
TBTF for 1997-03-21: News has come to Harvard

Keith Dawson (dawson dot tbtf at gmail dot com)
Sun, 9 Mar 1997 18:02:04 -0500


  • High court hears CDA arguments -- Justices like the idea of protecting kids, but not of criminalizing them

  • Three security bulletins -- Usenet servers under attack; Microsoft sues a cracker; This week's crop of Microsoft security holes

  • Three horsemen -- Has strong crypto impeded law enforcement? Cryptographers find a flaw in digital cell-phone code; Do online payment systems foster money laundering?

  • Two conferences -- Financial Cryptography 97; VRML 97


High court hears CDA arguments

You have probably heard by now about the arguments before the Supreme Court on the Communications Decency Act. The Court granted ten minutes over its traditional hour to hear this historic case. The ACLU had put the session transcript [1] online within hours of the hearing last Wednesday. Wired's coverage [2], which appeared immediately after the hearing, represents the early consensus that the pro-CDA lawyer had a harder time of it. Later coverage in the Washington Post [3] and the New York Times [4] presents a more balanced view of the proceedings. The Court will rule on the CDA's constitutionality by July.

[1] <http://www.aclu.org/issues/cyber/trial/sctran.html>
[2] <http://www.wired.com/news/politics/story/2664.html>
[3] <http://www.washingtonpost.com/wp-srv/national/longterm/supcourt/supcourt.htm>
[4] <http://www.nytimes.com/library/cyber/week/032097decency.html>


Three security bulletins

1. Usenet servers under attack

Unknown crackers are broadcasting forged control messages, normally used in the routine maintenance of Usenet News, across the Internet in an apparently successful attempt to extract sensitive system information from thousands of news servers. For details and examples see this New York Times story [5]; it may not remain online as long as this coverage from PC Week [6]. The attack targets InterNetNews, the software commonly used to manage the flow of Usenet news, and exploits a vulnerability that has been known -- and for which a fix has existed -- for a year and a half. One system administrator who accidentally sent a similar message while analyzing the attack received sensitive files from hundreds of systems around the world. The unknown perpetrators forged their messages so that they appeared to come from David Lawrence <newgroups-request at uunet dot uu dot net>, the moderator of news.announce.newgroups. The Times quotes Lawrence on the possible outcome of the attacks:

This attack could [open] a previously inaccessible site for
shell access. The cracker would have the name of the site,
user names, and possible broken passwords for those sites.

Thanks to Monty Solomon <monty at roscom dot com> for quick notice on this worrying development.

[5] <http://www.nytimes.com/library/cyber/week/031897news.html>
[6] <http://www.pcweek.com/news/0317/17mhack.html>

2. Microsoft sues a cracker

On Monday Microsoft filed suit [7] against Christopher Fazendin, a 23-year-old Minnesota resident who allegedly published a patch on his Web page that defeats the 90-day license timeout of a trial version of MS Office 97. The patch was so widely known and, presumably, widely downloaded that Microsoft went straight to court, skipping the usual courtesy of asking Fazendin to remove it from his page. Thanks to Dan Kohn <dan at teledesic dot com> for passing along this story.

[7] <http://www5.zdnet.com/zdnn/content/pcwo/0318/pcwo0011.html>

3. This week's crop of Microsoft security holes

Note added 1997-06-06: See this table for a summary of all Microsoft security exploits covered by TBTF in 1997.


This is getting boring. If the user community keeps finding Microsoft security glitches at this rate TBTF may go to a scoreboard system. A system administrator at the University of Washington, Aaron Spangler <pokee at maxwell dot ee dot washington dot edu>, sent word of three new security problems in Microsoft software. They all allow an attacker easy ways to record the username and password of unsuspecting users. Spangler found and documented #4 [9], which is browser-independent (it fails using either Netscape Navigator or MSIE on Windows NT). Users in the U.K. and Israel discovered #5 [10] and #6 [11], respectively. The Birnbaum exploit site [11] links an exhaustive and frequently updated compendium [12] of Windows NT security holes; at this writing 50 are listed, most with patches or workarounds.

