The Commerce Department is circulating for comment proposed changes to the rules that govern the export of cryptography. The changes mostly fine-tune the mechanics of key recovery, but one whopper lurks in the dense thicket of governmentese [1]. This is the proposal that anyone in the US running a Web site from which crypto products can be downloaded might have to submit to a review by Commerce's Bureau of Export Affairs. A NY Times story on the proposal is mirrored here [2]. If such a rule goes into effect, companies such as Netscape, PGP, and Microsoft will get to play the game of bring me a rock with government bureaucrats. The game is beloved of Dilbertesque managers everywhere. The victim, left to guess at the criteria for success, winds up carrying numerous rocks upstairs to be judged wanting. Netscape's Peter Harter observes that the proposed policy violates the spirit of Vice President Gore's public stance toward regulating online commerce: the principle of do no harm. "I'm not aware of any procedure that would require retail stores such as Fry's or Egghead to apply to the Commerce Department," Harter said.

[1] http://jya.com/bxa-ei-rule.htm
[2] http://jya.com/bxa-nyt.htm

Crack a Mac Challenge reopened

The Crack a Mac Challenge [3], which was broken Sunday [4], was reinstated 24 hours later after a Macintosh development company, Blue World Communications, worked around the clock to fix the bug in their CGI product that allowed the crack. Below is the note from Joakim Jardenberg <joakim at infinit dot se> announcing the reopening of the challenge.

Crack a Mac is back again! It's true!!!

The crack that was made possible due to a combination of
different functions on the server has now been blocked by a
patch for Lasso.

Blue World did an amazing effort and released a patch for
Lasso in less then 24 hours, and on a Sunday as well. The
patch is recommended for all Lasso users running both versions
1.2 and 2.0 and can be found here [5].

Blue World also proves what a great company it is by
sponsoring the reward to Starfire, who found out how this
combination could be exploited.

More details on the combination will be posted soon.
So the bottom line is -- Crack a Mac is back, we all have
learned a lot, and we now have an even more secure server
to trust.

Best regards

/Jocke

Apple's Chuq Von Rospach <chuqui at plaidworks dot com> sent the following details of the cracker's method.

The site ran two third-party CGIs -- SiteEdit and Lasso. The
first is, as you might think, a way to edit and update a web
site through a CGI instead of FTP. Think of it as Netscape's
file upload on steroids. Rather nice product. Lasso is a CGI
database interface to FileMaker Pro.

The latter was used to implement a guestbook on the site.
Lasso... [leaves] a pointer to its "error" html file in the
html available to the user. [The cracker] noticed that, and
rewrote the form so that the error file field now pointed to
the filename of the password file for SiteEdit. Then he quer-
ied a non-existant file, and Lasso happily sent him the pass-
word file.

Oops. SiteEdit kept everything cleartext. Because obviously,
there's no need to protect it: WebStar has a special MacOS
signature byte which says "never download this, period." So
there was no way to get the file without cracking the machine,
so... Except Lasso didn't sanity-check its filenames and
didn't honor the "no download" file restriction.

So this crack has nothing to do with MacOS or Webstar. It's a
problem in Lasso that takes advantage of something SiteEdit
did. Lasso's patch is already on Blue World's website.

Nice hack. A bunch of CGI authors need to go rethink their
security. If Lasso does this, I'm sure others will too, and
people will go snooping now that someone's thought of it. And
it's another great reminder that passwords ought never to be
cleartext, even if you keep them in your shorts.

And I'm waiting for the first writer to make the assumption
that this means the MacOS is insecure.

[3] http://hacke.infinit.se/
[4] http://www.tbtf.com/archive/1997-08-18.html#s01
[5] http://www.blueworld.com/lasso/security_update.html

Win a million

A couple of years back Elementrix claimed [6] to offer encryption based on the cryptographers' holy grail, the one-time pad. But the claim proved hollow [7]. Now a startup called Crypto-Logic Corp. [8] has the genuine article. It's offering a $1M prize to anyone who can decipher a simple English challenge message within a year's time. Sure, why not a million, the encryption technique is provably unbreakable. Each message is encrypted by a key as long as the message itself and the keys are used once only. The software, Ultimate Privacy, runs on Windows 95 and NT. It costs $99 and includes two software pads, which allow you to encrypt 2000-4000 messages between yourself and a single recipient. The company sells pads for use if you exhaust the first pair, or if you wish to encrypt messages to a second recipient, but I could not find a price on their Web site.

