TBTF for 1997-07-14: Cold, dead fingers
Keith Dawson (dawson dot tbtf at gmail dot com)
Sun, 13 Jul 1997 13:28:06 -0400
FBI director shows his hand
It's just about as chilling as the most paranoid Cypherpunk feared. On
Wednesday the FBI director testified before Congress and revealed his
not-entirely-hidden agenda on the encryption question [1]. Louis
Freeh is not overly worried about the export of strong crypto. He wants
restrictions on its domestic use, with guaranteed access to individual
users' keys by authorities, without a court order and without
notification to the user. Freeh proposes to transform the small but growing
infrastructure of Certificate Authorities into centers of access to users'
keys [2].
In the same week European officials both at the Bonn
Internet conference and at a meeting of the European Union slammed
American positions on key recovery and privacy [3]. The US posture
threatens to derail international Internet commerce before it ever
pulls out of the station. If Director Freeh's desires are realized
in law, Internet commerce in the Net's most populous market will die
unborn. I will go EFF co-founder John Perry Barlow one better: they
cannot have my private key, even if they attempt to pry it from
my cold, dead fingers.
[1] http://www.news.com/News/Item/Textonly/0,25,12317,00.html
[2] http://www.nytimes.com/library/cyber/week/071197encrypt.html
[3] ftp://vorlon.mit.edu/pub/f-c/v02.n327
Sun encryption workaround draws NSA scrutiny
Last week the National Security Agency asked Sun Microsystems and
a Russian networking company in which Sun has a 10% stake to turn over
the source code of its SunScreen SKIP E+ [4]. Last month Sun ran a
lateral Arabesque around US crypto export restrictions [5], [6] by
announcing the worldwide availability of its SunScreen virtual
tunneling technology with strong encryption provided by the
Russian partner company. Exactly why the NSA has gotten involved in
the issue was not clear; NSA scientists may be acting as
consultants to the Commerce Department, which now has the oversight of
crypto export policy.
[4] http://192.215.107.71/wire/news/jul/0706nsa.html
[5] http://www.tbtf.com/archive/1997-06-16.html#s01
[6] http://skip.incog.com/press-elvis.htm
Justice Department to investigate Network Solutions
NSI informed potential investors on Friday that its operations are
under investigation by Federal antitrust agents [7]. The Feds also
want information from NSI's parent company, Science Applications
International Corp. NSI, currently the monopoly grantor of
top-level domain names, plans to go public; it disclosed the pending
investigation in papers filed with the SEC. A Justice Department
spokesman confirmed that an investigation is under way. Neither
Justice nor NSI will speculate on its scope or possible outcome.
The investigation clouds still further the future of domain naming
on the Net. NSI will lose its monopoly contract from the NSF next
March, but has said it will keep control of the top-level domains
it currently administers. The plan worked out by the International
Ad Hoc Committee to introduce competition to domain naming is on
hold [8].
And on 7/10 an industry group called the Association for
Interactive Media convened an "Open Internet Congress" in
Washington [9], ostensibly to assure that business has a say in the
governance of the Net.
Note added 1997-07-27: Dave Crocker <dcrocker at brandenburg dot com>, one of the
original IAHC members, corrected the misimpression conveyed by the writeup above:
the IAHC / gTLD-MoU process is not on hold, but is proceeding apace. Please
visit TBTF for 1997-07-21 for Crocker's comments in full.
[7] http://www.yahoo.com/headlines/970708/tech/stories/probe_1.html
[8] http://www.tbtf.com/archive/1997-07-07.html
[9] http://192.215.107.71/wire/news/jul/0708stake.html
A large hole in JavaScript
Here's ironic news in the week after the European Computer
Manufacturers' Association standardized JavaScript [10], and it has
taught me to pay attention when John Robert LoVerso <loverso at osf dot org>
forwards a tip. Last Tuesday LoVerso sent word of a troubling new JavaScript bug.
I decided not to publish it as the next day's Tasty Bit, and now it's
big news [11].
The defect allows a bad guy to capture the history of
your Navigator 3.01 session, in clear text, including any passwords or
PINs that you might type into forms. Here is an exploit page [12] for
the defect. Its discoverer Dan Brumleve <nothing at aleph2 dot com> notified
CERT, Microsoft, and Netscape of the problem. CERT recommended that
all users immediately disable JavaScript in their browsers.
(Personally, I've run without benefit of JavaScript since LoVerso won a
Netscape Bug Bounty early last year [13].) Netscape developed a fix and
released Navigator 3.02, but a closely related problem still exists in
this version [14].
