They try about once a week. Sometimes it’s a college student in Buffalo, or a hobbyist in Minsk, or an AOLer with a little knowledge. They probe my company’s Internet connection for weaknesses, "twisting the doorknobs" of our computers to see if perhaps we’ve forgotten to lock a door. We’d certainly be safer without an Internet connection, but over the last few years the Internet has achieved a critical mass of both information and participation, and we’re now at a point where the value of Internet access for us far outweighs the risk. Understanding potential vulnerabilities and taking certain precautions can diminish this risk.
Keeping the Bad Guys Out
The best way to keep intruders out of your local network is to secure your perimeter, i.e. make sure that intruders either cannot gain access, or must spend so much time and effort to gain access that they will be discovered well before they do. For most companies nowadays the perimeter consists of two things: dial-in modems and the Internet connection.
To secure modems you must understand the vulnerabilities of the computers to which the modems are connected. Does every account on those machines have a password? Are the passwords non-obvious? Are the accounts of former employees deleted on the day they leave? Do you even know where all of your company’s modems are? If you answer "no" or "not sure" to any one of these questions, then you may be vulnerable to undesired access.
Securing an Internet connection requires a firewall. A firewall is a piece of software, usually running on its own computer, that selectively permits certain outgoing Internet transactions and selectively prohibits most or all incoming ones. It allows you, for example, to browse external Web sites from within your internal network, while making it impossible for outsiders to browse your internal Web site. You are asking for trouble if your organization has an Internet connection without the protection of a firewall; it is like building your house without locks on the doors. Firewalls require less money and less technical expertise than ever before; one very elegant, inexpensive (as these things go) example is the GNAT Box (www.gnatbox.com), which will run on a junker PC that you wouldn’t even impose on your kids. It is secure out of the box, and its basic setup is not out of reach of anyone with moderate technical ability. Bear in mind, though, that a firewall protects only what its rules say it protects: every service you deliberately open to the outside is a door you have chosen to leave unlocked, and the machine behind it must be secured on its own.
Another benefit of most firewall software is Network Address Translation (NAT), a clever way of making an entire network behind the firewall look like a single computer on the outside. Many lower-priced Internet access methods (e.g. cable modems, dial-up ISPs) only provide access for a single computer. If that single computer is instead the external interface of a NAT firewall, you can save big bucks while enhancing your networking convenience and security. Note that the security benefit comes from the firewall’s filtering rules, not from NAT itself; NAT hides your internal addresses, but on its own it does not decide which connections are allowed through.
For those interested in finding out in detail what it takes to protect oneself from Internet-originated abuse, one of the better books on the subject is Practical UNIX and Internet Security, by Simson Garfinkel and Gene Spafford (O’Reilly, 1996).
The other half of doing business over the Internet is making material available to clients and other business partners. There are safe ways to do this, and some profoundly dangerous ways. Unlike a good, secure-out-of-the-box firewall, it can be much harder for a non-expert to safely configure remote data access. A good data exchange technique should fulfill the goals of 1) privacy among clients, i.e. allowing a client access to only his or her data and none other, and 2) prohibiting unauthorized access by anyone else. You don’t want Coke seeing Pepsi’s material (or your password file, for that matter), and you definitely don’t want random people on the Internet seeing your clients’ proprietary data.
The safest way for a non-expert to deal with exchanging data is not to allow remote access to data at all. Ask your client or business partner to make arrangements for the safe transfer of digital material to a computer on their end of the network connection. Absent this, a data tape sent overnight involves some inconvenience but little risk (provided the tape is not lost in transit); the point of this article, though, is to survey data exchange methods that can be used to reduce this dependency on tapes and overnight shipping.
File Transfer Protocol (FTP) is a venerable protocol used purely for transferring data files between a "client" (such as an end-user’s computer) and a "server" (a network-accessible computer acting as a file repository/exchange). Using FTP client software on your computer, you identify yourself over a network to an FTP server using an assigned user ID and password. You may then transfer files in either direction. FTP servers also have an anonymous access mode that allows anyone on the Internet access to a given set of files. FTP is simple, and once configured correctly is very easy to maintain.
FTP is a decent enough way to share data (especially since virtually all Web browsers understand FTP), but it suffers from a few drawbacks. FTP servers can be tricky to set up; confining each account to its own directory so that it cannot read your sensitive system files or other clients’ accounts is possible on most servers but easy to get wrong, falling short of our privacy-among-clients goal. FTP’s anonymous access mode is often misused as a catch-all place to make material available to clients, missing both our privacy-among-clients and our prohibiting-unauthorized-access goals. Finally, FTP sends the user ID and password over the network in the clear, and the files themselves travel the same way; anyone eavesdropping on that exchange can read the data as it passes and can later log in to the server using the captured credentials.
Using a Web server to make material available to clients is a great idea, especially since so many people are accustomed to using a Web browser. Certain precautions must be taken, though. Obviously, having open links to client material is a big no-no. Hidden links (URLs that have no links to them on any page in the site) are the simplest way to accomplish this, but they rely entirely on the URL staying secret: it must not be guessable, and it must not leak in other ways, as it will on a poorly set up site through directory listings, search engine indexing, the Referer header sent to any site linked from the hidden page, or the server and proxy log files that record every URL requested. Access to selected areas of your Web server’s document hierarchy can be restricted via user IDs and passwords in much the same way as is done for FTP. But also like FTP, both this method and the hidden link method are vulnerable to eavesdropping.
Enter cryptography. Using a technique known as Digest Authentication, the password is never sent at all; instead the browser sends a one-way hash of the user ID, password and a random "nonce" value chosen by the server for that exchange. Because the nonce changes, an eavesdropper who intercepts the hash cannot replay it later to gain access. Two caveats apply: the user ID still travels in the clear, and an eavesdropper who captures the whole exchange can test password guesses against it at leisure, so the password must be a good one. The data itself is sent in the clear, however; so for the truly paranoid, this technique is only half a solution.
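The three cases above, FTP and password-protected Web areas with their credentials in the clear, then Digest Authentication with its replay protection and its offline-guessing caveat, as an added worked example that is not part of the original article. The FTP transcript, the user names, passwords and URL are constructed; the Digest computation follows RFC 2617 with qop=auth, and the server keeps a per-nonce counter, which is one of several ways a real server detects replays.

```python
import base64
import hashlib
import secrets
from typing import Optional


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# ---- FTP and HTTP Basic: the eavesdropper reads the password straight off the wire ----

# Constructed FTP control-channel transcript, standing in for a packet capture.
FTP_TRANSCRIPT = """220 ftp.example.com FTP server ready.
USER pepsi
331 Password required for pepsi.
PASS c0la-Secret
230 User pepsi logged in.
CWD /clients/pepsi
250 CWD command successful.
"""


def sniff_ftp_credentials(transcript: str):
    """Pull USER/PASS out of a captured FTP control channel."""
    user = password = None
    for line in transcript.splitlines():
        cmd, _, arg = line.partition(" ")
        if cmd.upper() == "USER":
            user = arg.strip()
        elif cmd.upper() == "PASS":
            password = arg.strip()
    return user, password


def basic_auth_header(user: str, password: str) -> str:
    """What a browser sends for a password-protected Web area without Digest."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def sniff_basic_auth(header_value: str):
    """Basic auth is base64, not encryption: decode it and you have the password."""
    scheme, _, blob = header_value.partition(" ")
    if scheme != "Basic":
        return None
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password


# ---- HTTP Digest (RFC 2617, qop=auth): the password itself never crosses the wire ----

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class DigestServer:
    def __init__(self, realm, users):
        self.realm = realm
        self.users = users      # user -> password (a real server stores HA1, not the password)
        self.nonces = {}        # nonce -> highest nonce-count accepted, for replay detection

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return nonce

    def verify(self, user, method, uri, nonce, nc, cnonce, response) -> bool:
        if nonce not in self.nonces or int(nc, 16) <= self.nonces[nonce]:
            return False        # nonce we never issued, or a nonce-count already used
        password = self.users.get(user)
        if password is None:
            return False
        expected = digest_response(user, self.realm, password, method, uri, nonce, nc, cnonce)
        if not secrets.compare_digest(expected, response):
            return False
        self.nonces[nonce] = int(nc, 16)
        return True


def offline_guess(captured: dict, wordlist) -> Optional[str]:
    """The caveat: with the whole exchange captured, guesses can be tested offline."""
    for guess in wordlist:
        if digest_response(captured["user"], captured["realm"], guess, captured["method"],
                           captured["uri"], captured["nonce"], captured["nc"],
                           captured["cnonce"]) == captured["response"]:
            return guess
    return None


def run_digest_demo() -> dict:
    server = DigestServer("clients", {"pepsi": "c0la-Secret"})
    nonce = server.challenge()
    cnonce = secrets.token_hex(8)
    params = dict(user="pepsi", realm="clients", method="GET", uri="/clients/pepsi/q3.xls",
                  nonce=nonce, nc="00000001", cnonce=cnonce)
    response = digest_response(password="c0la-Secret", **params)
    captured = dict(params, response=response)      # everything the eavesdropper sees
    out = {}
    out["genuine_login"] = server.verify("pepsi", "GET", params["uri"], nonce, "00000001", cnonce, response)
    out["replay_same_nonce"] = server.verify("pepsi", "GET", params["uri"], nonce, "00000001", cnonce, response)
    fresh = server.challenge()
    out["replay_fresh_nonce"] = server.verify("pepsi", "GET", params["uri"], fresh, "00000001", cnonce, response)
    out["weak_password_cracked"] = offline_guess(captured, ["password", "pepsi", "c0la-Secret"])
    return out


if __name__ == "__main__":
    print(sniff_ftp_credentials(FTP_TRANSCRIPT))
    print(sniff_basic_auth(basic_auth_header("coke", "Cl4ssic!")))
    print(run_digest_demo())
```

Running it shows the FTP and Basic credentials recovered verbatim, the genuine Digest login accepted, both replays rejected, and the password recovered anyway by the offline guess because it was on the wordlist; that last result is why Digest alone does not excuse a weak password.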
There are more complete techniques for authentication and data protection. Secure Sockets Layer (SSL) and Secure HTTP (S-HTTP) are protocols that encrypt the entire exchange between a Web server and browser, credentials and data alike. These have the potential to fulfill both of our goals, but they require obtaining a server certificate and configuring the server to use it, and are very difficult for a non-expert to set up.
Finally, how you physically connect your Web or FTP server to the Internet is an important factor in keeping the bad guys out. The goal here is to minimize the damage a hacker could do should he/she compromise such a server. Always avoid placing these computers on your internal network; doing so forces you to poke "holes" in your firewall to give the outside world access to them, and leaves your entire network vulnerable should a compromise occur, since the compromised server then sits on the same wire as everything else. A better place to put these servers is outside your firewall, directly on the Internet: the server itself gets no protection, but a break-in stops at that machine. The safest place of all is on your firewall’s "DMZ" network, a special protected server network that many firewalls offer. You then gain the protection that your firewall offers, while isolating a potentially dangerous machine from your internal network; for that isolation to mean anything, the firewall’s rules must forbid connections from the DMZ into the internal network just as strictly as connections from the Internet.
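The three placements described above (inside the firewall, directly on the Internet, and on a DMZ), worked through as an added example of the firewall rules each one implies. This is not code from the article or from any firewall product: it is a small first-match packet-filter model with a connection table, written here to show which packets each placement lets through. The address ranges, host names and traffic are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed addressing, not from the article: private space for the internal LAN,
# an RFC 5737 documentation prefix standing in for the DMZ, anything else is the Internet.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")


def zone(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    if addr in INTERNAL_NET:
        return "internal"
    if addr in DMZ_NET:
        return "dmz"
    return "internet"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    sport: int = 0
    syn: bool = True    # True: opens a new connection; False: belongs to an existing one


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None matches any port
    action: str             # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (self.src_zone == zone(p.src) and self.dst_zone == zone(p.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


class Firewall:
    """First-match rule set plus a connection table; anything unmatched is dropped."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.established = set()    # (client, server, proto, server_port) of admitted connections

    def decide(self, p: Packet) -> str:
        if zone(p.src) == zone(p.dst):
            return "unfiltered"     # same zone: the packet never crosses the firewall at all
        if not p.syn:
            from_client = (p.src, p.dst, p.proto, p.dport) in self.established
            from_server = (p.dst, p.src, p.proto, p.sport) in self.established
            return "allow" if (from_client or from_server) else "deny"
        for r in self.rules:
            if r.matches(p):
                if r.action == "allow":
                    self.established.add((p.src, p.dst, p.proto, p.dport))
                return r.action
        return "deny"


# Servers on the DMZ: staff may go anywhere, the Internet reaches only the published
# services, and nothing from the DMZ or the Internet matches a rule into the internal net.
DMZ_RULES = [
    Rule("internal", "internet", "any", None, "allow"),
    Rule("internal", "dmz", "any", None, "allow"),
    Rule("internet", "dmz", "tcp", 80, "allow"),   # public Web site
    Rule("internet", "dmz", "tcp", 21, "allow"),   # FTP control channel (the data channel needs a stateful FTP helper)
]

# The "hole" the article warns about: the Web server lives on the internal net,
# so the Internet has to be let in to an internal address.
HOLED_RULES = [
    Rule("internal", "internet", "any", None, "allow"),
    Rule("internet", "internal", "tcp", 80, "allow"),
]


def run_scenarios() -> dict:
    """Constructed traffic; returns the firewall's verdict for each case."""
    staff, fileserver, web_inside = "10.0.1.23", "10.0.0.5", "10.0.0.80"
    web_dmz, site, attacker = "192.0.2.10", "198.51.100.9", "203.0.113.7"
    out = {}
    fw = Firewall(DMZ_RULES)
    out["staff_browses_out"] = fw.decide(Packet(staff, site, "tcp", 80, sport=40000))
    out["reply_to_staff"] = fw.decide(Packet(site, staff, "tcp", 40000, sport=80, syn=False))
    out["internet_to_dmz_web"] = fw.decide(Packet(attacker, web_dmz, "tcp", 80, sport=51000))
    out["internet_to_dmz_telnet"] = fw.decide(Packet(attacker, web_dmz, "tcp", 23, sport=51001))
    out["internet_to_internal_smb"] = fw.decide(Packet(attacker, fileserver, "tcp", 139, sport=51002))
    out["forged_established_inbound"] = fw.decide(Packet(attacker, fileserver, "tcp", 139, sport=51003, syn=False))
    out["owned_dmz_host_to_internal"] = fw.decide(Packet(web_dmz, fileserver, "tcp", 139, sport=3000))
    holed = Firewall(HOLED_RULES)
    out["hole_internet_to_inside_web"] = holed.decide(Packet(attacker, web_inside, "tcp", 80, sport=52000))
    out["hole_owned_web_to_fileserver"] = holed.decide(Packet(web_inside, fileserver, "tcp", 139, sport=3001))
    return out


if __name__ == "__main__":
    for case, verdict in run_scenarios().items():
        print(f"{case:32s} {verdict}")
```

The last two verdicts are the point: with the Web server on the internal network the firewall must admit Internet traffic to an internal address, and once that server is compromised its connections to the file server never pass through the firewall at all, whereas the same attack from a DMZ host is dropped because no rule allows DMZ-to-internal traffic.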