be bad or be secure or protect their privacy or whatever. And in reality, because of that, the level of development that we're at right now with the Internet, I mean we're in its raw infancy, embryonic stage almost, none of that is true. I mean yeah, you could expect that to happen and some people pretend to make that happen, but in fact it really is incumbent upon the user themselves to take the steps necessary to protect themselves and protect others from them. Well, just with this particular problem now, Microsoft has developed a fix which they are making available free to anybody who wants it. Does that take care of the problem? Well that's. Let's get this into focus. Over 2 years ago Microsoft produced a recommendation that would have prevented you from being vulnerable to this particular attack, which was first announced in June.
So when it was announced in June the fix was simultaneously announced, so the fix has been available since it was publicly announced that there was a problem. Should that have fixed it? Yes. Should people have been proactive and have applied the recommendation that even Microsoft was making two years ago? Definitely. But it is this you know I don't think about it I didn't even know I had the web server running on my computer. This is part of the problem why we, we still have boxes that are vulnerable to it now. And that's one place where I would criticize Microsoft. The web server's installed by default in any installation of Windows 2000, and so somebody who sets up a new machine comes with Windows 2000 out of the box, they don't even know they're running a web server, there's no real notification. I would make one correction there, that's true for Windows 2000 Server, an operating system that costs, in the States, in excess of three, four hundred dollars, as opposed to Windows 2000 Professional, which is the desktop version that most people are
likely running. Most people that I've helped clean up and patch have been running 2000 Professional and they've told me they never activated I guess it's not on there. I'm sorry, it's just, it doesn't install as part of the default installation. If you install FrontPage or something like that I know you get it too that way certainly. Yeah, there's all kinds of ways people get on the computer, it just doesn't get on there out of the box, and it also could be where they were buying the computers that the, some of the OEM vendors pre-installed options that would not normally be there as part of the default installation because they want to give their customers more features or make it appear like their machines are easier to use. Well it seems, it sounds from what you're saying, it sounds to me like really one issue here that has to be confronted is that as more and more people have these machines, and I would put myself in this category of people who, and I really don't, I really don't know how it works. If I have a problem I get one of the first guys to holler for somebody who knows to come help me. I barely know which buttons to push to make it
to go. And it sounds as if what you all are saying is that you really can't quite be that way, you've got to be a little bit more conscientious or at least try to keep up with the, these kinds of problems that might come along, and you can't, you can't just really just take the mindset that says I know how to turn it on, I know how to get it to do the things I want, and that's really all I need to know about this machine. There are certainly devices that are being produced today that work more like that than a personal computer. A personal computer has, you know, a lot of scope that it can cover. If you take even something like an Xbox when it comes out, it will have, you know, more limited functionality and so there may not be quite as much to learn as there would be with a personal computer. But you're right, you, people do have to get a better grasp on what they have. But we, the vendor community, have to do a much better job of explaining to you what you
have and what you should do and what you shouldn't do and how you do that. I mean I sent something out to my list a week ago that said, you know, I tried to go in, take a computer, in this case the Windows NT computer, and apply all of the fixes that I should have on this box according to all of the recommendations, and I found five different places on Microsoft's website that told me what I should do. No two alike and none of them comprehensive. So you know that's, that's a failing grade there on getting the information to the public. But we have seen that offers a service. And there's another company called Big Fix that offers a service that will tell you every little thing that needs to be done and they try and do some value add by giving you some information. These are a good step forward but that's a far cry from the public's expectation that they should be able to just sit down at the computer and, you know, go to a website. We have to do a better job. Yeah I think you want to.
