NEWS

Jan.-Feb 1997

Contents

STRATEGICALLY IMPORTANT NEWS *

Texas Instruments To Unveil Powerful Digital Signal Processor *

Japan's NEC Develops 4-Gigabit Memory Chip *

The U.S. Department of Defense has recommended establishing a new "information-warfare" czar in the Defense Department and an "information-warfare" center within U.S. intelligence agencies. *

Rivest think that cryptography will just be wherever you've got digital communications going on *

How Close Are We To Creating `HAL'? *

JAVA *

JDK 1.1 *

100% Pure Java Program *

Light Form of Corporate Schizophrenia ? Microsoft Is Of Two Minds On Java Adoption Road Map *

Intuit probably wishes it had never heard of ActiveX. *

Security Monitor for ActiveX *

JAVA RINGS A BELL IN COMPUTER TELEPHONY *

Several major Java IDEs are in beta for release later this year, including major offerings from Borland, Powersoft, and IBM Corp. *

ActiveX will have an impact on the future of distributed computing *

Microsoft Java Strategy *

Component Wiring metafor in Java RAD *

Code conversion *

Java wake up call for microprocessors designers *

DATA SECURITY AND COMPUTER VIRUSES *

New trend in AV software: e-mail scanners *

Java virus scanner for non-existent viruses *

New crash protection software for Windows 95: Norton CrashGuard and First Aid 97 *

INTRUSION DETECTION AND ACCESS CONTROL *

MasterCard International and IBM have teamed up with a Danish bank to demonstrate a system designed to protect credit card purchases on the Internet. *

Microsoft is using VeriSign's algorithms to authenticate software delivered over the Internet. It becomes the electronic equivalent of shrink wrap. *

Penetration into corporate systems for hire - new profitable *

business *

AOL Auto-disconnecting Absent Users *

KEY TECHNOLOGIES *

Internet Congestion *

The Internet's appealing economics outweigh its risks *

Junk e-mail and "Push Through" Technology: Nuisance Or Opportunity? *

WEB SPOOFING IS NO JOKE *

CRYPTOGRAPHY AND REVERCE ENGINEERING *

IBM introduces digital certificate, key recovery technologies *

Lotus Notes 4.0 circumvents encryption export rules *

COMPUTER CRIMES AND LAWS *

Corporate crime traditionally is an insider job *

Internal security breaches are quite costly. You better be prepared. Chevron will issue digital signatures to managers and business partners *

Former Oracle employee found guilty of perjury *

FBI target pirate BBS *

Internet is no.1 choice for foreign snoopers *

Programmer pleads guilty of defrauding AOL *

Informix sues oracle over people piracy *

America Online has shut down service in 40 cities in the former Soviet Union, primarily in Russia *

ETS *

Barnes & Noble To Go Online *

IBM offers free patent data base on WEB *

IBM Internet-related businesses will break even this year *

Intelligent indexing of scientific literature *

  

STRATEGICALLY IMPORTANT NEWS

Texas Instruments To Unveil Powerful Digital Signal Processor

Texas Instruments Inc. will start producing a new, more powerful digital signal processor chip that can process 1.6 billion instructions per second. The new chips provide about 40 times the processing power of current chips. A digital signal processor helps convert analog signals, such as telephone lines, into the digital form used by computers. It can also be used for speech recognition. Digital signal processing is the fastest-growing segment of the market for TI. It's becoming more important to translate analog and digital signals between phone lines and computers because of the growth of computer networking and the Internet.

Additional info is available from http://www.bloomberg.com

Japan's NEC Develops 4-Gigabit Memory Chip

NEC Corp. developed a 4Gbit dynamic random access memory chip and will begin shipping samples in the year 2000, the company said. The chip could store 64 copies of the complete works of William Shakespeare. NEC will spend 200 billion yen ($1.6 billion) on a factory in Japan to make the chips, aiming to begin volume production in 2002.

Some high-end computers now use 64-megabit DRAM chips. By the end of the year computer makers will put 256-megabit memory chips in some machines. (New York Times 7 Feb 97)

Additional info is available from http://www.bloomberg.com

The U.S. Department of Defense has recommended establishing a new "information-warfare" czar in the Defense Department and an "information-warfare" center within U.S. intelligence agencies.

A report released by a task force appointed by the Defense Science Board calls for

spending $580 million in R&D over the coming years, mainly in the private sector, to develop new software and hardware to provide security, such as a system for automatically tracing cracker attacks back to their source. The task force also recommends changing the laws so that the Pentagon can legally pursue and repel those who attempt to hack into DoD computer systems. A Defense Department spokesman notes that the Advanced Research Projects Agency is working on an "electronic immune system" that could detect invaders and mobilize against them. (Wall Street Journal 6 Jan 97 B2)

Rivest think that cryptography will just be wherever you've got digital communications going on

While at the Massachusetts Institute of Technology in the 1970s, Ron Rivest helped develop public/private key encryption technology. He went on to co-found RSA Data Security Inc., whose security products reside in most software products developed today. Rivest, now an MIT professor and associate director of the MIT Laboratory for Computer Science, in Cambridge, Mass., talked recently with PC Week Senior Editor Michael Moeller about where encryption technology came from and where it's going.

In his recent interview to PC Week Rivest think that encryption soon is going to be pervasive. He think that user need it whenever he/she is communicating remotely to make sure you're talking to the right party. In a next decade much of our communications will be remote, over the Internet. You may be wearing things on your person which allow you to communicate. You may have your electronic wallets and so on, too. So cryptography will just be wherever you've got digital communications going on. In terms of making it all work nicely, one of the issues that still needs to be resolved is the establishment of good certification services and public key infrastructure.

When asked about new algorithms in cryptography, Prof. Rivest replied that the most exciting work is at the higher levels, dealing with protocols and applications and trying to put together larger systems. The game with the elementary building blocks is basically over, but at the higher level [there are] key establishment and electronic payments, electronic voting, all kinds of interesting applications trying to build up a higher level of applications and getting some real functionality to the particular problem that you're trying to face. We're getting to that stage now. Microsoft has got a cryptographic API. We'll just have to see how the market responds and whether developers jump on that as a way of coming up with sort of more transportable applications using that encryptographic technology provided by the API. I think it's a bit early yet to see how that shakes out, but he is optimistic.

How Close Are We To Creating `HAL'?

Scientists around the world are celebrating the ``birth'' of the world's most famous fictional computer who, in 2001: A Space Odyssey. According to Arthur C. Clarke's novel, the actual date is January 12, 1997. The University of Illinois staff marked the date with a Cyberfest, a vast Internet party.

Clarke's tale recounts that fours years after he became operational, HAL finds a problem with the communications link between the space ship Discovery and Earth. The astronauts, Dave and Frank, can find nothing wrong with the link. They decide the fault lies with HAL and plan to close him down.

HAL has other ideas: Frank is killed during a spacewalk; Dave is trapped outside the ship. Dave demands to be let back in. ``I'm sorry, Dave, I'm afraid I can't do that,'' is HAL's chilling response. The computer's motives are not selfish-he knows that without him the Discovery cannot complete its mission of reaching Jupiter. Dave manages to get inside the emergency airlock and disconnects HAL's higher functions. The computer's fears are well-founded: Dave is left alone and the ship never returns to Earth.

In a new book, HAL's Legacy: 2001's Computer as Dream and Reality, a team of computer specialists analyze how close we are to being able to build a computer like him.

Clarke and Stanley Kubrick, who directed the film, devised a super computer , that controlled a large number of independent electronic and mechanical systems; hear and understand speech; see and recognize still and moving objects, culminating in the ability to lip-read; respond to situations with speech or actions; make plans; play games (such as chess); express emotions.

In several areas there is a progress. Now we have chess programs that can beat all but the very best players. There are speech recognition programs which can understand and decode thousands of words. Vision analysis systems which can identify the edges of static and moving objects. There are even have programs which can simulate emotions-primarily paranoia. But despite the progress of the past 30 years, we still aren't anywhere near building a computer which provides all these functions. There is something special about being a human, or being able to do human-like processes which involve talking, interpreting, planning, and foreseeing problems.

Instead computer research is moving toward machines that are "local experts". They will know a great deal about what they are supposed to know about and miserably little about anything else."

 

JAVA

 

JDK 1.1

Sun Microsystems published of the Java Developer Kit (JDK) 1.1. JDK 1.1 offers:

The biggest change is the incorporation of JavaBeans package and support classes. They offer developers a standard architecture for using complex, reusable components across all Java virtual machines.

Another key feature that developers will be interested in is the lightweight user-interface framework. The Lightweight UI Framework in the JDK 1.1 enables developers to create innovative custom Java UI components that are lightweight, partially transparent, and handled with 100 percent consistency across all Java platforms.

The Win32 version of the AWT has been "rewritten 100% from scratch" and promises to improve considerably the performance of Java apps running in Windows 95 and Windows NT. Other changes to the AWT include:

Java IDL has been decoupled from the JDK 1.1 and will be available on a slightly delayed schedule.

There are still some bugs -- and an incorrect design in one case -- regarding the new event model for the AWT and some inconsistencies across platforms. But is it worth another download.

