wex@dali.pws.bull.com (Buckaroo Banzai) (12/01/90)
I attended a presentation last night (11/29/90) made by the people who have developed the (extensive, multimedia) on-line help system that ships with Lotus Marketplace, Business (LMB). Although this group is not the place for repeating the user-interface and human factors items that were the main focus of the discussion, I did manage to glean some facts of interest. [Note that these are from my notes taken at high speed, plus a one-sheet marketing glossy. Any errors are my own.]

LMB is distributed on a chock-full CD-ROM. There's 650 Meg of data, compressed down from a 2 Gig original. The data is "heavily encoded." They wouldn't say, but my guess is that they're using the DES encryption code from Lotus Notes. The CD is released quarterly; the purchase price of $695 (retail) gets you one issue (but see below). You can get 4 updates for $150.

LMB is implemented as a Hypercard stack. Lotus had access to prerelease versions of Hypercard 2.0. All information can be exported as ASCII; some info can be exported in other programs' formats (presumably database, DTP and spreadsheet programs).

There is extensive on-line help (65+meg of on-line manual, tutorials, multi-media "movies") because the end user is assumed to be almost completely computer-naive. "Desktop marketing," the niche Lotus is trying to create, is where DTP was when it first came out - lots of people know about the domain, but they're largely unaware of desktop computers.

The process of generating a list from LMB goes in three steps. First you define the list (or call up a saved list). List definition can be by any data field (e.g. $$ (income or sales revenue), type of business [standard industrial classification], location [Zip Code], area code, etc.) Users can also do sorts, merges, and joins on their list to expand or shrink it. The result of step 1 is a list of how many items the database contains that match your criteria.
Once you have the list, you can go to step 2, which allows you to preview and analyze the list. The data can be previewed in standard formats, or you can do a custom, two-level breakdown of the data, sorted by any field. At any point during steps 1 & 2 you can save the list (as ASCII). Analyzed lists cannot be re-opened by LMB.

Once you're happy with this, you then "buy" the names on the list. Once you've bought it, you can manipulate the "real" data, producing mailing labels, phone lists, reports, etc. You can also export the data as ASCII or other programs' formats.

LMB has introduced a really innovative feature in the way you buy lists. Included in LMB is a postage-meter-like counter. It comes loaded with 5000 names. Each time you buy a list, the number of names on that list is subtracted from your meter. Once you've bought a set of names, you own it and can use it as many times as you like. At any time, you can call up Lotus with your credit card or purchase order and get meter increments (at $400/5K names - dirt cheap compared with the per-name costs of standard mailing lists). This buying of name-credits can be done at any time, independent of which version of the CDROM you have.

Another interesting feature is that when you buy the LMB box from a software retailer, the disk that you get contains *bogus data*. You have to fill out and fax/mail in a form to get the real CD. This is done for two main reasons:
1) users will always get the latest version of the database, even if the box has sat on the shelves for years.
2) Lotus will use this mechanism to "control" who gets the list. For LMB, the name of the business calling in will be matched against a "list of known fraudulent businesses" provided by "credit bureaus and the Better Business Bureau."

Lotus delayed releasing LMB until their lawyers verified that it was legal for them to refuse selectively to sell the software if they refunded the purchase price.
They plan to use a similar scheme of "control" with Lotus Marketplace, Households (LMH). That version (available 1Q91) does not include phone numbers, and will contain information on "120 million people and 80 million U.S. households."

The information supplied with LMB is licensed from Trinet, Inc. The info for LMH comes from Equifax Marketing Decision Systems, Inc.
--
--Alan Wexelblat                        phone: (508)294-7485
Bull Worldwide Information Systems      internet: wex@spdcc.com (for now)
What I have on my desk is a 386 copralite.
ddean@rain.andrew.cmu.edu (Drew Dean) (12/01/90)
Thanks, Alex, for an informative posting. I note though, that your posting refers mostly to the Business version of Lotus Marketplace. I don't think businesses are in quite the same situation as individuals though. Businesses are all registered somewhere, and that's public info. Businesses presumably exist for the purpose of selling things, and are always looking to do this more effectively. If an unsolicited ad comes in that helps in this, it's generally a good thing. Also, unsolicited advertisements can be a great way to find out what your competitors are doing (like when they announce a product similar to what you're developing; this actually happened to me). And mail addressed to VP, XYZ, Inc. Somewhere USA doesn't provide much of a privacy invasion.

Lotus Marketplace Home (or whatever it's called; I guess I need a TM in there too so Lotus's lawyers don't come banging down my door :-)) seems much more dangerous, though, and what most people seem to be upset about.

Also, how secure is "highly encoded" ? Remember a few years ago the "unbreakable" copy protection schemes, which were usually broken either before the product was released or within 1 month if it was really hard ? Can the NSA invert DES ? [Not to be paranoid, but it's still an open question.] Can someone else invert DES ? Would encrypting a bunch of common names do any good, ala encrypting the dictionary to find Unix passwords ?
--
Drew Dean
Drew_Dean@rain.andrew.cmu.edu
[CMU provides my net connection; they don't necessarily agree with me.]
barmar@think.com (Barry Margolin) (12/01/90)
In article <11252@pt.cs.cmu.edu> ddean@rain.andrew.cmu.edu (Drew Dean) writes:
> Also, how secure is "highly encoded" ? Remember a few years ago the
>"unbreakable" copy protection schemes, which were usually broken either
>before the product was released or within 1 month if it was really hard ?
>Can the NSA invert DES ? [Not to be paranoid, but it's still an open
>question.] Can someone else invert DES ? Would encrypting a bunch of
>common names do any good, ala encrypting the dictionary to find Unix
>passwords ?

It shouldn't be necessary to break DES to get at the data on the disk. Remember, the weakest link in most encryption schemes is the key. And in the case of Lotus Marketplace, the key is stored somewhere in the program that reads the disk. If the Hypercard stack includes custom XCMDs to access the disk then they'd be wise to put it in there, but I wouldn't be too surprised if it's in the Hypercard stack itself. So, all you need is a good disassembler to help you find the decryption key.
--
Barry Margolin, Thinking Machines Corp.
barmar@think.com
{uunet,harvard}!think!barmar
tom@ssd.csd.harris.com (Tom Horsley) (12/01/90)
wex> Once you're happy with this, you then "buy" the names on the list.
wex> Once you've bought it, you can manipulate the "real" data, producing
wex> mailing labels, phone lists, reports, etc. You can also export the
wex> data as ASCII or other programs' formats.
wex> LMB has introduced a really innovative feature in the way you buy
wex> lists. Included in LMB is a postage-meter-like counter. It comes
wex> loaded with 5000 names. Each time you buy a list, the number of names
wex> on that list is subtracted from your meter. Once you've bought a set
wex> of names, you own it and can use it as many times as you like. At any
wex> time, you can call up Lotus with your credit card or purchase order and
wex> get meter increments (at $400/5K names - dirt cheap compared with the
wex> per-name costs of standard mailing lists).
Ah, with as many hackers as there are out there who passionately hate Lotus,
I foresee a big underground research program to break the protection scheme
and scatter around millions of copies of programs to "fill your meter"
without the formality of a phone call to Lotus and an exchange of cash...
Get enough people using pirate meter fillers and Lotus won't make any money
on the product. Possibly the best way to kill it off :-).
Just what would the legal status of such a program be? It seems to me to
fall in the same area as using a pirate satellite decoder, which apparently
companies like HBO can successfully prosecute, although I am not sure why
after all, I didn't ask them to beam radio signals through my house, what
difference should it make if I decode them? (I can see it now, the SETI
people pick up a signal, and the next day the intergalactic police show up
and vaporize the planet because earth didn't get the proper license for
their decoder...).
--
======================================================================
domain: tahorsley@csd.harris.com USMail: Tom Horsley
uucp: ...!uunet!hcx1!tahorsley 511 Kingbird Circle
Delray Beach, FL 33444
+==== Censorship is the only form of Obscenity ======================+
| (Wait, I forgot government tobacco subsidies...) |
+====================================================================+
spike@world.std.com (Joe Ilacqua) (12/03/90)
In article <TOM.90Nov30205918@hcx2.ssd.csd.harris.com> tom@ssd.csd.harris.com (Tom Horsley) writes:
<Ah, with as many hackers as there are out there who passionately hate Lotus,
<I foresee a big underground research program to break the protection scheme
<and scatter around millions of copies of programs to "fill your meter"
<without the formality of a phone call to Lotus and an exchange of cash...
<Get enough people using pirate meter fillers and Lotus won't make any money
<on the product. Possibly the best way to kill it off :-).
You can bet that Lotus will put plenty of entries in the
database which ultimately get back to them. This is a common practice
when you own a mailing list to keep track of who is using it. There
is a term for it which slips my mind.
Just another form of copy protection...
->Spike
--
The World - Public Access Unix - +1 617-739-9753 24hrs {3,12,24,96,192}00bps
bzs@world.std.com (Barry Shein) (12/10/90)
From: spike@world.std.com (Joe Ilacqua)
> You can bet that Lotus will put plenty of entries in the
>database which ultimately get back to them. This is a common practice
>when you own a mailing list to keep track of who is using it. There
>is a term for it which slips my mind.

"Ringers" is the term you're looking for. They're also used in dictionaries, almanacs etc, obscure, harmless, but false pieces of information which can prove copying. Sometimes when you see what appears to be an amusing "blooper" in a dictionary it's just a ringer and was put there on purpose.

It's a reliable way to catch mailing list theft.
--
-Barry Shein
Software Tool & Die | {xylogics,uunet}!world!bzs | bzs@world.std.com
Purveyors to the Trade | Voice: 617-739-0202 | Login: 617-739-WRLD
wcs) (12/10/90)
In article <BZS.90Dec9142813@world.std.com>, bzs@world.std.com (Barry Shein) writes:
> "Ringers" is the term you're looking for. They're also used in
> dictionaries, almanacs etc, obscure, harmless, but false pieces of
> information which can prove copying. Sometimes when you see what
> appears to be an amusing "blooper" in a dictionary it's just a ringer
> and was put there on purpose.

One problem I have with the Lotus stuff is that I use a similar technique myself - the Time Magazine subscription goes to Time Stewart, the New York Magazine goes to NY Stewart, the MCI Mail freebie went to Richard Falken, etc. I'll ask them to get rid of references to the REAL people here, but I won't bother with the randoms.

J. Fnord Stewart
--
Pray for peace! Bill
---
# Bill Stewart 908-949-0705 erebus.att.com!wcs AT&T Bell Labs 4M-312 Holmdel NJ
seanf@sco.COM (Sean Eric Fagan) (12/11/90)
In article <11252@pt.cs.cmu.edu> ddean@rain.andrew.cmu.edu (Drew Dean) writes:
> Also, how secure is "highly encoded" ?

More to the point, how easy is it going to be for an adventurous hacker to change the 5000 to 80000000? I would think that would be easier than decrypting the data...
--
-----------------+
Sean Eric Fagan  | "*Never* knock on Death's door: ring the bell and
seanf@sco.COM    | run away! Death hates that!"
uunet!sco!seanf  | -- Dr. Mike Stratford (Matt Frewer, "Doctor, Doctor")
(408) 458-1422   | Any opinions expressed are my own, not my employers'.
zane@ddsw1.MCS.COM (Sameer Parekh) (12/14/90)
In article <BZS.90Dec9142813@world.std.com> bzs@world.std.com (Barry Shein) writes:
>
>From: spike@world.std.com (Joe Ilacqua)
>> You can bet that Lotus will put plenty of entries in the
>>database which ultimately get back to them. This is a common practice
>>when you own a mailing list to keep track of who is using it. There
>>is a term for it which slips my mind.
>
>"Ringers" is the term you're looking for. They're also used in
>dictionaries, almanacs etc, obscure, harmless, but false pieces of
>information which can prove copying. Sometimes when you see what
>appears to be an amusing "blooper" in a dictionary it's just a ringer
>and was put there on purpose.
>
>It's a reliable way to catch mailing list theft.

It's a neat method. Can you give examples of a dictionary ringer? How would they work?
--
zane@ddsw1.MCS.COM
bzs@world.std.com (Barry Shein) (12/15/90)
> Can you give examples of a dictionary ringer? How would they work?
I don't have any examples off-hand, but every so often you'll see
someone point humorously at something like:
percatious - see frumptious.
frumptious - see percatious.
I suspect in most cases those sorts of things are ringers and were
inserted purposely. Of course, it's not in the dictionary's interest to
explain themselves, so who can really know (unless you can get an
insider to admit it.)
--
-Barry Shein
Software Tool & Die | {xylogics,uunet}!world!bzs | bzs@world.std.com
Purveyors to the Trade | Voice: 617-739-0202 | Login: 617-739-WRLD
lws@comm.wang.com (Lyle Seaman) (12/16/90)
ddean@rain.andrew.cmu.edu (Drew Dean) writes:
> Also, how secure is "highly encoded" ? Remember a few years ago the
>"unbreakable" copy protection schemes, which were usually broken either
>before the product was released or within 1 month if it was really hard ?
>Can the NSA invert DES ? [Not to be paranoid, but it's still an open
>question.] Can someone else invert DES ?

It's not really an open question, it just requires a lot of CPU. The NSA has the power, do they have the motivation? Most other places don't have the power right at hand, but here at Wang, we've got thousands of machines on a LIN. I'll bet that if I had the motivation, I could write a distributed DES cracker running nights and weekends and break the database in a couple of months. Paying off the right people at Lotus would probably be easier, though.

>Would encrypting a bunch of
>common names do any good, ala encrypting the dictionary to find Unix
>passwords ?

Probably.
--
Lyle Wang lws@capybara.comm.wang.com
508 967 2322 Lowell, MA, USA Source code: the _ultimate_ documentation.
tom@ssd.csd.harris.com (Tom Horsley) (12/17/90)
> Can you give examples of a dictionary ringer? How would they work?

I don't know if they were all ringers or not, but my edition of the OED (that's Oxford English Dictionary, no, not the latest edition, the one before that) contains a section on "Spurious words". These are words they found in other dictionaries which they never found anywhere else in printed English text (and they look at a *lot* of printed text!).
--
======================================================================
domain: tahorsley@csd.harris.com USMail: Tom Horsley
uucp: ...!uunet!hcx1!tahorsley 511 Kingbird Circle
Delray Beach, FL 33444
+==== Censorship is the only form of Obscenity ======================+
| (Wait, I forgot government tobacco subsidies...) |
+====================================================================+
shore@mtxinu.COM (Melinda Shore) (12/18/90)
In article <TOM.90Dec17080636@hcx2.ssd.csd.harris.com> tom@ssd.csd.harris.com (Tom Horsley) writes:
|> Can you give examples of a dictionary ringer? How would they work?
|I don't know if they were all ringers or not, but my edition of the OED
|(that's Oxford English Dictionary, no, not the latest edition, the one
|before that) contains a section on "Spurious words". These are words they
|found in other dictionaries which they never found anywhere else in printed
|English text (and they look at a *lot* of printed text!).

This practice is fairly widespread. In Grove's Encyclopedia of Music and Musicians, for example, there are several completely fictitious composers included, along with complete "biographies" and lists of works. If these entries show up in another music encyclopedia, it provides evidence that they've been plagiarizing from Grove's.

Now, the situation is somewhat different from a database like Lotus', because when you go to a dictionary or encyclopedia you generally have a name or term and are looking for further information. You never should have any need to use one of the bogus entries. In a database, on the other hand, you typically have a description of what/who you're looking for and want to find records matching that description. I really don't know how to keep bogus records from being retrieved other than to tag them, and that gives the game away.
--
Hardware brevis, software longa
Melinda Shore shore@mtxinu.com
mt Xinu ..!uunet!mtxinu.com!shore
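An added illustration of the ringer technique discussed in this thread (not code from any poster or from Lotus): ringers that carry no tag in the distributed data, so ordinary queries return them, while the list owner keeps the only lookup table. It goes beyond the thread by deriving a distinct set of ringers per licensee, so a leaked list also shows which copy it came from; `OWNER_KEY`, the licensee ids, the name pools and all records are constructed for the example.

```python
import hashlib
import hmac
import re
from collections import Counter

OWNER_KEY = b"constructed-demo-key"   # hypothetical secret held only by the list owner
FIRST = ["Alma", "Boris", "Carla", "Dmitri", "Edna", "Felix", "Greta", "Hugo"]
LAST = ["Ostrander", "Pennywhistle", "Varga", "Thistlewood", "Lindqvist", "Abernathy"]
STREETS = ["Kestrel Rd", "Foundry Ln", "Orchard Ave", "Mill Pond Way", "Juniper Ct"]


def make_ringers(licensee_id, zip_codes):
    """One ringer per ZIP code, derived from the owner's key and the licensee id.

    The record has the same fields as a real one (no tag), so it is returned
    by ordinary queries on that ZIP code.
    """
    ringers = []
    for zip_code in zip_codes:
        msg = f"{licensee_id}|{zip_code}".encode()
        d = hmac.new(OWNER_KEY, msg, hashlib.sha256).digest()
        name = f"{FIRST[d[0] % len(FIRST)]} {LAST[d[1] % len(LAST)]}"
        number = 100 + int.from_bytes(d[2:4], "big") % 9000
        street = f"{number} {STREETS[d[4] % len(STREETS)]}"
        ringers.append({"name": name, "street": street, "zip": zip_code})
    return ringers


def fingerprint(record):
    """Normalise case, punctuation and spacing so a re-typed copy still matches."""
    text = " ".join(str(record[k]) for k in ("name", "street", "zip"))
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


def build_registry(licensee_ids, zip_codes):
    """Owner-side table: fingerprint -> set of licensees issued that ringer."""
    registry = {}
    for licensee_id in licensee_ids:
        for ringer in make_ringers(licensee_id, zip_codes):
            registry.setdefault(fingerprint(ringer), set()).add(licensee_id)
    return registry


def attribute(suspect_records, registry):
    """Count, per licensee, how many of that licensee's ringers appear in a list."""
    hits = Counter()
    for record in suspect_records:
        for licensee_id in registry.get(fingerprint(record), ()):
            hits[licensee_id] += 1
    return hits


if __name__ == "__main__":
    zips = ["02139", "33444", "15213"]                      # constructed sample
    registry = build_registry(["licensee-A", "licensee-B"], zips)
    real = [{"name": "Pat Example", "street": "1 Main St", "zip": "02139"}]
    leaked = real + [dict(r, name=r["name"].upper())
                     for r in make_ringers("licensee-B", zips)]
    print(attribute(leaked, registry))
```

The registry never ships with the data, so the ringers are indistinguishable to whoever holds the list; a mailing sent to them, or a copied list checked with `attribute`, points back at the licensee.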
rkh@mtune.ATT.COM (Robert Halloran) (12/19/90)
In article <1990Dec18.080034.8237@mtxinu.COM> shore@mtxinu.com (Melinda Shore) writes:
>In article <TOM.90Dec17080636@hcx2.ssd.csd.harris.com> tom@ssd.csd.harris.com (Tom Horsley) writes:
>This practice is fairly widespread. In Grove's Encyclopedia of Music
>and Musicians, for example, there are several completely fictitious
>composers included, along with complete "biographies" and lists of works.
>If these entries show up in another music encyclopedia, it provides
>evidence that they've been plagiarizing from Grove's.

Another example is Trivial Pursuit, where they apparently put ringer questions and answers into the card sets to help flag plagiarizers.

Bob Halloran
=========================================================================
Internet: rkh@mtune.dptg.att.com UUCP: att!mtune!rkh
Disclaimer: If you think AT&T would have ME as a spokesman, you're crazed.
Quote: "We have no plans at this time to introduce new, standalone Apple II
models." --- Robert Puette, president of Apple USA.
"Apple II Forever"? Looks like Forever = 13 years, 6 months (4/15/77 - 10/15/90)
=========================================================================