Domain: ncl.ac.uk
Stories and comments across the archive that link to ncl.ac.uk.
Comments · 604
-
Can You Cogently Explain Why Javascript is Bad?
Don't worry about convincing me that Javascript is bad - I already leave it turned off, and have ever since I read the CERT advisory that said you should turn off scripting in your browser because crackers might post scripts in web forums that don't filter the posted HTML correctly.
Slashdot doesn't allow the SCRIPT tag but some sites do (perhaps unknowingly) and so someone can write an apparently innocent comment in a chat and include a script that eats your hard disk.
A close friend of mine told me that she's been writing largely in Javascript for a long time now and her company is in fact basing their entire online strategy on Javascript. They're making a huge investment in it and will be selling a product that will be very expensive that will require very highly paid people to leave Javascript on all day long just to do their work.
I was astonished at that idea and said they were doing a disservice to their customers by encouraging them to enable Javascript, let alone requiring it for the basic functions of their product.
She was pretty incredulous about this, even after I recounted the above CERT advisory. She told me Javascript was sandboxed and could not do anything destructive. I told her it was full of holes and highly nonstandardized and bugs were being found in it all the time.
I also advised her to read the Forum on Risks to the Public in Computers and Related Systems (also available as comp.risks on the Usenet News).
I told her I felt that reading Risks was a very basic requirement for anyone who wrote software for a living, and was doubly important for someone like her who wrote software that would affect people's lives in a substantial way (I can't be too specific - but she's not writing entertainment software). She thought this was all very silly.
Now, slashdotters, what can I say to my friend - what can I say that is of real substance not just flaming? Can you give me literature references or URL's? Pertinent CERT advisories would be good.
BTW - here's a suggestion - while I leave Javascript turned off most of the time, I often find I have to turn it on to use some sites. It really gets me down that some sites don't even function if Javascript is not enabled.
But Junkbuster is a simple proxy that will filter out ads and stop cookies, but allow them in controlled ways. For example, I only allow cookies from Slashdot and my bank, so I don't have to have cookies from any other site and I don't have to keep turning cookies back on to read slashdot.
I think it would be a fairly simple matter to modify the Junkbuster source code to filter out SCRIPT tags for most sites except those that are on an approved list. The source code is GPL'ed so someone with the inclination could just get the source and do it. I'd do it myself but I'm real busy for the next little while.
-
Encrypt Casually and Regularly
If you worry as I do that people snoop on the Internet, then you should use encryption. Don't just use encryption for important secret messages, use it all the time so that the snoopers won't be able to tell when you're up to something they should be paying attention to. Even if you have nothing to hide, generating encrypted traffic on the net improves its overall security because it makes it more difficult for crackers to focus on those who appear to have something going because they use encryption (even encryption is subject to traffic analysis).
Please read my page Why You Should Use Encryption.
If you get your mail from and put web pages on a hosting service, then at a minimum you should use one that provides secure shell (ssh) and secure copy (scp) access. One such hosting service that does is Seagull Networks. Does anyone know any others?
When you retrieve your email via POP or load a web page via FTP your password is being transmitted in the clear. You have no control over which routers and cables it passes through in the process, so you have no way of knowing if someone's running a sniffer on a compromised host. Usually you have no knowledge even of the route, unless you go to the trouble to run traceroute regularly.
You can download your email via an encrypted channel with ssh port forwarding if your mail host provides ssh. The instructions given are oriented to the BeOS but apply in general to any OS for which an SSH client exists.
If you run a website that uses passwords please consider allowing the users to enter their passwords via SSL (https).
If you use websites that require passwords, please use a different password for each site. At the very least, use a unique password for your important sites, like your email, web pages and financial sites. If you keep the passwords in a file (which you may have to do because there are so many sites that take passwords), encrypt the file.
Be aware that most sites that have passwords do not encrypt them, otherwise they wouldn't be able to send you your password reminder in clear text. I've even used sites that mailed out password reminders in the clear every couple months just to prompt me to use the service. Note that anyone at the site who has root access, anyone who compromises the site or anyone running a sniffer on or near the site will be able to catch your passwords.
Also I think it is very likely that many websites are provided for no other purpose than to collect passwords for later use by crackers - beware of that free trial and use a unique password if you must accept the offer!
Use the anonymizer or, if you have Windows 95 or 98, Freedom to protect your privacy while you web surf.
