Public Internet Security


Introduction

Publically available internet sites are similarly subdued to regulation and rules by legislation from fro instance the European Union, the US, or the netherlands my homeland and current place of residence.

As a direct results of at least 2 major observation of me and others lately, I think I want to use some of my weight also for the benefit of my own privicay protected effectively in the future, and make awareness enough to raise technical and organisational issues concerning the safety of computer networks, and where such safety may be hard to find.

Mainly, I disagree that computerworld is subjected to different rules than lets say public streets or plumming, it should be completely possible to track what we are letting exist, what certain parties
build, and how we allow ourselves to cooperate to make networks and systems with resonable degrees of safety and guarantees against illegal taps, dataloss, infringement on privacy or copyright rules, and reasonable guarantees of quality of service.

As always, and I have participated in a university course 15 years ago containing ideas about the security of software, which in certain ways has similarities, there are technical matters involved, definitions of the services and the problems, and the desirable and maintainable legislation we can all agree with and find back in our countries or continents' legal system.

Being defininately qualified to produce some serious points, the main I'd want to make is that at least it would seem reasonable possible to take any correctly functioning data connection and use it to transer protected data in almost uncrackable form, meaning at least when it is realy needed safety can be had between parties who can exchange some key data reliably.

I'm sure many technical issues can be better resolved in this area than they in my opinion are too oftern, which is a call for quality, and I gues a mesure of self imposed or legal decency.

Preface

I've been involved in using computer networks from at least 15 years ago onward, with the unset of email covering wider areas then one university section, starting to make the publically available internet which allowed one to use ftp to transfer files from and to all over the world.

A bit earlier I built my own network interface for a at the time hip new fast local area network time for synthesizers, called midi, which I sucessfully run from an ancient trs80 clone computer. Not all but very basic data transfer issues also at stake in other types of networks are present in such a design, and with added courses on TCP/IP at university as part of the electrical engineering curriculum, which I found enjoyable enough because at least such a subject in practice is certainly not pathetic, I had the basic knowledge which still forms the foundation of my more than sufficient understanding of the contemporary internet and its basics and building blocks.

Later on, I programmed a newish type of client server setup, intended for the running of distributed applications on a workstation network, which worked satisfatory and nearly without error.  That tought me the practical interfaces to the application layer and some others and the parameters of various underlying layers of the OSI model, and also that in computerland, specifications, for instance such as possible in various telecom based approaches such as SDL, at some point after the number of megaherzes, specmarks and bustypes stops, and that a decent overview of an operating systems multitasking facilities in quantitative and qualitative sense is hardly ever likely to even exist at al for normal customers, and that the same holds for various not unimportant networking parameters, including even quite obvious ones such as buffer types, abundance and length. Bad practice, as every decent electrical engineer knows, specification during design phases are completely needed of parts which should together make a machine.

When buying a PC or a place in a library or internet cafe or of an internet provider, certain technical data are commongood, though probably mainly the terrain of moderate experts, such as adjustments for name servers, and the bitrate of a modem, but detailed specifications of the various components of for instance an internet information path are mostly not there, unless one asks an expert who happens to have information about that particular combination of web tools and browser, ppp connection toos, tcp/ip libary, operating system version, modem brand and version, provider side modem specs, server software, proxy idiocyncracies and a lot more.

Apart from that, it is not very trivial even for an expert to have good guarantees of safety, because so many parts are involved, and only a clean installation of known and trusted components without additions, viruses and errors in adjustments makes it credible one can perform safe and overseeable data processing. Linux has in that sense an attractive open source approach which allows at least experts to check all source code, make a custom compile for a given system, and be pretty sure nothing is realy very wrong with the resulting system. When then the internet link is run by processes mainly limited to a known and limited user account, the systems can operate relative safely with pretty much anything connected to its modem or network card, assuming the linux version used is as file access safe as it can be relatively easily. I think windows XP is another story in that respect, and quite frankly windows 2000 is not exactly easily overseeable or verifiable enough for me to easily guarantee various forms of safety, though I guess reasonable speaking I too can make it reasonably safe to use, with proper limitation of the network components.

Copyright rules

In shot, we all know software is protected from copying, I don't have much contemporary knowledge of the exact legal whereabouts in that area, when I did delve into the subject, either special legislation or inclusion in copyright laws was considered.

Works of art have their intellectual ownership safeguarded in most western countries by simple enough law, and clearly it is not legal to 'steal' work from another can claim it for oneself, or to redistribute or sel another persons work of art without permission.

As a practical exampe, one may not even have permission to use someone else's photograph on a web site, and that could be legally enforced, i.e. checked, fought and corrected by official and founded exisiting legal means.
 

Mail propriety

Under dutch and US laws I am certain the letter secret is safeguarded by official rules.

In short one may not open, read, disclose or spread someone else's mail without permission, or at all.

In holland, some years back I remember news messages that the gouvernment had included email messages in the laws for regular mail, so that anyone who opens or reads email messages not clearly addressed to them is into an official offense, and can be persecuted by law, and I seem to rember even punished quite severely when caught.

