Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
"Software Pirates Loot Silicon Valley; Hong Kong street vendors hawk hot software" An article by Jeff Pelline in the *San Francisco Chronicle*, 14 May 1996, p. C1 aptly summarizes some of the basic problems of software piracy: * Two CD-ROMs with more than 100 programs (Windows 95, Windows NT, AutoCad, LotusNotes, Xing's Mpeg, ...) valued at $50,000 go for $70 from a Hong Kong street vendor (pushing something that looked like a hot-dog cart). These items (and many conventional CDs as well) come from pirate operations in southern China [apparently turning out legitimate products when the "inspectors" are around for an hour or so, and hot stuff the rest of the time — on a 24-hour production schedule]. * Pirated software costs an estimated $12 billion annually worldwide. * "More than half of all software in existence today is lost to piracy." * An estimated 98% of the software sold in China is pirated — to the tune of 200 million copies a year; in Brazil it is 95%, in Russia 94%. Korea is at 78%, Japan at 67%, the U.S. at 35%, according to a chart attributed to Glenco Engineering, Inc. [No one seems to mention the devious opportunity for Trojan horses being added inside the pirate shrinkwrap.] [If it's a floppy, it might be a copy. If it's a disk, you're also at risk. If it's a pirate, the vendors are irate. To avoid such frustration, try: Free Software Foundation. (Not enough BurmaShavian literature anymore?)] [Considering the volume and issue, this item must be an 18.12 OVERTURE. PGN]
Just fire up Ye Olde Web Browser, and open the URL [URL withheld by Moderator's Standards. PGN]. It'll show you a curvacious, scantily-clad female member of our species, ask you for your phone number (including area code), and then a female with a sexy voice will call you right back and say, um, "things" (ahem), to you. Yes, that's right, a call-back phone-sex system on the Web. But of course, it doesn't take much imagination to realize you don't have to type in *your* phone number. How about your boss's? Or his wife? Or your not-so-favourite right-wing member of parliament/congress? This could be one of the best ways to get 'net censorship going: have these sexy voices call up a random, powerful right-wing politician. This is just a variation of the old "order a large pizza with all the toppings to the house across the street" trick we loved to do as teenagers. Except the risks are potentially more dangerous.
I discovered an unexpected condition when attempting to do some printing of a document created on the Macintosh, in that the character code using ASCII 217 in the Geneva font does not appear onscreen the same way depending on what size it is. I suspect this is an issue with other characters and character sets. I know there is a feature to select a certain character, usually a "box" to display in place of characters not defined for a certain font, in order to show that something is there, not merely either a blank or nothing at all. Since I would expect that to be consistent, that is acceptable, and in fact, much more desirable behavior, e.g. if the character is undefined in a particular character set, a square is printed, to show that the character is unprintable (undefined) in that set. But *this* behavior is both unexpected and undesirable. What I discovered is that a character in a specific font on the Macintosh can be "amorphic", in that it can be a different appearance depending on whether it is printed or displayed on screen, and depending on what size it is displayed at. Now, I'm not talking about the difference between the appearance of, for example, the letter "S" when shown onscreen and when printed with a 9-pin dot-matrix printer and the appearance when printed with a 300dpi laser or inkjet. No, I'm talking about selecting, say, an character containing the image of a Star of David, and printing out a Hammer and Sickle! Some characters on some sets produce some interesting effects, including such symbols as the entire Zodiac; various stars, both circled and squared, white and black; arrows going in 8 directions, various other symbols such as icons of telephones, scissors, greek and mathematical symbols, and many others. These symbols can be useful for various enhancements to a document. For example, one could print a coupon, and use the scissor symbol on the dotted line with the words "Cut Here" to make a much nicer looking image. But when displaying some sets, what you see isn't always what you get! Here is an exact explanation of what I did and what I discovered: I created a macro using the Word Basic programming language that is included as a part of Microsoft Word for the Macintosh. This macro created every character in the Ascii set from 0 to 255. I deleted all the nonprinting characters (0-31), and left the rest that did show. I changed the default font, which happens to be Times, to various fonts in the collection we have for the purpose of creating a display of all the different symbols and