The week just ended has been a particularly trying one for the Internet. Numerous problems were caused by operator errors, mishaps with heavy equipment [1], and denial-of-service attacks. This page [2] collects links to press coverage of Internet outages. There were four reports in April of this year, three in May, and two in June. In the last two days at least 15 have appeared. (Note: some of the listed links are already stale because they pointed to topical stories in online newspapers. The stories are now either offline or have been moved to long-term URLs.)

Corrupted root name databases

At 2:30 am Eastern time on Thursday morning an operator at NSI ignored automated warnings and published corrupt databases for the domains .com (142 MB) and .net (10 MB). Some of the eight other root nameservers, which copy the master NSI data on a staggered schedule, also became corrupted over the next four hours before NSI discovered and fixed the error. (You might well wonder what happened to that overnight operator. "We're still talking to that individual," an NSI business manager said later on Thursday. "He is being dealt with very appropriately.")

The NY Times has the most thorough and technically accurate coverage [3] of the incident and its aftermath. Additional detail is at [4], which descends to a level so geeky as to list the nine root-level name servers and to explain the software particulars behind the spottiness and randomness of the incident's effects. Even the Good Grey Times makes a few small errors -- [4] erroneously stating that NSI began charging to register domain names in 1996 (it was 1995), and [3] misstating the number of root nameservers, a factoid cited correctly in [4]. Most of the press coverage is more confused. A common conflation (see for example this San Jose Mercury-News [5] story) is associating the root-name problem with the previous weekend's AlterNIC hack against the InterNIC servers (see story below). No one who knows how the network works would posit a link between these incidents.

Of backbones and backhoes

See [6] for a sketch of four separate recent instances of circuit loss, two involving backhoes [1] cutting fiber bundles. The backbone carriers had to route around the breaks until they were fixed some hours later. WorldCom was the provider most affected by these mishaps.

SYN flooding attacks on Macintosh sites

Macintosh users had an especially hard week. In addition to the above-mentioned network disruptions, they had to contend with denial-of-service attacks mounted against the Web servers of a number of popular Macintosh destinations: Macintouch, WebCentral, and Webintosh [7]. The SYN flooding attacks [8] followed a similar barrage directed against the "Crack-a-Mac" contest site [9] the week before, leading to speculation that the attackers may want to blemish the Mac's reputation as the least vulnerable Web server platform.

[1] http://www.jcb.co.uk/backhoe.gif
[2] http://www.clark.net/pub/rbenn/outages.html
[3] http://www.nytimes.com/library/cyber/week/071897network.html
[4] http://www.nytimes.com/library/cyber/week/071897dns.html
[5] http://www.sjmercury.com/news/netglitch071797.htm
[6] http://www.mmp.co.uk/mmp/informer/netnews/HTM/718n1k.htm
[7] http://www.internetnews.com:80/isp-news/1997/07/1702-syn.html
[8] http://www.tbtf.com/archive/1996-09-23.html
[9] http://hacke.infinit.se/

On 7/15, three developments crossed my screen that are indicative of the unsettled state of domain naming on the Net.

.usa.to registry

An enterprising Netizen has taken advantage of the Tonga registry [10] to set up an exclusive dealership in .usa.to addresses [11]. (Warning: this site dispenses cookies with abandon.) Aaron Brewster, president of Code:NET, Inc., seems to think that customers will be so delighted to be able to get mcdonalds.usa.to, that they won't think to acquire mcdonalds.to instead. Or in fact to acquire biz.to, with a plan to subdivide it and go head-to-head with Code:NET.

Hijacking the InterNIC

On a shadier note, a proponent of alternate top-level domains has produced a hack that promises to dramatically increase the portion of the Web that recognizes his AlterNIC naming scheme [12]. Eugene Kashpureff sends an artfully malformed response to a standard DNS query from another name server, and the result is hard to distinguish from a virus. Kashpureff is able to spread recognition of his names -- some would say to spread contagion -- to other name servers on the Net in the everyday course of business, and could potentially do so surruptitiously. And there's worse. Over the weekend of 7/12 Kashpureff somehow caused NSI's traffic to be redirected to AlterNIC [13] (he's not saying how he accomplished this) as a protest against NSI's claim to ownership of the .com domain. One poster on a network-operations mailing list opined, "Mr. Kashpureff is in deep doggy doo."

