TidBITS#529/01-May-00 ===================== Should spam be illegal? Brady Johnson examines state and federal efforts to cut back on unsolicited commercial email and the practical implications of regulating spam. Plus, Adam provides comprehensive details about keys you can hold down to control your Mac's startup process. We also note the availability of AOL 5.0, Palm Desktop 2.6, and Virtual PC 3.0.3; Apple's free release of iMovie; and major Internet security issues found in FileMaker Pro 5. Topics: MailBITS/01-May-00 Modifying the Macintosh Startup Sequence Email Spam: The Bandwagon Plays On, Part 2 Copyright 2000 TidBITS Electronic Publishing. All rights reserved. Information: Comments: --------------------------------------------------------------- This issue of TidBITS sponsored in part by: * READERS LIKE YOU! You can help support TidBITS via our voluntary <- NEW! contribution program. Special thanks this week to Mike Millard, Richard Mageau, and David Chaplin-Loebell for their support! * APS Technologies -- 800/443-4199 -- -- How <--- NEW! do you back up your APS hard disks? Try APS tape, removable, and CD-R drives! * WinStar Northwest Nexus. Visit us at . Internet business solutions throughout the Pacific Northwest. * Small Dog Electronics: PowerLogix PowerForce G3 350MHz: $189 <----- NEW! NEW! G4/450 256/27GB/DVD-RAM/Zip & FREE 256MB RAM Upgrade!: $2,949! Asante 8-port 10-BaseT, 2 port 10/100 FS3208+ Switch: $89! For Details: -- 802/496-7171 * Not only does Outpost offer Free Overnight Delivery, but now we offer SAME-DAY DELIVERY! Order that camcorder by 10:30 am EST and film your child's little league game tonight! Astonishing? Not at Outpost.com! * Aladdin Systems: STUFFIT DELUXE 5.5 GETS 4 MICE FROM MACWORLD Read the review at macworld.com and see why StuffIt is still the best way to send/receive files over the Internet! UPGRADE NOW AT: * TRY NEW INTERNET EXPLORER 5 MACINTOSH EDITION AND ENTER TO WIN! Internet Explorer for the Mac supports Apple technologies and helps you find, track, and use information from the Net. Enter to win an iMac! * FILEMAKER PRO HOSTING at digital.forest gives you all the tools <-- NEW! needed to put your FileMaker Pro database on the Web, including FileMaker Web Companion, Lasso, Tango and our exclusive Online Database Manager, Alder! * MacAcademy: FILEMAKER PRO LIVE TRAINING SEMINARS! Master the <----- NEW! Power of FileMaker Pro 5. A 16 city tour, coming to a city near you! Call 800/527-1914 or register online today at: ->->->->->-> --------------------------------------------------------------- MailBITS/01-May-00 ------------------ **Government Recommends Microsoft Breakup** -- In the latest move in the ongoing antitrust action against Microsoft, last Friday the U.S. government proposed breaking Microsoft into two separate companies for ten years. One company would be tightly regulated and focus solely on Windows operating systems, and the other would encompass all other Microsoft businesses, including Office, online ventures, development tools, server software, Web browsers, games, and much more. Microsoft reiterated its intention to defend itself aggressively against any judgment against it. [GD] **FileMaker 5 Internet Security Holes** -- Blue World Communications has published a FileMaker 5 security alert outlining serious Internet security issues with FileMaker Pro 5 and FileMaker Pro 5 Unlimited's XML publishing and email capabilities. Two exploits enable an interloper to acquire the entire contents of any Web-published database via email or as XML regardless of Web security settings; another enables anyone on the Internet to use FileMaker 5's email capabilities to send arbitrary email messages (a problem sure to delight spammers worldwide). These revelations come a week after FileMaker Inc. published documentation of FileMaker Pro 5's Web publishing capabilities in FileMaker Developer 5, although portions of FileMaker's XML capabilities have been documented on FileMaker's Web site for five weeks. As of this writing, FileMaker has not acknowledged any problems, and the only workarounds currently appear to be disabling FileMaker 5's Web Companion, reverting to FileMaker Pro 4.x (which does not have these security issues, but cannot open FileMaker 5 databases), or using a middleware product like Blue World's Lasso as a gateway for incoming requests. [GD] **Apple Offers Free iMovie Download** -- Citing popular demand for iMovie, Apple has made its entry-level desktop video editing program available as a free download for owners of PowerBook G3 (FireWire) and Power Macintosh G4 machines. iMovie accepts video input from digital camcorders using a FireWire connection and enables budding cinema auteurs to rearrange clips and add transition effects, sound, and titles. Movies can then be exported in a variety of formats. The 19.2 MB download does not include the 160 MB tutorial, and Apple offers no technical support for the Web version. iMovie currently ships with iMac DV computers. [JLC] **Handspring Releases Palm Desktop 2.6** -- Handspring, Inc. has released Palm Desktop 2.6 for the Macintosh, which is compatible