special effects characters such as arrows, borders, and indicators such as superscript and subscript characters. In one case, When I changed the font Geneva from 12 to 20 point, I noticed something odd. The character I later determined to be ASCII 217, in Geneva 12 point, appeared as an image of a rabbit. In 20 point, however, that character metamorphicized into the image of a Macintosh computer! It gets more interesting. I tried the different font sizes available, and this is what I saw: Point Character 8 Upper Case Y with two dots above 9 Image of a sheep 10 Image of a Macintosh 11 Upper Case Y with two dots above 12 Image of a rabbit 14 Image of a dog 16 Upper Case Y with two dots above 18 Image of a sheep 20 Image of a Macintosh 22 Upper Case Y with two dots above 24 Image of a rabbit 26,28,36,48,72 Upper Case Y with two dots above The behavior appears to be consistent; the "special" images reappear at the doubling of the character (except the "dog"). What is notable about this is that when the character set is printed out on an Apple color inkjet printer, what does appear - at the appropriate 8 to 72 point size as is used - is the specific character, the upper case Y with two dots above. (I can't yet remember the exact name for that mark, I think it is called an umlaut.) As for the risks, the example I gave above is pretty clear. (Oh yes, the Star of David and the Hammer and Sickle are available, but fortunately they are different characters in different fonts!) I am reporting this because I believe that if it happens in one font it can happen in others. Consider a font designed so that the $ appears as the British pound sterling when printed, or the #, and it could cause misunderstandings, perhaps even legal problems. Especially if - and it is possible - the printed output, having been checked several times in previous revisions, is merely given a cursory glance when reprinted using a slightly larger font. It is well understood that Postscript is a programming language, and with all the risks and benefits that implies. But font files may or may not be, depending on the system or the application, and that opens up a whole new can of worms. Unexpected behavior in a rarely-used symbol is, in-and-of-itself not a big deal. But in other contexts it could be, and thus I considered the issue to be worth reporting. Paul Robinson, General Manager, Tansin A. Darcos & Company/TDR, Inc. [I am curious about the upper-case Y-umlaut. German, Turkish, and Swedish (for example) use umlauts (as does English, for diaeresis), but I have *never* seen an upper-case Y-umlaut. I have seen Dutch names (Edsger Dijkstra's, for example) in handwritten Dutch appear with the i and j run together as if they formed a "y", with the dots over the i and j appearing as a y-umlaut (in lower case only). Perhaps this is one of the Power(book) Morphin' Dangers? PGN]
I ran into an interesting risk recently. A computer is located where it is hard to gain physical access. This computer some times needs reseting. To this end a system to remotely turn the power off and back on was installed. Recently it was decided that this computer must operate in the case of a power failure. As a result a UPS was installed. You guessed it, we now can't remotely reset the computer. Ray Todd Stevens Senior Consultant Stevens Services R.R. # 14 Box 685 Bedford, IN 47421 (812) 279-9394 Raytodd@tima.com
As part of the aftermath of the ValuJet Florida crash, the FAA announced that they will be scrutinizing all of ValuJet's procedures, including flying inspectors in the cockpit to watch the crew at work. Exactly what they expect to find doing this is cloudy to me, given the `observer effect'. It's axiomatic that the crew will behave differently with an inspector peering over their shoulder. The RISK is that the FAA will waste a lot of time and energy looking at something that won't give them useful information. Perhaps it's time for video cameras in the cockpit? Phil Reed Libbey Inc reedpc@libbey.com
I seem to recall hearing a CBC Radio report on a similar situation developing in Germany in, if memory serves, January of this year. The target which they were attempting to quash was hate literature. Surprisingly (because I'm Canadian), the report mentioned that most of the hate literature on the Internet originates in Canada. (This begs the question of the source and reliability of this statistic.) As I remember it, the German government was taking issue with this material, and figured (similar to the case in France) that the best approach was to hold the ISPs legally accountable. The reaction on the part of the ISPs was to cut off any newsgroup deemed to be inappropriate. What surprises me is that nobody is fingering the telcos using the same slippery-slope arguments, ie, providing the hardware and the bandwidth. Perhaps someone with a better recollection of events than I could give this story better clarity. Jim Carroll <pjcarrol@ca.oracle.com> Principal Consultant, Core Consulting Oracle Corporation Canada Inc.