Set free .org and .net

An InterNIC official is urging regulators to let people apply for .org and .net domain names [14] in commercial contexts, relaxing the once hard-and-fast limitations on the use of these top-level domains.

[10] http://www.tbtf.com/archive/1997-06-23.html
[11] http://www.usa.to/default.htm
[12] http://www.wired.com/news/news/culture/story/4715.html
[13] http://www.news.com/News/Item/0,4,12382,00.html
[14] http://www5.zdnet.com/zdnn/content/ylio/0715/ylio0001.html

Last week DefCon 5, the hacker convention, happened to Las Vegas. For the local color -- and there was quite a bit of it -- see Declan McCullagh's writeup [15]. An excerpt will convey the flavor:

By the time the conference began, the hotel's antiquated phone system had been penetrated and instructions distributed on how to call long distance for free. The hotel's radio frequencies quickly appeared on the DefCon mailing list. And someone was carrying around a door to a GTE truck -- I never found out why.

Microsoft attended its first Black Hat Briefing [16] and heard from the inventors about the latest improvements [17] to security hole #8 (see [18] for earlier coverage and [19] for the collected Microsoft security exploits). L0phtcrack is a tool for delivering plaintext passwords for NT and LANMAN networks; in theory it allows one to obtain NT passwords without administrator privileges given network access between a client and the server under attack. The program comes with unusual license terms: it is $50 shareware to government and commercial users and freeware to all others

Microsoft systems, and NT in particular, are now being subjected to the tough love of hacker scrutiny that once focused on Unix (and to a lesser extent on Novell). The company has squared its shoulders and resolved to work with the hackers with what good grace it can muster. A Microsoft spokesman said, "The hackers do a service. We're listening and we're learning."

[15] http://www.cnn.com/TECH/9707/16/netly.news/index.html
[16] http://www.techweb.com/se/directlink.cgi?EET19970714S0021
[17] http://www.l0pht.com/advisories/l0phtcrack15.txt
[18] http://www.tbtf.com/archive/1997-04-04.html
[19] http://www.tbtf.com/resource/ms-sec-exploits.html

The wraps are coming off Dan Bricklin's new company (see TBTF for 1996-07-02 [20]) and its product, Trellix 1.0, is bold indeed. (Full disclosure: I know a good many of the people at Trellix, having worked with them in past lives, and I participated in the company's market research and First Look programs.) In an era when not even Microsoft can buck the Web's dominance with impunity, Bricklin, co-inventor of Visicalc, looks anew at the problems of writing, reading, navigating, and printing hypertexts. Trellix 1.0 is a Win-32 environment designed from the ground up to excel at these tasks in a business environment. It's the first application to use the ActiveX Hyperlinking Protocols -- in fact the product is made up of ActiveX controls, which are themselves containers for each other. Its files are OLE-native structured storage files. Its import and export functions, including of course to and from HTML, are written in Visual Basic and are open to extension by VARs and corporate developers. The Trellix 1.0 environment features a freeform visual map of document structure; the author can easily define canned "tours" through the hypertext content, which the reader is free to follow or to depart from. The map will appeal instantly to anyone who has struggled to visualize a hypertext under development, or who has gotten lost in hyperspace because browser navigation is linear and single-threaded. When Trellix 1.0 exports a hypertext to HTML, the visual map is preserved as a Java applet keyed to the HTML pages. And Trellix 1.0 is smart about printing -- it can follow through links, tours, and sequences to print an entire hypertext document complete with table of contents.

On Monday 7/21 the Trellix site [21] will open for free downloads of "Sneak Peek" version 0.8. I urge everyone who runs Windows 95 or Windows NT to give Trellix a close look.

[20] http://www.tbtf.com/archive/1996-07-02.html
[21] http://www.trellix.com/

Dave Crocker <dcrocker at brandenburg dot com>, a member of the original International Ad Hoc Committee and now of the ongoing working group, sent the following clarifications to the article "Justice Department to investigate Network Solutions" published in TBTF for 1997-07-14 [22]. I reproduce his comments as received and invite interested readers to visit the gtld-mou site [23] for their perspective.

> The plan worked out by the International Ad Hoc Committee to
> introduce competition to domain naming is on hold [8].