Heer, heer, I gues, having legal backup even for my yahoo mail account is a good idea, why not have people officially deny access to my private or professional files, if they want access let them ask me or official authority (which is probably rare).
 

A practical motivation

Because I was faced with a practical 'break in' sort of problem lately, I'll shortly describe what I think is important in what I observed and what I have as an answer, too.

I was regularly unpleasantly surprised at my mouse behaviour in place with a massive battery of PC's for internet use I happen to spend more than a few hours on, and at some point got the idea some may have more than healty interest in my activities, because it seemed certain mouse response anomalities were not random or caused by mouse terrain unevenness or mouse mechanism failure.

Is that relevant? Probably it is, though one may argue checking may happen without making a noticable impact on system operation, I don't like the idea that appearently the will and the way exists for certain probably not too advanced persons to pick on someone's computer behaviour and mess with it. Clearly.

So I thought of at least a trick to have the stupid sort of feedback reduced, which mainly exists of making clear such unwanted effects will not go by unnotices, which is probably normally on of the prerequisites and desirabilities for certain not to highly to be estimated behaviour. 'Things don't work right here, come and see' nothing special going on, suddenly...

So I decided before going technical to play the engineer (the real kind) a bit, and make sure at least all to annoying or clear interfearences would be tracable objectively, and, unfortunately for certain lesser life forms, recordable for future replay, analysis or proof, in line with normal and and decent 'check things when they go wrong, and what cannot bear the light will probably disappear'.

At least I'd have normal computer use back, not knowing how much at least partly for certain illegal 'checking' still would be going on.

A more technical approach would be to cut the network cable or port during normal use except when needed, which may be impractical, or us simple enough network port scanning to figure out where the systems 'suck' module resides and disable it, or possible have its communication interestingly modified... Both not a technical tour de force, actually, except a system which reboots from unknown source may be a touch hard to crack in short time in that sense, but then again taking a simple network monitor and see some udp or tcp port raise its activity in sending and receiving mouse patterns is not nasa level work, and requires no PhD in computer design, not even in computer software.

Bear with me to see my little fun enough experiment.
 

The experiment

To be able to make clear the mouse behaviour on a certain station (I won't currently bother writing down the IP addresses appearing during normal machine reboot and initialisation, even though my experience is that the dhcp server seems consistent in the numbering per node), I wanted to make a credible experiment to at least make clear the most obvious trickery will be doomed to fail when a serious engineer is pathetically challenged or lets say has a sor tof attention for a problem.

Little boys with pc anywhere are not too interesting or general powerfull or special, but lets say there are principles at stake. Let them prove they can actually write such a program at least, then probably they'd be intelligent or interesting enough to occupy themselves with something a bit less base, useless and undesirable.
 
 

Video footage

I've made two short enough video fragments in windows avi format to illustrate what I'm talking about.

The first one contains the recording of my watch with large second counter to give an impression of the video systems responses and the way mouse movements, 'coincidently' uninterupted look on the screen.

The second one shows the carrying out of the experiment, where I've attached a 'fin' to the mouse to make its physical motion part of the video, and where the red window which tracks the mouse around the screen is visible on the cam's recording to see wether they coincide logically, as the first and main check for undesired malbehaviour.
 

For the advanced: the tcl script to record mouse behaviour

Luckily the very install friendly tcl/tk package is easy to set up on most decent enough and even undecent computer systems, also the ones with limited user install possibilities, and as some may know it comes with powerfull and very usefull command set, up to most desirable jobs.

In short I made one of my maybe infamous sort of 'oneliner' procedures to produce a list of time - mouse position triplets, which together with a few well chosen screen dumps give an excellent impression of the tracks my mouse make during the time I work on anything I like.

Clearly enough , the scipt is visible even decent enough through the jpg encoding, the red window near the 'activeate motion detection' button is the window which as a result of the shown script simply 'follows' the mouse around the screen as javascript sometimes does within a webpage, and xeyes for those who know what that is, and still appreciate the fun in them after 15 years..

While it with adjustable rate tracks the mouse pointer (which is not in the standard screen dump), it records every tracked position and stores a time stamp with every move, so it is completely possible to reconstruct the mouse curves and motions later on from a simple text file.

Internet provider blues

Perfect enough data encryption and FM radio noise

 

Philosophically tainted considerations

It seems when a new medium such as internet computers arise and become publically desired enough and available certain types of people which may have been called annying tax collectors in the past, maybe not, seem to be keen on trying claims on that all to some form of maybe power maybe influence, maybe just idea sucking, to make clear they somehow find it interesting to manifest themselves as conscious impacters on normal enough human behaviour concerning privacy. In a world where child abusers recieve gouvernment protection and can easily enough escape from prison, probably that is nothing much, in comparison, but one has to start somewhere and make clear nothing of all such ranges of behaviour will be tolerated, I'm sure.