TBTF for 1997-03-21: News has come to Harvard
Keith Dawson (dawson dot tbtf at gmail dot com)
Sun, 9 Mar 1997 18:02:04 -0500
Contents
- High court hears CDA arguments
--
Justices like the idea of protecting kids, but not of
criminalizing them
- Three security bulletins
--
Usenet servers under attack; Microsoft sues a cracker;
This week's crop of Microsoft security holes
- Three horsemen
--
Has strong crypto impeded law enforcement? Cryptographers find a flaw in
digital cell-phone code; Do online payment systems foster money laundering?
- Two conferences
--
Financial Cryptography 97; VRML 97
|
|
 |
The Communications Decency Act
See also TBTF for
1999-02-01,
1998-12-15,
12-07,
10-27,
10-19,
10-12,
09-14,
07-27,
1997-11-17,
06-30,
03-21,
more...
|
High court hears CDA arguments
Three security bulletins
Usenet servers under attack
Unknown crackers are broadcasting forged control messages, normally
used in the routine maintenance of Usenet News, across the Internet
in an apparently successful attempt to extract sensitive system
information from thousands of news servers. For details and examples
see this New York Times story
[5];
it may not remain online as long as this coverage from PC Week
[6].
The attack targets InterNetNews,
the software commonly used to manage the flow of Usenet news, and
exploits a vulnerability that has been known -- and for which a fix
has existed -- for a year and a half. One system administrator who
accidentally sent a similar message while analyzing the attack
received sensitive files from hundreds of systems around the world.
The unknown perpetrators forged their messages so that they appeared
to come from David Lawrence <newgroups-request at uunet dot uu dot net>, the
moderator of news.announce.newgroups. The Times quotes Lawrence on
the possible outcome of the attacks:
This attack could [open] a previously inaccessible site for
shell access. The cracker would have the name of the site,
user names, and possible broken passwords for those sites.
Thanks to Monty Solomon < monty at roscom dot com> for quick notice on this
worrying development.
[5] <http://www.nytimes.com/library/cyber/week/031897news.html>
[6] <http://www.pcweek.com/news/0317/17mhack.html>
Microsoft sues a cracker
On Monday Microsoft filed suit
[7]
against Christopher Fazendin, a
23-year-old Minnesota resident who allegedly published a patch on
his Web page that defeats the 90-day license timeout of a trial
version of MS Office 97. The patch was so widely known and, presumably,
widely downloaded that Microsoft went straight to court, skipping the
usual courtesy of asking Fazendin to remove it from his page. Thanks
to Dan Kohn <dan at teledesic dot com> for passing along this story.
[7] <http://www5.zdnet.com/zdnn/content/pcwo/0318/pcwo0011.html>
This week's crop of Microsoft security holes
Note added 1997-06-06: See this
table
for a summary of all Microsoft security exploits covered by TBTF in 1997.
|
|
Microsoft security bugs and exploits
See also TBTF for
1999-08-30,
1998-02-02,
01-26,
01-19,
1997-11-17,
11-10,
10-20,
08-11,
06-23,
05-22,
05-08,
more...
|
This is getting boring. If the user community keeps finding
Microsoft security glitches at this rate TBTF may go to a scoreboard
system. A system administrator at the University of Washington, Aaron Spangler
<pokee at maxwell dot ee dot washington dot edu>, sent word of three new security
problems in Microsoft software. They all allow an attacker easy ways
to record the username and password of unsuspecting users. Spangler
found and documented #4 [9],
which is browser-independent (it fails using either Netscape Navigator or MSIE on Windows NT).
Users in the U.K. and Israel discovered
#5 [10] and
#6 [11], respectively.
The Birnbaum exploit site
[11] links an exhaustive and frequently
updated compendium
[12] of Windows NT security holes;
at this writing 50 are listed, most with patches or workarounds.
Note added 1997-03-22: Make that
four. A user in Singapore, Tea Vui Huang,
has posted a
page demonstrating
how a site can disable Internet Explorer's built-in security. I'm calling this bug #7.
As of this writing (12:52 EST on 3/22), Microsoft has announced
[12b]
that they are working on a fix for #4, and have not publicly acknowledged #5, #6, or
#7.
