The law firm of Fenwick & West LLP organized this forum, which should be the first of many if I'm any judge. Your humble correspondent was present today, in "business casual" attire as requested in the invitation, in the company of scores of lawyers who don't know the meaning of the term. The breaking news:

The 10-member international task force [1], [2] that will hammer out issues of domain-name contention has been named. Its members include two participants in the Symposium, Sally Abel of Fenwick & West and David Crocker of the Internet Mail Consortium and Brandenburg Consulting. The full roster, along with the Internet Society press release announcing the appointments, is here [3].

[1] <http://www.tbtf.com/archive/1996-10-31.html>
[2] <http://www.tbtf.com/archive/1996-08-25.html>
[3] <http://www.isoc.org/whatsnew/iahcmembers.html>

Services are becoming available that will allow you to dial a local ISP wherever you travel and connect transparently to your home ISP as if you'd never left home. One new company dedicated to this business is the i-Pass Alliance [4], which acts as a broker and a back-end settlement service for billing roamer access; another offering a similar service is AimQuest [5]. When an ISP signs up with i-Pass it sets up a four-way winning scenario: its own roaming customer gets a valuable service for a fee, and the local ISP, remote ISP, and i-Pass all share in the revenue. The i-Pass sytem has been in field trials since June and is now available. Some 20 ISPs worldwide have been participating in the trials, including UUNet and BBN; also notable is Scitor ITS, which has points-of-presence in 150 countries. (Eleven companies have announced their involvement with the i-Pass Alliance [6].) i-Pass's settlement servers are distributed and redundant, with automatic failover, and each connects to the Internet over multiple channels. If you would like to be able to access your normal Internet provider from Timbuktu by dialing a local number, have your ISP look at i-Pass and AimQuest.

[4] <http://www.ipass.com/>
[5] <http://www.aimquest.com/>
[6] <http://www.ipass.com/ispmembers.html>

In September researchers at Princeton University and Bellcore announced a new technique [7], differential fault analysis, for extracting secret keys from devices such as smart cards that encrypt using RSA-like public-key schemes. Soon others including Adi Shamir (the "S" in RSA) had extended DFA to attack secret-key systems such as DES [8]. By the end of the month Shamir and coworkers had found a way to apply DFA to cryptosystems of completely unknown design, such as the Skipjack system developed by the NSA. The DFA technique involves damaging an encrypting device in a controlled way and watching what kinds of mistakes it makes. The damage could be caused by microwave heating or UV radiation, for example. This news does not mean that RSA or DES are useless as encryption techniques. It does mean that cryptosystems designed around them must be strenghened with DFA in mind. Which all goes to bolster the point stressed by Bruce Schneier in a draft essay recently circulated titled "Why Cryptogaphy is Harder Than it Looks": we can have no confidence in the security of any cryptosystem until it has been subjected to lengthy and detailed scrutiny by experts. Thanks to Monty Solomon <monty at roscom dot com> for sending a steady stream of updates on DFA.

[7] <http://www.bellcore.com/SMART/secwp.html>
[8] <http://jya.com/dfa.htm>

Any machine running Windows 95 or Windows NT, or any machine at all that runs a small piece of publicly available code, can cause targeted devices anywhere on its connected net -- including the Internet -- to hang or crash. The mechanism is a ubiquitous, and usually innocuous, network service called "ping": it takes its name from what submariners do to probe their surroundings. A system that receives a ping over the network sends a response that means, "Yes, I'm alive." The normal size of a ping data packet is 50 to 60 bytes. Many systems don't respond well to receiving an extremely large ping packet, say 64K bytes. Vulnerable systems include Unix, Macintosh, and Windows computers as well as various printers, routers, bridges, and X terminals. Read full details on the Ping o' Death page [9], maintained by Mike Bremford <Mike.Bremford at bl dot uk>. No ironclad defense exists. Firewalls can be programmed to block ping packets to protect systems inside their perimeters, but doing so would cause some software that relies on ping to fail. A promising variant on this approach is to block only "fragmented" ping requests -- ones that have been broken up to travel over a network, as the dangerous 64K pings would be. I'm afraid the only real solution will come as manufacturers one by one implement fixes in their operating-system and network software, and the owners of vulnerable connected machines install upgrades -- a process that is bound to stretch out over months and years. Nick Brown <Nick.Brown at dct dot coe dot fr> brought this problem to the attention of Risks readers.

[9] <http://www.sophist.demon.co.uk/ping/>

Researchers at the San Diego Supercomputer Center announced that they have seen instances of a kind of attack on Unix security first described early in 1995. At that time a CERT advisory was issued (see [10] for the updated version) and many vendors issued patches to fix the vulnerability in their systems. It now develops that the "rpc.statd" attack can have consequences more severe than first imagined, and that such attacks have occurred on the Internet. See [11] for the SDSC's expansion on the CERT advisory. Thanks to Dan Kohn <dan at teledesic dot com> for tipping this story.

