TBTF for 10/20/97: In a twist

Mon, 20 Oct 1997 00:15:54 -0500



T a s t y   B i t s   f r o m   t h e   T e c h n o l o g y   F r o n t

Timely news of the bellwethers in computer and communications
technology that will affect electronic commerce -- since 1994

Your Host: Keith Dawson

This issue: < http://www.tbtf.com/archive/10-20-97.html >

C o n t e n t s

Microsoft security exploit #14 risks IE4 users' data
IE4 causes an uproar among blind users
Why Microsoft couldn't ship the Java RMI
Comments sought on impact of crypto export limitations
ISPs agglomerating
Followup: Alta Vista indexes more (again)
The Spam King sets the chutzpah meter to 11
No Java, no cookie: no service
Lawn browser wars
In a twist

The majority of this week's coverage revolves around Microsoft. Not
so odd, as the entire software industry does the same. Here's a com-
pelling nugget from Mark Anderson, a technology analyst who claims
a record of 100% accuracy in his Strategic News Service newsletter's
predictions about industry trends.

> The same argument that Sun makes for Java (write once, run
> everywhere) can be made even more forcefully by Wintel: if
> we own the everywhere, you only have to write it once. As
> objectionable as it sounds, it is a world that MIS directors
> technically crave, even as they financially fear it.

..Microsoft security exploit #14 risks IE4 users' data

A hole in Dynamic HTML puts your files at risk; Microsoft has a fix

The German computer magazine c't [1] commissioned a study of IE4
security features by Ralf Hueskes, an Internet consultant. He
found that Microsoft's Dynamic HTML feature allows a Web page to
steal any text, HTML, or image file from the computer of an IE4
user, as long as its name and path are known. Hueskes's descrip-
tion of the exploit is here [2]; and an early form of the upcoming
c't article [3] is included on the TBTF archive by permission.
Here is Hueskes's exploit page [4]. Microsoft has already issued
a patch [5] for the problem. See the summary [6] of all MS secur-
ity bugs and exploits reported in TBTF in 1997.

[1] http://www.heise.de/ct/
[2] http://www.jabadoo.de/press/ie4_us.html
[3] http://www.tbtf.com/resource/ct-exploit-14.html
[4] http://www.jabadoo.de/press/ie4demo.html
[5] http://www.microsoft.com/msdownload/ieplatform/ie4patch/ie4patch.ht=
[6] http://www.tbtf.com/resource/ms-sec-exploits.html

..IE4 causes an uproar among blind users

Promised Active Accessibility support, long a part of IE3, is missing
from the new release

Internet Explorer 3 has been popular in the blindness community
because it supports Microsoft's Active Accessibility technology,
so it works with third-party text-to-speech screen readers. (I
wonder what Active Accessibility will be called now that the Active
Platform denomination has been discarded on the middenheap of soft-
ware history [7].) Microsoft advised blind users not to download
beta versions of IE4 because Active Accessibility had not yet been
fully integrated, but it was promised for the final version of the
new browser. The company ran into technical difficulties [8] and
reneged on this promise. Activist blind users reacted with consid-
erable anger [9] and threatened lawsuits on human-rights grounds.
For insight into the point of view of this community of users, whose
lives have decidedly not been enhanced by the advent of mouse-icon-
windows software, peruse this archive of the Jaws for Windows mail-
ing list [10].

[7] http://www.tbtf.com/archive/09-29-97.html#s02
[8] http://www.microsoft.com/enable/products/ie4.htm
[9] http://www.reference.com/cgi-bin/pn/go.py?choice=message&table=
[10] http://www.reference.com/cgi-bin/pn/listarch?list=jfw@yoyo.cc.mon

..Why Microsoft couldn't ship the Java RMI

Remote method invocation strikes too close to COM+ for Redmond's

As a followup to the Sun Microsystems suit against Microsoft [11],
and a reinforcement of the importance of COM+ to Microsoft's
strategy [12], here is MSNBC [13] on the reason Microsoft didn't
ship one of the omitted Java components, remote method invocation.
In short, RMI plus Java add up to a credible competitor to COM+.

