
TBTF for 1997-02-11:
Four horsemen

Keith Dawson (dawson dot tbtf at gmail dot com)
Tue, 11 Feb 1997 20:06:10 -0500


IAHC adds seven top-level domains

The International Ad Hoc Committee has released its final recommendations [1] on expanding the number of top-level domains. Shown below are the seven new "generic top-level domains" or gTLDs that the committee suggests creating, with no further allocations until at least April 1998.
  .firm   for businesses, or firms
  .store   for businesses offering goods to purchase
  .web   for entities emphasizing activities related to the World Wide Web
  .arts   for entities emphasizing cultural and entertainment activities
  .rec   for entities emphasizing recreation/entertainment activities
  .info   for entities providing information services
  .nom   for those wishing individual or personal nomenclature, e.g. a personal nom de plume
The existing gTLDs are:
  .net   for entities emphasizing data networking activities, especially with respect to the Internet
  .org   for not-for-profit entities
  .com   for businesses or firms of a commercial nature
Up to 28 new domain-name granting agencies are to be selected by lottery from applicants worldwide -- 4 or fewer from each of 7 global regions defined by the World Trade Organization [2].

The committee also suggests creating trademark-specific name spaces, one each per country code (for example, .tm.us) and one for trademarks of an international scope (.tm.int). The current registrar for the .int top-level domain is urged to delegate .tm.int to an appropriate international body such as the World Intellectual Property Organization. Applicants with a valid trademark (somewhere) would be guaranteed a second-level domain name that includes their trademark -- presumably with some unique, assigned part to the name. IAHC suggests the establishment of a friendly, searchable trademark-based name-finding site, either one per trademark-related TLD or a global one for all.

The Economist magazine in the Feb. 8-14 issue editorializes [5a] that the "amateurs" -- including the IAHC and Jon Postel, the man who is the Internet Assigned Numbers Authority -- should make way for professionals to settle such matters. Who these professionals would be, what their qualifications, who their nominators, the magazine does not suggest.

Note added 1997-02-12: Dan Kohn <dan at teledesic dot com> opines:
[The Economist's] article unfairly accuses Jon Postel of mismanagement. The IAHC would love to allow competitive registrations for .com and .org, but the InterNIC has a monopoly until the end of its cooperative agreement with the NSF in March 1998.

[1] <http://www.iahc.org/draft-iahc-recommend-00.html>
[2] <http://www.iahc.org/docs/countries.html>
[3] <http://www.tbtf.com/archive/1997-01-11.html>
[4] <http://www.tbtf.com/archive/1996-12-24.html>
[5] <http://www.tbtf.com/archive/1996-11-12.html>
[5a] <http://www.economist.com/issue/08-02-97/st4139.html>


Illicit funds transfer via ActiveX

This scam is clever but not inherently surprising. Last week the Chaos Computer Club of Hamburg showed off a bank-robbing ActiveX control on nationwide German television [6]. The Club has posted a chronology at [7]; Intuit's official response is at [7a] (thanks to Monty Solomon <monty at roscom dot com>). The control was never made available on a public Web page, but if it had been, visitors to the site who happened to be running Intuit's Quicken on their PCs might find their bank accounts somewhat lighter. The control, once downloaded onto a victim's machine, looks to see if Quicken is running, and if it is adds a transaction to Quicken's pending queue that transfers money from the victim's bank account into some other account. The ActiveX control does not need to capture or guess at a password or PIN, as the victim will enter it willingly the next time s/he uses Quicken to send the queued transactions. The illicit transaction might be overlooked for days or weeks, perhaps until the arrival of the next printed statement. This scam is a nice technology demonstration but hardly a serious threat, as the perpetrators could easily be traced through the receiving account. What it demonstrates is the promiscuousness of ActiveX -- unlike Java, there are no limits to what an ActiveX application can do once it is resident on your machine. Microsoft's solution to this quandary is an infrastructure of digital signatures and trust, which can provide at best an after-the-fact recourse in case of ActiveX fraud.
Note added 1997-02-26: A member of the Chaos Computer Club, Felix von Leitner <leitner at math dot fu-berlin dot de>, sent these clarifications to Glen McCready for his 0xdeadbeef mailing list, which had carried a story about the CCC's ActiveX / Quicken hack. von Leitner's note comments on both Intuit's and Microsoft's public responses to the hack. It appears on the TBTF archive by permission.

