"New IANA" plan pleases most of the people, most of the time

After a summer of meetings around the world [1], the "stakeholders" are near agreement on how to form the new corporation that will oversee Internet numbers and domain names. The proposal that has risen to the top was put forward by Jon Postel, head of the current Internet Assigned Numbers Agency. The proposed organization is being called, for the time, the "New IANA." Here are its FAQ [2], articles of incorporation [3], and the third iteration of its bylaws [4]. Some of the salients:

• The New IANA will be a nonprofit organization based in Los Angeles.

• The organization's main objectives will be to undertake whatever is necessary to maintain the operational stability of the Internet and to manage the allocation of new top-level domain names.

• It will be managed by a nine-member board of directors that will notify the public of any meetings via the Internet at least 14 days in advance.

• No government member can become a board member, but governments will have input through a special advisory committee.

• No more than half of the members of the board of directors can be from one geographic region.

• Directors will serve three-year terms and will receive no pay.

The New IANA must be up and running by September 30, when the US government's contracts with IANA and the InterNIC expire. This stage of the process aims only to form a New IANA that derives legitimacy and authority from the support of all parts of the Internet community worldwide. Most of the hard questions left unresolved by the US government's white paper [5] are still unresolved, and will be early on the agenda for the new organization.

Thanks to Adam Rifkin <adam at cs dot caltech dot edu> for this pointer.

[1] http://www.tbtf.com/archive/1998-06-29.html#s03
[2] http://www.iana.org/message-faqs.html
[3] http://www.iana.org/articles1.html
[4] http://www.iana.org/bylaws3.html
[5] http://www.tbtf.com/archive/1998-06-08.html#s01

The smoking gun that shot DR-DOS

The Red Herring broke this story [6] last week containing some of the most damaging information on Microsoft's practices that I have seen made public. The memos in question were in the hands of the FTC when they were probing Microsoft in the early 1990s, but have only recently come out from under seal in the Caldera lawsuit [7]. The story was written by reporter Wendy Goldman Rohm from research for her book "The Microsoft File: The Secret Case Against Bill Gates" [8]. The Wall Street Journal picked up the story [9] (subscription required) and tied more of the threads together, but without crediting Rohm. (The WSJ had received a review copy of "The Microsoft File.")

The memos are email conversations among Microsoft executives in 1991 and 1992 that discuss deliberately crippling a beta copy of Windows 3.1 so it would produce an obscure error message if run atop DR-DOS, a competing operating system now owned by Caldera. The code to check for the existence of DR-DOS was encrypted and obfuscated -- it was the only encrypted code in the beta -- but was cracked by programmer Andrew Schulman and published in Dr. Dobbs Journal in 1993 [9a]. Schulman discovered that the code searched for tiny differences between MS-DOS and DR-DOS, and when it found the latter it displayed an obscure but worrying error message: "Non-fatal error detected: Error #4D53. (Please contact Windows 3.1 Beta Support.)" The non-MS-detecting code was dropped into 5 places in the beta Win 3.1 code and, according to Schulman, had no possible legitimate purpose in ensuring the proper functioning of Windows. The code was still present in three places in the shipping Win 3.1 product, but had a single byte flipped to disable it.

The WSJ article [9] ties together the code and Microsoft's statements at the time with the executives' email memos, and with the drop-off-a-cliff revenues for DR-DOS following the rigged Windows 3.1 beta. Here's a quote from email sent by Microsoft Senior VP Brad Silverberg in 1992:

I hope to review "The Microsoft File" [8] in an upcoming TBTF.

Thanks to Dan Kohn <dan at teledesic dot com>, a regular TBTF Irregular, for pointing out this story.

[6] http://www.redherring.com/insider/1998/0825/microsoft.html
[7] http://www.tbtf.com/archive/1998-04-27.html#s03
[8] http://www.amazon.com/exec/obidos/ASIN/0812927168/tbtf
[9] http://interactive.wsj.com/articles/SB904177645701365500.htm
[9a] http://www.ddj.com/ddj/1993/1993_09/9309D/9309D.HTM

Thought software patents were trouble? Next it's business models

Over the last 12 years US patent examiners, lacking the expertise and the resources to research prior art, have issued thousands of arguably bad patents for software inventions. Owing to the length of the application process, the mid-1990s saw the first lapping waves of what may become a floodtide of costly litigation over software patents. TBTF has been following this trend since 1995 [10], [11]. In the last week the mainstream technology press has produced its own flood of articles on the topic of patents and their likely impact on e-commerce. What got the hive stirred up was a July appeals court ruling favorable to patents on business processes [12], [13], which lawyers are regarding as a landmark. News.com paints the following scenario [14] to bring home the impact of patents on Net business models:

• Priceline.com (Connecticut), for its buyer-driven, "name-your- price" business model [15]

• NetDelivery (Colorado), for a proprietary billing and cataloging process [16] that it says covers all "push" technologies

• Cybergold (California), for its "paying for eyeballs" advertising model [17], [18]

UC Berkeley law professor Pamela Samuelson says, "If patents worked for manufacturers, surely they will work for the information economy" -- encouraging innovation instead of stifling it. I have serious doubts.

