Skinny DuBaud's rumor column [1] in news.com alerted me to a Windows NT 4.0 security problem that allows anyone to consume all the CPU time on an NT Server or Workstation box from across the Internet. A description [2] of the problem was posted anonymously to 32bit.com's Pipeline site on 1/21:

> From your "Start" button, choose "Run..." and then type:

>      telnet some.nt.host.somewhere 135

> Once telnet connects, type 10-20 characters, any characters...
> Then disconnect or exit telnet... CPU usage on the NT 4.0
> machine... will hit 100% and remain there until rebooted. The
> 'rpcss.exe' process will eat the CPU out of house and home.

Two days later another user, Hector Isias, posted this workaround [3]:

> You can enable IP security (Control Panel / Network / protocols /
> tcp ip / properties / advanced) and filter TCP ports. You should
> permit only the neccessary ports: 20, 21, 25, 53, 70, 80, 110,
> 111, 119, 137, 138, 139 and any other required for your specific
> needs. The list above allow you to use NETBIOS over TPC/IP, HTTP,
> Gopher, TCP, etc. It should work even for a proxy server.

---

Note added 1997-06-06: See this table for a summary of all Microsoft security exploits covered by TBTF in 1997.

---

[1] <http://www.news.com/Rumors/0%2C29%2C%2C00.html?nd>
[2] <http://www.32bit.com/pipeline/pipenews.phtml?news=jan97/01219701>
[3] <http://www.32bit.com/pipeline/pipenews.phtml?news=jan97/01239701>

On March 19 the Supreme Court will hear oral arguments in their review of a lower-court ruling that the Communications Decency Act is unconstitutional. The government filed a 55-page brief last week [4], which the ACLU described as "at odds with the extensive factual findings of the trial court." Todd Lapin in the February Wired (p. 46) does some analysis in order to guess how the individual Justices might vote on this issue. He comes up with the Supremes upholding the lower court (i.e., striking down the CDA) by a vote of 6 to 3, with uncertainty in one of majority votes and all three of the minority. I can't point you to an online resource here because Wired doesn't put their print content on the Web until 6 weeks after press time. (Compare this policy to that of Scientific American.)

[4] <http://www.cdt.org/ciec/SC_appeal/970121_DOJ_brief.html>

The Electronic Privacy Information Center has introduced a page [5] to track privacy and online civil-liberties bills introduced in the 105th Congress.

[5] <http://www.epic.org/privacy/bill_track.html>

Opening day of the RSA Data Security conference

See [6] for first-day coverage from the premier crypto conference [7]. Aaron Burns, the recently appointed government "crypto czar" (he hates the term -- "I'm mindful of what happened to the real czar," he says), entered the lions' den and got points for showing up, though he simply reiterated the Administration's line on key recovery. Burns was preceded on the program by separate teleconferenced appearances from House and Senate lawmakers who promised to reintroduce legislation to ease crypto export (it stalled last term).

[6] <http://www.news.com/News/Item/0%2C4%2C7415%2C00.html?nd>
[7] <http://www.rsa.com/conf97/>
This is why you should use a longer key

Yesterday RSA posted the target cyphers in its new challenge (see TBTF for 1997-01-11 [8]) and the simplest, the 40-bit puzzle, was broken 3-1/2 hours later. Ian Goldberg, a UC Berkeley graduate student, announced that he had used about 250 idle machines in the university network to test 100 billion possible keys per hour. The challenge message, once deciphered, read "This is why you should use a longer key." Goldberg wins $1000 from RSA for the quick accomplishment. He is one of the grad students who in 1995 found a Netscape flaw and cracked their 40-bit encryption in under a minute [9]. Goldberg is also signed up as the instructor for the week-long intensive crypto workshop that precedes the Financial Cryptogaphy 97 conference [10] next month on the Caribbean island of Anguilla.

[8] <http://www.tbtf.com/archive/1997-01-11.html>
[9] <http://www.tbtf.com/archive/1995-09-20.html>
[10] <http://www.offshore.com.ai/fc97/>

NIST calls for a new government crypto standard

The National Institute of Standards and Technology has requested [11] a new encryption algorithm to replace the Data Encryption Standard, DES. The new standard is to be called the Advanced Encryption Standard (AES). It must be a public, symmetric-block cipher with a flexible key length, implementable into hardware or software, and free from patent restrictions. The NIST request reflects the marketplace's rejection of the Skipjack algorithm, which was implemented in the Clipper chip. A separate NIST advisory committee made up of government officials and supporters of key escrow is developing a "key management infrastructure" that would be used with AES.