Finally, do you use a laptop computer? Do you have files on it that you don't wish to share with the random stranger who might steal it someday? How about your competitors? A thief won't likely be in the direct employ of your competitors but they may recognize the value of the information and sell it to them, or even post it on the net for fun.
And remember in this information age the information on our computers is more valuable than the hardware itself, and unlike car stereos can continue providing value to a thief because, once it is fenced, it is still available to be fenced again.
Depending on your OS, you should use PGPDisk or the Linux encrypting kernel on your laptop.
Consider encrypting important information on your desktop too. A friend of mine who is a software developer lost every machine in his company in a robbery - source code, strategic plans, and the customer database.
I know of two cases where laptops were stolen from intelligence agents, once during the Gulf war, and once from an MI5 agent while he'd set it between his legs at a train station. Good thing they used encryption!
Finally, read the Forum on Risks to the Public in Computers and Related Systems available on the Usenet News as comp.risks and on the web at http://catless.ncl.ac.uk/Risks
Tilting at Windmills for a Better Tomorrow
-
Why You Should Read the Risks Forum
The Forum on Risks to the Public in Computer and Related Systems discusses problems such as this regularly. It is available as comp.risks on the Usenet News and at http://catless.ncl.ac.uk/Risks/ on the Web.
The Risks forum should be read by:
- Anyone who uses or depends on computers in their daily lives
- Anyone who programs computers
- Anyone who makes policy decisions involving computers or software
- Anyone who ever depends on the correct functioning of computers for their lives or safety (flown on a modern airplane lately?)
- Anyone who operates computers that affect safety (piloted one?)
You might think such spy stuff as this article is about is out of your realm, but consider this example which likely could have affected most of us:
The scary MSWord residue feature
I recently received a legal document as part of a personal negotiation that I am doing. The document was e-mailed to me in MSWord format. As I was showing it to my lawyer (who happens to be my wife), we decided to put our thoughts inline using the track changes feature of word. After selecting Tools, and Track Changes, we clicked on "Highlight changes in document" and voila, suddenly a whole bunch of red appeared on the screen. We looked at it closely and realized that everything in red represented changes in the document that my counterpart's lawyer had written. We got a good look at the previous version of the contract, as well as a bunch of comments and justifications that the lawyer wrote to his client. It was an eye opening experience.
It appears that instead of selecting "Accept all changes" before sending it to me, the other party to the contract simply turned off the highlighting to the track changes feature.
This is obviously a case of an unsophisticated person misusing a feature. However, it is very dangerous. Lawyers send word documents around all the time, and many of them do not really understand all the features that they use, nor should they have to. I imagine that I was not the first person to see some behind the scenes conversation in an important word document, that I was never intended to see.
Peter G. Neumann, moderator of the Risks forum, wrote a book called Computer Related Risks that draws on material from the forum and discusses it in more depth. It has ISBN 020155805X and you can purchase it from:
If you teach a course on programming, I suggest adding this to the recommended reading, and if you teach a course on fault tolerant or embedded computing, I urge you to include it in the required reading.
-
Re:Oh, yea...this is a *great* idea....
Not to mention Scunthorpe.
See RISKS for details.
Paul.
-
Encrypt casually and frequently
Please read my page Why You Should Use Encryption. This explains why ordinary people, even your mother and your kids, ought to be using secure encryption.
Also read my note Secure Email Download with SSH on the Be Tip Server. While the tip is BeOS specific, the basic ideas work fine on other operating systems.
Of course, to download your mail via SSH, you'll need a hosting service that provides it at their end, which is why I recommend Seagull Networks. Note that if you upload content to your website with FTP, you're exposing your password to network sniffers. Seagull Networks allows you to use secure copy (scp) for this so your password remains secure.
Finally, I use the Linux Encrypting Kernel under Linux and PGPDisk under Windows to keep important personal info like my Quicken checkbook, and confidential business information like the source code I'm writing for my clients encrypted on my laptop so the thieves won't have them if my computer is stolen.
With either one you can create a big file that when mounted with a passphrase is accessible like any ordinary filesystem. I have even found that I can run MPEG movies off a PGPDisk with no loss in playback quality on my laptop which has a 450 MHz Pentium III.
Finally read the Forum on Risks to the Public in Computers and Related Systems for significant discussions on privacy issues. It is available as comp.risks on the Usenet News and on the web at http://catless.ncl.ac.uk/Risks/.
Do you think Microsoft takes care to protect your privacy when designing its products? Guess again.