[10] <ftp://ftp.cert.org/pub/cert_advisories/CA-96.09.rpc.statd> CERT
[11] <http://www.sdsc.edu/Security/public_bulletins/96.03.rpc.statd>

Java is taking the world of Net application development by storm, but let's not forget that it is a young language that hasn't had the seasoning of a C, C++, or Perl. TechWeb reports in an exclusive story [12] that a major Web-site development effort has encountered bugs in the current version (1.0.2) of the Java Virtual machine that cause applications to break down under load. JavaSoft engineers have acknowledged problems in thread scheduling and memory management and say they are fixed in version 1.1 of the JVM, which will not be widely available until Q1 of 1997.

[12] <http://www.techweb.com/wire/news/1109bug.html>

TBTF for 1996-10-20 [13]

On November 6 Microsoft made good on its promise to deliver the Internet Explorer 3.0 browser cross-platform: it introduced the first beta for Macintosh. Download the PowerPC version from [14]. (Microsoft had announced Mac support for the ActiveX SDK on 10/17 [15].) IE 3.0b1 supports Java, but the release notes tell us not to expect much stability until the next beta, because Apple's Java Virtual Machine is itself in beta. Marimba's site [16] offers the following backhanded comment about Apple's JVM. (At the next IE beta users will be able to choose the Metrowerks JVM, which is said to be considerably more stable.)

> Bongo runs on Windows NT, Windows 95, and Solaris... Other platforms
> may be supported in future releases... A Macintosh version will be
> available as soon as there is a stable Java Virtual Machine for the
> Macintosh.

The Microsoft browser runs in a svelte 4 MB on a PowerPC Mac, compared to 9 MB for Netscape Navigator 3.0. To be fair the latter includes Mail and News modules. I don't use these but Netscape doesn't give me the option not to load them. Adding Mail and News to IE brings the required memory to 6 MB. The browser seems fast, goes out of its way for compatibility with Netscape's, and has some nice interface touches. I especially like the cross-session history of visited sites, which has the same interface as that used for bookmarks (called "favorites" in IE). IE does not do frames but does do cascading style sheets.

I make no secret of rooting for Apple, whatever Be-comes of its OS [17], [18]. But give Bill Gates his due [19], Internet Explorer for the Mac is a middling good piece of code. I keep it on my desktop along with Navigator 2.02 and 3.0 Gold and I use them all at need. Even in the first beta IE is reasonably stable -- it's crashed my machine only three times in the last seven hours, a record I doubt could have been matched with any beta of any version of Navigator.

Browser war update: three weeks ago the battle looked worse for Netscape than it does today (see TBTF for 1996-10-20 [13]). By Interse's measurement [20], in the month of October Navigator gained 9 percentage points at IE's expense, reversing a trend established last May. Still, one sees an increasing number of sites [21] marked "Best viewed with {Netscape Navigator 3.0 button} {Microsoft Internet Explorer 3.0 button} Download today!"

[13] <http://www.tbtf.com/archive/1996-10-20.html>
[14] <http://www.microsoft.com/msdownload/ie/11002.htm>
[15] <http://www.microsoft.com/corpinfo/press/1996/Oct96/macpr.htm>
[16] <http://www.marimba.com/products/bongo.html>
[17] <http://www.macweek.com/mw_1043/news_be_think.html>
[18] <http://www.be.com/>
[19] <http://www.theonion.com/onion2924/text2924/billgates.html>
[20] <http://www.interse.com/webtrends/>
[21] <http://www.techweb.com/>

Hungry for daily news about the Web? Bite into the meaty Newslinx [22] for a concise, bulleted summary of current news items, hand-selected by someone with evident discernment. Now cleanse your palette on a calorie-free exercise in pure gonzo Zen Web emptiness [23]. For desert, a dense fudge brownie -- Hotsheet [24] is a single-page launch pad for four hundred or so popular destinations. Full yet?

[22] <http://www.newslinx.com/>
[23] <http://www.beepcom.net/deborah/>
[24] <http://www.hotsheet.com/>

TBTF for 1995-10-15 [25]

From time to time I like to revisit the fearless predictions made in these pages. Reality usually takes place at some angle to the prediction; such is the lot of prognosticators. A year ago [25] TBTF made so bold as to advise the creator of the Internet Index. (Mr. Treese did not reply.)

> Win Treese at Open Market publishes the Internet Index on no fixed
> schedule. See [26] for past issues and source citations.
>
> > Percentage of advertisements containing URLs, in the first 18 pages
> > of the September, 1995, issue of Scientific American: 50
> > Percentage of advertisements containing toll-free telephone numbers,
> > in [the same issue]: 90
> >
> > Number of subscribers to Internet World magazine: 208,000
> > Number of subscribers to Cosmopolitan: 2.3 million
> ...
> Perhaps next time Mr. Treese will count the URLs in Cosmo ads. When
> that index rises above 50% we'll know the era of online commerce is
> at hand.

