

Microsoft Internet Explorer and Encryption
By Larry Smith

 [ Editor's Note:
 [
 [ On 19 Mar 97 Craig Brougher reported that he'd received
 [ notification, from MSN (Microsoft Network), of a security
 [ bug in Microsoft's Internet Explorer.  Although Robbie and I
 [ tend to discourage discussion of unrelated computer trivia
 [ and Internet rumors, this report seemed appropriate.
 [
 [ On 20 Mar 97 Larry Smith wrote in to explain in more detail
 [ about the bug, confirming it was real.  He also took the
 [ opportunity to make some editorial comments about Microsoft,
 [ Linux, encryption, and some other issues.
 [
 [    (Background Material)
 [
 [    I have been a student of Computer Science since the late 60's.
 [    I started programming on IBM mainframes in Fortran and assembly
 [    language, but soon found myself programming in Algol on a Burroughs
 [    machine.  I discovered a curious phenomenon.  If IBM hadn't invented
 [    it, many people discounted a technology.  Burroughs had fielded
 [    technology that IBM didn't have (or hadn't marketed yet), and
 [    many people discounted it because it wasn't IBM.  Much technology
 [    was delayed to "the masses" until IBM decided to market it.
 [    From my point of view, this delayed the evolution of Computer
 [    Science, which I found frustrating.  Clearly this is
 [    an opinion, but many people hold this opinion, and it's
 [    relevant to what follows.
 [
 [    In the non-mainframe software market, Microsoft quickly became
 [    the dominant player.  Many people believe that Microsoft's
 [    domination of the market has delayed the evolution of Computer
 [    Software.  Consider that many of the "features" just introduced
 [    by Microsoft in Windows 95 were available on the Macintosh in 1987.
 [    To me, it feels like the IBM/Burroughs (and other industry players)
 [    struggle all over again.
 [ 
 [ As a consequence, I'm sympathetic to Larry's position about Microsoft.  
 [ I asked Robbie to run his article, and gave Robbie a verbal statement
 [ to put at the end.
 [
 [ The apparent Microsoft "bashing" offended Pat Mullarky, who has a
 [ "beta" testing agreement with Microsoft.  (Beta testing is when you
 [ help a vendor test a product by using it before it's released to the
 [ general public).  In the interest of allowing a "balance" of points-
 [ of-view, Robbie and I decided to run Pat's article.  The article,
 [ however, had a personally critical tone towards Larry, which
 [ Robbie and I overlooked.  We owe both Larry, and the group
 [ an apology for running the article.  Larry, for not recognizing
 [ that Pat's article would probably be offensive to him.  To the rest
 [ of the group because to "make it right", we're going to run a
 [ couple more articles on the subject which some of you may
 [ not want to see.
 [
 [ The messages which follow are
 [
 [     1) Larry's response to Pat's rebuttal message, which Larry found
 [        offensive.  Although I received this message on the 24th, I
 [        have not run it until now.  There have been several
 [        "behind-the-scenes" messages between me and Larry and
 [        between me and Pat prior to deciding to run these.
 [
 [     2) Pat's response to my pointing out to him privately that Larry
 [        had been personally offended by Pat's rebuttal and that I
 [        was most likely going to print Larry's message (1) above.
 [        Although Pat's message was addressed to the "rollreq" account
 [        he's since sent me permission to run it.
 [
 [ Jody

Jody, I went to some trouble to ensure my post did not have a tone that
implied any degree of Microsoft-bashing.  I don't believe in that, and I
don't do it.  I use Microsoft products daily, and will continue to do so
-- but it annoys me to the extreme when the members of the Church of
Microsoft feel they must take such a post as an excuse to proselytize,
and Mr. Mullarky's post was, in my opinion, entirely uncalled for.  All I
did was point out that alternatives existed -- and not only stopped short
of _recommending_ them, I even went so far as to characterize them as
somewhat paranoid!  I am angry and aggrieved that Mullarky's post was
sent to the list, I take it as a direct and unprovoked attack on my
credibility at my professional _job_ -- for testing software, and software
security, is what I do for a _living_.

I believe the proper thing to do was to forward it to _me_ for comment
_before_ posting it, and to allow me to dialog with Mr. Mullarky before
he could go off half-cocked.  The result would have been less
inflammatory I am certain.

But I am afraid I cannot let it rest without addressing two important
points:  Mr. Mullarky said:

> I know the holes in the software. "Joe Average User" will *never*
> be hurt by them.  And, even those tiny security holes have been fixed.

No one we know of _has_ been hurt by these bugs -- but the demo page
showed very clearly _how_ a computer can be seriously damaged or
disabled.  That was _not_ a "tiny security hole".  It was large enough to
kill an entire system.  Users _must_ download those patches and apply
them _now_ if they want to continue to use Internet Explorer (IE) -- for
if there were no web pages that would destroy your system before the holes
were reported there surely are _now_.  I have little doubt that the
vandal mentalities of the network are already inventing ways of using
these holes, knowing that many people _won't_ upgrade.

In less than a fortnight, _three_ security holes large enough to kill a
system were discovered in Internet Explorer.  It is possible those were
the last such bugs in the program -- but it is also possible that they
were not [*1].  _None_ of Netscape's reported bugs possessed such
potential [*2].  I stand by my recommendation of Netscape as far less
likely to have such bugs.  I have spent enough years in software Quality
Assurance to have some idea of what I am talking about.  Un-critical
fan-dom will not help other users on this list.  Nor Microsoft, for
that matter.

[*1]  They were certainly not.  Another bug has just been reported on
Usenet that could potentially give web users unauthorized access to
arbitrary files on your hard drive.  Microsoft is planning a patch to
the IE 3.02 release and will probably shortly have new patches for
3.00 and 3.01.

[*2] Netscape has had at least one security bug pegged against it in
recent months which is shared with IE.  This does not provide access
to a hard drive, but it could theoretically allow a clever web
programmer to grab a VISA card number entered in a "secure" form to be
retrieved from an insecure one.  This is partly a bug, partly an
issue with HTML, and partly carelessness.  But it reminds us all that
there is no one, entirely safe alternative, there are only acceptable
and unacceptable _degrees_ of risk, and we all must determine how
much risk we are willing to accept ourselves.

Mr. Mullarky also said:
> In my opinion: Linux is for computer professionals, only, as is the vast
> majority of Unix systems. Very few non-computer people can sit down to a
> Linux/Unix keyboard and simply edit and send a letter to their Mom
> without going through a very, very steep learning curve.   Installing
> Linux/Unix on a computer can be very difficult even for professionals.

Denigrating competing products is also not a valid defense.  And the
above is completely unjustified, especially for readers of _this_ list,
many of whom will not be able to "simply edit and send a letter to their
Mom" no matter _what_ system they buy.  Linux's installation and learning
curve is no higher than Windows 95's, and only slightly higher than
Mac's.  Do not assume your _own_ familiarity with Microsoft products makes
them easy for all.

I will leave open my invitation to contact me with technical questions
relating to Microsoft _or_ Linux and the programs that run on either of
them.  If I can't help, I can point people toward someone who can.

I would also suggest that henceforth Internet questions be redirected by
the moderators to people they believe can help the questioner, and that
advisories be sent by the moderators when needed, and kept to a minimum
-- with a policy of not discussing them.  Corrections can be issued after
off-line discussions.

regards,
Larry Smith

(Message sent Mon, 24 Mar 97 11:23:48 -0500 , from time zone -0500.)