[11] http://www.tbtf.com/archive/10-06-97.html#s01
[12] http://www.tbtf.com/archive/09-29-97.html#s02
[13] http://www.msnbc.com/news/116052.asp

..Comments sought on impact of crypto export limitations

Give the Bureau of Export Administration a piece of your mind

Want to give the Bureau of Export Administration the benefit of your
thinking on crypto export controls? You have a rare opportunity to
do so, as the Bureau has issued a call for comments [14] on how ex-
isting export controls have affected exporters and the general pub-
lic. The invitation says that the Bureau is "reviewing the foreign
policy-based export controls in the Export Administration Regula-
tions to determine whether they should be modified, rescinded, or

[14] http://jya.com/bxa100897.txt

..ISPs agglomerating

Netcom is the latest to merge as the high end of the ISP market
compresses some more

The ISP market is consolidating at the top, leaving small, local
providers filling niche roles and mid-sized regionals feeling an
increasing upward pull. The news last week was IGC's purchase of
Netcom [15]. IGC is a so-called competitive local exchange carrier.
This new hybrid beast offers local and long-distance services to,
among other customers, the Baby Bells. In other telecomm merger
news this year we've seen GTE acquire BBN Planet, Intermedia swal-
low Digex, and WorldCom ingest MFS Communications, which had in
turn just purchased UUNet Technologies, one of the largest op-
erators of local Internet access. The chances are good that either
GTE or WorldCom will acquire MCI.

[15] http://www.news.com/News/Item/0%2C4%2C15154%2C00.html

..Followup: Alta Vista indexes more (again)

Whatever the search engine was doing in August to limit the number
of pages reported for small sites, it's not doing it now

TBTF for 8/11/97 [16] noted that the Alta Vista service seemed to be
further limiting the number of pages it indexed (or, at any rate, re-
ported) for some Web sites, particularly smaller ones. I'm pleased
to note that the ceiling has now lifted. The table shows the number
of pages returned for "url:xxx.yyy" Alta Vista searches in August
and at present. Thanks to Jamie McCarthy <jamie@voyager.net> for the

site               8/97     10/97
--------------   ------   -------
fas.org              40     16035
epic.org             40       992
vtw.org              40       168
cdt.org              40       336
patents.com          40       452
polymer.com          40        74
polymers.com         40       332
pureatria.com        40       706
tbtf.com             40       519
internic.net         41     24601

privacy.org         ~79       238
harvard.net        ~616       731
eff.org            ~911     28535
microsoft.com     ~1854    111904
w3.org            ~3905    185051
netscape.com      ~4517     66630
sun.com           ~4831    109931
geocities.com    ~14427    358912
yahoo.com        ~32582   2671157
stanford.edu     ~49274    837292
aol.com          ~78651    381923

[16] http://www.tbtf.com/archive/08-11-97.html#Tavs

..The Spam King sets the chutzpah meter to 11

Pssst... wanna buy 3 million names?

On 10/14 Cyber Promotions spammed its 2.9-million-strong mailing
list with an offer to sell -- that very same mailing list. You
can read the offer in all its oleaginous glory at [17]. Thanks to
Karl Hakkarainen <kh@augment-systems.com> for the timely forward.

After being summarily ejected [18] by AGIS, his ISP of last resort,
Cyber Promo's Sanford Wallace (who proudly calls himself the Spam
King) won a court order forcing AGIS to restore his service for 2
weeks. The mandated resumption has come and gone and news reports
now say [19], [20] that Sanford Wallace is electronically homeless.
He claims to be servicing his customers (i.e., spamming the rest
of us) as usual, however. How can this be? This article ([21], al-
ternate at [22]), posted to news.admin.net-abuse.email, sheds light
on the spam-meister's wicked, wicked way of duping innocent folks
into serving as his proxy spammer-for-a-day.

[17] http://www.tbtf.com/resource/cyberpro-self-spam.html
[18] http://www.tbtf.com/archive/09-22-97.html#s02
[19] http://www.news.com/News/Item/0%2C4%2C15374%2C00.html
[20] http://www.wired.com/news/news/business/story/7789.html
[21] http://www.flinet.com/~erwyn/spam/trowbridge.html
[22] http://www.circumtech.com/news/spammerforaday.html

..No Java, no cookie: no service

As Microsoft disparages Java, its revamped customer support site
comes online requiring it

