Security incidents on the Internet are growing at an alarming rate. While many see the Internet as a big business opportunity, few know about security issues or deal with them to any notable extent. The few who do know about security issues generally know only one side of the story: how to break security or how to fix it. For an intruder trying to get inside computer systems, knowing how to break security may be enough. Sadly, it is not enough for the system administrator to know only the security problems or only the security solutions. The system administrator needs a firm grasp of both. Most security documentation ignores this truth and focuses on either the problems or the solutions alone. We attempt to bridge the gap by presenting both sides of the coin: security problems together with possible solutions to them. We go even further by presenting the intruder and his ways. We do this in an effort to make the intruder more understandable and therefore easier to protect against.
The Internet grew out of researchers' need to share information about their fields of research with others. It does not seem that it was ever planned for "release" to the public. This is clear in its design, which supports easy sharing of information but pays little attention to security concerns and almost neglects them. The Internet still retains its reputation as an information sharing platform, with security concerns remaining an afterthought. It is advertised as an easy-to-use information sharing platform and, more recently, as the mother of all marketplaces, with risks mentioned in very fine print, if at all. Most users of the Internet are therefore completely ignorant of the risk that being on the Internet poses to them and their information until it is too late. This document is therefore published partly as a contribution to the security community's initiative to present security concerns clearly to the misinformed and ignorant. We also publish this document as part of another initiative to curb security incidents on the Internet.