Unless you've been living in an underground bunker on Nantucket , you know that America Online plans to acquire Netscape for around $4 billion, in a deal that also involves Sun Microsystems. I won't attempt any grand pronouncements on What it All Means -- seemingly everyone with a modem has already done so . Here are 44 articles and analyses published in the three days after the deal was confirmed on 24 November, and the pace has barely slowed since.
thread("cda") ?> Judge blocks CDA-II
After an all-day hearing on 18 November, U.S. District Judge Lowell A. Reed, Jr. enjoined the Justice Department from enforcing or prosecuting any conduct under the law dubbed CDA-II by its critics . The injunction will last for at least ten days until the issues in the lawsuit can be further litigated. Over the objections of the government, Judge Reed extended the order to cover anyone posting material on the Web, not just the named plaintiffs. The order also precludes retroactive enforcement of the law: if CDA-II is eventually upheld, no-one can be prosecuted for material posted while the restraining order is in efect. While he stressed that the ruling is not a "final order on the merits," the judge's finding expressly states that the plaintiffs apear likely to prevail in their constitutional challenge.
thread("gum") ?> Microsoft ordered to purify Java
U.S. District Judge Ronald Whyte granted Sun's request for a preliminary injunction and gave Microsoft 90 days to alter its Java technology in shipping software -- including Windows 98 and Internet Explorer -- that does not pass Sun's compatibility tests, or stop selling that software . The order also requires Microsoft to adjust its Java development tools so that Sun-standard Java is the default setting. Here is the text of the ruling  (84K). Sun didn't get everything it wanted -- Microsoft does not have to stop selling "polluted Java" products immediately, nor to retrofit Windows-only Java software that has already been sold. Developers were jubilant , .
Judge Whyte found that Sun is likely to prevail on the merits. The trial itself has not been scheduled.
Microsoft mulled appealing the ruling for a few days and then announced that they will comply for Windows products and will strip Java from all their Unix and Macintosh products.
Java Lobby founder pleads for more openness
All is not sweetness and light in Java-land. Java's inventor Sun Microsystems has been under increasing pressure from partner companies to cede some of its control over the standard's development. Rick Ross added to the pressure on 17 November at Comdex  when he called for the formation of a three-part Java oversight committee made up of Sun, other Java companies, and not-for-profit institutions.
Obligatory sub-head about the mouse that roared
If you're within 500 miles of Stanford on 9 December, make plans now to go to the symposium Engelbart's Unfinished Revolution . The man who invented the mouse, and much else that we now take for granted in personal computing, will speak on the 30th anniversary of his demonstration at the 1968 Fall Joint Computer Conference. It was the killer demo of all time. (I saw it three years later on grainy 16mm film and it reoriented my career.) Joining Engelbart on stage in this one-day event will be a who's-who of computing visionaries including Marc Andreesen, Stewart Brand, Eric Drexler, Alan Kay, Ted Nelson, Andy van Dam, and Terry Winograd, among many others.
For a detailed discussion of some of Engelbart's ideas that have not been realized after more than 30 years, see this article [9a] from a recent edition of Adam Engst's TidBITS.
Requires malicious intent and VBScript
Virus fighters for years have dismissed as an urban legend the notion that a computer virus could spread by the simple act of reading email. Now an anti-virus company claims to have isolated precisely such a virus  and to have seen 17 variants of it in the wild. In fact the virus in question relies on VBScript and on the tendency of modern email readers to render HTML content. It cannot spread by the actions of innocent users alone, but requires a malicious Web site. Trend Micro claims to have seen 17 variants of the virus, which relies on Microsoft's VScript. At risk are users of Windows 98 and recent versions of Internet Explorer and Outlook 98, which depend on Microsoft's Windows Scripting Host facility. Microsoft calls the claims alarmist, and correctly points out that to become infected a user would not only have to lower the default security settings, but also to acknowledge assent to a dialog that warns about executing downloaded content.
All it takes is one MUA [mail user agent -- Ed.] author who stupidly chose to use gets instead of fgets, or similar, while reading the body of the message into memory. If you study the nature of buffer overflows for about a half hour (given a solid understanding of C and assembler), it becomes really obvious that this is true.
I don't understand why so many people are so confused about this. What's so different about an e-mail message and a username passed to imapd? Neither is intended to allow attacks, but in theory, both are attackable.
Note that a pure e-mail virus is very unlikely to be able to infect more than one MUA. Odds are quite high it would have to be targeted at Outlook alone, or Netscape mail alone, or Eudora mail alone -- perhaps even a single release of one of these products, or another similar MUA product.
Executable content makes it more likely, but the fact is, it's possible even without executable content.
Sometime, as a test, when someone tells you a pure e-mail virus isn't possible, ask them if they understand how buffer overflows work. Odds are, the majority won't be able to tell you. Then go and ask people who do believe a pure e-mail virus is possible, and ask these same people to describe how buffer overflows work. I'm pretty sure you'll find that many more of these people understand what's happening behind the scenes to make such an attack possible.