The biggest concern is its adoption rate for network browsers. I have heard that JDK licensees have to implement the JDK 1.1 API within six months after FCS [first customer ship]. The question is whether the Netscape and Microsoft 4.0 browsers will occupy the same market that the current 3.0 browsers do. Given bigger system footprint these browsers will bring, a reasonable guess is that adoption will first occur in large offices, rather than in homes. So it is still unclear when JDK 1.1 applets can have the same general Internet coverage that those in JDK 1.0.2.

Performance on Solaris screams compared to the JDK 1.02. This makes developing high-performance server-side applications completely in Java really viable for the first time. But the really cool part is the new language features, like Beans and Reflection.

API-wise this release seems to be complete; but with the new Win32 AWT rewrite, there are still bugs. In general it looks like a pretty good release.

The release will only create applets in browsers that currently support it.

Resources

100% Pure Java Program

The 100% Pure Javatm Initiative is a marketing and technology program designed specifically for developers of Java software applications. It is intended to give developers guidance on how to write 100% Pure Java applications and to provide them with marketing support once the applications are ready for the marketplace. This initiative has already gained widespread industry support.

The program complements the efforts that JavaSoft has undertaken since 1995 to ensure that all implementations of Java maintain compatibility, including the different versions of the VM, which are now being included in the industry's major operating system software. Now, for network applications, the 100% Pure Java logo will signify to end users that this program will run anywhere that the Java Compatible logo appears.

Sun Microsystems sees this program as extremely important since it ensures that there is always a way for developers to write in Pure Java so that the multi-platform nature of Java is preserved and enhanced.

For developers, this program ensures that they will be able to write programs once, and have them run anywhere, regardless of the underlying operating system.

The program includes a broad assortment of elements which will:

A select group of ISVs who have passed the 100% Pure Java test suites and have been certified will be eligible for co-marketing funds for their products. Details of the co-marketing aspect of the 100% Pure Java Initiative will be announced at JavaOne, the Internet's largest developer conference, in April, 1997.

JavaSoft will be providing a comprehensive suite of tests that applications will have to pass in order to qualify for the 100% Pure Java logo. More details of the testing procedure as well as details of the program elements will be released during the first quarter of 1997. 100% Pure Java Developer Cookbook is available.

 

Light Form of Corporate Schizophrenia ?
Microsoft Is Of Two Minds On Java Adoption Road Map

On one hand, Microsoft is trying to convince developers to write to its proprietary ActiveX and is bad-mouthing Sun Microsystems Inc.'s stewardship of Java. On the other hand, it is supporting Sun's rival open Java technologies and standards.

Now Microsoft has developed its own version of the Abstract Windowing Toolkit, and will license Java class libraries to run on top of the toolkit. Microsoft's Application Foundation Classes will be available to developers for free to include with their Java applications. Microsoft's innovations include debugging tools, a Just-In-Time compiler and the toolkit. Microsoft's classes are supposed to ship this quarter with Microsoft's Software Developers Kit for Java, the Internet Explorer 4.0 beta, and through other channels.

Microsoft expects that these classes will permit creating commercial applications that are smaller and faster than using technology from JavaSoft or Netscape. Microsoft has included widgets such as toolbars and said the classes are cross-platform and "fully compatible" with the programming model for Sun's own Abstract Windowing Toolkit. They run on top of all Abstract Windowing Toolkits.

JavaSoft has no plans to license the classes but Microsoft is welcome to apply for the 100 Percent Pure Java brand when the tests are ready in about two months.

Those who spent a lot of time working with Microsoft Foundation Classes usually understand that MFC was inferior in design to a number of other third-party libraries. But because MFC was a Microsoft product everybody used it, and developers spent many years working in C++ with mediocre libraries.

"It seems that there are multiple camps inside Microsoft," said one prominent Java developer. "Java, the Application Foundation Classes and a Microsoft Virtual Machine on multiple platforms finally provides a credible, uncomplicated portability story for ActiveX. Some inside Microsoft see that as the eventual goal. But the Java team inside Microsoft genuinely believes that they will continue to be compatible with the standard Java as defined by Sun," the developer said.

JavaSoft in April will make the JavaOS, including the Java Virtual Machine and HotJava Views -- its JavaStation interface -- available for 486-based machines, turning them into competitors to NetPCs

Although distribution and pricing are not set, a JavaOS-DOS solution will come at a fraction of the cost of the NetPC and Sun Microsystems' own JavaStation, JavaSoft President Alan Baratz said.

"You can still access all your old Windows files and applications-- none of that disappears," Baratz said. We're just taking over your microprocessor and running the JavaOS. You get E-mail, browsing, calendaring, all the things you need in a Net-centric environment. We're not Java all the way down to the metal, but you can easily replace Windows 3.1 with the JavaOS.

"Windows is not designed to pull its functions off the network, and that's the difference between a stand-alone operating environment and a networked one like Java," Baratz said.

The idea for the JavaOS-DOS solution, initially called "Project Rescue" by JavaSoft, came from Bill Raduchel, Sun's chief information officer, according to Baratz. Raduchel urged JavaSoft to provide an easy upgrade path to the JavaStation while allowing corporations to recycle their old hardware.

Baratz also called on Microsoft to put Windows into a standards body. "That's essentially what they've asked us to do with Java. They haven't even turned over all of ActiveX -- just some very low-level communications protocols," Baratz said. "If developers even want to cut and paste or drag and drop, they have to use the Microsoft event model, which is proprietary. It's just one more gimmick to hook people back on proprietary technology and platforms."

Baratz said JavaSoft handles Java the way a standards body would -- publishing the spec, asking for developer feedback, incorporating changes.

But Baratz said JavaSoft and the International Standards Organization have made the process formal, and will make an announcement to that effect in a few days. Additional info is available in href=http://techweb.cmp.com/corporate/current/.

http://www.intuit.com/Intuit probably wishes it had never heard of ActiveX.

The company is now in damage control mode after reports that German hackers used an ActiveX control to make unauthorized bank transfers with Intuit's Quicken financial software. Intuit issued recommendations for a "simple, common-sense approach" to safe Net surfing, going so far as to suggest that fidgety users stop using ActiveX controls entirely.

"Customers who are concerned about the safety of ActiveX controls should consider disabling the ActiveX capability in their browser or using a browser such as Netscape Navigator which does not support ActiveX," Intuit said in a statement.

As previously reported by CNET, the German hackers known as the Chaos Computer Club, created an ActiveX control that is able to snatch money from one bank account and deposit it into another without having to enter the personal identification number. Chaos demonstrated the ActiveX control on German national television in late January.

The U.S. version of Quicken is not susceptible to hacker attacks that involve stealing money from one account and depositing it into an unauthorized account--the attack that the Chaos hackers simulated. Users in the U.S. can only use Quicken to transfer money between "pre-authorized" accounts, such as a user's checking and savings account.

Intuit said today that it will introduce a new German version of Quicken that encrypts the program's data files, a move that will make it less susceptible to hacking.

Nevertheless, the incident underscores something that Microsoft, and computer security experts have known for some time: ActiveX is not secure.

While Java applets are prevented from performing certain tasks such as erasing files from a user's hard disk, ActiveX controls--small Internet programs that work mainly through the Internet Explorer browser--are able to do virtually anything on a user's computer that a programmer can dream up, including installing a destructive virus.

Instead of the "sandbox" model that cordons off Java applets from other applications, Microsoft has created an "accountability" security system called Authenticode. The system allows software publishers to stamp their controls with a digital signature. If a control does something bad to a user's computer, the publisher can then be tracked down and prosecuted. In other words, the Authenticode system does not protect against malicious code; it simply makes it easier to find out who wrote it.

But if the programmer wants to hide, Authenticode offers little protection. And it's easy for users to unwittingly accept an unsigned ActiveX control if they get lazy or frustrated by the Authenticode warning window. The Chaos club's ActiveX control, for example, is not signed. Once it is accepted by an Internet Explorer user, the program is free to do its work.

"What this incident tell us is you cannot take candy from strangers," said Cornelius Willis, group product manager at Microsoft. "The thing I'm hoping users get out of this is that they should not be running any executable code that is anonymous."

Intuit today issued their own warning that users should heed their browser when it warns of ActiveX controls and other software that are not digitally signed.

"Intuit takes great precautions to help guard the safety of customers' financial information in Quicken," said Intuit senior vice president Eric Dunn in statement. "These measures, together with users' common sense precautions against using unknown ActiveX controls or other downloaded software, provide a high level of security

Security Monitor for ActiveX

Israel company Finjan Software Ltd. is preparing to introduce an application to limit dangers posed by executable code including Java applets and ActiveX controls.

SurfinGate 1.0 is similar to antivirus software in that it checks Web-based executables for any problems that could wreak havoc on a company's LAN. The software sits next to a firewall or gateway, where it scans and analyzes applets and ActiveX controls. It then digitally signs executables deemed safe by the software's scanning engine and creates profiles of each applet.

Those profiles are checked against user-defined security policies before the applets are al-lowed onto the network, according to officials with Finjan, an Israeli startup.

The software runs on Windows NT and Unix and is priced at $1,250 for 10 licenses, or $18,950 for unlimited usage.

