How your keystrokes could be captured cheaply, and how you can prevent it
Microsoft recently gave $20 million to Cambridge University. As it turns out the gift was accompanied by a request for research into technologies that could help Microsoft combat software piracy. The computer scientist who ended up handling this problem, Ross Anderson, is well known for his work on privacy issues. This apparent cognitive dissonance was questioned on a privacy mailing list after the Washington Post carried a story  about Anderson's project, called Soft Tempest. Anderson responded that the Post had gotten it mostly wrong and asked list members to read his paper  and make up their own minds. (Note -- this document requires Acrobat Reader 3.0 -- to my 2.0 reader it looked encrypted. Clever, that.)
Tempest is the term for the classified techniques used by military and intelligence agencies to recover information from the incidental electromagnetic radiation emitted by computer components, especially VDTs. The term also applies to the problems of shielding one's own computers so that their radiation can't be intercepted and mined. Little open research has been published about this technology, but it's been generally assumed that to read at a distance what someone types on a computer would require a van-load of very expensive equipment. Anderson's Soft Tempest demonstrates ways to steal information off computer screens for an investment closer to $100 than to $100,000. Further, the research points to methods software manufacturers could use to monitor software piracy from a van driving down the street -- effectively causing your screen to broadcast the serial numbers of installed software programs. (Microsoft professed no interest in pursuing this technique.) Finally, Soft Tempest invented a novel method of obfuscating screen radiation without expensive shielding. The solution lies in specially designed screen fonts.
Free software becomes open source software as the movement goes mainstream
On 2/4 Eric Raymond met with people from Netscape at their invitation. Raymond is the author of the Cathedral and Bazaar paper  that Netscape credits as influential in its decision to give away the source code for Communicator. On 2/4 Raymond spoke at a meeting of the Silicon Valley Linux Group. Here is some of what he said, as captured by Stig <stig at hackvan dot com>:
Of the source release, he said "they really mean it." Sometime between a week from now and the end of March, Netscape will post a prototype of license terms on the Net to invite public comment. He said that several alternatives were being considered but that all of them met the "free software criteria" of the Debian Project . It was suggested that special accommodations for linking against Sun's JDK might be made, which would be a weakening of the normally-viral properties of GPL-style licences.
Other ideas being considered at Netscape were said to include:
The company backs away from its accessibility interface just as the blindness community was beginning to embrace it
The World Wide Web Consortium has released the first installment in its Web Accessibility Initiative , a draft guideline  for making Web pages accessible to blind readers. The guideline is based on the use of HTML 4.0 and cascading style sheets.
These developments contrast with the controversy surrounding Microsoft's Active Accessibility architecture. MSAA specifies rules that Windows application vendors can follow to make sure their screen displays are available to 3rd-party screen readers. The blindness community had been slow to embrace this Microsoft approach but was moving towards acceptance when a series of postings called into question Microsoft's commitment to MSAA. The questions arose not in regard to Web technology but rather to Microsoft Office.
Curtis Chong, technology director for the National Federation of the Blind, opened up the debate when he posted comments he had received from Steven Sinofsky, general manager of the office products unit at Microsoft. Chong's original posting is archived, with commentary, on the NFB site . Sinofsky's comments indicated that the group developing Microsoft Office was not eager to rely solely on Active Accessibility to pass information to screen-access software used by the blind. Instead the group wanted vendors of this software to use the object models that were already in place in the Office products.
A lone inventor sues Microsoft, but his claims look beatable
One Martin Reiffin has asserted two recently issued patents (Nos. 5,694,603 and 5,694,604) against Microsoft . Reiffin filed the patents in September 1982 and they finally issued, after three appeals, in December 1997. Can you say submarine? Correspondents on Greg Aharonian's Internet Patent News Service (see TBTF Sources ) opine that multithreading was not exactly novel in 1982. One writes:
Come on, you know you're going to have to come to grips with XML
Last week Tim Berners-Lee made it official -- XML is a W3C standard . If you keep your ear to the Net's railroad track you will have heard many experts predicting that Extensible Markup Language will be a Big Thing. Why is that exactly? The XML tutorials I've been reading (for example ) don't go much beyond describing XML as a meta-markup language. On a private mailing list Gregory Alan Bolcer <gbolcer at gambetta dot ics dot uci dot edu>, a UC Irvine grad student, posted the following pithy summary of what an XML document has in common with an object in a distributed object model.
Also imagine you have behaviors (methods). These methods aren't physically co-located and in fact are little snippets of code located elsewhere on the network. This distributed method inheritance is shared with even fewer object models. These behavior snippets can be applets written in Java, Python, Tcl, Ada95, Perl, whatever. They include an XML parser (or not) and have the ability to query and change values in the state -- the XML document -- easily and directly.
Also imagine you have communication restrictions on this document, again very lightweight: filtering domains, requiring permissions, etc. Imagine you can restrict the behaviors you want to by digitally signing these behavior snippets. This capability is embodied by most object models in public, private, and protected methods, but now you have a much finer granularity of how you can control the methods than is offered by just these three classical method types.
Also imagine these behavior snippets, being all distributed, heteregenous (that means cross-language and -platform mostly), tightly controlled but more loosely typed depending upon the enforcement, are sometimes competing with one another. They allow query, locking, renaming, versioning, instancing -- so that concurrency happens at a finer level of abstraction than in the object encapsulations, allowing a type of re-entrancy and multithreading. Sort of like a threaded, persistent object built on top of a lightweight database. Even fewer object models and their implementation languages have persistence and threading built into them.
