Some thoughts about security on the web

  * Not a security expert - speaking as a person who uses the web, like all of you --
        and a person who makes the web, like all of you.
        Yes, all of you! 
        If you have a Facebook or Hi5 account, if you use Yahoo Messenger
        or Skype, ... you are making the web.
        If you have Gmail or Yahoo Mail you are making the web!  
            - Google is searching your email all the time, in order to choose ads
                to show you.
                Your email is in their databases - for how long? Forever?
            - Go look at your cPanel page access logs and see how many visits are coming
                from people clicking on a link in their email.
        
        But because my life for the past 15 years has been *only* making the web,
        on a professional level ... maybe I have had the time to follow up on 
        some ideas that might make me a little bit knowledgeable on this.

So. I have two things to say to you here. 
    One: how the web has changed and why "security" is important.
    Two: some practical things you can do. Which will be the same as what
        everybody else is telling you. You just have to do them.
  
One: What is the web, why is it important, why "it's too hard"
  
  * A class IX student said way back in 2002:    
        "Internet technology is the strongest means to propagate the Tibetan cause
            throughout the world."
        Unfortunately it is possible that your manager, director or boss hasn't
        figured this out yet. My challenge to *you* is to be as smart as this 15-year-old kid.
            
  * Two questions with the same answer:
        Why am I here 24x7, for 9 years?
        Why is China spending billions of dollars [1] to block your website? [2,3]

  * The Internet is now a battleground - we have to wake up and realise this.
    > "It's too hard" - Well, I have two answers to that, one as Mr Nice Guy and
        two as Mr Mean Guy.
    
        - "It's too hard": really, it's not! 
            It's just new, and it can be confusing because it is new.    
        - There is confusion between this world of fun, communication and commerce of YouTube and Facebook
            (where we can just relax and don't have to think or analyze)
            and the threats of invisible, hard-to-understand "viruses" and "malware"
            (where the thinking is so hard we don't even want to start!).
            I'm here to tell you: they are both the same world, and it's time
            to face reality and deal with it.
        - "War" has changed. It used to be that the battleground was "there"
            and we, the non-military, were "here" (until they invaded "here").
            Then, with long-range missiles etc., we started feeling more a part of "there" ...
            but now the internet *is* the battleground, and there is no "here" and "there"!
 
    > "It's too hard": well, that's too bad. 
        It is not to protect you! 
        I don't care if your personal email gets hacked, if your Facebook photos
        get destroyed. That is your problem.
        It is to protect your friends, your associates,
        and most of all, the people inside Tibet and China who are doing the
        real suffering as a result of *our* easy passwords and sloppy security.
  
    > "It's too hard": well, that's too bad. 
        If it were the 1950s and the PRC army were invading your country and
            shooting your father and brothers and sisters, and someone showed you 
            how to fight from the mountains and jump out of airplanes and use radio equipment ...
            would you say "it's too hard"??
            And how would you expect them to respond if you did?
            
Two: So let's get practical! What to do?
        1. Number 1, number 1, number 1:  SECURE PASSWORDS! 
            http://netsecurity.about.com/cs/generalsecurity/a/aa112103b.htm
            - capital and lowercase letters, numbers, punctuation
            - NOT the same password for every account.
            - NOT your name, your girl/boyfriend's name, your birth year - 
                unless you really want to be loved -- when you do that,
                the hackers just loooove you, feel the love!
         I can't say it enough. This is number 1. 
         Most hacking results from easy passwords.
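As an added example (not part of these notes), here is a small Python self-check that applies exactly the password rules above to a set of accounts: the character mix, no personal names or birth year inside the password, and no reuse between accounts. The person, account names and passwords are made up.

```python
import string

def password_problems(password, personal_tokens=(), used_elsewhere=()):
    """Check one password against the talk's rules: capital and lowercase
    letters, numbers, punctuation; no name or birth year inside it; not the
    same password as another account. Returns a list of violations."""
    problems = []
    if not any(c.islower() for c in password):
        problems.append("no lowercase letters")
    if not any(c.isupper() for c in password):
        problems.append("no capital letters")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation")
    lowered = password.lower()
    for token in personal_tokens:
        # Names and years are matched case-insensitively, as a guesser would try them.
        if token and token.lower() in lowered:
            problems.append("contains personal detail %r" % token)
    if password in used_elsewhere:
        problems.append("same password used on another account")
    return problems

def audit_accounts(accounts, personal_tokens=()):
    """accounts maps account name -> password. Each password is also checked
    for reuse against the other accounts in the same dict."""
    report = {}
    for name, pw in accounts.items():
        others = [p for n, p in accounts.items() if n != name]
        report[name] = password_problems(pw, personal_tokens, others)
    return report

# Constructed sample, for illustration only: a made-up person and made-up passwords.
SAMPLE_ACCOUNTS = {
    "gmail": "tenzin1985",
    "facebook": "tenzin1985",
    "cpanel": "Kh9!wq#Lp2zR",
}
SAMPLE_PERSONAL = ("Tenzin", "1985")

if __name__ == "__main__":
    for account, problems in audit_accounts(SAMPLE_ACCOUNTS, SAMPLE_PERSONAL).items():
        print(account, "OK" if not problems else "; ".join(problems))
```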

         
      Using the web:
            http://netsecurity.about.com/od/newsandeditorial1/u/securitybasics.htm#s2
        1. If you log in somewhere and it has an option for a secure connection (https),
                use it.
        2. Don't use M$Windows. Ubuntu Linux is now very "user-friendly" ....
            - If you have to use M$Windows:
                - Don't use MeSsIE. Use Firefox.
                - Don't use Yahoo Messenger, *especially* if you are communicating
                    with people in Tibet or China. Yahoo put people in prison CHECK
        3. Keep your web browser and other apps updated.
            On Ubuntu this is *really* easy - Update Manager will do it for you
                whenever you go online.
        
       Making the web:
            http://webdesign.about.com/od/security/Web_Security.htm
                
        1. If you are using a CMS on your website (WordPress, Joomla),
            keep it updated. URL
        2. If you are writing programs for the web (such as in PHP),
            always check and clean your input, no matter where it comes from.
            http://php.about.com/od/security/Security_for_PHP_and_MySQL.htm
                
        3. Do not send passwords in email, SMS or Skype chat.
        4. Check your logs (cPanel AWStats) for high bandwidth use, ...
        5. Check your site with URL to see if it has gotten cracked.
        6. Again, my concern is not if a website gets destroyed.
            You can build another one. The concern here is the personal information
            that can be compromised ... XXX
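An added example, not from the original notes, for the "check your logs" item: a Python script that reads raw access-log lines in the Apache combined format (what cPanel's raw logs and AWStats are built from), totals bytes per client to spot heavy bandwidth use, and also counts visits referred from a webmail link, as suggested earlier in the talk. The log lines are constructed (documentation IP ranges, made-up paths), and the webmail host list and the 1 MB threshold are assumptions.

```python
import re
from collections import Counter

# Apache/cPanel "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# Referers that mean the visitor clicked a link inside their webmail (assumed list).
WEBMAIL_HOSTS = ("mail.google.com", "mail.yahoo.com")

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def summarise(lines, heavy_bytes=1_000_000):
    """Sum bytes per client, count hits per path, count webmail referrals,
    and list clients whose total transfer reaches heavy_bytes."""
    bytes_per_host, hits_per_path, webmail_hits = Counter(), Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed lines rather than crash
        bytes_per_host[rec["host"]] += rec["bytes"]
        hits_per_path[rec["path"]] += 1
        if any(h in rec["referer"] for h in WEBMAIL_HOSTS):
            webmail_hits += 1
    heavy = sorted(h for h, b in bytes_per_host.items() if b >= heavy_bytes)
    return {"bytes_per_host": dict(bytes_per_host), "hits_per_path": dict(hits_per_path),
            "webmail_hits": webmail_hits, "heavy_hosts": heavy}

# Constructed sample log lines (documentation IP ranges, made-up paths), not a real log.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Apr/2010:10:12:01 +0530] "GET /index.php HTTP/1.1" 200 5120 "http://mail.google.com/mail/" "Mozilla/5.0"
203.0.113.7 - - [03/Apr/2010:10:12:03 +0530] "GET /images/logo.png HTTP/1.1" 200 20480 "http://example.org/index.php" "Mozilla/5.0"
198.51.100.9 - - [03/Apr/2010:10:13:40 +0530] "GET /backup.tar.gz HTTP/1.1" 200 734003200 "-" "Wget/1.12"
198.51.100.9 - - [03/Apr/2010:10:15:02 +0530] "GET /backup.tar.gz HTTP/1.1" 200 734003200 "-" "Wget/1.12"
192.0.2.5 - - [03/Apr/2010:10:16:10 +0530] "GET /index.php HTTP/1.1" 200 5120 "http://mail.yahoo.com/" "Mozilla/5.0"
192.0.2.5 - - [03/Apr/2010:10:16:12 +0530] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG.splitlines())
    print("heavy clients:", summary["heavy_hosts"], "| visits via webmail links:", summary["webmail_hits"])
```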
        
      Anywhere, everywhere:
        1. Pay attention.

        And use secure passwords! Different passwords for different accounts!
        Number one!
        
 OK - Now relax and have fun. You've done the best you can ... 
 and after all ... "it's life and life only" ... 
    http://www.bobdylan.com/#/songs/its-alright-ma-im-only-bleeding


----------------------------------------------------------------------------
References:
    1. http://organharvestinvestigation.net/events/ZHOU_061008.htm
    2. http://en.wikipedia.org/wiki/Golden_Shield_Project
    3. http://en.wikipedia.org/wiki/Internet_censorship_in_the_People%27s_Republic_of_China
Info:
    http://netsecurity.about.com/
    http://www.tibetangeeks.com/using_tech/security/
ADD links from bookmarks.

More -
http://www.webappsec.org/ - Web Application Security Consortium
80/20 rule: "20% of the defects cause 80% of the problems"
http://www.webappsec.org/projects/articles/013105.shtml
    Fix the basic things listed on this page, and close 80% of your security holes!
    
Computer security basics: http://netsecurity.about.com/od/newsandeditorial1/u/securitybasics.htm
    
SQL injection - http://databases.about.com/od/security/a/sql_inject_test.htm
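As an added example (not from these notes or the linked article), here is the "always check and clean your input" advice from the Making the web section, shown in Python with SQLite: an allowlist check on a username, a lookup that splices the input into the SQL text, and the bound-parameter form that keeps the input as data however it is written. The table, usernames and test string are constructed.

```python
import re
import sqlite3

# Allowlist: only letters, digits and underscore, 3 to 32 characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")

def clean_username(raw):
    """The 'check and clean' step: trim whitespace, then refuse anything that
    does not match the allowlist. Rejecting is safer than trying to repair."""
    candidate = raw.strip()
    if not USERNAME_RE.match(candidate):
        raise ValueError("invalid username")
    return candidate

def find_user_unsafe(conn, username):
    # What the talk warns against: the input is spliced into the SQL text,
    # so a quote character in it changes the meaning of the query.
    sql = "SELECT id FROM users WHERE name = '" + username + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

def find_user_bound(conn, username):
    # Parameter binding alone: the database receives the value as data,
    # never as SQL, whatever characters it contains.
    rows = conn.execute("SELECT id FROM users WHERE name = ? ORDER BY id", (username,))
    return [row[0] for row in rows]

def find_user_safe(conn, username):
    # Both layers: validate first, then bind. Refused input yields no lookup at all.
    try:
        name = clean_username(username)
    except ValueError:
        return []
    return find_user_bound(conn, name)

def demo_db():
    """In-memory SQLite table with constructed sample users (ids 1, 2, 3)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("tenzin",), ("dolma",), ("admin",)])
    return conn

if __name__ == "__main__":
    db = demo_db()
    tricky = "x' OR '1'='1"  # constructed test string containing a quote character
    print("unsafe:", find_user_unsafe(db, tricky))  # [1, 2, 3]: the query was rewritten
    print("bound: ", find_user_bound(db, tricky))   # []: treated as a literal name
    print("safe:  ", find_user_safe(db, tricky))    # []: rejected before any query runs
```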

More programming security:
   http://python.about.com/od/cgiformswithpython/ss/ProgramSecurity.htm
      (this is about python, but it's very good, and the principles apply to any language.)

NOTES - security talk/post - 3 April 2010
==========================