Monday, July 26, 2010

Who can you trust on the Internet?

Introduction
Who can you trust on the Internet? It's a question we have to face all the time. Everyone knows that they shouldn't email their credit card numbers to that guy in Nigeria who really needs their help to keep his rightful inheritance of $1,988,356.76 away from the evil government (and will pay you an absurd amount of money to do it). But it gets harder than that.

Part One: Malware
There are lots of less-than-reputable websites that would love you to download viruses from them. There are also some sites that offer “ad-supported” software that puts so many ads on your PC that you can't do anything but look at ads (and it often can't be removed through normal methods either). Most of the time, you can easily tell when you've visited one of those sites. (Of course, there are clearly still enough gullible people that they continue making money, but I doubt you're one of them if you're reading this blog.) Unfortunately for us, there are plenty of borderline websites, where you can't tell if the site is reputable or not. I've personally never been burned by one of these sites (knock on wood), but you should always scan even semi-questionable downloaded files with a good antivirus program, and don't run any ActiveX controls or allow other security warnings unless you're sure about the site. Your antivirus software is not invincible, though, and ultimately the best defense against malware is to exercise common sense.

My No-Nonsense Download Checklist
1. Do you really need this program? If you need a word processor or a video editor to finish a project, then that's a good download. If you were just browsing the Internet and said, “Huh, that sounds cool,” think for a minute before you decide to try it. If you install it and don't need it, not only do you raise your chances of getting hit by malware, you also clog your PC with unnecessary garbage and waste time downloading and installing it.

2. Does the program make any mention of being supported by ads or requiring other (questionable-sounding) programs? If so, pass it by and find something else. Although it may seem like a fair tradeoff at the time, chances are very good you'll regret it later—and such downloads are far more likely to contain actively destructive or dangerous software.

3. Does the URL contain a load of unidentifiable characters? I don't mean at the end; that's normal. I mean at the beginning: instead of, say, http://earth.google.com/download, you see something like http://6ths7.free67.info/73nds. Junk programs, especially ones that will steal your personal information or reformat your hard drive, frequently have URLs that are cheap to obtain. Another common trick (for phishing sites too) is to use something like http://microsoft.d6shc.com. Although many people say “Oh, it's Microsoft.com, must be good then”, anyone can change the first part (microsoft, in this case), known as the subdomain, to whatever they fancy. The part right before the .com (d6shc, in this case) is the only part you actually have to register.

4. If the program didn't pass one of those requirements, or you just aren't sure about it, try googling the function of the program. Chances are very good you'll find another free program with a less questionable background, and quite possibly better features as well.

5. If you really want the program, and aren't sure of its legitimacy, download it, scan it with your antivirus program, and back up your files first or install it on a junk PC just in case. (Of course, you really should have a valid backup at all times; I've got an upcoming feature on making a backup script for yourself.) If your antivirus program comes up with a warning, ditch it and find something better. It's definitely not worth the trouble.
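
The URL check from item 3 can be automated. The following is an added example, not part of the original post: it pulls out the part of a hostname that actually had to be registered and flags a trusted brand name that appears only as a subdomain. The trusted-domain list and the short list of multi-label suffixes are assumptions made for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: tiny constructed subset of multi-label public suffixes.
# A real checker would load the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}

# Assumption: the registered domains you already trust for downloads.
TRUSTED = {"google.com", "microsoft.com"}


def hostname(url):
    """Lower-cased host part of a URL, without port or trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def registrable_domain(url):
    """Return the part of the hostname that somebody had to register."""
    host = hostname(url)
    try:
        ipaddress.ip_address(host)
        return host  # raw IP address: there is no domain name to inspect
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) < 2:
        return host
    # For suffixes like co.uk the registered name sits one label further left.
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def classify(url, trusted=TRUSTED):
    """Return (verdict, registered domain) for a download URL."""
    host, reg = hostname(url), registrable_domain(url)
    if reg in trusted:
        return "trusted", reg
    # A trusted brand name used only as a subdomain proves nothing.
    brands = {d.split(".")[0] for d in trusted}
    subdomain_labels = host[: len(host) - len(reg)].split(".")
    if brands & set(subdomain_labels):
        return "lookalike", reg
    return "unknown", reg


if __name__ == "__main__":
    for u in ("http://earth.google.com/download",
              "http://microsoft.d6shc.com",
              "http://6ths7.free67.info/73nds"):
        print(u, "->", classify(u))
```

An "unknown" verdict only means the registered domain is not on your own list; the rest of the checklist still applies to it.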


Despite my lobbying for the antivirus industry, I'm not saying the program always knows better than you. If your antivirus program comes up with a warning for a perfectly reputable program, like Microsoft Office or Spybot Search and Destroy, check the warning a bit more carefully, and do some research if you're not sure. Although viruses can infect and damage legitimate programs, it happens less and less nowadays, and it's far more likely that the scanner just made a mistake (or the program was performing a “suspicious” activity, like Spybot accessing a spyware-filled folder to remove spyware).

Part Two: Collected Information
You don't just have to deal with malware, though. Most websites collect information about you, and you have to decide who you can trust with that information. When you visit a website, a certain amount of information can be collected about you automatically, and you can't do a thing about it. This information includes the browser and operating system you're using and your IP (Internet Protocol) address, which uniquely identifies your computer on the Internet. Normally, the website also collects any cookies the website has stored on your computer. You can turn this off, but it has a number of adverse effects on your web browsing, and only total privacy freaks (or the same Internet purists who refuse to use any Web content besides plain text) choose to do so. (One note: Cookies are not programs that can look through your files and steal information. They're not even necessarily bad. That said, cookies can be used to track your browsing and shopping habits; see http://www.tomsarazac.com/tom/opinions/cookies.html for more information about cookies.)

Most of this information isn't really earth-shaking; if you really care about hiding any of it, check out http://the-cloak.com/. It's what you give websites that really matters. For instance, Google, with some settings, collects information about what websites you visit in order to personalize your searches. Most of the time, you have to decide how much privacy you're willing to give up in order to get useful functions.

Try this: Head over to http://www.google.com/dashboard and log in with your Google account. (If you don't have one, just follow along.) Scroll down and check out all the stuff Google has stored about you. Bet you didn't know they stored all the websites you visited after searching while logged in, and all the searches themselves. And even though you knew they stored your contacts, emails, voicemails, and so on (if you use Gmail or other Google products extensively), it somehow seems a lot more impressive and scary when it's all in one place.

Check out these three screenshots:
http://www.thetechnicalgeekery.com/images/Google1.png
http://www.thetechnicalgeekery.com/images/Google2.png
http://www.thetechnicalgeekery.com/images/Google3.png

In the first one, you can see most of the Google searches I made in the last two days, and that I've made 4,913 searches since Google enabled Web history. This catches nearly all of the searches I've made on my home computers, since I'm nearly always logged into Gmail, but I'd say that it probably still only represents about half my searches. (Interestingly, I found that there were searches on my history page I hadn't made today, meaning that I had accidentally left myself logged in on the family computer—oops. If you ever accidentally leave yourself logged in on another computer, you can log in to Gmail, click the Details link at the bottom of the page where it says “This account is open in x other locations...”, and choose Sign Out All Other Sessions.) Still, Google has stored, and still has accessible, about half of my searches all the way back to January 2008. That's kind of cool, and a neat way to look through what you've done on the Internet in the past, but it's also naturally a concern if someone else gains access to your Google account (besides being able to log in and represent you on any Google service, and some others). The other two shots show other parts of my history, including all my stored emails, documents, and many phone calls and texts I've made through Google Voice. Not displayed is also contact information for over 100 people.

The good news is that if you're scared by the web history, you can easily stop it from collecting items or clear some or all items from the history. Just open up your Web History from the dashboard and select Pause or Remove Items, on the left. (It should be noted that Incognito Mode in Chrome does not prevent Web History from collecting items, although you are not logged into your account in a new Incognito window and therefore cannot have your searches collected. If you want to browse totally privately, stay logged out of your account or pause the web history.) Other services like Gmail are harder—you can't really use email without leaving tracks with *someone*, be it Google, Microsoft, or your ISP. However, I generally trust Google with my information; they've had a fairly good record of not throwing your information out the window, especially compared to some other websites. (I've heard some people worried about what might happen if Google was bought out and had a change of ownership; I say that's not currently a valid question, as Google is not within reach of any purchases.)

Facebook is much more questionable. It seems that they change their privacy policy about every six months, and every time they seem to have some absurd clause designed to make them more money that quickly gets picked up by the media and causes public outrage. (Then they provide a public apology and reverse that change, but some others may remain.) Although (at the time of this writing) the privacy policy is fairly reasonable, it's still clear that they track everything you do and keep all your information and posts, and who knows what could happen with them, especially since the privacy policy can change at any time. (For a while there was even a note that stated that Facebook gained ownership of anything you posted on the site.)

The most important thing you need to worry about with your Google, Facebook, and other accounts is that nobody steals your password. If anyone ever gained access to my Google or maybe even Facebook accounts, they could easily impersonate me: they immediately have many of the websites I've visited and therefore know what I'm interested in, all my email, contact information for all my friends, family, and more people, and can change my Google Voice settings so they get my calls. Besides being much easier to do than, say, a cracker stealing half their database or the company deciding to release your information to the public, having your password stolen is one thing you can easily guard against. Choose a strong password, don't write it down, and make sure nobody gets it. Sign out of the computer when you leave it, and immediately change your password if there's a chance someone else has stolen it. See http://thetechnicalgeekery.blogspot.com/2009/10/ten-ways-to-keep-your-passwords-safe-we.html for more information on the ways passwords get stolen and how to protect yourself.

I'm seriously considering keeping any information I'm even the least bit concerned about off Facebook and maybe even off other websites, and putting it on my own website instead. I run the server, so nobody is going to mess with my information except by breaking into it.

EDIT: The blog was capitalizing the image links, causing them to break. I renamed the files and the links.

--
Soren "scorchgeek" Bjornstad
http://www.thetechnicalgeekery.com

Yesterday it worked
Today it is not working
Windows is like that

Copyright 2010 Soren Bjornstad.
Verbatim copying and redistribution of part or all of this work
is permitted, provided this notice is preserved.