Finjan also offers $49 SurfinShield client software, which sits at the desktop and checks Java applets as they are downloaded from the Internet. Later this quarter, SurfinShield will monitor ActiveX controls as well.

Although Java has built-in security mechanisms, it's easy to create holes in the code, says Lior Arussey, VP of sales and marketing at Finjan. SurfinGate acts as "a 24-hour guard" that augments the security controls in Java, he said.

Applets that have been tampered with, for example, can freeze a user's screen or scramble the hard drive. Infected applets can also "suck up CPU cycles until the user's machine crawls," says Michael Zboray, a VP at Gartner Group Inc., an IT advisory firm in Stamford, Conn.

"With Java applets and ActiveX controls, these are moving items, or executable items, and you never know what they will do to your computer," Arussey said. Without monitoring or security checks, "you can expose yourself to items that are hostile to your environment."

Few security tools now available specifically check Web-based executables, said Charles Cresson Wood, a consultant at Baseline Software Inc., an information security consulting firm in Sausalito, Calif. "This is just starting to show up in more progressive firewalls, and the capability is not available in most."

Web-based executables are expected to be key elements of electronic commerce, Wood said. "We need them in order to conduct business on the Internet. Java applets and ActiveX controls will play a major role in things like automating electronic orders of products."

But Wood noted that, without security tools such as SurfinGate, companies are forced to restrict access to executables. "Many organizations are taking a very conservative stance and blocking them altogether," he said.

Using SurfinGate's security management console, network administrators can set levels of access. Policies can be defined to determine which business groups or departments are granted access to which resources at what times.

Java rings a bell in computer telephony

Several companies plan to unveil products that should boost computer telephony, based on the new Java Telephony API (JTAPI), at next week�s CT Expo in Los Angeles. "The beauty of JTAPI is that runs on multiple platforms and environments," says an industry consultant. Lucent Technologies will introduce its PassageWay software, an applications development tool that links to any telephone system and Sun Microsystems will debut a development kit called JavaTel that allows users to build telephony functions, such as call control and routing, into Java-based applications. A recent survey by Sage Research showed that only 13% of companies currently are using computer telephony, but fully half plan to use it within the next two years. (Communications Week Interactive 28 Feb 97)

Several major Java IDEs are in beta for release later this year, including major offerings from Borland, Powersoft, and IBM Corp.

 

Most upgrades will incorporating significant database RAD support into Java.

In the current standings, however, Symantec's Visual Cafe takes top honors. Microsoft's Visual J++ is also a very strong contender, but less so if your development needs require lots of intricate user-interface design. Finally, we found SunSoft's Java WorkShop intriguing and fully expect it to become a dominant force in this market. However, for now we'd suggest waiting for the next upgrade.

ActiveX will have an impact on the future of distributed computing

In the anti-ActiveX camp, you hear Microsoft is using ActiveX to "take over" the Internet, making the net as Windows-centric as today's desktops. Furthermore, they say Microsoft's promise to make ActiveX an open, cross-platform, and cross-browser product is full of air. And to top it all, ActiveX also is being branded a Trojan horse that can sneak harmful code onto your system and wipe out your hard drive in the blink of an eye. A recent column on HotWired's Packet site sums up the fear and loathing succinctly: "Microsoft's ActiveX technology is the single greatest technological threat to the future of the World Wide Web," wrote columnist Simson Garfinkel.

The pro-ActiveX camp tries to cool the heat surrounding ActiveX, stating it's the most advanced component software platform around, based on five-plus years of work at Microsoft. They say thousands of developers already have created countless ActiveX programs, called controls, that can jump-start active Internet content, and that the ActiveX platform uses state-of-the-art digital authentication to add a level of security missing from the shareware and freeware software now ubiquitous on the Web.

Even for those without a political stake in the ground, it's not always clear exactly where ActiveX fits in the Internet landscape

The middle ground should be based on the Internet and corporate intranets are quickly moving away from their roots as delivery platforms for relatively static HTML content toward active, live content. And ActiveX-currently in a period of rapid development and great flux-looks certain to play a major role.

ActiveX officially arrived on the scene in December 1995, announced for the first time from the stage at Microsoft's now-famous "embrace-and-extend" Internet "D-Day" in Seattle. But the technology has deep roots.

ActiveX is based on two core Microsoft development technologies: OLE (Object Linking and Embedding) and COM (Component Object Model). While even Microsoft in some of its documentation calls ActiveX just a new name for OLE controls, there is a difference.

OLE controls are focused on integrating desktop applications, and while they technically can be used as ActiveX controls on a Web site, they're typically too large to be downloaded over the Internet. To help speed the delivery of controls, Microsoft streamlined and simplified the definition of ActiveX to optimize delivery of controls over networks, especially over the relatively low bandwidths of today's Internet.

Active Web sites can include a variety of multimedia effects, enhanced page layouts, and executable applications, all of which are downloaded and run in real-time over the Internet. ActiveX coexists with and complements the core technologies of today's Web, including HTML, plug-ins, Java, and more. Perhaps most important, ActiveX is a fairly mature technology.

In its latest incarnation-and with all the latest jargon to go along with it-ActiveX consists of five elements spanning both the client and server:

ActiveX is part of the larger Active Platform, the still-evolving end-goal of Microsoft's Internet vision. With the Active Platform, Microsoft swallows up such "open" Internet technologies as TCP/IP, HTML, and Java, and marries them to its legacy desktop technologies to create a new network-centric development environment that does Windows extremely well, but promises not to ignore other operating systems and hardware, too.

The Active Platform-which encompasses Microsoft's Active Desktop, Active Server, and ActiveX technologies-already has begun to appear in pieces, and will come together on the desktop with the upcoming OS-integrated releases of Internet Explorer 4.0 and 5.0, both expected in some form this year.

To fuel the Active Platform's cross-platform goals, Microsoft recently began the process of moving control of core ActiveX technologies to a third party, The Open Group. In addition, Microsoft is working with Metrowerks Inc. and Macromedia Inc. to support ActiveX on the Macintosh platform (an early version of the ActiveX SDK for the Mac is available now). Microsoft also is working with Bristol Technology Inc. and Mainsoft Corp. to support it on Unix platforms. It remains to be seen, however, how successful and popular these non-Windows implementations of ActiveX will be.

Indeed, it will likely be the platform issue that dogs Microsoft and ActiveX the most. While Microsoft owns the PC user desktop with its Windows operating system, the dynamics of content and applications development are somewhat different on the Internet, where new technologies simply are not adopted if they're not broadly supported on the client side.

What does ActiveX do for Web surfers? The most important thing is that it makes active content a much more seamless part of the Web than existing technologies, notably Netscape plug-ins. While plug-ins disrupt the Web experience by forcing users to download the .exe file, run the install program, and at times restart their computers, ActiveX controls (once they're accepted by users for download) are automatically installed in the background and are ready to be used immediately. Unlike Java applets, however, ActiveX controls are "persistent." The one disruption in this process is the Authenticode code-signing security process, which we'll discuss in more detail later. Once they're downloaded, the controls remain on users' hard drives and are always available to be used.

In rough terms, Web surfers will encounter two main types of ActiveX controls. The first type, which can best be described as a plug-in replacement, serves as an integrated media or content play-back engine. Users download the control and then are able to experience media types not natively supported within the browser, including audio, video, and chat. Most of the major Netscape plug-in vendors have by now released ActiveX control support with their products as well, including Adobe Systems Inc.'s Acrobat, Progressive Networks' RealAudio, and VDONet Corp.'s VDOLive.

The second major type of ActiveX control found on the Web affects the layout of Web pages. Active buttons, scrolling billboards, enhanced layout, drop menus, and much more are possible with ActiveX and help produce much-improved Web user interfaces. As a Web surfer, the installation of such controls is fairly seamless because they're small and quick to download. Internet Explorer 3.0 also comes with a small set of pre-installed controls-including Chart, Label, Preloader, and Timer-that Web authors can take advantage of right away.

The big issue for ActiveX from a user's perspective is security. It's here that ActiveX and Java differences are most pronounced. Java applets run within the Java Virtual Machine, a so-called "sandbox" that keeps the downloaded Java byte code from reaching other parts of your system. ActiveX doesn't use such an approach. ActiveX controls can access your hard drive and various system services, thus making it possible for a developer to release a control that by design could damage your system (see "ActiveX Danger?," facing page). Less ominously, but no less harmful, a developer could develop a buggy control that could inadvertently do some harm.

Advocates of ActiveX argue that only by letting downloaded software objects have access outside the sandbox, or by letting it interact with objects on other distributed servers, do you get really interesting Internet content-another thing Java in its early days doesn't allow. For instance, a game score or spreadsheet calculation can be written directly to applications on your hard drive. The trade-off is power vs. security. Indeed, most Java developers, as much as they give lip service to the importance of the sandbox, also say they feel constrained by the airtight Java security model.

Microsoft's answer to the inherent security problems with ActiveX has been to introduce a rather rigorous program of signed digital authentication of ActiveX controls, called Authenticode. While digital authentication provides probably a greater level of security than today's shrink-wrapped software, there's no way it can ensure that downloaded code is not buggy or in other ways harmful. Microsoft recommends that users download code from vendors they trust, and says makers of bad code will get singled out and blackballed. So in the end it's caveat emptor-buyer beware and good luck chasing down that control developer if a problem ever occurs.