Yeah I just wanted to chime in here that I think I tend to agree with with both of the last comments that it will take a change in mindset on behalf of the user the user is working from the perspective that if it's not broke don't fix it. And clearly in all of these kinds of things the users typically the last person to know that they have a problem. Right. And so the mindset of I do have this fairly powerful machine at my disposal and I have a. I don't know if you want to call it a responsibility probably for sure that my machine is doing everything correctly and I should take some steps as preventive maintenance or something just like you would dust off the keyboard or wipe off the screen and get the dust off except in that Dave's case here. Oh every month or two. But in preventive maintenance one should be looking and saying OK what
new updates are available from my machine. Some of these things will prevent problems, others will add to more services, and typically these things are at no cost to the user, they sort of come with the price you pay for the operating system. And so I would suggest that until the users actually have a mindset that they have a responsibility to keep current with their operating system instead of the thinking of it's not broke I'm not going to touch it, I think that we're going to still have these problems. We're about midpoint here and would welcome whatever questions people have. We're talking about the issue of Internet security and safe computing and we have three guests here, bub force last guy you heard a coordinator of campus security computer security issues for the UI. Here he is a research programmer with the Office of computing and communications services, and joining us by telephone Russ Cooper from TruSecure, a computer
security company. And if you have questions you should certainly take the opportunity to talk to our guest here. 3 3 3 9 4 5 5 toll free 800 to 2 2 9 4 5. Well why don't we talk about what sort of the basics of what people should have and maybe one place we can start is with anti-virus software. She is this something that everybody should have on their computer. Except for hermits. If you have no internet connection and you never exchange information with anyone else you don't need anti-virus software. However the whole purpose for having a computer is to exchange information with other people and so you are exchanging floppies. Other media email connecting to the Internet anti-virus software is only one small piece but it's getting to the point where there are at last count last week there were Network Associates counted fifty eight thousand two hundred eighty six viruses out there and there's somewhere between 50 and
200 new ones coming out every week. And that's not including minor variations of existing viruses. So having an anti-virus package is very important. I used to say if you practice safe computing and you don't boot from untrusted disks and, you know, you follow a few basic rules, you could get by without anti-virus software. But nowadays the virus issues are too complex, that you're not going to remember everything on your own, that you, that you really need an anti-virus package. And there are a lot of them out there, there are a few free ones. At anti-virus dot com there's a web based one from the Trend Micro folks, Computer Associates has a free one for personal use. And then if you're affiliated with the university, the university has purchased one of the major vendor products for all the students, faculty and staff at the university. And if you're not aware of that you can easily find it from the UI home page by clicking on
software. So an anti-virus software is a key part and then the other part with any operating system today is regular updates and if you're running Windows I would tell people to certainly take advantage of the Windows Update feature on a regular basis. You know that that's the no brainer. You know eventually the protection will show up there may be too late. But eventually it will show up there. And I tell people always run the critical updates critical updates of the security updates that are really important and you know you don't have to pay attention to the latest Windows Media Player release or the very latest web browser. But the security updates you really want to look at those carefully and thankfully Microsoft has added a utility called the Critical Update notifier that whenever you connect to the internet it will look to see if there's a critical update and tell you it's time to run Windows Update. So between updating an anti-virus software
the third thing that you can do is listen to shows like this and pick up a few other things that you can learn about safe computing, to learn, you know, how these things get from one place to another and what sort of things cause you to be vulnerable. Did you have some more comments Rusty. Sure. I actually had the owners of the Windows Update and the Microsoft Security bulletin the serum I was on that weekend and we went over that lag time issue and that is going to get a lot better soon. So it is a problem but it will get better. I would say that those are really the best ways, but I do honestly believe that you can practice safe computing if you, if you take a few simple steps. One of them for example is if you use Outlook, disable the preview pane and use AutoPreview instead, which gives you three lines of non scriptable code, so you will only see the first three lines of the image and read it before you open it.
