Some Information (From Chris)

As of 10:00pm Tonight, (Sunday, 20th May 2001) Olsh2001 is down. the following is an explanation as to why.

I've heard recently that some of the people in year 12 (lets call them users for the purpose of the exercise) Have become uncomfortable over their "details" being displayed to the world with no security, (apparently some fear they may be 'stalked').

Now i wouldn't necessarily call an e-mail address and in some cases an icq number as "Details". If you choose to have your address in your icq members directory that's your problem, YOU are responsible for YOUR 'security' and while on the topic, lets have a look at just what 'security' could be implemented on the site.

We could have a password system. (This would most likly be written in java), Which gives the users (being regulars) a feeling of security, however provides about as much as if you put up a 'try to break in' sign on your front door. People with any technical knowledge, upon finding any means of security will try to break in. And why not? It makes them feel better about themselves, and it's proving their skills, fair enough I say. The other problem with this method of security is you have to have a java compliant browser, and some of us (or at least my self) don't use java compliant browsers, and some people even use text-based browsers, Further more, java itself can be insecure, as the user is not always aware just what commands the java code itself is performing on your system.

So what other security methods are there? We could implement a 128bit encryption method, using a secure connection (the kinda stuff you see when you're banking online) (i'm toning this down for the non-technically-minded here btw). However, this would be EXTREAMLY costly, and again, cause the users to have some form of client software (ie a capable broswer). Other encryption methods would require the users to either have dedicated decryption software, download the site and THEN view it, (not to mention downloading the software itself) and/or a 'key' (a file with specific decryption information.)

...And so we must ask why. Why go to all the trouble (and/or expense) of having a secure site, and/or pretending it's a secure site to simply protect a few email addresses/icq numbers? Which brings me to the security risks associated with both.

Firstly, icq is probably one of the most dangerous things a user has on their machine. If you're running icq, and someone either has your icq number, or looks thru the whole white pages thing, they can quite easilly (actually extreamly easilly) get your ip address. (IP stands for internet protocol, every connection to the internet (including websites) has a unique IP address, such as 192.168.0.100 for example (actually, 192.168.x.x has been reserved for local area networks, ie it does appear anywhere on the internet, but you get the point). Now if a user has your ip, essentially they have a direct conneciton to your computer, allowing them (with the right tools/knowledge) to get into your machine, control your mouse, pop your cd tray out, or even format your computer (delete the entire contents of your harddrive). So you ask why do people use it? Because it's conveniant, and the majority of people who use icq either do NOT have critical information on their computer, or if they do, they're very very careful about it. (they use firewalls, block ports, etc.) I use icq, and i'm not concerned about my security in the least. About the only important thing on this machine is perhaps a couple of save-games. It's more the inconveniance of re-installing everything that annoys me..

Secondly, E-mail, now if someone has your email address, essentially they can send you things you don't want, bother you with messages, and send virii and stuff to your computer. However, you don't have to run these things, and most (if not all) email places, be they free or otherwise, offer some sort of 'block sender' option. Which is away around this 'spam' (Unsolicited emails).

IRC, or to some of you, mIRC. (mIRC is actually an irc client.) now irc can be used either thru a client application (such as mIRC) or thru a java applet on a website. Now the dangers with irc are up there with icq, essentially other people can send you all sorts of virus's/trojans/other files, that can look quite harmless. (eg: hello.txt.vbs .vbs is a known extention to windows, so it will be hidden, thus making the file look like hello.txt, which as some of you may know, a text file can't run or execute anything, so it's safe, however the .vbs extention means it's a visual basic script file (part of a program which is designed to execute numerous commands, which can result in a range of outcomes, from being invisible (you send the trojan to other people however aren't aware you even have it) to totally rendering your machine in-operable, but again, people weigh up the benefits and the cons of the whole thing, and generally people don't mind the slight risk of some down time (worst case scenario) in exchange for being able to freely communicate with millions of people.

In no way am i attempting to create a panic amongst the users of the site, however the idea of people being able to find out your address is nonsence (unless you have it in icq, which icq even warns you not to do). Nor can people even find out the address of your school, theres atleast three olsh colleges in australia that i'm aware of, if not more, and to my knowledge the country we're in, let alone the state isn't even mentioned anywhere on the site.

Further more, who the hell wants to know YOUR email address, or YOUR icq number, don't flatter yourself and think that 4000 people out of 3 or 4 BILLION want your email address so they can send you stuff, or ask for your home address and come and molitov your house, chances are they don't. And if they REALLY REALLY do, having the site or not having the site will not hamper their efforts. No form of security is totally secure. A system can be made very very difficult and/or very very time consuming to get into, or you can even log what users are doing, but all in all NO system EVER is 100% secure, UNLESS that is, it'd not connected to ANY other machines, it doesn't have a keyboard (or keyboard port) and it doesn't have a monitor. (essentially it's a hard-drive, alone in a locked room.)

IIS (Microsoft's web-server type application) itself had a rather HUGE extreamly concerning bug descovered in the past fortnight or so, which proves even those seen to be the leaders in it can get it wrong. But it all comes down to the value of the information at hand, and a couple of email addresses, a few icq numbers and some names aren't really bulletproof glass necessitating information. Further more, information was ONLY posted about those which had approved it.

In conclusion i'd like to express that this was not written to concern the users of this site, nor was it written to degrade those who had expressed concerns, it was simply written to provide some education to those who were concerned/interested, and to explain the reason of the site being no longer available, and in the end, it isn't, perhaps permanently. Please speak to/email Ness about the future of the site, be it 'keep it down, the risks are too high' (in which case i suggest you read the above one more time) or 'bring the site back we miss it'. Any feedback i'm sure she'd appreciate. Any questions about the above/other questions relating to similar issues (or anything for that matter) can be directed to me.

- Chris, arkenstone@goconnectnet, ICQ: 41045133, IRC: #gencorp on oz.org server, or visit my website at www.arkspage.cjb.net

(If you're just getting in touch to inform me of spelling/gramatical errors, don't. It wasn't the purpose of the article.)