Given its relatively small (but growing) market share and security concerns, ActiveX as an end-user technology has had a somewhat bumpy run in its early days on the Web. But the future looks brighter. Indeed, because Internet Explorer 3.0 has proved itself a viable alternative feature-for-feature to Netscape's Navigator, IE's ActiveX support, especially support for self-installing media controls, may make Internet Explorer the browser to beat on 32-bit Windows platforms-particularly for users who feel comfortable with digitally signed code.

For webmasters who've already dabbled with Java applets, the basic concepts behind adding ActiveX to a Web page are very similar. But there are some new tricks to learn-and some new tools that will help you-before you can become fully adept with ActiveX.

The first thing webmasters need to do is find the controls they want to use. Like Java, ActiveX is not for the faint of heart. Don't plan on writing ActiveX controls if you're not a programmer, or at the very least conversant in higher-level programming environments like Visual Basic. But the real power of object technology like Java and ActiveX is that you don't need to write an applet or control to use it. You can reuse ones written by others-sometimes for free, other times for a fee.

Where do you find ActiveX controls? As we noted above, Internet Explorer 3.0 downloads with a number of controls already installed, so the savvy webmaster can start with those. But that's just the start. Microsoft estimates there are more than 1,000 ActiveX controls available today, and the numbers are growing. Check out the Web sites listed in the Reference Desk (at right) for listings of free and for-pay controls you can add to your Web site.

Once you have the binaries for the ActiveX control you want to use, you can add the control to a Web page using the HTML.

Microsoft Java Strategy

In a recent interview to CommunicationsWeek Charles Fitzgerald, program manager for Microsoft's Internet Client and Collaboration division, discussed the company's Java strategy.

Microsoft promise to support JDK 1.1. Generally Microsoft strategy is to provide the best way to develop and run Java applications, whether they are cross-platform Java applications or full-fledged Windows applications written in Java. At the same time, MS will extend the benefits of Java to developers building Windows applications.

ActiveX provides an extensibility mechanism so Java applications are not stuck on an island, but can be integrated with other software systems, written in any other programming language. Java is much less interesting if it requires ripping and replacing all your software investments.

Component Wiring metafor in Java RAD

Expect every major RAD tool to receive a facelift this year. For once, the surgery will be more than skin- deep. "Component wiring" technology quietly pioneered by IBM in its Visual Age line of development tools (http://www.ibm.com) is poised to become the dominant development metaphor. It will appear first in Java development tools from many vendors, then spill over into traditional client-server development environments.

Component wiring visualizes object-oriented development beyond simple property sheets or graphical user interface (GUI) builders, which today rely heavily on user-generated source code. With component wiring, developers simply draw a line, or "wire," between on-screen objects and those in a repository. The software automatically generates the application code based on the visual components that the developer connected.

Enterprise developers say component wiring finally puts the development in RAD. "The fact that you're always building a 'part' is the other big plus," says Mike Hudgins, a staff consultant and Visual Age developer with DST Systems, a financial services provider in Kansas City, Mo. "If you look at Visual Basic or something like that, even in its GUI environment, you're building something which is quasi-GUI, because you always end up typing something in."

Symantec's Visual Cafe is the first Java tool to deliver component wiring Others will follow. "Symantec pushed wiring into the mainstream. You'll see it in the next versions of all the major products," says Evan Quinn, object technology analyst for International Data Corp., a market research firm in Framingham, Mass.

Code conversion

Of the estimated 3 million developers using RAD tools, only 1.3 million have experience with C++, from which the Java language is derived. For those who don't know C++, code conversion utilities represent the reasonable way to gain access to the Java environment.

For example Applet Designer, a $97 add-on from TVObjects Corp. (http://www.tvobjects.com) in Princeton, N.J., convert Visual Basic code directly to Java.

Converters are also available from other software vendors. Black Dirt Software (http:// www.blackdirt.com) in Goshen, N.Y., offers Visual Basic-to-Java 2.1, which supports Visual Basic 4.0 and Java 1.1. The product is written in Java, scans VB forms, and generates Java source code. Each VB component is mapped to a corresponding Java class, according to the company.

As Java code conversion takes off in 1997, it won't be limited to Visual Basic or Java. For example, Intermetrics Inc. (http://www.inmet. com) in Burlington, Mass., is testing AppletMagic, an Ada95 compiler that compiles to a Java Virtual Machine. The compiler inputs Ada95 source code and outputs Java byte code. The converted Ada applications run in any Java-compatible Web browser, according to company officials.

Also, Metamorphic Computing Corp. in New York (http://www.metamorphic.com) offers MCC, a $195 program that takes Visual Basic 3.0 applications and outputs 32-bit C++ code. MCC reportedly improves the performance of VB applications 100-fold.

"The technology to do this is finally mature," says IDC's Quinn. "To a large extent, the [cross-language] portability issues have been solved."

While developer interest in Java will accelerate the dispersal of code-conversion utilities, the offerings will be short-lived. "Java is pulling this along, but this is a temporary phenomenon that will soon peak," says Quinn. "We'll soon be at the peak of the 'hotness' of this. People will keep these tools in their arsenals, but you only need to buy them once."

As developers gain experience with Java, they will increasingly build business applications that are independent of browsers, especially in the server environment. Analysts say this year will be the year Java escapes the browser and becomes a preferred language for building platform-specific applications. Its biggest use will be on the server, particularly for connecting Web servers to legacy data sources.

Helping Java tackle the back office will be two key features of the 1.1 release:Remote Method Invocation (RMI) and JDBC (Java Database Connectivity). RMI functions like a remote procedure call, allowing Java objects to communicate on the same computer or over a network. JDBC is Sun Microsystems' answer to Microsoft's Open Database Connectivity, an abstract, uniform API for managing connectivity to SQL databases.

Maturing Java and Internet standards will beget more and better Web-development workbenches, life-cycle tools, and component integration products. Although last year saw a trickle of Web programming tools, the next 12 months will see vendors satisfying demand for Internet-savvy tools at every step of the development life cycle.

Other vendors will also get into the Web life-cycle act. StarBase Corp. (http://www.starbasecorp.com) in Irvine, Calif., offers a $549 version- control product called StarTeam 2.0, which was announced in December. StarTeam provides source-code management, such as check-in and check-out, that will work over the Internet. Finally, it provides a threaded, Lotus Notes-style conferencing system for developer communication. It also provides version control of Web content, such as HTML pages and CGI (common gateway interface) scripts.

When 1997 is over, the technology that will have had the greatest impact on corporate development will be a tool already on most developer's desks: Microsoft Visual Basic. Already, more than 100,000 developers have downloaded an early version of Visual Basic 5 Control Creation Edition (http://www.microsoft.com/vbasic) since it was posted to the Web on Oct. 28, say Microsoft officials.

The complete Visual Basic 5 suite, expected in March, will allow any client-server developer to build and reuse ActiveX controls and components. The effect could be staggering. Enterprise development teams will at last have a standardized, easy way of turning their applications into components and sharing them with other developers.

In terms of raw numbers, VB5 will very quickly push Visual Basic over the top, making it more widely used than Cobol. That mean bright future for ActiveX.

While the popularity and number of ActiveX controls is certain to explode, developers will continue to struggle with scaling ActiveX within the enterprise. "For ActiveX to move out of small projects, into areas that are more mission-critical, more transactional, they're going to need a repository. ActiveX needs to grow up and include metadata," says IDC's Quinn.

In the interim, efforts are under way at major object request broker (ORB) vendors to facilitate interoperability between OMG's Corba standard on the server and Microsoft's ActiveX object model on the desktop. The gap will continue to narrow between ActiveX's popularity and Corba's sophisticated distributed capabilities.

Increasingly, object middleware will support all of the major object models in use. IBM's Visual Age product, for example, supports Open Doc, ActiveX, Corba, and Java. Other vendors are expected to soon follow suit.

Java wake up call for microprocessors designers

As Java-or, to be precise, plans to investigate Java-became more ubiquitous, systems vendors faced the real possibility that their products would have to execute Java's intermediate form-Byte code-in an efficient manner. And as the year wore on, that prospect sent microprocessor designers to their workstations.

Unlike C++, Java is normally compiled, not into an object module for a particular CPU, but into Byte code-an intermediate language not unlike the pseudo code used by some P-Pascal. The problem for architects is that the Java virtual machine doesn't map very well into any commercially available microprocessor. To execute Byte code, microprocessors have to scan through the bytes, partition them into virtual-machine instructions, and then perform the operations that the virtual machine would perform in response to each instruction. There is a good deal of overhead in this interpretation process, and often a poor fit between the abilities of the MPU and the needs of the virtual machine.

On the one hand, the Java virtual machine makes no use of some of the most powerful features of modern CPUs, such as MMX-like instructions. On the other hand, things the virtual machine must do, such as stack management and garbage collection, can be particularly clumsy on a modern MPU.

Initial attempts to solve this problem have taken a variety of approaches. Early in the year, just about everyone saw software as the solution to the problem. Many people with fast MPUs, including DEC with its StrongARM and, ironically, parts of Sun Microsystems itself, still see it that way.

