High court hears CDA arguments
Unknown crackers are broadcasting forged control messages, normally used in the routine maintenance of Usenet News, across the Internet in an apparently successful attempt to extract sensitive system information from thousands of news servers. For details and examples see this New York Times story ; it may not remain online as long as this coverage from PC Week . The attack targets InterNetNews, the software commonly used to manage the flow of Usenet news, and exploits a vulnerability that has been known -- and for which a fix has existed -- for a year and a half. One system administrator who accidentally sent a similar message while analyzing the attack received sensitive files from hundreds of systems around the world. The unknown perpetrators forged their messages so that they appeared to come from David Lawrence <newgroups-request at uunet dot uu dot net>, the moderator of news.announce.newgroups. The Times quotes Lawrence on the possible outcome of the attacks:
Microsoft sues a cracker
On Monday Microsoft filed suit  against Christopher Fazendin, a 23-year-old Minnesota resident who allegedly published a patch on his Web page that defeats the 90-day license timeout of a trial version of MS Office 97. The patch was so widely known and, presumably, widely downloaded that Microsoft went straight to court, skipping the usual courtesy of asking Fazendin to remove it from his page. Thanks to Dan Kohn <dan at teledesic dot com> for passing along this story.
This week's crop of Microsoft security holes
This is getting boring. If the user community keeps finding Microsoft security glitches at this rate TBTF may go to a scoreboard system. A system administrator at the University of Washington, Aaron Spangler <pokee at maxwell dot ee dot washington dot edu>, sent word of three new security problems in Microsoft software. They all allow an attacker easy ways to record the username and password of unsuspecting users. Spangler found and documented #4 , which is browser-independent (it fails using either Netscape Navigator or MSIE on Windows NT). Users in the U.K. and Israel discovered #5  and #6 , respectively. The Birnbaum exploit site  links an exhaustive and frequently updated compendium  of Windows NT security holes; at this writing 50 are listed, most with patches or workarounds.
|Bug||Found by||Date||W-95||W-NT||Attacker obtains:|
|#4 ||Aaron Spangler||3/14||no||yes||username, hashed password|
|#5 ||Paul Ashton||3/17||yes||no||username, hashed password, more|
|#6 ||Steve Birnbaum||3/15||no||yes||cleartext password|
Has strong crypto impeded law enforcement?
Law-enforcement types who argue for limits on encryption technology have been known to claim that crypto interferes with criminal investigations. To my knowledge no documented case of such interference has ever been offered. At the CFP'97 conference Declan McCullagh challenged the Justice Department's Michael Vatis point-blank to name one such instance, and Vatis could not. Now Dorothy Denning <denning at cs dot georgetown dot edu>, a consistent government ally in the crypto wars, and William E. Baugh, Jr. <william.e.baugh.jr at cpmx dot saic dot com> have put out a call  for hard data on the question.
Cryptographers find a flaw in digital cell-phone code
Bruce Schneier and three other researchers subjected the once-secret CMEA algorithm, a symmetric cypher with a 64-bit key length, to "simple cryptanalysis." They found a flaw in the algorithm that effectively reduces its key length to 24 or 32 bits; communications encrypted using CMEA (including numbers punched on digital phones, but not voice) can now be broken on a run-of-the-mill PC in seconds or minutes. Details of CMEA were supposed to be a closely guarded secret known only to a small circle of industry engineers, but technical documents were leaked late last year and showed up on the Internet. (A poster to the Cryptography list wrote: "Actually it's worse than that. The documents are available to anybody with $300. I got mine from Global Engineering Documents, then called TIA and asked politely for 'Appendix A'.") This tactic, which the security community scornfully labels "security through obscurity," is hit hard in the researchers' press release: "Our work shows clearly why you don't do this behind closed doors. [We're] angry at the cell phone industry because when they changed to the new technology, they had a chance to protect privacy and they failed." The researchers have posted an account  of the exploit, and also host a copy of the New York Times writeup  on the affair.
