For the last month Microsoft has been working on fixes to its Windows TCP/IP stacks as a program called WinNuke has spread on the Net. The program can instantly crash any machine directly connected to the Internet and running Windows 3.1, 95, NT 3.51, or NT 4.0. A reboot usually fixes the damage. The original author of winnuke.c is obscure; the earliest posting [1] I found, on the bugtraq mailing list, was by one myst <myst at light-house dot net>. The code has been ported to Windows, MacOS, Unix, and Linux platforms. It exploits the so-called OOB (out of band) bug in certain TCP/IP stacks and usually attacks via port 139, though any listening port will do.

On 5/12 Microsoft posted patches for NT 3.51 [2] and NT 4.0 [3] systems (this latter patch is also included in service pack 3 [4]). Today the company posted a patch for Windows 95 [5].

But patched NT systems are still vulnerable if attacked by the MacOS or Linux ports of WinNuke. Microsoft says updated fixes for all Windows platforms will be posted later this evening. The company has not prepared a fix for Windows 3.1 and says it will not do so "unless users request one."

Follow this link [6] for the best current summary I've found of the situation, with patches and workarounds beyond those currently supplied by Microsoft. Visit this page [7] to test whether your Windows machine is vulnerable. C|net's latest coverage is here [8].

[1] <http://www.geek-girl.com/bugtraq/1997_2/0200.html>
[2] <ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT351/hotfixes-postSP5/oob-fix>
[3] <ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP2/oob-fix>
[4] <ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/ussp3/>
[5] <http://www.microsoft.com/kb/articles/q168/7/47.htm>
[6] <http://www.mydesktop.com/features/macattack/>
[7] <http://pobox.leidenuniv.nl/~ewit/winnuke/>
[8] <http://www.news.com/News/Item/0%2C4%2C10933%2C00.html>

This week eleven cryptographers and computer scientists added substance to the cryptography policy debate with an analysis [9] of the costs and ramifications of implementing key recovery on a large scale, as the Administration proposes. See [10] for a summary. The report concludes:

The deployment of a global key-recovery-based infrastructure to meet law enforcement's stated specifications will result in substantial sacrifices in security and greatly increased costs to the end user. Building the secure infrastructure of the breathtaking scale and complexity demanded by these requirements is far beyond the experience and current competency of the field.

What do you get when you implement an autonomous software agent as a Java applet? An "aglet" [11], according to IBM researchers who have proposed a standard [12] for the beasties. A large fraction of the Java Aglet API is devoted to security matters: the problems of aglet safety put those of mere applets in the shade. You have to arrange that no-one can read enroute the data your aglet is collecting for you, and to assure that it doesn't return to your home system riddled with viruses. Of course you have to guarantee that it will not harm any host computer, else no-one would agree to host it. The aglet must carry all of the code and data it will ever need from host to host, and it must know how to behave when its host becomes disconnected from the network. Two hundred thousand developers have downloaded IBM's Aglet Workshop [13], now in its fourth prerelease version.

[11] <http://www.economist.com/issue/17-05-97/st4267.html>
[12] <http://www.trl.ibm.co.jp/aglets/JAAPI-whitepaper.html>
[13] <http://www.trl.ibm.co.jp/aglets/download.html>

Writing in the June Scientific American [14], Anne Eisenberg plumbs a growing disenchantment with the Net. (David Suter's illustration [15] is alone worth the price of admission.) The article moves from the Saturn-Like Object near Comet Hale-Bopp [16] to the Heaven's Gate tragedy [17] and beyond to limn the lineaments of a young medium enduring a particularly rough adolescence.

[14] <http://www.sciam.com/0697issue/0697cyber.html>
[15] <http://www.sciam.com/0697issue/IMG/0697cyber.gif>
[16] <http://www.tbtf.com/archive/1997-01-11.html>
[17] <http://www.tbtf.com/archive/1997-04-04.html>

The Economist has published a clearheaded appraisal of the shape of online commerce [18] and the ways it hasn't grown in the expected directions. It's hard to fault the article's assertion [19] that the experts fundamentally misjudged online payment systems: the various forms of micropayments and electronic cash are in their infancy, while consumers have embraced the payment systems with which they're already familiar: subscriptions, advertising, and credit cards.

The survey spotlights Amazon.com [20] as an example of how to succeed in online commerce by tapping the power of your community of partners and customers. It seems that Amazon is on everyone's short list of favorite commerce sites lately. Digital is running ads featuring Amazon's CEO, Jim Bezos, talking up its Alpha servers. Amazon has yet to turn a profit, though.

The Barnes & Noble site [21] opened last week, and on the same day the giant bookseller filed suit [22] against the online upstart for calling itself "the world's biggest bookstore." Regardless, at Amazon's IPO [23] two days later its stock closed 30% above the target price, making Bezos the latest Internet millionaire.

Amazon's story as told by The Economist [20] reads like an unwavering progression toward the prize. Not all case studies are so neat. The Wall Street Journal's profile [24] of SiteSpecific, a successful Web advertising agency, is full of the Brownian zigging and tacking that most of us will recognize as the more typical course of a business.

