Computer Security and Privacy -- What you should know

Computer Security and Privacy -- What you should know!

1. Encrypting and Authenticating Your Email

Who can read my email, other than the intended receiver?

The systems administrator of your network can read your email, and he or she has the legal right to do so.

What is public key encryption?

Public key encryption refers to a system whereby you get a certificate containing a public/private key pair for authenticating and encrypting your email. You install this certificate into your mailing software. Your public key is posted at the site of the certifying authority who issued the key pair to you. Only you have access to your private key. When you want to send either secure or authenticated email, you use both your key and the receiver's, as explained below.

How do I get a certificate to sign or encrypt my mail?

Get a certificate (along with your public/private key pair) from a recognized certifying authority such as Verisign, Thawte, or E-Certify.

https://www.verisign.com/client/index.html

How do I sign my mail so that the receiver can verify that it is from me?

The basic idea is this: If you want to send a message to person B such that B can be sure it came from you and no one else, use your own private key to encrypt the message. Then B will use your public key to decipher the message. B can be sure that the message came from you because

1. It's impossible to derive B's private key by looking at B's public key, the original message, and the encrypted message created using that key. (It's impossible to derive B's private key in ANY way, in a feasible amount of time.)

2. Only B's private key can create a message that can be deciphered by B's public key into something intelligible.

So...since only B could have had access to the private key that worked with the public key registered in B's name, then B must be the person who sent the message.

In the context of Netscape mail, this is all you do: Get a digital certificate, say from Verisign. Let's say you run the installation software that imports the certificate into Netscape. Once you've run the installation software, the certificate will be visible from Netscape's Security window, under Certificate/Yours. In that same Security window, select Messenger. Then click the option that says, "Sign mail messages, when it is possible." From now on, all your mail messages will be signed. Sending a signed mail message to a friend authenticates that you are who you say you are, and it also gives the receiver your public key. That key is automatically imported into the receiver's list of certificates from others. The receiver can see this list by opening the Security window and looking under Certificate/People. Now that the receiver has your certificate, he or she can send encrypted mail to you.

How do I encrypt my mail so that only the intended receiver can read it?

The basic idea is this: If you want to send a secret message to person B, use B's public key to encrypt the message. (You can pick that up from the certifying authority's Web site.) Then B will decipher the message with his or her private key. We know the message is secret because

1. No one can read the message without the private key. (The private key is the only input to the encryption algorithm which will "undo" the encryption accomplished by using the corresponding public key.)

2. You can't derive the private key from the public key, even if you have a message M and its encrypted form that resulted from using that private key.

So...only B can read your message, because he or she is the only one with access to the necessary private key.

In the context of Netscape mail, this is what you do. Let's assume that you got the certificate from the person to whom you want to sent encrypted mail, as described above. The certificate gives you this person's public key. To indicate that you want to encrypt mail messages whenever possible, go to the Security Window and select Messenger. Then select the option that says, "Encrypt mail messages, when it is possible." Now whenever you send mail to a person who has sent you his or her certificate, the mail will be encrypted. But be sure that you send your certificate to that person also, because they will need your public key to send encrypted mail back. (They will use their own private key to decrypt your mail -- it happens automatically once you've set all the settings in Netscape properly!)

One more thing: Once you click the options for signing and encrypting all mail messages, then a message pops up each time you want to send a message that you can't encrypt (because you don't have the person's public key). This is a bit of a nuisance. To choose to encrypt and sign messages individually, deselect the options in the Security/Messenger window. Then mark an individual message for encyption by going to Options on the tool bar and then selecting Sign and/or Encrypt for that message only.

2. Privacy and Security in Your Web Browsing Habits

Can my boss at work monitor what I'm doing on my computer?

Yes, and there's no legal prohibition against doing so!

Can anyone monitor my Web browsing habits without my realizing it?

Yes, and they do it all the time!

See "Going Private" and "Click and Dagger: Is the Web Spying on You?"

Is government regulation the answer?
Maybe, maybe not. See "States Move to Protect Online Privacy" and "How Privacy Regulation Will Chill Commerce."
What are cookies?

Cookies are small text files used by a Web site (server) to store information on the client machine. They make it possible for the server to record information about the client-- things such as preferences and passwords. See http://home.netscape.com/legal_notices/cookies.html.

What can I do to protect myself from cookies?

In Netscape, you can choose to accept all cookies, accept only cookies that get sent back to the originating server, or disable cookies.

How can I make my browsing habits more private on the Web?

You can use an "anonymizer." See http://www.anonymizer.com/3.0/index.shtml. A tutorial for how to use the Anonymizer is at http://www.anonymizer.com/3.0/tutorial.shtml

What do companies do with the personal information and browsing habits they glean from the Web?

Sometimes they sell it! See "Big Brother Was Listening," "Getting Personal," and "Knowing You All Too Well."

Are there any organizations dedicated to ensuring Internet privacy?

Yes, the Electronic Privacy Information Center. See http://www.epic.org/

Is there anyone to whom I can report abuses of Web privacy?

Yes. Try Truste at http://www.truste.org.

3. Protecting Your Files on Your Personal Computer

What passwords can I set on my computer to protect my files?
What is a SmartCard and how do I use it?

In general, a smart card is a credit card-sized card with a microprocessor chip embedded in it. These chips hold a variety of information. For example, they can store monetary-value used for retail vending machines or cash register, or they can hold medical or health care records. But the kind of smart card we're interested in here is one which helps to keep your data secure on your personal computer.

IBM's Smart Card is a combination of a smart card and support software that can help prevent unauthorized access to your personal computer and the data on it.

See http://www.pc.ibm.com/us/products/options/smartcardtour/index.htmlfor a description of IBM's Smart Card.

What other things can I do to make my files more secure on my personal computer?