Bug        Found by          Date   W-95   W-NT   Attacker obtains:
#4 [9]     Aaron Spangler    3/14   no     yes    username, hashed password
#5 [10]    Paul Ashton       3/17   yes    no     username, hashed password, more
#6 [11]    Steve Birnbaum    3/15   no     yes    cleartext password

Note added 1997-03-22: Make that four. A user in Singapore, Tea Vui Huang, has posted a page demonstrating how a site can disable Internet Explorer's built-in security. I'm calling this bug #7. As of this writing (12:52 EST on 3/22), Microsoft has announced [12b] that they are working on a fix for #4, and have not publicly acknowledged #5, #6, or #7.

Note added 1997-03-25: Microsoft has made available a full point release of MSIE, 3.02, that addresses the first three security holes reported. There is still no apparent acknowledgement of the problems #5 - #7 listed above. Previously the company had posted a patch to address #1 - #3 but apparently decided stronger measures were called for, to judge by the open letter [12c] to the Internet community from Microsoft Senior VP Brad Silverberg. In my reading the company blows away much of the credibility and trust it is trying to establish with the following bullet item near the bottom of the letter. In what way does opening a hole in the Java sandbox enhance security?

Note added 1997-03-26: I sent a copy of the above text to secure@microsoft.com, not expecting a reply, and got a detailed answer the next morning. Microsoft has acknowledged bugs #4, #5, and #6 on their Web site and has developed a fix (to the SMB protocol) and released it to industry security experts for review. Microsoft claims that bug #7 is not a security issue, and after closer examination I have to agree: Internet Explorer asks the user who has followed a link to a .reg file whether s/he wants to save the file to disk (the default choice) or to run it. Consequently I have removed #7 from the table above.

[9] <http://www.ee.washington.edu/computing/iebug/>
[10] <http://www.efsl.com/security/ntie/>
[11] <http://www.security.org.il/msnetbreak/>
[12] <http://www.ntsecurity.net/security/exploits.htm>
[12a] <http://www.scv.com.sg/~entea/security/reggap.htm>
[12b] <http://www.microsoft.com/ntserver/info/ntsecurity.htm>
[12c] <http://home.microsoft.com/reading/security.asp>


Three horsemen

Longtime readers of TBTF are acquainted with the Four Horsemen of the Infocalypse [13] -- terrorists, pedophiles, drug dealers, and money launderers -- in the Cypherpunk orthodoxy [14] the government's chosen weapons for trampling strong crypto. Herewith some drumming hoofbeats from three of the four.

[13] <http://shipwright.com/rah/horsemen.html>
[14] <http://www.oberlin.edu/~brchkind/cyphernomicon/>

1. Has strong crypto impeded law enforcement?

Law-enforcement types who argue for limits on encryption technology have been known to claim that crypto interferes with criminal investigations. To my knowledge no documented case of such interference has ever been offered. At the CFP'97 conference Declan McCullagh challenged the Justice Department's Michael Vatis point-blank to name one such instance, and Vatis could not. Now Dorothy Denning <denning at cs dot georgetown dot edu>, a consistent government ally in the crypto wars, and William E. Baugh, Jr. <william.e.baugh.jr at cpmx dot saic dot com> have put out a call [16] for hard data on the question.