Note added 1997-03-25: Microsoft has made available a full point release of MSIE,
3.02,
that addresses the first three security holes reported. There is still no apparent
acknowledgement of the problems #5 - #7 listed above. Previously the company had posted
a patch to address #1 - #3 but apparently decided stronger measures were called
for, to judge by the open letter
[12c]
to the Internet community from Microsoft Senior VP Brad Silverberg. In my reading the
company blows away much of the credibility and trust it is trying to establish with
the following bullet item near the bottom of the letter. In what way does opening a
hole in the Java sandbox enhance security?
- "...we are enhancing the Java security model to
allow capabilities-based access to services outside of the 'sandbox' (which prevents a
Java applet from accessing a computer or network's resources). This capability will be
featured in Internet Explorer 4.0."
Note added 1997-03-26: I sent a copy of the above text to
secure@microsoft.com, not expecting a reply, and got a detailed answer
the next morning. Microsoft has
acknowledged bugs #4, #5, and #6 on their Web site and has developed a
fix (to the
SMB protocol) and released it to industry security experts for review.
Microsoft claims that bug #7 is not a security issue, and after closer
examination I have to agree: Internet Explorer asks the user who has followed
a link to a .reg file whether s/he wants to save the file to disk (the default
choice) or to run it. Consequently I have removed #7 from the table above.
[9] <http://www.ee.washington.edu/computing/iebug/>
[10] <http://www.efsl.com/security/ntie/>
[11] <http://www.security.org.il/msnetbreak/>
[12] <http://www.ntsecurity.net/security/exploits.htm>
[12a] <http://www.scv.com.sg/~entea/security/reggap.htm>
[12b] <http://www.microsoft.com/ntserver/info/ntsecurity.htm>
[12c] <http://home.microsoft.com/reading/security.asp>
Three horsemen
Longtime readers of TBTF are acquainted with the Four Horsemen of the
Infocalypse
[13]
-- terrorists, pedophiles, drug dealers, and money
launderers -- in the Cypherpunk orthodoxy
[14]
the government's chosen
weapons for trampling strong crypto. Herewith some drumming hoofbeats
from three of the four.
[13] <http://shipwright.com/rah/horsemen.html>
[14] <http://www.oberlin.edu/~brchkind/cyphernomicon/>
Has strong crypto impeded law enforcement?
Law-enforcement types who argue for limits on encryption technology
have been known to claim that crypto interferes with criminal
investigations. To my knowledge no documented case of such interference
has ever been offered. At the CFP'97 conference
Declan McCullagh challenged the Justice Department's Michael Vatis point-blank to name
one such instance, and Vatis could not. Now Dorothy Denning
<denning at cs dot georgetown dot edu>, a consistent government ally in the crypto
wars, and William E. Baugh, Jr. <william.e.baugh.jr at cpmx dot saic dot com>
have put out a call
[16]
for hard data on the question.
[16] <http://www.tbtf.com/resource/horseman-arms.html>
Cryptographers find a flaw in digital cell-phone code
Bruce Schneier and three other researchers subjected the once-secret
CMEA algorithm, a symmetric cypher with a 64-bit key length,
to "simple cryptanalysis." They found a flaw in the algorithm that
effectively reduces its key length to 24 or 32 bits; communications
encrypted using CMEA (including numbers punched on digital phones,
but not voice) can now be broken on a run-of-the-mill PC in
seconds or minutes. Details of CMEA were supposed to be a closely
guarded secret known only to a small circle of industry engineers,
but technical documents were leaked late last year and showed up
on the Internet. (A poster to the Cryptography list wrote:
"Actually it's worse than that. The documents are available to anybody
with $300. I got mine from Global Engineering Documents, then called
TIA and asked politely for 'Appendix A'.")
This tactic, which the security community
scornfully labels "security through obscurity," is hit hard in the
researchers' press release: "Our work shows clearly why you don't do
this behind closed doors. [We're] angry at the cell phone industry
because when they changed to the new technology, they had a chance
to protect privacy and they failed." The researchers have posted an
account [17]
of the exploit, and also host a copy of the New York Times writeup
[18] on the affair.