[6] http://www.tbtf.com/archive/1995-10-03.html
[7] http://www.tbtf.com/archive/1995-12-18.html
[8] http://www.ultimateprivacy.com

On 7/1 the Commerce Department's National Telecommunications and Information Administration requested public comments [9] on Internet domain naming, to be submitted by 1997-08-18. Over 300 responses [10] were filed (32 of them on the deadline date). NTIA doesn't make it easy to get an overview of the responses: the Web page presents them sorted by date received, with no index of submitters and no ability to search. The 18 people and organizations who responded non-electronically [11] fared better -- they got indexed by name and their contributions are available by individual URLs, not aggregated with all the other respondants of the day. Coverage by news.com [12] and Wired [13] tends to stress the various and flaky nature of the many contributions, a stark demonstration of why the Internet has evolved on the basis of "rough concensus." In cyberspace concensus doesn't come any other way.

Here are highlights from the thoughtful responses of three serious organizations.

Policy Oversight Committee [14] -- the body carrying forward the proposals of the International Ad Hoc Committee offered a detailed response. The document gives some insight into the thought behind the positions that emerged in the gTLD Memorandum of Understanding. The POC points out the sheer volume of Internet community input the IAHC considered and worked into its proposals, implicitly calling into question the wisdom of the NTIA's decision to start the comment process all over again.

Computer Professionals for Social Resopnsibility [15] -- CSPR wants to pull back and allow time for far wider input into the IAHC process. "Whatever its merits, the IAHC process was closed, rushed and unbalanced," the CSPR opines. They believe that there is "no current crisis" needing immediate resolution.

Electronic Frontier Foundation -- The EFF's position paper had not been posted at this writing; when it is it will probably appear here [16]. The EFF generally supports the gTLD Memorandum of Understanding, but is not a signatory to it. EFF's views diverge from the IETF position over the question of the balance of rights. EFF regards the IAHC proposal as highly skewed toward the rights of the holders of intellectual property, at the expense of other Net stakeholders. The EFF paper slaps NSI for trying to claim the original top-level domains as their own property.

[9] http://www.ntia.doc.gov/ntiahome/domainname/dn5notic.htm
[10] http://www.ntia.doc.gov/ntiahome/domainname/domainname.htm
[11] http://www.ntia.doc.gov/ntiahome/domainname/not-emailed/
[12] http://www.news.com/News/Item/0,4,13669,00.html
[13] http://www.wired.com/news/news/politics/story/6297.html
[14] http://www.gtld-mou.org/docs/poc-doc-rfc.html
[15] http://www.cpsr.org/dox/issues/names.html
[16] http://www.eff.org/pub/GII_NII/DNS_control/

International Data Corp. did a survey of 20 million web pages and found less than 1000 using ActiveX. This remarkable factoid appeared in the August 1997 Boardwatch in an article by Doug Shaker, who notes, "That, my friends is less than .005 percent. If that doesn't constitute market rejection, I don't know what does". Here's another metric: the numbers of packages linked on Web pages devoted to ActiveX and to its rival technology, Java. Even discounting the categories on the Gamelan site that represent other than code, Java still enjoys a better than 10-to-1 advantage. Thanks to Jon Cox <jcox at cs dot tufts dot edu> for the pointer to Boardwatch.

ActiveX (www.activex.com)			Java (www.gamelan.com)
Browser Enhancements	34		Arts and Entertainment	259
Online Applications	20		Business and Finance	215
Tools & Utilities	240		Commercial Java	449
Site Development	56		Educational	813
Application Development	250		Games	1204
Database Connectivity	30		How-to and Help	71
Control Development	13		Java-Enhanced Sites	787
total	643		JavaBeans	48
			Miscellaneous	119
			Multimedia	455
			Network / Communications	414
			Programming in Java	1302
			Publications	172
			Related Technologies	1398
			Special Effects	829
			Tools & Utilities	676
			total	9211

Rodney Thayer <rodney at sabletech dot com>, coderpunk and bon vivant, sent dispatches to TBTF from the week-long meeting of the Internet Engineering Task Force in Munich. Here is his final bulletin. The entire week's reporting on the folks who define the Net resides on the TBTF archive [17] by permission.

