On 11/15, Pretty Good Privacy (PGP, Inc.) announced the purchase, effective immediately, of PrivNet, creator of Internet Fast Forward (press release at , FAQ at ). IFF offered banner-weary Win95 and NT users a way to block advertising from reaching their browsers. In addition the program could be configured to suppress animated .GIF graphics and to block any site from setting a cookie on the user's machine. IFF entered beta testing in April of this year and TBTF was the first publication to carry news of it . I eagerly awaited the Macintosh port of IFF and was in contact with the programmer doing the work. The merger has put further product development on hold for now; PGP expects to made announcements on product direction later this month.
Pretty Good Privacy was founded in March 1996 by Phil Zimmermann and Jonathan Seybold, among others.
TBTF for 1996-10-20 
"Push" technology -- Web content that can be tuned in like a television channel to arrive automatically at your desktop -- was everywhere at the Comdex show. In the last week I've read about the paradigm shift to "push" in the Boston Globe and heard it discussed on a non-technical radio broadcast.
>>From CNET News Dispatch (1996-11-19):
> Channel Surfing Online
> Net surfers may be spending less time watching television, but com-
> panies are nevertheless relying on a tried-and-true TV metaphor for
> drawing users to their information services: channels. This week at
> Comdex, Web sites are out while Web channels are conspicuously in,
> with companies such as Netscape Communications, IFusion Com , and
> AirMedia  offering technologies that illustrate the degree to which
> characteristics of the Internet and broadcast media are mingling.
Push technology from Tibco ,  (a subsidiary of Reuters) is currently in use by Intuit to push Quicken financial data over its private network. Tibco says it will announce on December 9 a strategic alliances with Cisco, Informix, Microsoft and others to "push" its Viper push technology towards standardization.
Here's an example of poor man's push technology that goes Newslinx  one better (see TBTF for 1996-11-12 ). Newshub , currently in beta, watches a number of news sites and uses old-fashioned server push to update a page of headline links every 15 minutes -- it requires Netscape 2.0+ or MSIE 3.0+. If you try it, send any feedback to Joseph McDonald <joe at smartlink dot net>, whose letter describing Newshub was published in the TechKnow Times.
On 11/18 Hewlett Packard unveiled a program called the International Cryptography Framework, or ICF . See  for Zdnet coverage of the initiative. ICF incorporates encryption technology from RSA Data Security that supports multiple plug-in modules for encryption and authentication, for current and future cryptographic algorithms and keys of any length. ICF also uses "RecoverKey" technology from Trusted Information Systems  -- a separately encrypted backup key travels with each message and allows its later decryption. Intel will manufacture cryptographic hardware that incorporates ICF technology and Microsoft's Crypto-API, which has been approved for export.
ICF is an implementation of the U.S. government's key-recovery proposal. Computers equipped with ICF chips will perform 40-bit encryption (unrestricted by U.S. export laws) by default; stronger encryption will be available only by using a "policy activation token" (a software module or smart card) issued by the government. The U.S. will only share token-granting authority with other countries that agree to the key-recovery approach. So far the governments of the U.S., Britain, and France have endorsed the ICF.
Privacy advocates take a dim view of HP's furthering of key recovery -- for example Keith Moore <moore at cs dot utk dot edu> has called for a boycott of all HP products. One of the many problems raised by key escrow (or key recovery) is the sticky question of whose key the authorities will go after. Ed Stone <estone at synernet dot com> posted this cautionary tale  to the newsgroup talk.politics.crypto.