The Times article says that unnamed telecommunications officials
fingered the NSA as a source of pressure to weaken the crypto.
Yesterday the NSA's Clint Brooks <cbrooks at romulus dot ncsc dot mil>
forwarded this official statement (which I saw on Declan McCullagh's
FC mailing list):
NSA had no role in the design or selection of the encryption
algorithm chosen by the Telecommunications Industry Association
(TIA). NSA also had no role in the design or manufacture
of the telephones themselves. As we understand the researchers'
claim, it appears that the algorithm selected and the way it
was implemented in the system has led to the stated flaws. NSA
provided the TIA with technical advice on the exportability of
these devices under U.S. export regulations and processes.
A poster to the Cryptography mailing list paraphrased this
disclaimer as: "NSA did not openly tell TIA not to use strong crypto in the
digital phone standards, and wasn't directly involved in the
decision about which uselessly weak cryptographic system in particular
they should select."
Today Omnipoint
[19] bought page A21 of the New York Times (paper
edition) to deliver a "public-service message" to users of wireless
phones that the Omnipoint system, based on GSM technology, is not
vulnerable to the publicized attack. "Self-serving message" is more
like it, though they do have a point: the researchers note
[20] that
their approach "affects both CDMA and TDMA cellular systems, but not
GSM systems."
[17] <http://www.counterpane.com/cmea.html>
[18] <http://www.counterpane.com/cmea-nytimes.html>
[19] <http://www.omnipoint.com/>
[20] <http://www.counterpane.com/cmea-response.html>
Do online payment systems foster money laundering?
The Wall Street Journal carried a story that the Financial Action
Task Force, a Paris-based group of 26 countries fighting
international money laundering, has released a report warning that new
Internet payment systems could obviate conventional means of
tracking suspect cash. Of particular concern were the "speed,
security, and anonymity" achievable with such systems. Under U.S.
law financial institutions must report suspicious activity, but
it is far from clear whether the law covers Internet payment
systems. The American Bankers Association is pushing for uniform
regulations for both banks and e-money providers: "Bankers want
to see some assurance that if we're told we have to do certain
things that our other competitors do, too."
Two conferences
Faithful readers will recall that I had planned to attend the FC'97
conference last month on the Caribbean island of Anguilla. It didn't
work out. However, I did make it to Computers, Freedom, and Privacy
97, and I'll write about that in some detail next week.
Financial Cryptography 97
These notes on FC'97
[21]
were written especially for TBTF by Wired
magazine's correspondent Charles Platt. Also online is an account
[22] of the
gathering by Alex van Someren, who is a founder and
managing director of nCipher Corporation Ltd. The piece has an
endnote by Duncan Goldie-Scot, founder and publisher of Banking
Technology and Online Finance.
[21] <http://www.tbtf.com/resource/anguilla-cp.html>
[22] <http://www.live.co.uk/ftvfr397.htm>
VRML 97
Greg Roelofs <roelofs at prpa dot philips dot com> attended the Virtual Reality
Markup Language symposium last month in Monterey, CA. He writes: "It
was loads of fun, especially eating seafood while wandering around
the Monterey Bay Aquarium." (Roelofs was raised in the middle of the
continent where any seafood he saw, at best, had just gotten off an
airplane; he lives on the west coast now.) His trip report
[23] appears
on the TBTF archive by special
arrangement. Roelofs is one of the developers of the Portable
Network Graphics spec. He notes, "Ironically, there's much better
support for PNG in Web browsers than in VRML 2 browsers, despite its
being a requirement for minimal VRML 2 conformance."
[23] <http://www.tbtf.com/resource/vrml97-gr.html>
javElink: Web notification done right
This site is unusual in a number of ways: javElink
[24] is just out
of beta and all the links work. The interface is simple, pleasing,
and speedy. There's complete documentation and help, with nary a typo
or grammo to mar the polish. Site organization and navigation could
scarce be improved.
javElink aims to clue you as to when, whether, and how much the Web
pages you care about have changed. You create a private, password-protected
checklist of pages and folders of pages (which you can jump-start
by uploading a Netscape bookmark file); javElink monitors
each page and summarizes the changes to your personal checklist in
a unique, flexible, and intuitive tabular / graphical format. You can find out
what's changed, and the degree of change, from any Web browser at any
time. You can group pages in folders and for each one javElink will
accumulate the composite change score of the contained pages. The site
requires no plugins, no Java or ActiveX (the name javElink derives
from "javelin") -- it's all just HTML and CGI written in perl.
