t byfield on Mon, 23 Mar 1998 22:46:35 +0100 (MET)


<nettime> FWD: TBTF [3/23/98]

[Obviously, the entire nettime subscription base is off having Holidays
in the Sun. Good for you--you all think *way* too much... Anyway, now I
got a reason to pass along the latest issue of one of the best publica-
tions on the net. 65% relevant to nettime, imo. Share and enjoy.  --TB]

[forwards ho...]


TBTF for 3/23/98: Chaffing and winnowing

    T a s t y   B i t s   f r o m   t h e   T e c h n o l o g y   F r o n t

    Timely news of the bellwethers in computer and communications
    technology that will affect electronic commerce -- since 1994

    Your Host: Keith Dawson

    This issue: < http://www.tbtf.com/archive/03-23-98.html >

C o n t e n t s

    Confidentiality without encryption
    Java in turmoil
    Intel's Merced locking out free OSs
    Single point of failure
    New sendmail will make spammers work harder
    Trelligram elegantly packs Webs to go
    The emergent behavior of bugs
    A modest Macintosh survey
    Fifth Certicom challenge (ECCp-97) falls
    Crypto policy
        US crypto fight's profile is rising
        DoJ won't seek mandatory back doors in domestic crypto -- yet
        Sun delaying shipment of Elvis+ strong crypto
        But Network Associates goes around the rules
        French up in arms over proposed US hegemony
        The price of .com is going down
        AlterNIC's Kashpureff pleads guilty
        A history of domain name developments

..Confidentiality without encryption

  One of the fathers of modern public-key crypto comes up with
  a third way

    If you want to communicate confidentially, until last week you had
    two choices: encryption or steganography [1]. Now Ron Rivest, the
    "R" in RSA, has given us a third. Called "chaffing and winnowing,"
    Rivest's scheme [2] allows two people who share an authentication
    key to achieve high levels of confidentiality without using en-
    cryption at all. Furthermore, a third party between the communica-
    ting pair can add arbitrary levels of security to the communication
    without even knowing any authentication key, and without either the
    knowledge or consent of the communicating parties.

    To put this technique to use is to reveal US crypto export law for
    the mockery it is. Rivest says, "As usual, the policy debate about
    regulating technology ends up being obsoleted by technological in-

    Here is Rivest describing the "man in the middle" who does two
    parties the favor of securing their communication.

      > Charles' computer, for whatever reason, then adds "chaff"
      > packets to the packet sequence from Alice to Bob. All of a
      > sudden, Charles' activities provide a very high degree of
      > confidentiality for the communications between Alice and Bob!
      > Alice's and Bob's software have not been modified in the least
      > to achieve this confidentiality! Charles does not know the
      > secret authentication key used between Alice and Bob! Alice
      > and Bob did not even want or care to have confidential com-
      > munications! Charles is not using encryption and does not
      > know any encryption key! Amazing!

    Read Rivest's paper [2]. This is important.

    [1]  http://www.thur.de/ulf/stegano/
    [2]  http://theory.lcs.mit.edu/~rivest/chaffing.txt
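    The scheme sketched above, as an added worked example (not code from this
    issue or from Rivest's paper): Alice MACs each bit of her message under the
    key she shares with Bob, Charles adds the complementary bit with a random tag
    without holding any key, and Bob keeps only the packets whose MAC verifies.
    The 8-byte tag truncation, the bit-per-packet granularity and all names here
    are choices made for this example.

```python
import hmac
import hashlib
import secrets
from typing import Dict, List, Set, Tuple

MAC_LEN = 8                          # truncated tag length (example choice)
Packet = Tuple[int, int, bytes]      # (serial number, bit, MAC)


def authenticate(key: bytes, serial: int, bit: int) -> bytes:
    """MAC over serial and bit, so a tag cannot be moved to another position."""
    data = serial.to_bytes(4, "big") + bytes([bit])
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]


def to_bits(message: bytes) -> List[int]:
    return [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]


def from_bits(bits: List[int]) -> bytes:
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(sum(b << (7 - j) for j, b in enumerate(bits[i:i + 8])))
    return bytes(out)


def alice_send(key: bytes, message: bytes) -> List[Packet]:
    """Wheat only: one authenticated packet per message bit. Nothing is
    encrypted; the bits go out in the clear with their MACs."""
    return [(n, b, authenticate(key, n, b)) for n, b in enumerate(to_bits(message))]


def charles_chaff(packets: List[Packet]) -> List[Packet]:
    """Charles holds no key. For every packet he emits the opposite bit under
    the same serial with a random tag, then shuffles so order reveals nothing."""
    chaff = [(n, 1 - b, secrets.token_bytes(MAC_LEN)) for n, b, _ in packets]
    mixed = packets + chaff
    secrets.SystemRandom().shuffle(mixed)
    return mixed


def bob_winnow(key: bytes, packets: List[Packet]) -> bytes:
    """Keep only packets whose MAC verifies, order them by serial, reassemble."""
    wheat: Dict[int, int] = {}
    for n, b, tag in packets:
        if hmac.compare_digest(tag, authenticate(key, n, b)):
            wheat[n] = b
    return from_bits([wheat[n] for n in sorted(wheat)])


def eve_view(packets: List[Packet]) -> Dict[int, Set[int]]:
    """What an eavesdropper without the key learns: which bit values appear
    at each serial. After chaffing every serial carries both 0 and 1."""
    seen: Dict[int, Set[int]] = {}
    for n, b, _ in packets:
        seen.setdefault(n, set()).add(b)
    return seen


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # Alice/Bob shared authentication key (constructed)
    stream = charles_chaff(alice_send(key, b"Hi Bob"))
    print(bob_winnow(key, stream))  # b'Hi Bob'
    print(all(bits == {0, 1} for bits in eve_view(stream).values()))  # True
```

    At byte or coarser granularity an eavesdropper could read the candidate
    fragments directly, which is why Rivest's paper either works one bit per
    packet, as here, or first applies an all-or-nothing "package transform".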

..Java in turmoil

  Microsoft, HP, and Sun itself deliver body blows to standardized

    Sun's JavaOne conference runs in San Francisco this week, and the
    world of Java could hardly be more fragmented. Microsoft is caus-
    ing some of the trouble, of course, announcing development tools
    that tie its version of the language ever more tightly to the Win-
    dows platform [3], [4] -- a strategy dubbed "Write Once, Run on
    Windows." (Don't need Java for that.) The Department of Justice is
    reportedly examining Microsoft's behavior in its Java dispute with
    Sun [5]. Microsoft also, as expected, refused to endorse the in-
    dustry-wide Enterprise JavaBeans spec [6], a server-side object
    component model.

    The more unexpected moves towards a balkanized Java came from HP
    and, mystifyingly, from Sun itself.

    When HP wanted a Java implementation that could work in consumer
    electronic devices such as PDAs and printers, it protested Sun's
    inflexible licensing terms and development policies. HP decided to
    roll its own [7], and is now marketing a clean-room implementation
    of the Java spec, which in deference to Sun's trademark will be
    termed "Java compliant," but not "Java compatible." Care to guess
    who was first in line to license HP's embeddable Java? Why Micro-
    soft, of course, for use in its Windows CE machines (just say

    Finally, Sun itself has announced [8] Java extensions for 3D that
    will run on only a few platforms: its own Solaris, Irix, and Mac-
    intosh. The reason for the limitation is Sun's use of the OpenGL
    graphics library. VRML and 3D developers are puzzled; one said "If
    Microsoft pulled something like this [with Java], Sun would be
    screaming bloody murder." Sun argues that the rules covering the
    Java extensions, including 3D, are different than those for core
    Java. Technically true but politically dubious.

    C|net has special coverage [9] of the chaos swirling around Java.

    [3]  http://www.news.com/News/Item/Textonly/0,25,19794,00.html?pfv
    [4]  http://www.news.com/News/Item/Textonly/0,25,19962,00.html?pfv
    [5]  http://www.news.com/News/Item/Textonly/0,25,20324,00.html?pfv
    [6]  http://www.techweb.com/news/story/TWB19980320S0012
    [7]  http://www.techweb.com/news/story/TWB19980320S0004
    [8]  http://www.news.com/News/Item/Textonly/0,25,20207,00.html?pfv
    [9]  http://www.news.com/News/Item/Textonly/0,25,20290,00.html?pfv

..Intel's Merced locking out free OSs

  "I do not believe that FreeBSD or Linux or any other free operating
  system will be quickly ported to the Merced, if ever" -- a FreeBSD

    On 3/9 Ralph Nader sent letters to six PC makers urging them to
    offer more operating-system choices [10]. Here is Compaq's letter
    [11]. Nader suggested that they offer hardware configurations pre-
    installed with Linux, BeOS, or Rhapsody, in addition to Windows.
    I haven't seen any reaction from the PC makers to Nader's request,
    but I would be amazed if any of them dared a move so inimical to
    Microsoft's interests. Meanwhile Intel is busily rendering Nader's
    desire for OS choice more elusive in the future.

    Intel's 64-bit Merced chip, expected to be available in 1999, is a
    bandwagon everybody wants to jump onto [12]. Sun, HP, SCO, and DEC
    all aspire to the title of preeminent Unix implementation on Merced,
    in the process winning market share away from the common enemy, NT.
    Intel is allowing development on Merced only under non-disclosure
    agreement, which means that Linux and FreeBSD are excluded from the
    start. Further, Merced fits into the so-called PC98 architecture --
    another name for the I2O bus [13] -- and the I2O spec is closed to
    non-members of an exclusive club. See this discussion thread [14]
    on the closed I2O spec, carried on slashdot.org last week.

    [10] http://www.msnbc.com/news/151801.asp
    [11] http://www.essential.org/antitrust/ms/compaq.html
    [12] http://www.zdnet.com/zdnn/content/pcwo/0316/294991.html
    [13] http://www.tbtf.com/archive/08-04-97.html#s04

..Single point of failure

  Corrupted your NT registry? Slit your wrists now

    Two recent articles posted on the Risks forum highlight single points of
    failure for NT networks. In the first instance a 12-hour outage cost a
    large manufacturing company $10M.

    From Risks 19.60 [15]:

      > The recent power fluctuations here in [placename] corrupted
      > the NT registries in our [server-community-names]. As a re-
      > sult, our entire NT network (>10K machines) is down... Once
      > the registries got corrupted, the databases of user signons
      > went, too. And, of course, the tape backups won't load because
      > NT requires a timestamp somewhere in the guts that the tape
      > image doesn't match to the clock. So every NT server, and most
      > NT workstations, won't do anything except local work... [To
      > recover,] every desktop user will have to delete/disable their
      > <user>.pwl file to be able to get back on the network, because
      > that file hard-codes which domain server they are on. However,
      > if they do that, they can then not get into any other service
      > on their desktop for which they've stored the password, be-
      > cause they're all in that file.

    From Risks 19.61 [16]:

      > I got a mail bounce from a friend locally, so I called to find
      > out what was up. Seems that, over the weekend, someone broke
      > in and stole a computer. Turns out it was the MS Exchange
      > server. For the whole company.

    [15] http://catless.ncl.ac.uk/Risks/19.60.html
    [16] http://catless.ncl.ac.uk/Risks/19.61.html

..New sendmail will make spammers work harder

  Promiscuous relay is off by default, at last

    The developer of sendmail, a piece of software that labors in obscur-
    ity to deliver most of the Net's mail, announced a new version with
    significant spam-fighting features and configuration changes. Eric
    Allman's sendmail 8.9 [17], now in beta testing, will make it easier
    to use the Realtime Blackhole List [18] to reject mail from known
    spammers, and by default it will require valid return addresses. All-
    man also launched Sendmail Inc. [19] to sell software and support
    services to businesses, while continuing to develop new features for
    the free version of the software.

    [17] http://www.sendmail.com/8_9free.html
    [18] http://www.tbtf.com/archive/01-12-98#s02
    [19] http://www.sendmail.com/

..Trelligram elegantly packs Webs to go

  You could send a Web to your grandmother

    Trellix Corp., whose hypertext authoring tool was reviewed in TBTF
    for 7/21/97 [20], has come up with an arrestingly audacious solution
    to a problem most of us didn't know we had, yet. The Trelligram [21]
    technology provides a simple, compact, and above all sanitary way to
    package and to consume standard HTML Webs. A Trelligram is a compact
    Win95/NT executable file that an author can attach to a mail message
    or send on a floppy disk. A recipient need only double-click on the
    Trelligram to launch its Web in a browser, unconcerned with plugins,
    helper applications, unzipping, extraction, or managing a nest of
    HTML and graphics files somewhere on the disk. Trelligram achieves
    this magic by the brilliant, if twisted, expedient of packaging a
    compact HTTP server -- the Trelligram Delivery Service -- with each
    Web. (Its overhead is currently 89K, and should shrink considerably
    in future releases.)

    Trelligram is the brainchild of Buzz Kelley, Trellix's protean chief
    technologist and the father of this correspondent's goddaughter.

    Who is the audience for this elegant, offbeat utility? Not writers
    comfortable with Web construction and possessed of access to a pub-
    lic Web server. In the past I've delivered reports in Web form by
    posting them to one of my sites (secured as necessary) and mailing
    the recipient a URL. Trelligram should appeal to the emerging mass
    of Netizens who use freely available tools, such as FrontPage and
    HotDog, to write for HTML delivery. The Trellix hypertext authoring
    product can now also produce Trelligrams directly, so Trellix users
    have a new avenue for distributing hypertexts to a wider audience.
    Newsletter authors can deliver rich HTML content, instead of boring
    old email (you listening, JOHO [22]?) -- but unfortunately to a Win-
    dows-only audience.

    Visit the Trelligram site [21] and download the Trelligram Creator
    tool (1391K), free during a beta period. Among its limitations:

     - No file hierarchy is allowed; all files must reside in a single
       directory before feeding to Trelligram Creator. This restriction
       will almost certainly be lifted in a future release.

     - Trelligrams can be created and read only on Windows 95 or NT.

     - The Trelligram Delivery Service can't serve dynamic content: no
       CGI, Active Server Pages, database-driven content, etc. However,
       client-side scripting using JavaScript, and Java and ActiveX
       applets, works as expected.

    [20] http://www.tbtf.com/archive/07-21-97.html#s04
    [21] http://www.trelligram.com/
    [22] http://www.hyperorg.com/

..The emergent behavior of bugs

  Microsoft says this bug is no biggie. Begging to differ...

    Lloyd Wood <http://www.ee.surrey.ac.uk/Personal/L.Wood/> loves to
    demonstrate emergent behavior in software -- the multiplying sever-
    ity of conditions that may be relatively harmless in isolation. On
    this page [23] he combines the Getchell exploit [24] with the Intel
    "f00f" security hole [25] to crash your machine, if you are so rash
    as to visit running IE on Intel hardware.

    [23] http://www.ee.surrey.ac.uk/Personal/L.Wood/IE4object/
    [24] http://www.news.com/News/Item/Textonly/0,25,20159,00.html?pfv
    [25] http://www.tbtf.com/archive/11-17-97.html#s03

..A modest Macintosh survey

  Are TBTF readers more loyal to their Macs than industry averages?

    TBTF for 2/9/98 [26] reported on new upcoming PowerBook models from
    Apple, and ventured a modest probe of the company's prospects:

      > A survey: please send me a note if you presently use a Mac-
      > intosh regularly. What is the probability that you will buy
      > another MacOS system?

    Before we get to the survey results, let's set a couple of items
    to rights. First and most important, the new low-end PowerBook may
    not employ the much-admired G3 processor (a.k.a. PowerPC 750); in-
    stead, ogrady.com informs us [27], Main Street may use the PowerPC
    740, which lacks a backside cache. Its performance would be dra-
    matically lower than that of a G3. Several readers wrote in with
    insights on pricing. One pointed out that the cost of a laptop is
    influenced far more by the quality of its screen than by its CPU
    (and that Main Street is rumored to feature a TFT screen -- bzzzt!).
    Another noted that $2000 Pentium machines with good specs are not
    hard to come by.

    Now to the survey results. 102 active Macintosh users responded with
    what amounts to resounding good news for Apple. (I guesstimate
    from these returns that about 10% of TBTF readers are Macintosh
    users.) The probability that a Mac user from this population will
    ever buy another MacOS system is 87%. Sixty-three percent of re-
    spondents said it is a certainty that they will buy another. Many
    expected to buy two or more; a few who influence purchases where
    they work said they plan to buy a dozen or more. Overall, these 102
    people expect to buy 124 Macs in the future.

    Frankly, these numbers floored me. The most recent figures I've seen
    for Macintosh loyalty indicate that it moved from a low of 16% last
    July to over 50% in January. But 87%?

    [26] http://www.tbtf.com/archive/02-09-98.html#s07
    [27] http://ogrady.com/wallstreet.stm

..Fifth Certicom challenge (ECCp-97) falls

  Harley and his brave band of Linux Alphas do it again

    On 2/18 Robert Harley <Robert.Harley@inria.fr> announced [28] the
    defeat of the fifth in Certicom's series of crypto challenges.
    Harley's ever-growing team, now numbering 588, has been first to
    overcome each of the Certicom challenges broken to date. Harley
    figures that this crack was the fourth-largest distributed com-
    putation mounted to date.

    [28] http://www.tbtf.com/resource/certicom5.html

..Crypto policy

    ..US crypto fight's profile is rising

    Earlier this month one hundred companies, associations, and non-
    profit organizations joined together to form a broad coalition
    called Americans for Computer Privacy. This group has serious money
    to spend on advertising and lobbying, and their aim is to defeat
    mandatory key escrow in the US and to get crypto export restrictions
    eased. Their Web site [29] is fairly uninteresting so far.

    On the same day, Vice President Al Gore sent a letter to the Demo-
    cratic leader in the Senate, urging him to work for compromise on
    the encryption question ("work together to find common ground"; a
    "balanced approach"). But any compromise, from the Administration's
    point of view, must include mandatory key recovery: "The Administra-
    tion remains committed to finding ways to preserve the ability of
    the Nation's law enforcement community to access, under strictly
    defined legal procedures, the plain text of criminally related
    communications and stored information."

    [29] http://www.computerprivacy.org/

    ..DoJ won't seek mandatory back doors in domestic crypto -- yet

    At a Senate hearing last week, a Justice Department official said
    that the department will not seek to mandate key recovery in dom-
    estic crypto products [30]. For now. This position contradicts a
    long and vigorous campaign led by the FBI to require government
    back doors. The administration position is that industry ought to
    provide key recovery features voluntarily. Industry reaction was
    lukewarm [31]. As Declan McCullagh reported it [32],

      > Negotiations over how much privacy Americans are allowed to
      > enjoy will continue for the next 60 days.

    [30] http://www.techweb.com/news/story/TWB19980317S0024
    [31] http://www.techweb.com/news/story/TWB19980319S0006
    [32] http://cgi.pathfinder.com/netly/afternoon/0,1012,1832,00.html

    ..Sun delaying shipment of Elvis+ strong crypto

    Sun is delaying the shipment of a strong crypto product while the
    Commerce Department investigates, interminably. The workstation
    maker had arranged [33] what looked like a perfect end-run around
    US encryption export controls. Sun planned to market worldwide a
    strong-crypto package containing no US-written code. The strong
    crypto was produced entirely by Elvis+, a company made up of former
    Soviet Union space agency workers, in which Sun had invested. Sun
    claimed, with watertight assurance, that they had provided zero
    technical assistance to Elvis+, but the Commerce Department, which
    controls crypto exports from the US, elected to investigate that
    claim. Sun had legal advice that it was at liberty to ship the
    product (initially set for last August) but decided to wait in a
    show of good corporate citizenship. Now, according to the Wall
    Street Journal, the Sun executive who led the effort to market
    Elvis+ has resigned to start an Internet security company with two
    principals from Elvis+, taking with them much of the software de-
    velopment team.

    [33] http://www.tbtf.com/archive/06-16-97.html#s01

    ..But Network Associates goes around the rules

    The company that bought PGP announced that its Dutch subsidiary is
    selling 128-bit PGP software worldwide [34]. The software was de-
    veloped by the Swiss firm Cnlab Software from printed books con-
    taining the PGP source code. US crypto export regulations place
    no restrictions on printed material. Network Associates says they
    kept Commerce Department officials apprised of their plans over the
    last several months, but a Commerce spokesman claimed that they had
    seen only a press release a day before the strong crypto software
    went on sale.

    [34] http://www.news.com/News/Item/Textonly/0,25,20286,00.html?pfv


    ..French up in arms over proposed US hegemony

    They've coined a new word to describe domain-naming issues. The
    French are lobbying hard within the EU for coordinated opposition
    to the Green Paper plan [35] for a US-based corporation to control
    global top-level domains. A technology advisor to the French gov-
    ernment claims [36] that this position is supported by Spain and
    Italy, less so by Germany, and opposed by Britain and the Scan-
    dinavian countries. The head of the French branch of the Internet
    Society warned that unless the Americans make real concessions from
    the Green Paper positions that a rival European-led internet could
    be established.

    [35] http://www.tbtf.com/archive/02-02-98.html#s01
    [36] http://www.techweb.com/wire/story/domnam/TWB19980310S0012

    ..The price of .com is going down

    The National Science Foundation announced [37] that on 4/1/98 NSI
    will stop collecting the $30 "tax" on new registrations that has
    been collected for an Internet Intellectual Infrastructure fund.
    This action follows a suggestion in the Green Paper on domain nam-
    ing [35], even though that paper is a draft with no legal force.
    As of 4/1 registering a domain name with NSI will cost $70 instead
    of $100 for the first two years; annual renewals will go for $35
    instead of $50.

    [37] http://www.nsf.gov/od/lpa/news/press/pr9817.htm

    ..AlterNIC's Kashpureff pleads guilty

    Eugene Kashpureff, the domain name system hacker who successfully
    rerouted millions of Web users last year [38], pleaded guilty to
    federal charges of computer fraud on Thursday [39].

    [38] http://www.tbtf.com/archive/07-21-97#s02
    [39] http://www.techweb.com/news/story/TWB19980320S0014

    ..A history of domain name developments

    This investigative report [40] gives useful background to the pol-
    itics of domain naming, back to the days when Network Solutions
    was a tiny, minority-owned business with little understanding of
    the ways of government contracting. The same will never be said
    of NSI's parent, Science Applications International Inc.

    [40] http://www.NewHavenAdvocate.com/articles/raiders.html

N o t e s

> Greg Roelofs <roelofs@pmc.philips.com> writes to correct a bit of
    physics nomenclature that I had flung with abandon, and impre-
    cision, in TBTF for 3/9/98. Turns out I stepped on a term from
    his dissertation.

      > The "C" in MACHO stands for "compact," not "cometary," and the
      > halo in question is the galactic halo, not the Oort Cloud. The
      > idea was that there could be a whole host of brown dwarfs (big
      > Jupiters) orbiting galactic nuclei invisibly and creating that
      > really big gravitational potential that keeps galactic rota-
      > tion curves flat for insanely large radii.

S o u r c e s

> For a complete list of TBTF's (mostly email) sources, see
    http://www.tbtf.com/sources.html .

    TBTF home and archive at http://www.tbtf.com/ . To subscribe send
    the message "subscribe" to tbtf-request@world.std.com. TBTF is
    Copyright 1994-1998 by Keith Dawson, <dawson@world.std.com>. Com-
    mercial use prohibited. For non-commercial purposes please forward,
    post, and link as you see fit.
    Keith Dawson               dawson@world.std.com
    Layer of ash separates morning and evening milk.



[forwards avast...]

#  distributed via nettime-l : no commercial use without permission
#  <nettime> is a closed moderated mailinglist for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: majordomo@desk.nl and "info nettime-l" in the msg body
#  URL: http://www.desk.nl/~nettime/  contact: nettime-owner@desk.nl