The majority of this week's coverage revolves around Microsoft. Not so odd, as the entire software industry does the same. Here's a compelling nugget from Mark Anderson, a technology analyst who claims a record of 100% accuracy in his Strategic News Service newsletter's predictions about industry trends.

The same argument that Sun makes for Java (write once, run
everywhere) can be made even more forcefully by Wintel: if
we own the everywhere, you only have to write it once. As
objectionable as it sounds, it is a world that MIS directors
technically crave, even as they financially fear it.

Microsoft security exploit #14 risks IE4 users' data

A hole in Dynamic HTML puts your files at risk; Microsoft has a fix available

The German computer magazine c't [1] commissioned a study of IE4 security features by Ralf Hueskes, an Internet consultant. He found that Microsoft's Dynamic HTML feature allows a Web page to steal any text, HTML, or image file from the computer of an IE4 user, as long as its name and path are known. Hueskes's description of the exploit is here [2]; and an early form of the upcoming c't article [3] is included on the TBTF archive by permission. Here is Hueskes's exploit page [4]. Microsoft has already issued a patch [5] for the problem. See the summary [6] of all MS security bugs and exploits reported in TBTF in 1997.

[1] http://www.heise.de/ct/
[2] http://www.jabadoo.de/press/ie4_us.html
[3] http://www.tbtf.com/resource/ct-exploit-14.html
[4] http://www.jabadoo.de/press/ie4demo.html
[5] http://www.microsoft.com/msdownload/ieplatform/ie4patch/ie4patch.htm
[6] http://www.tbtf.com/resource/ms-sec-exploits.html


IE4 causes an uproar among blind users

Promised Active Accessibility support, long a part of IE3, is missing from the new release

Internet Explorer 3 has been popular in the blindness community because it supports Microsoft's Active Accessibility technology, so it works with third-party text-to-speech screen readers. (I wonder what Active Accessibility will be called now that the Active Platform denomination has been discarded on the middenheap of software history [7].) Microsoft advised blind users not to download beta versions of IE4 because Active Accessibility had not yet been fully integrated, but it was promised for the final version of the new browser. The company ran into technical difficulties [8] and reneged on this promise. Activist blind users reacted with considerable anger [9] and threatened lawsuits on human-rights grounds. For insight into the point of view of this community of users, whose lives have decidedly not been enhanced by the advent of mouse-icon-windows software, peruse this archive of the Jaws for Windows mailing list [10].

[7] http://www.tbtf.com/archive/1997-09-29.html#s02
[8] http://www.microsoft.com/enable/products/ie4.htm
[9] http://www.reference.com/cgi-bin/pn/go.py?choice=message...
[10] http://www.reference.com/cgi-bin/pn/listarch?list=jfw@yoyo.cc.monash.edu.au


Why Microsoft couldn't ship the Java RMI

Remote method invocation strikes too close to COM+ for Redmond's liking

As a followup to the Sun Microsystems suit against Microsoft [11], and a reinforcement of the importance of COM+ to Microsoft's strategy [12], here is MSNBC [13] on the reason Microsoft didn't ship one of the omitted Java components, remote method invocation. In short, RMI plus Java add up to a credible competitor to COM+.

Note added 1997-10-20: Larry Allen writes to inform us that the Java RMI is indeed available from Microsoft's pages [13a], apparently as unsupported code. Allen says, "I'm not trying to defend Microsoft, but I have... no great love for Sun either, and I think Sun has been inaccurate in some of their statements."

Note added 1997-10-21: Simon Springall writes: "Microsoft had a contractual obligation to provide RMI, but did not publicise its location at all, and still have not done so. The location was published on the Usenet by somebody who found it by scanning the FTP site, late last week. Microsoft claimed it's on the 'web site'; but a search at http://www.microsoft.com will not find it."

In my view it's far from clear whether Microsoft was or was not obligated to ship RMI -- it turns on the question of whether RMI is part of "core" Java, and I expect Sun's and Microsoft's lawyers to argue opposite viewpoints, and vehemently.

See these two resources [13b], [13c] for technical details of what RMI is, what pieces of Java Microsoft omitted from IE4, and what was altered.

For those of you who saw the unconfirmed note on the Java Forum site [13d] -- the author now retracts his suspicions.

[11] http://www.tbtf.com/archive/1997-10-06.html#s01
[12] http://www.tbtf.com/archive/1997-09-29.html#s02
[13] http://www.msnbc.com/news/116052.asp
[13a] ftp://ftp.microsoft.com/developr/MSDN/UnSup-ed/rmi.zip
[13b] http://www.javaworld.com/jw-10-1997/jw-10-lawsuit.html
[13c] http://www.javaworld.com/jw-10-1997/jw-10-sdk.html
[13d] http://www.javalobby.org/scripts/forum.dll?13@^3727@.ee6c1a5

Comments sought on impact of crypto export limitations

Give the Bureau of Export Administration a piece of your mind

Want to give the Bureau of Export Administration the benefit of your thinking on crypto export controls? You have a rare opportunity to do so, as the Bureau has issued a call for comments [14] on how existing export controls have affected exporters and the general public. The invitation says that the Bureau is "reviewing the foreign policy-based export controls in the Export Administration Regulations to determine whether they should be modified, rescinded, or extended."