If the MPU is fast enough, then straight Byte-code interpretation will be fast enough for most applications. This is certainly true in a workstation environment, where most of the task load consists of heavily optimized C programs, and only once in a while does the user dabble in applets, McGhan observed.

If interpretation isn't fast enough, the JavaSoft group at Sun came up with the idea of a just-in-time compiler-sort of an interpreter that produces lightly optimized object code as it goes. For even more demanding applications, of course, Byte code can simply be compiled off-line, like any other recalcitrant language.

But during 1996, a growing number of designers began to worry that this was not the right approach. They were driven, at least in part, by the way Java seemed to be penetrating deeper into client systems.

"With the development of the Java OS," McGhan said, "we have the ability to create thin clients-clients which load almost all their software, including the OS, from a network-that are Java all the way down to the device drivers. This has significant advantages for the developer, since the resulting software would be highly portable and would use one set of object constructs from top to bottom.

There is even work going on now to add real-time capabilities to both Java OS and Java objects, so that systems with real-time constraints could be all-Java. But when this happens, that changes the way people look at Java execution. Now it suddenly makes sense to optimize the hardware for Java execution, not for C execution."

Through this back door, Java began to influence thinking about microprocessors. The first indication came from Sun Microelectronics itself, which produced the PicoJava core. PicoJava is a compact, stack-based processor optimized to emulate the Java virtual machine. While not earth-shaking in raw speed, it directly executes most of Byte code, interpreting only a few of the more complex Byte-code sequences. This gives it a debatable, but probably somewhere between 2x and 10x, performance advantage over fast 32-bit CPUs interpreting Byte code.

PicoJava has yet to appear as commercial silicon. But the core is finding its way into a variety of products, ranging from Internet appliances to cellular phones. The core is also going into Sun's next step, MicroJava. This chip is a faster, more-augmented processor based on the PicoJava core, but designed to be the heart of a thin client-or in early 1996 parlance, a network computer.

Sun has chosen to go all the way to direct Byte-code execution. "Right now, we see systems that are mostly C with a little Java," McGhan said. "And we see some systems coming that are mostly Java, with a little other code. But we don't see many systems that are a nearly equal mix of C and Java. That suggests to us that it makes sense to either use a conventional processor or to go all out for Java execution, but not to try to do both at once."

But other vendors are taking a more cautious approach. Temic Semiconductors, for instance, has been extremely successful in adapting Sparc architecture to the needs of the communications market. It sees the Web storm approaching, and is well aware that the storm carries Java at its core. But it is not convinced that direct Byte-code execution is the way to go.

"We can now build embedded Sparc chips fast enough to interpret Byte code in meaningful embedded applications," claimed Temic program director Alain Fanet. "The place the CPU needs help is not in Byte-code interpretation, but on the overhead of object management."

The most taxing tasks in Byte code are object-protection mechanisms, translation of object links into memory addresses, and-no surprise-garbage collection. Temic's approach to Java execution has been to develop an object-optimized memory-management coprocessor-not specific to Java, by the way-to work with the Temic Sparclet core.

SGS Thomson is also taking the problems of Java execution very seriously, and is actively developing a Java coprocessor to work with its Cyrix-designed X86 processor core. The company is, in effect, aligning its architecture with what appears to be political reality on the Internet-total dominance by Microsoft software, with a strong seasoning of Java applets.

Such an approach makes sense for dedicated Web browsers that may cost as much as an entry-level PC. But for more deeply embedded applications, such as set-top boxes for TV/Web-combination appliances, cost is more of an issue. For these applications, SGS Thomson is working on a software Byte-code interpreter for its ST20 32-bit micro-controller family.

The risk, of course, is that the ST20 won't interpret fast enough. In anticipation of this issue, rival Siemens is watching carefully the possibility that a hardware coprocessor may be necessary, at least temporarily.

"CPU power may eventually overtake the Java speed problem, but we are investigating hardware alternatives as well," observed Christian Wolff, head of the terminal IC group at Siemens.

Sun's initial focus is on deeply embedded Java execution with PicoJava. SGS Thomson and Siemens are also looking at applications ranging from Network thin clients to set-top boxes. But as the year draws to a close, the concern about Java performance is spreading to include even the largest of workstation processors.

Officially, of course, workstation RISC architectures are too pure to stoop to application-specific instructions. Certainly an instruction set as enshrined in shrink wrap as X86 would not consider such a move. At least that was the feeling before Sun's upstart idea, the visual instruction set (VIS), spawned such creations as Intel's MMX.

Now, adding instructions to deal with a prickly chunk of often-executed code doesn't seem so unrealistic. Even MIPS, which preached purity of spirit louder than anyone, this year admitted that it was adding VIS-like extensions to its architecture. If byte-code execution on workstations becomes a bottleneck, workstation architects may turn their attention to it.

One is already doing so. "I think you will see more general-purpose CPUs looking for ways to improve Java performance," said Sun's McGhan. "We have been looking at that here in respect to the Sparc architecture. But the problem we face, and that other CPU architects face as well, is that hybrid chips are always conflicted, in a sense. If you do something to accelerate Java, it can slow down the native code. In the workstation market that's a trade-off you can't make."

Material is based on copyrighted article by CMP Media Inc. You can reach this article directly:

http://www.techweb.com/se/directlink.cgi?EET19961223S0040

 

DATA SECURITY AND COMPUTER VIRUSES

New trend in AV software: e-mail scanners

Cheyenne Software Inc. released AV Agents for Lotus Notes and Exchange Server

The agents are designed to work with Cheyenne's InocuLAN anti-virus products and provide protection for E-mail mailboxes, The agents work by scanning databases created by Notes, Exchange Server and GroupWise to guard against macro viruses. Pricing for the AntiVirus Agents is $695 each per server. Additional info is available from http://www.cheyenne.com/.

Central House Technologies Inc. announced today that it will distribute MIMESsweeper, a software program that scans documents attached to e-mail for computer viruses.

MIMESsweeper, by U.K. software developer Integralis Ltd., is now available for cc:Mail application. It will soon support Microsoft Mail and Novell Inc.'s Groupwise mail application. MIMESsweeper provide interface between e-mail system and AV scanner and could use any AV scanner. MIMESsweeper works by diverting an incoming message to a mailbox where any attachments are scanned for viruses. The message is then sent to its destination. MINESsweeper is available from Central House for $2,875 for 100 users.

Java virus scanner for non-existent viruses

Symantec unveil the Java virus scanner-the first of its kind for Java programming language. The impetus for the research was the possibility that a Java virus could emerge, despite the fact that none have been identified so far, company officials said. Java viruses behave much like macro viruses and could spread over a wide variety of platforms because of Java's inherent portability.

The company has also produced a Java class file scanner extension for the Norton Anti-Virus that it claims will enable it to monitor for Java viruses in real time, within any Java-supported World-Wide Web browser. The only problem with the product is that no Java viruses exist yet.

New crash protection software for Windows 95:
Norton CrashGuard and First Aid 97

Losing work from crashes and application "freezes" are a reality and frustration that every Windows 95 user must live with. With Norton CrashGuard, users can save the work in more cases that before. Norton CrashGuard can intercept and repair some crashes and "frozen" applications, enough for the user to save their work.

There are other products in the market that attempt to capture and repair crashes, including Cyberbmedia's' First Aid 97, Quarterdeck's Fix-It and WINProbe 95. None of these products can match the price and robustness of Norton CrashGuard. Currently Symantec is offering Norton CrashGuard free. On March 1st, 1997 the installer will stop working, but the installed Norton CrashGuard program will continue to operate, protecting the user from crashes and lost work. Download site is www.symantec.com/crashguard.

Norton CrashGuard 1.1 is not the only program that tried to prevent crashes in Windows 95. First Aid 95 was one of the first such programs on the market but caused more problems than it solved and sometimes was the reason of system collapse. One part of the crash-protection feature, which lets you reactivate frozen applications, worked only occasionally. Often, a frozen application locked up the entire computer-including First Aid. Sometimes First Aid 95 lock computer during saving of prev. configuration files. First Aid 97 seems to be an improvement over 95 version. Also Dr. Solomon's AntiVirus Toolkit package is now included.

First Aid 97 also goes onto the Internet in search of patches or new drivers that might help fix a problem. Cybermedia also makes Oil Change that automates the process of updating software.

Structurally First Aid 97 has several modules that help protect you from disaster and some of this modules could be a source of problem themselves, so they should not be used without necessity. List includes: Windows Guardian that sits in the background, watching for problems and then tries to fix them when they occur; Backtrack monitors changes made to crucial files, including the Windows Registry and can recover from multiple backups called Snapshots; The Advisor, which is similar to Symantec's PC Handyman, uses hypertext to help you track down problems. The Physical feature does a thorough check of your PC, from hardware to applications to the Windows 95 system. You can also use something called Specialist to look at only certain aspects of your computer.

First Aid sells for about $35. Cybermedia also sells a deluxe version of First Aid, which comes with a listing of technical support contacts for various hardware and software companies and multimedia Windows 95 and Internet tutors.

INTRUSION DETECTION AND ACCESS CONTROL

MasterCard International and IBM have teamed up with a Danish bank to demonstrate a system designed to protect credit card purchases on the Internet.