The Times article says that unnamed telecommunications officials fingered the NSA as a source of pressure to weaken the crypto. Yesterday the NSA's Clint Brooks <cbrooks at romulus dot ncsc dot mil> forwarded this official statement (which I saw on Declan McCullagh's FC mailing list):
A poster to the Cryptography mailing list paraphrased this disclaimer as: "NSA did not openly tell TIA not to use strong crypto in the digital phone standards, and wasn't directly involved in the decision about which uselessly weak cryptographic system in particular they should select."
Today Omnipoint  bought page A21 of the New York Times (paper edition) to deliver a "public-service message" to users of wireless phones that the Omnipoint system, based on GSM technology, is not vulnerable to the publicized attack. "Self-serving message" is more like it, though they do have a point: the researchers note  that their approach "affects both CDMA and TDMA cellular systems, but not GSM systems."
Do online payment systems foster money laundering?
The Wall Street Journal carried a story that the Financial Action Task Force, a Paris-based group of 26 countries fighting international money laundering, has released a report warning that new Internet payment systems could obviate conventional means of tracking suspect cash. Of particular concern were the "speed, security, and anonymity" achievable with such systems. Under U.S. law financial institutions must report suspicious activity, but it is far from clear whether the law covers Internet payment systems. The American Bankers Association is pushing for uniform regulations for both banks and e-money providers: "Bankers want to see some assurance that if we're told we have to do certain things that our other competitors do, too."
Financial Cryptography 97
These notes on FC'97  were written especially for TBTF by Wired magazine's correspondent Charles Platt. Also online is an account  of the gathering by Alex van Someren, who is a founder and managing director of nCipher Corporation Ltd. The piece has an endnote by Duncan Goldie-Scot, founder and publisher of Banking Technology and Online Finance.
Greg Roelofs <roelofs at prpa dot philips dot com> attended the Virtual Reality Markup Language symposium last month in Monterey, CA. He writes: "It was loads of fun, especially eating seafood while wandering around the Monterey Bay Aquarium." (Roelofs was raised in the middle of the continent where any seafood he saw, at best, had just gotten off an airplane; he lives on the west coast now.) His trip report  appears on the TBTF archive by special arrangement. Roelofs is one of the developers of the Portable Network Graphics spec. He notes, "Ironically, there's much better support for PNG in Web browsers than in VRML 2 browsers, despite its being a requirement for minimal VRML 2 conformance."
javElink aims to clue you as to when, whether, and how much the Web pages you care about have changed. You create a private, password-protected checklist of pages and folders of pages (which you can jump-start by uploading a Netscape bookmark file); javElink monitors each page and summarizes the changes to your personal checklist in a unique, flexible, and intuitive tabular / graphical format. You can find out what's changed, and the degree of change, from any Web browser at any time. You can group pages in folders and for each one javElink will accumulate the composite change score of the contained pages. The site requires no plugins, no Java or ActiveX (the name javElink derives from "javelin") -- it's all just HTML and CGI written in perl.
For now the service is free; soon a monthly charge will kick in. The current thinking is that a fee of $15 to monitor up to 50 Web pages will appeal to thousands of users with a serious need to keep on top of rapidly changing information -- lawyers, journalists, executives, developers, webmasters.
And there's a gimmie: if you use Netscape Navigator you can store your bookmarks for free on the javElink site, in a private area, and access them from anywhere. You don't have to pay for an account to take advantage of this convenience.
I talked to the javeLink creators, Julie Stock <jstock at ingetech dot com> and Gary Stock <gstock at ingetech dot com> of InGenius Technologies. They're old pros at the entrepeneurial game and seem to have put together a well thought-out, professionally run business. Their initial offering is quite impressive. Do give it a look.
The Department of Transportation hosts an Aircraft Situation Display page  that provides a near-realtime display of air traffic in and around the U.S. (Factoid: 61,000 people on average are airborn over the U.S. at any one time.) You can zoom in; you can color-code all the flights in the air approaching and/or departing any airport of interest; you can click on a single plane for its flight details. The site can be slow -- be thankful that air-traffic control isn't handled over the open Internet.
Despite the Clinton administration's comforting-sounding policies to keep hands off the Internet -- as enunciated at CFP'97 by keynote speaker Ira Magaziner, a senior advisor to the President -- the government continues to speak with many voices on Net issues. An example is the recent trial balloon floated by the National Science Foundation questioning whether the government should retake the domain-naming business when the current NSI contract expires next year. The question was broached in a confidential report to the NSF's oversight agency. The only online account I have found is this one at Network World's Fusion site  -- to view it you will have to sign up for a free account, a lengthy process, and request article #1032.
