TBTF for 1997-04-21: The hooks and hingles of the world

  • IAHC domain-naming plan advances as opposition mounts -- The forces are lining up for and against the international group's plan; bureaucrats in the U.S. and Europe say they want to play, too

  • Security news -- ODBC security hole opened in MS Office 97; AOL's version of Internet Explorer still not fixed; RPK: a public-key cryptosystem from New Zealand

  • Online commerce -- DigiCash e-cash expands its reach; SETback; Jack Rickard on AOL's death spiral

  • Hacks -- Sun suborned an ActiveX hack; You're in a miasma of twisty paranoias, all alike

  • Physics -- Back to the Oort Cloud; The hooks and hingles of the world

IAHC domain-naming plan advances as opposition mounts

On 4/8 the Internet Society endorsed [1] the IAHC's plan for expanding the universe of global top-level domains. The plan has also won backing from Digital, AT&T, MCI, and UUnet, as well as the UN, WIPO, WTO, and the ITU. Later this month the IAHC plans to meet in Geneva, under ITU auspices, to sign a memorandum of understanding with some three dozen organizations, including some unnamed European telecomm agencies.

Also on 4/8 the New York Internet company PGP Media (no relation to PGP, Inc.) filed a restraint-of-trade lawsuit [2] against Network Solutions, the current monopoly issuer of global TLDs. PGP Media has set up a registry called "name.space" under the renegade Extended Domain Naming System plan (see TBTF for 1997-03-09 [3]).

And on 4/14 NSI launched a campaign against the IAHC plan [4], [5]. Under the IAHC proposal NSI would lose its monopoly control over .com, .org, and .net when its contract with the U.S. government expires in 1998. NSI has released two drafts on the way to its own plan for gTLDs. A draft dated 4/10 called for the FCC to assert interim control over the Internet; this idea was dropped, possibly as a result of public outcry, according to Declan McCullagh. The 4/15 draft is quite similar to the eDNS proposal [3]; in fact the head of NSI and the chief proponent of eDNS were both quoted as saying they hoped to come up with a combined proposal soon.

In what may be the most worrisome development for the future of Net self-regulation, both the White House and the OECD have convened task forces to look at issues of Internet naming and numbering [6]. The OECD is expected to declare domain names an issue of critical importance to member countries and to urge that governments set a framework in this area.

Stop Press

Note added 1997-04-24: Declan McCullagh <declan at well dot com> distributed late-breaking news over his fight-censorship mailing list: The European Community has weighed in against the IAHC plan. In a meeting [6a] with European domain-name administrators on 4/9 the EC urged them not to go along with the plan. Considerable criticism of the plan was voiced at this meeting, particularly its US-centrism and the lack of time for adequate review and input. You can find details in the Communications Week International article "Europe demands halt to U.S. domain name plans" [6b] by Kenneth Cukier. For an account of the 4/9 meeting by one of the participants see [6a].

In another late development, c|net on 4/23 carries news [6c] that the National Science Foundation has made an abrupt exit from the domain-name fray, catching the White House by surprise. The NSF offered strong encouragement to the IAHC plan at the expense of the rival plans of NSI and eDNS.

Asked to comment on these developments, IAHC member Dave Crocker <dcrocker at brandenburg dot com> said:

"There's a lot of over-interpretation going on concerning the recent public comments by various agencies. Keep watching the [IAHC] signatories page. It's the best indicator of continuing acceptance."

Security news

1. ODBC security hole opened in MS Office 97

The Trace facility in ODBC 3.0 (the Open Database Connectivity API), augmented for the release of Microsoft Office 97, now reportedly permits anyone who walks up to a logged-in computer running Windows 95 to see a record of all ODBC database accesses from that machine, including users' names and passwords in clear text [7]. (The recipe is Start, Settings, Control Panel, ODBC, Trace.) The problem was brought to light by Dan Gordon, a consultant working with an unnamed manufacturing company in the northwestern U.S. Gordon called the new feature "a massive, monstrous security hole" and claims that ODBC passwords can even be captured from another machine over the network. Microsoft's initial response was cautious [8]; at this writing (two days after the first press reports) there is nothing on their security site about this problem, and a search of the MS Knowledge Base for "ODBC 3.0 Trace" turns up only a single unrelated article.
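The hole described above is a logging problem: the ODBC trace file records every connection string, and connection strings carry the UID= and PWD= keywords in clear text. A defender who cannot yet turn tracing off on every machine wants two things from such a file: a quick audit of which DSNs and accounts have had their passwords written to disk, and a redacted copy that can be shared with a help desk. The script below, added here as an example and not part of TBTF or of Microsoft's ODBC, does both. The trace line layout in SAMPLE_TRACE is constructed for the example; only the UID/PWD keyword names are standard ODBC, and the exact format of a real SQL.LOG may differ.

```python
import re

# Constructed sample in the spirit of an ODBC trace log. The line layout is an
# assumption for this example; a real trace file may be laid out differently.
SAMPLE_TRACE = """\
MSACCESS        1a4:1b8    ENTER SQLDriverConnectW
    HDBC                0x00810f10
    HWND                0x00000000
    WCHAR *             "DSN=Payroll;UID=jsmith;PWD=s3cret!;DATABASE=HR"
MSACCESS        1a4:1b8    EXIT  SQLDriverConnectW  with return code 0 (SQL_SUCCESS)
EXCEL           2c0:2d4    ENTER SQLConnectW
    WCHAR *             "DSN=Sales;Trusted_Connection=yes"
EXCEL           2c0:2d4    ENTER SQLExecDirectW
    WCHAR *             "SELECT name FROM employees"
"""

# Any double-quoted string in the trace is a candidate connection string.
QUOTED_RE = re.compile(r'"([^"]*)"')
# Connection-string keys whose values should never leave the machine.
SENSITIVE_KEYS = {"pwd", "password", "uid", "user id", "user"}


def parse_connection_string(s):
    """Split 'K=V;K=V' into a dict with lower-cased keys.

    Returns {} if any ';'-separated part lacks '=', i.e. the string is
    something else (a SQL statement, a plain message) rather than a
    connection string.
    """
    pairs = {}
    for part in s.split(";"):
        if "=" not in part:
            return {}
        key, value = part.split("=", 1)
        pairs[key.strip().lower()] = value.strip()
    return pairs


def find_exposed_credentials(trace_text):
    """Return (line_no, dsn, uid) for every trace line carrying a clear-text password."""
    findings = []
    for line_no, line in enumerate(trace_text.splitlines(), 1):
        for m in QUOTED_RE.finditer(line):
            pairs = parse_connection_string(m.group(1))
            if "pwd" in pairs or "password" in pairs:
                findings.append((line_no, pairs.get("dsn"), pairs.get("uid")))
    return findings


def redact_trace(trace_text):
    """Return a copy of the trace with sensitive connection-string values replaced by ***."""
    def redact_match(m):
        if not parse_connection_string(m.group(1)):
            return m.group(0)          # not a connection string: leave untouched
        out = []
        for part in m.group(1).split(";"):
            key, value = part.split("=", 1)
            if key.strip().lower() in SENSITIVE_KEYS:
                out.append(f"{key}=***")
            else:
                out.append(part)
        return '"' + ";".join(out) + '"'
    return QUOTED_RE.sub(redact_match, trace_text)


if __name__ == "__main__":
    for line_no, dsn, uid in find_exposed_credentials(SAMPLE_TRACE):
        print(f"line {line_no}: clear-text password for DSN={dsn} UID={uid}")
    print(redact_trace(SAMPLE_TRACE))
```

The audit function reports the Payroll connection on line 4 and stays silent on the trusted-connection and SELECT lines, because neither carries a PWD keyword; the redactor keeps the SQL statement intact while blanking both the user name and the password. Redaction is a stop-gap for files already written; the fix is to disable tracing (the Trace tab named above) and to treat any existing trace file as a credential leak.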

Note added 1997-06-06: See this table for a summary of all Microsoft security exploits covered by TBTF in 1997.

2. AOL's version of Internet Explorer still not fixed

News [3] of security problems with MSIE is nearly two months old, and the availability of Microsoft's fixed version, 3.02, is not much younger. But the roughly 200,000 America Online members who use a browser derived from MSIE 3.0 still do not have a fix [9]. As of 4/11 an AOL spokesman said the company was testing a fixed version.

[9] <http://www.news.com/News/Item/0,4,9620,00.html>

3. RPK: a public-key cryptosystem from New Zealand

Last December a new contender emerged in the international business of encryption. RPK is a New Zealand-based company with a presence in Silicon Valley. For several years it has been working on a cryptosystem based on some of the same mathematics that underlies Diffie-Hellman key distribution (discrete exponentiation over multiple finite fields). The technology is believed by its developers to be unencumbered by existing patents; and RPK has applied (two years since) for patents both in New Zealand and internationally. See [10] for a high-level introduction to the RPK cryptosystem. [11] summarizes its main distinguishing characteristics and [12] introduces its technical concepts. RPK is said to be speedy compared to established methods such as RSA and to be particularly well suited for implementing in silicon. The cryptosystem is believed to offer security equivalent to that of other modern systems. While RPK's strength cannot be directly compared with that of RSA -- any comparison based on key lengths is especially misleading -- the company offers some guidelines [13] to gauge how computationally difficult the system might be to crack.

Its developers acknowledge that RPK has not been examined or tested to nearly the same degree as other systems such as RSA. To expand RPK's base of trustworthiness the company is offering an ongoing "SafeCracker Challenge" [14] in which interested parties are given 60 days to extract either a secret message or the secret key with which it was encoded, for a prize of $3,000.
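The mathematics the RPK material refers to is discrete exponentiation in a finite field, which is easiest to see in the plain Diffie-Hellman exchange the page names. The following is an added illustration of that exchange and is not RPK's algorithm or code; RPK's own construction is described only in the company's documents [10]-[12]. The modulus and base are constructed toy values (2^127 - 1 is a Mersenne prime, far too small for real use), and the peer-value check is the one a practitioner would add before trusting a public value received over the wire.

```python
import secrets

# Toy parameters, constructed for this example: a 127-bit Mersenne prime
# and a small base. Real deployments use much larger, standardised groups.
P = 2**127 - 1
G = 3


def dh_public(private):
    """Public value g^x mod p; pow() does square-and-multiply."""
    return pow(G, private, P)


def valid_peer_value(peer_public):
    """Reject 0, 1 and p-1: values that collapse the shared secret."""
    return 1 < peer_public < P - 1


def dh_shared(private, peer_public):
    """Shared secret peer_public^x mod p, refusing degenerate peer values."""
    if not valid_peer_value(peer_public):
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, P)


def new_private():
    """Random exponent in [1, p-2]."""
    return secrets.randbelow(P - 2) + 1


def exchange():
    """Run one exchange and return (alice_secret, bob_secret); they must agree."""
    a, b = new_private(), new_private()
    big_a, big_b = dh_public(a), dh_public(b)
    return dh_shared(a, big_b), dh_shared(b, big_a)


if __name__ == "__main__":
    ka, kb = exchange()
    print("agree:", ka == kb, hex(ka)[:18] + "...")
```

Both sides compute g^(ab) mod p without either private exponent crossing the wire; the system's security rests on the difficulty of recovering a from g^a mod p, which is why, as the text notes, comparing "key lengths" across unrelated systems says little about relative strength.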

Online commerce

1. DigiCash e-cash expands its reach

DigiCash [15] announced that the largest banks in Norway and Austria, Den norske Bank and Bank Austria, have decided to issue e-cash [16]. Deutsche Bank and Advance Bank of Australia are now in the final implementation stages, and banks in the U.S. and Finland have fully operational programs that will convert e-cash to and from the local legal tender.

2. SETback

The much-delayed SET spec for online commerce by credit card, championed by Visa and MasterCard, will be delayed a further six weeks [17]; version 1 is now scheduled for release on May 30. Confusion reigned after Steve Mott, a MasterCard vice president, disclosed the delay, because he seemed to have said that SET v1.0 when it emerges will be cryptographically vendor-neutral, abandoning the required use of RSA encryption. Later accounts [18] clarified that he had been talking about plans for v2.0 of the SET spec, which will be opened up to allow other cryptosystems, for example RPK (see above) or Certicom's ECC [19], [20]. Mott did say that MasterCard has experimented with using non-RSA encryption in SET. The push for vendor-neutral encryption arises from performance concerns with the RSA algorithm, especially in computationally challenged environments such as smart cards.

IBM for one won't wait for the final spec. On 4/9 the company announced [21] version 2 of its Net.Commerce server for shipment on May 30, with what IBM calls the first commercial implementation of SET built in -- though clearly it cannot now be the final spec.

3. Jack Rickard on AOL's death spiral

I recommend Mr. Rickard's editorial [22] in the March Boardwatch magazine. It covers a lot of ground, including one of the more sensible proposals I've read on how xDSL broadband technologies can spread rapidly and succeed -- implemented by ISPs, and emphatically not by telephone companies. Mr. Rickard also presents a closely reasoned essay on why, in his view, America Online is now doomed to sink from sight, dragging a fair chunk of the Internet's infrastructure down with it. A sample:

Had Mr. Case [CEO of AOL] the use of a pocket calculator and
anyone within forty miles with a clue, he no doubt would have
noted that dial-up Internet access with flat billing rates
spirals toward a ratio of 10 users per modem port... Across
3,640 Internet service providers, we find the extant ratio
to be 9.26:1. This isn't a guess, it's the reported numbers
of customers and modem ports... Mr. Case it would appear went
to flat rate service with... a ratio of 30.769 customers to
each well-lit modem port.

[22] <http://www.boardwatch.com/MAG/97/MAR/bwm1.htm>



Hacks

1. Sun suborned an ActiveX hack

During his keynote address at Sun's JavaOne conference earlier this month, CEO Scott McNealy invited an expert, Fred McLain, to demonstrate how Microsoft's ActiveX technology could be abused. McLain downloaded a signed ActiveX control that then took over his machine and rifled its files for personal financial information. The point of course was to highlight the security advantages of Java technology. The recent focus on Microsoft security issues all but guaranteed that the exploit would get ink in the press and attention in the newsgroups. The fact that you can make an ActiveX control behave so badly is hardly news. What makes the story interesting is that Sun paid McLain to develop the malicious control [23] -- a considerable escalation in a marketing battle that was already near the level of a barroom brawl. Microsoft emerged with dignity, Sun less so, in my opinion.

[23] <http://www.news.com/News/Item/0,4,9390,00.html>

2. You're in a miasma of twisty paranoias, all alike

Netsurfer Digest (1997-04-13) carried this convoluted if cautionary tale:

A particularly elegant bit of trickery is winding its way through a
favorite newsgroup near you. It appears in the form of a
provocative HTML message excitedly proclaiming that "PGP Has
Been Cracked!" and gives you a link to click for more in-
formation. In reality, the link leads to the Telnet (25) or
NNTP (119) ports of a certain ISP, where the really elegant
part comes in. It appears that this provider regards your
attempt to access these ports as an attempted hack. Further-
more, it is quite anal about complaining to your own ISP that
you tried to break into their machines. A clueless netsurfer
(that would be you) could lose his account if his own ISP is
of the "kick off first, ask questions later" school of cus-
tomer service. How this great mind hack plays on the paranoia
of all involved is what so enthralls us.

NetSurfer Digest failed to mention another wrinkle to the hoax: the message appeared to be PGP-signed by the legendary Usenet prankster Kibo (who was in fact uninvolved). The ISP in question is Fred Cohen of all.net. TBTF visited the subject of his controversial "zero tolerance" security policies last year [24], [25] -- policies that make all.net a lightning rod for cracker "distributed social engineering." RISKS for 1997-04-17 carried a note from Cohen disclaiming that he had ever written a 5-line program to crack PGP. Thank goodness for that.
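The hoax works because a newsreader will happily follow an HTML link to a telnet or NNTP port on someone else's machine, and the victim's outbound connection then looks like a probe. The check a client or a mail gateway can apply is simple: before following a link, look at its scheme and port and refuse or flag anything that is not an ordinary web URL. The scanner below is an added example, not code from Netsurfer Digest, TBTF or any real newsreader; SAMPLE_HTML is a constructed message in the spirit of the one described, and the scheme and port lists are this example's own choices.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message modelled on the hoax described in the text.
SAMPLE_HTML = """
<p>PGP Has Been Cracked! <a href="telnet://isp.example.net:25/">Read more</a></p>
<p>Also: <a href="news://isp.example.net:119/alt.security.pgp">discussion</a>,
and a normal link to <a href="http://www.example.org/news">the news</a>.</p>
"""

# Schemes and ports a news or mail client should not follow silently.
# Both sets are assumptions chosen for this example.
RISKY_SCHEMES = {"telnet", "news", "nntp", "file"}
RISKY_PORTS = {21, 22, 23, 25, 110, 119, 143}


class LinkCollector(HTMLParser):
    """Collect href attributes of <a> tags, in document order."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def classify_link(href):
    """Return a short reason if the link is suspicious, else None."""
    parts = urlsplit(href)
    scheme = parts.scheme.lower()
    if scheme in RISKY_SCHEMES:
        return f"non-web scheme {scheme}"
    try:
        port = parts.port            # None when no explicit port is given
    except ValueError:
        return "malformed port"
    if port in RISKY_PORTS:
        return f"port {port}"
    return None


def suspicious_links(html):
    """Return [(href, reason)] for every link in the message worth warning about."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.links:
        reason = classify_link(href)
        if reason:
            findings.append((href, reason))
    return findings


if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_HTML):
        print(f"warning: {href} ({reason})")
```

Run against the sample, the scanner flags the two lure links and passes the ordinary http link. An http URL that smuggles a sensitive port (http://host:119/) is caught by the port rule, since the harm comes from the connection, not the scheme written in the message.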

Physics

1. Back to the Oort Cloud

The friendliest comet this century is receding now, harder to see night by night in the light of the waxing moon but still visible on a clear night anywhere outside of a major city. Two days ago astronomers reported a third tail to Hale-Bopp, this one composed of pure sodium and extending at an angle to the other two tails (one of dust and one of gas), straight as a geometer's line.

From AIP Physics (1997-04-16):

SPRINGTIME FOR COMET HALE-BOPP. Now past its prime in the dusk
sky, Hale-Bopp was first spotted two years ago as far away as
seven astronomical units, allowing astronomers to observe the
thawing process at an earlier stage than is usual for comet
watches. This in turn permitted the detection of trace species
not before seen on comets, such as SO2 and H2CS. What else do
we know? First of all, the size of the comet nucleus is esti-
mated to be 27-42 km, at least three times bigger than that of
Comet Halley. Of the cometary products vaporized on the inward
trip toward the sun, the chief gases are H2O, CO, and CO2,
which seem to be the main constituents of interstellar ice as
well. Dust jets are rich in crystalline olivine, and dust
production in general was more than 100 times stronger than
with Halley at comparable distances. Variations in the vented
jet activity will be used to determine Hale-Bopp's rotation
rate. Chemical composition suggests that the comet comes from
the Oort Cloud rather than the Kuiper Belt.

2. The hooks and hingles of the world

After studying polarized light coming to Earth from 160 galaxies, some as distant as 7 billion light years, physicists John Ralston and Borge Nodland claim that the universe isn't the same in all directions. Their paper will be published today in the journal Physical Review Letters. You can glean insight into this result from Nodland's page [26] "A Peek into the Crystal Ball of an Anisotropic Universe"; it's rather dense technically for those not conversant with astrophysics and cosmology. (The New York Times site on Friday featured a masterful example of science journalism on the subject but the article appears not to be available any longer.)

The effect manifests itself by rotating the polarization plane of radiation coming from some directions more than others. It's as if the universe has a grain like a block of wood. The effect acts in some ways like the "spin" of an elementary particle; it's as if the universe has a rotation axis. From Earth the preferred direction, the hooks and hingles of the world, falls on a line between the constellations Sextans and Aquila.

Note added 1998-10-21: Daniel J. Eisenstein and Emory F. Bunn have pointed out an error in the Ralston-Nodland paper in their note Comment on the Appropriate Null Hypothesis for Cosmological Birefringence [26a], published in Physical Review Letters (vol. 79, p. 1957). The interpretation cited above is not now believed to be valid.

Ah well, at least I got a durn fine TBTF title out of it.

