Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
"Software Pirates Loot Silicon Valley;
Hong Kong street vendors hawk hot software"
An article by Jeff Pelline in the *San Francisco Chronicle*, 14 May 1996,
p. C1 aptly summarizes some of the basic problems of software piracy:
* Two CD-ROMs with more than 100 programs (Windows 95, Windows NT,
AutoCad, LotusNotes, Xing's Mpeg, ...) valued at $50,000 go for
$70 from a Hong Kong street vendor (pushing something that looked
like a hot-dog cart). These items (and many conventional CDs as well)
come from pirate operations in southern China [apparently turning out
legitimate products when the "inspectors" are around for an hour or so,
and hot stuff the rest of the time — on a 24-hour production schedule].
* Pirated software costs an estimated $12 billion annually worldwide.
* "More than half of all software in existence today is lost to piracy."
* An estimated 98% of the software sold in China is pirated — to the
tune of 200 million copies a year; in Brazil it is 95%, in Russia 94%.
Korea is at 78%, Japan at 67%, the U.S. at 35%, according to a chart
attributed to Glenco Engineering, Inc.
[No one seems to mention the devious opportunity for
Trojan horses being added inside the pirate shrinkwrap.]
[If it's a floppy, it might be a copy.
If it's a disk, you're also at risk.
If it's a pirate, the vendors are irate.
To avoid such frustration,
try: Free Software Foundation.
(Not enough BurmaShavian literature anymore?)]
[Considering the volume and issue, this item must be an 18.12 OVERTURE. PGN]
Just fire up Ye Olde Web Browser, and open the URL
[URL withheld by Moderator's Standards. PGN].
It'll show you a curvacious, scantily-clad female member of our species, ask
you for your phone number (including area code), and then a female with a
sexy voice will call you right back and say, um, "things" (ahem), to you.
Yes, that's right, a call-back phone-sex system on the Web.
But of course, it doesn't take much imagination to realize you don't have to
type in *your* phone number. How about your boss's? Or his wife? Or your
not-so-favourite right-wing member of parliament/congress? This could be
one of the best ways to get 'net censorship going: have these sexy voices
call up a random, powerful right-wing politician. This is just a variation
of the old "order a large pizza with all the toppings to the house across
the street" trick we loved to do as teenagers. Except the risks are
potentially more dangerous.
I discovered an unexpected condition when attempting to do some printing of a document created on the Macintosh, in that the character code using ASCII 217 in the Geneva font does not appear onscreen the same way depending on what size it is. I suspect this is an issue with other characters and character sets. I know there is a feature to select a certain character, usually a "box" to display in place of characters not defined for a certain font, in order to show that something is there, not merely either a blank or nothing at all. Since I would expect that to be consistent, that is acceptable, and in fact, much more desirable behavior, e.g. if the character is undefined in a particular character set, a square is printed, to show that the character is unprintable (undefined) in that set. But *this* behavior is both unexpected and undesirable. What I discovered is that a character in a specific font on the Macintosh can be "amorphic", in that it can be a different appearance depending on whether it is printed or displayed on screen, and depending on what size it is displayed at. Now, I'm not talking about the difference between the appearance of, for example, the letter "S" when shown onscreen and when printed with a 9-pin dot-matrix printer and the appearance when printed with a 300dpi laser or inkjet. No, I'm talking about selecting, say, an character containing the image of a Star of David, and printing out a Hammer and Sickle! Some characters on some sets produce some interesting effects, including such symbols as the entire Zodiac; various stars, both circled and squared, white and black; arrows going in 8 directions, various other symbols such as icons of telephones, scissors, greek and mathematical symbols, and many others. These symbols can be useful for various enhancements to a document. For example, one could print a coupon, and use the scissor symbol on the dotted line with the words "Cut Here" to make a much nicer looking image. But when displaying some sets, what you see isn't always what you get! Here is an exact explanation of what I did and what I discovered: I created a macro using the Word Basic programming language that is included as a part of Microsoft Word for the Macintosh. This macro created every character in the Ascii set from 0 to 255. I deleted all the nonprinting characters (0-31), and left the rest that did show. I changed the default font, which happens to be Times, to various fonts in the collection we have for the purpose of creating a display of all the different symbols and