The scary MSWord residue feature
I recently received a legal document as part of a personal negotiation that I am doing. The document was e-mailed to me in MSWord format. As I was showing it to my lawyer (who happens to be my wife), we decided to put our thoughts inline using the track changes feature of word. After selecting Tools, and Track Changes, we clicked on "Highlight changes in document" and voila, suddenly a whole bunch of red appeared on the screen. We looked at it closely and realized that everything in red represented changes in the document that my counterpart's lawyer had written. We got a good look at the previous version of the contract, as well as a bunch of comments and justifications that the lawyer wrote to his client. It was an eye opening experience.
It appears that instead of selecting "Accept all changes" before sending it to me, the other party to the contract simply turned off the highlighting to the track changes feature.
This is obviously a case of an unsophisticated person misusing a feature. However, it is very dangerous. Lawyers send word documents around all the time, and many of them do not really understand all the features that they use, nor should they have to. I imagine that I was not the first person to see some behind the scenes conversation in an important word document, that I was never intended to see.
-
Why You Need to Read the Risks Forum
I keep posting this around Slashdot.
If you're a computer user, you need to read The Forum on Risks to the Public in Computer and Related Systems, available on the web at http://catless.ncl.ac.uk/Risks/ or on the Usenet news as comp.risks
The Risks forum is part of the ACM Committee on Computers and Public Policy.
You should make a special effort to read Risks if you:
- Program computers
- Make policy decisions involving computers (managers, government etc.)
- Depend on computers for your life or safety (do you fly on airplanes?)
- Operate computers in situations where they affect life or safety
USS Yorktown dead in water after divide by zero
The Navy got rid of its more robust warship operating systems and replaced them with Windows NT. As a result of this, when a sailor typed a "0" in a data entry field, the whole shipboard network went down and the proud Yorktown had to be towed back into port.
Security concerns, viruses and the like are discussed extensively in Risks.
Do you use Microsoft Word on Mac or Windows? Do you use it to type confidential documents? Consider this post from a fellow who received a contract from an attorney in Word format:
The scary MSWord residue feature
I recently received a legal document as part of a personal negotiation that I am doing. The document was e-mailed to me in MSWord format. As I was showing it to my lawyer (who happens to be my wife), we decided to put our thoughts inline using the track changes feature of word. After selecting Tools, and Track Changes, we clicked on "Highlight changes in document" and voila, suddenly a whole bunch of red appeared on the screen. We looked at it closely and realized that everything in red represented changes in the document that my counterpart's lawyer had written.
We got a good look at the previous version of the contract, as well as a bunch of comments and justifications that the lawyer wrote to his client. It was an eye opening experience. It appears that instead of selecting "Accept all changes" before sending it to me, the other party to the contract simply turned off the highlighting to the track changes feature.
This is obviously a case of an unsophisticated person misusing a feature. However, it is very dangerous. Lawyers send word documents around all the time, and many of them do not really understand all the features that they use, nor should they have to. I imagine that I was not the first person to see some behind the scenes conversation in an important word document, that I was never intended to see.
Do you have any loved ones in the hospital with a life-threatening medical condition?
New HDTV signal shuts down Baylor heart monitors
On 26 Feb 1998, WFAA TV (Channel 8) in Dallas turned on their new digital HDTV signal. As a result, 12 heart monitors stopped working in a Baylor University Medical Center heart surgery recovery unit; they happened to be on the same frequency. The monitors were made in the mid-1980s, and were slated for replacement. [But the patients weren't?] In the interim, WFAA has stopped transmitting -- because there are no commercial receivers yet anyway. [Source: *Dallas Morning News*, 5 Mar 1998. PGN Abstracting]
Peter G. Neumann, moderator of the Risks forum, wrote a book called Computer Related Risks which draws on the material in the forum and discusses it in more depth.
It has ISBN 020155805X and you can purchase it online from:
- http://www.fatbrain.com
- http://www.barnesandnoble.com
- http://www.amazon.com
- http://www.chapters.ca - in Canada
Mike
Tilting at Windmills for a Better Tomorrow
-
See the Risks Digest
This sort of thing has been discussed repeatedly and at length in the Risks Digest. You guys do read the Risks Digest, don't you?
The Risks Digest is more verbosely known as the Forum On Risks To The Public In Computers And Related Systems, ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator. It's a great and fascinating thing to read; it covers almost any topic even tangentially related to the risks of using computers and digital systems, including privacy issues, Y2K issues, software in critical systems, encryption policy, etc., etc. It is known on usenet as comp.risks, and is also available via e-mail. It's an old forum; in the online archives you can read discussions following such famous events as the loss of the Shuttle Challenger and the Robert Morris Internet Worm. Highly recommended reading for anyone making software.
