Java and JavaScript security
See also TBTF for 1997-09-15, 08-11, 07-21, 07-14, 1996-03-17, 03-10, 02-27, 02-19
> JavaScript                          Java
> Secure. Cannot write to hard disk.  Secure. Cannot write to hard disk.
JavaScript can make no claim to being provably secure. As LoVerso points out, Sun's Java was designed to be secure in the network environment; its design and implementation have been examined by hundreds, perhaps thousands, of knowledgeable and critical people. Netscape's JavaScript is a separate implementation of an interpreted (not precompiled) language syntactically similar to Java; it derives no security from the similar name.
There is no spec for JavaScript available for public scrutiny -- not in the sense that Java is spec'ed, with details of the language, the bytecode, and the virtual machine. Netscape's JavaScript spec [2] is intimately tied to the single existing implementation of the language, in the Navigator browser; the source code has not been examined by anyone outside the company.
JavaScript, which started out life as "LiveScript," displayed security flaws as early as beta 2 (see TBTF for 1995-12-02 [3]). Scott Weston <scott at tripleg dot com dot au> was among the first to be awarded Netscape's $1000 "bug bounty" for his demonstration [4] of a way to capture the "clickstream" of the browser user. The bug was fixed in beta 3.
In early January a cluster of bugs with similar effect was reported by John Tennyson <aelana at c2 dot org> against beta 4; he was awarded a $1000 bounty. Netscape claimed to have worked around these problems in beta 5 and 6; they said that the real fix would come in version 2.1. On February 13 LoVerso notified Netscape that one of these bugs, the "directory browser" [5], still exists in the released Navigator 2.0. I'm told Netscape posted a response to the resurgent problem but I haven't been able to locate it online -- it might only have existed in a local newsgroup.
There's more. On Wednesday 2/21 LoVerso invented a new way using JavaScript to record and report on a user's browsing history. He posted to the moderated newsgroup Risks and on Thursday night Netscape notified him that he has won another $1000 bounty. See LoVerso's sample implementation of "the tracker" [6].
In his posting to Risks LoVerso quoted a colleague thus: "It is hard to determine that a program is safe or secure after studying it. It is impossible without." The claim that JavaScript is "secure... cannot write to hard disk" can now be put to bed. Without its supper.
Dorothy Denning <denning at cs dot cosc dot georgetown dot edu>, cryptographer and independent reviewer of the U.S. government's proposed escrowed encryption system, posted the following note on Usenet. The editor of the Risks newsgroup suggested that this clause be known as the "Matt Blaze exemption." Blaze <mab at research dot att dot com> is a cryptographer at AT&T and can usually be found on the other side of a cryptographic argument from Dr. Denning. His 1994 exploits as an international arms courier are detailed in [7], the first publication of which I found dated January 6, 1995.
> Today's [1996-02-16] Federal Register contains a notice from the Department of
> State, Bureau of Political Military Affairs, announcing final rule of an
> amendment to the International Traffic in Arms Regulation (ITAR) allowing
> U.S. persons to temporarily export cryptographic products for personal use
> without the need for an export license. The product must not be intended for
> copying, demonstration, marketing, sale, re-export, or transfer of ownership
> or control. It must remain in the possession of the exporting person, which
> includes being locked in a hotel room or safe. While in transit, it must be
> with the person's accompanying baggage. Exports to certain countries are
> prohibited -- currently Cuba, Iran, Iraq, Libya, North Korea, Sudan, and
> Syria. The exporter must maintain records of each temporary export for five
> years. See Federal Register, Vol. 61, No. 33, Friday, February 16, 1996,
> Public Notice 2294, pp. 6111-6113.
Levin picks up and generalizes an odd wrinkle in the operation of IBM's Aqui (see "Organized copyright violation" in [1]). Please drop a note to <dawson dot tbtf at gmail dot com> if you can suggest a term befitting this condition of "inappropriate fidelity."
> Interesting glitches arise from the literalness with which texts
> are copied on the web. You reported one instance, although you
> were making a different point:
>
> : I wrote at the bottom of my page "Copyright, all rights
> : reserved," and the words persist on Aqui's copy.
>
> I recently downloaded a tax form in pdf from the IRS site. When
> I printed it I found at the bottom the recycling symbol and the
> words "printed on recycled paper."
>
> Do you know a jargonesque way to denote this inappropriate
> faithfulness to the original?
Also, a possible word for this condition of "inappropriate fidelity" might be "cyrox".
The 20-color solution suggested in October, and featured in a resource on the TBTF archive [14], is now seen to be incomplete: sticking to these 20 colors can still get you dithered solids. [This file has been updated now -- 1996-02-28, kad.] The best cross-platform palette turns out to comprise 216 colors. That's 6 cubed, for every permutation of the values (0, 20%, 40%, 60%, 80%, 100%) for each of (red, green, blue). It happens that Netscape, Mosaic, and Microsoft Internet Explorer all use this 216-color palette internally, thus leaving 40 colors free out of an 8-bit (256-color) color space.
This 6-6-6 color cube has been called the "Satan Matrix." A less ominous name was bestowed by Lynda Weinman <lynda at lynda dot com> in her new book Designing Web Graphics (ISBN 1-56205-532, New Riders, $50.00 USA / $68.95 Canada): she calls it the Browser Safe palette. It is explained in a Web page of understated elegance [15], with examples. I have not seen the book but after admiring this on-Net resource (excerpts are posted at [16]) I intend to hunt it down.
Thanks to Carl-Frederic De Celles <cfd at ixmedia dot com> (who forwarded an article by Niko Sluzki <niko at gate dot cks dot com>) and to Marshall Goldberg <AFCMars at aol dot com> for earlier pointers in the direction of this 216-color palette.
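The 216-color cube described above can be generated and checked in a few lines. This is an added example, not part of the original newsletter; the function names are hypothetical, and it assumes colors are written as "#RRGGBB" with the six levels mapped onto 0-255 in steps of 51.

```javascript
// Added example: names below are hypothetical, not from the newsletter.
// The six per-channel levels 0%, 20%, ..., 100% of 255: 0, 51, 102, 153, 204, 255.
const LEVELS = [0, 1, 2, 3, 4, 5].map((i) => i * 51);

// Format one channel value as two uppercase hex digits.
const toHex = (v) => v.toString(16).padStart(2, "0").toUpperCase();

// Build every (red, green, blue) combination of the six levels: 6 * 6 * 6 entries.
function buildPalette() {
  const palette = [];
  for (const r of LEVELS)
    for (const g of LEVELS)
      for (const b of LEVELS) palette.push("#" + toHex(r) + toHex(g) + toHex(b));
  return palette;
}

// Parse "#RRGGBB" into [r, g, b]; anything else is rejected.
function parseHex(color) {
  const m = /^#([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})$/i.exec(color);
  if (!m) throw new Error("expected #RRGGBB, got: " + color);
  return m.slice(1).map((h) => parseInt(h, 16));
}

// A color is in the cube only if every channel sits exactly on one of the levels.
function isBrowserSafe(color) {
  return parseHex(color).every((v) => v % 51 === 0);
}

// Snap each channel to its nearest level. Channels are independent, so the
// result is the closest cube entry; no integer 0-255 falls exactly between two levels.
function snapToPalette(color) {
  return "#" + parseHex(color).map((v) => toHex(Math.round(v / 51) * 51)).join("");
}

// Entries left over in an 8-bit (256-entry) color table once the cube is reserved.
function freeSlots() {
  return 256 - buildPalette().length;
}

console.log(buildPalette().length, freeSlots(), snapToPalette("#808080"));
```

A mid-gray such as #808080 is not in the cube, which is why a solid fill in that color can come out dithered on a 256-color display; snapping it first gives #999999.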
[ 1] <http://www.tbtf.com/archive/1996-02-19.html>
[ 2] <http://home.netscape.com/eng/mozilla/Gold/handbook/javascript/index.html>
[ 3] <http://www.tbtf.com/archive/1995-12-02.html>
[ 4] <http://www.tbtf.com/resource/b2-privacy-bug.html>
[ 5] <http://www.osf.org/~loverso/javascript/dir.html>
[ 6] <http://www.osf.org/~loverso/javascript/track-me.html>
[ 7] <http://www.netsurf.com/nsf/v01/01/local/courier.html>
[ 8] <http://www.tbtf.com/essential-tools.html>
[ 9] <http://www.handmadesw.com/hsi/web_alchemy.html>
[10] <http://www.pointcom.com/>
[11] <http://www.iss.net/iss/maillist.html>
[12] <http://www.neosoft.com/internet/paml/>
[13] <http://www.tbtf.com/archive/1995-10-30.html>
[14] <http://www.tbtf.com/resource/20colors.html>
[15] <http://www2.lynda.com/lynda/hex.html>
[16] <http://www2.lynda.com/lynda/bs.html>
[17] <http://www.eff.org/blueribbon.html>
>>Apple Internet Authoring mailing list -- mail listproc@abs.apple.com without subject and with message: subscribe apple-internet-authoring Your Name .