[16] <http://www.tbtf.com/resource/horseman-arms.html>

2. Cryptographers find a flaw in digital cell-phone code

Bruce Schneier and three other researchers subjected the once-secret CMEA algorithm, a symmetric cypher with a 64-bit key length, to "simple cryptanalysis." They found a flaw in the algorithm that effectively reduces its key length to 24 or 32 bits; communications encrypted using CMEA (including numbers punched on digital phones, but not voice) can now be broken on a run-of-the-mill PC in seconds or minutes. Details of CMEA were supposed to be a closely guarded secret known only to a small circle of industry engineers, but technical documents were leaked late last year and showed up on the Internet. (A poster to the Cryptography list wrote: "Actually it's worse than that. The documents are available to anybody with $300. I got mine from Global Engineering Documents, then called TIA and asked politely for 'Appendix A'.") This tactic, which the security community scornfully labels "security through obscurity," is hit hard in the researchers' press release: "Our work shows clearly why you don't do this behind closed doors. [We're] angry at the cell phone industry because when they changed to the new technology, they had a chance to protect privacy and they failed." The researchers have posted an account [17] of the exploit, and also host a copy of the New York Times writeup [18] on the affair.

The Times article says that unnamed telecommunications officials fingered the NSA as a source of pressure to weaken the crypto. Yesterday the NSA's Clint Brooks <cbrooks at romulus dot ncsc dot mil> forwarded this official statement (which I saw on Declan McCullagh's FC mailing list):

NSA had no role in the design or selection of the encryption
algorithm chosen by the Telecommunications Industry Association
(TIA). NSA also had no role in the design or manufacture
of the telephones themselves. As we understand the researchers'
claim, it appears that the algorithm selected and the way it
was implemented in the system has led to the stated flaws. NSA
provided the TIA with technical advice on the exportability of
these devices under U.S. export regulations and processes.

A poster to the Cryptography mailing list paraphrased this disclaimer as: "NSA did not openly tell TIA not to use strong crypto in the digital phone standards, and wasn't directly involved in the decision about which uselessly weak cryptographic system in particular they should select."

Today Omnipoint [19] bought page A21 of the New York Times (paper edition) to deliver a "public-service message" to users of wireless phones that the Omnipoint system, based on GSM technology, is not vulnerable to the publicized attack. "Self-serving message" is more like it, though they do have a point: the researchers note [20] that their approach "affects both CDMA and TDMA cellular systems, but not GSM systems."

[17] <http://www.counterpane.com/cmea.html>
[18] <http://www.counterpane.com/cmea-nytimes.html>
[19] <http://www.omnipoint.com/>
[20] <http://www.counterpane.com/cmea-response.html>

3. Do online payment systems foster money laundering?

The Wall Street Journal carried a story that the Financial Action Task Force, a Paris-based group of 26 countries fighting international money laundering, has released a report warning that new Internet payment systems could obviate conventional means of tracking suspect cash. Of particular concern were the "speed, security, and anonymity" achievable with such systems. Under U.S. law financial institutions must report suspicious activity, but it is far from clear whether the law covers Internet payment systems. The American Bankers Association is pushing for uniform regulations for both banks and e-money providers: "Bankers want to see some assurance that if we're told we have to do certain things that our other competitors do, too."


Two conferences

Faithful readers will recall that I had planned to attend the FC'97 conference last month on the Caribbean island of Anguilla. It didn't work out. However, I did make it to Computers, Freedom, and Privacy 97, and I'll write about that in some detail next week.

1. Financial Cryptography 97

These notes on FC'97 [21] were written especially for TBTF by Wired magazine's correspondent Charles Platt. Also online is an account [22] of the gathering by Alex van Someren, who is a founder and managing director of nCipher Corporation Ltd. The piece has an endnote by Duncan Goldie-Scot, founder and publisher of Banking Technology and Online Finance.

[21] <http://www.tbtf.com/resource/anguilla-cp.html>
[22] <http://www.live.co.uk/ftvfr397.htm>

2. VRML 97

Greg Roelofs <roelofs at prpa dot philips dot com> attended the Virtual Reality Markup Language symposium last month in Monterey, CA. He writes: "It was loads of fun, especially eating seafood while wandering around the Monterey Bay Aquarium." (Roelofs was raised in the middle of the continent where any seafood he saw, at best, had just gotten off an airplane; he lives on the west coast now.) His trip report [23] appears on the TBTF archive by special arrangement. Roelofs is one of the developers of the Portable Network Graphics spec. He notes, "Ironically, there's much better support for PNG in Web browsers than in VRML 2 browsers, despite its being a requirement for minimal VRML 2 conformance."