special effects characters such as arrows, borders, and indicators such as superscript and subscript characters. In one case, When I changed the font Geneva from 12 to 20 point, I noticed something odd. The character I later determined to be ASCII 217, in Geneva 12 point, appeared as an image of a rabbit. In 20 point, however, that character metamorphicized into the image of a Macintosh computer! It gets more interesting. I tried the different font sizes available, and this is what I saw: Point Character 8 Upper Case Y with two dots above 9 Image of a sheep 10 Image of a Macintosh 11 Upper Case Y with two dots above 12 Image of a rabbit 14 Image of a dog 16 Upper Case Y with two dots above 18 Image of a sheep 20 Image of a Macintosh 22 Upper Case Y with two dots above 24 Image of a rabbit 26,28,36,48,72 Upper Case Y with two dots above The behavior appears to be consistent; the "special" images reappear at the doubling of the character (except the "dog"). What is notable about this is that when the character set is printed out on an Apple color inkjet printer, what does appear - at the appropriate 8 to 72 point size as is used - is the specific character, the upper case Y with two dots above. (I can't yet remember the exact name for that mark, I think it is called an umlaut.) As for the risks, the example I gave above is pretty clear. (Oh yes, the Star of David and the Hammer and Sickle are available, but fortunately they are different characters in different fonts!) I am reporting this because I believe that if it happens in one font it can happen in others. Consider a font designed so that the $ appears as the British pound sterling when printed, or the #, and it could cause misunderstandings, perhaps even legal problems. Especially if - and it is possible - the printed output, having been checked several times in previous revisions, is merely given a cursory glance when reprinted using a slightly larger font. It is well understood that Postscript is a programming language, and with all the risks and benefits that implies. But font files may or may not be, depending on the system or the application, and that opens up a whole new can of worms. Unexpected behavior in a rarely-used symbol is, in-and-of-itself not a big deal. But in other contexts it could be, and thus I considered the issue to be worth reporting. Paul Robinson, General Manager, Tansin A. Darcos & Company/TDR, Inc. [I am curious about the upper-case Y-umlaut. German, Turkish, and Swedish (for example) use umlauts (as does English, for diaeresis), but I have *never* seen an upper-case Y-umlaut. I have seen Dutch names (Edsger Dijkstra's, for example) in handwritten Dutch appear with the i and j run together as if they formed a "y", with the dots over the i and j appearing as a y-umlaut (in lower case only). Perhaps this is one of the Power(book) Morphin' Dangers? PGN]
I ran into an interesting risk recently. A computer is located where it is hard to gain physical access. This computer some times needs reseting. To this end a system to remotely turn the power off and back on was installed. Recently it was decided that this computer must operate in the case of a power failure. As a result a UPS was installed. You guessed it, we now can't remotely reset the computer. Ray Todd Stevens Senior Consultant Stevens Services R.R. # 14 Box 685 Bedford, IN 47421 (812) 279-9394 Raytodd@tima.com
As part of the aftermath of the ValuJet Florida crash, the FAA announced that they will be scrutinizing all of ValuJet's procedures, including flying inspectors in the cockpit to watch the crew at work. Exactly what they expect to find doing this is cloudy to me, given the `observer effect'. It's axiomatic that the crew will behave differently with an inspector peering over their shoulder. The RISK is that the FAA will waste a lot of time and energy looking at something that won't give them useful information. Perhaps it's time for video cameras in the cockpit? Phil Reed Libbey Inc reedpc@libbey.com
I seem to recall hearing a CBC Radio report on a similar situation developing in Germany in, if memory serves, January of this year. The target which they were attempting to quash was hate literature. Surprisingly (because I'm Canadian), the report mentioned that most of the hate literature on the Internet originates in Canada. (This begs the question of the source and reliability of this statistic.) As I remember it, the German government was taking issue with this material, and figured (similar to the case in France) that the best approach was to hold the ISPs legally accountable. The reaction on the part of the ISPs was to cut off any newsgroup deemed to be inappropriate. What surprises me is that nobody is fingering the telcos using the same slippery-slope arguments, ie, providing the hardware and the bandwidth. Perhaps someone with a better recollection of events than I could give this story better clarity. Jim Carroll <pjcarrol@ca.oracle.com> Principal Consultant, Core Consulting Oracle Corporation Canada Inc.