[6] <http://www.news.com/News/Item/0,4,7761,4000.html?latest>
[7] <http://www.iks-jena.de/mitarb/lutz/security/activex.en.html>
[7a] <http://www.tbtf.com/resource/intuit-activex.txt>


Ireland leads bid to ban intercept-resistant phones

Ireland will host an international meeting to agree on banning telephones whose calls cannot be intercepted, according to an article by Liz Allen (bylined as the Crime Correspondent) in the Irish newspaper the Sunday Independent (1997-02-02):
> Justice Minister Nora Owen is presiding over the conference
> which will agree on a memorandum of understanding whereby
> all of the 22 governments will agree to allow the sale of
> only telephones which can be intercepted. Among the countries
> which will be in attendance at the conference are America,
> Australia, Hong Kong, and Britain.

A poster on the Cryptography list speculated that the U.S. government might intend to use such a multinational declaration as a cudgel to get Congress to ratify a ban on secure telephony products. This purported strategy is in line with the Cypherpunks credo [8], which posits that the government will aim to control the spread of strong crypto by brandishing the Four Horsemen of the Infocalypse: terrorists, pedophiles, drug dealers, and money launderers [9]. The following more Unix-flavored analogy, covering two of the horsemen, is attributed to Phil Karn <karn at qualcomm dot com>, who is waging one of the closely watched court challenges [10] to the restrictions currently placed on U.S. crypto exports:

> "National security" and "drugs" have become the root passwords
> to the US Constitution.

[8] <http://www.oberlin.edu/~brchkind/cyphernomicon/>
[9] <http://thumper.vmeng.com/rah/horsemen.html>
[10] <http://www.qualcomm.com/people/pkarn/export/index.html>


56-bit crypto approved for export

On 1997-02-03 the U.S. government granted approval for Digital Equipment Corp., Cylink Corp. [11], and Trusted Information Systems, Inc. to export 56-bit and higher encryption technology. Under the new EAR regulations, vendors applying for such approval must agree to develop key-recovery plans by 1999.

[11] <http://www.cylink.com/whatsnew/pressrel/govkey.htm>


In Java math, all architectures are not created equal

An independent mathematical consultant, Jerome Coonen, has carried out a study of math operations in the Java language and found that floating-point calculations will be performed significantly faster on some platforms than on others. Specifically, Java is most efficient running on Sparc and MIPS chips and less so on PowerPC and Intel chips. A JavaSoft official agreed with the assessment and said, "Java is only 500 days old... Math is on our list and we will get there." Microsoft had provided some of the funding for the study and the press coverage [12], [13] inevitably stresses the Sun-vs.-Microsoft angle. (The study itself does not seem to be available on the Web.) No-one actually believes that Sun, or JavaSoft, deliberately slanted the architecture to favor Sun's own chips. Coonen was quoted as saying, "Java's design goal was to achieve bit-identical results across all platforms. In the integer domain... that is quite achievable, but in... floating-point... it is less useful and commercially infeasible."

[12] <http://www.news.com/News/Item/0%2C4%2C7545%2C00.html?nd>
[13] <>


First Linux virus reported

Experts have long believed Unix immune to the sorts of viruses that plague personal-computer operating systems, because its more robust security model typically requires administrative privileges for anyone trying to infect a system. An unknown party has now developed and released into the wild a virus-like program, called "bliss," that has been proven to infect machines operating under Linux (a free variant of Unix) without benefit of root privileges. The perpetrator claims that the code is portable, so there is nothing limiting it to attacking only Linux systems -- "Bliss compiles clean (but was not run) on sunos, solaris, and openbsd," s/he writes. I've posted the author's letter describing the virus [14] on the TBTF Archive. McAfee Software, developer of anti-virus tools, has made available an antidote to bliss amid many press releases. The company's public behavior has annoyed some in the security community who see it as grabbing credit it has not earned. I learned about the virus from Glen McCready's <glen at substance dot abuse dot blackdown dot org> 0xdeadbeef mailing list.

