These are the rules.
The rules are subject to change, but you are
always advised to follow the current set of rules. They are not all
of the rules. They are some of the rules. The absence in this list of
a particular rule does not mean you don't have to follow it, if indeed
it is a rule. These are intended to be a simple set of general rules
for dealing with the kinds of interactions that are prevalent on the
internet (web/email). Some of them also apply to the telephone. Use of
the rules is at your own risk (as is use of the internet).
But you do have to follow these, even if you've lost your rulebook
under the stack of AOL CDs. Remember, there are lots of people out
there trying to scam you. Don't make it easier for them. These rules
derive from the core principles of "don't execute untrusted code" and
"verify your contacts".
Watch the Chain of Trust
Do not ever give out any information to
anyone who contacts you first, no matter how innocuous it
seems. Find an alternate way to find out their contact information (or
use contact information you already have, which has been verified),
and contact them yourself. For example, if you get a voicemail from your
credit card company telling you to contact them about some suspected
fraud, don't use the number they leave. Call the number on the back of
your card instead.
You don't control the links
If you're going to give out any
information - financial info, username / password, etc., even if it
seems like innocuous information - do not click on links that are
emailed to you. Always type in URLs by hand (or use bookmarks that you
saved from typing URLs in by hand).
You don't control attachments
Do not open attachments unless
you are expecting the specific attachment and you know what it
is. Even then, this is risky. If you're not expecting that specific
attachment, it's probably an email worm or something else bad. Even if
you are expecting the attachment, rather than clicking on it directly
to run it, you're much better off saving it to disk, opening the
program you think it should be run with, and then opening it
manually. This takes a bit more time, but think of the time you save
by not having your data randomly deleted by malicious attachments. If
you can, open them in some program other than the one for which they
were intended (use an alternate PDF reader instead of Acrobat, or the
Word viewer or OpenOffice, or an unpopular operating system).
HTML can be used to hide things from you
If you can, use
a plaintext mailreader. HTML mail is fraught with all sorts of
security problems. I like Mutt.
Burn me a million times...
Do not use Microsoft products to
browse random websites or read random emails. In a controlled
environment, these products do have advantages. When used with
untrusted content, they behave badly and will run code without your
permission or knowledge. This includes all versions of Internet
Explorer, Outlook, and Outlook Express. Instead, use products that are
better about executing (or not) untrusted system code -
Mozilla/Firefox/Thunderbird,
Opera, and the like. If you absolutely
must use Microsoft products, make sure they are up to date with the
latest patches.