Also recommended are the Privacy Forum and the Computer Privacy Digest.
--Jim -
Book "Computer Related Risks" by Peter Neumann
Peter G. Neumann, the moderator of the Risks Forum, wrote a book called Computer Related Risks which draws on the material from the forum and discusses it in more depth.
It has ISBN 020155805X and you can purchase it online from:
- http://www.fatbrain.com
- http://www.barnesandnoble.com
- http://www.amazon.com
- http://www.chapters.ca (Canadian bookseller)
Mike
Tilting at Windmills for a Better Tomorrow
-
Why Every Computer User Should Read Risks Forum
I want to give another example of why every computer user should read the Forum on Risks to the Public in Computer and Related Systems.
While I recommend it to everyone who uses computers for anything of any significant importance, it is especially important to those who:
- Design computer systems, such as software and hardware engineers, and
- Make policy decisions involving computers, such as managers and government officials
The scary MSWord residue feature
I bring it up in this discussion of cell phones and aircraft because electromagnetic interference in safety-critical systems is a frequent topic on Risks. For example,
I recently received a legal document as part of a personal negotiation that I am doing. The document was e-mailed to me in MSWord format. As I was showing it to my lawyer (who happens to be my wife), we decided to put our thoughts inline using the track changes feature of word. After selecting Tools, and Track Changes, we clicked on "Highlight changes in document" and voila, suddenly a whole bunch of red appeared on the screen. We looked at it closely and realized that everything in red represented changes in the document that my counterpart's lawyer had written. We got a good look at the previous version of the contract, as well as a bunch of comments and justifications that the lawyer wrote to his client. It was an eye opening experience.
It appears that instead of selecting "Accept all changes" before sending it to me, the other party to the contract simply turned off the highlighting to the track changes feature.
This is obviously a case of an unsophisticated person misusing a feature. However, it is very dangerous. Lawyers send word documents around all the time, and many of them do not really understand all the features that they use, nor should they have to. I imagine that I was not the first person to see some behind the scenes conversation in an important word document, that I was never intended to see.
New HDTV signal shuts down Baylor heart monitors
If you're upset about the sorry state of software these days, there is in fact a lot that can be done about it. Get started by reading Risks.
On 26 Feb 1998, WFAA TV (Channel 8) in Dallas turned on their new digital HDTV signal. As a result, 12 heart monitors stopped working in a Baylor University Medical Center heart surgery recovery unit; they happened to be on the same frequency. The monitors were made in the mid-1980s, and were slated for replacement. [But the patients weren't?] In the interim, WFAA has stopped transmitting -- because there are no commercial receivers yet anyway. [Source: *Dallas Morning News*, 5 Mar 1998. PGN Abstracting]
Mike
Tilting at Windmills for a Better Tomorrow
-
Read the Risks Forum
If you're a computer user, and most especially if you're a computer programmer, then you have good reason to read The Forum On Risks to the Public in Computers and Related Systems, available as comp.risks on the Usenet News, and on the web at http://catless.ncl.ac.uk/Risks/
Cell phone interference to airliners has been discussed there extensively.
For those of you who work where they're considering replacing a real OS installation with Windows NT, consider this post I contributed:
USS Yorktown dead in water after divide by zero
The Yorktown has to be towed back into port after a sailor entered "0" into a data entry field and it crashed the ship's entire NT network.
Mike
Tilting at Windmills for a Better Tomorrow
-
Cum Grano Solis: Understand and Move On
I apologize for the long comment, as I am wary about even spending the time to analyze this article, but here goes.
These days, for example, few people will pay for an editor; it is not surprising that many editors are free. Netscape, to take another example, only made its browser free (in two different ways: permitting use of the binary versions at no cost, and releasing the Mozilla product as open source) when Microsoft made its own Internet Explorer available on Windows at no cost, killing the market overnight. Until then, the Netscape browser was sold for a fee.
Umm... no. Netscape was sold for a fee (and still is I think) but it could always be gotten gratis from ftp5.netscape.com since at least the 1.1N days.
- Product F is free software. It comes with the standard no-warranty warranty.
- Product P is proprietary software. It costs $50 for the binary-only version. It uses the most advanced techniques of software engineering. It never crashes, or departs in any way from its (mathematically expressed) specification. The seller is, in fact, so sure of those qualities that he will commit in writing that any violation of the specification during execution will immediately lead to reimbursement of the purchase price and compensation for any damages incurred.
