Web Informant #173, 24 October 1999

      My friend Fred Avolio makes his living being paranoid. (He’s a security consultant.) And he warns me that while I boast about not carrying a laptop when I travel, I still should be careful where and how I get my e-mail when I am on the road. Especially at computer industry conferences. Here’s why.

      Most conferences now provide a group of public-access computers, so attendees can check their e-mail and get work done during the show. But few really understand the implications of using these public PCs, or the importance of deleting any traces of your electronic correspondence when you walk away from the keyboard. That can be a problem. Because in truth, public PCs are one of the worst places to read e-mail.

Self-promotions dep’t Thanks Fred. Next Monday, I’ll be teaching a new all-day class at the Next Generation Networks conference in Washington DC on new Web technologies. It is a survey of products such as Web conferencing, Web switching, and Web storefront technologies, and I hope to see you at the show. If you can’t make it, you can view the presentation and my notes here. And the lead article for a new Web and print in-house magazine from Dell called Browser mentions some of my experiences with home networking. You can read it all here.

      For starters, data could be captured intentionally (or not) by someone demonstrating a packet sniffing device elsewhere on the show floor. Someone might be trolling for passwords just when you login for your e-mail. The only way to avoid this is to encrypt your session using a virtual private network, which isn’t usually available on public PCs.

      David uses MailAndNews.com’s Web mail service: at the bottom of the home page is a link to establish a secure session to read your e-mail. You should always use this option and get the extra protection, even though it still doesn’t hide your password. To do that, try e-mail programs such as Eudora, which provide a mechanism called APOP to avoid sending unencrypted passwords. But few ISPs support this mechanism.

      Speaking of passwords, you should change them today when you have a moment before you have to head out on the road to your next conference. If your e-mail password is the same as your dial-in or login password, you are running a big risk. Use different passwords for each, and aim for ones you can memorize, so you don’t have to write them down.

      Of course, your company should have an information security policy regulating the circumstances in which employees can use public PCs for company business. I almost always read e-mail from my hotel room if I cannot read it over an encrypted connection. Even then, it can be a problem. At the last hotel I stayed in, each room had its own Ethernet jack. Who knew what lurker was capturing what data over THAT network? Even at less equipped hotels, someone could be bribed to tap into your dial-up connection. The likelihood of this happening is directly related to the business you are in and how much the information is worth to, say, a corporate spy.

      Another problem is the public PC’s configuration. You can’t tell if you are using a “real” copy of IE or Netscape or a facsimile holding a Trojan horse that captures your password information or data. Granted, this is an unlikely scenario, but it has happened.

      Even if the public PC you are using is pristine, you still have to clean up after yourself. For example, if you change the personal information in the browser (name, e-mail address, POP mail account, password, etc.), remember to delete all this before leaving the PC. If you forget, the next person can download e-mail from your account or send messages masquerading as you.

      Similarly, if you downloaded and read any e-mail, delete it all before leaving the PC. Otherwise anyone stopping by will be able to read your correspondence. Lastly, don’t forget to clean out the In, Out, Sent, and Trash mailboxes. Some software prompts you to delete the messages in each mailbox and empty the trash before exiting the program. Some don’t.

      Finally, if you are using the more recent vintage of either browser, make sure that they are not set to store passwords or to fill in forms automatically before you type in personal information. These browsers can recall this information for the next user.

      It is amazing how many people forget these last steps. I have seen many PCs with mail from the previous user. It is more likely than you think. So be a little paranoid and protect your e-mail correspondence. And enjoy your next conference!