For now the service is free; soon a monthly charge will kick in. The
current thinking is that a fee of $15 to monitor up to 50 Web pages
will appeal to thousands of users with a serious need to keep on top
of rapidly changing information -- lawyers, journalists, executives,
developers, webmasters.
And there's a gimmie: if you use Netscape Navigator you can store
your bookmarks for free on the javElink site, in a private area, and
access them from anywhere. You don't have to pay for an account to
take advantage of this convenience.
I talked to the javeLink creators, Julie Stock <jstock at ingetech dot com>
and Gary Stock <gstock at ingetech dot com> of InGenius Technologies. They're
old pros at the entrepeneurial game and seem to have put together a
well thought-out, professionally run business. Their initial offering
is quite impressive. Do give it a look.
[24] <http://www.javelink.com/>
Followup: Another way to view commercial flights
TBTF for 1996-12-14
[25]
The Department of Transportation hosts an Aircraft Situation Display
page
[26] that provides
a near-realtime display of air traffic in and around the U.S. (Factoid:
61,000 people on average are airborn over the U.S. at any one time.)
You can zoom in; you can color-code all the flights in
the air approaching and/or departing any airport of interest; you can
click on a single plane for its flight details. The site can be slow --
be thankful that air-traffic control isn't handled over the open
Internet.
[25] <http://www.tbtf.com/archive/1996-12-14.html>
[26] <http://tms1.vntsc.dot.gov/docs/asd.html>
|
|
Domain name policy
See also TBTF for
2000-04-19,
03-31,
1999-12-16,
10-05,
08-30,
08-16,
07-26,
07-19,
07-08,
06-14,
05-22,
more...
|
Three questions of naming
NSF mulls taking back the business of naming domains
Despite the Clinton administration's comforting-sounding policies
to keep hands off the Internet -- as enunciated at CFP'97 by
keynote speaker Ira Magaziner, a senior advisor to the President --
the government continues to speak with many voices on Net issues.
An example is the recent trial balloon floated by the National
Science Foundation questioning whether the government should
retake the domain-naming business when the current NSI contract
expires next year. The question was broached in a confidential
report to the NSF's oversight agency. The only online account I
have found is this one at Network World's Fusion site
[27] -- to
view it you will have to sign up for a free account, a lengthy
process, and request article #1032.
[27] <http://www.nwfusion.com/>
NSI registers its one-millionth domain name
Bonnyview.com was registered to the owners of the Bonny View Cottage
Furniture company in Michigan, USA. A year ago there were 306,000
active domain names, 18 months ago only 120,000. Today NSI registers
on average 3,000 new names a day. Herewith a compressed and selective
history of domain names.