For me at least, the choice is certain. If I ever need to extend product P, or get product P to work on a system for which it was not originally designed, or if product P's manufacturer goes out of business entirely, I will be out of luck. As I value my worth as a system/network administrator, I cannot use a piece of software that cannot be fixed by me. This is the same reason that I prefer older, user serviceable cars to modern "no user-serviceable parts inside" cars.
Regarding the no-warranty warranty, there are many groups who are in the market of selling warranties to free software products. For companies (or individuals) that require a high state of warranty that the piece of software will be working and someone can be held accountable, these after-market warranties can make non-warrantied free software viable.
As a final point that has failed to be made, BM doesn't note that there is no way for someone to ascertain that product P truly uses the most advanced methods of software engineering (Level 5?) unless the source code is open for inspection.
"I've looked at the source, and there are pieces that are good and pieces that are not ... My experience and some of my friends' experience is that Linux is quite unreliable. Microsoft is really unreliable but Linux is worse." (IEEE Computer, 32, 5, May 1999, page 61.)
This quote is interesting and kind of funny. I am not sure how KT can compare the Linux source to the Microsoft source at all. We currently have NT source here on campus, but no one can see it without signing obligatory NDAs. [No, I haven't seen it either.] I suspect that KT's comment may have been taken out of context, possibly talking about the ability of users to run Windows vs. Linux and not the underlying reliability of the kernel.
In a different case, the newsgroups comp.risks recently published a report of rather horrendous and elementary C errors found in a quick and simple check of the source of the FreeBSD operating system (see http://catless.ncl.ac.uk/Risks/20.18.html#subj9.1).
Yes, using assignment when you mean comparison is a rather stupid error, that should have been caught by the BSD team. However, the fact that it was able to be caught by someone lends credit to the OSS development model. If such a simple error existed in Solaris, we would have to wait for the Solaris design team to find it, and release a patch. While in BSD or Linux, if such an error is found, it can be corrected rapidly, without a cover-up. [Who knows what fixes were actually done in a service pack? (I might cringe if I knew)]
Yuck. I am rapidly becoming disgusted with myself for spending the time to go through and deal with what is clearly a rant that is substantiated in some cases and not substantiated in others. If this were a peer reviewed publication, I believe that competent reviewers would reject this article. Nevertheless, BM does occasionally make some valid points, such as criticizing the code correctness, reliability, and zealotness of OSS. As a community, we should acknowledge these points, realize that we may not be as bad as BM leads us to believe, and make motions to correct them if possible.
Wouldn't it be wonderful if Linux (or *BSD) could get Level 5 certification?
Don Armstrong -".naidnE elttiL etah I"
-
Re:It'll all change when someone dies by software.
There was (maybe still is) a moderated newsgroup that dealt with hazards arising from software usage where I read of these things.
You may be thinking of the RISKS Digest which is the same as the newsgroup comp.risks. They have a web archive at http://catless.ncl.ac.uk/Risks
They kind of live for Murphy's law.
-
Re:Laser downside
Readers of RISKS may remember this piece about lasers, spiders and networking.
-
Source Code no Panacea
I have to disagree with the main thesis of this article. Inspecting the source code does not guarantee that code is backdoor free. You have to inspect the object code (not source code) of your compiler as well, to ensure it doesn't insert a backdoor.
Ken Thompson brought this up quite clearly in his 1983 Turing award lecture, which has also been discussed in comp.risks. If you want to insert a backdoor into Linux, just booby trap a binary gcc distribution somewhere in such a way that the backdoor is reinserted when you re-compile gcc.
Open source is a good start, but it does not guarantee a lack of backdoors.
-
RISKS archive
RISKS postings (web archive and Usenet) are about the risks of computers. They are a good source for anecdotes on funny or scary uses and misuses of cryptography.
__ -
Re:Not a Y2K bug, a provocative maintenance bug
If you are going to call Y2k any problem with leap year or year end rollover, then not even close.
In 1988 a bunch of Suns stopped working, and people who created accounts with ADM (whatever that is) found they couldn't log in. A bunch of BBSes crashed.
I don't have any URLs, but I recall that in 1984, Primos machines suffered an outage when the backup program attempted to create a tape to expire on 29FEB85.
I'm sure there are many instances before that, but I'm not familiar with them. I'd say that dates have always been a problem in programs, simply because they're so complex, and easy to get wrong.
