t byfield on Mon, 23 Mar 1998 22:46:35 +0100 (MET)
<nettime> FWD: TBTF [3/23/98]
[Obviously, the entire nettime subscription base is off having Holidays in the Sun. Good for you--you all think *way* too much... Anyway, now I got a reason to pass along the latest issue of one of the best publications on the net. 65% relevant to nettime, imo. Share and enjoy. --TB]

[forwards ho...]

-----BEGIN PGP SIGNED MESSAGE-----

TBTF for 3/23/98: Chaffing and winnowing

T a s t y   B i t s   f r o m   t h e   T e c h n o l o g y   F r o n t

Timely news of the bellwethers in computer and communications technology that will affect electronic commerce -- since 1994

Your Host: Keith Dawson

This issue: < http://www.tbtf.com/archive/03-23-98.html >
________________________________________________________________________

C o n t e n t s

    Confidentiality without encryption
    Java in turmoil
    Intel's Merced locking out free OSs
    Single point of failure
    New sendmail will make spammers work harder
    Trelligram elegantly packs Webs to go
    The emergent behavior of bugs
    A modest Macintosh survey
    Fifth Certicom challenge (ECCp-97) falls
    Crypto policy
        US crypto fight's profile is rising
        DoJ won't seek mandatory back doors in domestic crypto -- yet
        Sun delaying shipment of Elvis+ strong crypto
        But Network Associates goes around the rules
    Nommage
        French up in arms over proposed US hegemony
        The price of .com is going down
        AlterNIC's Kashpureff pleads guilty
        A history of domain name developments
________________________________________________________________________

..Confidentiality without encryption

  One of the fathers of modern public-key crypto comes up with a third way

If you want to communicate confidentially, until last week you had two choices: encryption or steganography [1]. Now Ron Rivest, the "R" in RSA, has given us a third. Called "chaffing and winnowing," Rivest's scheme [2] allows two people who share an authentication key to achieve high levels of confidentiality without using encryption at all.
Furthermore, a third party between the communicating pair can add arbitrary levels of security to the communication without even knowing any authentication key, and without either the knowledge or consent of the communicating parties.

To put this technique to use is to reveal US crypto export law for the mockery it is. Rivest says, "As usual, the policy debate about regulating technology ends up being obsoleted by technological innovations."

Here is Rivest describing the "man in the middle" who does two parties the favor of securing their communication.

> Charles' computer, for whatever reason, then adds "chaff" packets to the packet sequence from Alice to Bob. All of a sudden, Charles' activities provide a very high degree of confidentiality for the communications between Alice and Bob! Alice's and Bob's software have not been modified in the least to achieve this confidentiality! Charles does not know the secret authentication key used between Alice and Bob! Alice and Bob did not even want or care to have confidential communications! Charles is not using encryption and does not know any encryption key! Amazing!

Read Rivest's paper [2]. This is important.

[1] http://www.thur.de/ulf/stegano/
[2] http://theory.lcs.mit.edu/~rivest/chaffing.txt
________________

..Java in turmoil

  Microsoft, HP, and Sun itself deliver body blows to standardized Java

Sun's JavaOne conference runs in San Francisco this week, and the world of Java could hardly be more fragmented. Microsoft is causing some of the trouble, of course, announcing development tools that tie its version of the language ever more tightly to the Windows platform [3], [4] -- a strategy dubbed "Write Once, Run on Windows." (Don't need Java for that.) The Department of Justice is reportedly examining Microsoft's behavior in its Java dispute with Sun [5]. Microsoft also, as expected, refused to endorse the industry-wide Enterprise JavaBeans spec [6], a server-side object component model.
The more unexpected moves towards a balkanized Java came from HP and, mystifyingly, from Sun itself. When HP wanted a Java implementation that could work in consumer electronic devices such as PDAs and printers, it protested Sun's inflexible licensing terms and development policies. HP decided to roll its own [7], and is now marketing a clean-room implementation of the Java spec, which in deference to Sun's trademark will be termed "Java compliant," but not "Java compatible." Care to guess who was first in line to license HP's embeddable Java? Why Microsoft, of course, for use in its Windows CE machines (just say "Wince").

Finally, Sun itself has announced [8] Java extensions for 3D that will run on only a few platforms: its own Solaris, Irix, and Macintosh. The reason for the limitation is Sun's use of the OpenGL graphics library. VRML and 3D developers are puzzled; one said "If Microsoft pulled something like this [with Java], Sun would be screaming bloody murder." Sun argues that the rules covering the Java extensions, including 3D, are different than those for core Java. Technically true but politically dubious.

C|net has special coverage [9] of the chaos swirling around Java.

[3] http://www.news.com/News/Item/Textonly/0,25,19794,00.html?pfv
[4] http://www.news.com/News/Item/Textonly/0,25,19962,00.html?pfv
[5] http://www.news.com/News/Item/Textonly/0,25,20324,00.html?pfv
[6] http://www.techweb.com/news/story/TWB19980320S0012
[7] http://www.techweb.com/news/story/TWB19980320S0004
[8] http://www.news.com/News/Item/Textonly/0,25,20207,00.html?pfv
[9] http://www.news.com/News/Item/Textonly/0,25,20290,00.html?pfv
________________

..Intel's Merced locking out free OSs

  "I do not believe that FreeBSD or Linux or any other free operating system will be quickly ported to the Merced, if ever" -- a FreeBSD developer

On 3/9 Ralph Nader sent letters to six PC makers urging them to offer more operating-system choices [10]. Here is Compaq's letter [11].
Nader suggested that they offer hardware configurations pre-installed with Linux, BeOS, or Rhapsody, in addition to Windows. I haven't seen any reaction from the PC makers to Nader's request, but I would be amazed if any of them dared a move so inimical to Microsoft's interests.

Meanwhile Intel is busily rendering Nader's desire for OS choice more elusive in the future. Intel's 64-bit Merced chip, expected to be available in 1999, is a bandwagon everybody wants to jump onto [12]. Sun, HP, SCO, and DEC all aspire to the title of preeminent Unix implementation on Merced, in the process winning market share away from the common enemy, NT. Intel is allowing development on Merced only under non-disclosure agreement, which means that Linux and FreeBSD are excluded from the start. Further, Merced fits into the so-called PC98 architecture -- another name for the I2O bus [13] -- and the I2O spec is closed to non-members of an exclusive club. See this discussion thread [14] on the closed I2O spec, carried on slashdot.org last week.

[10] http://www.msnbc.com/news/151801.asp
[11] http://www.essential.org/antitrust/ms/compaq.html
[12] http://www.zdnet.com/zdnn/content/pcwo/0316/294991.html
[13] http://www.tbtf.com/archive/08-04-97.html#s04
[14] http://206.150.185.149/slashdot.cgi?mode=article&artnum=1009
________________

..Single point of failure

  Corrupted your NT registry? Slit your wrists now

Two recent articles posted on the Risks forum highlight single points of failure for NT networks. In the first instance a 12-hour outage cost a large manufacturing company $10M.

From Risks 19.60 [15]:

> The recent power fluctuations here in [placename] corrupted the NT registries in our [server-community-names]. As a result, our entire NT network (>10K machines) is down... Once the registries got corrupted, the databases of user signons went, too.
> And, of course, the tape backups won't load because NT requires a timestamp somewhere in the guts that the tape image doesn't match to the clock. So every NT server, and most NT workstations, won't do anything except local work... [To recover,] every desktop user will have to delete/disable their <user>.pwl file to be able to get back on the network, because that file hard-codes which domain server they are on. However, if they do that, they can then not get into any other service on their desktop for which they've stored the password, because they're all in that file.

From Risks 19.61 [16]:

> I got a mail bounce from a friend locally, so I called to find out what was up. Seems that, over the weekend, someone broke in and stole a computer. Turns out it was the MS Exchange server. For the whole company.

[15] http://catless.ncl.ac.uk/Risks/19.60.html
[16] http://catless.ncl.ac.uk/Risks/19.61.html
________________

..New sendmail will make spammers work harder

  Promiscuous relay is off by default, at last

The developer of sendmail, a piece of software that labors in obscurity to deliver most of the Net's mail, announced a new version with significant spam-fighting features and configuration changes. Eric Allman's sendmail 8.9 [17], now in beta testing, will make it easier to use the Realtime Blackhole List [18] to reject mail from known spammers, and by default it will require valid return addresses. Allman also launched Sendmail Inc. [19] to sell software and support services to businesses, while continuing to develop new features for the free version of the software.
[17] http://www.sendmail.com/8_9free.html
[18] http://www.tbtf.com/archive/01-12-98#s02
[19] http://www.sendmail.com/
________________

..Trelligram elegantly packs Webs to go

  You could send a Web to your grandmother

Trellix Corp., whose hypertext authoring tool was reviewed in TBTF for 7/21/97 [20], has come up with an arrestingly audacious solution to a problem most of us didn't know we had, yet. The Trelligram [21] technology provides a simple, compact, and above all sanitary way to package and to consume standard HTML Webs.

A Trelligram is a compact Win95/NT executable file that an author can attach to a mail message or send on a floppy disk. A recipient need only double-click on the Trelligram to launch its Web in a browser, unconcerned with plugins, helper applications, unzipping, extraction, or managing a nest of HTML and graphics files somewhere on the disk.

Trelligram achieves this magic by the brilliant, if twisted, expedient of packaging a compact HTTP server -- the Trelligram Delivery Service -- with each Web. (Its overhead is currently 89K, and should shrink considerably in future releases.) Trelligram is the brainchild of Buzz Kelley, Trellix's protean chief technologist and the father of this correspondent's goddaughter.

Who is the audience for this elegant, offbeat utility? Not writers comfortable with Web construction and possessed of access to a public Web server. In the past I've delivered reports in Web form by posting them to one of my sites (secured as necessary) and mailing the recipient a URL. Trelligram should appeal to the emerging mass of Netizens who use freely available tools, such as FrontPage and HotDog, to write for HTML delivery. The Trellix hypertext authoring product can now also produce Trelligrams directly, so Trellix users have a new avenue for distributing hypertexts to a wider audience. Newsletter authors can deliver rich HTML content, instead of boring old email (you listening, JOHO [22]?)
-- but unfortunately to a Windows-only audience.

Visit the Trelligram site [21] and download the Trelligram Creator tool (1391K), free during a beta period. Among its limitations:

- No file hierarchy is allowed; all files must reside in a single directory before feeding to Trelligram Creator. This restriction will almost certainly be lifted in a future release.

- Trelligrams can be created and read only on Windows 95 or NT.

- The Trelligram Delivery Service can't serve dynamic content: no CGI, Active Server Pages, database-driven content, etc. However, client-side scripting using JavaScript, and Java and ActiveX applets, works as expected.

[20] http://www.tbtf.com/archive/07-21-97.html#s04
[21] http://www.trelligram.com/
[22] http://www.hyperorg.com/
________________

..The emergent behavior of bugs

  Microsoft says this bug is no biggie. Begging to differ...

Lloyd Wood <http://www.ee.surrey.ac.uk/Personal/L.Wood/> loves to demonstrate emergent behavior in software -- the multiplying severity of conditions that may be relatively harmless in isolation. On this page [23] he combines the Getchell exploit [24] with the Intel "f00f" security hole [25] to crash your machine, if you are so rash as to visit running IE on Intel hardware.

[23] http://www.ee.surrey.ac.uk/Personal/L.Wood/IE4object/
[24] http://www.news.com/News/Item/Textonly/0,25,20159,00.html?pfv
[25] http://www.tbtf.com/archive/11-17-97.html#s03
________________

..A modest Macintosh survey

  Are TBTF readers more loyal to their Macs than industry averages?

TBTF for 2/9/98 [26] reported on new upcoming PowerBook models from Apple, and ventured a modest probe of the company's prospects:

> A survey: please send me a note if you presently use a Macintosh regularly. What is the probability that you will buy another MacOS system?

Before we get to the survey results, let's set a couple of items to rights.
First and most important, the new low-end PowerBook may not employ the much-admired G3 processor (a.k.a. PowerPC 750); instead, ogrady.com informs us [27], Main Street may use the PowerPC 740, which lacks a backside cache. Its performance would be dramatically lower than that of a G3.

Several readers wrote in with insights on pricing. One pointed out that the cost of a laptop is influenced far more by the quality of its screen than by its CPU (and that Main Street is rumored to feature a TFT screen -- bzzzt!). Another noted that $2000 Pentium machines with good specs are not hard to come by.

Now to the survey results. 102 active Macintosh users responded with what amounts to resounding good news for Apple. (I guesstimate from these returns that about 10% of TBTF readers are Macintosh users.) The probability that a Mac user from this population will ever buy another MacOS system is 87%. Sixty-three percent of respondents said it is a certainty that they will buy another. Many expected to buy two or more; a few who influence purchases where they work said they plan to buy a dozen or more. Overall, these 102 people expect to buy 124 Macs in the future.

Frankly, these numbers floored me. The most recent figures I've seen for Macintosh loyalty indicate that it moved from a low of 16% last July to over 50% in January. But 87%?

[26] http://www.tbtf.com/archive/02-09-98.html#s07
[27] http://ogrady.com/wallstreet.stm
________________

..Fifth Certicom challenge (ECCp-97) falls

  Harley and his brave band of Linux Alphas do it again

On 2/18 Robert Harley <[email protected]> announced [28] the defeat of the fifth in Certicom's series of crypto challenges. Harley's ever-growing team, now numbering 588, has been first to overcome each of the Certicom challenges broken to date. Harley figures that this crack was the fourth-largest distributed computation mounted to date.
[28] http://www.tbtf.com/resource/certicom5.html
________________

..Crypto policy

..US crypto fight's profile is rising

Earlier this month one hundred companies, associations, and non-profit organizations joined together to form a broad coalition called Americans for Computer Privacy. This group has serious money to spend on advertising and lobbying, and their aim is to defeat mandatory key escrow in the US and to get crypto export restrictions eased. Their Web site [29] is fairly uninteresting so far.

On the same day, Vice President Al Gore sent a letter to the Democratic leader in the Senate, urging him to work for compromise on the encryption question ("work together to find common ground"; a "balanced approach"). But any compromise, from the Administration's point of view, must include mandatory key recovery: "The Administration remains committed to finding ways to preserve the ability of the Nation's law enforcement community to access, under strictly defined legal procedures, the plain text of criminally related communications and stored information."

[29] http://www.computerprivacy.org/
________________

..DoJ won't seek mandatory back doors in domestic crypto -- yet

At a Senate hearing last week, a Justice Department official said that the department will not seek to mandate key recovery in domestic crypto products [30]. For now. This position contradicts a long and vigorous campaign led by the FBI to require government back doors. The administration position is that industry ought to provide key recovery features voluntarily. Industry reaction was lukewarm [31]. As Declan McCullagh reported it [32],

> Negotiations over how much privacy Americans are allowed to enjoy will continue for the next 60 days.
[30] http://www.techweb.com/news/story/TWB19980317S0024
[31] http://www.techweb.com/news/story/TWB19980319S0006
[32] http://cgi.pathfinder.com/netly/afternoon/0,1012,1832,00.html
________________

..Sun delaying shipment of Elvis+ strong crypto

Sun is delaying the shipment of a strong crypto product while the Commerce Department investigates, interminably. The workstation maker had arranged [33] what looked like a perfect end-run around US encryption export controls. Sun planned to market worldwide a strong-crypto package containing no US-written code. The strong crypto was produced entirely by Elvis+, a company made up of former Soviet Union space agency workers, in which Sun had invested. Sun claimed, with watertight assurance, that they had provided zero technical assistance to Elvis+, but the Commerce Department, which controls crypto exports from the US, elected to investigate that claim. Sun had legal advice that it was at liberty to ship the product (initially set for last August) but decided to wait in a show of good corporate citizenship. Now, according to the Wall Street Journal, the Sun executive who led the effort to market Elvis+ has resigned to start an Internet security company with two principals from Elvis+, taking with them much of the software development team.

[33] http://www.tbtf.com/archive/06-16-97.html#s01
________________

..But Network Associates goes around the rules

The company that bought PGP announced that its Dutch subsidiary is selling 128-bit PGP software worldwide [34]. The software was developed by the Swiss firm Cnlab Software from printed books containing the PGP source code. US crypto export regulations place no restrictions on printed material. Network Associates says they kept Commerce Department officials apprised of their plans over the last several months, but a Commerce spokesman claimed that they had seen only a press release a day before the strong crypto software went on sale.
[34] http://www.news.com/News/Item/Textonly/0,25,20286,00.html?pfv
________________

..Nommage

..French up in arms over proposed US hegemony

  They've coined a new word to describe domain-naming issues.

The French are lobbying hard within the EU for coordinated opposition to the Green Paper plan [35] for a US-based corporation to control global top-level domains. A technology advisor to the French government claims [36] that this position is supported by Spain and Italy, less so by Germany, and opposed by Britain and the Scandinavian countries. The head of the French branch of the Internet Society warned that unless the Americans make real concessions from the Green Paper positions a rival European-led internet could be established.

[35] http://www.tbtf.com/archive/02-02-98.html#s01
[36] http://www.techweb.com/wire/story/domnam/TWB19980310S0012
________________

..The price of .com is going down

The National Science Foundation announced [37] that on 4/1/98 NSI will stop collecting the $30 "tax" on new registrations that has been collected for an Internet Intellectual Infrastructure fund. This action follows a suggestion in the Green Paper on domain naming [35], even though that paper is a draft with no legal force. As of 4/1 registering a domain name with NSI will cost $70 instead of $100 for the first two years; annual renewals will go for $35 instead of $50.

[37] http://www.nsf.gov/od/lpa/news/press/pr9817.htm
________________

..AlterNIC's Kashpureff pleads guilty

Eugene Kashpureff, the domain name system hacker who successfully rerouted millions of Web users last year [38], pleaded guilty to federal charges of computer fraud on Thursday [39].
[38] http://www.tbtf.com/archive/07-21-97#s02
[39] http://www.techweb.com/news/story/TWB19980320S0014
________________

..A history of domain name developments

This investigative report [40] gives useful background to the politics of domain naming, back to the days when Network Solutions was a tiny, minority-owned business with little understanding of the ways of government contracting. The same will never be said of NSI's parent, Science Applications International Inc.

[40] http://www.NewHavenAdvocate.com/articles/raiders.html
________________________________________________________________________

N o t e s

> Greg Roelofs <[email protected]> writes to correct a bit of physics nomenclature that I had flung with abandon, and imprecision, in TBTF for 3/9/98. Turns out I stepped on a term from his dissertation.

    > The "C" in MACHO stands for "compact," not "cometary," and the halo in question is the galactic halo, not the Oort Cloud. The idea was that there could be a whole host of brown dwarfs (big Jupiters) orbiting galactic nuclei invisibly and creating that really big gravitational potential that keeps galactic rotation curves flat for insanely large radii.
________________________________________________________________________

S o u r c e s

> For a complete list of TBTF's (mostly email) sources, see http://www.tbtf.com/sources.html .
________________________________________________________________________

TBTF home and archive at http://www.tbtf.com/ . To subscribe send the message "subscribe" to [email protected]. TBTF is Copyright 1994-1998 by Keith Dawson, <[email protected]>. Commercial use prohibited. For non-commercial purposes please forward, post, and link as you see fit.
_______________________________________________
Keith Dawson [email protected]
Layer of ash separates morning and evening milk.
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.5

iQCVAwUBNRXyTGAMawgf2iXRAQEeagP9GRc5Va2I8nO/bBD3CgUi+AsHzGd+8SRj
+F7V7PEUmnlaDkwmvqPu8CQswinMZobZq6QaPX7GAHtMycHoIeqn89J9YW/B6VVI
j+yB6wS0tFz8O2rS2osSfNU44otBIqjfTpj6L/3eOMDNrZbcvcjt5DhxEDpqYf+r
uriFPPMqu9g=
=OtkD
-----END PGP SIGNATURE-----

[forwards avast...]

---
# distributed via nettime-l : no commercial use without permission
# <nettime> is a closed moderated mailinglist for net criticism,
# collaborative text filtering and cultural politics of the nets
# more info: [email protected] and "info nettime-l" in the msg body
# URL: http://www.desk.nl/~nettime/ contact: [email protected]
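
Added example for the "Confidentiality without encryption" item above (not part of the TBTF issue, the forward, or Rivest's paper): a sketch of chaffing and winnowing in which Alice only authenticates, Charles adds chaff without any key, and Bob winnows by checking MACs. The packet layout (serial number, one cleartext bit, HMAC-SHA256 tag), the function names and the sample message are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 tag size; chaff tags must be the same length


def tag(key: bytes, serial: int, bit: int) -> bytes:
    """Authenticate (serial, bit). This is a MAC, not encryption."""
    return hmac.new(key, f"{serial}:{bit}".encode(), hashlib.sha256).digest()


def alice_send(key: bytes, message: bytes) -> list:
    """Alice: one authenticated packet per message bit, bit sent in the clear."""
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    return [(n, b, tag(key, n, b)) for n, b in enumerate(bits)]


def charles_add_chaff(packets: list) -> list:
    """Charles: holds no key. For every packet he adds one carrying the
    opposite bit and a random (bogus) tag, in random order."""
    wire = []
    for serial, bit, mac in packets:
        pair = [(serial, bit, mac),
                (serial, 1 - bit, secrets.token_bytes(TAG_LEN))]
        if secrets.randbelow(2):
            pair.reverse()
        wire.extend(pair)
    return wire


def bob_winnow(key: bytes, wire: list) -> bytes:
    """Bob: keep packets whose tag verifies (wheat), drop the rest (chaff)."""
    wheat = {}
    for serial, bit, mac in wire:
        if hmac.compare_digest(mac, tag(key, serial, bit)):
            wheat[serial] = bit
    bits = [wheat[n] for n in sorted(wheat)]
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return bytes(out)


def eavesdropper_view(wire: list) -> dict:
    """Without the key, all an observer learns is which bit values were
    offered for each serial number."""
    view = {}
    for serial, bit, _ in wire:
        view.setdefault(serial, set()).add(bit)
    return view


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # shared by Alice and Bob only
    sent = alice_send(key, b"Hi Bob")      # constructed sample message
    wire = charles_add_chaff(sent)
    print(len(sent), "wheat packets,", len(wire), "on the wire")
    print("Bob recovers:", bob_winnow(key, wire))
    print("wrong key recovers:", bob_winnow(secrets.token_bytes(32), wire))
```

Every serial number on the wire offers both 0 and 1, so the confidentiality rests entirely on an observer being unable to tell a valid tag from a random one; a MAC whose output is distinguishable from random, or a chaff source that is predictable, would undo it.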