(A Javascript-enabled browser is required to email me.)

TBTF for 1995-11-19: Win95's barn door; death of a gateway; costs of Web presence

Keith Dawson (dawson dot tbtf at gmail dot com)
Sun, 19 Nov 1995 22:39:51 -0500



Another Windows 95 security hole

Windows 95 opens the barn door wide to intruders. Win95 machines connected
full-time to the internet from inside corporations without firewalls are
the most vulnerable. A feature called Sharing Resources, intended for file
and printer sharing, combined with a lack of security auditing, leaves a
networked Win95 machine open to continual attack over the Internet. A suc-
cessful attacker maps the victim's hard drive as a network drive and then
has access to all files on the disk.

Drives can be password-protected, but this offers little real security.
Hackers, even unsophisticated ones, have access to subtle password-gues-
sing programs. And Computerworld recently reported on a survey of almost
200 computer sites that found that 85% of users are not required to change
passwords frequently, 23% have passwords that can be guessed easily, and
21% of systems require no passwords at all.

Because Windows 95 has no capability for auditing disk access, an intruder
could try different passwords day and night for weeks without detection.

I have not yet seen a description of this vulnerability in the online or print
press. A description of the problem, apparently originating on the cyberpunk
fringe in Hong Kong and sent from an anonymous remailer, came across one of
the mailing lists I read. While researching the problem I found these useful
pointers: the FAQ of the Windows 95 Net Bugs newsgroup is at
<http://www-leland.stanford.edu/~llurch/win95netbugs/faq.html>, and a descrip-
tion of a different IP security problem common to Win95 and WfW 3.11 -- open-
ing up these systems to similar unintended full-disk access -- is at
<http://www-leland.stanford.edu/~llurch/win95netbugs/IP-Security-Bug.txt.asc>.


>>From Netsurfer Digest (1995-10-19):

> OF GIFTS AND FLAMES: PUBLIC NEWS GATEWAY FOLDS AFTER A DECADE

> The public mail to news gateway at cs.utexas.edu has been quietly and
> happily serving the Net community for a decade, run as a labor of love
> by the sysadmin. It was reliable, free to everyone, and had many users,
> even fans. But now the gateway is no more. That in itself may not be
> big news but the tale of how it all came about is a modern morality
> play cutting to the very bone of the Internet gift economy. The ele-
> ments involve many problems from malicious or ignorant America Online
> users, a service cutoff to the aol.com domain, and a spectacular flame
> from a disgruntled AOLer which broke the camel's back -- despite a be-
> lated apology.

The discussion of the demise of Fletcher Mattox's UT gateway has died down
on news.admin.misc and most of you, if you missed this thread, will find
it expired on your newsservers. I've gotten permission to post on the TBTF
archive Gene Crick's <gcrick at tpoint dot net> cogent summary of this sad tale
of bad money driving out the good.


Costs of Web presence

Online Business Today, reporting from Comdex in Las Vegas, leads with the
alarmist headline "WWW SHAKEOUT AS SITES GO BROKE." (Yeah, and they leave
the caps-lock key down, too.) This turns out to be the assertion by one
participant in a panel session that "more WWW sites are now going bust
than new sites are coming online." No evidence is given to support this
claim, but it leads to a useful discussion of the cost of web pages.

>>From Online Business Today (1995-11-20, sic):

> The panel felt a "large" site could cost $6 million over two years, a
> medium site $2 million over two years and $500,000 for a small site.
> These numbers include many costs for site and product promotion and
> content upkeep which were uncommon as recently as a few months ago.
>
> OBT spoke with many vendors on the convention floor and found numerous
> attractive alternatives to the high costs expressed by the panel. One
> company, for example, provided complete Web site creation software,
> secure transaction capabilities built in, semi-automated order taking,
> 10 Mbytes of WWW storage and one full year of WWW exposure at their
> site for $1,795.

For a look closer to the ground, here are the results of a survey that Al
Hogan <alh at ok dot bc dot ca> conducted in the last week via Net mailing lists
-- the survey's results are stored on the TBTF archive by permission). Al asked
for pricing guidelines for designing and then hosting a small-scale commercial
site. He got dozens of responses, some quite elaborate -- from individuals, HTML
consultants, and providers of web presence -- of which he posted 33 (citing
26 URLs) with details on what the going rates are to set up and host a web
site. Some of the writers believe the prices reflect local conditions, but
the summary points to wide variations everywhere. Concensus figures:

* Web-page designers get $40 to $100 per hour, but figures as high as $150
and as low as minimum wage were quoted. Some web designers charge on a
per-page basis, with complex items like CGI programming and forms design
billed separately.

* For maintaining existing pages, $60 to $80 per hour is common.

* Web-site hosting ranges from $40 to $100 per month for a small commercial
site. Hosting charges usually depend on storage required, bandwidth (MB
per month), and sometimes complexity.

Taking figures from the middle of these ranges, we could launch a putative
5-page site with some graphics and hyperlinks for perhaps $2000, and host
and maintain it (assuming minimal changes every other week) for $3000 per
year.


Second thoughts from Internet World

With a little distance, what sticks in the mind from this Boston confer-
ence are two products, one that costs money and one that doesn't.

First, Vermeer Technologies <http://www.vermeer.com/>, a startup based in
Cambridge, MA, introduced FrontPage. This web authoring environment com-
bines capabilities of Adobe (Ceneca) PageMill and SiteMill (which is not
yet shipping), and goes considerably beyond. Not only is FrontPage a WYSI-
WYG web-page editor and graphical site editor, but it also adds new capa-
bilities to the common web servers. FrontPage customers can enhance their
pages with an interactive bulletin board or forms specified without CGI
programming. At Comdex AT&T announced that it has selected FrontPage as
part of its Easy World Wide Web Services package (press release at
<http://www.att.com/press/1195/951113.bsb.html>).

Second, Architext Software <http://www.atext.com/> of Mountain View, CA
began giving away their innovative indexing and search engine, called
Excite for Web Servers. The company makes money from advertising on its
Internet index service at <http://www.excite.com/>. (This search site
belongs on everyone's hotlist alongside Lycos, Infoseek, Webcrawler, and
Yahoo.) Excite is outstanding at returning gold from a fuzzily described
search. It claims to index by "concept," not just by words, and its in-
dexes are a small fraction the size of those produced by other full-text
search engines. And Excite indexes with remarkable rapidity -- we're test-
ing the engine at Atria and saw times under 10 minutes to index 50 MB of
web pages. One of Excite's friendliest features is a sort of query-by-ex-
ample: for any returned URL you can request "more like this one." Webmas-
ters can download the Excite engine from <http://www.excite.com/navigate/>.


>>Sources:

>>NetSurfer Digest -- mail nsdigest-request@netsurf.com without subject
> and with message: subscribe nsdigest-html /or/ subscribe nsdigest-text

>>Online Business Today -- (ascii version) mail obt.text@hpp.com; PDF
> version: email obt.pdf@hpp.com .


TBTF alerts you twice a week to bellwethers in computer and communications
technology, with special attention to commerce on the Internet. See the
archive at <http://www.tbtf.com/>. To subscribe send the
message "subscribe" to tbtf-request@world.std.com.
______________________________________________________
Keith Dawson dawson dot tbtf at gmail dot com dawson@atria.com
Layer of ash separates morning and evening milk.