| 01 Jan 85 | com
| first day of domain registration
| Mar 85 | symbolics.com
|  first computer company domain
| 24 Apr 85 | cmu.edu
|
| | 24 Apr 85 | bbn.com
|
| | 24 Apr 85 | ucla.edu
|
| | 23 May 85 | mit.edu
|
| | 10 Jul 85 | mitre.org
|
| | 30 Sep 85 | dec.com
| first minicomputer company domain
| 04 Oct 85 | stanford.edu
|
| | 17 Jan 86 | sri.com
|
| | 19 Mar 86 | sun.com
|
| | 19 Mar 86 | ibm.com
|
| | 25 Apr 86 | att.com
|
| | 05 Nov 86 | nsf.net
|
| | 19 Feb 87 | apple.com
|
| | 14 May 87 | cisco.com
|
| | 02 Jun 88 | apollo.com
|
| | 26 Jul 90 | interop.com
|
| | 26 Feb 91 | atria.com
|
| | 02 May 91 | microsoft.com
|
| | 10 Jan 94 | infoseek.com
| First commercial Internet search company
| 01 Jun 94 | mcom.com
| "Mosaic Netscape Communications"
| 15 Dec 94 | netscape.com
|
| | 18 Jan 95 | yahoo.com
|
| | 13 Apr 95 | lycos.com
|
| | Apr 95 |
| toys-r-us sues rru.com over "roadkills-r-us"
[28]
| 20 Apr 95 | compaq.com
|
| | 05 Jun 95 | impatiens.com
|
| | 15 Aug 95 | buchanan96.org
| "Satire Online"
[29]
| 16 Aug 95 | underarm.com
| One of 44 registered to Procter & Gamble
[30]
| 18 Sep 95 |
| InterNIC begins charging for registration
| 23 Feb 96 | tbtf.com
|
| | 24 Aug 96 |
| IANA issues plan for new top-level domains
| 22 Oct 96 |
| ISOC sidelines IANA plan, announces IAHC
| 01 Nov 96 | m1crosoft.com
| note numeral one in place of letter i
| 02 Nov 96 | micr0soft.com
| note numeral zero in place of first letter o
| 12 Nov 96 |
| Int'l Ad Hoc Committee members named
| 22 Dec 96 |
| IAHC plan published
| 11 Jan 97 |
| IAHC plan drawing fire
| 25 Feb 97 |
| IANA, IAHC sued by ".web"
| 04 Mar 97 |
| eDNS proposes takeover of namespace
| | | | | | | | | | | | | | | | | |
[28] <http://www.tbtf.com/archive/1996-05-05.html>
[29] <http://www.tbtf.com/archive/1995-09-03.html>
[30] <http://www.tbtf.com/archive/1996-12-02.html#s09>
Elements 104 to 109
News has come to Harvard
[31]
of six new elements, recently endowed
with their official names.
From AIP Physics Update (1997-03-06):
The names of elements 104-109 have finally been accepted by
nuclear scientists and certified by the International Union
of Pure and Applied Chemistry. The delay over the names was
caused partly by rival claims to priority; the pertinent
experiments rendered mere handfuls of atoms. Physics and
chemistry students worldwide will now have to memorize the
following additions to the Periodic Table:
Rutherfordium Rf 104
Dubnium Db 105
Seaborgium Sg 106
Bohrium Bh 107
Hassium Hs 108
Meitnerium Mt 109
[31] <http://www.keaveny.demon.co.uk/lehrer/elements.htm>
Notes
This week's TBTF title comes from the song "The Chemical Elements"
[31]
by Tom Lehrer, one-time mathemetics professor at Harvard College.
It's sung to the tune of Gilbert & Sullivan's "I Am the Very Model
of a Modern Major General."
Sources
For a complete list of TBTF's (mostly email) sources, see
http://www.tbtf.com/sources.html>.
E.Commerce Today -- this commercial publication provided background
information for some of the pieces in this issue of TBTF. For
complete subscription details see <../resource/E.CT.txt>.
FC -- mail fight-censorship-announce-request@vorlon.mit.edu without
subject and with message: subscribe . Web home at
<http://www.eff.org/~declan/fc/>.
Cryptography -- mail majordomo@c2.net without subject and with message:
subscribe cryptography [ your@email.address ] .
AIP Physics Update -- mail listserv@aip.org without subject and
with message "add physnews" . Searchable archive at
<http://newton.ex.ac.uk/aip/>.
TBTF home and archive at <http://www.tbtf.com/>. To subscribe
send the message "subscribe" to tbtf-request@world.std.com. TBTF is
Copyright 1994-1997 by Keith Dawson, <dawson dot tbtf at gmail dot com>. Com-
mercial use prohibited. For non-commercial purposes please forward,
post, and link as you see fit.
_______________________________________________
Keith Dawson dawson dot tbtf at gmail dot com
Layer of ash separates morning and evening milk.
Copyright © 1994-2023 by
Keith Dawson.
Commercial use prohibited. May be excerpted, mailed,
posted, or linked for non-commercial purposes.
Most recently updated 2000-10-21
NSI registers its one-millionth domain name;
Elements 104 to 109