R.U.N.S.A.F.E.

Summary:

• Set up your computer so it protects itself as much as possible by following StartSafe recommendations.
• Refuse unknown programs. A malicious program can undo all your security.
  • Unfamiliar or unsolicited files from any source should be treated with caution.
  • Verify the sender of messages and the contents.
    • e-mail attachments
    • instant messages and file transfers
    • P2P files
    • Files found on open windows file shares
    • Files offered from Web links found in e-mail, instant messages, P2P, or any other unsolicited source
• Don't believe everything you see on your computer or the Internet.
  • The FROM field in an e-mail message cannot be trusted.
  • Anyone can put up a web site that says anything
  • File names are often meaningless
  • Do not make critical decisions based on unsolicited e-mail or instant messages without verifying the source
    • Providing passwords
    • Providing sensitive information like account numbers
    • Running programs on your computer
    • Reconfiguring your computer
• Don't let someone else force their way into your computer
  • Update your computer's programs regularly. Windows updates only update Microsoft software. You're responsible for anything else you install (e.g. media players, document readers )
  • Choose strong passwords and safeguard them.
• Be aware of computer related threats and crime.
  • Computing Security Hot Topics
• Prepare for the inevitable failure. Backup critical data regularly.
• Recovery instructions for a sick and quarantined Windows computer.

Did you know that with one wrong mouse click you could make it possible for someone to read all your email, documents, or instant messages? That they could also view your grades, online bank accounts, or change your course schedule? That they could read or change anything on your computer? Or anything accessed from it? That they could turn on your computer's microphone to listen in on conversations? Or command your computer to attack other network users or sites? Or use your computer for a computer crime for which you may be blamed?

Did you know a newly installed Windows XP, 2000, NT, or Linux computer is likely vulnerable to the same type of compromise without even a mouse click just by being attached to the network? 

Did you know several such incidents have occurred on computers at JMU...from Windows 95 and Macintosh desktops to Windows NT and Unix servers? That they've been used to attack other computers and divulge information? Did you know all our computers are scanned constantly from around the world by people hoping to take advantage of them?

Did you know that your behavior impacts your neighbors' security and their behavior yours?

The Internet, paired with today's software, provides us astonishing capabilities for sharing and communication. However, these same capabilities also provide access and computer power to more than 600 million people around the world...some of whom may not share our behavioral expectations. Examples, such as random acts of vandalism, can be found in any local newspaper. 

The threats associated with online folks' behavior are very different from similar threats in the physical world. Using the same freedom and functionality we treasure, they can communicate with our computers almost instantaneously, almost anonymously, and en masse from around the world. They don't even need to be a computer expert. It only takes one person to write a destructive program to enable many people without technical knowledge to cause problems, just as all of us use word processors and web browsers without knowing how they work or being able to write one ourselves.

While the risks associated with these threats can be decreased by limiting communications, limiting computer functionality, and increasing the complexity involved with our computing environment, they can't be eliminated. Moreover, the more we wish to maintain our current freedom in communications and computing, the more necessary it is that we individually take steps to take care of ourselves and reduce the need for outside controls and limitations. 

The only person ultimately in control of a computer is the operator in front of the keyboard. That person presently has the freedom to run any software he or she wants and communicate with anyone around the world. Our computers can do almost anything we tell them to do. Unfortunately, this versatility makes them very complicated. Perhaps the most complicated devices we are exposed to on a regular basis. This is true despite our most fervent wishes, occasional profanity, and manufacturers efforts. Computers have more decision points and varying functionality than almost anything else we use. They are not cars, televisions, or radios and efforts to make them appear to be so have sometimes backfired and caused security problems.

The goal of the R.U.N.S.A.F.E. program is to help you attain the knowledge and skills necessary to more safely operate an Internet connected computer. R.U.N.S.A.F.E. workshops are offered once per semester that describe the incidents we've seen at JMU, the threats we're exposed to, and that teach the defensive concepts and procedures described here. Onsite workshops are also available to groups. (contact Gary Flynn to schedule one).

Online:

• RUNSAFE PowerPoint presentation. If you don't have PowerPoint, you can get a free viewer from Microsoft here.
• Security in the Trenches PowerPoint presentation.