[14] <http://www.tbtf.com/resource/bliss.html>


Update: NT 4.0 security hole

Microsoft moved quickly to patch the Windows NT 4.0 network vulnerability described in the previous issue of TBTF [15] -- they have posted a patch at [16]. Note that Service Pack 2 will overwrite this patch, so if you reinstall SP2 (as you will need to do for certain configuration changes), install the new "RPC" patch again afterwards.
Note added 1997-06-06: See this table for a summary of all Microsoft security exploits covered by TBTF in 1997.

[15] <http://www.tbtf.com/archive/1997-01-29.html>
[16] <ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP2/RPC-fix>


Notable new Web services

1. Micropayments by CyberCoin

CyberCash Inc. has unwrapped its Digital Newsstand [17], which uses the company's new CyberCoin micropayment service [18] to provide publishers a venue for "pay-per-view" access to their copyrighted material. CyberCoin enables secure transactions in the range from $0.25 to $10. Partners at the launch included American Banker Online, Barron's Online, Bloomberg, Data Broadcasting Corp., the Financial Times of London, the Los Angeles Times, and Quote.com. The Digital Newsstand is not yet operational; the Web site says to check back at the end of February.

[17] <http://www.cybercash.com/cybercash/dns/dns.html>
[18] <http://www.cybercash.com/cybercash/shoppers/coingenpage.html>

2. Map SPOT map

The Scout Report for 1997-01-31 [19] spotlights a mutually illuminating pair of services: an uncommonly flexible map generator and a front-end to five years of SPOT satellite images. The U.S. Census Bureau's Tiger Mapping Service [20] generates maps of U.S. locations; you can choose from an eye-glazing array of "overlay" options including roads, bodies of water, county lines, and several flavors of data from the 1990 census. Best of all,

> Since the maps and accompanying data are available in the
> public domain, website creators can make a cgi-bin link to
> the TMS server that will return a customized map, complete
> with multicolored pins and labels, for placement on a web
> page.

Once you've pinpointed your house on a Tiger map, request pictures of its environs as captured by France's SPOT satellites [21]. The page will return up to five recent images, with cloud coverage of less than 10%, of any point on Earth, selected from an archive of more than 4.5 million images harvested since 1992.

[19] <http://wwwscout.cs.wisc.edu/scout/report/archive/scout-970131.html#5>
[20] <http://tiger.census.gov/>
[21] <http://catalogue.spotimage.fr:8001/www/dali/guest/s_req_libre.htmlx>

3. Securing electronic documents

Late last month NetDox, Inc. announced a service [22] for the secure transfer, tracking, and delivery of electronic documents. NetDox was spawned from a partnership of the accounting firm Deloitte & Touche and the Thurston Group, a private merchant bank. The service [23] will track documents through delivery, return a receipt to the sender, and archive an electronic document "thumbprint" against any questions about its authenticity or delivery time. NetDox will be operational this summer. The service should be attractive to banks, law firms, insurance companies, and law enforcement agencies.

[22] <http://www.netdox.com/pressrelease.html>
[23] <http://www.netdox.com/faq.html>

4. Semio

Semio [24] is a search engine with an eye-opening twist: a Java applet that constructs a visual map of concepts related to your query. You can motor around the concept space (somewhat clumsily, the 3D navigation needs work) and at any point request a list of Web pages relating to your current location.

The Java applet is compact and does not crash my Mac -- two points in its favor. It's instructive to open the Java Console, if you're using Netscape, and watch the applet's interoperation with [24].

