News from PANUG - August 8, 2001
http://panug.org

If you'd like to submit articles to PANUG for publication here, send them in plain text to info@panug.org.

MORE CODE RED

Bruce Yatvin points out the following article on the impact the Code Red worm has on us and how some are just saying no:
http://www.msnbc.com/news/607667.asp

CORPORATE BAD GUYS - SPRINT
by Ed Sawicki

About six months ago, I responded to Sprint's advertising campaign promoting their frame relay services. I filled out a form on their web site and included only the bare minimum information that their web form would accept. This morning, I received an email from someone else who filled out this form notifying me that the information we entered has been publicly available on Sprint's web site for months. I went to the URL he included and, sure enough, there was my contact information along with about 500 other people's. This fellow has been complaining to Sprint for the past few months, trying in vain to get Sprint to remove the information from public view. Sprint is deaf to these complaints. The solution may be a class action.

One of the basic rules of running a web site is to keep private information private. Sprint's webmasters don't appear to know the basics. If they're incompetent in something as simple as running a web server, who can tell whether they're competent to service you in other areas? Since several complaints about this matter have gone unanswered, we know they're incompetent in handling customer concerns.

When you collect private information about others, you're responsible for the privacy and security of that information. You must make a reasonable effort to keep the information from becoming public. When you make no attempt to secure that information, you're guilty of gross negligence. When you receive complaints about it and still don't do anything, you need to be punished.

Your best protection against this corporate apathy over your privacy is anonymity. Don't send personal information via the Internet. Use pseudonyms. If you're a PANUG member, use an email redirection account. See the following web page for details:
http://panug.org/benefits.htm#email

An associate of mine has created a complete history for a fictitious person (Ricardo El Grande) that he uses.

You may recall, several months ago, attackers stole a few million credit card numbers from Egghead's site. Egghead runs Microsoft's IIS and the attack exploited one of its many holes. Egghead is still running IIS today. They must believe that IIS/Windows is now secure and such a break-in could never happen again. They wouldn't put customer data at risk - again. Right?

I'll leave you with this question. If your web site holds private information about others, such as credit card numbers, and you choose to use a web platform, such as IIS/Windows, that has a rich history of security problems, are you guilty of negligence when the site is hacked and the information is stolen? Send your reply to info@panug.org.

APACHE SECURITY

The two-day Apache Boot Camp that PANUG is co-hosting on September 5-6 covers the subject of protecting access to private information. You can do this by authentication (asking users for user names and passwords), access controls (restricting access by IP address ranges and URL names), web browser identity, and several other methods used individually or together. Visit the PANUG web site for more information about this course:
http://panug.org
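As an added illustration of the authentication and access-control methods the Apache course describes, applied to the kind of collected form data the Sprint story is about, here is an Apache configuration fragment (this is example code written for this newsletter, not material from the course or from any of the sites mentioned). It assumes Apache 1.3/2.0 directive syntax with mod_access, mod_auth and mod_ssl loaded; the directory paths, the admin URL and the 10.0.0.0/8 address range are placeholders.

```apache
# Added example; not part of the PANUG newsletter or the Apache Boot Camp.
# Syntax is Apache 1.3/2.0 (mod_access + mod_auth + mod_ssl). Apache 2.4
# replaces Order/Allow/Deny with "Require all denied" / "Require ip ...".
# All paths, the admin URL and the 10.0.0.0/8 range are placeholders.

# 1. Raw form submissions must never be reachable by URL. Best practice is to
#    store them outside the document root; if they do live under it, deny
#    every request to that directory outright so a guessed URL gets 403.
<Directory "/var/www/html/formdata">
    Order deny,allow
    Deny from all
</Directory>

# 2. Pages that display the submissions to staff need two independent
#    controls: a valid user name/password (authentication) AND a client
#    address inside the internal network (IP-based access control).
#    "Satisfy all" makes both conditions mandatory, not either/or.
<Location "/admin/leads">
    # Authentication: password file created with "htpasswd -c <file> <user>"
    # and kept outside the document root so it cannot be downloaded.
    AuthType Basic
    AuthName "Lead database (staff only)"
    AuthUserFile /etc/apache/passwd/leads.htpasswd
    Require valid-user

    # Access control by source address range (placeholder internal range).
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/8
    Satisfy all

    # Basic authentication only base64-encodes the credentials, so refuse
    # any request for this path that did not arrive over HTTPS.
    SSLRequireSSL
</Location>
```

After editing the configuration, run `apachectl configtest` and then verify from an outside address that /formdata/ returns 403 and /admin/leads prompts for a password only over HTTPS.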