REFUSE to Run Unknown Programs

Our computers operate the way they do entirely because of the programs we run on them. When we run a program, we give control of our computer, its data, and our keystrokes to the author of the program. In fact, a computer break-in is typically just someone running a program on our computer to make it do what we don't want it to do.

A malicious individual may try to convince us to run their program which then takes control of our computer. Or they may force our computer to run their program by using software defects or unintentional access. The program may then tell our computer to email viruses to our friends. It may tell our computer to collect and reveal our passwords. It may tell our computer to disable its anti-virus and personal firewall protection. It may tell our computer to flood a web site with traffic in an attempt to disable it. Or it may tell our computer to break into someone else's computer to help hide the identity of the perpetrator.

Since programs control the computer and everything the computer does or has access to, it is very important that we not run programs written by people we don't know or trust. Almost every other security precaution depends upon our having control of our computers. If we run unknown programs, we don't.

A program can take many forms. It might be a Windows .exe file. It might be a Microsoft Word macro. It might be a script.

We may find programs in many places. They may be offered to us in email attachments. They may be on web sites. They may be on shared folders. As we'll see later, they even may be forced on us over the network if we don't keep our computers up to date. For now, we'll concentrate on the programs over which we have a choice about running.

In our point and click world, knowing what to click and what not to click can be confusing. We are conditioned to click on everything. Here are some rules of thumb that may be helpful:

• We should pause a moment to consider the nature of the site, file, or message and how much we want to trust our computer to it before clicking:
  • when the file or icon is an email attachment or associated with an instant message
  • when the file or icon is in a shared directory accessible to other people on the network. For example, a Kazaa or Windows File Sharing directory.
  • when our browser asks us if we want to allow extra access. For example, to download or execute a file, plug-in, or ActiveX control.
  • when our Word processor or spreadsheet asks us if we want to allow a macro to run.
  • when we don't know for certain where the file came from or through whose hands it passed
• We're generally safe to click in the following situations as long as our computer software is kept up to date.
  • When the file is on our own computer. Note that an icon may point to a file actually on a shared drive or web site particularly with Microsoft's Active Desktop enabled.
  • When we're browsing the web and our browser doesn't prompt us for extra access.
  • When we're reading email and there are no attachments.

It all cases, risk is decreased if we save a file and open it with its related application rather than double-click it or choose "Open this file from its current location".

• By design or defect, a file displayed on our screen may not always appear as it should. It may look like a relatively harmless Word document (resume.doc), picture file (mydog.jpg) or sound file but may actually be a malicious executable program (resume.doc.spy.exe). By saving it to disk and opening it with the application that should go with it, we'll protect ourselves from this scenario. The couple of additional mouse clicks it takes to do this may save a lot of aggravation or worse.
• For example, if you are offered a file displayed as "resume.doc" in an email attachment or on a web site, don't double-click it or open it from its current location. Instead, save it to disk, open Word, and use Word's File->Open menu to open the file you saved. If the file doesn't open properly, or its name changes, its almost a sure sign something is badly wrong with the file.

There have been many instances of malicious programs spread automatically or getting passed around purposely or innocently. When such a program is discovered, vendors of anti-virus software update their products to recognize the new program. Running the anti-virus product on our computers protects us from this recognized program if we fail in our efforts at refusing unknown programs. But like flu shots, anti-virus software won't protect us from new viruses. Fast moving, email based viruses can circle the globe in hours and infect a lot of computers before antivirus software can be updated. Nevertheless, installing and maintaining anti-virus software is a very important part of maintaining the security of our computers. JMU has purchased licenses for Symantec/Norton anti-virus for faculty, staff, and students home and office computers. It is fully supported by the helpdesk. Why not install it now?

• The Symantec antivirus software is available from the Computing Support Software Downloads page

Once malicious software is run on our computer, it can do anything including disabling anti-virus software and personal firewalls. We can limit the damage malicious software can cause by operating our computers using safer accounts for day to day use. For Windows computers, this translates into using a 'standard' or 'limited' account for daily use of Windows XP and Vista computers. The run-as command can be used on the few occasions when Administrator privilege is necessary. Windows Vista's UAC feature makes it even easier. Macintosh computers should also be set up to use a safer account. Likewise, unix users should not use the root account for daily activities and the su command can be used when it is needed.

When we receive email, we can rarely be sure who sent it. The FROM: information is as easily falsified as the return address on a paper envelope. Virus programs running on an infected computer can easily send out email in anyone's name. Accordingly, email attachments, which may contain malicious programs, should all be treated with caution. One click is all it takes to lose complete control of our computer and everything it accesses.