with the Visor handheld device and fixes a USB synchronization problem introduced in Mac OS 9.0.4. Previously, Visor owners were limited to using Palm Desktop 2.1, instead of version 2.5 which Palm, Inc. released in October 1999 (see "Palm Desktop 2.5 Expands HotSync & USB Support" in TidBITS-501_). Palm Desktop 2.6 provides features available in the 2.5 release, including integration of HotSync functions within the Palm Desktop application, enhanced USB support, and easy switching between users. Although Handspring has the new application available, its documentation and appearance suggests this is a Palm, Inc. update as well (Handspring licenses the Palm OS and Palm Desktop from Palm). In our testing, the update functioned correctly with a Palm V as well as a Visor. However, as of this writing Palm has not made the update available, and you must enter your Visor's serial number to download the free 12 MB file from Handspring. [JLC] **AOL 5.0**-- America Online has released AOL 5.0 for Macintosh, which includes a new calendar feature, the capability to retrieve messages you've accidentally deleted within the last 24 hours, support for Apple's text-to-speech technology to read messages aloud, and more. However, the new client still includes a customized version of Internet Explorer 4.0 as its Web browser, not the more recent Internet Explorer 4.5 or 5.0. AOL 5.0 requires a PowerPC-based Macintosh with at least Mac OS 8.1, 32 MB of RAM, and 30 MB of disk space, although AOL recommends a PowerPC G3 or better processor, 64 MB to 128 MB of RAM, and 100 MB of disk space. AOL 5.0 is a 10.4 MB download. [JLC] **Virtual PC 3.0.3 Update Released** -- Connectix has released Virtual PC 3.0.3 Updater, which improves compatibility for Windows 2000 and Red Hat Linux 6.1. The new version of the Pentium chip emulator also adds Velocity Engine (AltiVec) optimizations for Power Mac G4 machines, resolves an issue with iMac DV systems, and improves stability for sharing folders and drag & drop operations. The update is a 2.5 MB download, and is free for owners of Virtual PC 3.0. [JLC] **Dartmouth Spins Off Software** -- Three popular network monitoring and troubleshooting tools developed and sold by Dartmouth College have been transferred to Dartware, LLC, a newly formed New Hampshire company. Included are InterMapper, a network and server monitoring tool with email alert and paging features; MacPing, a multi-featured ping-based network troubleshooting tool; and SNMP Watcher, an SNMP network monitoring console. The new venture brings together Rich Brown and Bill Fisher (who created and supported the software at Dartmouth over the last four years) with Stuart Pompian. [MHA] **Poll Preview: Collateral Spammage** -- This week brings the conclusion of Brady Johnson's look at anti-spam legislation in the United States, and his article prompted us to wonder how serious the spam problem is for you. We receive numerous spam messages every day (I've averaged about 56 per week in 2000), but our addresses are extremely public. So help us determine more clearly what the actual impact of spam is on Internet. The question: "On average, how many unsolicited commercial email messages do you receive during a week at all of your email addresses?" Whether you think the spam problem is completely overhyped or the scourge of the Internet, be sure to cast your vote on our home page! [ACE] Modifying the Macintosh Startup Sequence ---------------------------------------- by Adam C. Engst In last week's quiz, we asked what you hold down at startup to eject removable media from your Mac. The correct answer is the mouse button, which about two-thirds of the 2,150 quiz respondents knew. However, most of the rest of the answers also have functions at startup, and the knowledgeable folks on TidBITS Talk pointed out even more startup modifiers as well. The next time you turn on your Macintosh, try one of the following. **Controlling the Post-Startup Environment** -- Most Macintosh users know about holding the Shift key down to prevent extensions from loading, but there are numerous startup modifiers that affect the state of the system after the boot process finishes. * Shift causes the Mac to boot without extensions, which is useful for troubleshooting extension conflicts. If you hold down Shift after all the extensions have loaded but before the Finder launches, it also prevents any startup items from launching. * Spacebar launches Apple's Extensions Manager early in the startup process so you can enable or disable extensions before they load. Casady & Greene's Conflict Catcher, if you're using it instead of Extensions Manager, also launches if it sees you holding down the spacebar, or, optionally, if Caps Lock is activated. Conflict Catcher also adds the capability to configure additional startup keys as ways of specifying that a particular startup set should be used. Choose Edit Sets from the Sets menu, select a set in the resulting dialog and click Modify. In the sub-dialog that appears, you can specify a startup key and check the checkbox to make it effective. * Option, if held down as the