[14] http://jya.com/bxa100897.txt


ISPs agglomerating

Netcom is the latest to merge as the high end of the ISP market compresses some more

The ISP market is consolidating at the top, leaving small, local providers filling niche roles and mid-sized regionals feeling an increasing upward pull. The news last week was IGC's purchase of Netcom [15]. IGC is a so-called competitive local exchange carrier. This new hybrid beast offers local and long-distance services to, among other customers, the Baby Bells. In other telecomm merger news this year we've seen GTE acquire BBN Planet, Intermedia swallow Digex, and WorldCom ingest MFS Communications, which had in turn just purchased UUNet Technologies, one of the largest operators of local Internet access. The chances are good that either GTE or WorldCom will acquire MCI.

[15] http://www.news.com/News/Item/0%2C4%2C15154%2C00.html

Followup: Alta Vista indexes more (again)

Whatever the search engine was doing in August to limit the number of pages reported for small sites, it's not doing it now

TBTF for 1997-08-11 [16] noted that the Alta Vista service seemed to be further limiting the number of pages it indexed (or, at any rate, reported) for some Web sites, particularly smaller ones. I'm pleased to note that the ceiling has now lifted. The table shows the number of pages returned for "url:xxx.yyy" Alta Vista searches in August and at present. Thanks to Jamie McCarthy <jamie at voyager dot net> for the pointer.

Note added 1997-10-20: David Brake writes to alert us to this press release [16a] from Alta Vista outlining their storage upgrade and new spidering policies. AV now claims to index 100M pages online and to spider the Web at a rate up to 10M pages per day. Robert Lo Verso points out that a fairer test would be to use Alta Vista's host: search instead of url:, since the latter also picks up other pages that reference the site in question.

                 pp. indexed in:                      pp. indexed in:
site             08-97    10-97    site               08-97    10-97

fas.org             40    16035    privacy.org           79      238
epic.org            40      992    harvard.net          616      731
                    40      168    eff.org              911    28535
cdt.org             40      336    microsoft.com       1854   111904
                    40      452    w3.org              3905   185051
                    40      332    netscape.com        4517    66630
tbtf.com            40      519    geocities.com      14427   358912
internic.net        41    24601    stanford.edu       49274   837292

[16] http://www.tbtf.com/archive/1997-08-11.html#Tavs
[16a] http://altavista.digital.com/av/content/pr101497.htm


The Spam King sets the chutzpah meter to 11

Pssst... wanna buy 3 million names?

On 10/14 Cyber Promotions spammed its 2.9-million-strong mailing list with an offer to sell -- that very same mailing list. You can read the offer in all its oleaginous glory at [17]. Thanks to Karl Hakkarainen <kh at augment-systems dot com> for the timely forward (and to Captain Farris for the spelling lesson).

After being summarily ejected [18] by AGIS, his ISP of last resort, Cyber Promo's Sanford Wallace (who proudly calls himself the Spam King) won a court order forcing AGIS to restore his service for 2 weeks. The mandated resumption has come and gone and news reports now say [19], [20] that Sanford Wallace is electronically homeless. He claims to be servicing his customers (i.e., spamming the rest of us) as usual, however. How can this be? This article ([21], alternate at [22]), posted to news.admin.net-abuse.email, sheds light on the spam-meister's wicked, wicked way of duping innocent folks into serving as his proxy spammer-for-a-day.

[17] http://www.tbtf.com/resource/cyberpro-self-spam.html
[18] http://www.tbtf.com/archive/1997-09-22.html#s02
[19] http://www.news.com/News/Item/0%2C4%2C15374%2C00.html
[20] http://www.wired.com/news/news/business/story/7789.html
[21] http://www.flinet.com/~erwyn/spam/trowbridge.html
[22] http://www.circumtech.com/news/spammerforaday.html


No Java, no cookie: no service

As Microsoft disparages Java, its revamped customer support site comes online requiring it

Though Microsoft has by and large removed all traces of Java from its pages [23], it recently introduced a Java-enhanced online customer support site [24]. Not only do you need to visit with Java enabled -- considered an impolite requirement among broadminded webmasters -- but you are required to accept a cookie before you will be helped. You must sip the brew and bite the cookie. (This latter resounding phrase comes courtesy of Jargon Scout [25] Glenn Fleishman <glenn at popco dot com>.) Lest we forget how Microsoft truly feels about Java, Glenn D'Mello <Glenn.Dmello at bglobal dot com> forwards this firkin from the IE4 end-user license agreement. Remember, all of us who have downloaded and run IE4 have agreed to these sentiments.

support for programs written in Java. Java technology is not
fault tolerant and is not designed, manufactured, or intended
for use or resale as on-line control equipment in hazardous
environments requiring fail-safe performance, such as in the
operation of nuclear facilities, aircraft navigation or
communication systems, air traffic control, direct life support
machines, or weapons systems, in which the failure of Java
technology could lead directly to death, personal injury, or
severe physical or environmental damage.