• Be particularly careful of unexpected or unusual email or attachments regardless of the source, content, or attachment name.
• Treat any email attachment whose name ends in ".exe", ".com", ".bat", ."scr", ".pif", ".shs", ".js", ".hta", ".vbs", or any ending you're not familiar with as you would hazardous waste material. Find out what it is from the sender before opening it!
• Treat email attachments ending in .zip cautiously. They can hold harmless documents or more hazardous executable files.

Spyware

A lot of computers have recently had problems with undesirable programs that are being called  "Spyware" or "Adware". The programs are sometimes installed along with free programs such as music sharing programs. They are also sometimes offered by web sites and even forced upon you if you haven't kept up with Windows Updates. This software may track your movements, steal your passwords, pop up targeted ads, take control of your web browser, or report your movements to online web sites.

• Spy Stoppers (PC Magazine)
• Spyware - Its Lurking on Your Machine (PC Magazine)

Being no different than any other undesirable programs, it is less risky and usually easier to prevent a compromise of your computer and privacy than it is to recover from it. In particular, read all program documentation thoroughly before installing it and only load programs obtained and written from trusted sources. Oftentimes the distributors of programs that include spyware or adware tell you in the fine print of the licensing or installation documentation. Also make sure to keep up with Windows Updates. Some of these programs are being installed by web sites taking advantage of Internet Explorer defects to force installation without operator knowledge.

Two tools, Adaware and SpyBot, are available on the JMU Computing Downloads site to detect these undesirable programs on your computer.

These types of programs (Spyware) are no different than others other than that they've been labeled, been given press coverage, and are widespread. The functions they perform on your computer vary widely and any name given to them or attempt to classify them is quite generalized. Regardless of anti-virus software, anti-spyware software, anti-trojan software, firewalls, other security precautions, and even legislation, the first line of defense is to refuse to run unknown programs.

Portable Storage

Portable storage devices, such as USB drives, can harbor malicious programs or become infected by them.

• Use a USB drive with a write protect switch and set it to read-only when before plugging the drive into an unknown or untrusted computer. In fact, leave it in read-only mode unless you are planning to write from it.
  • If your USB drive does not have a write protect switch, a partially effective workaround is to:
    • Mark all files on the drive read-only
    • If an autorun.inf file does not exist, create an empty one and mark it read-only.
• Use caution when plugging an unknown USB drive into your computer. On Windows computers, hold down the Shift key while inserting the drive to keep programs on the drive from automatically running on your computer. Better yet, disable the autorun feature on your computer.

-->more information on refusing unknown programs...

UPDATE Our Computers Regularly

Computer programs frequently contain defects. Some of these defects can allow third parties to run programs of their choice on our computers without any action on our part. This allows the third party to take control of our computers, and all the resources and data they have access to, for their own purposes. 

• Defects in client programs like browsers, email clients, and media players may allow unwanted programs to run if we click a link to a malicious web page or receive malicious email. These types of defects can cause us to lose control of our computer simply by browsing the web or starting our email client.
• Defects in server programs like web or file servers, can allow someone to force unwanted programs to be run on our server. They exploit the defect by making malicious web or file requests. The exploitation might be carried out by an individual or by an automated program like a worm.

Running defective, vulnerable software on our networked computers is similar to leaving broken windows in our homes and offices for strangers to enter. Except with the Internet, people can enter these "windows" from anywhere in the world. Large scale scans from around the world are often seen within days of new vulnerabilities being announced. Machines with defective software or vulnerable configurations have been known to be compromised within hours of being attached to the network both here and elsewhere. Most software is out-of-date and full of vulnerable defects on the installation CDs and even sometimes when downloaded from vendor web sites. Scanners and automated worms may find a vulnerable server almost as soon as it is connected to the network. It is necessary to check for updates as soon as new software is installed and regularly thereafter.

All computer operators:

Defects in popular add-on programs are often discovered that are not covered by automatic update sites. If you run any of the following programs, you will be responsible for making sure you have the latest security updates from the vendor:

• Instant Messaging Programs (AOL IM, Yahoo Messenger, Trillian, etc.)
• Media players (RealOne, RealPlayer, Winamp, etc.)
• Document viewing programs (Adobe Reader, Shockwave, etc.)