There have been similar reports to this from various places for some time. However, one extra detail did catch my interest; France Telecom (the French state-owned telephone service) recently launched its own Internet access service under the name 'Wanadoo'. I wonder if it will also withdraw from providing the News.
A discussion of the Rogers report from the perspective of organizational psychology can be found in Chris Argyris, _Overcoming Organizational Defences_ (Allyn & Bacon, 1990). Inter alia, he says ".. the Rogers Commission unwittingly strengthened the organizational routines that caused the problems in the first place." I would commend Argyris' book to anyone seeking to understand the attitudes that underly many of the RISKS discussed in this forum. Michael Wild <mwild@iee.org>, <michael@kyrie.demon.co.uk>
>Nowhere in this volume could I find a reference to the numerical odds >of a shuttle accident. A lot of what Feynman's personal conclusions are not in the volumes. Perhaps you remember the minor flap about Feynman's addition of a separate appendix. However, Feynman did publish several other accounts (and some video interviews) discussing these issues, including the probability of failure. I don't remember the exact reference source but some places to look are: 1) Feynmen's "So what do you care what other people think?" (or some similar title). 2) A Cover story article in Physics Today soon after the report was issued. Both of these are good reads in and of themselves as well as being excellent supplementary sources on the Challenger episode. Feynman's role on the Roger's commission raises another issue that is worthy of discussion here. Do we help or exacerbate risks with our methods of ex-post facto accident investigations (Challenger, air-crashes, Exxon Valdez, ...) ? Feynman seemed to feel that some very important issues about the management structure at NASA were not included in the Roger's report and that consequently were not being addressed. This does not include items in the report that have not been vigorously pursued (a debatable proposition in and of itself). Do investigations reveal problems and fix them or do they simply serve to identify scapegoats? What's more, how do we define investigation ground rules to favor the former over the latter? These are the critical questions to ask in order to reduce the probability of another challenger John W. Cobb, Off. Computing&Network Management, Oak Ridge National Laboratory MS-6486 Oak Ridge, TN 37831-6486 1-423.576.5439 cobbjw@ornl.gov
[Sent to RISKS via Stanton McCandlish <mech@eff.org>. RISKS generally eschews such postings. However, this one may have broad appeal to readers in the U.S., and far-reaching implications. PGN] Re: Getting Copies of "Discussion Drafts" of Med Privacy Bill Online This is a sign-on letter to Senators Kassebaum and Warner, asking that the Senate make copies of its "discussion drafts" of S. 1360, the Medical Records Confidentiality Act, on the Internet. The discussion drafts reflect the current versions of the controversial legislation, after negotiations between various Senators and lobbyists. Currently these drafts are only distributed in paper, and are mostly available to Washington DC lobbyists. Senator Kassebaum controls access to the discussion drafts, and Senator Warner is in charge of Senate rules on topics such as public access to Senate documents. The letter has been signed by Gary Ruskin, Director of the Congressional Accountability Project, Lori Fena, Director of the Electronic Frontier Foundation, James Love, Director of Consumer