-
Re:huh?
There are a couple of things I don't understand here. Firstly I believe Airbus Industries are 20% owned by British Aerospace, whereas as far as I know there is no British interest in Boeing, so I don't understand the motives of commercial espionage by the British against Airbus.
The other thing is that it amused me to read the following article on Risks Digest last week. I guess everyone spies on everyone else! -
Related sources for hard facts
The Risks Digest frequently covers issues related to this. The latest issue contains a brief comment on Simson Garfinkel's new book, Database Nation: The Death of Privacy in the 21st Century published by O'Reilly & Associates. The PRIVACY Forum is also an excellent resource on issues of privacy and technology.
-
More EAS Links
Society of Broadcast Engineers:
http://www.sbe.org/eas/eas.html
Risks Digest:
Emergency Alert System interrupts Hurricane Announcement, and crashes
Also, a real hoot... after the government mandated the system (and the broadcasters bought the requisite equipment), an outfit named Quad Dimensions announced that they owned a patent that covered the entire system, and sent out royalty requests to all stations(!) Wasn't able to find a link covering this, but maybe someone else can... -
Re:A320 Myth
your text about the A320 crash being caused by the flight-control software is just plain wrong. The flight-control software *saved* lives; the pilot had no chance of recovering from the state he stupidly placed the plane
Sorry if I don't trust that; the French authorities were already blaming the pilot immediately after the crash, trying to exonerate their (very expensive, government-financed) aircraft development effort. See RISKS Digest Volume 7 Number 22. It is pointless to argue that the FCS kept the pilot from stalling the aircraft due to its lack of thrust; the fact of the matter is that the FCS refused the commands to throttle up, which caused the lack-of-thrust condition in the first place.
-- -
Re:Forget Y2K... how about Y10K?
Y2K is not too serious of a problem. But what happens when we roll over to 5 digit years?
Back in April I posted the following to the RISKS Forum:
So maybe I'm an April Fool, but it seems to me that the Y10K issue is worth a little serious thought.
There are areas of human endeavor in which 8000 years is not an extreme time span. At present, we deal with these long time spans only in modeling things like geological and cosmological events. But it is not unreasonable that within the next century, we may begin to build very high technology systems with mission durations of thousands of years - for example, a system to contain radioactive wastes, or a probe to another star system.
Y2K issues have raised our consciousness about timer overflows, but it's quite possible that this may fade in succeeding generations. There's no reason not to start setting standards now.
Perhaps all time counters should be bignums?
-
Pointer to Excellent Article On This Issue
At least IMO!
It's by Bruce Schneier in Risks Digest 20:66.
-
A privacy concern, yes? Dependent on cookies, no.
It was something like this I had in mind when I wrote to RISKS back in January 1997 about Alta Vista's relationship with Doubleclick. I didn't receive much response back then (in particular nothing from Alta Vista), except for a suggestion that cookies pose more of a threat to privacy than do inline image URLs.
Whether all this boils down to a privacy intrusion or not is an open question. However, I find the cookies themselves irrelevant in this matter. Cookies are merely a convenience and a nice concept to the information provider, but they don't add any significant functionality to the data exchange process.
Even if you disable everything that deals with cookies, you are still stuck with the ultimate cookie--the URL. Before cookies, some servers encoded the same kind of personalization data in long URLs. For all I know, this technique may still be in popular use. You type in a short URL found in a magazine, and the server immediately redirects you to a personalized URL, full of cryptic parameters, or simply containing a user ID. Disable URL redirection as well, and what do you have left?
The cookies simply provide a cleaner way to implement this, without burdening the URL with massive amounts of data. Besides avoiding URL buffer overflow, the cookies are supposed to be less visible to the user. However, they add no new functionality for tracking user habits. If you are worried about your privacy, you should be more concerned about what information sits in somebody else's database, than about what is stored on your own hard drive.
The essence of this news item, though, seems to be Doubleclick's omnipresence, doing away with the argument that all those different sites you visit won't be able to match their logs in order to find out anything important about you (they simply won't have to). I haven't studied Doubleclick's policy. Does it say anything about whether Doubleclick will comply with requests from law enforcement authorities to find out who seem to be frequent visitors to warez sites displaying Doubleclick banners? Is that something to be concerned about in the first place?
-
Re:Why are we fighting over the OS?
The old IBM adage, "if it works don't fix it," has a new application as the world stumbles over into a new millennium. Today, in 1999, a new group might claim with pride of their favorite OS, "we don't have to fix it, because it works!"
