One of the fathers of modern public-key crypto comes up with a third way
If you want to communicate confidentially, until last week you had two choices: encryption or steganography . Now Ron Rivest, the "R" in RSA, has given us a third. Called "chaffing and winnowing," Rivest's scheme  allows two people who share an authentication key to achieve high levels of confidentiality without using encryption at all. Furthermore, a third party between the communicating pair can add arbitrary levels of security to the communication without even knowing any authentication key, and without either the knowledge or consent of the communicating parties.
To put this technique to use is to reveal US crypto export law for the mockery it is. Rivest says, "As usual, the policy debate about regulating technology ends up being obsoleted by technological innovations."
Here is Rivest describing the "man in the middle" who does two parties the favor of securing their communication.
Microsoft, HP, and Sun itself deliver body blows to standardized Java
Sun's JavaOne conference runs in San Francisco this week, and the world of Java could hardly be more fragmented. Microsoft is causing some of the trouble, of course, announcing development tools that tie its version of the language ever more tightly to the Windows platform ,  -- a strategy dubbed "Write Once, Run on Windows." (Don't need Java for that.) The Department of Justice is reportedly examining Microsoft's behavior in its Java dispute with Sun . Microsoft also, as expected, refused to endorse the industry-wide Enterprise JavaBeans spec , a server-side object component model.
The more unexpected moves towards a balkanized Java came from HP and, mystifyingly, from Sun itself.
When HP wanted a Java implementation that could work in consumer electronic devices such as PDAs and printers, it protested Sun's inflexible licensing terms and development policies. HP decided to roll its own , and is now marketing a clean-room implementation of the Java spec, which in deference to Sun's trademark will be termed "Java compliant," but not "Java compatible." Care to guess who was first in line to license HP's embeddable Java? Why Microsoft, of course, for use in its Windows CE machines (just say "Wince").
Finally, Sun itself has announced  Java extensions for 3D that will run on only a few platforms: its own Solaris, Irix, and Macintosh. The reason for the limitation is Sun's use of the OpenGL graphics library. VRML and 3D developers are puzzled; one said "If Microsoft pulled something like this [with Java], Sun would be screaming bloody murder." Sun argues that the rules covering the Java extensions, including 3D, are different than those for core Java. Technically true but politically dubious.
C|net has special coverage  of the chaos swirling around Java.
On 3/9 Ralph Nader sent letters to six PC makers urging them to offer more operating-system choices . Here is Compaq's letter . Nader suggesting that they offer hardware configurations pre-installed with Linux, BeOS, or Rhapsody, in addition to Windows. I haven't seen any reaction from the PC makers to Nader's request, but I would be amazed if any of them dared a move so inimical to Microsoft's interests. Meanwhile Intel is busily rendering Nader's desire for OS choice more elusive in the future.
Intel's 64-bit Merced chip, expected to be available in 1999, is a bandwagon everybody wants to jump onto . Sun, HP, SCO, and DEC all aspire to the title of preeminent Unix implementation on Merced, in the process winning market share away from the common enemy, NT. Intel is allowing development on Merced only under non-disclosure agreement, which means that Linux and FreeBSD are excluded from the start. Further, Merced fits into the so-called PC98 architecture -- another name for the I2O bus  -- and the I2O spec is closed to non-members of an exclusive club. See this discussion thread  on the closed I2O spec, carried on slashdot.org last week.
Corrupted your NT registry? Slit your wrists now
Two recent articles posted on the Risks forum highlight single points of failure for NT networks. In the first instance a 12-hour outage cost a large manufacturing company $10M.
From Risks 19.60 :
From Risks 19.61 :
Promiscuous relay is off by default, at last
The developer of sendmail, a piece of software that labors in obscurity to deliver most of the Net's mail, announced a new version with significant spam-fighting features and configuration changes. Eric Allman's sendmail 8.9 , now in beta testing, will make it easier to use the Realtime Blackhole List  to reject mail from known spammers, and by default it will require valid return addresses. Allman also launched Sendmail Inc.  to sell software and support services to businesses, while continuing to develop new features for the free version of the software.
You could send a Web to your grandmother
Trellix Corp., whose hypertext authoring tool was reviewed in TBTF for 1997-07-21 , has come up with an arrestingly audacious solution to a problem most of us didn't know we had, yet. The Trelligram  technology provides a simple, compact, and above all sanitary way to package and to consume standard HTML Webs. A Trelligram is a compact Win95/NT executable file that an author can attach to a mail message or send on a floppy disk. A recipient need only double-click on the Trelligram to launch its Web in a browser, unconcerned with plugins, helper applications, unzipping, extraction, or managing a nest of HTML and graphics files somewhere on the disk. Trelligram achieves this magic by the brilliant, if twisted, expedient of packaging a compact HTTP server -- the Trelligram Delivery Service -- with each Web. (Its overhead is currently 89K, and should shrink considerably in future releases.)
Trelligram is the brainchild of Buzz Kelley, Trellix's protean chief technologist and the father of this correspondent's goddaughter.
Who is the audience for this elegant, offbeat utility? Not writers comfortable with Web construction and possessed of access to a public Web server. In the past I've delivered reports in Web form by posting them to one of my sites (secured as necessary) and mailing the recipient a URL. Trelligram should appeal to the emerging mass of Netizens who use freely available tools, such as FrontPage and HotDog, to write for HTML delivery. The Trellix hypertext authoring product can now also produce Trelligrams directly, so Trellix users have a new avenue for distributing hypertexts to a wider audience. Newsletter authors can deliver rich HTML content, instead of boring old email (you listening, JOHO ?) -- but unfortunately to a Windows-only audience.