They will use the Secure Electronic Transaction industry standard developed by Visa and MasterCard last February. A pilot program involving three merchants, 500 to 1,000 customers and the Danish Payment Systems bank is slated for the middle of this month. MasterCard anticipates that member banks will initiate some 50 pilot programs in 20 countries during the next three months, and the system should be available in 40 to 50 countries by the end of 1997. Visa International says its version of the credit card

system has been delayed, and won't be widely available until early 1998 (Investor's Business Daily 2 Jan 97 A33).

Microsoft is using VeriSign's algorithms to authenticate software delivered over the Internet. It becomes the electronic equivalent of shrink wrap.

Jim Bizdos, Greek heritage CEO of RSA Data Security Inc. now almost single-handedly dominates the encryption business. Now he has sighing deal between Microsoft and RSA spin-off-VeriSign Inc. and basically became the industry's dominant digital certificate authority. To date, the company has issued 12,000 server IDs at $295 each and seeded the market with half a million user IDs that need to be renewed at low, annual rates.

VeriSign also has important alliances with Visa, Intuit and Merrill Lynch, Comcast (owns the $1.7 billion cable retailer QVC), Microsoft, Netscape, Oracle, Apple and IBM( which will offer Web presence, content and software.)

Cisco, in San Jose, Calif., another partner, sees authentication as critical to its network environment. The ability to ensure that router updates get authenticated could be an important service for Intranets.

VeriSign's ambition is to be the trusted clearinghouse for authenticating transactions. The lowest classes of identification are registered and verified online, while the next level up involves a credit bureau check (servers are verified through an online link to Dun & Bradstreet).

Penetration into corporate systems for hire - new profitable business

Penetration testing specialists agree that an up-front approach to security is wiser. Ironically, the demand for penetration tests is on the rise. Recently, the General Accounting Office, in Washington, has been making penetration tests a standard element in regular security audits. The General Accounting Office performs audits for executive government branch agencies such as the Department of Defense, the Department of Social Security and the Department of Health and Human Services.

Usually such a "penetrators" are delivering bad news. Using publicly available tools picked up on the World Wide Web in most case there is a way to get into corporate LAN. Break-ins are not a wake-up call for most clients. It is often difficult and costly to take serious actions. Price Waterhouse's estimates that only 20% of his clients actually make changes to their security practices after failing a penetration test. They don't necessarily view [the penetration] as real.

Usually, companies react to the bad news about network security by looking for a scapegoat or trying to find short-term solutions that simply plug up the security holes revealed by the test. Longer-term fixes, such as writing and implementing a formal policy are more rare.

Getting good advice on network security-and then ignoring it-doesn't come cheap. Both IBM Consulting and Price Waterhouse, for example, charge $50,000 to $75,000 for such a test. The cost covers a review of a company's firewall configuration and written security policies and an actual break-in to the network from the Internet.

Bob Dacey, director of civil audits at the General Accounting Office, said the agency started conducting penetration tests about two years ago. People tend to talk in the abstract about hackers breaking through firewalls or finding other points of entry into a network, Dacey said. "Penetration testing brings into focus those threats and demonstrates they are real, not just potential," he explained.

Typical penetration tests take anywhere from a few days to a few weeks. Clients can hire testers to actually break in and move around their networks or they can opt for an unobtrusive audit, which pinpoints the vulnerabilities in the system without an actual infiltration.

In addition, security experts will usually conduct the tests under a variety of scenarios. Price Waterhouse consultants, for example, will attack a system acting as an outside hacker who knows nothing about a network, a hacker who has limited information such as IP addresses, an insider who has no information, or an insider who has specific knowledge about the system, including a few log-ons or passwords.

General opinion is that companies should be devoting more resources to security up front, not just on penetration testing.

The reason so many vulnerabilities are found is tied back to a lack of a security architecture. That's usually missing because enough resources haven't been allocated to building it. Companies need to spend more on security technology and their security staff, on educating staffers and end users about security policy and measures.

As part of their standard service, companies could help clients to address all the vulnerabilities uncovered in penetration testing.

AOL Auto-disconnecting Absent Users

Customers who manage to get onto the America Online computer network despite its capacity crunch may find themselves being gently nudged toward the exit.

AOL has begun flashing a message on the screens of customers who've been on line for 45 minutes. The message simply asks if they plan to keep using the system. Users who reply by clicking a ``yes'' button can continue. But those who don't respond will be logged off 10 minutes later.

AOL has long had an automatic feature that disconnects inactive users after 15 minutes of idle time. But now the network will ask even the most active user to consider hanging up.

AOL spokeswoman Tricia Primrose says flashing a log-off message is not an attempt to drive heavy AOL users off the network. Instead, it's meant to encourage AOL users to make efficient use of the system.

"It was basically intended to say to customers, `are you on line and are you using the service?'" Primrose said. "It's a prompt, it's a reminder, but it's not intended to force them not to use the system."

The new policy is the latest tactic being used by Vienna, Va.-based AOL to cope with a massive increase in network use, caused by its new flat-rate pricing scheme. The new rate has been so popular that use of AOL has soared beyond the system's capacity, and thousands of AOL's 8 million customers find it impossible to connect to the network.

Attorneys general of 36 states joined forces to demand that AOL fix the problems and offer refunds to dissatisfied customers. On Wednesday, AOL agreed to provide refunds of up to $39.90 to some customers and to stop signing up new users until the system can handle the load.

Additional info is available from the Boston Globe http://www.globe.com.

KEY TECHNOLOGIES

Internet Congestion

A recent Lou Harris and Associates poll estimated 35 million adults in the United States used the Internet, up from 27 million last year. Home users said they were online about 2.8 hours a week.

Two of the biggest online services, AOL and The Microsoft Network with 8 million and 2 million subscribers respectively, say they are racing to get enough modems and traffic-handling computers installed in areas of heavy use so more calls can be accepted.

Internet users place extra load on phone networks because they tie up more lines for much longer than ordinary voice calls, phone company officials say. The average Internet connection lasts about 17 minutes, compared to two to five minutes for a voice call, said Harry Grandstrom, spokesman for U S West.

Internet activity is typically concentrated in early evening hours, meaning there are huge daily spikes in demand; and, since flat-rate users don't pay per-minute charges to connect to their local Internet access providers, they have little incentive to log off the network even when they step away from PC.

Also the Internet ``backbone'' have become so congested that an estimated 10% to 30% of all packets of Internet data are dropped.

The on-ramps of the information highway - online service companies and Internet service providers - are competing for customers through cheap flat-rate service and free trial subscriptions. But by signing up millions of new customers, some have outstripped the capacity of their internal communications systems.

Companies are working on modifications of their existing networks so they can better handle data traffic. Technologies exist today that can significantly increase the carrying capacity of individual copper wires. For example, SBC Communications, the Regional Bell operating company serving Texas, Kansas, Missouri, Oklahoma and Arkansas, is introducing a new technology into its region that essentially sifts Internet traffic from conventional lines and routes it to a high-speed network connecting to the Internet backbone.

Local telephone companies are scrambling to increase the number of ``trunk'' lines that carry calls between local switching centers.

The Internet's appealing economics outweigh its risks

Even with daily news stories problems with the Internet's instability and security, companies are increasingly turning to it as a cost-effective medium for conducting internal business, largely through the use of VPNs (virtual private networks).

When compared with the expense of international leased lines from branch offices, the economics of the Internet look very attractive, despite its rather large and numerous problems. Many corporate networks have embraced TCP/IP. Several technologies are emerging that ensure sensitive data remains secure, even if transmitted across the public venue of the global Internet. And as companies reassess their vulnerabilities, they're finding that the enemy within can be an even greater risk than the enemy without.

Creating VPNs (virtual private networks) over the Internet, linking remote LANs throughout a company using firewalls or router like encryption boxes, is a technology that has matured quickly and is easily deployed.

During the past year, most firewall vendors have introduced VPN add-ons that seamlessly encrypt and decrypt all network traffic for specific destinations.

Initial VPN products required the same brand of firewall on both ends, but recently there's been a rush to conform to the new IPsec (IP Security Protocol) VPN standard. In theory, it should now be easier to add newly acquired companies or partners to a VPN so long as their firewalls or routers support IPsec. In practice, little interoperability testing has been done.

Solutions competing with firewalls range from black-box-type stand-alone products such as NetFortress from DSN Inc. to traditional routers. Cisco Systems Inc.'s latest Internetwork Operating System, Version 11.2, for example, features optional encryption. Which of these technologies a company deploys for its VPN will depend largely on its installed base of equipment, for compatibility reasons.

Throughput considerations also should be taken into account. Encryption adds a significant processing tax on systems, and if an existing router or firewall platform is already at the peak of its performance ability without encryption, it should likely be upgraded to a speedier box.

The actual setup of VPNs is really quite simple, provided that compatible encryption technology is in place at all sites.

The administrator at each site must use the VPN software to generate a unique digital key, or signature, which is then delivered by disk to the other locations. A simple insertion of the floppy disk with the key and the click of a menu item is usually all that's needed to get the whole process running.