The Holy War between the armies of Linux users, Windows users, and Mac die-hards has grown more vicious than ever. And none of the content of the diatribes actually matters one iota - and certainly not Dr. Goebbel's new anti-Linux page at microsoft.com.
My contention is that the only issue for most users is stability, and measuring stability for these users is straightforward. At the IBM think tank in Hursley in the south of England, where pressure is on to integrate with Windows NT, Linux is a clear favorite. "It's bulletproof," one developer told me. And that's all he needed to say. Stability is what end users want. They don't want blue screens of death, leaky drivers, faulting TCP stacks, and the like. They want to be able to turn on their computer and have it run - and run and run and run without re-booting all the time - and just do what they set out to do. And in this regard, Linux fits the bill, and no other OS comes close.
I am not a Linux user, but I am raised on UNIX. And I do vaguely remember when we got word about a chap across the sea from us in Stockholm who had taken the kernel to something called MINIX as I remember and was working on it. But when a developer tells me what he tells me in such uncertain terms, with such a note of satisfaction in his voice, directly corroborating all I've heard over the months and years - then I purport to know.
The application software will come. Maybe it will be freeware too. There once was a time when all software was officially free anyway. Long before the emergence of the Software Beast in Redmond. Snow White and the Seven Dwarfs sold hardware - the software just tagged along. It seems we're back there again. You can't get around paying for hardware. The laws guarding software are a real headache. Someone might have to invest in programmers, but then again maybe they don't. Hardware companies might invest in support gurus, but then again they did that back in the old days too. For all MVS ever was, and it's hard to compare apples and oranges here, I don't think IBM would whine that open source was less stable than what they constructed.
And the complexity, as the opposing armies call it, is just a hurdle. The more people use computers - and new generations are being born all the time who know things by 10 that our IT gods never learned in their lifetimes - the more this "hurdle" will turn into an innocuous speed bump - just something else to be learned, like driving a car, cycling a washing machine, filling out an income tax form.
I think - I am guessing here - that the Linux experience might be akin to a Swiss avalanche. It needs momentum. And as it gathers momentum, it gathers power, and thereby more momentum. The more people using it, the more stable and developed it becomes, which results in even more people using it, which results in further stability, and so on and so forth. I don't regard corporate tagging onto the Linux bandwagon as decisive here - I just don't think it will matter much when the final score is in. I think the ordinary users in the field will determine the outcome - the users with PCs on their kitchen tables and cables running over their toasters, huddling over manuals deep in the night. The more the word gets out - the more people who use this system - the more it will spread. Like chatter teeth bumping into chatter teeth - sooner or later they're all yacking away.
Security isn't even an issue. What the web servers of the world run is one thing (and that's basically freeware anyway), what your kitchen gurus need is something quite different. Your kitchen gurus can't even spell security, raised as they are on shortcuts and Start menus and Favorites.
People have forecast the doom of William H. Goebbels 3 before. The Richest Man in the World has only grown richer. It's fashionable, even, to criticize him and his company. It's great gratuitous speculation to let him and his corporation have it when they're on the verge of introducing a new product. And the way it usually goes - once the product is released, in a few weeks, as the oooh's and ahhhh's die down, everyone with the stars still in their eyes, blinded by this new product, will forget this new Winter of Our Discontent.
But I'm not so sure this time. I won't be a fool and say Bill will even be scratched by this latest attack from Linux. But you never know. You just never do.
Where we at radsoft.net are stationed, it doesn't matter much really, although personally I am beginning to find the Windows experience rather enervating. We've been trying to fight bloat and compensate for unstable Microsoft system hacks ever since we had to use Windows - I think we've succeeded, but that doesn't mean we're happy about it.
Rick Downes
-
Great site...
-
Planes, too!!
Air Canada Flight 143 (23 July 1983) from Ottawa to Edmonton, which came extremely close to becoming a major disaster when the airplane (a Boeing 767) ran completely out of fuel while in the air.
The cause of the near-crash was partly due to a faulty fuel gauge AND the fact that B-767s were the first to use metric. Read about it. The World should really ditch imperial once and for all.
--- -
Re:Republic Democracy
The men part.
:-)
I agree with Heinlein; let's rescind the franchise from men, and let women run the country for the next 200 years.
On another front, the major problem with online election is guaranteeing non-repudiability, one-vote per voter... _and_ anonymity, all at the same time. There's been _extensive_ work on this topic; check the RISKS digest archives, among other places -- available on the web at
(forgive me, Lindsay)
http://catless.ncl.ac.uk/Risks.