Project on Technology, and Jim Warren, a well known computer journalist and information activist. To add your name, send a note to Gary Ruskin at gary@essential.org. The letter follows: Senator Nancy Kassebaum, Chair Committee on Labor and Human Resources 428 Dirksen Senate Office Bldg Washington, DC 20510-6300 Senator John Warner, Chair Committee on Rules and Administration 305 Russell Senate Office Bldg Washington, DC 20510-6325 Dear Senators Kassebaum and Warner: We are writing to express the frustrations of many American citizens who cannot effectively monitor the actions of the U.S. Congress, because the Senate does not give ordinary citizens the same access to key legislative documents that it gives to interest groups that can afford full time lobbyists. Our immediate concern is the refusal of the Senate Labor Committee to provide online access to a series of discussion drafts of S. 1360, the Medical Records Confidentiality Act. This controversial legislation seeks to pre-empt state laws in favor of a federal system regulating access to personal medical records. The legislation is controversial and complex and the stake holders are many. Privacy and consumer groups say the legislation provides too much access and too little privacy, while industry groups are pressing for even easier access to identified medical records. The legislation was introduced last October. Beginning in April, the Committee on Labor and Human Resources has prepared several "discussion drafts" for a new chairman's mark. These drafts have been given to lobbyists, but the Committee staff has refused to make the text of the drafts available on the Internet where they would be readily available to the general public. As a consequence, as Equifax, IBM, Dun & Bradstreet, TRW, Blue Cross, Aetna, and other groups with full-time lobbyists read each and every new discussion draft, the general public mistakenly believes the October 24, 1995 version of the bill represents the relevant text of the legislation. Why keep the discussion drafts from the general public? The bill is very long, and it is costly and difficult to distribute the bill in the paper formats. Most citizens don't have any way of even knowing that the various discussion drafts even exist. With efforts to push for a rapid mark-up on S. 1360 it seems urgent to resolve this issue soon. More generally, however, the Senate should adopt new rules about access to the various types of "unofficial" drafts of bills, including committee prints, managers amendments, chairman's marks, and widely disseminated discussion drafts, which are the real stuff of the legislative process. The text of these important documents should be placed on the Internet for the benefit of the general public, as soon as they are made available to Washington lobbyists. Sincerely, Gray Ruskin, Director, Congressional Accountability Project (Member, Advisory Committee, Congressional Internet Caucus) gary@essential.org Lori Fena, Director, Electronic Frontier Foundation, lori@eff.org James Love, Director, Consumer Project on Technology, love@tap.org Jim Warren, tech-policy columnist and open-government advocate Government Technology Magazine, MicroTimes Magazine, etc. 345 Swett Rd., Woodside CA 94062; voice/415-851-7075 jwarren@well.com To add your name to this letter, send a note to Gary Ruskin. His contact info is: Gary Ruskin gary@essential.org 202/296-2787; fax: 202/833-2406 James Love, Center for Study of Responsive Law, P.O. Box 19367, Washington DC 20036 202/387-8030 Consumer Project on Technology; love@tap.org with webpages.
