
TBTF for 1996-03-24: There's no there there

Keith Dawson (dawson@atria.com)
Mon, 25 Mar 1996 03:10:31 -0500



Netscape Navigator 2.01 released -- lets users disable JavaScript

TBTF for 1996-02-27 [1]
TBTF for 1996-03-10 [2]
TBTF for 1996-03-17 [3]

The new version of Netscape's browser is available for download from the company's FTP sites [4]. Netscape claims that this version fixes the more serious security and privacy problems [1] found in Netscape's JavaScript extensions to HTML. The chronicler of these bugs and the inventor of techniques that demonstrate many of them, John Robert LoVerso <loverso at osf dot org>, begs to differ [5]. He has modified the "tracker" [5] and "directory browser" [6] demonstrations so that they still do bad things under 2.01; and he claims to have invented a way [6] to read from an arbitrary file on your local disk. The one ironclad way to avoid these and other (undiscovered) weaknesses in JavaScript is to disable JavaScript, and an option in version 2.01 lets you do so.

Note added 1996-03-26: Version 2.01 also fixes the serious bug in Java (not JavaScript) reported by Drew Dean <ddean at princton dot edu>. However, Bill Marrs <bill@atria dot com> reports:
Just a comment from a user - the new Java security stuff seems to cause most if not all existing Java on the net to get a security violation (and then it doesn't run). So, it seems as though turning off Java and/or upgrading to 2.01 has the same effect - No Java.

Version 2.01 comes in the form of patches for Windows and Mac machines and full executables for all platforms. I was unable to apply the Macintosh patch to my 2.0 executable, even after a clean install.

Note added 1996-03-26: In the email version of this issue I directed people to a CGI URL in LoVerso's pages. LoVerso wrote the following note, the import of which I have incorporated into this archive:
Boy, you picked up on that one quickly!

BTW, my "invoke" CGI, as in:

   http://freebsd.osf.org:8000/cgi-bin/user/loverso/invoke?SOMENAME

basically redirects the user to my top level JavaScript page, http://www.osf.org/~loverso/javascript/index.html, unless they were coming from a valid start page. I added it so that people couldn't do what you did, which was direct people at an exploit without reading the accompanying description!
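LoVerso's description of his "invoke" CGI amounts to a Referer-gated redirect: a deep link with no (or a foreign) Referer is bounced to the index page, while a request arriving from one of his own pages goes on to the demo. What follows is an added example of that pattern in Python, not LoVerso's CGI (which is not reproduced here); the directory layout, the rule that a "valid start page" is anything under that directory, the page-naming scheme and the function names are assumptions.

```python
"""Referer-gated redirect of the kind LoVerso describes for his "invoke" CGI.

Added example, not LoVerso's code. Assumptions: demo pages live under
DEMO_DIR on DEMO_HOST as <name>.html, and a "valid start page" is any page
under that directory. Works as a CGI script (reads os.environ) or imported.
"""
import os
import posixpath
import re
from typing import Mapping, Optional
from urllib.parse import urlsplit

INDEX_URL = "http://www.osf.org/~loverso/javascript/index.html"
DEMO_HOST = "www.osf.org"
DEMO_DIR = "/~loverso/javascript/"            # assumed layout of the demo pages
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")  # assumed shape of SOMENAME


def came_from_start_page(referer: Optional[str]) -> bool:
    """True only if the Referer points at a page under DEMO_DIR on DEMO_HOST.

    The path is normalised before the prefix test, so a Referer such as
    http://www.osf.org/~loverso/javascript/../../x does not pass, and the
    host is compared exactly, so www.osf.org.example.net does not pass.
    Note that the header itself is supplied by the client: a forged Referer
    naming a real start page passes just like a genuine one.
    """
    if not referer:
        return False
    parts = urlsplit(referer)
    if parts.scheme != "http" or parts.hostname != DEMO_HOST:
        return False
    path = posixpath.normpath(parts.path)
    return path == DEMO_DIR.rstrip("/") or path.startswith(DEMO_DIR)


def invoke(query: str, referer: Optional[str]) -> str:
    """Return the URL the CGI should send in its Location: header."""
    name = query.strip()
    # Only a plain demo name is accepted: no "/", "..", "?" or the like,
    # so the query string cannot steer the redirect outside DEMO_DIR.
    if not NAME_RE.fullmatch(name):
        return INDEX_URL
    if not came_from_start_page(referer):
        # Deep link from elsewhere: send the reader to the description first.
        return INDEX_URL
    return f"http://{DEMO_HOST}{DEMO_DIR}{name}.html"


def cgi_response(environ: Mapping[str, str]) -> str:
    """Build the CGI output: a 302 to whatever invoke() decides."""
    location = invoke(environ.get("QUERY_STRING", ""),
                      environ.get("HTTP_REFERER"))
    return f"Status: 302 Found\r\nLocation: {location}\r\n\r\n"


if __name__ == "__main__":
    import sys
    sys.stdout.write(cgi_response(os.environ))
```

Invoked as `invoke?SOMENAME` with no Referer, or with one from another site, the script answers with a 302 to the index page; with a Referer under the demo directory it redirects to the named demo. The caveat is the one that matters whenever a Referer check is used this way: a client that never visited the start page can send the same header by hand and be let through, so the gate keeps readers from skipping the description, but it is not an access control.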

[1] <http://www.tbtf.com/archive/1996-02-27.html>
[2] <http://www.tbtf.com/archive/1996-03-10.html>
[3] <http://www.tbtf.com/archive/1996-03-17.html>
[4] <ftp://ftpX.netscape.com/2.01/>, for X = 1 to 12
[5] <http://www.osf.org/~loverso/javascript/index.html>
[6] not being made public at this time

___

Top Web sites of the week

This site [7] purports to list the top 100 sites on the Web, ranked by number of hits, for the previous week. It is just getting up and running; after posting the first two weeks' numbers in January the page seemed to take a 7-week hiatus. The current page, dated March 10, also lists the top categories of queries to Web search engines:

1. sex (16%), 2. magazines, 3. college, 4. world-wide-web, 5. locality, 6. travel, 7. showbiz, 8. model/celebrity, 9. Internet-user, 10. sports.

The data make for engrossing reading, but there is no way to judge their validity. I looked in vain for any mention of methodology, statistical assumptions, etc.: which search engines were polled, and how? Are the top-100 rankings based on the sites' claimed hits or on some more objective measure?

Note added 1996-07-05: The site has remedied this early shortcoming. Here is an explanation of their methodology quoted from [7]:
Methodology: 3 search engines provide data on the common search terms that users enter, and popular categories are derived from this. The magic ingredient that sets this directory apart from the others is the use of web traffic: the 100hot websites are ranked by hits aggregated from a variety of sources including surveys, logs and traffic samples. Rankings are updated weekly, our data is good but not perfect -- please send us your own audited figures where necessary. We do not warrant it for accuracies or omissions.

[7] <http://www.web21.com/services/hot100/index.html>

___

Netscape to build in telephony

I haven't seen any coverage stateside of this news item, culled from an Australian newspaper and forwarded by Peter Langston <psl at wolfenet dot com>. Netscape's intention should throw a log onto the fire of the lawsuit filed by long-distance suppliers against cheap Internet telephony -- see "Hanging up the I-Phone" in TBTF for 1996-03-10 [2].

>> COOLUM, AUSTRALIA, 1996 MAR 13 (NB) -- Netscape Communications within six months will build voice software for making low-cost long distance calls via the Internet into its Navigator program, the company's co-founder and vice president of technology, Marc Andreessen, said at a technical forum in Australia.
>
> Andreessen told The Sydney Morning Herald newspaper that telephone companies could no longer justify the way they charge for voice telephony, especially over long distance.
>
> "We're going to build the voice telephony stuff into our Navigator (software). We can get it out to 25 or 30 million desktops in the next six months. That's a big enough critical mass for it to take off," he said, according to the newspaper. He predicted phone companies would find much of their equipment "rapidly becoming useless."
>
> Forwarded-by: Keith Bostic <bostic at bsdi dot com>
> Forwarded-by: "Gregory S. Halbrook" <gsh at iti dot org>
> Forwarded-by: Dave Farber <farber at central dot cis dot upenn dot edu>

[2] <http://www.tbtf.com/archive/1996-03-10.html>

___

There's no there there

When Gertrude Stein made this famous quip she was referring to Oakland, CA. The U.S. Customs Service recently decided that it applies to the Internet as well. The following story came my way on a private mailing list from Andrew C Bulhak <acb at cs dot monash dot edu dot au>, who found it in the Fringewear Digest attributed to the newsletter of the Electronic Frontier Foundation, EFFector. The moral Bulhak derives from the story: "Avoid sending atoms whenever you can."

>> US Customs Decides Internet is Not a Place - Fines Those Who Claim Otherwise

> A "virtual" software corporation, ACD, with software engineers in both California and Hungary, but no real physical business infrastructure, was recently slapped with an $85 fine by US Customs.
>
> ACD's product, EPublisher for the Web, was developed over the Internet with no physical meetings or other contact between the developers. When Hungarian developers sent versions of the software on diskette to their US counterparts, the shipment was stopped by Customs at LAX (the major Los Angeles airport) for "mark violation". The Hungarians had marked "Country of Origin" on the forms as "Internet", as the product was not decidably made in Hungary or the US, and the owners of the intellectual property rights to the product are in no single physical location. ACD's Laslo Chaki says, "We had to pay an $85 fine for mark violation. Virtual company, in virtual city with $85 real fine!"
>
> Though the intent of the "Country" section on customs forms is to ascertain where a particular package was shipped from, and the listing of the country of origin as "Internet" is somewhat silly in this context, the lack of any sense of humor on the part of Customs is not particularly encouraging. You might want to be careful with those RSA t-shirts [8] -- Customs just might handle them as munitions after all, and regard you as an unlicensed international arms dealer, at this rate.

[8] <http://www.tbtf.com/archive/1995-06-07.html>


>>Notes:

This issue of TBTF is a short one, as I'm operating from my Powerbook out of a hotel room. That's why no digital signature this week; I don't keep a copy of PGP with my private key on my travelling machine. I'm in San Francisco for the Software Development '96 trade show at the Moscone Center 3/26 - 3/28, running concurrently with Web Design and Development. If you're at either show stop by the Atria Software booth, #708, and say hello.

Over the next several weeks I'll be moving the TBTF archive off of the Atria site that has hosted it since TBTF winked-in to the world late in July 1995. I want to thank Atria for its generous policy of hosting the personal Web pages of employees. The traffic to the TBTF archive has been building steadily to the point where in my role as Atria webmaster I've begun to filter out TBTF hits to avoid skewing the company's statistics. Before making the final move I'll send a heads-up to the list, but you might want to revise any bookmarks you keep that point into the archive. For a few months any visitors to the old Atria site will receive a notice of the new URL: <http://www.tbtf.com/tbtf/>.


TBTF alerts you weekly to bellwethers in computer and communications tech-
nology, with special attention to commerce on the Internet. See the archive
at <http://www.tbtf.com/>. To subscribe send the message
"subscribe" to tbtf-request@world.std.com. Commercial use prohibited. For
non-commercial purposes please forward and post as you see fit.
______________________________________________________
Keith Dawson dawson dot tbtf at gmail dot com dawson@atria.com
Layer of ash separates morning and evening milk.