TBTF for 1996-04-14 [1]

The previous issue recounted a days-long series of attacks and attempted breakins at all.net, whose proprietor Fred Cohen <fc at all dot net> publicly proclaims a policy of "zero tolerance" for anyone probing at his systems. Is this policy workable, or is it in part to blame for Cohen's troubles? Last week's article drew a chilly blast [2] from Richard Johnson <Richard.Johnson at colorado dot edu>, who considers Cohen far outside the mainstream with his zero-tolerance stance. (Johnson's missive is posted on the TBTF archive by permission.) Johnson expresses amusement that I was "taken in" by Cohen's arguments, and calls the firestorm that swirled around all.net "distributed social control." He explains in a later note:

> BTW, "distributed social control" is code for the kinds of immature
> reactions that followed Canter and Seigel's spamming. These included
> email bombing, putting their house up for sale, faxing them a loop of
> black paper, subscribing them to nearly every magazine in existence,
> etc. Sadly, in an anarchy, that's the only even marginally effective
> recourse against such [people].

What does "zero tolerance" mean? To explore this question is to plumb the shared culture and mindset of the system administrators who keep the Internet humming. Some of these guys (they are mostly guys) have been plying the Internet since the days when "reading news" meant spending 15 minutes to ingest everything that had come over Usenet that day. A spirit of mutual respect, tolerance, altruism, and cooperation has grown up among the admins -- the very stuff of the Internet culture in its pre-commercial incarnation. In this crowd your reputation is everything -- and your reputation is formed by the collective weight of your online utterances and public actions. The admins cooperate with each other and rely absolutely on their fellows' cooperation. Someone who is thought a fool or worse will get no cooperation. Admins generally handle attempted breakins and other forms of online mischief by cooperative action (as compellingly described in Clifford Stoll's first book "The Cuckoo's Egg"). If an admin of the old school suspects that someone is attacking his system, he personally gets in touch with the admin in charge of the system from which the attacks appear to originate. Such a request for help is usually met with ready cooperation.

What Cohen's system all.net does is to send an automated mail message to the admin of any system from which a probe, or even a telnet request, is launched. No human judgement has been applied. Many admins are annoyed by such automated dunning. They may tune it out, they may trash the messages, but they are unlikely to cooperate.

See [3] for a complete transcript of a correspondence launched by one of these all.net automated messages.

To throw more outside light on the appropriateness of the zero-tolerance approach I forwarded my article and Johnson's reply [2] to three well-known admins whose opinions I respect, asking for their perspectives on zero tolerance, all.net, and its proprietor. Two replied and gave permission to post their responses. See [4] for the views of Rich Graves <llurch at networking dot stanford dot edu> and [5] for those of Chuq Von Rospach <chuqui at plaidworks dot com>. Von Rospach summarizes his perspective thus:

> Right off the bat, IMHO, this is a no-win situation. People will poke.
> This is "Just Say No" gone on-line. Might have worked for Nancy Reagan,
> but it sure didn't do much but feed the anti-drug bureacracy.

Finally, [6] is Cohen's response after I sent him Johnson's note. You can make up your own mind about zero tolerance. I've made up mine.

[1] <http://www.tbtf.com/archive/1996-04-14.html>
[2] <http://www.tbtf.com/resource/zt-rj.html>
[3] <http://www.dhp.com/amusement.html>
[4] <http://www.tbtf.com/resource/zt-rg.html>
[5] <http://www.tbtf.com/resource/zt-cvr.html>
[6] <http://www.tbtf.com/resource/zt-fc.html>

On 1996-03-18 a coalition of Net telephone and audio/video conferencing companies organized to fight ACTA's FCC filing. Grag Aharonian's Internet Patent News Service for 1996-04-16 carried word of the formation of Voice on the Net (VON) [9]. U.S. citizens with an opinion on Net telephony can make their views known -- until May 8 -- to the Federal Communications Commission at <rm8775 at fcc dot gov>. Any email sent to this address should be followed up with snailmail. Aharonian suplies the details, noting "these mailings [are] a good example of how the computer revolution isn't leading to a reduction in paperwork."

> ...original plus four copies to the Office of Secretary, Federal Com-
> munications Commission, 1919 M Street NW, Room 222, Washington, DC,
> 20554. Copies should also be sent to Wanda Harris, Common Carrier
> Bureau, FCC, Room 518, 1919 M Street NW, Washington, DC, 20554, and
> to the Commission's contractor for public service records duplication,
> ITS Inc., 2100 M Street NW, Suite 140, Washington, DC 20037.