[11] <http://www.epic.org/crypto/aes_notice.html>

Encrypted email coming for Scandanavia / Finland

It was as if an invisible hand wrote these events on the same page. An alliance of Finland, Norway, Sweden, and Denmark plans to introduce a smartcard-based secure email service [12] that will be available to all citizens of these countries. It will use PGP-based RSA encryption with a key length of 1024 bits, and no key escrow or key recovery. A Finnish official said, "Finnish policy has not been to start with regulations and fear of Net issues. The American discussion on this matter has been funny to watch, but I hope nobody in Europe or Finland starts to question the very basics of democracy."

[12] <http://www.wired.com/news/politics/story/1642.html>

A company called GlobeComm Inc. in New York has registered at least 517 domain names (list at [13] -- be warned, some of them are mildly offensive, some quite rude) and is using them as the basis for a "vanity" email and domain-name businesses. GlobeComm runs a domain-name brokerage [14]; they claim to have over 2400 domain names listed for sale, some of them their own, at prices ranging from a few hundred dollars upwards of a hundred thousand. And the company operates a vanity email business based on "iNames" [15], which they describe as a second-generation email P.O. box service. (Compare this service with the relative parsimony of ForeverMail [16], which runs a similar business on four domain names.)

Early in 1996 David Milligan founded VanityMail, which he claims was the first such operation to offer customized addresses, POP service, and lifetime forwarding. Milligan joined forces last year with Gary Millin at GlobeComm. The company is funded by private Wall Street capital and does not disclose earnings. In an interview with Millin and Milligan I asked whether GlobeComm had ever been sued over domain-name issues. Millin responded that the company has been involved in over 40 disputes, but that none has ended up in court. They are all either resolved or the complaintant simply faded away when GlobeComm didn't cower at receiving a cease-and-desist order from a lawyer. "I've got a file cabinet full of them," Millin said

[13] <http://www.tbtf.com/resource/globecomm-domains.txt>
[14] <http://www.bestdomains.com/>
[15] <http://www.scientist.com/>
[16] <http://www.tbtf.com/archive/1996-08-08.html>

The Scout Report outlines a fascinating experimental service [17] -- translation of Web pages from English to one of six other languages, and back.

>>From the Scout Report (1997-01-24):

> SYSTRAN Software, Inc. has made available an experimental (alpha-
> release) web page translation service that will translate non-
> framed pages of 10K or less for any URL you submit (be sure to
> understand what "fully qualified URL" means before you begin),
> from its original langauge to another for selected languages.
> At present, 6 languages (French, German, Italian, Portuguese,
> Spanish, and Russian) are available, though the language trans-
> lated from or to is always English. Translation times can take
> from 30 seconds to 3 minutes or longer, and translations (as
> might be expected) are at times somewhat wooden. This is an ex-
> periment that could foreshadow the hoped-for ideal translation
> services of the future. Note that Netscape and Internet Explorer
> are the only browsers that are fully supported.

Unfortunately the intrepid Internet Scout may have dealt a mortal blow to SYSTRAN, in the same way that a critic can ruin a good, undiscovered restaurant by reviewing it favorably. I finally got TBTF's Jargon Scout page [18] translated into Spanish -- see the result ("Explorador De la Jerga") here [19]. This success followed 19 attempts at all hours of the day and night over the preceding four days. Some of them timed out (taking up to 30 minutes) and some returned "Document contains no data." That's one overloaded translation server.

[17] <http://www.systranmt.com/translate.html>
[18] <http://www.tbtf.com/jargon-scout.html>
[19] <http://www.tbtf.com/explorador-jerga.html>

We all sense that technology is moving fast, but how fast exactly? In this month's Scientific American W. Brian Arthur takes a good shot at answering that question, and the answer is: 10 million times faster than biological evolution. His argument [20] isn't bulletproof but it is certainly thought-provoking. My thanks to Scientific American magazine for their enlightened policy of posting the full content of each issue on the Web at the same time as it hits the newsstand.

[20] <http://www.sciam.com/0297issue/0297wonders.html>

TBTF for 1996-10-31 [21] discussed the parallels between the growth of railroads in America and the spread of the Net in modern time. A similar analogy, this one to the early history of radio [22], has been developed by <bchris at server dot northernnet dot com> and was featured in NetSurfer Digest (1997-01-25):

> Then, as now, there were many innovators, experimenters, and compet-
> ing factions that included national governments. It was possible to
> communicate freely with other individuals worldwide with a small in-
> vestment of time and money. And the big companies wanted to control
> it all for themselves.

The radio analogy provides useful insight into (among other things) the widespresad uncertainty over business models -- i.e., how to make money from the Net. Neil Weiner <nweiner at mcs dot net> points out the ways in which today's Net, still well short of mass uptake and acceptance, compares to radio in the 1920s [23].