1. Experts poke 13 holes in NT 4.0
>>From ClieNT Server NEWS (1996-11-15):
> A pair of NT experts have combined forces to poke holes in NT
> 4.0 -- 13 holes to be precise. Mark Russinovich... and... Bryce
> Cogswell say they've found a series of bugs in WIN32K.sys, the
> component added to NT 4.0 to move graphics directly into the
> kernel to improve performance. The two buddies... have written
> a piece of freeware for others to search for more bugs... Called
> NTCrash 1.0, the program reportedly... crashes NT in a flash when-
> ever it finds a bug. It works by barraging Win32K with random sys-
> tem calls until one triggers a crash. The good news is that the
> key NTOSKRNL.EXE file, which is most of the OS kernel, has so far
> proven immune... Redmond says the bugs uncovered by NTCrash aren't
> likely to occur very often in real life so they're in no hurry
> to fix them. Eventually fixes will appear in a Service Pack...
2. How secure is your NT Administrator password?
>>From RISKS Digest 18.62:
A poster to sci.crypt called attention to a company called MWC that offers  to recover your lost NT 3.5x or 4.0 Administrator's password, for a sliding fee that depends on your sense of urgency: $990 will get you guaranteed results within 48 hours, $4990 within 2 hours. For this latter service level MWC will dedicate four Pentium Pro-200 boxes. Another poster did a back-of-the-envelope calculation and announced that four PPro-200s would take ten quadrillion years to crack a 14-character password. Jeremy Allison <jra at cygnus dot com> speculated on the trick that MWC may have discovered:
> I believe I know how they are doing this. They have discovered a nasty
> little 'secret' in NT that I have been pursuing for a couple of years
> now... My guess would be, if you sent them a drive and told them you
> had lost your password, it would come back with a different Adminis-
> trator password than the one you sent it in with :-).
> It works like this. The NT password database in the registry is only
> as secure as UNIX shadow passwords (actually, a little less secure as
> they don't use salt in their hash technique, it's pure DES for the
> Lanman password, and MD4 for the NT password). The... secret is that
> the hashed password values are double encrypted (for 'obfuscation
> purposes' it says in the NT knowledgebase) in the SAM. I believe this
> company has worked out how that double encryption is done, and just
> overwrite the hashed password.
David Harris <David.Harris at pmail dot gen dot nz>, the author of Pegasus Mail, has struck a blow for freedom from spam. Pmail  is a popular free mailer that runs under Windows and Netware; because it is free and unencumbered, Pmail is favored by companies that sell products to the direct-email (spamming) community. Harris has now amended  the license agreement for Pegasus Mail to forbid its bundling with any product whose purpose is to spam. (The text of the amendment is posted on the TBTF archive by permission.) Harris threatens legal action against any company that flaunts this new license provision. Thanks to David Weeks <dweeks at ccnet3 dot ccnet dot com> for the tip.
TBTF for 1996-11-12 
Beta users of Microsoft's Internet Explorer on the Macintosh now have an option for more robust Java support . Unfortunately the Metrowerks Java Virtual Machine isn't available as a separate package, so those of us who downloaded the beta browser (3.4 MB) get to download again ; this time it's 5.7 MB.
I have become less enamored of the beta IE after it repeatedly scrambled my Favorites list (i.e., bookmarks). The first time it did so I meticulously reconstructed the list in IE's Navigator-like Favorites editor; the next time I didn't bother.
TBTF for 1996-11-12 
The IAHC, formed to recommend improvements in the way top-level domain names are granted, has established a mailing list and a Web archive  for public discussion of domain-name issues. To subscribe to the mailing list, email firstname.lastname@example.org with the message: subscribe (the subject is ignored). Traffic on the list has slowed from its initial frenetic pace to something like 25 messages per day.
The story of how Mil Specs live forever, recounted in passing in TBTF for 1996-10-31 , caught the imagination of faithful reader E. M. Ganin <eganin at sri dot webmate dot com>. After an impressive bout of online sleuthing Ganin crafted a nicely written account  of the spread of this Internet fable, slow at first and then building to the critical density that signals the birth of a new urban legend. (Myself, I'm getting in shape for the next Bulwer-Lytton contest .)