Administrators must set the security options for each of the remote sites. The combination of VPNs with routers and firewalls offers a fine granularity of security profiles, at the packet level, for individual sites. For example, it is feasible to have the network of a subcontractor linked in an extranet, while ensuring that only usage of specified systems is allowed.

Switching end-user access of the corporate LAN from traditional dial-up remote access servers to the Internet alleviates the need to maintain large banks of modems and phone lines. However, the administrative hassles are many.

The unresolved issue of key management becomes a major headache when dealing with large numbers of end users at scattered locations. With site-to-site VPNs, it isn't too tough for administrators at each site to generate and exchange keys. However, when this process is scaled to hundreds of telecommuters, it becomes problematic.

Luckily, the road to secure end-user access via the Internet is starting to be paved. The newly introduced protocols from Microsoft and Cisco-Point-to-Point Tunneling Protocol and Layer 2 Forwarding, respectively-make significant strides in helping Internet service providers coordinate their networks with corporations, allowing remote users to dial in to a local Internet account and be authenticated all the way through the head office firewall.

Junk e-mail and "Push Through" Technology: Nuisance Or Opportunity?

Despite rising resistance by Internet users and a crackdown by Internet providers, junk e-mail continues to flourish and now even get a second name. For small businesses with a limited advertising budget, it is a practically free way to get their message out.

Junk e-mail does not have to be a nuisance activity if it can provide timely information and user can delete himself from the list.

Junk e-mail is the number one complaint from AOL members. AOL was one of the ISP to fight junk mail by blocking the transmissions of several major junk e-mailers. Recently, the company introduced a free service that continually screens incoming mail originating from a updated list of notorious junk-mailers.

Last month, America Online won a court case against Cyber Promotions, a Philadelphia-based Internet marketing company. The company had filed a lawsuit accusing the provider of violating their First Amendment rights by restricting access to the e-mail addresses.

Most providers expel customers who are caught sending the spam. But the door is left open for people, who owns his own server.

Internet is a new medium and understandably it lacks a consistent system of regulation. However, free filter programs that can weed out junk mailers are now freely available on the Internet.

Some junk mailer send out a two- or three-line message offering a business opportunity. The short message urges customers to reply by return e-mail if they want to be taken off the mailing list.

Those who do not respond are sent a longer, more detailed message explaining in more depth what the product is.

Additional info is at http://www.coxnews.com

WEB SPOOFING IS NO JOKE

Researchers at Princeton University have released a paper documenting ways that nefarious crackers could dupe unwitting Web browsers into divulging personal information, such as bank personal identification numbers or credit card numbers. One way to do this is to break into a legitimate Web server and alter the links to other sites, so that when users click to transfer, they're actually transported to the cracker's computer where the virtual hijacker can watch every move they make (such as entering credit card info when prompted). The researchers suggest that Web surfers take the following precautions: disabling JavaScript in their Web browsing software; keeping an eye on the software's location line, to ensure they know where they are; and paying close attention to the addresses they visit. Chronicle of Higher Education 10 Jan 97 A25. http://www.cs.princeton.edu/sip/pub/spoofing.html.

CRYPTOGRAPHY AND REVERCE ENGINEERING

IBM introduces digital certificate, key recovery technologies

IBM unveil a number of digital certificate and key recovery technologies designed to make security and encryption a fundamental component in a corporation.

Among the announcements, IBM rolled out the underlying technologies that will enable key recovery applications and services. With products due to enter beta testing by the second quarter, the technologies would allow corporations to decrypt documents or messages by combining information that reconstructs a private key.

The announcement of the underlying technologies used in IBM's key recovery strategy came on the same day that the Key Recovery Alliance, a collection of more than 45 software and hardware vendors, held their second meeting to discuss interoperability issues.

IBM also formally unveiled its two digital certificate offerings:

Net.Registry and World.Registry. While similar in nature, Net.Registry is aimed at helping corporations to issue their own digital certificates to users or customers, while World.Registry is aimed at providing an outsourced service for corporations.

IBM Net.Commerce offering makes use of the Secure Electronic Transaction standard, has been granted exportation clearance by the U.S. government, enabling it to be shipped internationally while still making use of strong cryptography.

Lotus Notes 4.0 circumvents encryption export rules

Foreign versions of the newest Lotus Notes application, version 4.0, are now shipping with 64-bit encryption, a more secured version than the 40-bit encryption level of software allowed to ship overseas today.

Cambridge, Mass.-based Lotus is able to sidestep current export regulations by giving the U.S. government exclusive access to 24 bits of the 64-bit encryption key. Lotus calls this capability "differential workfactor cryptography," said Ray Ozzie, president of Iris Associates, the developer of Lotus Notes.

VARs establishing Web sites are concerned because their clients' international partners must use less-secured software to access their U.S. counterparts' Web sites. This will become a greater issue when electronic commerce becomes more widespread.

The main objection from the National Security Council (NSC) over the issue of encryption export is that strong encryption is too difficult for the government to crack, should they need to do so in the interest of national security. In recent months, widespread use of the Internet and recent breaks into 40-bit encrypted software have vendors pleading with the NSC to relax export rules.

The technology was accomplished solely by Lotus, with no input by security guru RSA. "Things will be stirred up by this announcement," said Jim Bidzos, president and chief executive of RSA.

Ozzie also mention that there is a terrorist treat from having too weak keys:

"One of these days, someone is going to bring down an airliner somewhere in the world, or cause a train wreck, or destabilize an economy, by breaking into an information system through the worldwide Net. And it may be something that we could have prevented, if we had been making more casual and widespread use of cryptography," Ozzie said.

Ozzie called the security technology within Notes 4.0 a compromise solution. "This is not a panacea. This is not the silver bullet that addresses all needs," he said. Vendors such as Lotus and Netscape Communications Corp., Mountain View, Calif., continue to press the NSC to relax the export controls.

This holds down the cost of U.S. eavesdropping on international Lotus traffic, since the government only has to break the remaining 40-bit key to tap information. While the move gives Lotus customers greater protection against intrusion by other governments or criminals, many experts believe software providers will still be forced to negotiate individually with NSA to get similar deals, slowing security globally.

Netscape product manager Jeffrey M. Treuhaft says Netscape contacted customers who want stronger security and found they don't like Lotus' approach, primarily because it gives the U.S. government access to their data. "Some are even state-owned entities in Europe and Japan, and the issue of the U.S. government having access to the keys isn't appealing to them." The problem for Netscape, says Treuhaft, is that there is a "burgeoning development community building Web products with longer keys in places like the U.K. and Australia where import/export restrictions are very limited." Additional info is available from http://www.techweb.com/se/directlink.cgi?CRN19960129S0030

COMPUTER CRIMES AND LAWS

Corporate crime traditionally is an insider job

The worst threat to your network security has little to do with the fact that you may have credit card transactions or other interactive data traveling from your company's Web site into the office. It has even less to do with the nameless, faceless hacker you picture sitting at a computer, waiting for an opportunity to tap into corporate America's wealth of information and bank accounts.

The biggest threat to your network is the people you know. Even worse, the people you've hired. Bill Hancock, a keynote speaker at the recent NetWorld+Interop show in Atlanta and an expert on network security who has been hired by the FBI, CIA and the National Security Agency (NSA) to locate hackers, says 568 out of 600 incidents of network hacking are perpetrated by disgruntled employees, bitter former employees or friends of employees who are provided with inside access information.

Everyone is hyped up about the Internet and external threats to the network, but corporate crime has traditionally been made up of inside jobs. The network is just a good tool for it. Many expert believe that ~ 80% of all network security breaches are inside jobs.

Beyond encrypting sensitive files, the key to network security is internal firewalls that are not routers; routers actually can be used to hack into the network. Because they implement a protocol's routing layer, if routers could be breached by an attack or a software flaw in the routing code. Additional info is available at http://www.techweb.com/se/directlink.cgi?NWC19961201S0017

Internal security breaches are quite costly. You better be prepared. Chevron will issue digital signatures to managers and business partners

In a 1996 survey of 205 organizations by Baltimore consulting firm WarRoom Research LLC, more than 15% of the companies reported internal security breeches that resulted in losses of more than $1 million. Security problems, easy to identify, are not always easy to fix. "Security has always been a problem, but now it has only gotten more complex and worse as a result of intranets and extranets," said a Wall Street financial firm IS director.

For example, Charles Schwab & Co. Inc. plans to base a paperless enterprise project on digital signatures and certificates. To do that, Schwab is looking at mapping digital signatures to an X.500-based directory for verification of authorized signatures and for enabling authenticated access to a manager for a specific workflow application-all without passwords.

"We are going to have to implement a way within our workflow system that will enable us to have a digital equivalent to a manager's signature on file. Otherwise, I could spoof my boss's mail system and give myself a promotion," said Mark Nevolows, a project manager at Charles Schwab, in San Francisco.

Chevron Information Technology Co. this year will begin examining how it can issue digital signatures to managers and business partners as a way of authenticating access to applications or services. Chevron runs a World Wide Web site for partners and customers that is password-protected and secured with firewalls, said Philip de Louraille, a Unix systems administrator and Web site manger at Chevron, in La Habra, Calif. Digital certificates will be used to identify and authenticate users more easily and could remove the need for password-based security.