Finder launches, closes any previously open Finder windows. On stock older Macs, holding down Option does nothing at startup by default, although some extensions may deactivate if Option is held down when they attempt to load; see below for Option's effect on new Macs and Macs with Zip drives. * Control can cause the Location Manager to prompt you to select a location. Although Control is the default, you can redefine it in the Location Manager's Preferences dialog, and since Control held down at startup also activates Apple's MacsBug debugger (see below), you may wish to pick a different key combination. * Command turns virtual memory off until the next restart. * Shift-Option disables extensions other than Connectix's RAM Doubler (and MacsBug - see below). To disable RAM Doubler but no other extensions, hold down the tilde (~) key at startup. * Escape does nothing at startup by default, although some third party utilities might look for it at startup as a signal to disable themselves. (We only include it here because it was one of the incorrect quiz answers.) **Eliminating Corruption** -- Several startup modifiers are useful for resetting low-level aspects of the Mac to default states to aid in troubleshooting. * Command-Option rebuilds the desktop files on disks when they're mounted. This can happen when you insert removable media, or at the end of the startup process as the Finder launches. Holding down these keys while all your extensions load may disable some of them - it's best to press the keys between when you see your last extension icon appear and before the Finder launches. * Command-Option-P-R "zaps" the Mac's Parameter RAM, or PRAM, which contains a variety of low-level settings. Zapping PRAM was the subject of an earlier quiz and followup article in TidBITS-506_. **Choosing Startup Disks** -- Not surprisingly, many of the startup modifiers affect the disk used to boot the Mac. A number of these are specific to certain models of the Macintosh. * The mouse button causes the Mac to eject floppy disks and most other forms of removable media, though not CD-ROMs. * The C key forces the Mac to start up from a bootable CD-ROM, if one is present, which is useful if something goes wrong with your startup hard disk. This key doesn't work with some older Macs or clones that didn't use Apple CD-ROM drives; they require Command- Shift-Option-Delete instead (see below). * Option activates the new Startup Manager on the iBook, Power Mac G4 (AGP Graphics), PowerBook (FireWire), and slot-loading iMacs. The Startup Manager displays a rather cryptic set of icons indicating available startup volumes, including any NetBoot volumes that are available. On some Macs with Iomega Zip drives, holding down Option at startup when there is a Zip startup disk inserted will cause the Mac to boot from the Zip disk. * Command-Shift-Option-Delete bypasses the disk selected in the Startup Disk control panel in favor of an external device or from CD-ROM (on older Macs). This is also useful if your main hard disk is having problems and you need to start up from another device. (On some PowerBooks, however, this key combination merely ignores the internal drive, which isn't as useful.) * The D key forces the PowerBook (Bronze Keyboard and FireWire) to boot from the internal hard disk. * The T key forces the PowerBook (FireWire) (and reportedly the Power Mac G4 (AGP Graphics), though I was unable to verify that on my machine) to start up in FireWire Target Disk Mode, which is essentially the modern equivalent of SCSI Disk Mode and enables a PowerBook (FireWire) to act as a FireWire-accessible hard disk for another Macintosh. **Seriously Tweaky Startup Modifiers** -- Only programmers and the most geeky of users will find these startup modifiers useful. * Control activates Apple's MacsBug debugger as soon as it loads. If you rely on this frequently, you may want to redefine the default key for selecting the Location Manager location at startup from Control to something else. For more information about MacsBug, check out Geoff Duncan's three-article series. * Shift-Option disables extensions and virtual memory but still loads MacsBug, which would otherwise be disabled by the Shift key. * Command-Option-O-F puts you into Open Firmware mode on PCI-based Macs and clones. Open Firmware is a cross-platform firmware standard for controlling hardware that all PCI-based Macs use. It's mostly of interest to hardware developers, but it can be a fun way to freak out a new user who's not expecting to see a command line on the Mac. To exit Open Firmware and continue booting, type "mac-boot" or "bye" (depending on Macintosh model) and press Return. For a list of commands you can enter while in Open Firmware mode, see the following Tech Info Library article. **Just for Fun** -- Although Apple has moved away from relatively frivolous "Easter Eggs" connected with startup modifiers, there are a few available for old Macintosh models. * Command-X-O, when held down at startup on a Macintosh Classic boots the Classic from a built-in ROM disk. We wrote about this back in November of 1990, in