What is more important, figuring out who first exploited a vulnerability, or preventing the vulnerability from being exploited? The former is base quibbling, unsuited for thinking human beings. But then again, the popularly (mayby even legally) elected President of the U.S. is teaching a no-credit course at Columbia because U.S. citizens haven't figured out how to rank their ballots. Maybe punch cards are finally on their way out. Maybe Microsoft will learn that three alphanumeric characters are a few bytes too small for a modern type-space. They used to be "easy to use" when active content was limited to .COM, .BAT, and .BAS. Now it is a problem to be solved. Borenstein and Freed of the IETF solved it long ago, and for a while it looked like Microsoft was almost in the clear, but the guild mentality got the best of their customers. "Let the buyer beware!" some might say. "Hang the vandals!" call others. "Please study the security considerations!" is sometimes drowned out. Cheers, James
