
TBTF for 1998-03-23: Chaffing and winnowing

Keith Dawson ( dawson dot tbtf at gmail dot com )
Mon, 23 Mar 00:43:16 -0400


Contents

  • The emergent behavior of bugs -- Microsoft says this bug is no biggie. Begging to differ...

  • A modest Macintosh survey -- Are TBTF readers more loyal to their Macs than industry averages?

  • Fifth Certicom challenge (ECCp-97) falls -- Harley and his brave band of Linux Alphas do it again

  • Crypto policy -- US crypto fight's profile is rising; DoJ won't seek mandatory back doors in domestic crypto -- yet; Sun delaying shipment of Elvis+ strong crypto; But Network Associates goes around the rules

  • Nommage -- French up in arms over proposed US hegemony; The price of .com is going down; AlterNIC's Kashpureff pleads guilty; A history of domain name developments

Confidentiality without encryption

One of the fathers of modern public-key crypto comes up with a third way

If you want to communicate confidentially, until last week you had two choices: encryption or steganography [1]. Now Ron Rivest, the "R" in RSA, has given us a third. Called "chaffing and winnowing," Rivest's scheme [2] allows two people who share an authentication key to achieve high levels of confidentiality without using encryption at all. Furthermore, a third party between the communicating pair can add arbitrary levels of security to the communication without even knowing any authentication key, and without either the knowledge or consent of the communicating parties.

To put this technique to use is to reveal US crypto export law for the mockery it is. Rivest says, "As usual, the policy debate about regulating technology ends up being obsoleted by technological innovations."

Here is Rivest describing the "man in the middle" who does two parties the favor of securing their communication.

Charles' computer, for whatever reason, then adds "chaff" packets to the packet sequence from Alice to Bob. All of a sudden, Charles' activities provide a very high degree of confidentiality for the communications between Alice and Bob! Alice's and Bob's software have not been modified in the least to achieve this confidentiality! Charles does not know the secret authentication key used between Alice and Bob! Alice and Bob did not even want or care to have confidential communications! Charles is not using encryption and does not know any encryption key! Amazing!

Read Rivest's paper [2]. This is important.

[1] http://www.thur.de/ulf/stegano/
[2] http://theory.lcs.mit.edu/~rivest/chaffing.txt
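
The exchange described above, sketched as an added example (not code from Rivest's paper or from TBTF). It follows the one-bit-per-packet form of the scheme in [2]; the packet layout (serial, bit, MAC), HMAC-SHA256 as the MAC, and all function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

MAC_LEN = 32  # HMAC-SHA256 tag size; the MAC algorithm is this example's choice

def mac(key: bytes, serial: int, bit: int) -> bytes:
    """Authenticate (serial, bit); only a key holder can compute this tag."""
    msg = serial.to_bytes(8, "big") + bytes([bit])
    return hmac.new(key, msg, hashlib.sha256).digest()

def to_bits(data: bytes) -> list:
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]

def from_bits(bits: list) -> bytes:
    out = bytearray()
    for i in range(0, len(bits), 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)

def alice_send(key: bytes, message: bytes) -> list:
    """Alice sends every bit in the clear with a valid MAC ("wheat")."""
    return [(s, b, mac(key, s, b)) for s, b in enumerate(to_bits(message))]

def charles_add_chaff(packets: list) -> list:
    """Charles has no key: for each packet he adds one carrying the
    complementary bit and a random tag, in random order ("chaff")."""
    out = []
    for serial, bit, tag in packets:
        pair = [(serial, bit, tag),
                (serial, 1 - bit, secrets.token_bytes(MAC_LEN))]
        if secrets.randbits(1):
            pair.reverse()
        out.extend(pair)
    return out

def bob_winnow(key: bytes, packets: list) -> bytes:
    """Bob keeps only packets whose MAC verifies and drops the rest."""
    wheat = {}
    for serial, bit, tag in packets:
        if hmac.compare_digest(tag, mac(key, serial, bit)):
            wheat[serial] = bit
    return from_bits([wheat[s] for s in sorted(wheat)])

def eavesdropper_view(packets: list) -> dict:
    """Without the key, an observer sees both bit values for each serial."""
    seen = {}
    for serial, bit, _tag in packets:
        seen.setdefault(serial, set()).add(bit)
    return seen

if __name__ == "__main__":
    key = secrets.token_bytes(32)      # constructed shared authentication key
    wire = charles_add_chaff(alice_send(key, b"Hi Bob"))
    print(bob_winnow(key, wire))       # Bob recovers the message
    print(eavesdropper_view(wire)[0])  # observer sees both 0 and 1 for bit 0
```

Confidentiality here rests on an observer being unable to tell a valid MAC from a random string without the key; Bob's winnowing step is the MAC check any authenticating receiver already performs.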

______

Java in turmoil

Microsoft, HP, and Sun itself deliver body blows to standardized Java

Sun's JavaOne conference runs in San Francisco this week, and the world of Java could hardly be more fragmented. Microsoft is causing some of the trouble, of course, announcing development tools that tie its version of the language ever more tightly to the Windows platform [3], [4] -- a strategy dubbed "Write Once, Run on Windows." (Don't need Java for that.) The Department of Justice is reportedly examining Microsoft's behavior in its Java dispute with Sun [5]. Microsoft also, as expected, refused to endorse the industry-wide Enterprise JavaBeans spec [6], a server-side object component model.

The more unexpected moves towards a balkanized Java came from HP and, mystifyingly, from Sun itself.

When HP wanted a Java implementation that could work in consumer electronic devices such as PDAs and printers, it protested Sun's inflexible licensing terms and development policies. HP decided to roll its own [7], and is now marketing a clean-room implementation of the Java spec, which in deference to Sun's trademark will be termed "Java compliant," but not "Java compatible." Care to guess who was first in line to license HP's embeddable Java? Why Microsoft, of course, for use in its Windows CE machines (just say "Wince").

Finally, Sun itself has announced [8] Java extensions for 3D that will run on only a few platforms: its own Solaris, Irix, and Macintosh. The reason for the limitation is Sun's use of the OpenGL graphics library. VRML and 3D developers are puzzled; one said "If Microsoft pulled something like this [with Java], Sun would be screaming bloody murder." Sun argues that the rules covering the Java extensions, including 3D, are different than those for core Java. Technically true but politically dubious.

C|net has special coverage [9] of the chaos swirling around Java.

[3] http://www.news.com/News/Item/Textonly/0,25,19794,00.html?pfv
[4] http://www.news.com/News/Item/Textonly/0,25,19962,00.html?pfv
[5] http://www.news.com/News/Item/Textonly/0,25,20324,00.html?pfv
[6] http://www.techweb.com/news/story/TWB19980320S0012
[7] http://www.techweb.com/news/story/TWB19980320S0004
[8] http://www.news.com/News/Item/Textonly/0,25,20207,00.html?pfv
[9] http://www.news.com/News/Item/Textonly/0,25,20290,00.html?pfv

______

Intel's Merced locking out free OSs

"I do not believe that FreeBSD or Linux or any other free operating system will be quickly ported to the Merced, if ever" -- a FreeBSD developer

On 3/9 Ralph Nader sent letters to six PC makers urging them to offer more operating-system choices [10]. Here is Compaq's letter [11]. Nader suggested that they offer hardware configurations pre-installed with Linux, BeOS, or Rhapsody, in addition to Windows. I haven't seen any reaction from the PC makers to Nader's request, but I would be amazed if any of them dared a move so inimical to Microsoft's interests. Meanwhile Intel is busily rendering Nader's desire for OS choice more elusive in the future.

Intel's 64-bit Merced chip, expected to be available in 1999, is a bandwagon everybody wants to jump onto [12]. Sun, HP, SCO, and DEC all aspire to the title of preeminent Unix implementation on Merced, in the process winning market share away from the common enemy, NT. Intel is allowing development on Merced only under non-disclosure agreement, which means that Linux and FreeBSD are excluded from the start. Further, Merced fits into the so-called PC98 architecture -- another name for the I2O bus [13] -- and the I2O spec is closed to non-members of an exclusive club. See this discussion thread [14] on the closed I2O spec, carried on slashdot.org last week.

[10] http://www.msnbc.com/news/151801.asp
[11] http://www.essential.org/antitrust/ms/compaq.html
[12] http://www.zdnet.com/zdnn/content/pcwo/0316/294991.html
[13] http://www.tbtf.com/archive/1997-08-04.html#s04
[14] http://206.150.185.149/slashdot.cgi?mode=article&artnum=1009

______

Single point of failure

Corrupted your NT registry? Slit your wrists now

Two recent articles posted on the Risks forum highlight single points of failure for NT networks. In the first instance a 12-hour outage cost a large manufacturing company $10M.

From Risks 19.60 [15]:

The recent power fluctuations here in [placename] corrupted the NT registries in our [server-community-names]. As a result, our entire NT network (>10K machines) is down... Once the registries got corrupted, the databases of user signons went, too. And, of course, the tape backups won't load because NT requires a timestamp somewhere in the guts that the tape image doesn't match to the clock. So every NT server, and most NT workstations, won't do anything except local work... [To recover,] every desktop user will have to delete/disable their .pwl file to be able to get back on the network, because that file hard-codes which domain server they are on. However, if they do that, they can then not get into any other service on their desktop for which they've stored the password, because they're all in that file.

From Risks 19.61 [16]:

I got a mail bounce from a friend locally, so I called to find out what was up. Seems that, over the weekend, someone broke in and stole a computer. Turns out it was the MS Exchange server. For the whole company.

[15] http://catless.ncl.ac.uk/Risks/19.60.html
[16] http://catless.ncl.ac.uk/Risks/19.61.html

______

New sendmail will make spammers work harder

Promiscuous relay is off by default, at last

The developer of sendmail, a piece of software that labors in obscurity to deliver most of the Net's mail, announced a new version with significant spam-fighting features and configuration changes. Eric Allman's sendmail 8.9 [17], now in beta testing, will make it easier to use the Realtime Blackhole List [18] to reject mail from known spammers, and by default it will require valid return addresses. Allman also launched Sendmail Inc. [19] to sell software and support services to businesses, while continuing to develop new features for the free version of the software.

[17] http://www.sendmail.com/8_9free.html
[18] http://www.tbtf.com/archive/1998-01-12.html#s02
[19] http://www.sendmail.com/

______

Trelligram elegantly packs Webs to go

You could send a Web to your grandmother

Trellix Corp., whose hypertext authoring tool was reviewed in TBTF for 1997-07-21 [20], has come up with an arrestingly audacious solution to a problem most of us didn't know we had, yet. The Trelligram [21] technology provides a simple, compact, and above all sanitary way to package and to consume standard HTML Webs. A Trelligram is a compact Win95/NT executable file that an author can attach to a mail message or send on a floppy disk. A recipient need only double-click on the Trelligram to launch its Web in a browser, unconcerned with plugins, helper applications, unzipping, extraction, or managing a nest of HTML and graphics files somewhere on the disk. Trelligram achieves this magic by the brilliant, if twisted, expedient of packaging a compact HTTP server -- the Trelligram Delivery Service -- with each Web. (Its overhead is currently 89K, and should shrink considerably in future releases.)

Trelligram is the brainchild of Buzz Kelley, Trellix's protean chief technologist and the father of this correspondent's goddaughter.

Who is the audience for this elegant, offbeat utility? Not writers comfortable with Web construction and possessed of access to a public Web server. In the past I've delivered reports in Web form by posting them to one of my sites (secured as necessary) and mailing the recipient a URL. Trelligram should appeal to the emerging mass of Netizens who use freely available tools, such as FrontPage and HotDog, to write for HTML delivery. The Trellix hypertext authoring product can now also produce Trelligrams directly, so Trellix users have a new avenue for distributing hypertexts to a wider audience. Newsletter authors can deliver rich HTML content, instead of boring old email (you listening, JOHO [22]?) -- but unfortunately to a Windows-only audience.

Visit the Trelligram site [21] and download the Trelligram Creator tool (1391K), free during a beta period. Among its limitations:

[20] http://www.tbtf.com/archive/1997-07-21.html#s04
[21] http://www.trelligram.com/
[22] http://www.hyperorg.com/

______

The emergent behavior of bugs

Microsoft says this bug is no biggie. Begging to differ...

Lloyd Wood loves to demonstrate emergent behavior in software -- the multiplying severity of conditions that may be relatively harmless in isolation. On this page [23] he combines the Getchell exploit [24] with the Intel "f00f" security hole [25] to crash your machine, if you are so rash as to visit running IE on Intel hardware.

[23] http://www.ee.surrey.ac.uk/Personal/L.Wood/IE4object/
[24] http://www.news.com/News/Item/Textonly/0,25,20159,00.html?pfv
[25] http://www.tbtf.com/archive/1997-11-17.html#s03

______

A modest Macintosh survey

Are TBTF readers more loyal to their Macs than industry averages?

TBTF for 1998-02-09 [26] reported on new upcoming PowerBook models from Apple, and ventured a modest probe of the company's prospects:

A survey: please send me a note if you presently use a Macintosh regularly. What is the probability that you will buy another MacOS system?

Before we get to the survey results, let's set a couple of items to rights. First and most important, the new low-end PowerBook may not employ the much-admired G3 processor (a.k.a. PowerPC 750); instead, ogrady.com informs us [27], Main Street may use the PowerPC 740, which lacks a backside cache. Its performance would be dramatically lower than that of a G3. Several readers wrote in with insights on pricing. One pointed out that the cost of a laptop is influenced far more by the quality of its screen than by its CPU (and that Main Street is rumored to feature a TFT screen -- bzzzt!). Another noted that $2000 Pentium machines with good specs are not hard to come by.

Now to the survey results. 102 active Macintosh users responded with what amounts to resounding good news for Apple. (I guesstimate from these returns that about 10% of TBTF readers are Macintosh users.) The probability that a Mac user from this population will ever buy another MacOS system is 87%. Sixty-three percent of respondents said it is a certainty that they will buy another. Many expected to buy two or more; a few who influence purchases where they work said they plan to buy a dozen or more. Overall, these 102 people expect to buy 124 Macs in the future.

Frankly, these numbers floored me. The most recent figures I've seen for Macintosh loyalty indicate that it moved from a low of 16% last July to over 50% in January. But 87%?

[26] http://www.tbtf.com/archive/1998-02-09.html#s07
[27] http://ogrady.com/wallstreet.stm

______

Fifth Certicom challenge (ECCp-97) falls

Harley and his brave band of Linux Alphas do it again

On 2/18 Robert Harley <Robert.Harley at inria dot fr> announced [28] the defeat of the fifth in Certicom's series of crypto challenges. Harley's ever-growing team, now numbering 588, has been first to overcome each of the Certicom challenges broken to date. Harley figures that this crack was the fourth-largest distributed computation mounted to date.

[28] http://www.tbtf.com/resource/certicom5.html

______

Crypto policy

• US crypto fight's profile is rising

Earlier this month one hundred companies, associations, and nonprofit organizations joined together to form a broad coalition called Americans for Computer Privacy. This group has serious money to spend on advertising and lobbying, and their aim is to defeat mandatory key escrow in the US and to get crypto export restrictions eased. Their Web site [29] is fairly uninteresting so far.

On the same day, Vice President Al Gore sent a letter to the Democratic leader in the Senate, urging him to work for compromise on the encryption question ("work together to find common ground"; a "balanced approach"). But any compromise, from the Administration's point of view, must include mandatory key recovery: "The Administration remains committed to finding ways to preserve the ability of the Nation's law enforcement community to access, under strictly defined legal procedures, the plain text of criminally related communications and stored information."

[29] http://www.computerprivacy.org/

• DoJ won't seek mandatory back doors in domestic crypto -- yet

At a Senate hearing last week, a Justice Department official said that the department will not seek to mandate key recovery in domestic crypto products [30]. For now. This position contradicts a long and vigorous campaign led by the FBI to require government back doors. The administration position is that industry ought to provide key recovery features voluntarily. Industry reaction was lukewarm [31]. As Declan McCullagh reported it [32],

Negotiations over how much privacy Americans are allowed to enjoy will continue for the next 60 days.

[30] http://www.techweb.com/news/story/TWB19980317S0024
[31] http://www.techweb.com/news/story/TWB19980319S0006
[32] http://cgi.pathfinder.com/netly/afternoon/0,1012,1832,00.html

• Sun delaying shipment of Elvis+ strong crypto

Sun is delaying the shipment of a strong crypto product while the Commerce Department investigates, interminably. The workstation maker had arranged [33] what looked like a perfect end-run around US encryption export controls. Sun planned to market worldwide a strong-crypto package containing no US-written code. The strong crypto was produced entirely by Elvis+, a company made up of former Soviet Union space agency workers, in which Sun had invested. Sun claimed, with watertight assurance, that they had provided zero technical assistance to Elvis+, but the Commerce Department, which controls crypto exports from the US, elected to investigate that claim. Sun had legal advice that it was at liberty to ship the product (initially set for last August) but decided to wait in a show of good corporate citizenship. Now, according to the Wall Street Journal, the Sun executive who led the effort to market Elvis+ has resigned to start an Internet security company with two principals from Elvis+, taking with them much of the software development team.

[33] http://www.tbtf.com/archive/1997-06-16.html#s01

• But Network Associates goes around the rules

The company that bought PGP announced that its Dutch subsidiary is selling 128-bit PGP software worldwide [34]. The software was developed by the Swiss firm Cnlab Software from printed books containing the PGP source code. US crypto export regulations place no restrictions on printed material. Network Associates says they kept Commerce Department officials apprised of their plans over the last several months, but a Commerce spokesman claimed that they had seen only a press release a day before the strong crypto software went on sale.

[34] http://www.news.com/News/Item/Textonly/0,25,20286,00.html?pfv

______

Nommage

• French up in arms over proposed US hegemony

They've coined a new word to describe domain-naming issues. The French are lobbying hard within the EU for coordinated opposition to the Green Paper plan [35] for a US-based corporation to control global top-level domains. A technology advisor to the French government claims [36] that this position is supported by Spain and Italy, less so by Germany, and opposed by Britain and the Scandinavian countries. The head of the French branch of the Internet Society warned that unless the Americans make real concessions from the Green Paper positions, a rival European-led internet could be established.

[35] http://www.tbtf.com/archive/1998-02-02.html#s01
[36] http://www.techweb.com/wire/story/domnam/TWB19980310S0012

• The price of .com is going down

The National Science Foundation announced [37] that on 1998-04-01 NSI will stop collecting the $30 "tax" on new registrations that has been collected for an Internet Intellectual Infrastructure fund. This action follows a suggestion in the Green Paper on domain naming [35], even though that paper is a draft with no legal force. As of 4/1 registering a domain name with NSI will cost $70 rather than $100 for the first two years; annual renewals will go for $35 rather than $50.

[37] http://www.nsf.gov/od/lpa/news/press/pr9817.htm

• AlterNIC's Kashpureff pleads guilty

Eugene Kashpureff, the domain name system hacker who successfully rerouted millions of Web users last year [38], pleaded guilty to federal charges of computer fraud on Thursday [39].

[38] http://www.tbtf.com/archive/1997-07-21.html#s02
[39] http://www.techweb.com/news/story/TWB19980320S0014

• A history of domain name developments

This investigative report [40] gives useful background to the politics of domain naming, back to the days when Network Solutions was a tiny, minority-owned business with little understanding of the ways of government contracting. The same will never be said of NSI's parent, Science Applications International Inc.

[40] http://www.NewHavenAdvocate.com/articles/raiders.html


Notes

• Greg Roelofs <roelofs at pmc dot philips dot com> writes to correct a bit of physics nomenclature that I had flung with abandon, and imprecision, in TBTF for 1998-03-09. Turns out I stepped on a term from his dissertation.

The "C" in MACHO stands for compact, not cometary, and the halo in question is the galactic halo, not the Oort Cloud. The idea was that there could be a whole host of brown dwarfs (big Jupiters) orbiting galactic nuclei invisibly and creating that really big gravitational potential that keeps galactic rotation curves flat for insanely large radii.

Sources

• For a complete list of TBTF's (mostly email) sources, see http://www.tbtf.com/sources.html.


TBTF home and archive at http://www.tbtf.com/ . To subscribe send
the message "subscribe" to tbtf-request@world.std.com. TBTF is
Copyright 1994-1998 by Keith Dawson, <dawson dot tbtf at gmail dot com>.
Commercial use prohibited. For non-commercial purposes please forward,
post, and link as you see fit.
_______________________________________________
Keith Dawson    dawson dot tbtf at gmail dot com
Layer of ash separates morning and evening milk.