There have been similar reports to this from various places for some time. However, one extra detail did catch my interest; France Telecom (the French state-owned telephone service) recently launched its own Internet access service under the name 'Wanadoo'. I wonder if it will also withdraw from providing the News.
A discussion of the Rogers report from the perspective of organizational psychology can be found in Chris Argyris, _Overcoming Organizational Defences_ (Allyn & Bacon, 1990). Inter alia, he says ".. the Rogers Commission unwittingly strengthened the organizational routines that caused the problems in the first place." I would commend Argyris' book to anyone seeking to understand the attitudes that underly many of the RISKS discussed in this forum. Michael Wild <mwild@iee.org>, <michael@kyrie.demon.co.uk>
>Nowhere in this volume could I find a reference to the numerical odds >of a shuttle accident. A lot of what Feynman's personal conclusions are not in the volumes. Perhaps you remember the minor flap about Feynman's addition of a separate appendix. However, Feynman did publish several other accounts (and some video interviews) discussing these issues, including the probability of failure. I don't remember the exact reference source but some places to look are: 1) Feynmen's "So what do you care what other people think?" (or some similar title). 2) A Cover story article in Physics Today soon after the report was issued. Both of these are good reads in and of themselves as well as being excellent supplementary sources on the Challenger episode. Feynman's role on the Roger's commission raises another issue that is worthy of discussion here. Do we help or exacerbate risks with our methods of ex-post facto accident investigations (Challenger, air-crashes, Exxon Valdez, ...) ? Feynman seemed to feel that some very important issues about the management structure at NASA were not included in the Roger's report and that consequently were not being addressed. This does not include items in the report that have not been vigorously pursued (a debatable proposition in and of itself). Do investigations reveal problems and fix them or do they simply serve to identify scapegoats? What's more, how do we define investigation ground rules to favor the former over the latter? These are the critical questions to ask in order to reduce the probability of another challenger John W. Cobb, Off. Computing&Network Management, Oak Ridge National Laboratory MS-6486 Oak Ridge, TN 37831-6486 1-423.576.5439 cobbjw@ornl.gov
[Sent to RISKS via Stanton McCandlish <mech@eff.org>. RISKS generally eschews such postings. However, this one may have broad appeal to readers in the U.S., and far-reaching implications. PGN] Re: Getting Copies of "Discussion Drafts" of Med Privacy Bill Online This is a sign-on letter to Senators Kassebaum and Warner, asking that the Senate make copies of its "discussion drafts" of S. 1360, the Medical Records Confidentiality Act, on the Internet. The discussion drafts reflect the current versions of the controversial legislation, after negotiations between various Senators and lobbyists. Currently these drafts are only distributed in paper, and are mostly available to Washington DC lobbyists. Senator Kassebaum controls access to the discussion drafts, and Senator Warner is in charge of Senate rules on topics such as public access to Senate documents. The letter has been signed by Gary Ruskin, Director of the Congressional Accountability Project, Lori Fena, Director of the Electronic Frontier Foundation, James Love, Director of Consumer Project on Technology, and Jim Warren, a well known computer journalist and information activist. To add your name, send a note to Gary Ruskin at gary@essential.org. The letter follows: Senator Nancy Kassebaum, Chair Committee on Labor and Human Resources 428 Dirksen Senate Office Bldg Washington, DC 20510-6300 Senator John Warner, Chair Committee on Rules and Administration 305 Russell Senate Office Bldg Washington, DC 20510-6325 Dear Senators Kassebaum and Warner: We are writing to express the frustrations of many American citizens who cannot effectively monitor the actions of the U.S. Congress, because the Senate does not give ordinary citizens the same