In a number of cases servers will only pass the first 7 bits of a byte, making shellcode harder to write. I bet a lot of them choke on nulls too, so it's probably 1..127 that'd be allowed with many servers. Still, the possibility exists.
The most direct route to the pure bits
Earlier this year I suggested that Whatis.com work up a definition for infosurfing, and that ever-useful resource defined the term this way :
The dedicated infosurfer also knows that many news sites offer a "printer-friendly version" of each of their stories at an alternate URL. The PFV is lighter in site graphics and advertising banners. It tends to run wider than the news story at the official (advertised) URL, which is sometimes squeezed into a narrow column surrounded by graphics-heavy advertising, site branding, and navigational apparatus. Some news sites, for example Wired News, often split a story across several URLs in order to push even more ads at the viewer, while the PFV displays the entire story at a single URL.
For each news site that offers such a friendly service, you can determine the URL of the PFV algorithmically from its advertised URL. Here are the rules, with examples, for five popular news destinations.
I've added these rules to the TBTF Sources page  and will update them as I learn more PFV tricks. TBTF has used PFV links for some time now for news.com and Industry Standard stories (what, you didn't notice?), and starting with this issue will do so for stories from all five news sources listed above.
Dan O'Neill <dano at cadence dot com> sent me this holiday shopping guide  for the geek on your list. He promises to pass along more cool electronic toys as he encounters them, so set up a Javelink watch on . O'Neill adds that he looked up the domain names toysforgeeks.com and toys4geeks.com, hoping for sites full of reviews and purchasing pointers for tech gadgets. The names are owned by a venture capital firm  but there are no sites behind them yet.
Mick Fox <mickf at aldiscon dot ie> pointed out the Gifts for Geeks site . It carries a single item: an international country-identifier sticker for your car (like the GB or IRL stickers you sometime see) that reads URL.
Chuck Bury <cbury at softhome dot net> likes the small selection of compelling folding objects offered by Hoberman , who has been called the Buckminster Fuller of the 90s.
John Pittman <john dot pittman at indsys dot ge dot com> writes that he has a Lego Mindstorms box  in a closet supposedly intended for his son. (Uh-huh.) And he has been putting together, Lego-style, an ultimate toy set for using the Global Positioning System:
Pittman is begging Santa for Delorme's TopoUSA  -- it talks to a 12XL directly.
The December issue of Wired features an expanded Technolust section listing 101 cool gadgets, instead of the 8 to 10 they ordinarily profile. Unfortunately for the truly wired among us the magazine does not post the current edition until the next one hits the newsstands. Perhaps it will appear online in time for next-day holiday delivery.
It's a small Web after all
You've heard the theory that everyone is connected through a web of acquaintances to everyone else on earth by at most six hops. This Web site  aims to put the theory to the test. It's preposterously addictive, surfing from your own circle of friends outward in successive waves. (And the site misses no opportunity to push advertising under your nose as you click addictively.) A few of you know I've joined Six Degrees because I tagged you as business acquaintances. With 11 declared first-degree contacts, my sixth degree reaches to nearly 255,000. I invite you to explore the site; if you have ever sent me email directly, feel free to claim me as an acquaintance and we'll see how wide the ripples spread.
On 2 December I began a real-life experiment in Net-aided human connections on the TBTF site's Tasty Bit of the Day feature. A month ago while on vacation I had found a roll of exposed film on a rustic bench in the open air. No one was around. This was at the landward end of Uncle Tim's Bridge, Wellfleet harbor, Cape Cod, Massachusetts, USA . I decided to have the film developed and see if I could locate its rightful owners. I posted a picture of them on what looks like a family vacation in Washington, D.C. and asked visitors to identify the people if they could. By 5 December 146 people had looked at the picture; then Jay Lepreau <lepreau at cs dot utah dot edu> wrote:
What is particularly ironic is that I didn't even click on the picture when I saw your story; instead I went to my wife and said, "This is a great idea someone thought of, and a good one for us to try" -- because last summer we had found a similar roll of film at 8200 feet in the Sawtooth mountains in Idaho. [We were] hoping to see ID, which just missed -- a shot of the front of a car instead of the rear -- but hadn't thought to put it on the Net. Then I came back to the machine and clicked on  and was shocked. Perhaps you might reciprocate with a pointer to the pictures when I put them up? Your site gets exposure mine doesn't.
Finally, thanks for TBTF. Your page is one place I check periodically although not religiously.
TBTF home and archive at http://tbtf.com/ . To subscribe send the the message "subscribe" to firstname.lastname@example.org. TBTF is Copy- right 1994-1998 by Keith Dawson, <dawson dot tbtf at gmail dot com>. Commercial use prohibited. For non-commercial purposes please forward, post, and link as you see fit. _______________________________________________ Keith Dawson dawson dot tbtf at gmail dot com Layer of ash separates morning and evening milk.
include ("../inc/foot-ar") ?>