This widely circulated story is without substance

Wired News originated a story [1] claiming that NAI had quietly rejoined the KRA, after publicly disavowing it [2] following its acquisition of PGP last December [3]. Here are the facts: NAI acquired Trusted Information Systems in May 1998. TIS had been a leader in the Alliance, and its technology was considered to be among the best solutions in this space. NAI resigned the leadership posts that TIS had held in the Alliance and continued to monitor its work, but stopped attending its meetings. The NAI name still appears on the KRA Web site [4], as it has since May. There is no news here. Perhaps Wired was tipped by a disgruntled KRA member after Network Associates sent a representative to a recent meeting to suggest that they disband, because Open Source development provides greater security and assurance than any approach based on key recovery. The following statement was sent to me by Jon Callas, CTO of Total Network Security (formerly PGP Inc.) at Network Associates.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here is the official statement:

"NAI officially withdrew from the Key Recovery Alliance in late
1997.  In May of 1998, NAI acquired Trusted Information Systems,
which had been an active member of the KRA.  NAI subsequently
reliquished the leadership role TIS had taken in the
organization.  NAI Labs' TIS Advanced Research Division
continues to monitor the KRA's activities from a technical
perspective, but Network Associates in no way advocates
mandatory key recovery."

	Jon


-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0

iQA/AwUBNlC9e335wubxKSepEQJI6wCfSExUUVyfhEO3Nd0xOgu+7gF4SYQAnRBN
35N5BTvab2T8v+PEzhlbzv++
=l7xe
-----END PGP SIGNATURE-----

[1] http://www.wired.com/news/print_version/technology/story/16219.html
[2] http://www.wired.com/news/news/technology/story/9010.html
[3] http://tbtf.com/archive/1997-12-08.html#s01
[4] http://www.kra.org/roster/roster3.html#netassoc

Exploit can strike through JavaScript, plain HTML, or even email

SecureXpert Labs has discovered a deep and troubling security hole in the implementation of HTML frames [5]. All recent versions of Netscape Navigator and MS Internet Explorer are vulnerable, and any Web site using frames can be exploited. The "frame spoof" vulnerability is breathtaking in its scope and simplicity. It represents not so much a bug in the browsers' code as a flaw in the security policy they implement.

The bug was announced by Dr. Richard Reiner, CEO of SecureXpert Labs' parent company FSC Internet. SecureXpert has posted two sample exploits [6], one that requires JavaScript and one that relies on nothing but HTML. Both demonstrate how unauthorized information can be displayed in the frame of a known and trusted site, such as citibank.com or disney.com. Here are technical details [7].

SecureXpert will be working with Netscape and Microsoft on client-side fixes for the problem, but Dr. Reiner mused to the BugTraq list that the browser may not be the most appropriate place to patch this hole.

[5] http://www.securexpert.com/framespoof/index.html
[6] http://www.securexpert.com/framespoof/start.html
[7] http://www.securexpert.com/framespoof/tech.html

ICANN is flapping hard but gaining little altitude

The organization set to inherit dominion over Net naming and numbering held its first public meeting on 14 November. ICANN anticipated rough sailing and they certainly encountered it [8] from an audience of more than 150. Fewer than one-third raised their hands when interim chairwoman Esther Dyson asked how many thought that a concensus on general principles could be reached at the meeting. One participant, complaining about the secret process by which ICANN's initial board had been selected, said "The board has sprung as a virgin birth from some unknown entity." (In fact the "unknown entity" was the late Jon Postel, as a lawyer working with Postel's agency IANA explained.) Dyson asked the meeting, "How many think ICANN is an out-and-out fraud and are here to try to stop it?" Only a few hands went up, but someone shouted, "Could you separate those questions?" This meeting indicates how hard it will be for ICANN to find common ground in the naming transition -- a process rendered vastly more fraught by the death of Postel, the resignation of the Network Solutions CEO [9], and the imminent departure from the Clinton administration of Ira Magaziner [10], one of the few visible White House staffers who has a clue on the Net. The ICANN board will hold a second public meeting in Brussels on 25 November; the European Commission will host.

[8] http://www.wired.com/news/print_version/business/story/16277.html?wnpg=all
[9] http://www.thestandard.com/articles/article_print/0,1454,2551,00.html?02
[10] http://www.latimes.com/HOME/NEWS/POLITICS/ELECT98/NATELECTW/tCB00a1487.html

C-spam: domain-name holders receive unsolicited commercial email

Was it [11] spam? It's a grey area. The recipients were customers of the sender, Network Solutions, and it might be claimed that an unsolicited emailing to customers could not be objectionable. But this mailing had a few points against it that shade it over into the black end of grey. Let's call it c-spam -- customer spam.