The Cassandra service will allow you to set up profiles indicating products of interest to you and receive email notifications when vulnerabilities associated with those products are reported. The service is offered by the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University.

Microsoft Windows Systems

Due to several defects discovered in Microsoft Windows NT, 2000, XP, and 2003 since August 2003, and associated exploitation of those defects by automated worms and criminals, it is no longer safe to plug a new computer running those versions of Windows into a network without following special procedures. To do so would mean a race against worms and hackers to get patches installed. Before connecting such a computer to any network, follow the StartSafe instructions for new Windows computers.

Windows Desktop Operators: (reminder: Microsoft no longer supports Windows 95 and 98)

• Follow StartSafe procedures to set up automatic updates.
• Use Microsoft's Baseline Security Analyzer tool to check Windows NT, 2000, XP, and 2003 systems for updates and best practices configuration recommendations when the computer:
  • Is used to access accounts with elevated privileges.
  • Runs remotely accessible services such as web, database, or file shares.
• If Microsoft Office is installed and you're running Windows 2000, visit the Office Update Site monthly. You'll need the original distribution media to install Office patches.
• Double-click the Norton Anti-Virus gold shield icon in the lower left of your screen. A Norton window will come up. Check the date of the Virus Definition File. If it is more than two weeks old, the Norton Anti-Virus program is not updating itself correctly.
• Upgrade or replace software which Microsoft doesn't support with security patches. Of particular importance in this respect are: 
  • Internet Explorer versions 3 and 4 
  • Office 97 and 98 for Windows
  • Windows 95, 98, and ME
• Cygwin users must also check for defect updates in Unix programs packaged with Cygwin or installed separately. For example, OpenSSH.
• Review computer security Hot Topics page at least monthly for announcements of software defects or other issues that may affect you.

Windows Server Operators:

Servers need to have more timely patches as they run software that is accessible to anyone on the Internet. Patches should be installed as they become available.

• NEVER bring up a server until all patches and configuration changes have been completed. Unpatched servers have been found and compromised in minutes by automated worms and scripts. Install the software while the machine is disconnected from the network, make sure all servers are shut down, connect to the network and download the patches, disconnect from the network, and apply patches.
• Use Microsoft's Baseline Security Analyzer tool to check Windows NT, 2000, XP, and 2003 systems for updates and best practices configuration recommendations. Windows Update is not sufficient for servers. It does not check some software for updates nor does it check for vulnerabilities due to configuration mistakes.
• Subscribe to Microsoft's Security Bulletin Mailing List and apply patches as soon after they are announced and can be tested as possible. 
• Cygwin users must also check for defect updates in Unix programs packaged with Cygwin or installed separately. For example, OpenSSH.
• Review computer security Hot Topics  page weekly for announcements of software defects or other issues that may affect you.
• If you install non-Microsoft software, subscribe to vendor security bulletins or check their web site regularly for updates.

Linux and other Unix Systems

These systems often have server programs running after even a default desktop installation.

• NEVER connect a server to the network until all listening services have been stopped. Unpatched servers have been found and compromised in minutes by automated worms and scripts. Install software while the machine is disconnected from the network, make sure all services started in the inetd.conf file, /etc/rc* files, or your vendor's equivalent have been disabled, connect to the network and download the patches, disconnect from the network, and apply patches.
• Subscribe to vendor security bulletins and apply patches as soon after they are available as possible. Click here for a list of various vendor security sites and notification services.
• Review computer security Hot Topics page at least monthly for announcements of software defects or other issues that may affect you. Server operators should check the Hot Topics  page weekly.

MacIntosh OSX

MacIntosh OSX is based on unix. Many unix related defects also affect MacIntosh OSX.

• You can use the Apple Software Update feature to keep your Macintosh OS X computer up to date.
• Current security roll-up patches can be viewed and downloaded at http://www.info.apple.com/usen/security/security_updates.html
• If you run Windows in Virtual PC, you'll need to use the Windows Update Site to get Windows patches.
• Email notification of security defects in MacOSX can be obtained by subscribing to the Apple notification service at http://lists.apple.com/mailman/listinfo/security-announce
• Use a safer account for day to day use.

Other Systems

• Review computer security Hot Topics page at least monthly for announcements of software defects or other issues that may affect you.
• Keep anti-virus software up to date.
• If available, check your vendor's security site monthly for critical security updates.