I wrote in TBTF for 1996-03-10 [7]:

> The FCC has moved with uncharacteristic speed in scheduling public
> comment on the [ACTA] question; petitions for rule-making commonly
> sit for weeks or months without action, but within 2 days the agency
> had set [a] date...

This haste does not necessarily imply anything about the weight or probable outcome of ACTA's request, as my earlier comment might have implied. The FCC has mobilized to respond to an unprecedented level of demand for its services; the Telecommunications Reform Act in particular calls for the agency to make more than twice the usual volume of rulings within the next year. This is occurring against a backdrop of gradual downsizing and fundamental institutional challenges from Congress. Frank Charlie Charlie, as amateur radio operators used to call the agency, has seen brighter days.

[7] <http://www.tbtf.com/archive/1996-03-10.html>
[8] <http://www.tbtf.com/archive/1996-03-24.html>
[9] <http://www.von.org/>

TBTF for 1996-04-07 [10]

I've been wanting to write about a most useful free service hosted by the company that provides the collection of freebies profiled in [10]. The company is NetMind and the service is URL-Minder [11]. While I use URL-Minder extensively, I haven't wanted to air it on TBTF until some privacy concerns were addressed. On 1996-02-24 I sent a note to <URL-master at netmind dot com> asking for details of the company's privacy policy. Today I received the following response, signed only "Jon," with no explanation for the 8-week delay. It satisfies all of my concerns so I can now recommend this service to you unreservedly.

URL-Minder sends you email when a URL that you register changes. It's that simple, and it's free.

URL-Minder represents an example of the now classic model of early Internet commerce (before the wide availibility of encrypted transactions, before offline settlement, before non-repudiation and authentication). The model is to give away something of value, capture information about your users, and find a way to exploit that information for gain without compromising your users' privacy. The best examples of this model (see for example NetSurfer Digest [12] and Newshare [13]) state forthrightly how they intend to make money and what their privacy policies are.

Here is NetMind's response (n>) interleaved with my queries (kd>).

kd> I'd like to see a statement from Netmind regarding the privacy of the
kd> data you collect. A correlated listing of email addresses with the web
kd> sites of interest to those users might be perceived as valuable by
kd> direct-mail marketers and others.

n> You have definately found our "pot of gold", so to speak.

kd> Do you sell this data now? If not, have you ever been approached with a
kd> proposal to sell it? Do you have plans to sell it in the future? Can you
kd> state categorically that you will never sell the data? If so, what hap-
kd> pens to the data if your company is bought or goes bankrupt?

n> No, we do not sell this data. Yes, we have been approached many times
n> about selling this information, but have declined all offers.

n> No, we have no plans to sell it, and yes, we can categorically state
n> that we will never sell the data. One of our primary tenants is that
n> our services should be as anonymous as possible, and one of our
n> primary concerns is protecting the anonymity of our users.

n> If our company is ever bought, protecting this data will be one of the
n> conditions of the sale. If this cannot be agreed to, the sale will
n> not take place. Yes, we _will_ get it in writing. (We don't intend
n> to sell the company, but who knows what the future will hold...)

n> If we go bankrupt, the data will be destroyed.

kd> I looked over your web site and retrieved and read the help info and did
kd> not see any mention of this topic. With a service such as URL-minder I
kd> believe it's essential to lay out your approach to privacy matters, even
kd> though the service is free. Or perhaps particularly because it's free --
kd> one might wonder (I did) whether you make money from it in other ways.

n> I'm going to have to double-check. We used to have a statement on the
n> pages about our attitudes about privacy. Now, _WE_ do marketing. Our
n> change-notice messages from the URL-minder include adverstising
n> material from our sponsors. Our sponsors, however, do not have any
n> access to our databases. As we grow, one of our marketing strategies
n> is to group people by interest based on the URLs they are watching,
n> yet again, sponsors will never get any information beyond what the
n> categories are, and a count of how many people are in the category.
n> They will _not_ get the names for their own use.

n> I hope this answers your questions and adequately addresses your
n> concerns. If I have omitted anything, or said something that brings
n> new questions to mind, please feel free to write back.

