Crackers insert trojan horses at Eindhoven University
Crackers have compromised ftp.win.tue.nl, a major software distribution center in the Netherlands. So far "trojan horse" code has been found in two packages on the site, TCP Wrappers [1] and util-linux-2.9g [2]. For now all code on ftp.win.tue.nl should be considered suspect.
TCP Wrappers is designed to tighten security on Unix-based machines. The compromised code, discovered on 1999-01-21, would give the perpetrators access to a root shell on any system on which it was installed and run. The owner of TCP Wrappers has moved its home site to another system. This distribution is PGP-signed, which means that anyone downloading it can verify that it is intact and unmodified, but does not guarantee that downloaders will do so. 52 downloads were recorded while the bogus distribution was in place. All of the downloading sites were warned of the trojan. Some of them may have been mirror sites that made the trojan available to yet more potential victims. CERT Advisory CA-99.01 [3] was issued to publicize this crack.
After the TCP Wrappers compromise came to light, it was discovered that another distribution on ftp.win.tue.nl had been backdoored [2]. In util-linux-2.9g the login utility had been modified to send usernames and hostnames to a Hotmail account.
The word back from them is that they will not close it. Theft of passwords and hacking does not violate their terms of service.
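The TCP Wrappers item above notes that a PGP signature protects only those downloaders who actually check it. As an added example (not code from this newsletter or from the TCP Wrappers distribution), here is a shell wrapper that unpacks a tarball only when its detached signature verifies against a key fingerprint pinned in advance. The function names, file arguments and fingerprint are assumptions for illustration.

```shell
#!/bin/sh
# Added example: unpack a downloaded tarball only if its detached PGP
# signature verifies AND was made by a key pinned ahead of time.
# The fingerprint must come from an out-of-band source, never from the
# download site (or mirror) that served the tarball.

GPG="${GPG:-gpg}"   # verifier binary; overridable (assumption for testing)

# verify_release TARBALL SIGFILE PINNED_FPR
# Returns 0 only when gpg reports a valid signature made by PINNED_FPR.
verify_release() {
    tarball=$1; sig=$2; pinned=$3
    if [ -z "$pinned" ] || [ ! -f "$tarball" ] || [ ! -f "$sig" ]; then
        echo "verify_release: need tarball, signature and fingerprint" >&2
        return 2
    fi

    # --status-fd 1 prints machine-readable "[GNUPG:] ..." lines on stdout.
    # A non-zero exit means a bad signature or an unknown public key.
    if ! status=$("$GPG" --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null); then
        echo "verify_release: signature check FAILED for $tarball" >&2
        return 1
    fi

    # VALIDSIG field 3 is the signing key's fingerprint and the last field
    # is the primary key's. A good signature from some other key that merely
    # happens to be in the keyring must not count.
    signer=$(printf '%s\n' "$status" |
        awk -v want="$pinned" \
            '$2 == "VALIDSIG" && ($3 == want || $NF == want) { print want; exit }')
    if [ "$signer" != "$pinned" ]; then
        echo "verify_release: valid signature, but not from the pinned key" >&2
        return 1
    fi
    return 0
}

# verify_then_unpack TARBALL SIGFILE PINNED_FPR DESTDIR
# Nothing is extracted unless verification succeeds first.
verify_then_unpack() {
    verify_release "$1" "$2" "$3" || return 1
    mkdir -p "$4" && tar -xzf "$1" -C "$4"
}
```

A mirror operator can run the same check before republishing, so that a tampered upstream copy is not passed on to further sites.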
[1] http://www.geek-girl.com/bugtraq/1999_1/0303.html
[2] http://www.geek-girl.com/bugtraq/1999_1/0269.html
[3] http://www.cert.org/advisories/CA-99-01-Trojan-TCP-Wrappers.html
[3a] http://www.geek-girl.com/bugtraq/1999_1/0358.html
Portals plus pipes equals gates?
On 1999-01-19 @Home, the cable Internet provider, announced [4] it will acquire Excite for $6.7 billion in stock, which was almost double Excite's market capitalization at announcement. The deal eclipses AOL's purchase of Netscape for $4.2 billion, though ballooning stock prices have inflated that deal to $6.2 billion so far, and no one knows where the values will be when it gets done.
I haven't paid much attention to the portal wars to date, but excite@home made me sit up and take notice. Think back to 1996, to when @Home was first being discussed breathlessly by George Gilder and like-minded techno-bunnies. Remember a cautionary thread warning that broadband Net access, if widespread, could bifurcate the Internet? (I don't remember who proposed this theory.) The media-rich experience pouring into the home over @Home's fat pipes and national backbone would bear little resemblance to the content we had known, this argument went. Subscribers hooked on its speed and flash would impatiently abandon all the content on the rest of the Net, constrained as it is by lossy peering exchange points and 56K network segments. They would happily sink into their carrier's lone embrace, clicking through its content providers' ads and buying from its partner merchants.
Fast-forward to 1999. Recall that AT&T recently bought the millions of customers and thousands of points-of-presence that IBM had built up as ibm.net. Recall that AT&T is close to completing its acquisition of Tele-Communications Incorporated, which holds a controlling stake in @Home, which will soon wear an Excite portal.
Consider Microsoft: its portal, its millions of members and thousands of POPs (msn.com), and its backbone (courtesy of UUnet).
Consider AOL: its portal (AOL + Netcenter), its millions of members and thousands of POPs, and (oops), no backbone. Let's see, who's available? Sprint, Qwest, even MCI Worldcom?
Consider Yahoo: today they're just a portal, no dial-in members and no pipes. With their market cap sailing above that of Sears, Yahoo could buy up some of the remaining national ISPs and engage AOL in a bidding war for one of the backbone companies.
Looks like the big guys have tacitly agreed on the formula for future Net success: portal + members + POPs + pipes. What's behind this thinking? Mark Anderson puts forward a plausible guess in last week's issue of his Strategic News Service [5] (subscription only, sample issues available): that these are not portals opening to the wonders of the Net, they are gates through which members pass into the closed communities of the portals' owners.
[4] http://www.wired.com/news/news/business/story/17402.html
[5] http://www.tapsns.com/
Security-vs.-privacy battle plays out in mere days
Early in the week of 18 January, rumors appeared claiming that Intel planned to embed a unique ID number in each Pentium III processor. By the time of Intel's announcement [6] of the feature on Thursday 21 January, privacy organizations were in full cry over the scheme [7]. In the original plan, the ID number would be sent by default to every visited Web site; Intel would provide software to disable it, but the ID would come back after each reboot. Incredibly, Intel denied that the ID feature carries any privacy implications whatsoever. Pressure on the company increased when US congressman Edward J. Markey sent a letter [8] spotlighting privacy questions.
Posters to the Cryptography list noted that a hardware-resident ID conveys no guarantee of security, since software must be invoked to use it.
[6] http://www.zdnet.com/filters/printerfriendly/0,6061,2189721-2,00.html
[7] http://www.news.com/News/Item/Textonly/0,25,31309,00.html?tbtf
[8] http://www.techserver.com/noframes/story/0,2294,10374-17815-128519-0,00.html
[9] http://www.privacy.org/bigbrotherinside/
[10] http://dailynews.yahoo.com/headlines/ap/technology/story.html?s=v/ap/...
Police raid knocks Swiss site off the air
The National Music Publishers' Association, acting on behalf of several US music publishers, filed a criminal complaint against the International Lyrics Server [11]. A local attorney general ordered a raid on the site's owner, technical consultant, and ISP, seizing equipment and databases [12]. The NMPA acted through its licensing subsidiary The Harry Fox Agency [13] against the popular site, operated on a not-for-profit basis by Net consultant Pascal de Vries. The site accepted advertising to offset ISP charges of over $14,000 per month to serve a million hits a day. De Vries contends that he posted no copyrighted material; he says the site functioned like a bulletin board on which its readers discussed and posted song lyrics. The ISP that hosted the lyrics server may be vulnerable because Switzerland has not yet updated its laws to shield ISPs as common carriers. Yesterday Wired filed a story [14] reporting that de Vries has spoken to the head of NMPA and is hopeful they can work out a settlement allowing him to put the lyrics server back online.
[11] http://www.lyrics.ch/
[12] http://www.netclue.ch/nytimes.html
[13] http://www.netclue.ch/nmpa.html
[14] http://www.wired.com/news/print_version/culture/story/17499.html?wnpg=all
Using the Internet as a massively parallel computer. See also TBTF for 2000-03-31, 1999-08-30, 07-19, 01-26, 1998-03-02, 1997-10-27, 09-08, 09-01, 06-23, 01-29, 1996-12-02
RSA contest won while RSA conference is still in session
Less than 24 hours after RSA's new DES Challenge III was announced, the secret key was discovered [15] by Deep Crack, the purpose-built machine that took the prize last time around [16]. Deep Crack had been assembled at the RSA Data Security conference where the new challenge was launched. This time the EFF's crypto cracker had assistance from over 100,000 machines organized by distributed.net, which was the winner last February [17]. At peak this partnership was checking 220 billion keys per second; Deep Crack accounted for 80 billion of those.
DES I      96 days   04/97  by Rocke Verser
DES II     41 days   02/98  by Distributed.net [17]
DES II-2   2.3 days  07/98  by EFF Deep Crack [16] (=4.5 days to 50% of the keyspace)
DES III    0.9 days  01/99  by Deep Crack / Distributed.net (=2.0 days to 50%)
[15] http://www.eff.org/pub/Privacy/Crypto_misc/DESCracker/HTML/...
Cryptography export policy. See also TBTF for 2000-02-06, 1999-10-05, 08-30, 08-23, 08-16, 07-26, 05-22, 05-08, 04-21, 03-01, 01-26
Will allow internal use of 128-bit software, for now
As reported here in a Tasty Bit of the Day, France has relaxed its policy on the use of cryptography by its citizens [18]. (Look about halfway down this page for a section beginning "(c) Le troisieme chantier legislatif concerne la cryptologie." The following seven paragraphs, fed to the Babelfish [19], come out like this [20]. Here is a human-crafted translation [21] that was posted to the Cryptography list.) The new French rules allow the use of 128-bit crypto until a new law is finalized, a process that could take several months. Before the new rules were announced the French economy and finance minister, Dominique Strauss-Kahn, was quoted as saying that the French were at the mercy of "large ears" who did not care about personal privacy, possibly a veiled reference to United States spy agencies widely believed to eavesdrop on a significant fraction of the telephone and Internet traffic in Europe.
France has been many years behind the rest of Europe in its embrace of the Internet, having invested heavily in the 1980s in the now somewhat quaint Minitel technology. Allowing its citizens to use cryptography to protect credit-card transactions is the rock-bottom first step that the nation needs to take in order to participate with the rest of the world in Internet commerce.
Thanks to ted byfield <tbyfield at panix dot com>, who sent me the first heads-up on this story.
[18] http://www.premier-ministre.gouv.fr/PM/D190199.HTM
[19] http://babelfish.altavista.digital.com/cgi-bin/translate?
[20] http://tbtf.com/resource/fr128-babel.txt
[21] http://tbtf.com/resource/fr128-human.txt
Berkeley session will update the Magaziner Report
A conference [22] coming up in March will interest those of you involved in the legal and policy aspects of E-commerce. Co-sponsored by the Berkeley Center for Law and Technology, the two-day session will feature speakers such as Peter Swire, Pamela Samuelson, Hal Varian, and Lawrence Lessig addressing issues of intellectual property, security, privacy protection, and the proper role of governments in the Net's future. The motivation for the gathering is the second anniversary of the Magaziner Report, which ages ago in Net time sketched out a policy framework for governments confronting the growth of a new commercial medium. The conference will be held March 5 and 6 on the UC Berkeley campus, and you can get further details here [22].
Software patents. See also TBTF for 2000-03-31, 1999-08-30, 06-14, 02-15, 01-26, 01-13, 1998-12-15, 08-31, 05-18, 05-11, 04-27
Tired: software patents; Wired: business model patents
Patents on Internet business models had already begun to cast a worrying shadow over new Net businesses [23] before the Supreme Court this month blessed the concept [24]. Priceline.com, claimer of one of the newfangled patents, is being challenged [25] not on the principle of the thing but on a conflict of filing dates. A little-remarked case recently heard in an Indianapolis court, however, may supply the first test of whether business-model patents are enforceable. Computer consulting firm Charles E. Hill & Associates has charged CompuServe with violating its 1996 patent [26] describing a process for remotely updating electronic catalogs. A so-called Markman hearing, in which a judge rules on whether the defendant has infringed the patent, was concluded earlier this month; after briefs are filed later this week the judge will take the case under advisement. If the judge rules in Hill's favor the case will go before a jury trial for damages. CompuServe has not challenged the validity of the patent itself, but could still do so.
Hill has no Web presence. I spoke to Don Knevel of Barnes & Thornburg, the lawyer representing Hill, and he said none of the public information from this trial has been posted on the Web. If the ruling is appealed, however, the outcome of the appeal should in due course appear on this page [27].
[23] http://www.tbtf.com/archive/1998-08-31.html#s03
[24] http://www.tbtf.com/archive/1999-01-13.html#s04
[25] http://www.zdnet.com/intweek/stories/prtfriendly/0,4557,2187471,00.html
[26] http://www.patents.ibm.com/details?pn=US05528490__&language=en
[27] http://www.kenlaw.com/7circuit/1999/jan/
Multiple-PC homes are the tip of the iceberg for future networks
A two-day seminar on home networking convened by the Yankee Group looked ahead to a market that isn't here yet, but might start to emerge in 1999 [28]. Multiple-PC households are beginning to see networking solutions for sharing files, printers, and Net connections over telephone wiring, electrical circuits, or wireless. Earlier this month networking giant Cisco announced plans to supply this market, and Intel was not far behind [29]. Intel's offering is based on phone wiring, as befits a member of the Home Phoneline Networking Alliance [30]. Other phoneline-based systems were previewed at last November's Comdex by Epigram and Tut Systems. Startups Proxim and ShareWave offer wireless solutions for the home; these tend to cost about twice what the wired ones do.
Getting home PCs and peripherals to talk together more easily is a small battle in the larger war of defining standards for a vastly enlarged global network [31]. Sun's Jini [32] is the latest high-profile entry into the fray. Two camps have emerged: computer-centric (Microsoft, HP, IBM, and Lucent) vs. appliance-centric (Sun, Sony, and Philips). (There is a typo in the final paragraph of [31]; for Sun read Sony.)
[28] http://www.news.com/News/Item/Textonly/0,25,31276,00.html?tbtf
[29] http://www.news.com/News/Item/Textonly/0,25,31198,00.html?tbtf
[30] http://www.homepna.org/
[31] http://www.news.com/News/Item/Textonly/0,25,31282,00.html?tbtf
[32] http://dailynews.yahoo.com/headlines/tc/story.html?s=v/nm/19990126/tc/sun_4.html
Net publishing pioneer tells all
John Labovitz started his listing [33] of online magazines in 1993. Last summer the impending 5th anniversary of his e-zine list, which had moved from Usenet to the Web, prompted Art Bin magazine to invite Labovitz to write about the list's history. The result [34] is a savory brew of Net lore, memoir, and the background of publishing on the Net.
[33] http://www.meer.net/~johnl/e-zine-list/
[34] http://www.art-bin.com/art/alabovitz.html
Year 2000 straws in the wind. See also TBTF for 2000-02-06, 1999-12-16, 08-23, 01-26, 01-13, 1998-11-11, 10-12, 07-27, 05-25, 05-11, 04-20
Last summer Microsoft crooked a finger at Lotus cc:Mail customers with a series of ads asking, "It's 1900, do you know where your messages are?" It seems that cc:Mail's large installed base was wrestling with hard choices as Lotus fixed their Y2K problems in that product line, such as whether to submit to the pain of upgrading to a new version. Microsoft probably intended for fed-up Lotus customers to switch to MS Exchange; they certainly weren't publicizing the fact that their own legacy mail system, MS Mail, had serious Y2K problems of its own. Now the company has posted documents outlining the need for Microsoft Mail users to download and install service packs, and the large customer base of that legacy product gets to wrestle with the same upgrade problems that faced their Lotus-using brothers-in-arms, only a year later and closer to the immovable deadline. The analysts aren't treating Microsoft kindly over this one. Read the details here [35]. Thanks to TBTF Irregular Steve Rothman <srothman at ma dot ultranet dot com> for the tip.
[35] http://www.infoworld.com/cgi-bin/displayArchive.pl?/99/02/t19-02.23.htm
Report of a very Confucian incentive is a joke
The following too-good-to-be-true story has been widely reported [36] (including by this august rag, as a Tasty Bit of the Day):
[38] http://support.imagiware.com/devel/php/doc/
TBTF's Web host, Imagiware, Inc., has become a sponsor. You'll notice a pointer to their hosting service [39] at the bottom of TBTF's main page and also on the new FAQ and Details page [40]. The proprietors at Imagiware deliver a level of service that is extremely rare in the Web era. They answer the phone themselves and fix whatever your problem is, pronto. If you're looking for Web hosting I recommend Imagiware without reservation. Tell them TBTF sent you.
[39] http://webhost.imagiware.com/
[40] http://tbtf.com/faq.html
I've accepted a position as director of the Electronic Business Strategies service for The Hurwitz Group [41], a technology analyst and consulting firm in the Boston area. For a look at the Hurwitz slant on E-business, visit the premiere edition of our new online magazine; access is free through 29 January. Sign up as a guest user [42] (you must have cookies enabled) and follow the link to Electronic Business Monthly.
My hope and plan is to keep TBTF coming to you as usual.
[41] http://www.hurwitz.com/
[42] http://hurwitz-nt.harvard.net/Hurwitz/DDS/User/dds_signup.asp
TBTF home and archive at http://tbtf.com/ . To subscribe send the message "subscribe" to tbtf-request@tbtf.com. TBTF is Copyright 1994-1999 by Keith Dawson, <dawson dot tbtf at gmail dot com>. Commercial use prohibited. For non-commercial purposes please forward, post, and link as you see fit.
_______________________________________________
Keith Dawson    dawson dot tbtf at gmail dot com
Layer of ash separates morning and evening milk.