Tasty Bits from the Technology Front: TBTF for 1997-06-16: Joshua fit the battle of Jericho

TBTF for 1997-06-16: Joshua fit the battle of Jericho

Keith Dawson (dawson dot tbtf at gmail dot com)
Sun, 15 Jun 1997 23:07:11 -0500

Messages sorted by:
[ date ][ thread ][ subject ][ author ]
Next message: Keith Dawson: "TBTF for 1997-06-23: Obvious, useful, cool"
Previous message: Keith Dawson: "TBTF for 1997-05-22: Limning the lineaments"

And the walls come a-tumblin' down -- More signs, symbols, and portents that the Administration is losing the battle to restrict encryption export
A Dane finds a nasty Netscape bug but gets no bounty -- Extortionist or public-spirited Netizen? You decide
Anti-spam news -- The FTC may not move against spam, but the Congress is

The Internet weather report -- Everybody talks about the bit-storms, but ClearInk has done something about them
Cinnamon, repent -- The latest installment of Religion on the Net scrutinizes a singular bun in Tennesee

Cryptography export policy
See also TBTF for 2000-02-06, 1999-10-05, 08-30, 08-23, 08-16, 07-26, 05-22, 05-08, 04-21, 03-01, 01-26, more...

And the walls come a-tumblin' down

A recent accelerating cascade of events in the battle for encryption export all point toward defeat for the Clinton Administration's policies. What began as straws in the wind have given way, to extend the metaphor, to trashcan lids, automobiles, and house trailers.

5/19: Sun Goes Around [1]. Sun Microsystems, in a move that seems calculated to apply maximum torque to the noses of B. Clinton and A. Gore, announced that it will sell, worldwide, strong crypto products developed in conjunction with a Russian company in which Sun has invested. The company, Elvis+, will supply cryptographic components for Sun's virtual-tunnel technology. This puts Sun in a position to offer 128-bit and triple-DES (168-bit) crypto anywhere in the world, without key escrow or key recovery. Sun did not apply for an export license, because it will not export the Russian software from US sites. Sun had no hand in its development, beyond publishing the specs to which it was written.
5/21: Sybase Gets a Walk [2]. The current export rules, effective last January, stipulate that companies may apply for permission to export 56-bit crypto only if at the same time they file a plan for implementing key recovery within two years. Sybase announced that it had won approval to export database and server products with 56-bit DES encryption, even though the company has no model for key recovery.
5/28: VeriFone Gets OK for SET [3]. VeriFone announced that its Secure Electronic Transaction -based product suite has received export approval from the Commerce Department. This is the first time a SET-based, end-to-end, full-strength-crypto Net commerce solution has been cleared for export.
5/28: PGP Obtains a Blanket Waiver [4]. Well, sort of. The export rules always contained exceptions for software distributed to the overseas subsidiaries of US corporations. The news is that PGP does not have to apply one at a time for permission to ship its strong crypto products to anyone who works for one of the 107 companies on this list [5].
6/2: A Longtime Administration Backer Rethinks [6]. Dorothy Denning, long the only cryptographer the Administration could count on for support, is starting to waver in her position. "Maybe export controls should be lifted," she said. "But I'm not saying that all controls should be lifted. I've gotten into a state where I don't know and I'm not sure that I ever knew."
6/11: SJ Mercury News Editorializes [7]. In an editorial entitled "Feds have lost the battle against encryption," the San Jose newspaper says "Government warriors should pack up their rusty cannons, admit that they've lost this battle, and learn to live in the 1990s."
6/11: Overheard in the Halls. Declan McCullagh wrote to the Cryptography list: "I ran into Mike Nelson, the Clinton administration's former crypto-spokesperson. Now he's at the FCC... 'I'm so glad to be away from crypto,' he told me."

For past coverage of the debate over cryptography export policy, see TBTF Threads [8].

[1] <http://www.techweb.com/se/directlink.cgi?CWK19970519S0002>
[2] <http://www.sybase.com/inc/corpinfo/press/23f6.htm>
[3] <http://www.verifone.com/corporate_info/html/us_export.html>
[4] <http://www.pgp.com/newsroom/prel34.cgi>
[5] <http://www.pgp.com/newsroom/complist.cgi>
[6] <http://www.zdnet.com/intweek/daily/970602d.html>
[7] <http://www.sjmercury.com/opinion/docs/066550.htm>
[8] <http://www.tbtf.com/threads.html#Tcep>

A Dane finds a nasty Netscape bug but gets no bounty

By now you've probably heard the one about the Danish bounty hunter and the Netscape bug. You haven't? Well, then. Christian Orellana <bug at cabocomm dot dk> is one of two people in CaboComm, a Danish Internet solutions provider in Aarhus, west of Copenhagen. He discovered a way for a Web-site administrator to copy files from the disk of any user of any version of Netscape Navigator or Netscape Communicator, on any platform. Firewalls offer no protection. The user apparently needs to access a password-protected page on the bad guy's site (this is my inference from the various press reports), and the miscreant needs to know or guess a file's exact path and name in order to steal it.

