On 4/8 the Internet Society endorsed [1] the IAHC's plan for expanding the universe of global top-level domains. The plan has also won backing from Digital, AT&T, MCI, and UUnet, as well as the UN, WIPO, WTO, and the ITU. Later this month the IAHC plans to meet in Geneva, under ITU auspices, to sign a memorandum of understanding with some three dozen organizations, including some unnamed European telecomm agencies.

Also on 4/8 the New York Internet company PGP Media (no relation to PGP, Inc.) filed a restraint-of-trade lawsuit [2] against Network Solutions, the current monopoly issuer of global TLDs. PGP media has set up an registry called "name.space" under the renegade Extended Domain Naming System plan (see TBTF for 1997-03-09 [3]).

And on 4/14 NSI launched a campaign against the IAHC plan [4], [5]. Under the IAHC proposal NSI would lose its monopoly control over .com, .org, and .net when its contract with the U.S. government expires in 1998. NSI has released two drafts on the way to its own plan for gTLDs. A draft dated 4/10 called for the FCC to assert interim control over the Internet; this idea was dropped, possibly as a result of public outcry according to Declan McCullagh. The 4/15 draft is quite similar to the eDNS proposal [3]; in fact the head of NSI and the chief proponent of eDNS were both quoted as saying they hoped to come up with a combined proposal soon.

In what may be the most worrisome development for the future of Net self-regulation, both the White House and the OECD have convened task forces to look at issues of Internet naming and numbering [6]. The OECD is expected to declare domain names an issue of critical importance to member countries and to urge that governments set a framework in this area.

---

---

Stop Press

---

---

[1] <http://www.merc.com/stories/cgi/story.cgi?id=2330654-256>
[2] <http://www.nytimes.com/library/cyber/week/032297domain.html>
[3] <http://www.tbtf.com/archive/1997-03-09.html>
[4] <http://cgi.pathfinder.com/netly/opinion/0,1042,847,00.html>
[5] <http://www.zdnet.com/intweek/daily/970417a.html>
[6] <http://www.news.com/News/Item/0,4,9525,00.html>
[6a] <http://www.tbtf.com/resource/EU-vs-IAHC.html>
[6b] <http://www.emap.com/cwi/183/183news5.html>
[6c] <http://www.news.com/News/Item/0,4,10003,00.html>

Microsoft security bugs and exploits See also TBTF for 1999-08-30, 1998-02-02, 01-26, 01-19, 1997-11-17, 11-10, 10-20, 08-11, 06-23, 05-22, 05-08, more...

ODBC security hole opened in MS Office 97

The Trace facility in ODBC 3.0 (the Open Database Connectivity API), augmented for the release of Microsoft Office 97, now reportedly permits anyone who walks up to a logged-in computer running Windows 95 to see a record of all ODBC database accesses from that machine, including users' names and passwords in clear text [7]. (The recipe is Start, Settings, Control Panel, ODBC, Trace.) The problem was brought to light by Dan Gordon, a consultant working with an unnamed manufacturing company in the northwestern U.S. Gordon called the new feature "a massive, monstrous security hole" and claims that ODBC passwords can even be captured from another machine over the network. Microsoft's initial response was cautious [8]; at this writing (two days after the first press reports) there is nothing on their security site about this problem, and a search of the MS Knowledge Base for "ODBC 3.0 Trace" turns up only a single unrelated article.

[7] <http://www.infoworld.com/cgi-bin/displayStory.pl?970418.wodbc.htm>
[8] <http://www5.zdnet.com/zdnn/content/zdnn/0417/zdnn0013.html>

AOL's version of Internet Explorer still not fixed

News [3] of security problems with MSIE is nearly two months old, and the availability of Microsoft's fixed version, 3.02, is not much younger. But the roughly 200,000 America Online members who use a browser derived from MSIE 3.0 still do not have a fix [9]. As of 4/11 an AOL spokesman said the company was testing a fixed version.

[9] <http://www.news.com/News/Item/0,4,9620,00.html>

RPK: a public-key cryptosystem from New Zealand

Last December a new contender emerged in the international business of encryption. RPK is a New Zealand-based company with a presence in Silicon Valley. For several years it has been working on a cryptosystem based on some of the same mathematics that underlies Diffie-Hellman key distribution (discrete exponentiation over multiple finite fields). The technology is believed by its developers to be unencumbered by existing patents; and RPK has applied (two years since) for patents both in New Zealand and internationally. See [10] for a high-level introduction to the RPK cryptosystem. [11] summarizes its main distinguishing characteristics and [12] intro-duces its technical concepts. RPK is said to be speedy compared to established methods such as RSA and to be particularly well suited for implementing in silicon. The cryptosystem is believed to offer security equivalent to that of other modern systems. While RPK's strength cannot be directly compared with that of RSA -- any comparison based on key lengths is especially misleading -- the company offers some guidelines [13] to gauge how computationally difficult the system might be to crack.