Well, the Cosmo Girl site has gone live; are we having online commerce yet?

> New York, NY (November 6, 1996) -- Cosmopolitan launches new Web site
> [27] with "your weekly bedside astrologer," Cosmo quizzes, expanded
> bachelor of the month, beauty giveaways and more!

A consistent trend in Web demographics since the earliest measurements has been the growing proportion of women (and girls) online. Hungry advertisers and Web merchants are increasingly targeting female Netizens. One result is a flurry of fashion-related pages, such as the award-winning Fashion Internet site [28]. Windows Magazine said in naming it Best Overall Page, "Fashion Internet proves that a Web site can never be too rich or too thin." (Pity they don't credit TBTF for the lips.)

[25] <http://www.tbtf.com/archive/1995-10-15.html>
[26] <http://www.openmarket.com/intindex/>
[27] <http://www.cosmomag.com/>
[28] <http://www.finy.com/>

Let's play Next Big Thing. Had you been a venture capitalist or an angel, where would you have placed your bets as the Internet phenomenon gathered itself to explode around you? My reading is that the bets were placed in roughly this order, starting in (say) 1993:

1. infrastructure
   • wiring, plumbing (e.g. Cascade, Cisco)
   • ISPs (PSI, Netcom)
2. browsers (Netscape, Spry)
3. search engines (Lycos, Yahoo, Excite)
4. metrics (I/Pro, Interse, net.Genesis)
5. content (c|net, Yahoo, Excite)
6. locality (boston.com, CitySearch / Sidewalk)

What's next? The Red Herring in their December 1996 (sic) issue bets on Web development tools (HAHT, Rogue Wave, Wallop, NetObjects). Maybe for the little-i intranet, but for the Big-I I'd say watch the trend towards personalization. This concept when applied to manufacturing has been called "mass customization" -- a newspaper published for a readership of one. You can experience something close at My Yahoo [29]. After you personalize your site, you return there at <http://my.yahoo.com/>, with a username and password, for the news topics, weather cities, stock quotes, and sports scores you have chosen to see, all up to date. Firefly [30] takes another approach to personalization -- agents that you train. The Red Herring profiles Firefly CEO Pattie Maes [31], who emerged from the MIT Media Lab to form Agents, Inc. in 1995, which changed its name to Firefly when its Web site garnered stronger name recognition than the parent company. (In this Firefly follows the example of Mosaic Netscape and Architext.) Firefly's current incarnation -- agents as builders of community -- is a technology demonstration in which you tell an agent what you like in the way of music and movies. The agent recommends other things you might like, based on what people who like what you like, like. (Got it?) Red Herring says "It's an interesting site, but to recognize in it the grander applications of Firefly's technology requires a sympathetic imagination." Five hundred thousand people have signed up on the Firefly network since the spring.

[29] <http://local.yahoo.com>
[30] <http://www.firefly.com/>
[31] <http://www.herring.com/mag/issue37/light.html>

I've joined a new mailing list called dreamwave (see Sources below), on which one receives early notice of promising Web sites and other bleeding-edge stuff. Recently the list has hosted a discussion of the relative merits of search engines new and old, meta-search sites, etc. The list pointed me to EuroSearch [32], which can filter returned sites by language (it knows 23 of them). Recently Charles Seiter of Macworld Online reviewed a number of search engines [33] and fingered Infoseek's Ultraseek [34] as the most accurate and up-to-date of the lot. Just this afternoon the dreamwave list brought word of a new, experimental, semi-parallel, multi-engine search site called Arfie [35] that takes a boolean, parenthesized search string and submits it to multiple engines, feeding each one the format it wants. This is somewhat like SavvySearch [36], [37] (whose interface now speaks, coincidentally, 23 languages), but Arfie is more general. As a test I tried to find a Web instance of The History of the Net [38], a fable possibly written by Andrew Bennett of MIT's Department of Ocean Engineering. I submitted to Arfie a syntax like "phrase 1" and "phrase 2" and "phrase 3," choosing phrases from the text for their unusualness. Here are the results from 13 search engines. For this kind of search HotBot [39] emerges a sure winner.

[32] <http://euroseek.freeside.net/(uk)/index.shtml>
[33] <http://www.macworld.com/pages/december.96/Column.2893.html>
[34] <http://ultra.infoseek.com/>
[35] <http://www.dogpile.com/>
[36] <http://www.tbtf.com/archive/1995-11-29.html>
[37] <http://guaraldi.cs.colostate.edu:2000/form/>
[38] <http://naftalab.bus.utexas.edu/~chandler/humor/genesis.net.txt>
[39] <http://www.hotbot.com/>