[Starkly abridged by PGN] The SEI Software Engineering Symposium Achieving Maturity Through Technology Adoption September 9 - 12, 1996 David L. Lawrence Convention Center Pittsburgh, Pennsylvania The SEI Software Engineering Symposium is an annual event hosted by the SEI to provide an opportunity for people to learn about practical solutions to software-related problems and the role of the SEI in assisting the development and adoption of those solutions. The primary goal of the symposium is to provide a forum to facilitate communication among the various sectors of the software engineering community and to help participants build collaborative relationships based on their shared interests. The format of the symposium will include plenary sessions, tutorials, panel discussions, presentations, and birds-of-a-feather sessions on topics that fall within three broad topic areas that promise significant sustained impacts on the state of the practice in the coming decade. Topic 1: Trustworthy Systems: Security, Reliability, Safety As computer-intensive systems grow in scope, and as their information bases grow ever richer, the users have corresponding concerns and increased needs for confidence in these systems. Continued successful use of such systems requires a high degree of reliability and security from harmful intrusions. Presentations in this topic area will address aspects of systems that lead them to be considered trustworthy or not. Such presentations will include descriptions of systems specifically called "trustworthy systems," but will also includes such related topics as system vulnerability, system reliability, and information warfare. Topic 2: Engineering of Software-Intensive Systems In recent years, primary concepts of program design and program construction have been influenced and even overturned by developments in such domains as software reuse, by research in such topics as software architectures, and by methodologies such as object-oriented construction. As these developments mature and become ubiquitous, an emerging common thread is the notion of composition of systems; this notion underlies technologies such as architecture design languages as well as new system-oriented approaches such as open systems. Presentations in this topic area will describe a number of these developments, such as recent work in patterned architectures, integration of heterogeneous commercial tools, and program understanding. Topic 3: New Dimensions in Process and Risk The Capability Maturity Model(SM) (CMMSM) has become the most widely used basis for achieving process improvement in software engineering, and it has provided a framework for the development of a number of other maturity models for improvement efforts within other domains. With the forthcoming release of the CMM Version 2.0, this vital aspect of software engineering enters a new phase. New developments, such as integration of measurement technologies with the CMM, as well as extension of the model toward risk assessment, risk management, and Personal Software Process (PSP), are extending the domain of process improvement enormously. Presenters in this topic area will consider practical and theoretical issues related to the CMM (e.g., CMM integration), results of industrial-scale process improvement efforts, and issues surrounding process-related technologies (e.g., current capabilities in process enactment engines). Plenary Sessions: Six keynote speakers representing the views of industry and government will provide different yet complementary perspectives on current concerns as well as issues forming just over the horizon. Invited speakers include representatives from government and industry. A view from DARPA, where tomorrow's technology is being explored today, will highlight a number of important issues in software assurance. Speakers from the Department of Defense will address ways in which information is becoming increasingly important both as an asset and as a potential threat. Industrial perspectives on the trials and successes in day-to-day practice will fill out the picture of the relationships among these various sectors as we approach the millennium, and how those relationships are changing with the times. Who should attend? To address the broad set of concerns represented by the software engineering community, presentations will cover topics of interest to people with differing levels of knowledge and technical expertise. A range of topical sessions will be offered to discuss issues of concern to senior managers, senior technical staff, and practitioners. The structure of the technical program will focus on 1. fundamentals of a technology area for those new to the technology or those who need to brush up on key concepts and developments 2. state-of-the-art or state-of-the-practice discussions to outline the best industrial practices and the ways in which they improve the baseline on practices 3. experience reports detailing the results of using particular technologies or approaches to improvement 4. management issues and answers to some of the fundamental questions that determine if and when to adopt a technology, such as return on investment or other business-case analyses 5. transition plans for key technologies that are deemed "close to ready" for transition into routine use and that offer nontrivial, measurable improvements to adopters Tutorials, Monday, September 9, 1996 ____ Personal Software Process ____ Identifying Success Strategies for Software Process Automation ____ Planning the Cultural Dimensions of Improvement ____ Comprehensive Risk Management ____ How to Deploy Software Process Improvement ____ FODA for Pragmatists ____ Legacy System Reengineering ____ Goal-Driven Software Measurement Plenary sessions, panel discussions, and presentations, are offered Tuesday, September 10 through Thursday, September 12. CMM and Capability Maturity Model are service marks of Carnegie Mellon University. The SEI is a federally funded research and development center sponsored by the U.S. Department of Defense, and operated by CMU. Contact Information Events Software Engineering Institute Carnegie Mellon University Pittsburgh, Pennsylvania 15213-3890 FAX 412 / 268-7401 Internet: registration@sei.cmu.edu [And look for their web page for details. Carol did not give a URL, but many readers object to URLs as not meaningful in the fullness of time anyway — and besides, preannouncements are of less interest in the long run. PGN]
Please report problems with the web pages to the maintainer