access to key legislative documents that it gives to interest groups that can afford full time lobbyists. Our immediate concern is the refusal of the Senate Labor Committee to provide online access to a series of discussion drafts of S. 1360, the Medical Records Confidentiality Act. This controversial legislation seeks to pre-empt state laws in favor of a federal system regulating access to personal medical records. The legislation is controversial and complex and the stake holders are many. Privacy and consumer groups say the legislation provides too much access and too little privacy, while industry groups are pressing for even easier access to identified medical records. The legislation was introduced last October. Beginning in April, the Committee on Labor and Human Resources has prepared several "discussion drafts" for a new chairman's mark. These drafts have been given to lobbyists, but the Committee staff has refused to make the text of the drafts available on the Internet where they would be readily available to the general public. As a consequence, as Equifax, IBM, Dun & Bradstreet, TRW, Blue Cross, Aetna, and other groups with full-time lobbyists read each and every new discussion draft, the general public mistakenly believes the October 24, 1995 version of the bill represents the relevant text of the legislation. Why keep the discussion drafts from the general public? The bill is very long, and it is costly and difficult to distribute the bill in the paper formats. Most citizens don't have any way of even knowing that the various discussion drafts even exist. With efforts to push for a rapid mark-up on S. 1360 it seems urgent to resolve this issue soon. More generally, however, the Senate should adopt new rules about access to the various types of "unofficial" drafts of bills, including committee prints, managers amendments, chairman's marks, and widely disseminated discussion drafts, which are the real stuff of the legislative process. The text of these important documents should be placed on the Internet for the benefit of the general public, as soon as they are made available to Washington lobbyists. Sincerely, Gray Ruskin, Director, Congressional Accountability Project (Member, Advisory Committee, Congressional Internet Caucus) gary@essential.org Lori Fena, Director, Electronic Frontier Foundation, lori@eff.org James Love, Director, Consumer Project on Technology, love@tap.org Jim Warren, tech-policy columnist and open-government advocate Government Technology Magazine, MicroTimes Magazine, etc. 345 Swett Rd., Woodside CA 94062; voice/415-851-7075 jwarren@well.com To add your name to this letter, send a note to Gary Ruskin. His contact info is: Gary Ruskin gary@essential.org 202/296-2787; fax: 202/833-2406 James Love, Center for Study of Responsive Law, P.O. Box 19367, Washington DC 20036 202/387-8030 Consumer Project on Technology; love@tap.org with webpages.
[Starkly abridged by PGN]
The SEI Software Engineering Symposium
Achieving Maturity Through Technology Adoption
September 9 - 12, 1996
David L. Lawrence Convention Center
Pittsburgh, Pennsylvania
The SEI Software Engineering Symposium is an annual event hosted by the SEI
to provide an opportunity for people to learn about practical solutions to
software-related problems and the role of the SEI in assisting the
development and adoption of those solutions. The primary goal of the
symposium is to provide a forum to facilitate communication among the
various sectors of the software engineering community and to help
participants build collaborative relationships based on their shared
interests.
The format of the symposium will include plenary sessions, tutorials, panel
discussions, presentations, and birds-of-a-feather sessions on topics that
fall within three broad topic areas that promise significant sustained
impacts on the state of the practice in the coming decade.
Topic 1: Trustworthy Systems: Security, Reliability, Safety
As computer-intensive systems grow in scope, and as their information bases
grow ever richer, the users have corresponding concerns and increased needs
for confidence in these systems. Continued successful use of such systems
requires a high degree of reliability and security from harmful intrusions.