Note added 1997-10-20: Larry Allen notes that Sun sports similar wording in its basic license agreement for Java [25a]. I have to disagree. The only related wording in Sun's license is this:

[This] software is not designed or intended for use in on-line
control of aircraft, air traffic, aircraft navigation or aircraft
communications; or in the design, construction, operation or
maintenance of any nuclear facility.

Note added 1997-10-22: Pekka Pihlajasaari writes to motivate the difference between Sun's license wording and that appropriate for a vendor producing end-user software: "The problem with the original Sun license is that it does not clearly describe the limitation as an overall limitation on mission or safety critical systems. They are, however, in a position to individually negotiate with each licensee about the intended application. The browser vendors do not have this assurance." Pihlajasaari points out the Netscape license [25b], an excerpt of which appears below.

HIGH RISK ACTIVITIES. The Software is not fault-tolerant and is
not designed, manufactured or intended for use or resale as
on-line control equipment in hazardous environments requiring
fail-safe performance, such as in the operation of nuclear
facilities, aircraft navigation or communication systems, air
traffic control, direct life support machines, or weapons
systems, in which the failure of the Software could lead
directly to death, personal injury, or severe physical or
environmental damage ("High Risk Activities"). Accordingly,
Licensor and its suppliers specifically disclaim any express or
implied warranty of fitness for High Risk Activities.

Bottom line: there is no story in Microsoft's Java license wording.

[23] http://www.tbtf.com/archive/1997-09-29.html#s03
[24] http://www.news.com/News/Item/0%2C4%2C15057%2C00.html
[25] http://www.tbtf.com/jargon-scout.html
[25a] http://java.sun.com/products/jdk/1.1/LICENSE
[25b] http://home.netscape.com/download/license_text.html


Lawn browser wars

A boy's a boy, two boys is half a boy, and three boys is no boy at all

In the middle of the night after Microsoft released IE 4.0, someone (presumably Microsoft employees) placed a large Internet Explorer logo on the front lawn of Netscape's headquarters. Though it was past midnight some Netscape employees were hard at work. They tipped the IE logo on its side, spray-painted "Netscape Now!" on the surface facing the road, and surmounted it with a 7-foot statue of Mozilla, Netscape's mascot. The story was posted to rec.humor.funny on 10/3 by John Stracke <francis at netscape dot com> and is mirrored at [26]. "Sure it's childish," a Netscapee was quoted as saying, "but they started it."

[26] http://people.netscape.com/francis/MozillaTriumphant.html


In a twist

One softwear market Microsoft doesn't dominate

Glen McCready <glen at substance dot abuse dot blackdown dot org> forwarded a report of yet another delicate tussle occupying the well-oiled legal machine in Redmond. It seems that the English grocery chain Asda is using the name "microsoft" for its brand of ladies' underthings made from polyamide elastane lycra. The story proves elusive on the Web; I could turn up only this single reference from Slate [27], which looks as if it may be ephemeral. The Financial Times site denies all knowledge.

From Computergram (1997-10-13):

Microsoft Corp's busy legal team took time off from working
out their defense to Sun Microsystems Inc's Java suit and got
their "knickers in a twist" over a range of women's underwear.
Red-faced Microsoft executives were outraged when they
discovered that UK supermarket group Asda was calling a range of
bras, panties, and thongs "microsoft." The software giant
demanded that Asda remove the name from its own range of
"softwear" because the public might get "confused." Asda chose
microsoft, according to the Financial Times, because the
fabric name polyamide elastane lycra, was a bit of a mouthful for
its customers. Now Asda is refusing to drop its microsoft
knickers -- though it has promised only to use the microsoft
name in connection with women's underwear.

[27] http://www.slate.com/Code/chatterbox/chatterbox.asp


Welcome to some 250 new subscribers. Early in July PC World named TBTF one of the five best email newsletters in the category of Computer Industry News. Hey thanks. Last week the publication's Tipworld mailing list [28] carried this months-old news to its presumably substantial readership; the TBTF subscriber base grew by 5% overnight.

[28] http://www.pcworld.com/cgi-bin/news?ID=971015172322