[10] http://www.tbtf.com/threads.html#Tspx
[11] http://www.tbtf.com/resource/sw-patents.html
[12] http://www.news.com/News/Item/Textonly/0,25,25705,00.html?tbtf
[13] http://www.law.emory.edu/fedcircuit/july98/96-1327.wpd.html
[14] http://www.news.com/News/Item/Textonly/0,25,25703,00.html?tbtf
[15] http://www.news.com/News/Item/Textonly/0,25,25111,00.html?tbtf
[16] http://www.news.com/News/Item/Textonly/0,25,25562,00.html?tbtf
[17] http://www.techweb.com/wire/story/TWB19980824S0009
[18] http://www.patents.ibm.com/details?patent_number=5794210

Whatever you do, don't push that big red button

On August 14 a Norwegian programmer discovered how to write a Java applet that, when run, can bring down a Windows NT system. This is not supposed to be possible, of course. Tonny Espeset <esp2 at online dot no> accomplishes the trick by calling some Java methods with out-of-bounds arguments (the exploit page does not give details), and on about half of the NT systems tested the applet immediately crashes the system right down to a white-button reboot. On some other NT systems, running the applet corrupts system fonts and cursors; the symptoms are cured by a reboot. I tried the applet [19] on two NT 4.0 systems and crashed one, corrupted fonts on the other.

Greg Roelofs <roelofs at pmc dot philips dot com>, TBTF Irregular, tipped this story -- thanks.

[19] http://www.eyeone.no/KillerApp/KillerApp.htm

Churn and controversy yield to unity

Perhaps stimulated by the somewhat divisive events of the past two weeks [20], [21], the Linux community is rallying around the Linux Standard Base effort. The recently announced Linux Compatibility Standards Project [20] has been folded into LSB, which has relaunched with a new commitment, a new Web site [22], and new partners. Here's the press release [23]. Thanks to Robert S. Thau <rst at ai dot mit dot edu> for sending me a copy instantly upon release on 8/25, allowing TBTF to break the news to an indifferent world.

On a more mainstream note, the issue of Forbes Magazine featuring Linus Torvalds on the cover has hit the Web. Here's a thumbnail of the cover [24] and here's the story [25].

[20] http://www.tbtf.com/archive/1998-08-17.html#s02
[21] http://www.tbtf.com/archive/1998-08-24.html#s02
[22] http://www.linuxbase.org/
[23] http://www.linuxbase.org/announce.html
[24] http://www.forbes.com/forbes/98/0810/gifs/coversm2.jpg
[25] http://www.forbes.com/forbes/98/0810/6209094a.htm

This WaSP packs a sting

The Web Standards Project [26] is two weeks old and has already garnered significant ink, and pixels, in the world's press (summary here [27]). The project is the effort of a group of high-profile Web designers to shame Microsoft and Netscape into implementing completely the standards upon which the Web is based before venturing off into proprietary extensions [28]. The developers of the Opera browser [29], which is just about the only currently viable competition to the Netscape-Microsoft hegemony, have supported WaSP from the first. The project's Web site is the epitome of cool: simple design, unified feel, plenty of variety, and speedy loading. Thanks to Julianne Chatelain for the pointer.

[26] http://www.webstandards.org/
[27] http://www.webstandards.org/news.html
[28] http://www.webstandards.org/mission.html
[29] http://opera.nta.no/

Rewriting the interface to steal your account

A programmer in Canada discovered a way to steal Hotmail users' login IDs and passwords [30]. The exploit uses JavaScript to rewrite, transparently, part of HotMail's Web interface for email. When a victim receives an email message containing the Trojan-horse JavaScript and reads it in the HotMail account, s/he is prompted to reenter name and password, which have supposedly expired. This dialog looks like an official HotMail request. The name and password are captured and emailed to the perpetrator. Here is the discoverers' exploit page [31]. Microsoft and HotMail were notified of the vulnerability and worked at top speed on a fix. When they posted what was billed as a "partial fix" (filtering out JavaScript code) on 8/24, the exploit's discoverer quickly put up a workaround that causes the same end result [32]. (He hid the JavaScript code within IMG tags.) Other Web-based free email services are also thought to be vulnerable to this exploit. Users of such services might consider doing without JavaScript for now.

[30] http://www.wired.com/news/news/technology/story/14617.html
[31] http://www.because-we-can.com/hotmail/default.htm
[32] http://www.news.com/News/Item/Textonly/0,25,25657,00.html?tbtf

System is provably secure against an adaptive chosen ciphertext attack

Two researchers have devised a way to secure cryptosystems against "active" attacks [33]. Victor Shoup of IBM Research and Ronald Cramer of the Swiss Federal Institute of Technology revealed their new security scheme [34] on 8/24 at Crypto '98 in Santa Barbara. Their new system would thwart attacks of the sort devised last spring by Bell Labs researcher Daniel Bleichenbacher (see TBTF for 1998-07-20 [35]). The leader of an IBM team of hackers for hire said, "This is not the sort of stuff you hold tight and patent. This is the sort of stuff you publish ... and hope everyone adopts it quickly."

[33] http://www.wired.com/news/news/technology/story/14590.html
[34] http://www.cs.wisc.edu/~shoup/papers/cs.ps.Z
[35] http://www.tbtf.com/archive/1998-07-20.html#s06

How not to update a Web site

Patrick S. Malone was driving to work with the radio on and heard the DJ bragging about the radio station's Web site, extolling the virtues of their ISP. The DJ made a particular point of the advantage of using a local ISP:

[36] http://www.tbtf.com/archive/1998-08-27.html#its-CCR

[37] http://www.tbtf.com/threads.html#Tqpc

TBTF home and archive at http://www.tbtf.com/ . To subscribe send
the message "subscribe" to tbtf-request@world.std.com. TBTF is
Copyright 1994-1998 by Keith Dawson, <dawson dot tbtf at gmail dot com>. Com-
mercial use prohibited. For non-commercial purposes please forward,
post, and link as you see fit.
_______________________________________________
Keith Dawson    dawson dot tbtf at gmail dot com
Layer of ash separates morning and evening milk.