Changes between Version 9 and Version 10 of WebInfoPamphlet
- Timestamp: May 21, 2008, 4:27:58 PM (16 years ago)
WebInfoPamphlet
v9 v10 1 1 = Making Good Internet Decisions = 2 2 3 3 We all use the Internet; most of us don't know more about than we have to. That's logical; most of us learn what we need to and the Internet's powerful technology allows us to do a lot without really knowing how things work. And that's good because most activists have plenty to do and the easier things are to use, the better. 4 4 5 But the Internet isn't a "neutral" tool like a hammer or a calculator. Because it is a mass movement, the Internet is an arena for very inte rnse political struggle. There are people who want to use it primarily to make money and to continue the kind of society most of us are still living in. There are those of us, and our numbers on the Internet are impressive, who see the Internet as another tool for changing society and the world in virtually every way.5 But the Internet isn't a "neutral" tool like a hammer or a calculator. Because it is a mass movement, the Internet is an arena for very intense political struggle. There are people who want to use it primarily to make money and to continue the kind of society most of us are still living in. There are those of us, and our numbers on the Internet are impressive, who see the Internet as another tool for changing society and the world in virtually every way. 6 6 7 7 These aren't just theoretical options. The choices you make impact on the way you use the Internet. They can either contain your experience and force you into the control of a company or allow you to grow and broaden your experience. … … 9 9 More than that, these choices have an impact on the rest of the Internet and the rest of the progressive movement. Because, as with any issue or struggle (and possibly more important than most), there are responsible choices to make about your Internet work and there are choices that are simply irresponsible. 
10 10 11 You want to make the responsible choices and so, in making your Internet plans, here are some issues and questions you need to be conscious of. So when you're choosing an Internet "provider", here are some questions you might ask.11 You want to make the responsible choices and so, to help progressive people make Internet plans, we have written some issues and questions to guide your thinking. 12 12 13 13 == Web == 14 14 15 Does your server allow plain text FTP access? 15 === Are you able to use encrypted connections? === 16 16 17 F TP is "File Transfer Protocol" and it's the way you get your files (or web pages) into your website for people to see on their browsers. Seeing a page is a fairly safe thing: you see it and there's not a whole lot you can do with it. But uploading a page is quite another matter: if someone uploads a malicious file, it can literally eat up the other web pages on your website or display information you don't want or, even worse, get into the rest of your directory and destroy it. If the provider's server is not properly secure, such a file can destroy everyone else's data.17 For most of us, the information on our web is intended for public consumption, so there is no need to encrypt the communication between people's web browsers and the server. 18 18 19 FTP access is insecure because it travels over channels (called "Ports") that allow it to be read as it's being transferred and because it doesn't provide a lot of protection while you're in your directory. A person with proper programs can eavesdrop the entire session, log it and do all kinds of information robbery to be used in exploiting your files.19 However, even with public web sites, some information ''is'' private. If nothing else - than the transmission of your password when connecting to the server to make a change. 
If someone gains access to this private information, they can upload malicious files, it can literally eat up the other web pages on your website or display information you don't want or, even worse, get into the rest of your directory and destroy it. If the provider's server is not properly secure, such a file can destroy everyone else's data. 20 20 21 Everyone should use Secure File Transfer Protocol. SFTP is less common than FTP and there are fewer programs that you can use to do an sftp session. So many activists are used to FTP and wonder why they should be using the alternative. 22 Basically, it's because your data is critically important to you and to the rest of us: because you're part of our movement. 21 The two most common ways to authenticate to your web site to make a modification are: 23 22 24 There are SFTP programs for every computer platform. You should insist that your provider only allows sftp. If the answer's no, do not use that provider.23 * FTP is "File Transfer Protocol" and it's one way you can get your files (or web pages) into your website for people to see on their browsers. FTP access is insecure because it travels over channels (called "Ports") that allow it to be read as it's being transferred and because it doesn't provide a lot of protection while you're in your directory. A person with proper programs can eavesdrop the entire session, log it and do all kinds of information robbery to be used in exploiting your files. Everyone should use Secure File Transfer Protocol. SFTP is less common than FTP and there are fewer programs that you can use to do an sftp session. So many activists are used to FTP and wonder why they should be using the alternative. Basically, it's because your data is critically important to you and to the rest of us: because you're part of our movement. There are SFTP programs for every computer platform. You should insist that your provider only allows sftp. If the answer's no, do not use that provider. 
25 24 26 What's your policy on receiving cease-and-desist letters? 25 * Via a web browser. Many people use web-based programs like Drupal, or WordPress, or Joomla to manage their sites. FIXME: add discussion of difference between http and https. Does your provider allow you to setup https connections? 26 27 === What's your policy on receiving cease-and-desist letters? === 27 28 28 29 At some point, you or an organization you do work with is going to get a cease and desist letter from a company, an individual, another organization (usually corporate-based or right-wing) or the government. These letters are designed to stop you from doing something you're doing on line. Often they have to do with copyright infringements but we've seen such letter provoked by statements and expressions of opinion. … … 30 31 Many providers give you a day to pull the material and, if you don't, they take your website down. 31 32 32 The reason is simple: the only thing they care about is your money. They couldn't care less about the importance o if your message and the even greater importance of allowing you to express that message. Money means everything and, in the balance, the fees you pay them are simply not worth the potential payments to lawyers and other grief caused by a legal action.33 The reason is simple: the only thing they care about is your money. They couldn't care less about the importance of your message and the even greater importance of allowing you to express that message. Money means everything and, in the balance, the fees you pay them are simply not worth the potential payments to lawyers and other grief caused by a legal action. 33 34 34 35 Let's clarify a couple of points first of all. Because someone writes a letter doesn't mean they are right moral or even legally. In fact, copyright on the Internet is very complicated and partly untested so most letters about infringement are subject to legal interpretation. 
Otherwise, almost all speech on the Internet is protected. You can't infringe copyright and you can't libel someone (or defame them falsely) but both infringement and libel are decisions of fact subject to jury action. In other words, you haven't done either until a court decides you have. So how in the world can a provider wipe your site? … … 36 37 Moreover, it's doubtful that most providers could be held legally responsible for a website's presence on their servers until a court determines that there's an illegality or violation. In short, no provider has to wipe a site until a judge says so and there's no action that can be taken against it. They're just taking the road of least effort. 37 38 38 Politically, weak cease and desist policies favor right-wing movements and strategies. The Right wants to repress speech; we don't. We want everyone to be able to talk because once we get the debate going, we win. We're telling the truth, after all. This has been proven historically countless times. So cease and desist is effectively a right-wing 39 tactic and it is absolutely essential that we resist. Imagine if your website has to come down the moment some lawyer issues that kind of letter? And, we assure you, that's what often happens. 39 Politically, weak cease and desist policies favor right-wing movements and strategies. The Right wants to repress speech; we don't. We want everyone to be able to talk because once we get the debate going, we win. We're telling the truth, after all. This has been proven historically countless times. So cease and desist is effectively a right-wing tactic and it is absolutely essential that we resist. Imagine if your website has to come down the moment some lawyer issues that kind of letter? And, we assure you, that's what often happens. 40 40 41 41 If someone is so offensive that it shouldn't be on a provider's servers, they don't need a letter from a lawyer to tel them that. 
Let them ban the materials themselves and then discuss that with the site managers. Otherwise, if it's not too offensive to be on-line, it deserves to be on-line. … … 45 45 If that's not the answer you're getting from your provider, find another one. 46 46 47 Do I have full secure shell access? 47 === Do I have full secure shell access? === 48 48 49 49 You may not know this and you may not need it but there's a "layer" of functioning beneath your website display and beneath "protocols" like sftp. It's call "shell access" and it means that you can use a "command line program" to get into your directories and files. A command line program is best identified by its prompt. You have a few letters, then a colon and you enter commands next to that and things work. You're interacting directly with the server's operating system (Unix, Linux or one of the weaker OS systems) and you can do virtually everything you want to your files and accounts. … … 55 55 If you don't have secure shell access, you should not be with that provider. 56 56 57 57 == Email == 58 58 59 How do you handle spam? 59 === How do you handle spam? === 60 60 61 We have a lot written on this issue because it is among the I Nternet's most important. So we'll summarize:61 We have a lot written on this issue because it is among the Internet's most important. So we'll summarize: 62 62 63 63 All spam should be passed on to the user who should be able to make the choices about what to do with it. This is a perfectly effective approach although it requires a bit of work on the user's part. Using one of various programs, you can "guess" what's spam and what's not with a remarkably high degree of accuracy. Then you flag it and the user decides whether to set up email so he/she can review the "spam flagged" email individually or filter it into some spam box. … … 69 69 Finally, what defintion of spam does your provider have. 
There is one acceptable definition: spam is the massive, arbitrary email of material to people who cannot reasonably be expected to be interested in it. That is, if the mailer can reasonably expect that you'll be interested in the material you're receiving, that is protected speech and not spam. That's the law and, for our movement, it is a definition that must be protected because, otherwise, you can't organize. 70 70 71 === Do you use starttls so all email data is encrypted from point-to-point with other email providers using starttls? === 71 72 73 Starttls is not common among commercial providers and it's possible that the person you're talking to won't even know what you're talking about. But consciousness of this "security trigger" is as important as anything we've talked about here. 72 74 73 Do you use starttls so all email data is encrypted from point-to-point with other email providers using starttls? 75 Normally when you send an email message, the message is sent from your provider's mail server to the recipient provider's mail server in plain text. Usually, such a message will travel through a half dozen routers controlled by the largest telecommunications providers on the planet, all of whom have the technical capacity to read the message. 74 76 75 Starttls is not common among commerial providers and it's possible that the person you're talking to won't even know what you're talking about. But consciousness of this "security trigger" is as important as anything we've talked about here. 76 77 Starttls is a keyword-based interaction between two providers doing email. You want to email someone on our system, you enter a keyword and that triggers a reaction from the other provider that puts your interaction into secure and encrypted mode. Now the email being transferred, its content and both email address is completely encrypted. Nobody can effectively steal them. 
77 On the other hand, if your provider uses starttls and you send an email message to a user on a different provider that also uses starttls, it means that your communication will be encrypted from end-to-end. 78 78 79 79 You can see how important this can be to you. Does you provider see that as well? If not, your provider isn't thinking about your security or privacy and you should start thinking about another provider. 80 80 81 Do you enforce https only web access to webmail? 81 === Does your provider support OpenGPG? === 82 83 OpenGPG is a way to encrypt your individual email messages. This software is typically the responsibility of the user to install on their own workstation. However, it's important for your Internet provider to be aware of it and provide support and education on how to use it. 84 85 === Do you enforce https only web access to webmail? === 82 86 83 87 Straight and to the point. When you do webmail with your provider and the url begins with "http" rather than "https", your email is insecure and your provider is not thinking about your security. … … 85 89 The secure layer for web access, https, is the only way to make sure your email is traveling through a secure tunnel and is not visible or viewable to hackers. Put it this way: you see that website you got to through http? You can see everything on it? Your webmail is a website. All you need is a password and someone can steal the password or guess it. Ask yourself this question: why do people who take credit card information on the Internet use https pages? Is your email less valuable than a credit card number? 86 90 91 == DNS == 87 92 93 === Can do I have full control over my domain name (ability to change the authoritative DNS servers)? === 88 94 89 == DNS == 95 This is quite possible ''the'' most torturous lesson many experienced activists learn on the Internet. 90 96 91 Can do I have full control over my domain name (ability to change the authoritative DNS servers)? 
97 You'll frequently find hosting providers who offer you "domain registration" and "monthly hosting." You sign up because it looks like a good deal and you get a registered domain and hosting. But when you want to move your site to another host, you run into all kinds of "contract clauses" and payment requirements and, in the end, you can't move the domain, the old provider must do it. 92 98 93 This is quite possible *the* most torturous "lesson" many experienced activists learnon the Internet.99 You are in domain prison and this is unethical and fundamentally reactionary ... and it is among the most common and even encouraged abuses on the Internet. 94 100 95 You'll frequently find hosting providers who offer you "domain registration" and "monthly hosting". You sign up because it looks like a good deal and you get a registered domain and hosting. But when you want to move your site to another host, you run into all kinds of "contract clauses" and payment requirements and, in the end, you can't move the domain, the old provider must do it.101 First an explanation of what's what here because domain registration and hosting aren't the same at all and they are ''not'' being done by the same people not matter what they tell you. 96 102 97 You are in domain prison and this is unethical and fundamentally reactionary...and it is among the most common and even encouraged abuses on the Internet. 98 99 First an explanation of what's what here because domain registration and hosting aren't the same at all and they are *not* being done by the same people not matter what they tell you. 100 101 Domain registration is an Internet-wide practice performed by a very few, select and highly specialized companies called "registrars". These are companies that have huge resources and experience and are required to demonstrate those resources and experience with the Internet's management authorities (like ICAAN). 
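Review bot: In the new "Are you able to use encrypted connections?" section, the "Via a web browser" bullet ships a literal "FIXME: add discussion of difference between http and https" in reader-facing text. Either write that discussion before this version goes out (the point being that a Drupal, WordPress or Joomla login sent over http exposes the password in the same way the FTP bullet describes) or drop the marker and keep only the question about https. In the same list, the FTP bullet now also carries the whole SFTP recommendation, so a list introduced as "the two most common ways to authenticate" has SFTP buried inside the FTP item; give SFTP its own bullet. The carried-over explanation that FTP is insecure because it "travels over channels (called "Ports")" should be reworded too: the problem is that FTP sends the password and the files unencrypted, not that it uses ports. The new sentence "If nothing else - than the transmission of your password" also needs a grammar pass.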
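Review bot: The paragraph added under the starttls heading ends with "your communication will be encrypted from end-to-end", which overstates what starttls gives and contradicts the heading's own "point-to-point". Starttls encrypts the connection between the two providers' mail servers; the message is still stored and readable in plain text on both servers, and the hop is only encrypted when the other provider also offers starttls. Suggest "encrypted in transit between the two providers' mail servers" and a pointer to the new OpenGPG section for readers who need the message itself encrypted.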
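Review bot: The new heading "Does your provider support OpenGPG?" and the sentence "OpenGPG is a way to encrypt your individual email messages" use a name that conflates two things: OpenPGP is the message encryption standard and GnuPG (GPG) is the common program that implements it. Readers searching for "OpenGPG" will not find the software, so name it as OpenPGP and mention GnuPG as the tool the user installs.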
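Review bot: The DNS section was re-flowed and promoted to a "===" heading, but several typos in the moved lines went through unchanged while "learnon" was fixed: the heading still reads "Can do I have full control over my domain name", and the body keeps "This is quite possible ''the'' most torturous lesson", "not matter what they tell you" and "ICAAN" (the organization is ICANN). Since these lines are being touched anyway, correct them in this revision.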
103 Domain registration is an Internet-wide practice performed by a very few, select and highly specialized companies called "registrars." These are companies that have huge resources and experience and are required to demonstrate those resources and experience with the Internet's management authorities (like ICAAN). 102 104 103 105 Their only role is to sign you up for a domain no one else has, take your yearly fee and put you on a database that has your domain, information about who owns it, and the IP addresses of the people who host the local dns for that domain. They also circulated this information to a network of servers called "DNS servers" (there are about two dozen of them world-wide). … … 115 117 This practice runs counter to everything the Internet stands for. You can't move your site if someone else is controlling the domain and if you can't move your site, you are a prisoner. No matter what someone may tell you about a "contract" or anything else, you have the legal right to know who is providing your domain registration and the legal right to move your domain anyplace you want. 116 118 117 In fact, you *do*have access to this information even though your provider may hide it from you. You use the whois command on a command line of any terminal hooked up to the Internet. For example,119 In fact, you ''do'' have access to this information even though your provider may hide it from you. You use the whois command on a command line of any terminal hooked up to the Internet. For example, 118 120 119 121 yourterminal$ whois mayfirst.org