TidBITS-031_. * Command-Option-C-I, when held down at startup on a Macintosh IIci whose date has been set to 20-Sep-89 (the machine's introduction date), produces some sort of graphical display that I can't check for lack of a relevant machine. A different display appears if you hold down Command-Option-F-X at startup on a Macintosh IIfx with the date set to 19-Mar-90. Email Spam: The Bandwagon Plays On, Part 2 ------------------------------------------ by Brady R. Johnson TidBITS has published a variety of articles about how to deal with unsolicited commercial email (UCE), more commonly referred to as "spam" (see "Responding to Spam" in TidBITS-442_). As the problem has increased with the widespread popularity of the Internet, lawmakers have begun to pay serious attention to the bulk email that's flooding their constituents' mailboxes. In the first part of this article, I covered the legal definitions of spam and some of the studies done by governmental bodies into the severity of spam. In this installment, I'll talk about how various governments propose to handle this growing problem. **Response by Congress and the States** -- Email solicitation has much in common with other forms of commercial bulk marketing such as junk mail and broadcast advertising. Advertising speech is protected by the First Amendment and an outright ban on any type of advertising, including bulk mail solicitations, would be unconstitutional. But commercial speech can be regulated to a greater degree than private speech. Based on two Federal Trade Commission reports (see the first part of this article), as well as the increasing number of consumer complaints, Congress and several states began considering legislative solutions to the problem. Congress has not yet passed any legislation, but 20 states have considered the issue and 15 have enacted laws on the subject. Others are actively considering legislation to address the problem. The state and federal statutes - both proposed and enacted - contain many similar provisions. A business that wishes to advertise on the Internet can generally avoid violating the statutes by complying with certain rules such as: * Include valid headers and particularly include a return address such that the recipient of an email solicitation can reply to a valid email address that is monitored to ensure that it does not become full and begin bouncing email. * Include instructions in the body of the message providing an email address, a toll-free telephone number, or both, so a recipient can ask to be removed from the mailing list. * Maintain an "opt out" list of persons who have asked not to receive email solicitations and ensure they are removed from the mailing list. (Statutes are unclear on the sender's responsibility regarding future iterations of the email list.) * Use accurate and informative subject lines on all solicitations. Any solicitation for adult material should be clearly identified in the subject line with the initial characters being "ADV:ADLT." All other solicitations should begin with "ADV:" **State of the States** --Responding to increasing consumer complaints about a variety of scams, a proliferation of unwanted pornographic solicitations, and other abuses, some state legislatures began considering how to regulate Internet email marketing in a manner that would both protect the consumer and allow legitimate businesses to advertise their products. The resulting proposed and enacted statutes are chaotic; although many provide criminal penalties, most create a private right of action for damages, and several empower the state's Attorney General to pursue a civil action for damages and injunction. Email legislation at both the state and federal levels also shares significant similarities. Although each state has adopted a slightly different definition of spam, there are enough factors in common to present a pattern. Of the 15 states that have passed laws on spam so far, 8 have made violating one or more of the following prohibitions a criminal offense that will subject an individual or corporation to fines and possible incarceration: * False or misleading routing or transmission information in the headers. * Misleading or deceptive subject line. * Use of a third party domain without permission. * Offering to sell software primarily intended for these purposes. Other provisions contained in state laws that may create civil liability on an individual or corporation include: * No means of opting out or getting off of a mailing list. * Continuing to send email after receipt of an opt out request. * Violation of primary ISP policies. * Failing to label UCE as "ADV:" in the subject line. Ten of the 15 states permit individuals to sue a spammer for violation in addition to other criminal or civil penalties the state may impose. In most of theses states, recipients of spam that violates the prohibitions noted above can sue the sender for statutory damages that range from $10 per item in Delaware and other states to $500 per item in Washington state. In addition, a provider of interactive computer services (like an ISP) may sue for higher