Though Microsoft has by and large removed all traces of Java from
its pages [23], it recently introduced a Java-enhanced online cus-
tomer support site [24]. Not only do you need to visit with Java
enabled -- considered an impolite requirement among broadminded
webmasters -- but you are required to accept a cookie before you
will be helped. You must sip the brew and bite the cookie. (This
latter resounding phrase comes courtesy of Jargon Scout [25] Glenn
Fleishman <glenn@popco.com>.) Lest we forget how Microsoft truly
feels about Java, Glenn D'Mello <Glenn.Dmello@bglobal.com> forwards
this firkin from the IE4 end-user license agreement. Remember, all
of us who have downloaded and run IE4 have agreed to these senti-

> support for programs written in Java. Java technology is not
> fault tolerant and is not designed, manufactured, or intended
> for use or resale as on-line control equipment in hazardous
> environments requiring fail-safe performance, such as in the
> operation of nuclear facilities, aircraft navigation or com-
> munication systems, air traffic control, direct life support
> machines, or weapons systems, in which the failure of Java
> technology could lead directly to death, personal injury, or
> severe physical or environmental damage.

[23] http://www.tbtf.com/archive/09-29-97.html#s03
[24] http://www.news.com/News/Item/0%2C4%2C15057%2C00.html
[25] http://www.tbtf.com/jargon-scout.html

..Lawn browser wars

A boy's a boy, two boys is half a boy, and three boys is no boy
at all

In the middle of the night after Microsoft released IE 4.0, some-
one (presumably Microsoft employees) placed a large Internet Ex-
plorer logo on the front lawn of Netscape's headquarters. Though
it was past midnight some Netscape employees were hard at work.
They tipped the IE logo on its side, spray-painted "Netscape Now!"
on the surface facing the road, and surmounted it with a 7-foot
statue of Mozilla, Netscape's mascot. The story was posted to rec.-
humor.funny on 10/3 by John Stracke <francis@netscape.com> and is
mirrored at [26]. "Sure it's childish," a Netscapee was quoted as
saying, "but they started it."

[26] http://people.netscape.com/francis/MozillaTriumphant.html

..In a twist

One softwear market Microsoft doesn't dominate

Glen McCready <glen@substance.abuse.blackdown.org> forwarded a re-
port of yet another delicate tussle occupying the well-oiled legal
machine in Redmond. It seems that the English grocery chain Asda is
using the name "microsoft" for its brand of ladies' underthings made
from polyamide elastane lycra. The story proves elusive on the Web;
I could turn up only this single reference from Slate [27], which
looks as if it may be ephemeral. The Financial Times site denies
all knowledge.

>>From Computergram (10/13/97):

> Microsoft Corp's busy legal team took time off from working
> out their defense to Sun Microsystems Inc's Java suit and got
> their "knickers in a twist" over a range of women's underwear.
> Red-faced Microsoft executives were outraged when they discov-
> ered that UK supermarket group Asda was calling a range of
> bras, panties, and thongs "microsoft." The software giant de-
> manded that Asda remove the name from its own range of "soft-
> wear" because the public might get "confused." Asda chose
> microsoft, according to the Financial Times, because the fab-
> ric name polyamide elastane lycra, was a bit of a mouthful for
> its customers. Now Asda is refusing to drop its microsoft
> knickers -- though it has promised only to use the microsoft
> name in connection with women's underwear.

[27] http://www.slate.com/Code/chatterbox/chatterbox.asp

N o t e s

> Welcome to some 250 new subscribers. Early in July PC World named TBTF
one of the five best email newsletters in the category of Computer
Industry News. Hey thanks. Last week the publication's Tipworld mail-
ing list [28] carried this months-old news to its presumably substan-
tial readership; the TBTF subscriber base grew by 5% overnight.

[28] http://www.pcworld.com/cgi-bin/news?ID=971015172322

S o u r c e s

> For a complete list of TBTF's (mostly email) sources, see
< http://www.tbtf.com/sources.html >.

> SNS -- send mail to sns@tapsns.com requesting a free sample issue.
The newsletter costs $195 for 13 months. Web home at
< http://www.tapsns.com/ >.

TBTF home and archive at < http://www.tbtf.com/ >. To subscribe
send the message "subscribe" to tbtf-request@world.std.com. TBTF
is Copyright 1994-1997 by Keith Dawson, < dawson@world.std.com >.
Commercial use prohibited. For non-commercial purposes please
forward, post, and link as you see fit.
Keith Dawson dawson@world.std.com
Layer of ash separates morning and evening milk.