[18] <http://www.economist.com/surveys/elcom/>
[19] <http://www.economist.com/surveys/elcom/ec5.html>
[20] <http://www.economist.com/surveys/elcom/ec3.html>
[21] <http://www.barnesandnoble.com/>
[22] <http://www.news.com/News/Item/0,4,10605,00.html>
[23] <http://www.news.com/News/Item/0,4,10678,00.html>
[24] <http://www.wsj.com/public/current/articles/SB863705277956136000.htm>

Email spam is the favorite gripe of most Netizens, excepting the spammers. Congress is considering legislation [25] to limit the practice of sending unwanted commercial email in bulk. Not everyone thinks this is a good idea. See [26] for a thread from an ongoing debate on Declan McCullagh's fight-censorship mailing list. George Matyjewicz <mosaic1 at ix dot netcom dot com> did a modest experiment on a week's worth of his email -- he is on 56 mailing lists and gets around 200 messages a day -- to gauge how widespread the problem actually is. Matyjewicz posted these results:

Mailing-list owners share information on the addresses from which commercial spam messages originate. Recently Alexander Verbraeck <A.Verbraeck at duticai dot twi dot tudelft dot nl> posted a particularly comprehensive list of purported spammers. I have taken the liberty of preserving a snapshot on the TBTF archive [27], sorted both by email address and by "virulence" -- the total number of messages sent by each spammer over a given time period to two of Verbraeck's lists. Thanks to Tom Parmenter <tompar at world dot std dot com> for the tip.

[25] <http://www.news.com/News/Item/0%2C4%2C10875%2C00.html>
[26] <http://www.tbtf.com/resource/to-ban-spam.html>
[27] <http://www.tbtf.com/resource/spammers.html>
[27a] (removed)

TBTF for 1995-12-18 [28]

Researchers are harnessing the weirdness of the quantum world in hopes of realizing computers that can solve in seconds problems that might require years on a classical supercomputer. People interested in breaking cryptographic codes salivate at the prospect of finding prime factors in polynomial time rather than exponential time. Some researchers have been trying to fashion "qubits" out of single atoms cooled near absolute zero by laser beams. (Such "atom traps" also figure in studies of the Bose-Einstein condensate [29].) This is one way to produce "Schrödinger's kittens": objects that exist in several states at once and so could represent (for example) zero and one simultaneously. (The June 1997 Scientific American features an excellent survey of these experiments, titled "Bringing Schrödinger's Cats to Life," but it is not available on the Web.) An approach using more everyday materials -- quantum computing in a coffee cup -- is being investigated by two groups of researchers, an MIT-Los Alamos team and a Harvard-MIT group. See [30] and [31] for general coverage and [32] for the MIT page of Neil Gershenfeld and Isaac Chuang -- but turn off image loading before visiting the latter site. (Their use of coffee as a computing medium echoes Douglas Adams's fanciful invention of the Infinite Improbability Drive [33], [34], whose principal component was a cup of hot tea.) Gershenfeld and Chuang have constructed a 3-qubit computer and used it to perform the calculation 1+1=2; they believe they can reach 10 qubits by the end of the year and see no fundamental impediments up to 30 qubits. Such a machine would take 20 minutes to factor a 1000-digit number, versus conventional machines which, under conservative assumptions, would calculate for several quadrillion times as long as the universe has existed to date.

Thanks to Peter Broadwell <peter at koi dot meer dot net>, who sent me a note after attending a talk by Gershenfeld and Chuang.

[28] <http://www.tbtf.com/archive/1995-12-18.html>
[29] <http://newton.ex.ac.uk/aip/physnews.305.html>
[30] <http://www.aip.org/enews/physnews/1997/physnews.310.htm>
[31] <http://www.sciencenow.org/html/970117c.htm>
[32] <http://physics.www.media.mit.edu/projects/spins/home.html>
[33] <http://www.fys.uio.no/~bor/doc/infinite-drive.html>
[34] <http://www.powells.com/cgi-bin/partner?partner_id=23196&cgi=search/search&searchtype=isbn&searchfor=0345391802>

In the last issue [35] I reported with a straight keyboard that Linus Tovalds, the creator of Linux, had recently gone to work for Sun Microsystems. Turns out the "press release" [36] I fell for was an April Fools posting crafted by Liem Bahneman <roland at starfleet dot com> to resemble a Reuters news release. Linus is still at Transmeta, a startup chip design company. Thanks to Greg Roelofs <roelofs at prpa dot philips dot com> for pointing out the egg on my face. You can find the bogus story of Sun's abandoning Solaris development to embrace "Solinux" in a number of places on the Web [37], [38], most of them omitting Bahneman's "April Fools" note at the bottom.

[35] <http://www.tbtf.com/archive/1997-05-08.html#s12>
[36] <http://www.tara-lu.com/~jimb/aklug/0551.html>
[37] <http://lucifier.rosprint.ru/lists/1997_04_01/Linux-Kernel/msg00211.html>
[38] <http://www.pop-mg.rnp.br/portugues/servicos/listas/tec-l/msg00007.html>

For a complete list of TBTF's (mostly email) sources, see http://www.tbtf.com/sources.html>.

E.Commerce Today -- this commercial publication provided background information for some of the pieces in this issue of TBTF. For com- plete subscription details see <../resource/E.CT.txt>.

FC -- mail fight-censorship-announce-request@vorlon.mit.edu without subject and with message: subscribe . Web home at <http://www.eff.org/~declan/fc/>.

TBTF home and archive at <http://www.tbtf.com/>. To subscribe
send the message "subscribe" to tbtf-request@world.std.com. TBTF is
Copyright 1994-1997 by Keith Dawson, <dawson dot tbtf at gmail dot com>. Com-
mercial use prohibited. For non-commercial purposes please forward,
post, and link as you see fit.
_______________________________________________
Keith Dawson    dawson dot tbtf at gmail dot com
Layer of ash separates morning and evening milk.