damages. In Washington state, the amount is $1,000 per item. To illustrate the significance of these provisions, in one pending case in Washington state, an ISP that received 5,800 UCEs is suing a corporation for violations of the state anti-spam law. At $1,000 each, the sender's exposure is $5,800,000. Most of the state statutes provide that anyone sending email solicitations to residents of their state are subject to the jurisdiction of the state courts. This is a form of law known as a long-arm statute. Anyone who tries to sell a product in a state - even if they are doing so from out of state via catalog or email solicitations - has the protection of the state laws if a buyer refuses to pay, for example, and also has the responsibility to obey state laws such as the consumer protection and anti-spam statutes. Thus, a recipient of UCE may file suit in the courts of his own state. A spammer who sends to recipients in multiple states and violates the law in one or more may find himself responding to multiple suits filed in several different state courts. An interesting provision contained in four of the state statutes is that the sender of UCE must honor the policies of the ISP they use. For example, if a person were to use AOL to send email across the Internet, and the email violated AOL's written and posted policies, that sender's violation of the AOL policies would _also_ be a violation of law in California, Iowa, Louisiana and North Carolina. California and Tennessee have passed laws that require all UCE to be labelled as an advertisement. The subject line of email offering goods or services for sale must begin with the letters "ADV:". In California, if the solicitation is for material that can legally be viewed or possessed only by a person over 18, the subject line must begin with the letters "ADV:ADLT." Under the long-arm provisions that grant jurisdiction over non- compliant UCE sent to state residents, it is possible that a spammer in any state who sends a solicitation to a California resident but omits the "ADV:" label may become subject to penalties in California. At the current time the courts have not shed any light on this jurisdictional question - the issue involves not only long-arm jurisdiction, but also something called "conflict of laws," where an action may fall within the statutes of more than one state. In such cases, the court is required to determine which state law to apply to the case. Conflicts analysis can become very complex. The states that have enacted anti-spam statutes of one type or another are California, Connecticut, Delaware, Iowa, Illinois, Louisiana, Maryland, North Carolina, Nevada, Oklahoma, Rhode Island, Tennessee, Virginia, Washington State, and West Virginia. Maine has enacted a statute establishing a commission to study the problem and make recommendations to the legislature for appropriate legislation. **Possible Federal Statutes** -- A wide variety of bills addressing email solicitation have been proposed in the House and Senate since 1997. While none have received the concurrence of both houses (and thus none have been presented to the President for signature) it is instructive to examine the types of concerns Congress is attempting to address for two reasons. First, it is highly likely that Congress will pass a bill on this issue, and second, two of the fifteen states that have anti-spam laws have specifically included a provision that says their law will expire if a federal statute is passed. The federal legislation proposed to date does not contain the more stringent provisions of the state laws. In general, the federal bills do not criminalize violations and nearly all of them permit email solicitation in some form so long as the user has a meaningful way to opt out of the mailing list. Only one proposed federal statute has included a provision that UCE be labelled in the subject line, and only one has contained a provision requiring that senders of UCE honor an ISP's policies. The most recent submission to Congress is the Unsolicited Electronic Mail Act of 2000. If enacted, the statute would make it illegal for spammers to violate the usage policies of an ISP, would require use of valid return or Reply-to addresses and that spammers maintain and honor an opt-out list. It also requires that email solicitations be clearly marked in some standardized way, to be determined by the FTC. That bill was recently amended in committee in March, and must be introduced to the floor of the House of Representatives, then to the Senate if it passes the House. At either stage it can be sent back to committee for further revision. If it finally passes both the House and the Senate, it will be presented to the President for signature. At the present time, it is uncertain just what effect a future federal statute would have on existing state legislation. There is some precedent in the so-called junk fax legislation however. The federal Telephone Consumer Protection Act prohibits unsolicited faxes being sent to consumers and imposes a penalty of $500 per fax sent in violation of the statute. Washington and other states