This assessment is incorrect. The IAHC is not on hold. It is very much proceeding. We are taking a bit longer to get the application form and second MoU (the ones the registrars must sign) out but we are within days of finishing it and starting to accept applications.

> on 7/10 an industry group called the Association for
> Interactive Media convened an "Open Internet Congress" in
> Washington [9], ostensibly to assure that business has a say
> in the governance of the Net.

Attendance was a whopping 48. They have no specific, constructive alternatives to the IAHC and, instead, seem only interested in stopping the IAHC work.

Your use of explicit citations underscores the rather troubling pattern of press coverage on this topic. Anyone who speaks out seems to be taken as credible, no matter how outrageous or factually incorrect their statements. The various AIM press releases are probably the most extreme example of this.

In reality, the list of supporting signatories for the gTLD MoU continues to grow and I encourage anyone who is interested to visit <http://www.gtld-mou.org> for details, including the most current version of the signatory list.

Andrew Herbert <ajh at digitivity dot com> sent the following note in response to the article "Wash that Trojan horse's mouth out with soap" in TBTF for 1997-07-14 [24]. Digitivity's CAGE scheme does indeed seem architected to provide stronger applet security than approaches like those of Finjan or McAfee, particularly for corporate intranets firewalled from the Internet. See the comparison table about two-thirds of the way down [25]. Herbert writes:

For an alternative to FinJan's filtering approach, have a look at my company's product which lets you run Java without having it cross your firewall.

Filtering approaches are either too severe, and stop you running anything at all, or else they run the risk of letting a hostile through. We solve the problem by running Java in a physically reinforced sandbox.

With the rate at which bugs in browser sandboxes turn up, keeping Java out of your intranet is the safest way.

Supplementary to the stuff described on [25] we plan to add a filter that removes Javascript and ActiveX to our AppRouter. We will just trash them rather than Cage them at this time.

[24] http://www.tbtf.com/archive/1997-07-14.html#s05
[25] http://www.digitivity.com/html/text/products.html

Last month news.com carried the story [26] of Danny Khoshnood, of Los Angeles, who registered the domain name microsoftnetwork.com and then began a spree of registering embarassing names to this fictitious entity. Some suggested racy content, others were uncomfortably close to actual Microsoft product names. (The story was spread far and wide by NetSurfer Digest [27].) More recently word has begun circulating of "interesting" domain names registered to the bona-fide Microsoft Corporation of Redmond, WA: names such as bill-is-lord.com, resistance-is-futile.com, and weshallprevail.com. These turn out to be copycat hoaxes. On 7/12 CobraBoy <tbyars at earthlink dot net> coerced the Domain Name Service into divulging all names then registered to any entity containing the string "microsoft" and posted the raw data on a private mailing list. See [28] for the snapshot as of that date. The box score was:

100 apparently bona-fide names registered to Microsoft Corp.

10 names registered to other apparently legitimate entities

61 names registered to Danny Khoshnood, Los Angeles, CA

6 "copycat" hoaxes, or other names registered to people outside of Microsoft, and not served by Microsoft name servers

5 apparently personal names registered to Microsoft employees (?)

[26] http://www.news.com/News/Item/0,4,11080,00.html
[27] http://cogsci.soton.ac.uk/~cjc/NSD/nsd0318.html#OC2
[28] http://www.tbtf.com/resource/moft-names.html

This week's TBTF title comes from Lewis Carroll, whose White Knight [29] has nearly as much fun with names, and pointers to names, as the Net has had this week.

[29] http://www.cs.toronto.edu/~chechik/courses/csc324/white.html

For a complete list of TBTF's (mostly email) sources, see http://www.tbtf.com/sources.html.

NetSurfer Digest -- mail nsdigest-request@netsurf.com without subject and with message:subscribe nsdigest-html . Web home at http://www.netsurf.com/ .

TBTF home and archive at <http://www.tbtf.com/>. To subscribe
send the message "subscribe" to tbtf-request@world.std.com. TBTF is
Copyright 1994-1997 by Keith Dawson, <dawson dot tbtf at gmail dot com>. Com-
mercial use prohibited. For non-commercial purposes please forward,
post, and link as you see fit.
_______________________________________________
Keith Dawson    dawson dot tbtf at gmail dot com
Layer of ash separates morning and evening milk.