Dear DDJ,
The article "Proposing a Standard Web API," (DDJ, February 1996) by Michael Doyle, Cheong Ang, and David Martin, incorrectly states that "the applet developer must purchase a compiler from Sun or its licensees at considerable cost." The Java Developers Kit contains a Java compiler with a very liberal licensing agreement and can be obtained free of cost. Check out http://java.sun.com for more information.
Eric Kuzniar
Asheville, North Carolina
kuzniar@cs.unca.edu
DDJ Responds: Eric, thanks to you and others, such as Noel Gorelick (gorelick@tesla.asu.edu), for pointing out the oversight.
Dear DDJ,
I would like to comment on Jonathan Erickson's "Editorial" in the November 1995 issue of DDJ, the letter from Michael Doyle in the December 1995 issue, and Erickson's retraction in the January 1996 issue.
I believe that, as application developers and operating-system implementers, we need to examine the battle of Web APIs very seriously. What is at stake, as described by Erickson, is a standard that will benefit the Internet. I contend that what is at stake is the creative flexibility of our industry. Let me explain.
Promoting one Web API is very similar to allowing Microsoft's Win32 API to dominate 100 percent of the market. This is bad for computing, users, developers, OEMs, ISVs, IHVs, and Microsoft. No innovation into vertical markets and general competition is fostered by the universal dominance of one system API for an entire class of applications.
The description of the consortium to define the Web API, mentioned in the letter by Doyle, does not expound upon the rules of membership or the model of decision making. If all licensees are permitted to be involved in the consortium, then all API developers would be involved. This would include operating-system makers, application makers, and hardware manufacturers. How would the members vote on the design of the Web API? Would the more-important members, such as Sun, Netscape, and Microsoft, have majority control? Would startups be allowed to add to the API to support their emergent technology?
A parallel can be drawn with a platform API such as the Standard UNIX system calls, Xlib, or Win32. All commercial implementations of these APIs either directly support or coexist with an extensible API set. These extensions do not necessarily have to be a universal standard. They are the innovation that drives the computing industry. They are the made-for-Netscape slogans. They are the value added.
By forcing one standard API, Eolas makes all existing operating systems virtually a hardware abstraction layer for the Web API. Thus, for HTTP-based embedded languages, a standard Web API reduces the value added by any company involved with Internet computing to null.
Standards are the only way to make quantitative technological progress, but heterogeneity is the life and the capitalism of the computing industry.
Angus McCollum
gusm@msn.com
Dear DDJ,
In our article "Multiple Encryption: Weighing Security and Performance" (DDJ, January 1996), we state (on page 124) that "Three-key triple encryption is still vulnerable to a meet-in-the-middle attack requiring $2^{2k}$ words on memory and about $2^{k+1}$ operations." Instead, the numbers should be reversed so the sentence reads, "Three-key triple encryption is still vulnerable to a meet-in-the-middle attack requiring $2^{k+1}$ words of memory and about $2^{2k}$ operations."
Burton S. Kaliski, Jr.
Matthew J.B. Robshaw
RSA Laboratories
Redwood City, California
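An added worked example (not from the letter or the original article): the corrected cost figures measured on three-key triple encryption of a constructed toy cipher with k = 8, which is why three keys buy roughly 2k rather than 3k bits of strength. The cipher, key and plaintexts are constructed, and counting two words per table entry is an assumption about how the memory figure is tallied.

```python
K = 8          # toy key size in bits (assumption for the demo)
MASK = 0xFF

def F(r, k, i):
    """Toy nonlinear round function (constructed, not a real cipher)."""
    t = (r ^ k) + 0x3D * (i + 1)
    return (((t * t) >> 3) ^ t) & MASK

def enc(x, k):
    """4-round Feistel permutation on 16-bit blocks under an 8-bit key."""
    l, r = x >> 8, x & MASK
    for i in range(4):
        l, r = r, l ^ F(r, k, i)
    return (l << 8) | r

def dec(x, k):
    """Inverse of enc: undo the rounds in reverse order."""
    l, r = x >> 8, x & MASK
    for i in reversed(range(4)):
        l, r = r ^ F(l, k, i), l
    return (l << 8) | r

def triple_enc(p, keys):
    k1, k2, k3 = keys
    return enc(enc(enc(p, k1), k2), k3)

def meet_in_the_middle(pairs):
    """Return (candidate keys, table words, forward operations)."""
    (p0, c0), rest = pairs[0], pairs[1:]
    table = {}                                  # D_k3(c0) -> [k3, ...]
    for k3 in range(1 << K):
        table.setdefault(dec(c0, k3), []).append(k3)
    # Two words per stored entry: the intermediate value and its key.
    words = 2 * sum(len(v) for v in table.values())
    ops, found = 0, []
    for k1 in range(1 << K):
        a = enc(p0, k1)
        for k2 in range(1 << K):
            ops += 1                            # one (k1, k2) trial
            for k3 in table.get(enc(a, k2), ()):
                # Extra known pairs weed out chance matches in the middle.
                if all(triple_enc(p, (k1, k2, k3)) == c for p, c in rest):
                    found.append((k1, k2, k3))
    return found, words, ops

SECRET = (0x3A, 0xC5, 0x7E)                     # constructed key
PAIRS = [(p, triple_enc(p, SECRET)) for p in (0x1234, 0xBEEF, 0x0F0F)]

if __name__ == "__main__":
    found, words, ops = meet_in_the_middle(PAIRS)
    print(SECRET in found, words == 2 ** (K + 1), ops == 2 ** (2 * K))
```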
Dear DDJ,
I was enthused to read Jason Mathews' article "Comparing Data Compression Algorithms" (DDJ, January 1996). I have a similar task except my data are call detail records. Two things in his article stood out:
andrew@plan9.att.com
Dear DDJ,
I read the December 1995 "Editorial" entitled "Shock Treatment" with great interest. I am a masters student in the management department at the University of Canterbury in New Zealand. In part fulfillment of my degree, I am carrying out a research project for Trans Power New Zealand Ltd., the government-owned company that operates the national electricity grid.
The electricity industry in New Zealand has been in a state of ongoing change since the commencement of a government deregulation and privatization drive in 1986. Electricity generation (previously the preserve of the government) has been deregulated, and ECNZ (the state-owned electricity generation company) has literally been carved in two in an effort to bootstrap a fledgling competitive generation industry.
Trans Power (the grid operator) has been charged with the role of providing a neutral and transparent dispatch service to the industry. The matching of generation to demand will be achieved by a wholesale electricity spot market (an interim spot market is being launched in around six weeks' time), in addition to contract and hedging facilities.
The electricity retail sector is now fully deregulated (and, in fact, some power companies have been privatized and even listed on the NZ stock exchange). While these utilities have maintained their natural monopoly status with physical distribution networks, customers may now pick and choose between energy suppliers.
Interesting stuff, but to the point: One aspect of my project is to investigate potential business opportunities for Trans Power. The company already has an extensive telecommunications infrastructure (the telecom industry here was deregulated and privatized around five years ago.) Utilizing bandwidth into the home on existing reticulation systems for home communications, demand side management, and intelligent appliance control is an area I would like to investigate.
If any readers can provide me with more information--a journal reference, newspaper article, or the like--it would be great. Thank you in advance for any information you may be able to provide.
Mark Lilley
Christchurch, New Zealand
misc2311@cantva.canterbury.ac.nz
Dear DDJ,
I read Jonathan Erickson's "Editorial" (DDJ, March 1996) about Randall Schwartz, and I will be sending Schwartz some money.
Until I read the editorial, I was ambivalent about what CPU I put in my motherboards. No longer. I now know I will no longer use Intel CPUs. Period.
I have begun using these tactics more and more. I do not care for some of Microsoft's attitudes these days, so I don't buy Microsoft products for personal use any more, unless I absolutely have to (for example, Windows 95, but not Office). Instead, I use Linux to do all my fun stuff.
I also informed President Clinton, by e-mail, that I will not vote for him (or anyone else involved) in the next election if he signs any bill containing the Communications Decency Act. I have never had cable television, because I don't believe people should be paying ridiculous sums of money for very little of anything. I will not use a cellular telephone service, because: 1. The cellular telephone companies have tried to make it illegal to even own a device that can receive their frequencies; 2. They attempted to put a high-powered transmitter antenna across the street from a grammar school in my neighborhood; and 3. It appears that they are doing their best to convince people that airwaves should cost lots of money. Ask yourselves this: Is the Internet worth your human rights or your freedom? Are computers? I have become convinced over the years that politics and monetary greed go hand-in-hand. So be it; from this point on, I speak with my wallet.
Chuck Bermingham
Chicago, Illinois
bermin19@starnetinc.com
Dear DDJ,
While reading Jonathan Erickson's "Absence of Malice" editorial in the latest edition of DDJ, I noticed that it says:
Schwartz ill-advisedly ran Crack, a commercially available password-cracking program that uses brute force to discover vulnerable passwords.
As may have already been pointed out, Crack is not a "commercially available" program--it is a "freely available" package easily downloaded over the Internet. In fact, any knowledgeable high-school student could easily install and run Crack (and do it in such a way so as to not be easily discovered). This is what makes maintaining computer security a major issue and why Intel actually should be thanking Schwartz for revealing their appallingly inept situation (the bozo with the "pre$ident" password should have been reported and given the boot...).
By the way, although Crack does resort to "brute" force to try and crack a password, it first checks any dictionary lists made available to check against the encrypted passwords. It is unfortunately surprising how often people use simple words as passwords.
Mark J. MacLennan
Iowa City, Iowa
maclenna@cgrer.uiowa.edu
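An added example, not part of the letter: a check run when a password is chosen, rejecting anything that reduces to a dictionary word or the account name once common substitutions such as "$" for "s" are undone. The word list, substitution map and account names are constructed for illustration.

```python
# Common character substitutions undone before lookup (constructed map).
LEET = str.maketrans({"$": "s", "5": "s", "0": "o", "1": "l", "!": "i",
                      "3": "e", "4": "a", "@": "a", "7": "t"})

# Constructed sample word list; a deployment would load a full dictionary.
WORDS = {"president", "password", "secret", "dragon", "intel"}

def candidate_forms(password):
    """Forms a dictionary-first guesser would cover for this password."""
    base = password.lower()
    forms = {base, base.rstrip("0123456789!?.")}   # drop appended digits
    forms |= {f.translate(LEET) for f in forms}     # undo substitutions
    forms |= {f[::-1] for f in forms}               # reversed words
    forms.discard("")
    return forms

def dictionary_hit(password, username="", words=WORDS):
    """Return the matched word, or None if no form is in the vocabulary."""
    vocabulary = set(words)
    if username:
        vocabulary.add(username.lower())            # account name counts too
    hits = candidate_forms(password) & vocabulary
    return min(hits) if hits else None

def audit(proposed, words=WORDS):
    """Map each account whose proposed password is guessable to the match."""
    report = {}
    for user, password in proposed.items():
        hit = dictionary_hit(password, user, words)
        if hit:
            report[user] = hit
    return report

# Constructed sample input: passwords as submitted at change time.
PROPOSED = {
    "alice": "pre$ident",
    "bob": "Pa55word1",
    "carol": "terces",
    "dave": "Dave2024",
    "erin": "vK9#tLq2xW",
}

if __name__ == "__main__":
    for user, word in audit(PROPOSED).items():
        print(f"{user}: rejected, reduces to '{word}'")
```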
Dear DDJ,
As programming has become more important, it has become evident that we cannot restrict ourselves to simply exchanging programming tips. Our interactions with society are significant enough that we need the vision to see what is right and wrong and, what is rarer, the courage to do something about it.
Jonathan Erickson's "Absence of Malice" editorial (DDJ, March 1996) on the silly but tragic prosecution of Randall Schwartz is a fine example of this vision and courage. I applaud you for seeing what was necessary to say in this matter and saying it.
Jeffrey Kegler
Sunnyvale, California
jeffrey@rahul.net