In TBTF for 1996-09-23  I asked if anyone knew a way to query the InterNIC for the registered domains associated with a NIC handle. Perhaps better, the Dreamwave list this week brought news from Patricia Pomerleau <patpom at alphasight dot com> of a Web site  that returns all the domain names registered by any given company. (The search takes a while; it may be a brute-force, unindexed search across the NIC database.) At last I could discover all the domains registered by Procter and Gamble on August 16, 1995, the day before the InterNIC first began to charge a registration fee. There are 44 of them. Just add .com to each of
Apologies in advance to readers outside the U.S., but this piece concerns a peculiarly American form of privacy incursion that has grown up on this soil in the last few decades. Europeans especially may find it downright odd that the activities described here are legal in this country.
America is a consumer culture and for years advertisers and marketers have been segmenting us into ever-finer granularities, the better to target their sales pitches. The impetus for adding four more digits to U.S. Zip codes came from the direct-mail (a.k.a. "junk-mail") industry. An information industry has grown up in support of direct mail, and its commodity is detailed information about consumers, in the agregate and personally.
Now Equifax National Decision Systems, the company that recently rode out a storm of protest when it made citizens' Social Security numbers available to any enquirer, offers average Web surfers a glimpse of where they stand on the segmenters' radar screens. Visit Equifax's LifeQuiz page , give your Zip code and email address (or anyone else's), and you'll see the top three population segments in the given Zip code from Equifax's MicroVision consumer-segmentation system. (Warning: the page is delivered to your browser with three Kodak-moment photographs of happy families and homeowners, each one 50K to 80K. Once the text is laid out in its table you can ask your browser to stop loading.)
Equifax describes their consumer-segmentation system this way:
> MicroVision uses demographic data and aggregated consumer demand data
> at the ZIP+4 level of geography to classify every household in the U.S.
> into unique market segments. Each segment consists of households that
> share similar interests, purchasing patterns, financial behavior, and
> demand for products and services.
The "Zip+4" level has a granularity, roughly speaking, of a single house or address. The 50 segments have names such as Rustic Homesteaders, Bedrock America, Mid-Life Success, Lap of Luxury, etc. See  and  for sample Equifax reports that a company might order before opening a new retail outlet.
It was news in 1994  when the Cypherpunks broke the 429-bit key of a challenge message ("the words are squeamish ossifrage"), working over a period of 8 months with 1500 Unix workstations distributed around the Internet. Now it's the Pentiums' turn . George Woltman, a programmer in Florida, wrote code for Intel machines to find Mersenne primes and encouraged people around the world to run it. Last month a programmer in Paris, Joel Armengaud <joe at apsydev dot com>, announced that one of 18 Pentiums he had set to searching had found the 35th Mersenne prime: 2 to the power 1,398,269 minus 1. (The 34th Mersenne prime had been found earlier this year using a Cray supercomputer.) Thanks to Dan Kohn <dan at teledesic dot com> (as usual) for the heads-up on this story.
>>As of this week I've become an independent consultant specializing in Internet product development, marketing, and online commerce. The plans for TBTF remain unchanged except that the schedule will become more regular and dependable. Please drop me a note if you have a line on any suitable opportunities. Thanks.
>>E.Commerce Today -- this commercial publication provided background in-
formation for some of the pieces in this issue of TBTF. For complete
subscription information see <http://www.tbtf.com/resource/e.commerce-today.txt>.
>>TechKnow Times -- mail email@example.com with subject:
subscribe . Web site at <http://www.TechKnowTimes.com/>.
>>RISKS -- read the newsgroup comp.risks or mail firstname.lastname@example.org
without subject and with message: subscribe . Archive at <http://catless.ncl.ac.uk/Risks/>.
>>DreamWave -- mail email@example.com without subject and with message:
subscribe dreamwave . Archive at <http://www.cybercom.net/~wmcguire/dreamwave/>.
_______________________________________________ Keith Dawson dawson dot tbtf at gmail dot com Layer of ash separates morning and evening milk.