[23] <http://www.tbtf.com/resource/vrml97-gr.html>


javElink: Web notification done right

This site is unusual in a number of ways: javElink [24] is just out of beta and all the links work. The interface is simple, pleasing, and speedy. There's complete documentation and help, with nary a typo or grammo to mar the polish. Site organization and navigation could scarce be improved.

javElink aims to clue you as to when, whether, and how much the Web pages you care about have changed. You create a private, password-protected checklist of pages and folders of pages (which you can jump-start by uploading a Netscape bookmark file); javElink monitors each page and summarizes the changes to your personal checklist in a unique, flexible, and intuitive tabular / graphical format. You can find out what's changed, and the degree of change, from any Web browser at any time. You can group pages in folders and for each one javElink will accumulate the composite change score of the contained pages. The site requires no plugins, no Java or ActiveX (the name javElink derives from "javelin") -- it's all just HTML and CGI written in perl.

For now the service is free; soon a monthly charge will kick in. The current thinking is that a fee of $15 to monitor up to 50 Web pages will appeal to thousands of users with a serious need to keep on top of rapidly changing information -- lawyers, journalists, executives, developers, webmasters.

And there's a gimmie: if you use Netscape Navigator you can store your bookmarks for free on the javElink site, in a private area, and access them from anywhere. You don't have to pay for an account to take advantage of this convenience.

I talked to the javElink creators, Julie Stock <jstock at ingetech dot com> and Gary Stock <gstock at ingetech dot com> of InGenius Technologies. They're old pros at the entrepreneurial game and seem to have put together a well thought-out, professionally run business. Their initial offering is quite impressive. Do give it a look.

[24] <http://www.javelink.com/>


Followup: Another way to view commercial flights

TBTF for 1996-12-14 [25]

The Department of Transportation hosts an Aircraft Situation Display page [26] that provides a near-realtime display of air traffic in and around the U.S. (Factoid: 61,000 people on average are airborne over the U.S. at any one time.) You can zoom in; you can color-code all the flights in the air approaching and/or departing any airport of interest; you can click on a single plane for its flight details. The site can be slow -- be thankful that air-traffic control isn't handled over the open Internet.

[25] <http://www.tbtf.com/archive/1996-12-14.html>
[26] <http://tms1.vntsc.dot.gov/docs/asd.html>



Three questions of naming

1. NSF mulls taking back the business of naming domains

Despite the Clinton administration's comforting-sounding policies to keep hands off the Internet -- as enunciated at CFP'97 by keynote speaker Ira Magaziner, a senior advisor to the President -- the government continues to speak with many voices on Net issues. An example is the recent trial balloon floated by the National Science Foundation questioning whether the government should retake the domain-naming business when the current NSI contract expires next year. The question was broached in a confidential report to the NSF's oversight agency. The only online account I have found is this one at Network World's Fusion site [27] -- to view it you will have to sign up for a free account, a lengthy process, and request article #1032.

[27] <http://www.nwfusion.com/>

2. NSI registers its one-millionth domain name

Bonnyview.com was registered to the owners of the Bonny View Cottage Furniture company in Michigan, USA. A year ago there were 306,000 active domain names, 18 months ago only 120,000. Today NSI registers on average 3,000 new names a day. Herewith a compressed and selective history of domain names.