Imagine having a wide-area event mechanism that allows you to select portions of your state that are relevant to an appropriate task, download it, execute the behavior, and then resynchronize with the original state. The only object model I know that's getting close is Informix Datablades.
Now, here's the kicker: Imagine you have the ability to declare variables dynamically, to declare methods, to version and transistion state, to transport, cache, replicate, broadcast it all over the place to make it mobile and ubiquitious, but be able to utilize a naming and routing scheme such that you always know exactly where it is and how to get to it.
On one end of the spectrum you can do enforcement such that it has all the properties of a C++/CORBA/database program; on the other the possibilites are wide open depending on how you want to enforce the data consistency, access, state tracking, location, whatever.
Lessons we learned from Microsoft: define it and name it to own it
Miora Security Consultants  has come up with a novel way to extract value from a security vulnerability: define it, solve it, name it, and own it. They have invested their own time and expertise researching the dangers of hidden form fields -- not exactly news to Web designers alert to security concerns -- and are well on their way to claiming ownership of this topic. They've named the problem and the solution with their corporate brand as the MSC HFF vulnerability. (I guess that would be pronounced mischief.) Miora gives away white papers detailing the problem and the low-impact solution they have devised, but you have to register on their site to download them. News.com  and the NY Times  covered the story as if it were security news and not a press release.
Whatis.com offers definitions and more with style and grace
Net terminology evolving too fast for you? New to the Net and not a techie? Visit Whatis.com  for pithy definitions of all those terms you've wondered about. The site is speedy and the definitions are extensively cross-linked so it's easy to spend time exploring. (The definitions are served up with a lightweight ad -- you may see one for a familiar site there -- and a cookie .) The site is a labor of love built and meticulously grown by career tech writer Lowell Thing. Whatis.com has won awards and garnered press coverage; it's listed on the user-rated Web 100 , where it is currently number 9. Alexa ranks Whatis.com in the top 10,000 sites for traffic  -- on this scale TBTF barely registers . Whatis.com is evolving into a destination for Net information of any stripe. Give it a bookmark.
This organization wants to build a clock for the ages
The Long Now Foundation  held a conference last week called Time and Bits: Managing Digital Continuity . For some time historians and archivists have been worrying about the impermanence of digital media (see TBTF for 1995-07-23  and the January 1995 Scientific American, not online), in contrast to the longevity of paper and stone. Here's how the problem was stated by Danny Hillis, one of the founders of The Long Now Foundation:
Mix financial cryptography with a total solar eclipse for a potent brew
Next week FC98 , the second conference on financial cryptography, kicks off in Anguilla, BWI. The conference happens to intersect in time and place with a total solar eclipse , : on February 26 the path of totality will sweep across the Caribbean from South America. Since Anguilla is only a few miles outside the path, the conference organizers have planned an all-day outing by catamaran on eclipse day, all attendees invited. One of the attendees dubbed it the Ecliptical Curve Cruise and the name has stuck. Arrangements have been refined on the FC98 mailing list. On 2/13 one anonymous attendee-to-be posted this worried note:
Maybe I'll hang out back at the hotel.
A maze of twisty little items, all different
Fourth Certicom challenge (ECC2-89) falls
On 2/7 Robery Harley <Robert.Harley at inria dot fr> announced  the defeat of the fourth in Certicom's series of crypto challenges. Harley's ever-growing team, now numbering over 66, has been first to overcome each of the Certicom challenges broken to date. I asked Harley whether any other teams were even working on the problem, and he replied, "Yes, but their code sucks."
Flaws in a Net Wizards survey
Dr. Anton Nossik, editor of the Russian-language Evening Internet Daily, sends this note  on the Network Wizards January Internet Domain Survey , just published. This survey attempts to discover all extant Intetnet hosts by looking at which IP addresses have been assigned. Dr. Nossik points out that the counts and growth rates in this survey for both Russia and Israel are far below the figures obtained by other methods.
Ad filtering software catching on?
Solid Oak, a success story in the censorware space, announced  the addition of a banner-ad blocking feature to their CyberSitter product. They say customers were asking for the feature. The ad-blocking front has been relatively quiet since its first proponent, PrivNet , was bought by PGP  and their ad-filtering technology shelved.
A faster l0phtcrack
L0pht Heavy Industries has released a 2.0 version of its l0phtcrack  NT password cracker as $50 shareware. The hacker collective claims to be able to decypher an NT password in a week of background computation on a Pentium 200; cracking hundreds or thousands of passwords from the same registry costs little more. The program can get results so quickly because Microsoft is forced to water down NT's security protection for compatibility with Windows 95's weaker LANMAN passwords . L0phtcrack is widely used by system administrators and security consultants to audit password security.
TBTF home and archive at http://www.tbtf.com/ . To subscribe send the message "subscribe" to firstname.lastname@example.org. TBTF is Copyright 1994-1998 by Keith Dawson, <dawson dot tbtf at gmail dot com>. Com- mercial use prohibited. For non-commercial purposes please forward, post, and link as you see fit. _______________________________________________ Keith Dawson dawson dot tbtf at gmail dot com Layer of ash separates morning and evening milk.