
TBTF for 1998-11-17: Friends like these

Keith Dawson ( dawson dot tbtf at gmail dot com )
Tue, 17 Nov 23:33:16 -0400


Network Associates and the Key Recovery Alliance: nothing new

This widely circulated story is without substance


Wired News originated a story [1] claiming that NAI had quietly rejoined the KRA, after publicly disavowing it [2] following its acquisition of PGP last December [3]. Here are the facts: NAI acquired Trusted Information Systems in May 1998. TIS had been a leader in the Alliance, and its technology was considered to be among the best solutions in this space. NAI resigned the leadership posts that TIS had held in the Alliance and continued to monitor its work, but stopped attending its meetings. The NAI name still appears on the KRA Web site [4], as it has since May. There is no news here. Perhaps Wired was tipped by a disgruntled KRA member after Network Associates sent a representative to a recent meeting to suggest that they disband, because Open Source development provides greater security and assurance than any approach based on key recovery. The following statement was sent to me by Jon Callas, CTO of Total Network Security (formerly PGP Inc.) at Network Associates.

Hash: SHA1

Here is the official statement:

"NAI officially withdrew from the Key Recovery Alliance in late
1997.  In May of 1998, NAI acquired Trusted Information Systems,
which had been an active member of the KRA.  NAI subsequently
relinquished the leadership role TIS had taken in the
organization.  NAI Labs' TIS Advanced Research Division
continues to monitor the KRA's activities from a technical
perspective, but Network Associates in no way advocates
mandatory key recovery."


Version: PGP 6.0


[1] http://www.wired.com/news/print_version/technology/story/16219.html
[2] http://www.wired.com/news/news/technology/story/9010.html
[3] http://tbtf.com/archive/1997-12-08.html#s01
[4] http://www.kra.org/roster/roster3.html#netassoc


A new spoof: all frames-based sites are vulnerable

Exploit can strike through JavaScript, plain HTML, or even email

SecureXpert Labs has discovered a deep and troubling security hole in the implementation of HTML frames [5]. All recent versions of Netscape Navigator and MS Internet Explorer are vulnerable, and any Web site using frames can be exploited. The "frame spoof" vulnerability is breathtaking in its scope and simplicity. It represents not so much a bug in the browsers' code as a flaw in the security policy they implement.

The bug was announced by Dr. Richard Reiner, CEO of SecureXpert Labs' parent company FSC Internet. SecureXpert has posted two sample exploits [6], one that requires JavaScript and one that relies on nothing but HTML. Both demonstrate how unauthorized information can be displayed in the frame of a known and trusted site, such as citibank.com or disney.com. Here are technical details [7].

SecureXpert will be working with Netscape and Microsoft on client-side fixes for the problem, but Dr. Reiner mused to the BugTraq list that the browser may not be the most appropriate place to patch this hole.

"[S]hould there not be a more deeply entrenched, more reliable, more open, better audited, better trusted mechanism of some sort? Our thinking is that leaving these aspects of security policy to the Web browser software is a bad thing."

SecureXpert Labs has developed server-side fixes for the frame-spoof vulnerability, which will be made available first to its paying clients. Dr. Reiner wrote to me:

"We do intend to make a free, general release of at least two server-side solutions, both of which are reasonably effective in stopping the known exploits for this vulnerability."

Note added 1998-11-18: Jon Cox writes to offer workarounds and comments:

Here's one solution for the TARGET frame attack -- but it involves some extra work:

  1. Make frame name unguessable on a per-session basis. This can be achieved by using 32bit random strings instead of things like "main_frame" or "toplevel".

  2. Make frame names unguessable across sessions by using different names in each session (thus thwarting the classic "replay" attack).

Remarks: 1. is easy, but 2. involves a lot of extra ongoing work.

Corollary: There is no such thing as a secure frame-based static web page.
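
The two steps in the workaround above, sketched as server-side page generation. This is an added example, not code from TBTF, SecureXpert Labs or Jon Cox; the frame roles, URLs and the `SessionStore` class are hypothetical, and the 128-bit default name length is this example's own choice.

```python
import html
import secrets

ROLES = ("nav", "content")  # logical frame roles (hypothetical site layout)

def new_frame_names(roles=ROLES, bits=128):
    """Return {role: unguessable frame name}, fresh for one session."""
    nbytes = (bits + 7) // 8
    # Leading letter: HTML frame target names must start with an alphabetic
    # character, and names starting with "_" are reserved.
    return {role: "f" + secrets.token_hex(nbytes) for role in roles}

class SessionStore:
    """In-memory session -> frame-name map (stand-in for real session state)."""
    def __init__(self):
        self._names = {}

    def names_for(self, session_id):
        # Generated once per session, so every page served in that session
        # agrees on the names, and a new session never reuses old ones.
        if session_id not in self._names:
            self._names[session_id] = new_frame_names()
        return self._names[session_id]

def render_frameset(names):
    """Frameset page: frame NAMEs come from the session, not from constants."""
    return (
        '<frameset cols="20%,80%">\n'
        f'  <frame name="{html.escape(names["nav"])}" src="/nav">\n'
        f'  <frame name="{html.escape(names["content"])}" src="/home">\n'
        '</frameset>'
    )

def render_nav_link(names, href, text):
    """Navigation link whose TARGET is this session's content frame."""
    return (f'<a href="{html.escape(href, quote=True)}" '
            f'target="{html.escape(names["content"])}">{html.escape(text)}</a>')
```

Every page that carries a TARGET attribute has to be generated per session this way, which is the ongoing work the second remark refers to and the reason a static frame-based page cannot use the scheme.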

[5] http://www.securexpert.com/framespoof/index.html
[6] http://www.securexpert.com/framespoof/start.html
[7] http://www.securexpert.com/framespoof/tech.html



Domain name meeting short on consensus

ICANN is flapping hard but gaining little altitude

The organization set to inherit dominion over Net naming and numbering held its first public meeting on 14 November. ICANN anticipated rough sailing and they certainly encountered it [8] from an audience of more than 150. Fewer than one-third raised their hands when interim chairwoman Esther Dyson asked how many thought that a consensus on general principles could be reached at the meeting. One participant, complaining about the secret process by which ICANN's initial board had been selected, said "The board has sprung as a virgin birth from some unknown entity." (In fact the "unknown entity" was the late Jon Postel, as a lawyer working with Postel's agency IANA explained.) Dyson asked the meeting, "How many think ICANN is an out-and-out fraud and are here to try to stop it?" Only a few hands went up, but someone shouted, "Could you separate those questions?" This meeting indicates how hard it will be for ICANN to find common ground in the naming transition -- a process rendered vastly more fraught by the death of Postel, the resignation of the Network Solutions CEO [9], and the imminent departure from the Clinton administration of Ira Magaziner [10], one of the few visible White House staffers who has a clue on the Net. The ICANN board will hold a second public meeting in Brussels on 25 November; the European Commission will host.

[8] http://www.wired.com/news/print_version/business/story/16277.html?wnpg=all
[9] http://www.thestandard.com/articles/article_print/0,1454,2551,00.html?02
[10] http://www.latimes.com/HOME/NEWS/POLITICS/ELECT98/NATELECTW/tCB00a1487.html


Black hole contemplated for Network Solutions spam

C-spam: domain-name holders receive unsolicited commercial email

Was it [11] spam? It's a grey area. The recipients were customers of the sender, Network Solutions, and it might be claimed that an unsolicited emailing to customers could not be objectionable. But this mailing had a few points against it that shade it over into the black end of grey. Let's call it c-spam -- customer spam.

Paul Vixie, proprietor of the Realtime Blackhole List [12], [13], posted a request for commentary [11] to NANOG: Should he blackhole netsol.com? If it were entered onto the RBL, the domain would suddenly become invisible to large portions of the Net. (Note: internic.net would not be affected by such an action.) One poster commented that the usual means of fighting spam don't work in this case: one can't complain to NetSol's upstream provider and request that its connectivity be yanked. Another pointed out that if NetSol got sufficiently annoyed with Vixie they could simply deactivate vix.com and put him out of business.

At this writing the debate is still rolling on NANOG, Vixie is in discussions with NetSol sales/marketing management, the domain is not blackholed, and NetSol has agreed to hold off any further mailings until the discussions conclude.

[11] http://www.cctec.com/maillists/nanog/current/msg00488.html
[12] http://tbtf.com/archive/1998-01-12.html#s02
[13] http://maps.vix.com/rbl/


Patent offers clue to Transmeta's plans

Technology from Area 51?

A favorite sport among the geeks who frequent slashdot.org is speculating on the nature of the product Transmeta is developing [14]. Their curiosity is understandable as the father of Linux, Linus Torvalds, works there. Now the ultra-secretive company may have offered the first glimpse of its technology, courtesy of a patent [15] issued earlier this month. Somewhat mysteriously titled "Memory controller for a microprocessor for detecting a failure of speculation on the physical nature of a component being addressed," the patent reveals a chip that can translate Intel instructions into a more advanced format, VLIW (Very Long Instruction Word). It should run Windows faster than anything yet seen on the planet. It could also be highly efficient running Java or RISC processor code.

Some have speculated that the microprocessor is reverse-engineered from alien technology. This news.com story [16] catches an industry analyst in mid-quip:

"This is not your mother's x86."

Here are two summary readings and explications of the patent [17], [18], in order of comprehensiveness. I can't vouch for either author's technical chops but I know both writeups leave me in the dust after paragraph 1.

[14] http://tbtf.com/archive/1998-09-07.html#s08
[15] http://www.patents.ibm.com/details?pn=US05832205__&s_clms=1
[16] http://www.news.com/News/Item/Textonly/0%2C25%2C28737.html?tbtf
[17] http://slashdot.org/features/98/11/12/1935212.shtml
[18] http://scottlangley.com/patent.htm


ISPs must register to avoid copyright penalties

Each must name a designated copyright contact

The Digital Millennium Copyright Act, which was signed into law last month, requires [19] all ISPs to register with the Copyright Office and to name a designated contact for complaints of copyright violation. The rules are only an interim step in the new law's implementation; regulators will draft permanent rules and host a public comment period within the next several months.

[19] http://www.news.com/News/Item/Textonly/0,25,28357,00.html?tbtf



I2O SIG frees its spec

Fears of Open Software lockout ease

The I2O Special Interest Group is developing specifications for an advanced I/O subsystem. On 4 November the group announced [20] that it had made version 1.5 of the I2O spec publicly available to all product developers at no cost. This announcement lays to rest year-old fears [21] that the I2O Consortium might use its closed membership roster and non-disclosure terms to hobble Linux implementation of the I/O system, especially on Intel's Merced chip. Here is discussion of the I2O development on Slashdot [22].

[20] http://www.newsalert.com/free/story?StoryId=CnJ_FubKbytaWndm
[21] http://tbtf.com/archive/1997-08-04.html#s04
[22] http://slashdot.org/articles/98/11/04/1123235.shtml


With friends like these

Taking a Tomahawk for a test cruise

On 16 November, Los Angeles television station KCOP posted on its Web site a piece titled Rockets Red Glare (no longer up as far as I can determine):

A British submarine now lurking off Newport Beach will fire unarmed Tomahawk cruise missiles toward the Mojave Desert. The British, notwithstanding their rich naval history, have neither the experience nor the tracking stations to launch cruise missiles within the United Kingdom and they've never launched a Tomahawk. U.S. Navy experts will be helping the crew of HMS Splendid during the test. The British government is buying 65 Tomahawks in a $320 million deal.

The British were not saying how many missiles they planned to test. The missiles were to fly 80 miles, hugging the terrain 200 feet over suburban Los Angeles, to the Mojave Desert west of Edwards Air Force Base. Must have been impressive. Our British cousins thought, perhaps, that the Angelinos would mistake the Tomahawks for daylight Leonids [23].

[23] http://tbtf.com/archive/1998-10-12.html#s08


For a complete list of TBTF's (mostly email) sources, see http://tbtf.com/sources.html.

TBTF home and archive at http://tbtf.com/ . To subscribe send the
message "subscribe" to tbtf-request@world.std.com. TBTF is
Copyright 1994-1998 by Keith Dawson, <dawson dot tbtf at gmail dot com>.
Commercial use prohibited. For non-commercial purposes please forward,
post, and link as you see fit.
Keith Dawson    dawson dot tbtf at gmail dot com
Layer of ash separates morning and evening milk.



Copyright © 1994-2022 by Keith Dawson. Commercial use prohibited. May be excerpted, mailed, posted, or linked for non-commercial purposes.