Presentations in this topic area will address aspects of systems that lead
them to be considered trustworthy or not. Such presentations will include
descriptions of systems specifically called "trustworthy systems," but will
also includes such related topics as system vulnerability, system
reliability, and information warfare.
Topic 2: Engineering of Software-Intensive Systems
In recent years, primary concepts of program design and program construction
have been influenced and even overturned by developments in such domains as
software reuse, by research in such topics as software architectures, and by
methodologies such as object-oriented construction. As these developments
mature and become ubiquitous, an emerging common thread is the notion of
composition of systems; this notion underlies technologies such as
architecture design languages as well as new system-oriented approaches such
as open systems. Presentations in this topic area will describe a number of
these developments, such as recent work in patterned architectures,
integration of heterogeneous commercial tools, and program understanding.
Topic 3: New Dimensions in Process and Risk
The Capability Maturity Model(SM) (CMMSM) has become the most widely used basis
for achieving process improvement in software engineering, and it has provided
a framework for the development of a number of other maturity models for
improvement efforts within other domains. With the forthcoming release of the
CMM Version 2.0, this vital aspect of software engineering enters a new phase.
New developments, such as integration of measurement technologies with the
CMM, as well as extension of the model toward risk assessment, risk
management, and Personal Software Process (PSP), are extending the domain of
process improvement enormously. Presenters in this topic area will consider
practical and theoretical issues related to the CMM (e.g., CMM integration),
results of industrial-scale process improvement efforts, and issues
surrounding process-related technologies (e.g., current capabilities in
process enactment engines).
Plenary Sessions: Six keynote speakers representing the views of industry
and government will provide different yet complementary perspectives on
current concerns as well as issues forming just over the horizon. Invited
speakers include representatives from government and industry.
A view from DARPA, where tomorrow's technology is being explored today, will
highlight a number of important issues in software assurance. Speakers from
the Department of Defense will address ways in which information is becoming
increasingly important both as an asset and as a potential threat.
Industrial perspectives on the trials and successes in day-to-day practice
will fill out the picture of the relationships among these various sectors
as we approach the millennium, and how those relationships are changing with
the times.
Who should attend?
To address the broad set of concerns represented by the software engineering
community, presentations will cover topics of interest to people with
differing levels of knowledge and technical expertise. A range of topical
sessions will be offered to discuss issues of concern to senior managers,
senior technical staff, and practitioners. The structure of the technical
program will focus on
1. fundamentals of a technology area for those new to the technology or those
who need to brush up on key concepts and developments
2. state-of-the-art or state-of-the-practice discussions to outline the best
industrial practices and the ways in which they improve the baseline on
practices
3. experience reports detailing the results of using particular technologies
or approaches to improvement
4. management issues and answers to some of the fundamental questions that
determine if and when to adopt a technology, such as return on investment
or other business-case analyses
5. transition plans for key technologies that are deemed "close to ready" for
transition into routine use and that offer nontrivial, measurable
improvements to adopters
Tutorials, Monday, September 9, 1996
____ Personal Software Process
____ Identifying Success Strategies for Software Process Automation
____ Planning the Cultural Dimensions of Improvement
____ Comprehensive Risk Management
____ How to Deploy Software Process Improvement
____ FODA for Pragmatists
____ Legacy System Reengineering
____ Goal-Driven Software Measurement
Plenary sessions, panel discussions, and presentations, are offered Tuesday,
September 10 through Thursday, September 12.
CMM and Capability Maturity Model are service marks of Carnegie Mellon
University. The SEI is a federally funded research and development center
sponsored by the U.S. Department of Defense, and operated by CMU.
Contact Information
Events
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, Pennsylvania 15213-3890
FAX 412 / 268-7401
Internet: registration@sei.cmu.edu
[And look for their web page for details. Carol did not give
a URL, but many readers object to URLs as not meaningful in
the fullness of time anyway — and besides, preannouncements
are of less interest in the long run. PGN]
Please report problems with the web pages to the maintainer