• The email claimed that the recipient was now on a list to receive an email newsletter, and needed to opt out if this was unwanted.

• No mechanism was given, and none is believed to exist, to opt out of all such future mailings.

• The c-spam benefitted Verisign, not Network Solutions itself. (Note that Verisign holds a seat on NetSol's board.)

• Some domain-name holders got multiple copies; one reported receiving 30.

• Network Solutions currently has no competition for .com/.net/.org names -- disgusted customers have no recourse.

Paul Vixie, proprietor of the Realtime Blackhole List [12], [13], posted a request for commentary [11] to NANOG: Should he blackhole netsol.com? If 208.226.58.70 were entered onto the RBL, the domain would suddenly become invisible to large portions of the Net. (Note: internic.net would not be affected by such an action.) One poster commented that the usual means of fighting spam don't work in this case: one can't complain to NetSol's upstream provider and request that its connectivity be yanked. Another pointed out that if NetSol got sufficiently annoyed with Vixie they could simply deactivate vix.com and put him out of business.

At this writing the debate is still rolling on NANOG, Vixie is in discussions with NetSol sales/marketing management, the domain is not blackholed, and NetSol has agreed to hold off any further mailings until the discussions conclude.

[11] http://www.cctec.com/maillists/nanog/current/msg00488.html
[12] http://tbtf.com/archive/1998-01-12.html#s02
[13] http://maps.vix.com/rbl/

Technology from Area 51?

A favorite sport among the geeks who frequent slashdot.org is speculating on the nature of the product Transmeta is developing [14]. Their curiosity is understandable as the father of Linux, Linus Torvalds, works there. Now the ultra-secretive company may have offered the first glimpse of its technology, courtesy of a patent [15] issued earlier this month. Somewhat mysteriously titled Memory controller for a microprocessor for detecting a failure of speculation on the physical nature of a component being addressed, the patent reveals a chip that can translate Intel instructions into a more advanced format, VLIW (Very Long Instruction Word). It should run Windows faster than anything yet seen on the planet. It could also be highly efficient running Java or RISC processor code.

Some have speculated that the microprocessor is reverse-engineered from alien technology. This news.com story [16] catches an industry analyst in mid-quip:

[14] http://tbtf.com/archive/1998-09-07.html#s08
[15] http://www.patents.ibm.com/details?pn=US05832205__&s_clms=1
[16] http://www.news.com/News/Item/Textonly/0%2C25%2C28737.html?tbtf
[17] http://slashdot.org/features/98/11/12/1935212.shtml
[18] http://scottlangley.com/patent.htm

Each must name a designated copyright contact

The Digital Millenium Copyright Act, which was signed into law last month, requires [19] all ISPs to register with the Copyright Office and to name a designated contact for complaints of copyright violation. The rules are only an interim step in the new law's implementation; regulators will draft permanent rules and host a public comment period within the next several months.

[19] http://www.news.com/News/Item/Textonly/0,25,28357,00.html?tbtf

Fears of Open Software lockout ease

The I2O Special Interest Group is developing specifications for an advanced I/O subsystem. On 4 November the group announced [20] that it had made version 1.5 of the I2O spec publicly available to all product developers at no cost. This announcement lays to rest year-old fears [21] that the I2O Consortium might use its closed membership roster and non-disclosure terms to hobble Linux implementation of the I/O system, especially on Intel's Merced chip. Here is discussion of the I2O development on Slashdot [22].

[20] http://www.newsalert.com/free/story?StoryId=CnJ_FubKbytaWndm
[21] http://tbtf.com/archive/1997-08-04.html#s04
[22] http://slashdot.org/articles/98/11/04/1123235.shtml

Taking a Tomahawk for a test cruise

On 16 November, Los Angeles television station KCOP posted on its Web site a piece titled Rockets Red Glare (no longer up as far as I can determine):

[23] http://tbtf.com/archive/1998-10-12.html#s08

TBTF home and archive at http://tbtf.com/ . To subscribe send the
the message "subscribe" to tbtf-request@world.std.com. TBTF is Copy-
right 1994-1998 by Keith Dawson, <dawson dot tbtf at gmail dot com>. Commercial
use prohibited. For non-commercial purposes please forward, post,
and link as you see fit.
_______________________________________________
Keith Dawson    dawson dot tbtf at gmail dot com
Layer of ash separates morning and evening milk.