  -->more information on updating our computers...

NULLIFY Unneeded Risks

Whether by operator mistakes, attempts at making computers easy to use, or encouraging open access, our computer's software sometimes grants more access to our computers than is needed. We can decrease risk by eliminating unneeded access to our computers. 

• Do not store sensitive information unnecessarily. If you handle constituent, partner, financial, or other sensitive information, please review the Protecting Sensitive Information material. If you must store sensitive data associated with JMU business or constituents on a portable device, contact JMU Security Engineering at it-security@jmu.edu for assistance.
• Use a safer account for day to day use.
• Do not install unnecessary or non-job related software on a computer handling sensitive information.
• Microsoft Windows generally installs with several open doors by default. Shut these doors by following the following precautions:
  • Assign a good password to all Windows NT, 2000, and XP accounts paying particular attention to the Administrator and other privileged accounts.
  • Be very careful with Microsoft File Sharing. It is commonly misconfigured. Don't share more than you need to.
• Do not type sensitive information into untrusted or public computers.
• Follow wireless usage and setup best practices.
• Install and configure the IIS Lockdown Tool on Windows computers running the IIS web server.
• Consider installing and configuring modsecurity on computers running the apache web server.
• Limit unwanted network communications with a firewall. If your computer is only used to communicate in certain ways, the consequences of mistakes or defects can be decreased by disabling other, unnecessary communication channels. One way this can be done is through desktop firewalls. Windows 2000, XP, and 2003 come with firewall functionality built-in. In the form of Internet Connection Firewall for Windows XP and 2003 and IPSEC filtering in 2000. See the StartSafe for Windows page for enabling instructions. Other Windows operators have many commercial and no-cost choices. ZoneAlarm, by ZoneLabs, is free for personal or non-profit use but they specifically exclude educational institutions from this offer. You can, however, use it on a personal computer at home. Keep in mind that all desktop firewalls are vulnerable to locally run code. Some viruses disable them. Linux operators can take advantage of the built in ipchains or iptables facilities. More information on personal firewalls.
• Internet Explorer, which has a wealth of functionality, also has a history of a security defect almost every other month for the past three years. Several options are available for decreasing risk due to these defects.
• Use Microsoft's Baseline Security Analyzer tool to check Windows NT, 2000, XP, and 2003 systems for updates and best practices configuration recommendations when the computer:
  • Is used to access accounts with elevated privileges.
  • Runs remotely accessible services such as web, database, or file shares.
• Disable unused Linux services
• Nullify Risks of Anonymous, Public Storage.
• Web Service designers, providers, and administrators should familiarize themselves with Guidelines on Securing Public Web Servers (PDF-National Institute of Standards and Technology)
• Follow platform specific "best practices" guidelines when configuring a public server
• Disable music and peer sharing services when not needed

  -->more information on nullifying unneeded risk...

SAFEGUARD Our Identity and Password

Passwords are the combination locks used to protect our computer accounts. It goes without saying that giving out our combination or leaving the lock unlatched (i.e. walking away from a logged on computer), compromises our security. However, technology provides ways for people to obtain our combination even if we aren't careless. To thwart such misuse, we must choose complex combinations. There are three elements to a complex combination:

1. It can't be obvious. That is, it can't exist in an attack dictionary.
   • Every word in an English language dictionary can be tried in minutes. Attack dictionaries also include names, common misspellings, words with numbers, and other commonly used passwords. You also don't want the password to have any personal significance to you...your dog's name for example. Using a dictionary word for a password is like using a locker number for a combination.
2. It can't be a short
   • A combination lock with a two number combination wouldn't protect very well. Anything less than an eight character password is like having a such a combination. It simply won't hold up for long on the network. A minimum of ten characters is recommended.
3. It can't be made up of just a few characters
   • A combination lock with only ten numbers on the dial isn't as effective as one with fifty. Using just lower case letters is like limiting a combination lock to ten numbers. On systems that support them, passwords should contain at least one of each of the following characters:
     • Uppercase letters ( A-Z )
     • Lowercase letters ( a-z )
     • Numbers ( 0-9 )
     • Punctuation  marks ( !@#$%^&*()_+=- ) etc.