[21] <http://www.tbtf.com/archive/1996-10-31.html>
[22] <http://www.the-bridge.net/~bchris/index.htm>
[23] <http://www.backgroundbriefing.com/radio.html>

Easter eggs are the amusing personal messages that engineers leave buried in commercial software. Often they are made visible by some complicated sequence of key presses and screen events, such as "Type Control-Shift-Meta-Cokebottle while moving your mouse over the cockroach icon when the moon is full." See the Easter Egg Archive [24] for hundreds of them. Historically, eggs have been platform-specific, but Netscape -- pioneer that it is -- has introduced the cross-platform egg with its "about:" feature. Try typing "about:logo" into Navigator's Location: box. There used to be an egg at "about:authors" but it has been removed. Try it and Navigator tells you so, too loudly (but keep a close watch on the status line). Type "about:foo" and Mozilla replies with one of two mock-Ebonic phrases, either one of which might be the 90s equivalent of "Syntax error." (The phases come from Americon TV sitcoms of the 1980s: Different Strokes starring Gary Coleman and In Living Color starring Dayman Wayans. Thanks to Rich Holland <holland at pobox dot com> for the details.)

Among the many undocumented things Navigator will tell you about are these two useful ones, turned up by Aaron Breckenridge <dbr056 at airmail dot net>:

about:cache -- lists the contents of Netscape's disk cache
about:global -- lists your global history

The global history is everything you've ever visited; it's how Navigator knows to render a link in the "visited" color. If you're a packrat, as I am, go to Options > General Preferences > Appearance and set "Followed Links Expire" to "Never." Your history file can grow very large if you do this. Mine was 2.8 MB when I asked Navigator about it. The program took a very long time to run out of memory, even after I had granted it 50 MB to play in, and on the Mac at least it can't be interrupted while doing so.

We'll give the last word to Mozilla, the mythical Godzilla-like creature who is Netscape's totem. (I had always assumed that the name derives from "Mosaic gorilla," 900-pound variety; but reader Alejandro Gomez <nezumi at aurora dot teesa dot com> supplied the more reasonable guess that Mozilla's parents are Mosaic and Godzilla. Recall that the original name of the corporation now called Netscape was Mosaic Netscape Communications.)

about:mozilla

> And the beast shall come forth surrounded by a roiling cloud of
> vengeance. The house of the unbelievers shall be razed and they
> shall be scorched to the earth. Their tags shall blink until the
> end of days. -- The Book of Mozilla, 12:10

There are two kinds of people on the Net: those who don't see anything wrong with blinking text and animated .GIFs and those can't abide them. It's a religious issue. The divide that cleaves the two camps is their answer to the following question:

> When you ply the Net, is the experience you're looking for
> like watching TV, or is it like reading?

Thanks to Keith Bostic <bostic at bsdi dot com> for the eggfest.

[24] <http://weber.u.washington.edu/~davidnf/eggs/>

Today's TBTF title comes from The Invisible Hand Society, a shadowy association of journalists whose sole reason for organizing is to foster competition in getting past their respective editors and into print the phrase "It was as if an invisible hand..." They have not invited me to join. Perhaps a journalist who is his own editor and publisher enjoys too great a competitive advantage. (The original popularizer of the invisible hand was Adam Smith, in his book The Wealth of Nations, 1776.)

I recently had the disorienting experience of reading TBTF as it arrived in the email of an AOL subscriber. The default AOL mailer font is proportionally spaced. So for all you AOL subscribers who have been wondering about the meaningless jumble of characters at the beginning of each issue: it's a pair of lips rendered in Ascii characters and intended for monospaced display -- a quaint example of a soon-to-be-forgotten art. Set the mailer's font to Courier; or read TBTF on the Web, you betta' off.

This issue marks the 100th published TBTF. Raise a glass with me.

For a complete list of TBTF's (mostly email) sources, see <http://www.tbtf.com/sources.html>.

E.Commerce Today -- this commercial publication provided background information for some of the pieces in this issue of TBTF. For complete subscription information see <http://www.tbtf.com/resource/e.commerce-today.txt>.

Scout Report -- mail majordomo@dsmail.internic.net without subject and with message: subscribe scout-report . Web home at <http://rs.internic.net/scout/index.html>.

NetSurfer Digest -- mail nsdigest-request@netsurf.com without subject and with message: subscribe nsdigest-html /or/ subscribe nsdigest-text . Web home at <http://www.netsurf.com/>.

TBTF alerts you weekly to bellwethers in computer and communications tech-
nology, with special attention to commerce on the Internet. Published since
1994. See the archive at <http://www.tbtf.com/>. To subscribe send the mes-
sage "subscribe" to tbtf-request@world.std.com. TBTF is Copyright 1996 by
Keith Dawson, <dawson dot tbtf at gmail dot com>. Commercial use prohibited. For non-
commercial purposes please forward and post as you see fit.
_______________________________________________
Keith Dawson               dawson dot tbtf at gmail dot com
Layer of ash separates morning and evening milk.