Archive for August, 1996

The ActiveX Intrusion

Tuesday, August 20th, 1996

(This column first appeared in the August 20, 1996 issue of PC Graphics Report)

Picture yourself about to enter the soft drink aisle of your local supermarket. The end cap display has Coca Cola, your normal brand of soda, so you pick up a six-pack. Pleased with not having to hunt through the shelves, you turn into the soft drink aisle to get to the cashier at the other end, only to be greeted by a major shopping cart and pedestrian traffic jam. Even worse, there are now people behind you, so you have no choice but to go forward.

Turns out the traffic jam and resulting chaos is the result of every imaginable vendor of soft drinks having set up a tasting table in the aisle, leaving little space for shoppers to pass. As if that weren’t bad enough, instead of serving samples in little one ounce tasting cups, the vendors adamantly insist that samplers must drink a full 12 ounce can. Why? The vendors say with only an ounce, consumers can’t possibly get a proper sense of how “wonderful” any given soft drink in question is, but 12 ounces should do the trick.

The final straw (pardon the pun) is that you can’t leave the aisle until you have sampled at least a half dozen of the hundreds of offerings there. And so, instead of just buying a six-pack of Coke for leisurely consumption, you’ve been forced to down the equivalent of a six-pack of soda you most likely didn’t care for beforehand, and certainly don’t now.

Where’s this scenario leading to?

Internet Explorer 3.0 (IE3), with a bunch of nice features (the “Coke” in my nightmare above), was officially released by Microsoft last week, and with it a flurry of press releases offering support in the form of ActiveX controls (the 12 ounce soda samples).

Data Type Overload
As I expressed in my column last week, I think we’re on the verge of seeing a backlash by users against the onslaught of ActiveX controls and plug-ins, and this past week’s slew of announcements further reinforces that notion. In the table below you’ll find a list of new Internet Explorer 3.0 ActiveX controls dealing with graphics and audio, which I compiled by searching the Web and perusing recent press releases.

Company ActiveX Control Control Type Web address
Adobe Acrobat Reader DTP
Astound WebMotion & WebPlayer multimedia
Autodesk Whip! drawing viewer
Black Diamond Surround Video panoramic viewer
Cornerstone Imaging ISIS imaging scanning
Dimension X Liquid Motion Java animation
Ephyx V-Active interactive Video
FutureWave Software FutureSplash custom animation
ichat ichat chatting
INFInet Op Lightning Strike wavelet based image CODEC
Macromedia Shockwave multimedia
mBED Software mBED multimedia
Mediamatics MPEG-1 MPEG-1 player
Micrographx QuickSilver presentation graphics
Microsoft VRML VRML 1.0 viewer
Softoholics OGL OpenGL access
Superscape Viscape 3D viewer
Tegosoft 3D Virtual Reality 2D to 3D converter
Template Graphics Software Visual 3Space VRML/3D viewer
Totally Hip Sizzler custom streaming animation
Tumbleweed Software Envoy DTP
VDOnet VDOLive! streaming video

Of the 23 ActiveX controls, only the ones from Macromedia and Mediamatics are actually being shipped as part of Internet Explorer 3.0. A small number of the controls listed support open, widely supported standards, and the remaining majority focus on promoting proprietary file formats, which are created by products sold by the providers of the ActiveX controls. Seems like this might be a good time for companies to get together and create some industry standard file formats which support all their extensions, much in the way everyone involved in the VRML 2.0 effort has done.

Oh, and if you’re a Netscape Navigator user, don’t despair that you’re missing out on the whole ActiveX madness. NCompass, a Canadian company, has developed a Netscape Plug-In which will let Navigator users punish themselves by allowing Navigator to run all the same ActiveX controls that IE3 users have access to. NCompass and their ActiveX plug-ins can be found at

Being Protected From One’s Self
Ironically enough, had I been searching for a more complete list of ActiveX controls just a week prior, I would have found a list exceeding 100 on Microsoft’s own Web site. But now, they’ve been taken off by Microsoft, and replaced by a message which includes the following excerpt:

“If you’ve visited the gallery before, you’ll remember it contained over 100 controls from over 30 companies. Now you’ll find only 12 controls from Microsoft. So where have all the controls gone? Well, now that the Internet Explorer 3.0 final release is out, we’ve asked our partners to digitally sign their controls for safe downloading, and we’ve temporarily pulled the controls while the code-signing takes place. We’ll be adding the controls back in after they’ve been signed, so please check back!”

Now, let’s take a look at what the above message actually means. By “digitally sign,” Microsoft’s note refers to the new Authenticode process Microsoft has instituted to protect us from ActiveX-borne viruses. This process requires a digital ID from companies known as Certificate Authorities (the two that are mentioned are from VeriSign and GTE). The digital ID is used to encrypt a “certificate” which becomes part of the ActiveX control. When IE3 detects the need for an ActiveX module and attempts to load it, it first checks for the Authenticode header.

If an Authenticode header is found, a digital “certificate” is displayed, allowing the user to determine if he/she wants to install that module. The certificate also displays the name of the software company which owns the header (and presumably the ActiveX control), as well as the name and Web link for the Certificate Authority. The user is also presented with the option to ignore all further certificates (i.e. automatically download and use all future code) from either the software company or the listed certificate authority or both.

If an Authenticode header isn’t found, IE3 posts a warning noting the “component has not been digitally ‘signed’ by its publisher. It may contain viruses or otherwise harm your computer,” and asks the user if he/she wants to continue anyway.
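The header check described above can be sketched as follows. This is an added example, not code from the column or from Microsoft; it assumes the PE/COFF layout in which an Authenticode signature is stored in the Certificate Table data directory, and the sample images are constructed placeholders. Note that finding the blob only selects which dialog to show; it proves nothing until the hash and certificate chain are verified.

```python
import struct

SECURITY_DIR = 4                       # data-directory slot of the Certificate Table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
DIR_OFFSET = {0x10B: 96, 0x20B: 112}   # PE32 / PE32+ offset of the directory array


def find_signature_blob(image: bytes):
    """Return (file_offset, length, cert_type) of the embedded signature blob,
    or None if the image carries none. Raises ValueError when the headers are
    malformed or the table points outside the file."""
    try:
        if image[:2] != b"MZ":
            raise ValueError("not an MZ executable")
        pe = struct.unpack_from("<I", image, 0x3C)[0]
        if image[pe:pe + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        opt = pe + 4 + 20                          # skip the 20-byte COFF header
        magic = struct.unpack_from("<H", image, opt)[0]
        if magic not in DIR_OFFSET:
            raise ValueError("unknown optional-header magic")
        dirs = opt + DIR_OFFSET[magic]
        count = struct.unpack_from("<I", image, dirs - 4)[0]
        if count <= SECURITY_DIR:
            return None
        offset, size = struct.unpack_from("<II", image, dirs + 8 * SECURITY_DIR)
        if offset == 0 and size == 0:
            return None                            # unsigned: slot left empty
        if offset == 0 or size < 8 or offset + size > len(image):
            raise ValueError("certificate table outside file")
        # WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType
        length, _revision, cert_type = struct.unpack_from("<IHH", image, offset)
        if not 8 <= length <= size:
            raise ValueError("bad WIN_CERTIFICATE length")
        return offset, length, cert_type
    except struct.error as exc:
        raise ValueError(f"truncated image: {exc}") from None


def browser_decision(image: bytes) -> str:
    """Mirror the two dialogs the column describes, keyed on blob presence."""
    blob = find_signature_blob(image)
    if blob is None:
        return "warn: component has not been digitally signed"
    if blob[2] != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        return "warn: unrecognised certificate type"
    return "blob present: verify hash and chain, then show certificate"


def build_sample(signed: bool) -> bytes:
    """Constructed minimal PE32 header; the 'signature' is placeholder bytes."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 92, 16)            # NumberOfRvaAndSizes
    image = bytearray(bytes(dos) + b"PE\0\0" + coff + bytes(opt))
    if signed:
        blob = b"\x30\x82" + b"\x00" * 14          # placeholder, not real PKCS#7
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        entry = 0x40 + 24 + 96 + 8 * SECURITY_DIR
        struct.pack_into("<II", image, entry, len(image), len(cert))
        image += cert
    return bytes(image)


if __name__ == "__main__":
    for label, signed in (("unsigned", False), ("signed", True)):
        print(label, "->", browser_decision(build_sample(signed)))
```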

Microsoft appears pretty confident that Authenticode will work to ensure no viruses will be downloaded by users, and if by some chance they are, the source of the virus would be traceable, thanks to the digital ID. They also make the point that if a user chooses to ignore a lack of Authenticode in modules they download, they do so at their own risk. Microsoft’s virus note will certainly dissuade the meek, and is surely intended to encourage all software developers to obtain a digital ID.

I seriously doubt that the digital IDs are foolproof, and think that soon enough some hacker out there somewhere will figure out how to fake an Authenticode header and distribute all sorts of nasty viruses, just to prove a point. That’s in addition to the real threat of dormant viruses already having been planted in existing software which has been downloaded and installed on existing systems. My faith in Authenticode, both technically and conceptually, isn’t very strong.

Obtaining A Digital ID
Big brother is alive and well in Redmond. For a software developer to obtain a digital ID from Microsoft’s Authenticode partners, the developer has to provide financial information, in theory so that a user can be assured the developer is reputable, established, and will be around if you need to sue him for the damage his accidentally introduced virus caused. It also costs money to get a digital ID—not much, but multiplied over the thousands of Microsoft ISVs it adds up to a pretty bundle.

Keep in mind if you want to provide users with some sort of ActiveX control now, and want to avoid having users panic when they are warned about potential viruses, you’re going to have to get yourself and/or your company certified.

Here are the details I pulled off VeriSign’s Web site on the matter:

Based on Microsoft code signing program criteria, VeriSign will attempt to verify that your company meets a minimum financial stability level using ratings from Dun & Bradstreet Financial Services. Your certificate will indicate if you have met this level. Some software, such as the Microsoft Internet Explorer 3.0, offers end users an option to bypass making an explicit choice to trust code from each new software publisher. If an end user checks an option to trust all software signed by vendors who have met the financial criteria, code signed by these vendors will be run without any user intervention.

Pricing of Digital IDs for Software Validation:

Class 2 Digital ID for Validating Software: $20 annually [for Individual Software Publishers]

Class 3 Digital ID for Validating Software: $400 annually [for Commercial Software Publishers, i.e. companies]

You will need Microsoft Internet Explorer 3.0 build 1117 (beta 2) or build 1154 or later to apply for your credentials and view your signed software.

You will need the following information during the enrollment process:

Individual Software Publishers
• Your name, address, and e-mail address
• Date of birth
• Social Security Number
• Previous address (if you have moved in the past 2 years)
• Credit card information for billing

Commercial Software Publishers
• Company name and location
• Your name, address, e-mail, phone, and fax
• Information for a technical contact and an organizational contact
• Your company’s DUNS number, if any
• Billing information (credit card, P.O. or check), and billing contact information, if any

Sounds very much like applying for a credit card. It’s uncertain whether Microsoft gets a copy of this private information, but it’s invasive in any event. I’m sure that at least a list of certified developers will be provided to Microsoft, so the company can further toot its own horn about how popular ActiveX is.

In case you hadn’t noticed, the whole digital ID process is also very U.S.-centric, especially for the Individual Software Publishers. I guess if you’re a non-U.S.-based developer of software, you’re out of luck for now.

Of course, I’m sure all those companies who were thrilled to be listed in Microsoft’s ActiveX Gallery earlier and just got de-listed are feeling pretty uptight right now that Microsoft is forcing them to authenticode their code before allowing them to be listed. I question why this didn’t happen weeks ago so these companies would be able to share in the official IE3 roll-out being listed on the site. The answer is either Microsoft just barely got their act together, or they intentionally wanted to send a strong message that in order to play with Microsoft, companies need to do what Microsoft wants them to.

Microsoft Marketing Machine
And, speaking of what Microsoft wants you to do…

Microsoft, the company that recently chided Netscape for not adhering to industry accepted standards, has struck several exclusive deals with leading Web sites to promote how wonderful IE3 is. Oddly enough, the deals standards-obsessed Microsoft has struck require IE3 to be used (much as you need IE3 to obtain a Digital ID for use with Authenticode). If you use Netscape Navigator or another Web browser on these sites, you either don’t see the special IE3-only portion of the site, or you get a Web page that insults your intelligence for daring to use a browser other than IE3.

The Web sites Microsoft has this “special” relationship with include ESPNET SportsZone, Hollywood Online,, MicroWarehouse, MTV Online,, Yahoo!, and The Wall Street Journal Interactive Edition.

Microsoft must have dangled a pretty nice carrot to have these organizations potentially alienate 80%+ of the Web surfing market which doesn’t use any form of Microsoft Web browser, and hasn’t, at least for the last several months, shown any urge to do so.

Believe it or not, it really bothers me to rant about Microsoft and their monopolistic, strong-arm tendencies. But, they keep insisting on giving me such great ammunition for my columns…

Anyhow, the list of graphical and audio ActiveX controls I listed at the beginning of this week’s column is only the tip of the iceberg. Expect to see another several dozen proprietary viewers of graphical, audio, and multimedia content before the end of the year, thus creating more chaos, confusion, and clamoring for the attention of users who just want to stick with whatever they already have. In other words, go home with their favorite six-pack of soda, and leave the others behind.


Tuesday, August 13th, 1996

(This column first appeared in the August 13, 1996 issue of PC Graphics Report)

It’s been some time since I was last at SIGGRAPH for more than five hours. In fact, I think it was Las Vegas, on my wife’s birthday. It wasn’t a particularly enjoyable time though, since Las Vegas was awash in water (two feet deep on some streets because their drainage system is non-existent) from unusual torrential rains, and the car we were in on our way to Linda’s birthday dinner was struck by a 1970s American-made monstrosity on wheels ambiguously directed by a deaf octogenarian.

You may understand, therefore, why I approached this year’s SIGGRAPH in Nawlins with some trepidation. My first move (or rather the lack thereof) was to NOT rent a car to be struck in. That turned out fine as the various taxis I was in were almost in several accidents. Anyhow, I survived this SIGGRAPH without any major scars, mental or physical or otherwise.

A Kinder, Gentler Microsoft?
As you may have read elsewhere, the big deal at SIGGRAPH was VRML 2.0. Everybody loves VRML 2.0, and even if there was someone at SIGGRAPH that didn’t, they still said they did. This is the first time in many years that I can recall any published specification garnering such voluntary support in such a short time.

Of course, you might point out anytime Microsoft or Intel announces something, dozens of companies hop on the bandwagon and proclaim their undying fealty to whatever it is that was announced. VRML 2.0 was different because the support was voluntary, and because no PR machine was involved. To Microsoft’s credit, however, I did get a glimpse of something purported to be a kinder, gentler Microsoft this week. Mind you, I still think it’s all a plot, but I’m willing to give them the benefit of the doubt.

What I’m referring to is Microsoft dropping the confusing name of “ActiveVRML”, repositioning that product as ActiveAnimation, and then implicitly giving support to a non-Microsoft standard (VRML 2.0) by licensing a very good VRML 2.0 engine to provide, free of charge, to users of its Internet Explorer 3.0 virus… er… product. The Microsoft I’m more familiar with would have insisted on using its bulk and might to place ActiveVRML squarely in competition with VRML 2.0, telling everyone it knows better. Quite a change in behavior.

Then there’s the tidbit that Microsoft has actually teamed up with Netscape to fight a patent which claims to govern the digital broadcasting of audio. Wow. What’s this world coming to? Microsoft and Netscape working together.

I was relieved to find out that my world had not changed completely. Turns out that last week, in the midst of all the touchy-feely nice stuff going on with Microsoft, its lawyers sent Netscape a scathing letter demanding they change their pricing comparison of their Web server product versus Microsoft’s. It appears that Microsoft only ships its Web server with the Windows NT 4.0 Server Edition, which is expensive, at least compared to the Windows NT 4.0 Workstation Edition with which Netscape promotes its Web server software. So what’s the big deal all about? Well, when Microsoft got lots and lots of complaints about Windows NT 4.0 Workstation Edition having a physical limit of only 10 TCP/IP connections, they decided to remove the restriction in the software. However, they never changed the restriction in the license agreement.

Microsoft’s tiff with Netscape is that Netscape is encouraging people to violate their Windows NT 4.0 Workstation Edition license agreements by presenting the Workstation version of NT in Netscape’s price comparison versus Microsoft’s Web server, which comes “free” with only the more costly Windows NT 4.0 Server Edition. Note that there’s nothing in the Windows NT Workstation Edition software which would prevent thousands of Web server connections from existing simultaneously.

Now, Microsoft’s NT Workstation license has a whole bunch of ISVs and users steamed, since it imposes an artificial limit on the operating system, and basically tells people how they must use the software. This artificial restriction is akin to a graphics board company telling its users that they may only view business data with the board, and they would be in legal trouble if they used the board to view games, adult materials, or surf the Web (or all three at once).

See? Isn’t this the Microsoft we’ve all come to know over the years?

Well, Netscape is so incensed that they have retained Gary Reback, the Silicon Valley attorney known for filing and pursuing anti-trust actions against Microsoft. Reback’s job now is to once again pursue Microsoft, via the U.S. Department of Justice, for anti-competitive practices and restraint of trade. While on the topic of Netscape vs. Microsoft vs. Netscape, I suggest you check out the comparison Netscape has posted on their Web site between Navigator 3.0 and Internet Explorer. Ouch (if you’re Microsoft).

A Kinder, Gentler Microsoft? Part II
A couple of weeks ago, Microsoft announced it was planning to move all of ActiveX over to an open standards body, and I was suspicious of that move, but couldn’t figure out what was wrong. As it turns out, an editorial in last week’s InfoWorld has shed new light on the matter. ActiveX, you may recall, is just a new and fancy name for OLE. Well, IBM owns the OLE patents, and Microsoft’s license to those patents appears to be on the verge of running out. By turning OLE Controls a la ActiveX over to an open standards body, Microsoft might be hoping to defuse the strength of IBM’s patents, while still retaining the ability to adopt an open standard it was responsible for making open. Seems pretty devious, doesn’t it? How much truth there is to this theory isn’t clear, but I have to give InfoWorld credit for their research.

No More Plug-Ins or ActiveX!
First, there was Nancy Reagan and her “Just Say No!” campaign to get kids (and presumably adults too) to turn drugs away before they became a problem. Then there was the “Just Say No!” knee-jerk reaction from PC users around the world in response to having every software vendor trying to force unnecessary software updates and upgrades down their throats.

Now there’ll be the “Just Say No!” response to more Netscape Navigator Plug-ins and Internet Explorer ActiveX controls. Why? Because people (myself included) are starting to get annoyed with having to download yet another new plug-in or control in order to view yet another proprietary data format (or proprietary extension to a standard format). Case in point: At SIGGRAPH, I counted over a dozen VRML 2.0 browsers. Each one featured a slightly different interface, different performance, and occasionally different features and extensions. Now, if you were a typical user, and you had the newest version of Navigator or IE, which includes a robust VRML 2.0 browser, would you bother to download another one?

Probably not. Especially not if you found out that downloading and installing an alternate browser might cause your built-in browser to no longer be accessible. Granted, there will always be people that want to check out the latest and greatest technology, no matter how badly it screws up their system after being installed, or how redundant it might actually be. But picture your computer illiterate (and possibly computer phobic) neighbors doing this. Not a pretty sight, is it? I suspect as Web browsers continue to offer more and more functionality, users will download and install far fewer plug-ins and ActiveX controls.

Simply put, Plug-ins and ActiveX controls are to the Web enabled era what TSRs (Terminate and Stay Resident programs, for those of you who have filed that memory away) were to DOS, and CONFIG.SYS and AUTOEXEC.BAT files. However, I’ve determined that having a large variety of plug-ins and ActiveX controls does serve a very real purpose, although not necessarily the one intended by their developers. The variety of such programs helps create a culling field for Netscape and Microsoft. When unique plug-ins/ActiveX controls are developed, and overcome amazing odds to gain mindshare and diskshare, Netscape and Microsoft just step in with a marketing offer to either bundle the technology (making it a real plug-in or ActiveX control no longer) or just buy it outright if it’s really good. It’s really a great scam – both companies benefit from the R&D efforts of thousands of other companies, all by virtue of just having created an interface for those companies to support – no real R&D dollars of their own are spent developing such product. In warped Darwinian fashion, the winners of the plug-in/ActiveX battles survive because some form of industry “deity” plucks them from the competing masses and places them on a pedestal above their former peers. However, the survivors then become slaves to the “deities.” Ah, capitalism, ain’t it grand?

SIGGRAPH also showed me that the hunt for the elusive Lotus 1-2-3 of 3D applications is alive and well.

Everyone talks about how great their hardware is for mass-market 3D, or how their 3D authoring tool is going to set new records by enabling the masses with 3D. But, when asked what the masses will do with 3D, silence reigns. A voice in the corner might pipe up and say “Games!” with enthusiasm. Others will ask, “Isn’t there anything else out there other than games to show off 3D?” Someone might offer “CAD and animation,” which are promptly shot down as being high end applications, not well suited to the mass-market Killer App concept everyone is yearning for.

So why aren’t games the Killer App? Because not enough game developers believe 3D hardware can truly improve their games enough, both from market share and technology perspectives, to justify the development of a 3D hardware specific game. Also, the Killer App can’t require a peripheral or other application that costs significantly more than the Killer App itself, which rules out games for the most part unless the requisite tool (hardware or software) is priced sub-$50.

So where does that leave us? With 3D uses that are both innovative and natural. I think it’s going to take some time to get to that point, because consumers need to get comfortable with 3D gradually. For people used to dealing with media in 2D (newspapers, television, coloring books, movies, etc.), 3D is a big step. Just as with attempting to use a computer to accomplish something that’s more complicated to do on the computer than by hand (addressing envelopes, storing recipes, etc.), many current 3D applications of a computer are too cumbersome to be of real use. A SIGGRAPH example of this was a technology demonstration of something called Virtual Lego. Took a poor fellow three minutes to place a single Lego block on a structure using a data glove. Given real Lego blocks, I could do a hell of a lot better in three minutes.

The same applies to creating 3D worlds as an alternative navigation mechanism to things better represented by 2D text menus. What’s easier? Finding an electronic book of a given title in a 3D virtual library which mimics the library metaphor of having to use a card file organized via the Dewey decimal system, or using a textual menu to locate the book? Never mind that the text menu updates on the screen a lot faster than 3D navigation anyway.

All that aside, here are some uses of 3D I believe will prove to be useful (or at least intriguing) to the masses. Enough so that they might be willing to spend money on them, either directly or indirectly:

  • Games. This category has already proven it can excite people, but not enough to shell out big bucks to make the game look prettier or run faster.
  • Interactive gaming. This is already the biggest technology hit on the market for 1996.
  • “Virtual Conferencing.” Consider this a replacement for Video Conferencing, with the ability to do a better job on presentations because you control all the space around you, not just that on a whiteboard behind you. The frame rate is currently better in 3D than in video conferencing systems using the same telecommunications links.
  • 3D Chat Worlds. Chatting is already one of the most popular types of content on services like AOL. A number of companies have grasped this concept dealing with the basic human need to communicate and have tried to translate it to 3D. Black Sun, OnLive!, Worlds Away, and Worlds Inc. number among them. They are still too early on the acceptance curve though because consumer telecommunications bandwidth is too limited currently.
  • Virtual Training. This means being trained for a given task via VR and 3D. It’s another version of Virtual Conferencing.
  • Exercise. Picture the StairMaster 3D exercise machine in which you have to climb the Eiffel Tower, the Washington Monument, or the outside of the Empire State Building like King Kong did in his movies. Similar concepts apply to all sorts of exercise gear.
  • Rental VR. I met a fellow at SIGGRAPH last week who provides Virtuality network VR systems for parties and other populated events. Certainly makes high-speed 3D entertainment more cost effective for the masses. All they have to do is get invited.

I’m sure there are more useful ideas for applying 3D, but I still don’t have a formula for the 3D Killer App.

In closing, let me suggest you forget trying to convince users to use 3D hardware to make pretty 3D spreadsheet charts. It just isn’t necessary, and it’s certainly not the Killer App. Oddly enough, it’s the first thing many business folks I speak to think of when I mention 3D.