Please visit the LangaList Home Page

Please Note: Archived information (e.g. below) may become out of date.


How To Subscribe and Unsubscribe is at the end of this note.
Mailing List Trouble? See http://www.langa.com/help.txt
Want an easier-to-read formatted HTML version? See http://www.langa.com/whats_new.htm

Please email the LangaList to a friend! (Use this super-fast form!)

The LangaList

31-Jan-99

A Free Email Newsletter from Fred Langa About BrowserTune,
HotSpots, Columns, Tips & Tricks, and Other Activities

 

In This Issue:
A Quick Reader Poll: Please Vote!
Cookie Monster, Part II
Big Brother Inside?
Thanks Again!
"Remote Explorer" Virus
Stability Vs. Complexity
BrowserTune 2000
Another No-Reformat option
High-Speed Surfing
Just For Grins
More!

 

Quick Poll!

In recent weeks, I've tried two different approaches to the free weekly LangaList---a full-text version (where you get everything in the email); and a shorter email version that includes links to the full text, which resides on this site.

The advantage of the long version is that it's all there in one piece. The disadvantage is that it makes the email long---sometimes very long. It also costs me more money to send you the issue.

The advantage of the short version is that the email downloads fast and is much easier to skim. The disadvantage is that it requires a second action---going to a web page---to view the full text of items that interest you.

On balance, which approach do you prefer? Vote for the LONG version by sending any email to LONG@langa.com; vote for the SHORT version by sending any email to SHORT@langa.com.

Thanks!

Cookie Monster Redux

I got a lot of email last week about my notes on Cookies, and many, many of you visited the BrowserTune cookie test pages (http://www.browsertune.com/bt98/cookie.htm) to learn more.

Many readers were concerned about cookies tracking where you've been. No one can go in and gather up all your cookies to see where you've been. That's a common misconception. Generally, cookies can only be read by the site that creates them. There is one documented JavaScript bug in which a malicious site owner can deliberately create a cookie that can be read by a second site IF that site knows the cookie's exact name. I'm not sure how this could be used against anyone, because the person who created the readable cookie would somehow have to communicate its name to the owner of the second site. And besides, cookies cannot sniff out any private information about you or your system.
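
The scoping rule described above, worked through as an added example (not code from this newsletter or from the BrowserTune pages): a simplified model of how a browser decides which stored cookies go to which site. It goes a little beyond the text by using the domain and path matching later standardized in RFC 6265; the host names, cookie names and function names are constructed for illustration.

```javascript
// Added example: simplified cookie scoping (domain-match and path-match as
// later standardized in RFC 6265). Hosts and cookie names are constructed.

// A host matches a cookie domain if it is identical to it or is a subdomain.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  if (h === d) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");
  return !isIp && h.endsWith("." + d);
}

// "/account" covers "/account" and "/account/x", but not "/accounting".
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Storing: a response may only set cookies for its own host or a parent
// domain. Real browsers also refuse public suffixes like "com" (omitted).
function acceptSetCookie(jar, originHost, cookie) {
  const domain = (cookie.domain || originHost).toLowerCase().replace(/^\./, "");
  if (!domainMatch(originHost, domain)) return false; // foreign domain
  jar.push({ name: cookie.name, domain, hostOnly: !cookie.domain,
             path: cookie.path || "/" });
  return true;
}

// Sending: names of the cookies the browser attaches to a request.
function cookiesFor(jar, host, path) {
  const h = host.toLowerCase();
  return jar
    .filter((c) => (c.hostOnly ? h === c.domain : domainMatch(h, c.domain)))
    .filter((c) => pathMatch(path, c.path))
    .map((c) => c.name);
}

// Constructed browsing session: two unrelated sites set cookies.
function demoJar() {
  const jar = [];
  acceptSetCookie(jar, "shop.example.com", { name: "sid" });
  acceptSetCookie(jar, "shop.example.com", { name: "prefs", domain: "example.com" });
  acceptSetCookie(jar, "shop.example.com", { name: "acct", path: "/account" });
  acceptSetCookie(jar, "tracker.example.net", { name: "tid" });
  acceptSetCookie(jar, "tracker.example.net", { name: "spy", domain: "shop.example.com" });
  return jar;
}

console.log(cookiesFor(demoJar(), "tracker.example.net", "/")); // → ["tid"]
```

The second site never receives the first site's cookies, and its attempt to plant a cookie scoped to the first site's domain is refused at storage time.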

Another point of confusion: The HTTP protocol has a "document.referrer" function that remembers the last page your browser was on---i.e. where you came from to get to the current page. This information can be stored in cookies, but it has nothing to do with cookies. It's part of HTTP itself. And at most, it only remembers back one page.

Still, one reader took me to task: "You might have mentioned some of the disadvantages and the very simple steps to receive a warning and choice of [cookie] placement." However, he must have missed the reference to the BrowserTune cookie tests; those tests and the supporting pages cover all this in great depth.

In any case, if cookies scare you, the next item will really make your hair stand up:

Big Brother Inside?

It all happened pretty fast. Two weeks ago, EBN (a sister publication of WinMag) learned that Intel was planning to embed an individual serial number in each P3 and Celeron chip. The 96-bit ID can identify the user's PC to any software that asks the right way, including browsers and web site applications.

Software makers could use this number to record on what machine a software application had been installed. Web sites could access this number to allow in---or block out---people using a particular PC, even if they changed their names, ISPs or software. E-commerce sites could use it to verify that a purchaser of a product or service is really who he/she says they are. IT administrators could use this number to automatically track what's connected to a corporate network.

Some of these uses are benign, but others raise serious privacy concerns. Immediately after the announcement, various consumer watchdog groups cried foul, including the Electronic Privacy Information Center, or EPIC (http://www.epic.org/). EPIC even launched a boycott of Intel, calling it the "Big Brother Inside" campaign. (http://www.bigbrotherinside.com/)

EPIC says the processor serial number, or PSN, "…would likely be collected by many sites, indexed and accumulated in databases…. The records of many different companies could be joined without the user's knowledge or consent to provide an intrusive profile of activity on the computer. The only solution would be to change the processor or computer."

The cryptography community also had problems with the concept. CMP's EETimes reported that cryptography expert Bruce Schneier said that although Intel had worked to hide its encoding and access scheme, it wasn't enough. "There is no such thing as tamper-resistant software on a general purpose computer," Schneier said. "[A] system is only as secure as the smartest hacker. All it takes is for one person to defeat the tamper resistance. There's always someone who manages to unravel the protection. There isn't a copy-protected piece of software that hasn't been stripped of its protections and posted to hacker bulletin boards. This won't be any different."

Intel was alarmed by the harsh reaction and immediately announced a change: They said they would provide a small piece of software that will turn off the PSN feature after each boot. If a user wants the PSN feature re-enabled, they'll run a small Control Panel applet to turn it back on.

EPIC says this isn't enough because the chips will wake up with the PSN enabled, and if the turn-off software isn't properly installed, or if it doesn't run for any reason, or runs and fails, the PSN will remain enabled. What's more, the turn-off software doesn't exist yet and can't be evaluated by independent experts for its reliability or crack-resistance. EPIC says, "Because the privacy protection scheme relies on a software patch that must run each and every time that a user turns on the computer, it is susceptible to tampering by other software programs. Programs such as word processors or web browsers which must be installed onto systems could easily disable the patch in the installation process. Web-based Java applets could also be used for this purpose."

So, EPIC's boycott is still in place: They insist that Intel should disable the PSN at the hardware level where it will stay disabled until the PC owner turns it on. Starting Monday around midday (EST; GMT-5) in this week's Dialog Box on the Windows Magazine Web Site (http://content.techweb.com/winmag/), I'll tell you why I don't think Intel's gone far enough, and I'll provide you with additional information so you can make your own informed judgement.

What's your take? Is a PSN a nice convenience, or a security headache? Do you see this as no big deal, or does this turn you off to Intel? Does "Intel Inside" mean "Big Brother Inside?" Join in the discussion!

Recommendations Pouring In!

Thank you once again! Many of you continue to respond to my request that you recommend this newsletter to at least one other person via the easy-to-use, 60-second recommendation form at http://www.langa.com/recommend.htm#2.

But there's always room for more readers! If you could take just literally one minute and recommend the LangaList to just one friend, I'd really appreciate it.

Thanks!

The "Remote Explorer" or "RICHS" Virus

This got wide coverage a month or so ago, but a lot of people seem to have missed it: It's a "traditional" virus scenario in that you have to download and run an infected file. The virus then copies itself into other executable files, and spreads when they are passed around.

But this virus has a nasty twist: If you have administrator privileges on a system or LAN, this virus uses your privileges to install itself as a "service": a low-level program that runs invisibly in the background, where it can infect executable files on other machines on your network.

All the major anti-virus vendors have added this virus to their database, so just be sure you're running an updated copy of reputable anti-virus software, and you should be OK.

Also, even if you don't have AV software, remember that viruses like these can't hurt you unless you download and execute ("run") the files that contain them. If you only download files from totally trustworthy sources, you should be safe.

Stability Vs. Complexity

Last week's discussion of "The Sorry State Of Desktop Software" on the InformationWeek site led to some interesting side-discussions, as is often the case whenever there's a gathering of well-informed---and opinionated!---people such as yourselves.

One heated side discussion erupted as a result of my hypothesis that at least part of Linux's stability stems from the fact that it supports less hardware than Windows.

The most vocal participants in the discussion had two main issues with that. One, they said, is that Windows' instability (or Linux's stability) has nothing whatsoever to do with the number of supported hardware and software products.

In this week's InformationWeek column, I'll examine each of these points in turn, and show you the results of many hours of online research trying to track down exactly how many hardware devices both Linux and Windows actually support. The numbers may surprise you!

Once you've seen the column and its surprising numbers, join in the discussion starting Wednesday midday (EST; GMT-5) at http://www.informationweek.com/langaletter. Do you think Linux will one day be able to match Windows support numbers without suffering any degradation in final, delivered stability? Can Linux gain support for myriad brand-specific functions and yet avoid the bloat that's plagued Windows? Would Microsoft be smart to start paring away functions in order to improve Windows' stability? Join in!

BrowserTune 2000

The demo pages mentioned last week are almost done. Alas, a case of the flu knocked me out for a couple days, so I'm running a little behind and the pages aren't quite ready to post in public. I hope to get them done this week, but in one of life's little jokes, I've been summoned for jury duty this month. The last time I was called, I lived in New York; I lost a couple days, and then had to be on-call by telephone for the rest of the period. I have no clue how it works in New Hampshire, but I'm about to find out. 8-)

With luck and a light trial schedule, I'll be able to get the BT2K demo pages posted very soon. Stay tuned!

Another No-Reformat Reinstall Option

Reader David M. Gondek (realtor@internetwis.com) sent in this tip, which he says allows you to re-initialize an existing installation of Windows without a reformat, and without having to have access to your CD! (For example, if your boot floppy fails, or if you forgot to put DOS-mode CD drivers on it.)

"I am a former Windows 95 support tech. Most problems in Windows 95 that aren't solved by reinstalling a particular application or piece of hardware are Registry related. A trick I used that worked quite often is related to a file named system.1st located in the root directory. First, boot to a command prompt and use the attrib command to take the attributes off system.1st and then system.dat and system.da0 in the windows directory. Second, rename system.dat and system.da0 to system.xxx and system.yyy. Third, copy system.1st to the windows directory as system.dat and system.da0. Then you may need to reboot 2 or 3 times. This provides you with a clean copy of your registry and all PnP hardware should be redetected. Of course, you will then need to reinstall any software that has registry entries...i.e. any software that doesn't run after this procedure."

"This alternative is definitely worth a try if you don't have real mode CD drivers readily available and you don't have the Windows 95 setup cab files on your hard drive (which is a surprisingly large number of people)."

"These are not new ideas but I find it helps to repeat them every so often for people new to Microsoft's wondrous innovation we, not always kindly, refer to as the registry!--- David Gondek"

I haven't tried that, but it seems logical. Of course, it won't clean up unneeded files the way the "DelTree" method will (see http://content.techweb.com/winmag//library/1997/0301/analy026.htm), but it could be a good alternative. Thanks!

High-Speed Surfing

Long-time readers will remember the hassles I went through to get an ISDN line installed here when we moved in a year ago. Well, over the last few months, the line performance has been steadily dropping. It's not the ISDN connection itself, but the ISP (I use MSN because of its $49/mo unlimited ISDN deal) and the ISP's connection to the Internet---in this case UUnet. The local MSN dial-in point is often saturated, and then when you do get through, the total volume of data through the UUnet connection makes the routers there sluggish. My ISDN line---nominally 230Kbps with compression---was often slower than my 56K modem!

MSN isn't terribly expensive, but Bell Atlantic is: On top of the $49/mo to MSN, my ISDN bills to Bell Atlantic have been running well over $500/mo.

So I've just about stopped using ISDN until MSN and UUnet relieve the bottleneck, or until one of the other high-speed options becomes available.

There's a certain irony in this, because I wrote the feature "High Speed Surfing" in the current issue of WINDOWS Magazine (http://content.techweb.com/winmag//library/1999/0201/fea0053.htm). If, like me, you're looking for faster access, check out that article for an overview of the most promising alternatives to standard dialup!

Just for Grins

Reader Ryan Martinsen (Ryan@homeonthewww.com) sends this along, entitled "One of the more desirable Y2K bugs:"

Date: January 1, 2000
Subject: Vacation Pay

Dear Valued Employee:

Our records indicate that you have not used any vacation time over the past 100 year(s). As I'm sure you are aware, employees are granted 3 weeks of paid leave per year or pay in lieu of time off. One additional week is granted for every 5 years of service.

Please either take 9,400 days off work or notify our office and your next pay check will reflect payment of $8,277,432.22 which will include all pay and interest for the past 1,200 months.

Sincerely,
Automated Payroll Processing

See you next issue!

Best,
Fred
(fred@langa.com)

(P.S. Please email the LangaList to a friend! Use this super-fast form!)

An easier-to-read formatted HTML version is available in the "what's new" section of http://www.langa.com. All past LangaList issues are also available via the same link.

Administrivia:

Why are you getting this newsletter? There are only two ways to get on the list (direct email request or via the WinMag mail list signup page), so if you're getting this newsletter, your name came to me through one of those channels.

SUBSCRIBE (it's free!): Send email to subscribe-langalist@lyris.dundee.net
UNSUBSCRIBE: Send email to unsubscribe-langalist@lyris.dundee.net
LIST TROUBLE? HAVE QUESTIONS? NEED HELP? See http://www.langa.com/help.txt

This newsletter is a free service of Langa Consulting LLC and is Copyright © 1999 Langa Consulting LLC. All rights reserved.