Let's not re-invent the wheel, shall we?
Cheers, -
Re:Not taking this seriously ;)
Y2K on the road
Evan McLain <emclain@top.net>
Thu, 16 Apr 1998 22:05:10 -0500
I recently hosted a visit from a group of engineers that are assisting us with Y2K verification. As they were leaving, one of them said, "Say, you don't have a 1979 Toyota, do you?" Apparently the engine computer in these cars uses "00" in the year field as a code for "complete engine shutdown". I wonder if it would cause a moving vehicle to quit, or just one that was turned off overnight on the 31st?
-
Re:John Markoff
This was in the latest comp.risks digest. The article makes reference to a NewsScan Daily article called "Spy Who Messaged Me" -- Now Playing at Microsoft!, which in turn cites the New York Times article.
-
do a little research then
... if for no other reason than a lack of information.
A paper from the first announcement of this back in May is available in a couple of places (zipped eps and postscript), as well as an analysis by RSA. See also the RISKS posting.
If you meant just that the design is untried, I suppose this won't convince you, though optical computers of this sort have been built (on a much smaller scale) before. Anyway, we have this thing called "engineering" for figuring out if something's going to work or not. :)
I don't see any new information on the web. Can someone from the conference let us know what progress has been made on the design front? -
Re:Commercial Accountability
Risks Digest has been chronicling risks to the public through computing for quite some time. It would be interesting to see how many cases involved lawsuits.
--
I noticed -
Re:The safest place
You don't think it's a problem when a park is flooded with 3-1/2 MILLION gallons of raw sewage thanks to a y2k test?
(wtf did this really happen? or what.. if not my response)
The sewage in the park was near here in Los Angeles, I believe. A city sewage treatment plant was being tested to make sure that it would switch over to a backup generator in the event of a power failure. The test (cutting main power) caused a valve to close, which caused sewage which was supposed to be entering the plant to back up, into the storm drains and eventually up into the park (which is in a large flood control basin). There's a brief description in RISKS-20.46. The RISKS article has a link to a more in-depth LA Times article, which you have to pay for, except they seem to be having database problems.
-
Re:Head in the sand?
Please show me where a non-y2k-related bug has resulted in 3-1/2 million gallons of sewage being dumped on the ground.
Well, finding another case of dumping sewage on the ground is a rather restricted search. I did, however, find these:
Sewage flows into river; Computer Failure Blamed
Sewage Spill Linked to Computer
(The above mentioned Y2K sewage problem may be found at Y2K test sends sewage flowing in Los Angeles.)
--Phil (RISKS readers know that there are all sorts of programming bugs lurking around--not just Y2K.) -
RISKs on bloatware
Best article I have seen on the causes of bloat in MS products is R.A. Downs's analysis of bloat in RegClean Version 4.1a Build 7364.1. In a program of 818KB, he finds 350KB (that's over 40%) of "bloat," including unused cursors, dialogs, string entries, tool bar, menus, icons, etc. You might quibble with some of what he counts, but the basic point is powerful.
A. Michael Froomkin
U. Miami School of Law, POB 248087
Coral Gables, FL 33124, USA -
Re:Comparison
Let me point to a follow-up in Risk-Digest, this article gives a more detailed description of regedit.exe.
Read it, this may be an eye-opener. -
Re:Comparison
Linus himself stating that he believed OS design was well understood by the 1970s, and he considers microkernels to be "stupid", plan9 to be "stupid" etc etc.
[...]
While he is undoubtedly a highly talented programmer, I think that there are engineers in the world who are at least, if not more, skilled working for Sun, CMU, Microsoft, DEC and suchlike whose work has proved Linus to be very wrong.
Pardon, could you please tell me exactly which of the above comments (microkernel, plan9) were proven wrong by Microsoft engineers?
I don't want to say Linus is good, everything he says is right etc., but I want to see plain facts.
But for high volume dynamically generated content, for example, or commerce, or databases, NT is more mature and benefits from being developed by engineers rather than hackers. DEC, from whence Cutler came, are very serious about this.
I'm far from saying Win NT should be avoided at all cost - heck, I use what does the job best for me. But do you want to say for very high traffic, dynamic web sites you would like to use Windows NT?
Ok, this is not a server-issue, but it is Microsoft, so here follows a description example of "mature" software and the answer of the question: Why is regedit so big? (The Risks digest, Vol 20;35)