I get an awful lot of SirCam infected messages this week and other infected messages other week from people that I know, and, and so you know just looking at the top three lines tells me whether or not this really is an email message to me or not, and instead of being curious about what it is, just delete it. I mean the biggest problem we have is like the I Love You virus, where you know a whole bunch of men were telling a whole bunch of men that they love them and men wanted to know why, and that curiosity is what caused that particular worm or virus to spread as much as it did. So they get the curiosity, you know, look outside your dorm window and see what's going on out there if you're curious about something, but when it comes to computing just delete it. Well I have now have you know seen a lot of the stuff that I've read references that people say they're almost to the point where if they get an email with an attachment. Better to them what it is. Who said it to them. It's almost the point where even if they know the person who sent it to them they're simply deleting it.
Well that's a very good practice. I mean the biggest threat that we face and have faced for the last 12 to 18 months is attachments. And you know at TruSecure one of our guiding principles is to eliminate 80 percent of the problem with 20 percent of the effort. And so if you say I'll just delete every message I get with an attachment, that you have deleted 80 percent of the potential for being infected with anything. You can always send an email back to the person, not as a reply to that message because typically that will open the message up, but as send a message back to the individual and say, did you just send me an attachment? I have a safe email practices back up on my website at ntbugtraq.com that says, you know, if you're going to send somebody an email with an attachment then send them an e-mail ahead of that that says that I am going to send you an email with an attachment and here's what the attachment is and why I'm sending it to you, and then send them a second email that includes that attachment. If we do, if you don't know why you're receiving an attachment then you should not be opening it, period. We have a couple callers, want to find out what's on their mind, they're both in Urbana. We do that
starting with the first person on one number one. Hello. Hi there. Yeah I've sort of been following this whole virus stuff for several years and I hear all the time about you're mentioning like Outlook Express and attachments and Microsoft web server and Microsoft updates and isn't wouldn't be a solution to to get a safe computing experience to sort of eliminate Microsoft from your computing life. Is that is that a good option like you know Linux or the Mac OS. What do you mean there's an alternative to Microsoft. Oh well I don't know. If you're joking. Well try not to go down the religious war too far. PENCIL. And if that pencil is not useful to you then get another pencil and unfortunately or fortunately depending on how you look at it there are about 300 million people that use the same kind of pencil and they find it an
enjoyable experience. So convince them all that they should be using something else. It isn't really a viable scheme. There are certainly alternatives to Outlook Express or outlook by the way Outlook 6 will be the lat or Outlook Express 6 will be the last version of Outlook Express to ever exist which is a good thing. But you know you could use Eudora as opposed to Outlook and there's certainly more security conscious people tend to use Eudora rather than Outlook. And these are for people who may have no idea what we're talking about these are email. Sorry yes the email program. I personally use Outlook 2000 so I'm quite comfortable with its ability to control problems. I personally would like to see some alternatives to Microsoft but it's a real chicken and the egg problem. Every software peripheral or every piece of software or every device that I buy to attach to my computer comes with a driver that works with Microsoft Windows and I'm lucky if it supports a Macintosh or a Linux system
or that somebody has written a Linux driver, and in a market like that it's very difficult for anything to compete with Microsoft. And I think having some diversity and some other solutions has the benefit that the vulnerabilities aren't as widespread, you know. It complicates the issues that, you know, if a hacker wants to write a virus it can generally only affect one platform, although the Microsoft Office suite generated the first major wave of cross-platform viruses with the email virus in Word document viruses. But if we did that Mark we might have to double your staff over there at The Help Desk. That's right. Everything is a two edged sword. There's an upside and a downside to everything. I would like to see, personally I would like to see Linux succeed in competing with Microsoft just because the competition forces everybody to be a little bit sharper about what they do.