In Cyberspace, Nobody can see you fall asleep in your soup

It's Monday evening. The IETF meeting ended last Friday, at approximately 11:30 AM, local time.

So why am I writing this on Monday? Well, as the techies would say, "the IETF doesn't scale well."

It seems that, traditionally, IETF meetings were always four days in length. However, due to the number of groups meeting, that became difficult. They even went to evening meetings (thus interfering with the important business of schmoozing with one's fellows) and still four days wasn't enough. So it finally dawned on them to expand the meeting to five days. This was a fine idea, except that the traditional thing to do was to shut down the network in the terminal room late Thursday or early Friday. This meant that the network connection went away moments after the end of the last meeting, thus I was stuck (gasp!) without an Internet feed.

Add to this the non-compatability of German telephones and my US modem, plus a day's travel to get back to my office, and you end up with me writing the Day Five report on Monday.

But back to my IETF story.

On Friday, we had the IPsec meeting. Now at this meeting we had one mild disagreement, one calmly worded surprise, and a couple of relatively new observations. Since we have nineteen documents actually, I count 21, but what's two drafts among 175 debating Internet folk?), this is considered a mild meeting. There are drafts for architecture, packet formats, almost a dozen encryption ciphers (don't blame me, my name's only on four of the documents), and miscellaneous other proposals.

The good news is, people are definitely realizing that [Attention news flash here] people are currently using the Internet without encryption. Since this is happening, there is agreement -- "rough consensus" as the mantra says -- that we need to get this stuff done as soon as possible.

There are still problems. The main document that isn't done is the architecture spec. This means we wrote 20 or so documents based on an old architecture spec and some notes written on the back of an envelope. Some have characterized this as "firing a gun and then running ahead of the bullet to paint a target where it's going to hit." This may be true, but in all fairness this is the third generation of the architecture document, so at least for those hardy folk who have been around for a while the architecture is known.

The scary thing is, there was consensus on another point: with all those documents, we realized that sometime soon we are bound to hear that someone has written "IP Security For Dummies."

[17] http://www.tbtf.com/resource/ietf-munich-rt.html

Web publishing doesn't get any easier than this. Myrmidon, from Terry Morse Software, is a Macintosh-only product that lets you generate a Web from any document you can print. The print-driver approach to format conversion was pioneered to good effect by Adobe in the Acrobat family of products. Myrmidon does a smart job of figuring out where the headers, lists, and tables are in a document and generates appropriate (and readable!) HTML. The result is a Web document that we might call WYSIWYU (what you see is what you upload), but only if we were very tired. The WYS is accomplished by invisible tables and invisible spacer images, a technique honed by NetObjects Fusion and GoLive CyberStudio. Myrmidon version 1 has been shipping for a year [18] and version 2 is just out in beta [19]. The author, asked about the imminence of a Windows port, replied that he needed to grow the business first. (Terry Morse Software at this point is just him.) If you develop Webs in a Mac environment by all means download the beta [19]. Better yet, buy Myrmidon version 1.2 now -- Cyberian Outpost has it for $49.95 [20] and MacWarehouse for $54.95 [21] -- and upgrade when v2.0 is ready.

[18] http://www.terrymorse.com/comments.html
[19] http://www.terrymorse.com/
[20] http://www.cybout.com/cgi-bin/product_info?item=16947
[21] http://www.warehouse.com/oasis/bin/catproduct.dll?product_id=8330

Today's TBTF title comes from a children's camp song taught to me by my wife in a moment when I couldn't defend myself. Catchy little tune. A Myrmidon was one of the legendary Greek warrior people of ancient Thessaly who followed their king Achilles on the expedition against Troy. Today a myrmidon is a faithful follower who carries out orders unquestioningly. ("Do what I mean.") The word derives from the Greek murmex: ant.

For a complete list of TBTF's (mostly email) sources, see http://www.tbtf.com/sources.html.

TBTF home and archive at http://www.tbtf.com/ . To subscribe send
the message "subscribe" to tbtf-request@world.std.com. TBTF is
Copyright 1994-1997 by Keith Dawson, <dawson dot tbtf at gmail dot com>. Com-
mercial use prohibited. For non-commercial purposes please forward,
post, and link as you see fit.
_______________________________________________
Keith Dawson    dawson dot tbtf at gmail dot com
Layer of ash separates morning and evening milk.