Orellana contacted Netscape on 6/9 but claims he was unsatisfied at the level of seriousness accorded his report. Netscape claims that Orellana refused to share technical details of the bug unless he was paid "a large unspecified amount" of money [9]. (CaboComm remembers it differently [10], [11] -- Orellana says he did not consider Netscape's offer of a $1,000 "bug bounty" an appropriate way to deal with a serious product issue.) Netscape refused to pay up, and later compared Orellana's demands to those of a terrorist. Orellana contacted the press, CNNfn and PC Magazine, and proved to their satisfaction that the bug exists as claimed. CNNfn reported [12] the bug on 6/12, on the final day of Netscape's developers' conference, and Netscape stock dropped about 5 percent. (It has since recovered.)

By 6/13 Netscape had located and fixed the bug with no help from CaboComm; no bounty will be paid. The company will deliver fixes first for Communicator, then for Navigator, beginning this week.

Here is a thoughtful piece [13] on the drawbacks and risks of Netscape's bug bounty program.

[9] <http://www.news.com/News/Item/0,4,11487,00.html>
[10] <http://www.cabocomm.dk>
[11] <http://www.news.com/News/Item/0,4,11502,00.html>
[12] <http://cnnfn.com/digitaljam/9706/12/netscape_pkg/>
[13] <http://www.news.com/News/Item/0,4,11494,00.html>

Email spam and antispam tactics

See also TBTF for 2000-07-20, 1999-07-19, 1998-11-17, 07-27, 03-30, 02-09, 01-12, 1997-11-24, 10-20, 09-29, 09-22, more...

Anti-spam news

The Federal Trade Commission held hearings last week on consumer privacy. Keith Lynch <kfl at clark dot net> attended the session on email spam on the morning of 6/12 and posted an account [14] to several Net-abuse newsgroups. Lynch concludes that the FTC is in no mood to regulate spam at this time. Congress, on the other hand, is pondering three separate anti-spam measures.

5/21, Sen. Frank Murkowski, R-Alaska [15], S.771: Unsolicited Commercial Electronic Mail Choice Act of 1997
5/22, Chris Smith, R-NJ [16], H.R.1748: Netizens Protection Act of 1997
6/11, Sen. Robert Torricelli, D-NJ [17], S.875: Electronic Mailbox Protection Act of 1997

(You can get the latest status on any of these bills from the Thomas site [18]; search by "Bill/Amendment No." I don't provide URLs here because the search results are cached only temporarily.)

The Murkowski bill as filed has been widely critizized because it puts the burden of filtering spam onto ISPs; one observer called it an "unfunded mandate." Worse, it makes a content-based distinction on the commercial nature of spam. First Amendment advocates consider this a no-no. The Smith bill takes the tack of extending the junk-fax ban to cover advertisements delivered by email.

Torricelli's bill is the most Net-friendly of the three: it aims directly at the worst practices of the spammers. S.875 restricts the harvesting of email addresses, and it requires senders of unsolicited email (including noncommercial messages) to use valid reply addresses, to honor "remove" requests, and to comply with Nettiquete regarding spam. Torricelli's bill also opens up spammers to class-action lawsuits. Sad but true: in the US the quick route to social change often involves appealing to lawyers' remunerative interests.

Six states also have anti-spam legislation pending. Here is a valuable site [19] for tracking both state and federal legislation. Finally, for those who can't wait for legislative relief, peruse this collection of anti-spam sites and resources:

Outlaw Junk E-mail Now! [20]
No Junk E-mail [21]
Blacklist of Internet Advertisers [22]
Stop Junk E-Mail [23]
Private Citizen anti-junk e-mail site [24]

[14] <http://www.clark.net/pub/kfl/ftc.html>
[15] <http://www.senate.gov/~murkowski/commercialemail/EmailBillText.html>
[16] <http://www.jmls.edu/cyber/statutes/email/npa1.html>
[17] <http://www.senate.gov/~torricelli/junkmail.html>
[18] <http://thomas.loc.gov/bss/d105query.html>
[19] <http://www.jmls.edu/cyber/statutes/email/>
[20] <http://www.public.asu.edu/~dtopping/ojen.html>
[21] <http://www.ripco.com:8080/~glr/nojunk.html>
[22] <http://www.cco.caltech.edu/~cbrown/BL/>
[23] <http://www.mcs.com/~jcr/junkmail.html>
[24] <http://www.ctct.com/>