But there was as many vulnerabilities announced in Linux over the last 12 months as there have been about Windows 2000. Yes but at least there are thousands of people looking at the Linux source code and combing it for new vulnerabilities. There are a lot of, it's a lot easier for people to secure Linux than to secure a proprietary system that very few people have access to the source code. I would just say too bad that didn't cause us to have fewer vulnerabilities than Windows did. I want to go back to the call here because I'm not sure we've answered your, oh yes, question. Yeah I'm just listening. But yes thanks for your comments. OK very good I think. Yeah. It makes me think about this whole issue of how difficult or easy it is for somebody to come along and have a competitive product to Microsoft. The Microsoft folks are always saying hey it's an open market, come on, anybody can start their own company and get in here and just go toe to toe with us, but if you're like Microsoft and you're already are on what, 80 percent of the machines in the world, that makes it a little
difficult for somebody else to come along and it's something in the last 12 months that we've sort of started to see a reduction in macro viruses, usually propagated in Microsoft Word. And the reason for that is because there are thousands of companies and individual consultants who make a living, that don't work for Microsoft, make a living writing applications packages or individual customized environments on macros. Their insistence that macros be enabled by default be blocked automatically etc. that help perpetuate macros continuing to be a big virus threat. So you know in Microsoft's defense they created an industry or helped assist create an industry that makes a thriving income off of this relatively insecure feature, and luckily for us they were happy to go to the new method, which is that macros have a digital signature on them to help avoid the virus problem, but nevertheless there was a lot of pushback when Microsoft tried to make a
post to make macros less easy to work. Let's take another call here, this is also Urbana. It's line two. Hello. I would like to go back to this issue of user responsibility that you discussed a little bit ago. Over the, over the years I've worked with many many people on education and use of computers and found the, you know, the people that, that know what they're doing like you guys sometimes seem to forget that we have a just it you know average joe there that may not be able to, to get there to get their VCR to work very well, let alone have to go out and look for the documentation necessary to learn about the kinds of things that we're talking about. I think part of the problem is plain and simple, it's marketing. Companies like Microsoft that want to spend a lot of money telling us how easy the computer is to use and lull the users into thinking that all I have to do is turn it on and use it. That's the kind of message that they get and that's what they expect. So it's.
I agree that users do have a responsibility though I also think that, that companies like Microsoft have a greater responsibility to educate the users. I'll hang up and listen to any comments that you might have. Thank you. OK you want to. So I don't think so. I think you're absolutely right that it's definitely incumbent upon the marketing departments of companies to, to ensure that they're not creating false expectations. As a Canadian watching American TV as I do, I'm always amazed at what I think is false misleading advertising that seems to go out at the same time. I don't know about in the Chicago area but certainly here in Canada you're not allowed to stand on the side of the highway and hitchhike or walk down the middle of the highway, the highway is meant for cars and people that know how to drive them and so on. And you know maybe there's a point where we have to say, well you know you can get into the inside of AOL without a license, but if you're going to go out onto the internet then you have to show that you've been able to learn a certain amount of things.
Yeah. Very good point. And as you said before there are things like Internet appliances that are much more limited in their capability. That may be more suited for somebody who doesn't want to learn a whole lot about general purpose computer. And again it's another one of these double edged sword thing. A general purpose computer can do all kinds of things but it's much more complex and requires a significant investment in education to learn how to use it properly. I would just add that there are there is a whole other economy surrounding all the computer software stuff and that's the training and certification efforts. At some point the software becomes so complicated that you do have to go out and get specialized training on it and then carry around your certification if you will. MSEE is one of the big ones that people go after and I think the caller has brought up a valid point that yes there
is some responsibility and there is some marketing there on the part of the software vendor but I think that's a most mitigated by the fact that they do provide the software update things that are fairly simple to just point and click and it'll go and download all of the current stuff and update your system to the appropriate levels. So in that regard I think all the vendors are pretty much doing the same sort of thing and that but I would like to hear what Russ might think about this. Alternative economy if you will of training and certification. Well I think training and certification has its place but I think the public perceives that as being one person amongst 50 who's had that training and certification and then they become the translator to them to show them how they do the four things that out of the 100 things that should be done that they that they need to do someone else fix my computer I'm going to get a coffee.
