Changes between Version 11 and Version 12 of WebInfoPamphlet


Timestamp:
Jun 17, 2008, 4:18:27 AM (12 years ago)
Author:
alfredo
Comment:

--

  • WebInfoPamphlet

    v11 v12  
    1 = Making Good Internet Decisions =
     1Making Good Internet Decisions
    22
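Review bot: new line 1 drops the `= Making Good Internet Decisions =` wiki heading markup that old line 1 carried, and every section title added further down (`Security`, `Control`, `Summing Up`) is likewise a plain line, so the page loses its headings and its table of contents; keep the `= … =` / `== … ==` markup from v11 on those lines.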
    3 We all use the Internet; most of us don't know more about than we have to. That's logical; most of us learn what we need to and the Internet's powerful technology allows us to do a lot without really knowing how things work. And that's good because most activists have plenty to do and the easier things are to use, the better.
     3We all use the Internet and most of us don't know more about than we have to. For most of us, it's a tool and we can use tools without understanding how they work.
     4But the Internet isn't a "neutral" tool like a hammer or a calculator. It's a mass movement, an arena of very intense political struggle over its present and future and, because it involves more than a billion people, a place for us to work around all struggles, issues and movements we're involved in.
     5The choices you make about the Internet affect its potential for you and your work. They can either contain your experience and force you into the control of some large corporation or allow you to grow and broaden your experience and the effectiveness of your work.
     6More than that, these choices have an impact on the rest of the Internet and the rest of the progressive movement. Because, as with any issue or struggle, there are responsible choices to make about your Internet work and there are choices that are simply irresponsible.
     7To help you think about those choices, we have put together some information about some of theimportant Internet issues and choices we think you should be aware of. We've divided this information into two parts: security and control.
    48
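Review bot: new line 7 runs "theimportant" together, and new line 3 repeats the dropped word from old line 3 ("don't know more about than we have to" should read "more about it than we have to").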
    5 But the Internet isn't a "neutral" tool like a hammer or a calculator. Because it is a mass movement, the Internet is an arena for very intense political struggle. There are people who want to use it primarily to make money and to continue the kind of society most of us are still living in. There are those of us, and our numbers on the Internet are impressive, who see the Internet as another tool for changing society and the world in virtually every way.
     9Security
     10Every progressive understands the importance of security but, on the Internet, the concept takes on a whole other meaning and very different details. This is because the Internet functions on a public communications system and when something is public the potential for abuse, theft of data and disruption of communications is enhanced. Our movement can't take chances with that kind of abuse.
     11Are you able to use encrypted connections?
     12Even if your use the Internet is mainly for very public communications, there is always some information that should remain private: a password, members list, payment info, content of a sensitive email. If someone gets access to this information, they can steal your data, wreck your website and even wreck other sites on your server. The security of your connection is a political issue and one that affects everyone else sharing a server with you.
     13Here's what we think you should use:
     14For uploading files to your website use SFTP (for Secure FTP). Regular FTP, File Transfer Protocol, is completely insecure and anyone with the right programs can steal all your data in transmission. Take note because most commercial providers still use ftp and don't even offer sftp as an option. .They don't really care if your information is stolen. If that's the case with yours, change providers immediately.
     15For sensitive interactions on your website (like many forms, for example), always use https (or secure layers). This requires a certificate and probably some cooperation from your provider but everything we just said about ftp is a thousand times more true with http (hypter-text transfer protocol). To be clear, regular http is wonderful; it's the lifeline of the web. It's also designed for transparent communications between visitor and site. Transparent means anybody can see it; if there is something you don't want everyone to see, you need secure http. If a provider doesn't facilitate https, leave that provider.
     16The same is true for webmail. Since this has become so popular, most providers offer it as a service and for many people it has actually become the primary "client" for email. If you check email on the web and you don't have a secure connection, anybody can see your email with the proper software. All webmail should use https.
     17For email itself, does your provider use starttls so all email data is encrypted from point-to-point with other email providers using starttls?
     18Starttls is not common among commercial providers and it's possible that the provider's rep  you're talking to won't even know what you're talking about. But consciousness of this "security trigger" is as important as anything we've talked about here. Normally your email is sent from your provider's mail server to the recipient provider's mail server in plain text, usually traveling through a half dozen routers controlled by the largest telecommunications providers on the planet, all of whom have the technical capacity to read the message (and, of course, turn it over to any government authority who wants it). On the other hand, if both providers use starttls, your communication will be encrypted from end-to-end.
     19Insist on this with your provider and also insist that the provider also support OpenGPG.
     20OpenGPG is a way to encrypt your individual email messages. This software is typically the responsibility of the user to install on their own workstation. However, it's important for your Internet provider to be aware of it and provide support and education on how to use it.
     21Those four terms -- sftp, htts, starttls and OpenGPG – form the basis of good security practices for a progressive activist. They should be part of your Internet functioning and your provider should be making that possible.
    622
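Review bot: new line 18 calls STARTTLS "encrypted from end-to-end" in the same sentence that describes it as point-to-point; STARTTLS only encrypts the hop between the two mail servers, and the message is stored in cleartext on both providers' servers, where either provider (or anyone who gets into either server) can read it. Say "encrypted between the two mail servers" in line 18 and reserve "end-to-end" for line 20, since OpenPGP is the only item in this section that encrypts the message itself. Naming fixes in the same block: "OpenGPG" (lines 19-21) should be "OpenPGP", the standard, with GnuPG/GPG being the program that implements it; "htts" in line 21 should be "https"; "hypter-text" in line 15 should be "hypertext"; and line 14 expands SFTP as "Secure FTP", which invites confusion with FTPS, whereas SFTP is file transfer over SSH, a separate protocol, so "SFTP (file transfer over SSH)" is clearer. Line 14 also has a stray ". .They".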
    7 These aren't just theoretical options. The choices you make impact on the way you use the Internet. They can either contain your experience and force you into the control of a company or allow you to grow and broaden your experience.
    823
    9 More than that, these choices have an impact on the rest of the Internet and the rest of the progressive movement. Because, as with any issue or struggle (and possibly more important than most), there are responsible choices to make about your Internet work and there are choices that are simply irresponsible.
     24Control
     25Most people who use the Internet either think they are in control of their experience or don't think about it at all. But control is fundamental to a progressive approach to the Internet. It means that we can not only preserve and protect our Internet functioning but can more easily contribute to the Internet's future. Remember that there are people, mostly companies, that want to control the Internet for you and, if they can control the way you use the Internet, they can control what you use it for and what you say on it. And, sooner or later, they will.
     26Content and Access
     27You should have full control of your content and complete access to it.
     28One area of content attack is the cease and desist letter. At some point, you or an organization you work with is going to get a cease and desist letter from a company, an individual, another organization or the government. These letters are designed to stop you from doing something you're doing on line. Often they have to do with copyright infringements but we've seen such letter provoked by expressions of opinion or information about some company or government agency.
     29Many providers have a knee-jerk reaction to these letters. They give you a day to pull the material and, if you don't, they take your website down. After all, they're there for the money and any potential legal difficulty (even answering a lawyer's letter) isn't worth what you're paying.
     30In reality, cease and desist letters are usually bogus and if the complaint is legitimate, a court can decide or you can negotiate with the letter-writer. Providers have no right to act unilaterally or threateningly towards you. If something is so offensive that it shouldn't be on a provider's servers, they should discuss that with you and take action on their own. Otherwise, if it's not too offensive to be on-line, it deserves to be on-line.
     31A very prominent issue around access is shell access. You may not know about it or even use it but there's a "layer" of functioning beneath your website display and beneath "protocols" like sftp. It's call "shell access" and it means that you can use a "command line program" to get into your directories and files and interact directly with the file and operating system.
     32Most of us won't use this but, if we need to (or we have a techie in to work on some aspect of our website), it should be available. In principle it represents real control over your website and your data.
     33Good providers offer command line access; those who don't aren't.
     34And then there's Domain Name conrol. This is quite possibly the most torturous lesson many experienced activists learn on the Internet. We see this all the time.
     35You'll frequently find hosting providers who offer you "domain registration" and "monthly hosting." You sign up because it looks like a good deal. But when you want to move your site to another host, you run into all kinds of "contract clauses" and payment requirements and, in the end, you can't move the domain, the old provider must do it for you (and often charge you extra for that).
     36You are in domain prison and this is unethical and fundamentally reactionary ... and among the most common and even encouraged abuses on the Internet.
     37DNS and hosting are two different activities and people can't do both legally. DNS is the address of your domain and it's handled by a select group of companies with special programs and systems to do that. All they do is register your domain and then point people to the hosting provider who is handling your data.
     38Hosting is what it implies. Your website, email and other Internet resources are “hosted” and “served” by the provider. Providers have no control over your DNS.
     39What's happening is that your hosting company has a semi-hidden deal with a DNS registrar. They're actually registering your domain for you. This may seem more convenient but it takes away your power over your website and that's as bad politically as it gets.
     40The right way to do it is: the person who owns the website should own the registration. You go register it and the hosting provider then makes sure it resolves to your site.
     41Control over what you send and receive
     42The most egregious attack on this obvious right is spam control. We have a lot written on this issue because it is among the Internet's most important. So we'll summarize:
     43All spam should be passed on to the user who should be able to make the choices about what to do with it. This is a perfectly effective approach although it requires a bit of work on the user's part. There are several good server programs that can "guess" what's spam and what's not with a remarkably high degree of accuracy. Then they flag suspect email and the user decides whether to set up email so he/she can review the "spam flagged" email individually or filter it into some spam box automatically.
     44What you don't want is a provider making those choices for you: filtering spam and destroying it, blocking it, or what's worse, rejecting and blocking the server that sent it (called blacklisting...aptly). Your provider has no right to determine the content you should receive; no company should even be allowed to make those choice for you.
     45That's all the more important because of the definition many providers have of “spam”: mass email or email to a list of people the sender doesn't know. Here's the critical issue we must all understand:  if the mailer can reasonably expect that you'll be interested in the material you're receiving, that is protected speech and not spam. That's the law and it's a law our movement has fought for over a century to create, enforce and protect. It's fundamental to our ability to communicate and organize. If we can't send email to people we don't know, we're not going to reach people we need to inform.
     46Things get much worse with blacklisting, an abuse that is a cousin of irresponsible spam control. If someone is "turned in" for spamming, some providers will block that person's IP address and that blocks the entire server which means that nobody on that server (and there are often hundreds of other users) can communicate with people who the acting provider hosts. If that's a large company, like AOL, hundreds of activists will be blocked from reaching thousands and even tens of thousands of people including people they normally email with. It is the worst kind of arbitrary blockage of free speech.
     47Intrusive spam control and blacklisting are simply not acceptable and a provider that does those things shouldn't be your provider.
    1048
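Review bot: new lines 37-40 use "DNS" where they mean domain registration, which loses the distinction the removed v11 lines 103-111 drew between the registrar (which holds the registration record and the registrant's name) and authoritative DNS (the records that map www/mail names to server IPs). As written, line 38 "Providers have no control over your DNS" contradicts line 40, where the hosting provider "makes sure it resolves to your site", which is authoritative DNS and is normally run by the host. Suggest "Domain registration and hosting are two different activities" in line 37, "registrar" for the company that holds the record, and "Hosting providers should have no control over your registration" in line 38. Also "conrol" in line 34 should be "control".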
    11 You want to make the responsible choices and so, to help progressive people make Internet plans, we have written some issues and questions to guide your thinking.
     49Summing Up
    1250
    13 == Web ==
    14 
    15 === Are you able to use encrypted connections? ===
    16 
    17 For most of us, the information on our web is intended for public consumption, so there is no need to encrypt the communication between people's web browsers and the server.
    18 
    19 However, even with public web sites, some information ''is'' private. If nothing else - than the transmission of your password when connecting to the server to make a change. If someone gains access to this private information, they can upload malicious files, it can literally eat up the other web pages on your website or display information you don't want or, even worse, get into the rest of your directory and destroy it. If the provider's server is not properly secure, such a file can destroy everyone else's data.
    20 
    21 The two most common ways to authenticate to your web site to make a modification are:
    22 
    23  * FTP is "File Transfer Protocol" and it's one way you can get your files (or web pages) into your website for people to see on their browsers. FTP access is insecure because it travels over channels (called "Ports") that allow it to be read as it's being transferred and because it doesn't provide a lot of protection while you're in your directory. A person with proper programs can eavesdrop the entire session, log it and do all kinds of information robbery to be used in exploiting your files. Everyone should use Secure File Transfer Protocol. SFTP is less common than FTP and there are fewer programs that you can use to do an sftp session. So many activists are used to FTP and wonder why they should be using the alternative. Basically, it's because your data is critically important to you and to the rest of us: because you're part of our movement. There are SFTP programs for every computer platform. You should insist that your provider only allows sftp. If the answer's no, do not use that provider.
    24 
    25  * Via a web browser. Many people use web-based programs like Drupal, or WordPress, or Joomla to manage their sites. FIXME: add discussion of difference between http and https. Does your provider allow you to setup https connections?
    26 
    27 === What's your policy on receiving cease-and-desist letters? ===
    28 
    29 At some point, you or an organization you do work with is going to get a cease and desist letter from a company, an individual, another organization (usually corporate-based or right-wing) or the government. These letters are designed to stop you from doing something you're doing on line. Often they have to do with copyright infringements but we've seen such letter provoked by statements and expressions of opinion.
    30 
    31 Many providers give you a day to pull the material and, if you don't, they take your website down.
    32 
    33 The reason is simple: the only thing they care about is your money. They couldn't care less about the importance of your message and the even greater importance of allowing you to express that message. Money means everything and, in the balance, the fees you pay them are simply not worth the potential payments to lawyers and other grief caused by a legal action.
    34 
    35 Let's clarify a couple of points first of all. Because someone writes a letter doesn't mean they are right moral or even legally. In fact, copyright on the Internet is very complicated and partly untested so most letters about infringement are subject to legal interpretation. Otherwise, almost all speech on the Internet is protected. You can't infringe copyright and you can't libel someone (or defame them falsely) but both infringement and libel are decisions of fact subject to jury action. In other words, you haven't done either until a court decides you have. So how in the world can a provider wipe your site?
    36 
    37 Moreover, it's doubtful that most providers could be held legally responsible for a website's presence on their servers until a court determines that there's an illegality or violation. In short, no provider has to wipe a site until a judge says so and there's no action that can be taken against it. They're just taking the road of least effort.
    38 
    39 Politically, weak cease and desist policies favor right-wing movements and strategies. The Right wants to repress speech; we don't. We want everyone to be able to talk because once we get the debate going, we win. We're telling the truth, after all. This has been proven historically countless times. So cease and desist is effectively a right-wing tactic and it is absolutely essential that we resist. Imagine if your website has to come down the moment some lawyer issues that kind of letter? And, we assure you, that's what often happens.
    40 
    41 If someone is so offensive that it shouldn't be on a provider's servers, they don't need a letter from a lawyer to tel them that. Let them ban the materials themselves and then discuss that with the site managers. Otherwise, if it's not too offensive to be on-line, it deserves to be on-line.
    42 
    43 The correct position is: We don't comply with cease and desist letters. Period.
    44 
    45 If that's not the answer you're getting from your provider, find another one.
    46 
    47 === Do I have full secure shell access? ===
    48 
    49 You may not know this and you may not need it but there's a "layer" of functioning beneath your website display and beneath "protocols" like sftp. It's call "shell access" and it means that you can use a "command line program" to get into your directories and files. A command line program is best identified by its prompt. You have a few letters, then a colon and you enter commands next to that and things work. You're interacting directly with the server's operating system (Unix, Linux or one of the weaker OS systems) and you can do virtually everything you want to your files and accounts.
    50 
    51 Of course, the caveats that apply to sftp are even more important here -- because there's so much more access. Make sure you have secure access (SSH) and use it. At this point, most providers do that. The problem is that most providers don't provide shell access at all.
    52 
    53 This may seem like a nothing since many of us don't use shell access. But shell access represents true control over your Internet data and it's the most powerful control we have. It's the way system administrators work. At some point, you may need it or someone in your organization may need it and you should have it because this is your data. No questions asked.
    54 
    55 If you don't have secure shell access, you should not be with that provider.
    56 
    57 == Email ==
    58 
    59 === How do you handle spam? ===
    60 
    61 We have a lot written on this issue because it is among the Internet's most important. So we'll summarize:
    62 
    63 All spam should be passed on to the user who should be able to make the choices about what to do with it. This is a perfectly effective approach although it requires a bit of work on the user's part. Using one of various programs, you can "guess" what's spam and what's not with a remarkably high degree of accuracy. Then you flag it and the user decides whether to set up email so he/she can review the "spam flagged" email individually or filter it into some spam box.
    64 
    65 What you don't want is a provider making those choices for you: filtering spam and destroying it, blocking it, or what's worse, rejecting and blocking the server that sent it (called blacklisting...aptly). Your provider has no right to determine the content you should receive; no company should even be allowed to make those choice for you.
    66 
    67 Most of all, blacklisting is almost always a destructive and irresponsible policy. If someone is "turned in" for spamming, some providers will block that person's entire server (there's no other way to do it) which means that nobody on that server (and there are often hundreds of other users) can communicate with people on the targeted server. It is the worst kind of arbitrary blockage of free speech.
    68 
    69 Finally, what defintion of spam does your provider have. There is one acceptable definition: spam is the massive, arbitrary email of material to people who cannot reasonably be expected to be interested in it. That is, if the mailer can reasonably expect that you'll be interested in the material you're receiving, that is protected speech and not spam. That's the law and, for our movement, it is a definition that must be protected because, otherwise, you can't organize.
    70 
    71 === Do you use starttls so all email data is encrypted from point-to-point with other email providers using starttls? ===
    72 
    73 Starttls is not common among commercial providers and it's possible that the person you're talking to won't even know what you're talking about. But consciousness of this "security trigger" is as important as anything we've talked about here.
    74 
    75 Normally when you send an email message, the message is sent from your provider's mail server to the recipient provider's mail server in plain text. Usually, such a message will travel through a half dozen routers controlled by the largest telecommunications providers on the planet, all of whom have the technical capacity to read the message.
    76 
    77 On the other hand, if your provider uses starttls and you send an email message to a user on a different provider that also uses starttls, it means that your communication will be encrypted from end-to-end.
    78 
    79 You can see how important this can be to you. Does you provider see that as well? If not, your provider isn't thinking about your security or privacy and you should start thinking about another provider.
    80 
    81 === Does your provider support OpenGPG? ===
    82 
    83 OpenGPG is a way to encrypt your individual email messages. This software is typically the responsibility of the user to install on their own workstation. However, it's important for your Internet provider to be aware of it and provide support and education on how to use it.
    84 
    85 === Do you enforce https only web access to webmail? ===
    86 
    87 Straight and to the point. When you do webmail with your provider and the url begins with "http" rather than "https", your email is insecure and your provider is not thinking about your security.
    88 
    89 The secure layer for web access, https, is the only way to make sure your email is traveling through a secure tunnel and is not visible or viewable to hackers. Put it this way: you see that website you got to through http? You can see everything on it? Your webmail is a website. All you need is a password and someone can steal the password or guess it. Ask yourself this question: why do people who take credit card information on the Internet use https pages? Is your email less valuable than a credit card number?
    90 
    91 == DNS ==
    92 
    93 === Can do I have full control over my domain name (ability to change the authoritative DNS servers)? ===
    94 
    95 This is quite possible ''the'' most torturous lesson many experienced activists learn on the Internet.
    96 
    97 You'll frequently find hosting providers who offer you "domain registration" and "monthly hosting." You sign up because it looks like a good deal and you get a registered domain and hosting. But when you want to move your site to another host, you run into all kinds of "contract clauses" and payment requirements and, in the end, you can't move the domain, the old provider must do it.
    98 
    99 You are in domain prison and this is unethical and fundamentally reactionary ... and it is among the most common and even encouraged abuses on the Internet.
    100 
    101 First an explanation of what's what here because domain registration and hosting aren't the same at all and they are ''not'' being done by the same people not matter what they tell you.
    102 
    103 Domain registration is an Internet-wide practice performed by a very few, select and highly specialized companies called "registrars." These are companies that have huge resources and experience and are required to demonstrate those resources and experience with the Internet's management authorities (like ICAAN).
    104 
    105 Their only role is to sign you up for a domain no one else has, take your yearly fee and put you on a database that has your domain, information about who owns it, and the IP addresses of the people who host the authoritative DNS for that domain. They also circulated this information to a network of servers called "root DNS servers."
    106 
    107 That's it. People type in the url and it goes to one of those servers to find out where the local dns is hosted.
    108 
    109 Authoritative DNS is something different. Here the provider has a set of records that have your domain name, your service year (www or mail or whatever) and the IP of the specific server this stuff is one (or servers if there's more than one). It's the system that tells .your browser or email client where precisely to go to find a website or to send a specific person email.
    110 
    111 That's the difference: Like with an office or apartment building, domain registration is like the telephone directory: it gives the address to the building where the person you're looking for resides or work. Authoritative DNS is the office or bell directory downstairs that tells you precisely where, inside the building, that person can be found.
    112 
    113 If a provider controls domain register, that provider can actually prevent you from moving your site from his/her servers or demand all kinds of things from you before permission is given.
    114 
    115 This practice runs counter to everything the Internet stands for. You can't move your site if someone else is controlling the domain and if you can't move your site, you are a prisoner. No matter what someone may tell you about a "contract" or anything else, you have the legal right to know who is providing your domain registration and the legal right to move your domain anyplace you want.
    116 
    117 In fact, you ''do'' have access to this information even though your provider may hide it from you. You use the whois command on a command line of any terminal hooked up to the Internet. For example,
    118 
    119 {{{
    120 yourterminal$ whois mayfirst.org
    121 }}}
    122 
    123 yield this information:
    124 
    125 {{{
    126 Domain ID:D101505448-LROR
    127 Domain Name:MAYFIRST.ORG
    128 Created On:25-Sep-2003 18:44:27 UTC
    129 Last Updated On:30-Jan-2008 14:13:08 UTC
    130 Expiration Date:25-Sep-2010 18:44:27 UTC
    131 Sponsoring Registrar:Dotster, Inc. (R34-LROR)
    132 Status:OK
    133 Registrant ID:DOT-4FPDSMK4ZL0F
    134 Registrant Name:Media Jumpstart Inc.
    135 Registrant Organization:aka May First/People Link
    136 }}}
    137 
    138 So we know two things right off -- this domain name is owned by the organization Media Jumpstart (our owning foundation) and it's registered at dotster (our domain registrar). All registration records give you this information. And at the bottom of the record it says:
    139 
    140 {{{
    141 Name Server:B.NS.MAYFIRST.ORG
    142 Name Server:A.NS.MAYFIRST.ORG
    143 }}}
    144 
    145 which are the names of the authoritative DNS servers at May First/People Link.
    146 
    147 If you go to Dotster, login and you are the owner of this record (the registrant), then you can re-point it to whatever authoritative DNS server you want and that place will then assume the responsibility for handling DNS lookups (and presumably many other services) for you. There may be some restrictions (like if you owe the old provider money) but if you're in the midst of a contract year or are paid off, you can make the move legally without any question.
    148 
    149 The right way to do it is: the person who owns the website should own the registration.
     51If you weren't aware of what we've written here, you're not alone and there's not shame in it. Most of us don't know these things because the corporate Internet doesn't discuss them, at least not in a progressive way. But we think we should all at least be aware of these issues when we make our choices. You may decide, for good reasons, that a provider that doesn't comply with good practices in some of these areas is still the best one for you. The point is to be aware of what you're giving up so you can make these decisions constructively and responsibly.
     52And we are...
     53May First/People Link, an organization of more than 260 progressive organizations and people who pool our resources and our work to build an alternative to corporate hosting, facilitate our movement's work in the Internet, and organize the Internet to more fully realize its enormous, historic potential.
     54Needless to say, we comply with the progressive practices we've outline above...and a lot more. We're also among the oldest “providers” in the world.
     55For information about our work and how to become part of our organization, visit our website:
     56http://www.mayfirst.org
     57and thanks for reading this. Keep it and pass it along to someone you think should be thinking about these issues.
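Review bot: removing old lines 117-147 deletes the only concrete verification step in the pamphlet, the `whois mayfirst.org` walkthrough that shows which lines of the record name the registrant, the sponsoring registrar and the `Name Server:` entries; the new "Control" text tells readers they may be in "domain prison" but no longer tells them how to check who holds their registration. Keep that example (or a link to it) under the domain section. The removal does resolve old line 25's "FIXME: add discussion of difference between http and https", now covered by new line 15. Small typos in the added closing: "there's not shame" (line 51) should be "no shame", and "outline above" (line 54) should be "outlined above".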