The Internet weather report

No, we're not talking climate-type weather here on earth as reported via the Internet. We're talking bitwise weather. Storms in the aether. The ebb and flow, the squalls and bottlenecks on the largest Net backbone carriers. The folks at ClearInk [25], a California "E-vertising" agency, offer the indispensible Internet Weather Report [26]: a quick-loading tabular summary, updated every 15 minutes, of packet loss and "ping" round-trip times from their location to 15 nationwide carriers. At this moment AGIS is losing 8% of the packets ClearInk sends them. Why? Perhaps it's due to the hackings, flames, and vandalism [27] directed against this ISP, the only remaining safe haven for "spam king" Sanford Wallace's Cyber Promotions. (For more on CyberPromo, visit TBTF Threads [28] and follow one of the two spam topics.)

[25] <http://www.clearink.com/>
[26] <http://www.internetweather.com/>
[27] <http://www.news.com/Rumors/0%2C29%2C00.html>
[28] <http://www.tbtf.com/threads.html>

Cinnamon, repent

The latest addition to Religion on the Net [29] relates only obliquely to religion: it's a page celebrating the NunBun, a cinnamon bun that emerged from the ovens of the Bongo Java coffee shop, in Nashville, Tennesee, molded into an unmistakable likeness of the good woman of Calcutta [30] -- one of only five people ever voted by Congress to the distinction of honorary citizen of the United States of America, in the company of William Penn and Raoul Wallenberg. Christopher Hitchens reflects pithily on the story in The Nation [31]; his article is entitled "Mother Theresa on a Roll."

[29] <http://www.tbtf.com/religion.html>
[30] <http://www.qecmedia.com/nunbun/>
[31] <http://www.thenation.com/issue/970317/0317hitc.htm>

Notes

Joshua fit the battle of Jericho (sometimes spelled "fought" and occasionally "fit de") is a spiritual of American origin. You can get a sense, if only a dim one, of the tune from this soulless rendition [32]. The song tells the Biblical story of Joshua reducing to rubble the walls of a contemporaneous city (from Joshua 4.1 [33]).

[32] <http://www.wizard.net/~dsr/dt106/joshua.mid>
[33] <http://tn.areaguide.com/sr/kjv/josh/4.html>

Those of you who have visited TBTF on the Web in the last few days have noticed that I've begun producing this newsletter in daily installments. The Tasty Bit of the Day will be posted on each day by 9:00 am in my time zone (GMT -0400 / -0500). The retro-push (email) edition should be in your mailboxes each Monday morning. This new regime will allow me to begin producing TBTF on a predictable schedule despite my own somewhat unpredictable one.

My consulting business now has a name -- The Technology Front -- and a home page -- <http://www.technologyfront.com/>. Do visit if you're curious about what I do for a living or if you think you might be able to use my services.

Please welcome The Technology Front's first partner company, Ingenius Technologies, Inc. [34], and check out their javElink [35] service. javElink was reviewed in TBTF for 1997-03-21 [36].

[34] <http://www.ingetech.com/>
[35] <http://www.javelink.com/>
[36] <http://www.tbtf.com/archive/1997-03-21.html>

Sources

For a complete list of TBTF's (mostly email) sources, see http://www.tbtf.com/sources.html>.

E.Commerce Today -- this commercial publication provided background information for some of the pieces in this issue of TBTF. For complete subscription details see <http://www.tbtf.com/resource/E.CT.txt>.

Cryptography -- mail majordomo@c2.net without subject and with message: subscribe cryptography [ your@email.address ] .

TBTF home and archive at <http://www.tbtf.com/>. To subscribe
send the message "subscribe" to tbtf-request@world.std.com. TBTF is
Copyright 1994-1997 by Keith Dawson, <dawson dot tbtf at gmail dot com>. Com-
mercial use prohibited. For non-commercial purposes please forward,
post, and link as you see fit.
_______________________________________________
Keith Dawson               dawson dot tbtf at gmail dot com
Layer of ash separates morning and evening milk.

Next message: Keith Dawson: "TBTF for 1997-06-23: Obvious, useful, cool"
Previous message: Keith Dawson: "TBTF for 1997-05-22: Limning the lineaments"


TBTF HOME	CURRENT ISSUE	TBTF LOG	TABLE OF CONTENTS	TBTF THREADS	SEARCH TBTF