Visit the Trelligram site  and download the Trelligram Creator tool (1391K), free during a beta period. Among its limitations:
Microsoft says this bug is no biggie. Begging to differ...
Lloyd Wood loves to demonstrate emergent behavior in software -- the multiplying severity of conditions that may be relatively harmless in isolation. On this page  he combines the Getchell exploit  with the Intel "f00f" security hole  to crash your machine, if you are so rash as to visit running IE on Intel hardware.
Are TBTF readers are more loyal to their Macs than industry averages?
TBTF for 1998-02-09  reported on new upcoming PowerBook models from Apple, and ventured a modest probe of the company's prospects:
Now to the survey results. 102 active Macintosh users responded with what amounts to resounding good news for Apple. (I guesstimate from these returns that about 10% of TBTF readers are Macintosh users.) The probability that a Mac user from this population will ever buy another MacOS system is 87%. Sixty-three percent of respondants said it is a certainty that they will buy another. Many expected to buy two or more; a few who influence purchases where they work said they plan to buy a dozen or more. Overall, these 102 people expect to buy 124 Macs in the future.
Frankly, these numbers floored me. The most recent figures I've seen for Macintosh loyalty indicate that it moved from a low of 16% last July to over 50% in January. But 87%?
Harley and his brave band of Linux Alphas do it again
On 2/18 Robert Harley <Robert.Harley at inria dot fr> announced  the defeat of the fifth in Certicom's series of crypto challenges. Harley's ever-growing team, now numbering 588, has been first to overcome each of the Certicom challenges broken to date. Harley figures that this crack was the fourth-largest distributed computation mounted to date.
Earlier this month one hundred companies, associations, and nonprofit organizations joined together to form a broad coalition called Americans for Computer Privacy. This group has serious money to spend on advertising and lobbying, and their aim is to defeat mandatory key escrow in the US and to get crypto export restrictions eased. Their Web site  is fairly uninteresting so far.
On the same day, Vice President Al Gore sent a letter to the Democratic leader in the Senate, urging him to work for compromise on the encryption question ("work together to find common ground"; a "balanced approach"). But any compromise, from the Administration's point of view, must include mandatory key recovery: "The Administration remains committed to finding ways to preserve the ability of the Nation's law enforcement community to access, under strictly defined legal procedures, the plain text of criminally related communications and stored information."
DoJ won't seek mandatory back doors in domestic crypto -- yet
At a Senate hearing last week, a Justice Department official said that the department will not seek to mandate key recovery in domestic crypto products . For now. This position contradicts a long and vigorous campaign lead by the FBI to require government back doors. The administration position is that industry ought to provide key recovery features voluntarily. Industry reaction was lukewarm . As Declan McCullagh reported it ,
Sun delaying shipment of Elvis+ strong crypto
Sun is delaying the shipment of a strong crypto product while the Commerce Department investigates, interminably. The workstation maker had arranged  what looked like a perfect end-run around US encryption export controls. Sun planned to market worldwide a strong-crypto package containing no US-written code. The strong crypto was produced entirely by Elvis+, a company made up of former Soviet Union space agency workers, in which Sun had invested. Sun claimed, with watertight assurance, that they had provided zero technical assistance to Elvis+, but the Commerce Department, which controls crypto exports from the US, elected to investigate that claim. Sun had legal advice that it was at liberty to ship the product (initially set for last August) but decided to wait in a show of good corporate citizenship. Now, according to the Wall Street Journal, the Sun executive who led the effort to market Elvis+ has resigned to start an Internet security company with two principals from Elvis+, taking with them much of the software development team.
But Network Associates goes around the rules
The company that bought PGP announced that its Dutch subsidiary is selling 128-bit PGP software worldwide . The software was developed by the Swiss firm Cnlab Software from printed books containing the PGP source code. US crypto export regulations place no restrictions on printed material. Network Associates says they kept Commerce Department officials apprised of their plans over the last several months, but a Commerce spokesman claimed that they had seen only a press release a day before the strong crypto software went on sale.
They've coined a new word to describe domain-naming issues. The French are lobbying hard within the EU for coordinated opposition to the Green Paper plan  for a US-based corporation to control global top-level domains. A technology advisor to the French government claims  that this position is supported by Spain and Italy, less so by Germany, and opposed by Britain and the Scandanavian countries. The head of the French branch of the Internet Society warned that unless the Americans make real concessions from the Green Paper positions that a rival European-led internet could be established.
The price of .com is going down
The National Science Foundation announced  that on 1998-04-01 NSI will stop collecting the $30 "tax" on new registrations that has been collected for an Internet Intellectual Infrastructure fund. This action follows a suggestion in the Green Paper on domain naming , even though that paper is a draft with no legal force. As of 4/1 registering a domain name with NSI will cost $70 rather than $100 for the first two years; annual renewals will go for $35 rather than $50.
AlterNIC's Kashpureff pleads guilty
A history of domain name developments
This investigative report  gives useful background to the politics of domain naming, back to the days when Network Solutions was a tiny, minority-owned business with little understanding of the ways of government contracting. The same will never be said of NSI's parent, Science Applications International Inc.
TBTF home and archive at http://www.tbtf.com/ . To subscribe send the message "subscribe" to firstname.lastname@example.org. TBTF is Copyright 1994-1998 by Keith Dawson, <dawson dot tbtf at gmail dot com>. Com- mercial use prohibited. For non-commercial purposes please forward, post, and link as you see fit. _______________________________________________ Keith Dawson dawson dot tbtf at gmail dot com Layer of ash separates morning and evening milk.