Its developers acknowledge that RPK has not been examined or tested to nearly the same degree as other systems such as RSA. To expand RPK's base of trustworthiness the company is offering an ongoing "SafeCracker Challenge" [14] in which interested parties are given 60 days to extract either a secret message or the secret key with which it was encoded, for a prize of $3,000.

[10] <http://www.rpk.co.nz/intro1.htm>
[11] <http://www.rpk.co.nz/techinfo.htm>
[12] <http://www.rpk.co.nz/concept.htm>
[13] <http://www.rpk.co.nz/secrmark.htm>
[14] <http://www.rpk.co.nz/reward.htm>

DigiCash e-cash expands its reach

DigiCash [15] announced that the largest banks in Norway and Austria, Den norske Bank and Bank Austria, have decided to issue e-cash [16]. Deutsche Bank and Advance Bank of Australia are now in the final implementation stages, and banks in the U.S. and Finland have fully operational programs that will convert e-cash to and from the local legal tender.

[15] <http://www.digicash.com/>
[16] <http://www.news.com/News/Item/0,4,9690,00.html>

SETback

The much-delayed SET spec for online commerce by credit card, championed by Visa and MasterCard, will be delayed a further six weeks [17]; version 1 is now scheduled for release on May 30. Confusion reigned after Steve Mott, a MasterCard vice president, disclosed the delay, because he seemed to have said that SET v1.0 when it emerges will be cryptographically vendor-neutral, abandoning the required use of RSA encryption. Later accounts [18] clarified that he had been talking about plans for v2.0 of the SET spec, which will be opened up to allow other cryptosystems, for example RPK (see above) or Certicom's ECC [19], [20]. Mott did say that MasterCard has experimented with using non-RSA encryption in SET. The push for vendor-neutral encryption arises from performance concerns with the RSA algorithm, especially in computationally challenged environments such as smart cards.

IBM for one won't wait for the final spec. On 4/9 the company announced [21] version 2 of its Net.Commerce server for shipment on May 30, with what IBM calls the first commercial implementation of SET built in -- though clearly it cannot now be the final spec.

[17] <http://www.news.com/News/Item/0,4,9579,00.html>
[18] <http://www.infoworld.com/cgi-bin/displayStory.pl?970418.wset.htm>
[19] <http://www.certicom.com/html/ecc.htm>
[20] <http://www.certicom.com/html/eccqa.htm>
[21] <http://www.news.com/News/Item/0,4,9538,00.html>

Jack Rickard on AOL's death spiral

I recommend Mr. Rickard's editorial [22] in the March Boardwatch magazine. It covers a lot of ground, including one of the more sensible proposals I've read on how xDSL broadband technologies can spread rapidly and succeed -- implemented by ISPs, and emphatically not by telephone companies. Mr. Rickard also presents a closely reasoned essay on why, in his view, America Online is now doomed to sink from sight, dragging a fair chuck of the Internet's infrastructure down with it. A sample:

[22] <http://www.boardwatch.com/MAG/97/MAR/bwm1.htm>

Sun suborned an ActiveX hack

During his keynote address at Sun's JavaOne conference earlier this month, CEO Scott McNealy invited an expert, Fred McLain, to demonstrate how Microsoft's ActiveX technology could be abused. McLain downloaded a signed ActiveX control that then took over his machine and rifled its files for personal financial information. The point of course was to highlight the security advantages of Java technology. The recent focus on Microsoft security issues all but guaranteed that the exploit would get ink in the press and attention in the newsgroups. The fact that you can make an ActiveX control behave so badly is hardly news. What makes the story interesting is that Sun paid McLain to develop the malicious control [23] -- a considerable escalation in a marketing battle that was already near the level of a barroom brawl. Microsoft emerged with dignity, Sun less so, in my opinion.