Is is is a common mentality unfortunately and it is to a certain extent it should be I mean the public should be able to sit down at a computer in a web cafe and go to hotmail and read their email and walk away and not have to worry that you know they've they've lost all of their privacy or that or that the web cafe should worry that somebody could sit down and go and attack the Internet from that computer so we want that appliance we're just not there yet and the infrastructure that we're building on the Internet as it is today doesn't really do that. So we sort of have to either evolve it into a new internet that does do that well or create another space where more things happen. I was going to bring up the point about how the campus is probably to me the ideal example of what the internet needs to become in the sense that within the campus the campus has its firewalls to the Internet and does or doesn't allow traffic into certain computers and people within the campus have a helpdesk environment that they call when they have problems. But they also exert. Control that
if a computer in the campus is doing some really bad stuff and they'll disconnect it or block its address throughout the campus and they regulate it and if it's there for the betterment of everybody that's using it in a diversity of ways that they're using it. But the at home network or the roadrunner network or the AT&T DSL type networks don't see themselves as having to do that. They don't feel any responsibility over what the computers on their network are doing and what they may be doing to the rest of the Internet. They don't make very little attempt at protecting their customers from what the Internet could do to them. And that difference to me is where is one of the biggest things that we need to change so that if we should create communities of responsibility like the university does now so that we can avoid the risks that that that the end user has to learn about as much as possible. We have a caller here our toll free line in the brassica. Well go
right there you are you listening to us over the Internet. Absolutely. Very good. Go ahead. Good morning. I teach you to university here and I'm working on a collaborative project with with some other people. And I give them access to files on my hard drive by assigning the directory permissions so that they do so that their user names are allowed to access the folder. I'm running Windows 2000 now. Our computer folks here said that they detected the fact that I'd done this in a security sweep and they said that that's not safe and that I should change it. So far they haven't forced me to do so but I expect it will too. Can you tell me. I can't really get a straight answer from them about what the dangers are. Can you clarify this for me and what I can do about it. I'm assuming you're giving them access via SDP or something.
No I'm sending to the folder permissions to allow access over the network using Windows or window file window file share. Yeah the problem is rather is a couple of problems. The first is that over that same connection that they're using to get access to your files they can do a variety of other things. That window supports using that what we call the protocol and unless you are auditing there's a feature in your computer that would allow you to audit and checking that auditing on a regular basis you really wouldn't have any idea that they're doing this and so they could be trying your own User ID against your computer for example to learn what your password is. Or they could be trying the administrator user ID to learn what its password is the other problem is that how they're getting into you through whatever. The Gateway firewall might be if you have one. If there
is no blocking If you're just open to the Internet then the same thing could be occurring on lots of other computers inside your network. We have a firewall and everybody who is authorized to do so is operating with inside the net. You rant so so you have gotten permission to have this facility open to your computer from the internet. So so it really. Here I'll box that's at risk. I mean it's not it's not a high risk that you're presenting other than you know your your own data may get compromised and if you are doing auditing then you can control that. And if corporate security people or the university security people have the ability to take your audit logs then they they could be including those as part of regular analysis. But it probably would be better to find another way to do that. It is a bit more secure and certainly if DP is not it but using a web server with SSL set outside of your firewall and you can sing your files to their for sharing and people going there and downloading them based on
that occasion against the web server would be a far more secure way of doing what you're doing. The problem is that database work that is being continually updated. And so more than one person would need access to it. Because they all did all these people updated right. And what security are you using to verify that they're providing you with the correct updates. I you know I run at our seat I don't want to see a I will happily walk through all of the problems but this is a problem of security when you try and talk to the average person and I don't mean the caller in particular but in general for you know just one risk you know right you the problem if you say something that sounds absolutely right as far as I know but I just get a blank look over my face and I'm thinking what is he talking about he just lost it. Oh well I think I'll hash it out with our folks here. Put Thank you. You did clarified for me a little bit.
