TBTF for 1998-08-31: Unclear on the concept

Keith Dawson ( dawson dot tbtf at gmail dot com )
Mon, 31 Aug 21:50:04 -0400


New domain-name organization taking form

"New IANA" plan pleases most of the people, most of the time

After a summer of meetings around the world [1], the "stakeholders" are near agreement on how to form the new corporation that will oversee Internet numbers and domain names. The proposal that has risen to the top was put forward by Jon Postel, head of the current Internet Assigned Numbers Agency. The proposed organization is being called, for the time, the "New IANA." Here are its FAQ [2], articles of incorporation [3], and the third iteration of its bylaws [4]. Some of the salients:

The New IANA must be up and running by September 30, when the US government's contracts with IANA and the InterNIC expire. This stage of the process aims only to form a New IANA that derives legitimacy and authority from the support of all parts of the Internet community worldwide. Most of the hard questions left unresolved by the US government's white paper [5] are still unresolved, and will be early on the agenda for the new organization.

Thanks to Adam Rifkin <adam at cs dot caltech dot edu> for this pointer.

[1] http://www.tbtf.com/archive/1998-06-29.html#s03
[2] http://www.iana.org/message-faqs.html
[3] http://www.iana.org/articles1.html
[4] http://www.iana.org/bylaws3.html
[5] http://www.tbtf.com/archive/1998-06-08.html#s01

______

Old emails haunt Microsoft

The smoking gun that shot DR-DOS

The Red Herring broke this story [6] last week containing some of the most damaging information on Microsoft's practices that I have seen made public. The memos in question were in the hands of the FTC when they were probing Microsoft in the early 1990s, but have only recently come out from under seal in the Caldera lawsuit [7]. The story was written by reporter Wendy Goldman Rohm from research for her book "The Microsoft File: The Secret Case Against Bill Gates" [8]. The Wall Street Journal picked up the story [9] (subscription required) and tied more of the threads together, but without crediting Rohm. (The WSJ had received a review copy of "The Microsoft File.")

The memos are email conversations among Microsoft executives in 1991 and 1992 that discuss deliberately crippling a beta copy of Windows 3.1 so it would produce an obscure error message if run atop DR-DOS, a competing operating system now owned by Caldera. The code to check for the existence of DR-DOS was encrypted and obfuscated -- it was the only encrypted code in the beta -- but was cracked by programmer Andrew Schulman and published in Dr. Dobb's Journal in 1993 [9a]. Schulman discovered that the code searched for tiny differences between MS-DOS and DR-DOS, and when it found the latter it displayed an obscure but worrying error message: "Non-fatal error detected: Error #4D53. (Please contact Windows 3.1 Beta Support.)" The non-MS-detecting code was dropped into 5 places in the beta Win 3.1 code and, according to Schulman, had no possible legitimate purpose in ensuring the proper functioning of Windows. The code was still present in three places in the shipping Win 3.1 product, but had a single byte flipped to disable it.

The WSJ article [9] ties together the code and Microsoft's statements at the time with the executives' email memos, and with the drop-off-a-cliff revenues for DR-DOS following the rigged Windows 3.1 beta. Here's a quote from email sent by Microsoft Senior VP Brad Silverberg in 1992:

"What the guy is supposed to do is feel uncomfortable and, when he has bugs, suspect the problem is DR-DOS and then go out to buy MS-DOS, or decide not to take the risk for the other machines he has to buy for in the office."

Microsoft says the memos were taken out of context, that in the Microsoft culture email is a vehicle for trying out ideas, and that the company was merely trying to control support costs with the non-MS-detecting software. Wherever the truth lies, this material could sway a jury in the Caldera case (which isn't scheduled to come to trial until next June), or in the antitrust case, if the feds or the states choose to introduce it.

I hope to review "The Microsoft File" [8] in an upcoming TBTF.

Thanks to Dan Kohn <dan at teledesic dot com>, a regular TBTF Irregular, for pointing out this story.

[6] http://www.redherring.com/insider/1998/0825/microsoft.html
[7] http://www.tbtf.com/archive/1998-04-27.html#s03
[8] http://www.amazon.com/exec/obidos/ASIN/0812927168/tbtf
[9] http://interactive.wsj.com/articles/SB904177645701365500.htm
[9a] http://www.ddj.com/ddj/1993/1993_09/9309D/9309D.HTM

______

Dam breaks on e-commerce patents

Thought software patents were trouble? Next it's business models

Over the last 12 years US patent examiners, lacking the expertise and the resources to research prior art, have issued thousands of arguably bad patents for software inventions. Owing to the length of the application process, the mid-1990s saw the first lapping waves of what may become a floodtide of costly litigation over software patents. TBTF has been following this trend since 1995 [10], [11]. In the last week the mainstream technology press has produced its own flood of articles on the topic of patents and their likely impact on e-commerce. What got the hive stirred up was a July appeals court ruling favorable to patents on business processes [12], [13], which lawyers are regarding as a landmark. News.com paints the following scenario [14] to bring home the impact of patents on Net business models:

You're an Internet merchant ramping up for the holiday shopping season. Your store uses a shopping cart for buyers to select purchases, accepts credit card payments, and offers airline frequent flyer miles for purchases. You pay people who click on your banner ads and send email to notify regular customers of promotions, including a URL so they can go directly to the right page. For close-out items, you let shoppers name their price for an item... Call your patent attorney, because you may be violating six e-commerce patents, all issued since March.

Here are several companies recently granted e-commerce patents that will be bolstered by the appeals-court ruling -- news.com lists five more [12]:

UC Berkeley law professor Pamela Samuelson says, "If patents worked for manufacturers, surely they will work for the information economy" -- encouraging innovation instead of stifling it. I have serious doubts.

[10] http://www.tbtf.com/threads.html#Tspx
[11] http://www.tbtf.com/resource/sw-patents.html
[12] http://www.news.com/News/Item/Textonly/0,25,25705,00.html?tbtf
[13] http://www.law.emory.edu/fedcircuit/july98/96-1327.wpd.html
[14] http://www.news.com/News/Item/Textonly/0,25,25703,00.html?tbtf
[15] http://www.news.com/News/Item/Textonly/0,25,25111,00.html?tbtf
[16] http://www.news.com/News/Item/Textonly/0,25,25562,00.html?tbtf
[17] http://www.techweb.com/wire/story/TWB19980824S0009
[18] http://www.patents.ibm.com/details?patent_number=5794210

______

Killer Java applet sacks NT systems

Whatever you do, don't push that big red button

On August 14 a Norwegian programmer discovered how to write a Java applet that, when run, can bring down a Windows NT system. This is not supposed to be possible, of course. Tonny Espeset <esp2 at online dot no> accomplishes the trick by calling some Java methods with out-of-bounds arguments (the exploit page does not give details), and on about half of the NT systems tested the applet immediately crashes the system right down to a white-button reboot. On some other NT systems, running the applet corrupts system fonts and cursors; the symptoms are cured by a reboot. I tried the applet [19] on two NT 4.0 systems and crashed one, corrupted fonts on the other.

Greg Roelofs <roelofs at pmc dot philips dot com>, TBTF Irregular, tipped this story -- thanks.

[19] http://www.eyeone.no/KillerApp/KillerApp.htm

______

Linux community comes together over LSB standards effort

Churn and controversy yield to unity

Perhaps stimulated by the somewhat divisive events of the past two weeks [20], [21], the Linux community is rallying around the Linux Standard Base effort. The recently announced Linux Compatibility Standards Project [20] has been folded into LSB, which has relaunched with a new commitment, a new Web site [22], and new partners. Here's the press release [23]. Thanks to Robert S. Thau <rst at ai dot mit dot edu> for sending me a copy instantly upon release on 8/25, allowing TBTF to break the news to an indifferent world.

On a more mainstream note, the issue of Forbes Magazine featuring Linus Torvalds on the cover has hit the Web. Here's a thumbnail of the cover [24] and here's the story [25].

[20] http://www.tbtf.com/archive/1998-08-17.html#s02
[21] http://www.tbtf.com/archive/1998-08-24.html#s02
[22] http://www.linuxbase.org/
[23] http://www.linuxbase.org/announce.html
[24] http://www.forbes.com/forbes/98/0810/gifs/coversm2.jpg
[25] http://www.forbes.com/forbes/98/0810/6209094a.htm

______

Web Standards Project challenges browser developers

This WaSP packs a sting

The Web Standards Project [26] is two weeks old and has already garnered significant ink, and pixels, in the world's press (summary here [27]). The project is the effort of a group of high-profile Web designers to shame Microsoft and Netscape into implementing completely the standards upon which the Web is based before venturing off into proprietary extensions [28]. The developers of the Opera browser [29], which is just about the only currently viable competition to the Netscape-Microsoft hegemony, have supported WaSP from the first. The project's Web site is the epitome of cool: simple design, unified feel, plenty of variety, and speedy loading. Thanks to Julianne Chatelain for the pointer.

[26] http://www.webstandards.org/
[27] http://www.webstandards.org/news.html
[28] http://www.webstandards.org/mission.html
[29] http://opera.nta.no/

______

HotMail, others vulnerable to JavaScript exploit

Rewriting the interface to steal your account

A programmer in Canada discovered a way to steal HotMail users' login IDs and passwords [30]. The exploit uses JavaScript to rewrite, transparently, part of HotMail's Web interface for email. When a victim receives an email message containing the Trojan-horse JavaScript and reads it in the HotMail account, s/he is prompted to reenter name and password, which have supposedly expired. This dialog looks like an official HotMail request. The name and password are captured and emailed to the perpetrator. Here is the discoverer's exploit page [31]. Microsoft and HotMail were notified of the vulnerability and worked at top speed on a fix. When they posted what was billed as a "partial fix" (filtering out JavaScript code) on 8/24, the exploit's discoverer quickly put up a workaround that causes the same end result [32]. (He hid the JavaScript code within IMG tags.) Other Web-based free email services are also thought to be vulnerable to this exploit. Users of such services might consider doing without JavaScript for now.

[30] http://www.wired.com/news/news/technology/story/14617.html
[31] http://www.because-we-can.com/hotmail/default.htm
[32] http://www.news.com/News/Item/Textonly/0,25,25657,00.html?tbtf
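
Why a "partial fix" of this kind can be sidestepped, as an added example (not code from TBTF, HotMail, or the exploit page): a filter that only removes script elements is compared with one that rebuilds the message from an allowlist of tags, attributes and URL schemes. That the partial fix removed only script elements is an assumption; the sample message, the placeholder run(), and the names naive_filter and sanitize are constructed for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample message body (not the exploit from the page): script in a
# <script> element, in an IMG event handler, and in an IMG URL.
SAMPLE = ('<p>Hello</p><script>run()</script>'
          '<img src="x.gif" onerror="run()">'
          '<img src="javascript:run()">'
          '<img src="http://example.com/a.gif" alt="ok">')

def naive_filter(html):
    """Denylist approach: remove <script> elements and nothing else."""
    return re.sub(r'(?is)<script\b.*?</script\s*>', '', html)

ALLOWED = {'p': set(), 'b': set(), 'i': set(), 'br': set(),
           'a': {'href'}, 'img': {'src', 'alt'}}
SAFE_URL = re.compile(r'https?://', re.I)  # absolute http(s) URLs only

class Sanitizer(HTMLParser):
    """Allowlist approach: re-emit only known tags, attributes and URL schemes."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ('script', 'style'):
            self.skip += 1  # also drop the element's text content
        if self.skip or tag not in ALLOWED:
            return
        kept = ''
        for name, value in attrs:
            value = (value or '').strip()
            if name in ALLOWED[tag] and (name not in ('href', 'src') or SAFE_URL.match(value)):
                kept += f' {name}="{escape(value)}"'  # onerror, javascript: etc. never get here
        self.out.append(f'<{tag}{kept}>')
    def handle_endtag(self, tag):
        if tag in ('script', 'style'):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag not in ('br', 'img'):
            self.out.append(f'</{tag}>')
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

def sanitize(html):
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return ''.join(parser.out)
```

The denylist output still carries the event handler and the javascript: URL; the allowlist output keeps only the paragraph and the one image with an absolute http URL.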

______

IBM gives away a security breakthrough

System is provably secure against an adaptive chosen ciphertext attack

Two researchers have devised a way to secure cryptosystems against "active" attacks [33]. Victor Shoup of IBM Research and Ronald Cramer of the Swiss Federal Institute of Technology revealed their new security scheme [34] on 8/24 at Crypto '98 in Santa Barbara. Their new system would thwart attacks of the sort devised last spring by Bell Labs researcher Daniel Bleichenbacher (see TBTF for 1998-07-20 [35]). The leader of an IBM team of hackers for hire said, "This is not the sort of stuff you hold tight and patent. This is the sort of stuff you publish ... and hope everyone adopts it quickly."

[33] http://www.wired.com/news/news/technology/story/14590.html
[34] http://www.cs.wisc.edu/~shoup/papers/cs.ps.Z
[35] http://www.tbtf.com/archive/1998-07-20.html#s06

______

Unclear on the concept

How not to update a Web site

Patrick S. Malone was driving to work with the radio on and heard the DJ bragging about the radio station's Web site, extolling the virtues of their ISP. The DJ made a particular point of the advantage of using a local ISP:

"And they're right here in _____, so we have a relationship. We can just call them up and say, 'We're about to send you a fax with something for the Web site.'"

Thanks to Keith Bostic <nev at bostic dot com> for the forward.

Notes

- Last week's TBTF title came from a song by Creedence Clearwater Revival. Not 3 Dog Night. John Fogerty's Creedence Clearwater Revival. I know this now. Thirty-one of you told me so. Visit last week's issue on the Web [36] for some amusing sidelights from this correspondence.

[36] http://www.tbtf.com/archive/1998-08-27.html#its-CCR

- I've added a new TBTF Thread [37] that may be of interest to fans of computational physics. It links 9 TBTF articles, from 1995 to this year, on quantum computing and the frontiers of research into the quantum realm.

[37] http://www.tbtf.com/threads.html#Tqpc

- Stakeholder is current business jargon for "someone who has an interest." The term was popularized, or at least promulgated, in the US government's green paper and white paper on domain naming. To me the stakeholder is the lead guy in a vampire hunt.

Sources

- For a complete list of TBTF's (mostly email) sources, see http://www.tbtf.com/sources.html.


TBTF home and archive at http://www.tbtf.com/ . To subscribe send
the message "subscribe" to tbtf-request@world.std.com. TBTF is
Copyright 1994-1998 by Keith Dawson, <dawson dot tbtf at gmail dot com>.
Commercial use prohibited. For non-commercial purposes please forward,
post, and link as you see fit.
_______________________________________________
Keith Dawson    dawson dot tbtf at gmail dot com
Layer of ash separates morning and evening milk.