[10] http://www.news.com/News/Item/Textonly/0,25,11967,00.html
[11] http://www.news.com/News/Item/Textonly/0,25,12282,00.html
[12] http://www.aleph2.com/tracker/
[13] http://www.tbtf.com/archive/1996-02-27.html
[14] http://www.news.com/News/Item/Textonly/0,25,12347,00.html
Wash that Trojan horse's mouth out with soap
This is either the story of an entertaining and mildly malicious hack,
or a brilliant PR sally by McAfee Associates. The anti-virus
software company claims that some joker developed an ActiveX control
called CussOut [15]. When you access a page containing the control
and it is downloaded to your Windows machine, CussOut is said to
rifle through your email folders and to send an
obscene message to every address it can find. On Monday, McAfee will
introduce a program, WebScanX, to screen out such hostile ActiveX
controls or Java applets downloaded from Web sites or received via
email. McAfee has recently been smarting from the attention the tiny
Israeli company Finjan [16] has garnered for its SurfinShield and
SurfinGate products, which claim similar prophylactic benefits.
I could not find a URL for any page containing the CussOut
control, or an example of one of its messages, or any discussion of
the problem outside of the (McAfee-generated) news.com story.
[15] http://www.news.com/News/Item/Textonly/0,25,12333,00.html
[16] http://www.finjan.com/
A Silicon Forest wannabe
An article [17] in the Seattle Post-Intelligencer suggests the moniker
"Silicon Forest" for the Puget Sound region. However, solid documentation
exists for Portland's pre-existing claim to the name [18]. The
Seattle Post-Intelligencer article also makes feints at Silicon
Valley North (claimed by Ottawa) and Telecom Valley (San Diego).
It's clear the Post-Intelligencer
reporter, Warren Wilson, had never visited TBTF's Siliconia
page [18].
[17] http://nytsyn.com/live/Latest/189_070897_104200_14707.html
[18] http://www.tbtf.com/siliconia.html
Mars rocks, space rocks, and bugs
Surely you've visited the Sagan Station [19], née Mars
Pathfinder, on the Web by now. This
URL links the 15 US and 8 international mirror sites, which
collectively can handle 120 million hits per day. The Mars
exploration is a mega-event with wide appeal [20].
Consider this news item,
forwarded by an old friend with whom I crossed the continent to
be at NASA-Ames for Pioneer 10's rendezvous with Saturn, in 1979.
Sales have taken off for Mattel's Hot Wheels Mars Rover
Action Pack, which includes a detailed version of the
rover and its mother ship. Mattel declined to release
sales figures for the rover toy, but a supply of 1,500
at JPL's souvenir shop sold out in 20 minutes Tuesday.
Completely overshadowed by the Martian goings-on was the quietly
successful climax of another NASA mission the week before: the
fly-by and photo shoot of the near-earth asteroid Mathilde [21].
The images page [22] is appealing; but unless your browser plugs
directly into the mother of all Net pipes, turn off image loading
before you visit. Read the captions and decide which of the six
pictures you want to see; they range in size from 34K to 117K.
Closer to home, the following timely note comes from the Preview
Release of the Be Operating System. It was forwarded by Timothy
Dion <timd at advis dot com> and Keith Bostic
<bostic at mongoose dot bostic dot com>.
To celebrate, the Be staff took a few hours off and went to see
the movie "Men in Black." I won't spoil the plot for those who
haven't seen it, but the movie makes a point that is somehow
appropriate -- it is impossible to rid the universe completely
of bugs, but at least you can drive something fast, arm yourself
with powerful tools, and look good doing it.
[19] http://mpfwww.jpl.nasa.gov/
[20] http://192.215.107.71/wire/news/jul/0710Martian.html
[21] http://sd-www.jhuapl.edu/NEAR/Mathilde/
[22] http://sd-www.jhuapl.edu/NEAR/Mathilde/images.html
Obfuscated C
Notes
Starting tomorrow your correspondent takes on full-time responsibility
as Director of Internet Strategy for a startup that will for the moment
remain nameless. When the time comes you'll hear plenty about it,
believe me. My plan is to continue TBTF as before. After a few weeks
there may be some changes as I accommodate a new schedule, but overall
I'm quite happy with the Tasty Bit of the Day format and the
predictability it brings to the retro-push edition. Hope you are too.
Sources
TBTF home and archive at <http://www.tbtf.com/>. To subscribe
send the message "subscribe" to tbtf-request@world.std.com. TBTF is
Copyright 1994-1997 by Keith Dawson, <dawson dot tbtf at gmail dot com>.
Commercial use prohibited. For non-commercial purposes please forward,
post, and link as you see fit.
_______________________________________________
Keith Dawson dawson dot tbtf at gmail dot com
Layer of ash separates morning and evening milk.
Copyright © 1994-2023 by Keith Dawson.
Commercial use prohibited. May be excerpted, mailed, posted, or linked
for non-commercial purposes.