"The Desktop Global Marketer" (tm)

   A free on-line newsletter of Sidereal Designs, Inc.,
   for Internet Entrepreneurs, and those who are
   considering becoming one.
_____________________________________________________

                  July 6th, 1999

In this issue: "It's unfortunate that we increasingly live
in a world where regular attention to self-protection is a
necessity, but certainly the web is not the only such part
of life. By making some of the things outlined here a habit
you ought to be able to protect yourself from the worst the
net-villains have (yet) to offer."
_____________________________________________________

   "The Desktop Global Marketer" is free, and may be 
   re-published freely with permission. We encourage 
   you to give it to your friends.

   For subscription (or un-subscription) details,
   and other information, please see the end of the 
   newsletter.

   For any other purpose, please write to:
   	jamie(at)siderealdesigns.com
   Or visit us at:
   	http://siderealdesigns.com
_____________________________________________________

Once upon a time all you had to worry about was a disk
crashing. That meant a rational person kept regular
backups. Over time the hazards came to include malicious
actions as well, such as viruses, worms, and cracker
break-ins. Things were still manageable; the Unix systems
used on the net where the data is kept are not susceptible
to viruses, and if there was anything on your site an
intruder would want, you could encrypt it. Combine that with
regular backups, usually a few layers deep, and you had
pretty good protection.

Those of you who have been with us for a bit already know
what happened recently to many of our clients hosted on
Dezines: a very sophisticated cracker planned a long-term
program of attack designed to thwart and incapacitate the
backup system and then destroyed the entire contents of five
servers. Dezines had in place a normal backup procedure
which should have been adequate for anything but archival
financial data or similar records, but it was insufficient
against this level of attack.

At about the same time, government sites -- including even
the FBI site -- were similarly damaged, possibly by the
same group. We have also seen a rash of new viruses of
increasing sophistication that threaten PC-based
data. Computer security experts agree that there is no sure
defense against a knowledgeable and determined attacker.

These recent site-cracking events, and the proliferation of
really nasty viruses, have raised the level of likely danger
for everyone on the internet and require a new standard for
preparedness for disaster. When very sophisticated attackers
are wiping out whole systems in a manner calculated to
thwart normal levels of backup procedures, what can we do to
protect ourselves?

Of course the first thing is to not make it any easier for
the crackers than it needs to be. You can't do much about
machine security on your hosting provider, but the host's
administrator can. Make security procedures and backup
policy a criterion for choosing a hosting provider. If you
don't know the right questions to ask, have your webmaster
ask. Don't just assume they're doing it right. (I recently
had a phone conversation with the Dezines staff on this and
am satisfied concerning the program they have in place. We
are continuing to host our own site there.)

On the other hand, you can do something yourself about the
security of your own account and web pages. Use a password
that is really unguessable. Remember, there are automatic
guessing programs that try millions of possibilities per
minute, including every word in Webster's Unabridged. I
recently had one guess "5-hydroxy" which I was using as an
account password. Something like "%gdR5hQz9*" is definitely
better, if more cumbersome.
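An added illustration of the two checks that paragraph implies (not code from the newsletter): a small model of what a guessing program does with a dictionary word, and a brute-force estimate from the character set. The word list and the 50-bit floor are constructed for the example.

```python
import math
import re

# Constructed stand-in for "every word in Webster's Unabridged"; a real
# check loads a full dictionary file and a list of leaked passwords.
WORDLIST = {"hydroxy", "password", "summer", "dragon", "sidereal"}

# Substitutions a guessing program undoes before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})

def dictionary_hit(password):
    """Return the dictionary word a cracker's mutation rules would recover, or None.
    Rules modelled: case folding, a short digit/punctuation prefix (the "5-" in
    "5-hydroxy"), a digit/punctuation suffix ("summer2019!"), and leet substitutions."""
    p = password.lower()
    core = re.sub(r"^[\d\W_]{0,3}", "", p)
    core = re.sub(r"[\d\W_]{0,5}$", "", core)
    for candidate in (p, core, p.translate(LEET), core.translate(LEET)):
        if candidate in WORDLIST:
            return candidate
    return None

def charset_bits(password):
    """Brute-force work factor in bits, from the character classes actually used."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"\d", password):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        size += 33  # printable ASCII punctuation
    return len(password) * math.log2(size) if size else 0.0

def assess(password, min_bits=50):
    """(acceptable, reason): dictionary check first, then a brute-force floor.
    The 50-bit floor is an assumed policy value, not a figure from the newsletter."""
    hit = dictionary_hit(password)
    if hit:
        return False, f"derived from dictionary word {hit!r}"
    bits = charset_bits(password)
    if bits < min_bits:
        return False, f"only {bits:.0f} bits against brute force"
    return True, f"{bits:.0f} bits, no dictionary match"
```

Note that "5-hydroxy" scores over 50 bits on character set alone; only the dictionary rule catches it, which is why the brute-force figure must never be the sole test.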

Never ever send a password identified as such in email
together with a way to identify the account it is associated
with. Your email probably passes through a dozen machines on
its way, and anyone with administrative authority on any of
them can read that mail and could set software to check
every piece of mail that passes through and copy any message
that has a word such as "password", or "account", or a
similar phrase in it.

It is possible to make web pages accessible only to a
browser that supplies a password. You should arrange that
any pages such as administrative pages on your web site are
themselves password-protected at the browser level. Also
make certain that each directory on your site (such as your
cgi-bin directory) has a dummy "index.php" file in it to
keep crackers from seeing your list of files. Ask your
webmaster to confirm that these two things have been done
if you aren't familiar with these concepts.
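One way to confirm the second point yourself, as an added example (not the newsletter's own tool): walk a local copy of the site and list every directory with no index file, optionally dropping an empty page into each. The index file names and the placeholder page are assumptions; turning listings off in the web server itself (Apache's `Options -Indexes`) is the stronger fix where you control the server configuration.

```python
import os

INDEX_NAMES = ("index.html", "index.htm", "index.php")
# Constructed placeholder page; anything that is not a file listing will do.
DUMMY_PAGE = b"<html><body></body></html>\n"

def unindexed_dirs(root):
    """Directories under root (a local copy of the site) with no index file,
    i.e. the ones a server with listings enabled would show as a file list.
    Paths are returned relative to root."""
    missing = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        if not any(name in filenames for name in INDEX_NAMES):
            missing.append(os.path.relpath(dirpath, root))
    return missing

def add_dummy_index(root, name="index.html"):
    """Write an empty index page into every unindexed directory; returns paths created."""
    created = []
    for rel in unindexed_dirs(root):
        path = os.path.join(root, rel, name)
        with open(path, "wb") as fh:
            fh.write(DUMMY_PAGE)
        created.append(path)
    return created

if __name__ == "__main__":
    for rel in unindexed_dirs("site-backup"):  # assumed local copy of the site
        print("no index file:", rel)
```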

Doing these things helps, but there is no perfect protection
no matter what we do, so the second line of defense is
multiple backups. This is where you can do the most to
protect yourself. The average user downloads their email to
files on their own PC, but leaves all copies of their web
pages and their mailing lists out on the virtual hosting
server. We need to protect both of these kinds of
information.

It is possible nowadays for crackers to actually break into
your home PC while it's on line, or for some viruses to
email all the files in your PC into waiting hands. If you
have very sensitive email or other files, you might consider
keeping it on a separate floppy disk, or encrypting
it. There are numerous encryption programs available very
cheaply. You can get tape backup accessories for PCs for a
few hundred dollars. This also protects you against crashes
of your hard drive.

What about those web pages and mailing lists on the web
server? The web pages are probably not anything you'd mind
anyone seeing, but if they were destroyed they could be
costly to replace. The best protection you could have is to
have backups on two completely separate machines. Thus, if
your hosting service keeps proper backups and if you also
back them up on your home machine, then a cracking attempt
or a physical disaster is most unlikely to destroy both
backups.

How do you do backups for web pages on your home machine?
One way is simply to use your browser to save pages to a
directory. The problem with this is that you won't get all
the non-visible files that configure your mailing list
server and do other behind-the-scenes work on your site. The
best way is to regularly move all files over by use of a
process called FTP. FTP is available from the DOS prompt and
there are many free or cheap windows-based utilities that
make it relatively simple to do. We use one called WS-FTP
which costs about $30.

We used to keep backed-up copies of all our clients' web
sites on a section of our own web site. The reasoning was
that there might be a disk crash, or an account might be
broken into, but it was most unlikely that both our site and
theirs and the host's backups would all be destroyed at
once. Well, it happened.

Now we are taking more precautions. First, for all clients,
we are making a complete copy of all software on their site
and putting it on a zip-disk (this is a removable disk that
holds much more than an ordinary floppy.) We then give the
client the zip-disk to keep. When we or anyone else adds to
the site for them they can have the disk updated.

Next, for those clients who have contracted for regular site
maintenance, we are backing up their entire site by FTP
every week to files on our local machines so that the latest
information exists in duplicate on widely separated
systems. Since most web sites are not static you should do
this regularly yourself or have someone do it for you.
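The FTP copy described above (moving every file, hidden configuration files included, to your own machine) and the weekly routine in the last paragraph, as an added example using Python's standard ftplib rather than WS-FTP. This is not the newsletter's procedure or code; it assumes the host's FTP server supports MLSD and, ideally, TLS, and the hostname and environment variables are placeholders.

```python
import os
from datetime import date
from ftplib import FTP_TLS

def mirror_tree(ftp, remote_dir, local_dir):
    """Recursively copy remote_dir from an open ftplib connection into local_dir.
    MLSD reports every entry with its type, so dotfiles and list-server data
    come down along with the visible HTML pages. Returns local paths written."""
    os.makedirs(local_dir, exist_ok=True)
    written = []
    for name, facts in ftp.mlsd(remote_dir):
        if name in (".", ".."):
            continue
        remote_path = f"{remote_dir.rstrip('/')}/{name}"
        local_path = os.path.join(local_dir, name)
        if facts.get("type") == "dir":
            written += mirror_tree(ftp, remote_path, local_path)
        elif facts.get("type") == "file":
            with open(local_path, "wb") as fh:
                ftp.retrbinary(f"RETR {remote_path}", fh.write)
            written.append(local_path)
    return written

def snapshot_dir(base, today=None):
    """One dated folder per run, so last week's copy survives a bad download today."""
    today = today or date.today()
    return os.path.join(base, today.strftime("%Y-%m-%d"))

if __name__ == "__main__":
    # Placeholder host; credentials come from the environment, never from the script.
    # FTP_TLS plus prot_p() keeps the password and file contents off the wire in
    # clear text, which plain FTP does not (fall back to ftplib.FTP only if needed).
    ftp = FTP_TLS("ftp.example.invalid")
    ftp.login(os.environ["SITE_USER"], os.environ["SITE_PASS"])
    ftp.prot_p()
    files = mirror_tree(ftp, "/", snapshot_dir("site-backups"))
    ftp.quit()
    print(f"{len(files)} files saved")
```

Run it from a weekly scheduled task and keep several dated snapshots, since a backup taken after a break-in faithfully copies the damage.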

Finally, we have the problem of mailing lists. Web sites are
continually taking subscriptions in an automated fashion and
the lists keep growing. Losing a few names to a disaster is
probably unavoidable, but what if you just had a big
promotional event or mailing? Clearly the timing of a weekly
backup could be very bad in such a case. Ideally we want
people to be able to back up their own lists whenever they
feel the need.

Of course this can be done by FTP just as for any other
file, but not everyone is sufficiently computer-literate to
want to do that. Some list-servers will permit you to get
your list by email or on the web, but others won't. We wanted
an easy solution for everyone. To solve this problem we have
retro-fitted all our clients' sites with a special program
that will allow them to call up their lists on their web
browser and either save the page or cut and paste it into
any file they like (it also counts the subscriptions for
you.)

The hope is that we can make it easy enough that people
actually will back up their lists.  Unfortunately, it's
something that takes regular attention. It's a bit like
starting an exercise program with good intentions; the hard
part is keeping it up. It's unfortunate that we increasingly
live in a world where regular attention to self-protection
is a necessity, but certainly the web is not the only such
part of life. By making some of the things outlined here a
habit you ought to be able to protect yourself from the
worst the net-villains have (yet) to offer.

Best,

Jamie
_____________________________________________________

To subscribe, send email to: 
	newsletter-request(at)siderealdesigns.com
and include the word   subscribe   as the only item in
the body of the letter.

To unsubscribe, send email to: 
	newsletter-request(at)siderealdesigns.com
and include the word   unsubscribe   as the only item in
the body of the letter.

If you have problems with either of these, write directly
to jamie(at)siderealdesigns.com for prompt attention from
a human.

If you would like to re-publish any of our newsletters,
at no cost, please contact jamie(at)siderealdesigns.com.

"Sidereal" is pronounced sy-DEER-ee-all, and means "of
or pertaining to the stars, the heavens, etc."


______________________________________________________________________________
Sidereal Designs, Inc. "Making The Web Simple."   http://siderealdesigns.com

copyright © 1999 by sidereal designs, inc. all rights reserved.