[23] <http://www.news.com/News/Item/0,4,9390,00.html>

You're in a miasma of twisty paranoias, all alike

Netsurfer Digest (1997-04-13) carried this convoluted if cautionary tale:

NetSurfer Digest failed to mention another wrinkle to the hoax: the message appeared to be PGP-signed by the legendary Usenet prankster Kibo (who was in fact uninvolved). The ISP in question is Fred Cohen of all.net. TBTF visited the subject of his controversial "zero tolerance" security policies last year [24], [25] -- policies that make all.net a lightning rod for cracker "distributed social engineering." RISKS for 1997-04-17 carried a note from Cohen disclaiming that he had ever written a 5-line program to crack PGP. Thank goodness for that.

[24] <http://www.tbtf.com/archive/1996-04-21.html>
[25] <http://www.tbtf.com/archive/1996-04-14.html>

Back to the Oort Cloud

The friendliest comet this century is receding now, harder to see night by night in the light of the waxing moon but still visible on a clear night anywhere outside of a major city. Two days ago astronomers reported a third tail to Hale Bopp, this one composed of pure sodium and extending at an angle to the other two tails (one of dust and one of gas), straight as a geometer's line.

The hooks and hingles of the world

After studying polarized light coming to Earth from 160 galaxies, some as distant as 7 billion light years, physicists John Ralston and Borge Nodland claim that the universe isn't the same in all directions. Their paper will be published today in the journal Physical Review Letters. You can glean insight into this result from Nodland's page [26] "A Peek into the Crystal Ball of an Anisotropic Universe"; it's rather dense technically for those not conversant with astrophysics and cosmology. (The New York Times site on Friday featured a masterful example of science journalism on the subject but the article appears not to be available any longer.)

The effect manifests itself by rotating the polarization plane of radiation coming from some directions more than others. It's as if the universe has a grain like a block of wood. The effect acts in some ways like the "spin" of an elementary particle; it's as if the universe has a rotation axis. From Earth the preferred direction, the hooks and hingles of the world, falls on a line between the constellations Sextans and Aquila.

[26] <http://www.cc.rochester.edu/college/rtc/Borge/aniso.html
[26a] http://www.bates.edu/~ebunn/biref/prl/prl.html

This issue's title comes from the 1594 tract "Exercises, or the fower chiefyst offices belonging to horsemanshippe etc." by Blundevil. The full quote (from the Oxford English Dictionary Online) is: "Upon which two Poles, otherwise called the hookes or hengils of the World, the heavens doe turne round about the earth." The word hingle is obsolete in English but appeared in dictionaries as recently as 1886 with the meaning "the handle of a pot or bucket, by which it hangs." It comes to English from German by way of Dutch, from a root that also underpins hang and hinge. In its earliest sense hingle meant half of what we would today call a hinge; specifically, that part of the hinge that attaches to a gate or door. The OED cites usage from 1487 and before of the term "hooks and hingles" meaning, collectively, hinges. You can follow this link if you have a beta account with the OED Online: <http://www.oed.com/cgi-bin/oedp?dtext1=oed&dtext=OED+Only&frametype=&dictcolor=color&colnum=1&format=Regular+Display&qregion=Defined+Terms&query=164988264>

A new navigation aid, TBTF Threads, has made its debut -- see <http://www.tbtf.com/threads.html>. Threads features eleven topics which have each been covered in three or more issues of TBTF, linked in a graphically consistent style.

For a complete list of TBTF's (mostly email) sources, see http://www.tbtf.com/sources.html>.

E.Commerce Today -- this commercial publication provided background information for some of the pieces in this issue of TBTF. For complete subscription details see <../resource/E.CT.txt>.

RISKS -- read the newsgroup comp.risks or mail risks-request@csl.sri.com without subject and with message: subscribe . Archive at <http://catless.ncl.ac.uk/Risks/>.

NetSurfer Digest -- mail nsdigest-request@netsurf.com without subject and with message:subscribe nsdigest-html . Web home at <http://www.netsurf.com/>.

AIP Physics Update -- mail listserv@aip.org without subject and with message: add physnews . Searchable archive at <http://newton.ex.ac.uk/aip/>.

TBTF home and archive at <http://www.tbtf.com/>. To subscribe
send the message "subscribe" to tbtf-request@world.std.com. TBTF is
Copyright 1994-1997 by Keith Dawson, <dawson dot tbtf at gmail dot com>. Com-
mercial use prohibited. For non-commercial purposes please forward,
post, and link as you see fit.
_______________________________________________
Keith Dawson    dawson dot tbtf at gmail dot com
Layer of ash separates morning and evening milk.