   Different systems have different capabilities. Some will not let you use all the strength features mentioned here. When you get an account or change your password on a system, you should be given instructions on any limitations.

How, you may ask, am I ever going to remember such a complicated password? 

• Pick a sentence that reminds you of the password. For example:
  • if my car makes it through 2 semesters, I'll be lucky (imcmit2s,Ibl)
  • only Bill Gates could afford this $70.00 textbook (oBGcat$7t)
  • What time is my accounting class in Showker 240? (WtimaciS2?) 
• If you absolutely have to, record it in a secure location. It's probably safer to store a strong password in a place where someone would have to physically break in than to expose a weak password to 600 million people on the Internet.

Use only applications that encrypt communications (e.g. SSL https web servers, SSH, IMAPS, SMTPS) when passwords are required.

Follow wireless usage and setup best practices.

Be careful not to type your password into the wrong field. For example, the username field. Doing so will generally result in your clear text password being recorded in a system log.

  -->more information on safeguarding passwords...

ASSURE Sufficient Resources for Proper System Care

Do you want your organization's web server to become known as the one that makes headlines when it is used to bring down a high profile Internet site? That is used to break into your neighbors computer? That harbors illegal or inappropriate files? That gives away any privileged information that is stored on it? That is unreliable?

A publicly accessible network resource needs special care in its initial setup. Today's development projects often encompass many architectures, products, and technologies. Depending upon the level of your involvement with each component, you or your project team may need to be aware of a wide variety of issues. For example, a safe deployment of a web based application may involve taking into account implementation and development issues in any of the following environments:

• Core operating system issues in Unix or Windows
• Web server issues in Internet Information Services or Apache
• Web development issues in server and client side scripting and components
• Issues with transaction processors or application servers like Tuxedo or MTS
• Backend database issues with Access, Oracle, or MySQL

Issues with authentication, file access controls, data authorization, encryption, and network access controls often cross OS, web server, web development, application server, and database realms.

Perhaps less well known due to vendor marketing efforts and perhaps our own wishful thinking, a service needs ongoing monitoring and maintenance regardless of platform. Without this care, the server may not remain in operation long, it may not preserve the confidentiality and integrity of resident data and accounts, or it may be used as a base of operations for criminal activity including attacks on other computers.

• Budget planning, hiring procedures, staffing levels, and job descriptions should reflect the need for developer and administrator training and ongoing monitoring and maintenance in a complex and ever changing environment.
• Allow time for regular maintenance
• Elevate security and ongoing maintenance to the same level of consideration as cost, ease of use, functionality, and performance.

-->more information on assuring system care...

FACE Insecurity

It is impossible to provide absolute security for our computers just as it is impossible to provide absolute security for ourselves or our possessions in the physical world. Insecurity is a fact of life. There are no technical panaceas. 

There are over 600 million people with Internet access and we cannot control their actions. They have world-wide, almost instantaneous and anonymous access to our computers' network ports. There are practical compromises in the design of our computers and networks that may leave them vulnerable to certain activities. Accordingly, we must temper our actions with awareness and take some precautions. 

• Keep up to date with current threats and scams
• Regularly backup critical or hard to replace data
• Be careful about whom and what you trust. Don't believe everything you see on the web or in email messages.
• Do not ignore warning messages. In particular, those associated with:
  • Web browsers warning about site certificate mismatches
  • Web browsers warning about file downloads or potential security problems
  • SSH clients like Putty, F-Secure, and SecureCRT warning about host key mismatches
  • Repeated virus warnings

-->more information on facing insecurity...

EVERYBODY Needs to Do Their Part

Your particular computer may not seem to be a desirable target of a compromise attempt but any computer is attractive as a stepping stone or attack vehicle. Simple Windows 95 and Macintosh desktops have been involved in security incidents. Even with switched networks, a compromised computer may be used to sniff network traffic from neighboring computers. Thus, your security is dependant upon your neighbors' security and their security on yours.

In the days of standalone computers, reckless or unauthorized use of a computer affected just one computer. With a networked computer and its access to shared network resources and common communications lines, the same actions may affect many computers, accounts, services, or people. 

As long as we want to continue to have relatively open computing and communications choices, and preserve our privacy, services, and data, each one of us must do his or her part to help ensure the integrity of our network. 

• Do your part - RUNSAFE
• Encourage and help your peers to do their part - RUNSAFE

  -->more information on doing our part...