Cadence Design Systems Inc., a CASE/CAD software company in San Jose, Calif. verify the integrity of passwords, by using crackers on employees' passwords.

Firewall vendors are rapidly integrating Internet Engineering Task Force's IPsec (IP Security Protocol), which will enable multiple firewalls from different vendors to establish a secure Internet channel. With interoperability testing under way, the standard could be finished by midyear with products supporting IPsec coming out in the fall.

Likewise, S/MIME (Secure Multipurpose Internet Mail Extensions) will have a dramatic impact on how corporations exchange messages and E-mail. S/MIME will allow users to encrypt, send and decrypt messages between multiple vendors' mail systems. Netscape Communications Corp., Microsoft Corp. and others are working on implementing S/MIME into their mail systems.

New security frameworks and APIs are also due to market that will make encryption a common software feature. Microsoft, IBM and Hewlett-Packard Co. are among the vendors that have built API frameworks that enable developers to add strong cryptography to applications from the ground up.

While the integration of security technologies into applications must start at the ground level, the creation of enforceable security procedures must start at the top-and include a human element. One of the biggest mistakes corporations make is over-reliance on technology. Such education is fundamental, say experts.

Former Oracle employee found guilty of perjury

A former employee of software company Oracle Corp. was found guilty of creating false electronic mail and lying about it under oath to support a wrongful termination suit. A jury of eight women and four men deliberated for just under a day at a court in Redwood City, near San Francisco, before pronouncing Adelyn Lee, 33, guilty of two counts of perjury, one count of preparing a false document and one count of offering a false document into evidence.

Lee, a former administrative assistant at Oracle, once had a relationship with the company's billionaire chairman and chief executive, Lawrence Ellison. Ellison, 52, who founded the company was a key witness in the three-week trial in San Mateo County Superior Court in Redwood City. Lee was fired in 1993, days after her last date with Ellison. Later that year, she filed a wrongful termination suit against the company, alleging that Ellison had had her fired for refusing to have sex with him. The cornerstone of Lee's suit was an e-mail message that she alleged was sent by her boss, former vice president for sales Craig Ramsey, to Ellison on April 22, 1993. It read: ``I have terminated Adelyn per your request.'' The suit was settled out of court for $100,000.

But prosecutors later filed criminal charges against Lee, accusing her of breaking into Oracle's computer system and sending the e-mail message herself. Testifying at the trial earlier this month, Ellison denied he had had Lee fired for refusing to have sex. Ellison said Lee peppered him with requests for expensive gifts like a Rolex watch and an Acura sports car during their sporadic, 18-month relationship. Company officials said Lee was fired for tardiness and for having an abrasive attitude.

Lee's attorney Gordon Rockhill said many employees at the high-tech company could have doctored e-mail records and said the evidence did not prove her guilt.

In a statement released after Tuesday's hearing, Ellison said sexual harassment was a crime. "It is not always the case, however, that everyone accused is guilty and everyone making a claim is telling the truth" he said. "Jury of 12 unanimously determined that Adelyn Lee's sexual harassment claim was based on her perjured testimony and evidence that she manufactured. And that's a crime too,'' Ellison said.

Lee is scheduled to be sentenced on Feb. 27 when she faces up to four years and four months in jail.

FBI target pirate BBS

FBI agents served search warrants at residences and businesses in eight cities nationwide, including San Leandro, Atlanta, Miami, Oklahoma City, Pittsburgh, Columbus, Ohio, Des Moines, Iowa, and Cedar Ridge (Nevada County) where illegal software trafficking was suspected of taking place. Accompanied by corporate representatives to identify the software, FBI agents took the computer systems off-line and confiscated the equipment and other documents.

The search warrants were executed after an eight-month undercover investigation, code-named Cyber Strike, by the FBI's International Computer Crime Squad. The investigation is ongoing and no arrest warrants have been issued.

``The FBI served notice that it's ready to meet the challenge of cyberspace,'' said Bob Kruger of the by Business Software Alliance (BSA), a Washington-based software publishers trade association. (e.g. overblown) estimates in 1995, the latest year for which figures piracy cost the U.S. software industry $13 billion in losses worldwide. This figure is definitely overblown as no exact methodic exit so real losses could be up to 10 times less.

BSA also estimates that 26% (you can make it 10%-30% with the same accuracy) of all software in use in the United States is pirated, causing $2.9 billion in losses to the industry. Western Europe accounts for $3.5 billion in losses, Japan $1.6 billion and the rest of Asia $3.9 billion.

Pirated board usually distribute "latest and greatest" software. The operators of the pirate boards do it for fun, for ``philanthropic'' reasons. Only in some case rare cases they try to make money by charging for the software.

BSA and software publishers argue that software piracy is a crime that affects more than just Bill Gates' bank account. "The victims are not just rich software executives," said Kathy Tom Engle, spokeswoman of Autodesk Inc. in San Rafael. She argue that consumers pay too. The company estimates that for every product sold legitimately, seven to eight are stolen. That means the company passes the cost on. In reality pricing is more result of direct competition that anything else.

Some software publishers have staff for fighting illegal coping. For example Autodesk employs 12 full-time people, mostly lawyers, to track down software theft. They recovered $4 million last year from North America alone, often from companies and schools that paid for one license but distributed multiple copies for internal use. Autodesk said corporate customers account for more than 80% of its piracy losses.

The FBI's computer crime squad, set up in September 1995, has about a dozen agents in San Francisco as well as squads in Washington and New York.

Internet is no.1 choice for foreign snoopers

A report released by the National Counterintelligence Center (NACIC) indicates that the Internet is the fastest growing method used by foreign entities to gather intelligence about U.S. companies. "All requests for information received via the Internet should be viewed with suspicion," says the report, which urges caution in replying to requests coming from foreign countries or foreign governments, particularly with regard to questions about defense-related technology. NACIC works in close coordination with the CIA, but is an autonomous agency reporting the National Security Council. (BNA Daily Report for Executives 6 Jan 97 A15)

Programmer pleads guilty of defrauding AOL

A former Yale computer science student has pleaded guilty to defrauding America Online and faces a maximum sentence of five years in prison, a $250,000 fine, and restitution to AOL for using that company's services without paying for them. AOL estimates it lost between $40,000 and $70,000 in service charges because the student distributed his computer program, which he called AOL4FREE, to hundreds of other computer users. (UPI 9 Jan 97)

Informix sues oracle over people piracy

Informix Corp. filed a lawsuit in Portland, Ore., last week, charging that arch-rival Oracle Corp. "pirated away" 11 key engineering employees. The filings alleges that Oracle engaged in "a conspiracy to misappropriate Informix's intellectual property and gain an unfair advantage in the competitive market for database computer access systems." An Oracle senior VP called the charges "ludicrous" and says the defectors were hired only after they'd been rejected by Microsoft. He adds that the new employees were asked to purge their computers, cars and houses of any trade secrets before coming to work. "We have absolutely no interest in Informix's trade secrets or technology." (Wall Street Journal 27 Jan 97)

America Online has shut down service in 40 cities in the former Soviet Union, primarily in Russia

This was dine because of widespread incidents where fraudulent credit-card numbers were used to access the service. Last month, the company set up an Integrity Assurance division to fight online fraud, and the company routinely denies access to those who log on using fraudulent means. AOL is not sure when service to Russia will resume: "Until we feel comfortable that we have an understanding of the problem, we're not prepared to put it back up," says Integrity Assurance's VP. (Wall Street Journal 8 Jan 97 B6)

ETS

Barnes & Noble To Go Online

Barnes & Noble, the world's largest bookseller, will go online in February and will mount a challenge to the Seattle-based Amazon.com Books (http://www.amazon.com). Barnes & Noble now sell books through America Online, with all hardbacks in stock offered at a 30% discount, paperbacks in stock at a 20% discount. Amazon.com offers a 10% discount on most books (30% on best-sellers).

IBM offers free patent data base on WEB

IBM plans to make the content of 2 million U.S. patents (from 1971) available free on the Web site < http://www.ibm.com/patents/ >. Various companies provide patent access for a fee; one company, Questel-Orbit (a division of France Telecom) charges $1,995 a year, and a company executive says: "I still believe that we have the most robust search engine." (New York Times 9 Jan 97 C3)

IBM Internet-related businesses will break even this year

IBM's Net.Commerce software allows merchants to handle electronic transactions, and its World Avenue is an e-mail service. A company executive estimates that $900 million of business was done on the Net in 1996 and predicts that $3- to 4-billion will be done this year and $1 trillion in 2000. (New York Times 9 Jan 97 C3)

Intelligent indexing of scientific literature

Computers became powerful enough to organize and index huge treasure troves of scientific literature using intelligent functions such as "vocabulary switching"-classifying an article that mentions "Unix" under "operating systems" even if the words "operating systems" do not appear in the article. Large-scale simulations on the HP Convex Exemplar supercomputer at the National Center for Supercomputer Applications have resulted in generating concept spaces for 10 million journal abstracts across 1,000 subject areas covering all engineering and science disciplines-the largest vocabulary switching computation ever achieved in information science. Future developments will require automatic indexing with scaleable semantics to coordinate searches among the one billion repositories likely in the next century. (Science 17 Jan 97 p327)