[10] <http://www.tbtf.com/archive/1996-04-07.html>
[11] <http://www.netmind.com/URL-minder/URL-minder.html>
[12] <http://www.netsurf.com/>
[13] <http://www.newshare.com/>

Early in 1995 Daniel Bernstein, a math graduate student at Berkeley, filed a lawsuit against several U.S. government agencies with the intention of rendering unconstitutional the ITAR provisions that limit export of cryptographic algorithms from the U.S. Bernstein claimed that the restriction on his cryptographic algorithm "Snuffle," which he had been fighting since 1991, is unconstitutional prior retraint of protected speech. On 1996-04-15 U.S. District Judge Marilyn Patel ruled that the source code for Snuffle is speech that is protected from prior restraint by the First Amendment to the U.S. Constitution. The decision in this widely followed case will have implications far beyond the issue of cryptographic export; it will affect questions of secure electronic commerce and First Amendment protection of electronic communication.

See [14] for background on the Bernstein case and on the constitutional questions it raises. See [16] for the full text of the Patel decision.

[14] <http://www.albany.globalone.net/theMESH/claw13.html>
[15] [obsoleted]
[16] <http://www.eff.org/pub/Legal/Cases/Bernstein_v_DOS/Legal/960415.decision>

Sometimes the most elegant interfaces are constructed from the crudest components. James M. Julstrom <JJulstrom at aol dot com> hosts a weather page [17] that is a miracle of concision. The main-page interface is a map of the U.S. drawn in monospaced Ascii characters (!) and weighing in at a svelte 25K. Further, the page is set up so that all the action happens through links; the map page itself will rarely if ever need to change, so your browser will almost always load it from cache.

From the map you can link to any of three different current radar views centered on each major U.S. airport, courtesy of IntelliCast [18]. Each letter of the airport's abbriviation links to a different radar portrait: for example, for Boston's Logan Airport, the letter "B" gets you doppler radar, "O" regional composite radar, and "S" regional informative radar. Also in each state a separate four-part legend links to National Weather Service forecasts [19]: hourly, summary, zone, and state. Finally, current regional satellite photos [20] are linked covering the continental U.S. in six JPEG images of about 125K each. Hint: before viewing the map page [17] set your browser's monospaced font to a small size. At 6-point Courier my 14" display spans from the west coast to Ohio, or from the east coast to Colorado.

Go in at Julstrom's top page [21] if you want to be counted by his visitor counter.

[17] <http://members.aol.com/weathernow/index.html>
[18] <http://www.intellicast.com/icast/weather/usa/>
[19] <http://iwin.nws.noaa.gov/iwin/main.html>
[20] <http://rap.ucar.edu/staff/gthompsn/cur_wx/wx_index.html>
[21] <http://members.aol.com/weathernow/>
[21a] <http://www.weather.com/>
[21b] <http://thunder.atms.purdue.edu/>

Bill Cheswick's <ches at plan9 dot bell-labs dot com> home page [22] has never won a whole bunch of awards, so it flaunts the many awards it has never won, at considerable length. Half a megabyte in length. (The elements on the page are small but they are legion.) Give it a glance if you've got (a) copious memory in your computer, (b) copious time on your hands, and (c) fat pipes. Cheswick writes, "...the awards are real, at least most are. They were all collected from sites I visited on the net. The search was aided by altavista with such strings as 'this site awarded,' 'site received the following,' 'we have been awarded,' etc."

[22] <http://cm.bell-labs.com/who/ches/index.html>

I've been running Netscape Navigator 2.01 since it was available on Unix, Mac, and Windows platforms, and it seems recently to have become less reliable about refreshing pages on request from the Net. That is, I will ask Navigator to reload a page whose source I know has changed (e.g., I just changed it), and Navigator will redraw the old page from its cache. Computer Industry Daily for 1996-04-15 carried an item that may explain this behavior. I have not seen any other discussion or corraboration on this problem. (Most of the U.S. switched to Daylight Savings Time 3 weeks ago.)

> Many users of Netscape Navigator 2.0 and beta version 3.0
> experienced a major bug related to shifting clocks to daylight
> savings time. As a result users may view pages stored in cache
> rather than the current Web page without being aware of it. The
> bug affects Mac, Unix, and Windows editions. Temporary work-
> arounds include reverting to an earlier Netscape version, re-
> setting computer clocks to ignore daylight savings time, and
> bypassing or shutting down cache. A Netscape spokesperson
> admitted that the company was aware of the bug but offered no
> further information.