have a similar statute providing a nearly identical remedy for unsolicited faxes. It is quite likely that state and federal statutes regarding UCE will coexist in the same way that the anti-fax statutes have. **Unsolved Mysteries** -- For the most part, none of the statutes addresses a key issue in the spam wars: most spammers don't want to be found. They conceal their identities and return addresses for a reason. They know that it is just as easy for their victims to send them opt-out email as it is for them to send the spam in the first place. If the spammers let the victims actually have a say, the spammers will be inundated with opt-out requests and will have to do an honest day's work trying to keep their mailing lists clear of those who have opted out. A good example of this problem is found in Engst v. Worldtouch. Adam Engst and three other TidBITS editors filed suit against "Christopher Lee Knight" and "Worldtouch Network, Inc." in July, 1998 under the then-new Washington state anti-spam law. Like most states, Washington state requires that legal pleadings be personally served on the folks being sued. Corporations can be served by delivering a copy to a registered agent or a corporate officer. It quickly became apparent that "Worldtouch Network, Inc." was not incorporated at all, despite the misleading business name. "Christopher Lee Knight" turned out to be one of several aliases. While we could easily track the movements of his business - he changed the business address once per month every month after being sued - finding Mr. "Knight" turned out to be far more difficult. In the end, it took more than a year and the services of three private investigators. Obviously, hiring attorneys and private investigators can be expensive. Washington state's law also provides that the state's Attorney General can bring an action against a spammer. The Attorney General's office has greater resources than the average individual to locate spammers. But the Attorney General's office is inundated with spam complaints and is being selective about the cases they bring. That leaves unsolved the problem of how to deal with scofflaw spammers who will simply ignore federal and state law, falsify their return address and routing headers, and continue spamming. Another problem is that of the international spammer. A person who sends spam from another country is not subject to the jurisdiction of U.S. courts unless the U.S. and that country have a treaty giving jurisdiction. Enterprises in the Bahamas and other nations without strong regulation of unfair business practices and without jurisdictional treaties with the U.S. have already been the source of problems with offshore Internet gambling sites. As the legal environment for spammers becomes less friendly in the United States, U.S. residents can expect to see more and more spam coming from outside national borders. The issue has only begun to be discussed internationally. No other nation has the volume of Internet traffic that the U.S. does, and not all cultures encourage unrestricted capitalism as strongly the U.S. does. So it may be some time before a meaningful international solution develops. **Summing Up** -- In the United States, Internet accounts are becoming pervasive. Advertisers prominently display Web URLs, more and more media provide some content on the Web, and small businesses are putting up Web sites in potentially vain attempts to compete with the big boys. Individuals and business without Internet access are beginning to feel as out of touch as those without telephones. With the commercialization of the Internet come the abuses, the hard sells, the unwanted solicitations. And with those abuses come complaints, followed closely by government regulation. That regulation is currently in fast-paced flux with states enacting a sometimes confusing welter of overlapping laws, and the federal government considering whether and how to enact federal regulation of commercial speech on the Internet. In most respects, regulation of abuses like spam are important, necessary and generally well received. But there is another, more insidious consideration. The more we ask the government to intervene in the Internet, the more regulations we will receive. Not all of those regulations will be to our liking, and some very well may be the exact opposite of what we as consumers would like to see. We would all do well to bear in mind the warning of the sages: Be careful what you wish for. $$ Non-profit, non-commercial publications may reprint articles if full credit is given. Others please contact us. We don't guarantee accuracy of articles. Caveat lector. Publication, product, and company names may be registered trademarks of their companies. This file is formatted as setext. For more information send email to . A file will be returned shortly. For information: how to subscribe, where to find back issues, and more, email . TidBITS ISSN 1090-7017. Send comments and editorial submissions to: Back issues available at: And: Full text searching available at: -------------------------------------------------------------------