01 Jan 85   com               first day of domain registration
   Mar 85   symbolics.com     first computer company domain (emended)
24 Apr 85   cmu.edu
24 Apr 85   bbn.com
24 Apr 85   ucla.edu
23 May 85   mit.edu
10 Jul 85   mitre.org
30 Sep 85   dec.com           first minicomputer company domain
04 Oct 85   stanford.edu
17 Jan 86   sri.com
19 Mar 86   sun.com
19 Mar 86   ibm.com
25 Apr 86   att.com
05 Nov 86   nsf.net
19 Feb 87   apple.com
14 May 87   cisco.com
02 Jun 88   apollo.com
26 Jul 90   interop.com
26 Feb 91   atria.com
02 May 91   microsoft.com
10 Jan 94   infoseek.com      First commercial Internet search company
01 Jun 94   mcom.com          "Mosaic Netscape Communications"
15 Dec 94   netscape.com
18 Jan 95   yahoo.com
13 Apr 95   lycos.com
   Apr 95                     toys-r-us sues rru.com over "roadkills-r-us" [28]
20 Apr 95   compaq.com
05 Jun 95   impatiens.com
15 Aug 95   buchanan96.org    "Satire Online" [29]
16 Aug 95   underarm.com      One of 44 registered to Procter & Gamble [30]
18 Sep 95                     InterNIC begins charging for registration
23 Feb 96   tbtf.com
24 Aug 96                     IANA issues plan for new top-level domains
22 Oct 96                     ISOC sidelines IANA plan, announces IAHC
01 Nov 96   m1crosoft.com     note numeral one in place of letter i
02 Nov 96   micr0soft.com     note numeral zero in place of first letter o
12 Nov 96                     Int'l Ad Hoc Committee members named
22 Dec 96                     IAHC plan published
11 Jan 97                     IAHC plan drawing fire
25 Feb 97                     IANA, IAHC sued by ".web"
04 Mar 97                     eDNS proposes takeover of namespace

[28] <http://www.tbtf.com/archive/1996-05-05.html>
[29] <http://www.tbtf.com/archive/1995-09-03.html>
[30] <http://www.tbtf.com/archive/1996-12-02.html#s09>

3. Elements 104 to 109

News has come to Harvard [31] of six new elements, recently endowed with their official names.

From AIP Physics Update (1997-03-06):

The names of elements 104-109 have finally been accepted by
nuclear scientists and certified by the International Union
of Pure and Applied Chemistry. The delay over the names was
caused partly by rival claims to priority; the pertinent
experiments rendered mere handfuls of atoms. Physics and
chemistry students worldwide will now have to memorize the
following additions to the Periodic Table:

   Rutherfordium     Rf      104
   Dubnium           Db      105
   Seaborgium        Sg      106
   Bohrium           Bh      107
   Hassium           Hs      108
   Meitnerium        Mt      109

[31] <http://www.keaveny.demon.co.uk/lehrer/elements.htm>


This week's TBTF title comes from the song "The Chemical Elements" [31] by Tom Lehrer, one-time mathematics professor at Harvard College. It's sung to the tune of Gilbert & Sullivan's "I Am the Very Model of a Modern Major General."


1. For a complete list of TBTF's (mostly email) sources, see <http://www.tbtf.com/sources.html>.

2. E.Commerce Today -- this commercial publication provided background information for some of the pieces in this issue of TBTF. For complete subscription details see <../resource/E.CT.txt>.

3. FC -- mail fight-censorship-announce-request@vorlon.mit.edu without subject and with message: subscribe . Web home at <http://www.eff.org/~declan/fc/>.

4. Cryptography -- mail majordomo@c2.net without subject and with message: subscribe cryptography [ your@email.address ] .

5. AIP Physics Update -- mail listserv@aip.org without subject and with message "add physnews" . Searchable archive at <http://newton.ex.ac.uk/aip/>.

TBTF home and archive at <http://www.tbtf.com/>. To subscribe
send the message "subscribe" to tbtf-request@world.std.com. TBTF is
Copyright 1994-1997 by Keith Dawson, <dawson dot tbtf at gmail dot com>. Com-
mercial use prohibited. For non-commercial purposes please forward,
post, and link as you see fit.
Keith Dawson    dawson dot tbtf at gmail dot com
Layer of ash separates morning and evening milk.



Copyright © 1994-2017 by Keith Dawson. Commercial use prohibited. May be excerpted, mailed, posted, or linked for non-commercial purposes.

Most recently updated 2000-10-21