NSI registers its one-millionth domain name
Bonnyview.com was registered to the owners of the Bonny View Cottage Furniture company in Michigan, USA. A year ago there were 306,000 active domain names, 18 months ago only 120,000. Today NSI registers on average 3,000 new names a day. Herewith a compressed and selective history of domain names.
|01 Jan 85||com|| first day of domain registration
|| Mar 85||symbolics.com
|| first computer company domain
||24 Apr 85||cmu.edu
||24 Apr 85||bbn.com
||24 Apr 85||ucla.edu
||23 May 85||mit.edu
||10 Jul 85||mitre.org
||30 Sep 85||dec.com
|| first minicomputer company domain
||04 Oct 85||stanford.edu
||17 Jan 86||sri.com
||19 Mar 86||sun.com
||19 Mar 86||ibm.com
||25 Apr 86||att.com
||05 Nov 86||nsf.net
||19 Feb 87||apple.com
||14 May 87||cisco.com
||02 Jun 88||apollo.com
||26 Jul 90||interop.com
||26 Feb 91||atria.com
||02 May 91||microsoft.com
||10 Jan 94||infoseek.com
|| First commercial Internet search company
||01 Jun 94||mcom.com
|| "Mosaic Netscape Communications"
||15 Dec 94||netscape.com
||18 Jan 95||yahoo.com
||13 Apr 95||lycos.com
|| Apr 95|| toys-r-us sues rru.com over "roadkills-r-us"
||20 Apr 95||compaq.com
||05 Jun 95||impatiens.com
||15 Aug 95||buchanan96.org
|| "Satire Online"
||16 Aug 95||underarm.com
|| One of 44 registered to Procter & Gamble
||18 Sep 95|| InterNIC begins charging for registration
||23 Feb 96||tbtf.com
||24 Aug 96|| IANA issues plan for new top-level domains
||22 Oct 96|| ISOC sidelines IANA plan, announces IAHC
||01 Nov 96||m1crosoft.com
|| note numeral one in place of letter i
||02 Nov 96||micr0soft.com
|| note numeral zero in place of first letter o
||12 Nov 96|| Int'l Ad Hoc Committee members named
||22 Dec 96|| IAHC plan published
||11 Jan 97|| IAHC plan drawing fire
||25 Feb 97|| IANA, IAHC sued by ".web"
||04 Mar 97|| eDNS proposes takeover of namespace
Elements 104 to 109
News has come to Harvard  of six new elements, recently endowed with their official names.
The names of elements 104-109 have finally been accepted by
nuclear scientists and certified by the International Union
of Pure and Applied Chemistry. The delay over the names was
caused partly by rival claims to priority; the pertinent
experiments rendered mere handfuls of atoms. Physics and
chemistry students worldwide will now have to memorize the
following additions to the Periodic Table:
Rutherfordium Rf 104 Dubnium Db 105 Seaborgium Sg 106 Bohrium Bh 107 Hassium Hs 108 Meitnerium Mt 109
E.Commerce Today -- this commercial publication provided background information for some of the pieces in this issue of TBTF. For complete subscription details see <../resource/E.CT.txt>.
FC -- mail email@example.com without subject and with message: subscribe . Web home at <http://www.eff.org/~declan/fc/>.
Cryptography -- mail firstname.lastname@example.org without subject and with message: subscribe cryptography [ email@example.com ] .
AIP Physics Update -- mail firstname.lastname@example.org without subject and with message "add physnews" . Searchable archive at <http://newton.ex.ac.uk/aip/>.
TBTF home and archive at <http://www.tbtf.com/>. To subscribe send the message "subscribe" to email@example.com. TBTF is Copyright 1994-1997 by Keith Dawson, <dawson dot tbtf at gmail dot com>. Com- mercial use prohibited. For non-commercial purposes please forward, post, and link as you see fit. _______________________________________________ Keith Dawson dawson dot tbtf at gmail dot com Layer of ash separates morning and evening milk.
Most recently updated 2000-10-21