[24] <http://www.semio.com/>


Bad robot, bad robot

Usenet was buzzing last week with curiosity, amusement, and mild panic from recipients of a new email hoax called NaughtyRobot. The message claims to have been sent -- from the victim's own machine -- by "an Internet spider that crawls into your server through a tiny hole in the World Wide Web." This phrasing tipped off knowledgeable Net users that something funny was afoot, but less experienced users may have believed the NaughtyRobot's claim to have captured their "Email and physical addresses, as well as... phone and credit card numbers."

I've placed a representative NaughtyRobot message, with annotated email headers, on the TBTF Archive [25]. This Deja News link [26] lists (at this moment) 50 messages on the subject. Mark Frauenfelder wrote about the buzz in Wired [27]. He quotes a security expert as speculating that the perpetrators may have written an ActiveX spider to prowl the Web collecting target addresses. ActiveX or not, a spider seems likely as the hoax was sent to people whose email address appears in a mailto: URL somewhere on the Web. An Ultraseek or Alta Vista search could finger thousands of potential victims. The perpetrators covered their tracks nicely, sending the messages through multiple Smail servers and modifying various mail headers -- see [25] for an example. Smail servers were targeted in preference to the more robust sendmail because a known vulnerability makes it easier for imposters to forge Received: headers.

Thanks as usual to Dan Kohn <dan at teledesic dot com> for the tip on NaughtyRobot.

[25] <http://www.tbtf.com/resource/NaughtyRobot.html>
[26] <http://xp7.dejanews.com/dnquery.xp?search=thread&filter=&svcclass=dncurrent&threaded=1&CONTEXT=855242737.27259&HIT_CONTEXT=855242737.27259&HIT_NUM=0&recnum=%3ca-3101971400190001 at 172 dot 16 dot 19 dot 60%3e%231/1>
[27] <http://www.wired.com/news/culture/story/1798.html>


Of statistics and Office 97

Last month the Wall Street Journal reported on Office 97 when it was released; subscribers can read the article here [28]. Dan Kohn <dan at teledesic dot com> forwarded the following provocative factoid -- "My second favorite statistic," he calls it -- adding that his all-time fave is "the fact that more Generation Xers believe in UFOs than [believe] they'll receive Social Security."
> Ease of use has been a big concern, [the Microsoft spokesman]
> said. The program is so big (191 megabytes in its largest
> version) and broad (Que Corp.'s book on how to master it runs
> 780 pages) that discovering a function can be an adventure. In
> fact, a quarter of customer calls to a Microsoft "wish line"
> recommending new Office features suggested functions that were
> already in the software.

[28] <http://interactive2.wsj.com/edition/current/articles/SB853430115452943000.htm>


1. I'm now wrapping URLs in the email edition that would stretch beyond 80 characters. If you copy-and-paste these URLs into a browser you will need to delete the spaces and newlines.

2. This issue marks the first redesign of TBTF's email edition since its inception (the Web edition has been evolving steadily), prompted by your feedback on the question of monospaced Ascii art -- in particular, The Lips. Hope you like the new clean and sober look.


* For a complete list of TBTF's (mostly email) sources, see <http://www.tbtf.com/sources.html>.

* E.Commerce Today -- this commercial publication provided background information for some of the pieces in this issue of TBTF. For complete subscription information see <http://www.tbtf.com/resource/E.CT-today.txt>.

* 0xdeadbeef: mail 0xdeadbeef-request@substance.abuse.blackdown.org without subject and with message: subscribe .

* Cryptography -- mail majordomo@c2.net without subject and with message: subscribe cryptography [ your@email.address ] .

* Scout Report -- mail listserv@lists.internic.net without subject and with message: subscribe scout-report Your Name . Web home at <http://rs.internic.net/scout/index.html>.

TBTF home and archive at <http://www.tbtf.com/>. To subscribe send
the message "subscribe" to tbtf-request@world.std.com. TBTF is
Copyright 1994-1997 by Keith Dawson, <dawson dot tbtf at gmail dot com>.
Commercial use prohibited. For non-commercial purposes please forward
and post as you see fit.
Keith Dawson    dawson dot tbtf at gmail dot com
Layer of ash separates morning and evening milk.