All right well thanks to the CO. Sure. We're coming down the point here we have a couple minutes left. I guess I did want to come back for a second to the issue of the firewall. We did talk about the fact that we're now saying that virtually everyone should have virus protection software and their computers should if anybody was say anybody who does use the Internet should anybody like that also have a firewall for their machine. Russ do you want to start. Sure definitely I think you know there's absolutely no harm in having a firewall on every computer on the planet. Marcus Ranum who basically created Internet firewalls and I had this debate about three years ago and he strongly disagreed with me but I think he's sort of come around a bit. If nothing else it lets you through to the threats that are out there. At a bare minimum and better than that in most cases it will prevent connections that you don't want to have happen so definitely a ZoneAlarm or
a similar thing Symantec makes PCs are well as well are both very reasonable products to use. Don't rely on them to protect you from absolutely everything and anything. I was reading about an Activision game the other day that would happily accommodate computers that were behind a network address translation which some people think is a form of security and take both the hidden address and the public address and send them both up to the game server and put them together and the whole idea of the network address translation is to stop that combination being put together. So you might run something on your computer that would totally make your firewall obsolete but nevertheless having it there is a great start. Yeah I think it's a good point firewalls are useful tools but they can create a false sense of security. We're really just about the point where you have to stop. I'm sure that on the other day it will come back to some of this again but I guess I'd like to say is there anything that you liked at last thought that you'd like to leave with people before we end up
going. Russ maybe. Well you know I appreciate the opportunity to talk to everybody and I just hope that your audience grows because that shows that we're having an effect. OK. And if people are interested in investigating TruSecure and what you're all about they just to go to. I know you have a website stepped up to secure dot com PR you and see you Ari. OK. And for people who are here on the campus who have computing questions if they have some kind of problem they're not quite sure where to go or what to do. They can start with the CCS Help Desk our Resource Center at 2 4 4 0 6 0 8. Well I want to thank all of you very much. Russ Cooper surgeon general at TruSecure. Thank you for talking with us. Thank you very much. And here in Studio 4A and marks in so pleasure thank you. Thank you appreciate it.
Program
Focus 580
Episode
Internet Security and Safe Computing Issues
Producing Organization
WILL Illinois Public Media
Contributing Organization
WILL Illinois Public Media (Urbana, Illinois)
AAPB ID
cpb-aacip-16-zw18k75k1j
Description
with Russ Cooper, Surgeon General at TruSecure, and Bob Foerscht and Mark Zinzow from the University of Illinois
Broadcast Date
2001-08-06
Genres
Talk Show
Subjects
How-to; Security; safe computing; Consumer issues; Technology; telecommunication; Computers; internet
Media type
Sound
Duration
00:45:56
Credits
Producer: Brighton, Jack
Producing Organization: WILL Illinois Public Media
AAPB Contributor Holdings
Illinois Public Media (WILL)
Identifier: cpb-aacip-4238ead01e7 (unknown)
Generation: Copy
Duration: 45:52
Illinois Public Media (WILL)
Identifier: cpb-aacip-576e489a441 (unknown)
Generation: Master
Duration: 45:52
Citations
Chicago: “Focus 580; Internet Security and Safe Computing Issues,” 2001-08-06, WILL Illinois Public Media, American Archive of Public Broadcasting (GBH and the Library of Congress), Boston, MA and Washington, DC, accessed September 9, 2024, http://americanarchive.org/catalog/cpb-aacip-16-zw18k75k1j.
MLA: “Focus 580; Internet Security and Safe Computing Issues.” 2001-08-06. WILL Illinois Public Media, American Archive of Public Broadcasting (GBH and the Library of Congress), Boston, MA and Washington, DC. Web. September 9, 2024. <http://americanarchive.org/catalog/cpb-aacip-16-zw18k75k1j>.
APA: Focus 580; Internet Security and Safe Computing Issues. Boston, MA: WILL Illinois Public Media, American Archive of Public Broadcasting (GBH and the Library of Congress), Boston, MA and Washington, DC. Retrieved from http://americanarchive.org/catalog/cpb-aacip-16-zw18k75k1j