(A Javascript-enabled browser is required to email me.)
TBTF logo

TBTF for 1998-02-16: Time and bits

Keith Dawson (dawson dot tbtf at gmail dot com )
Mon, 16 Feb 21:33:21 -0400


  • Taking ownership of a security hole -- Lessons we learned from Microsoft: define it and name it to own it

  • What it is -- Whatis.com offers definitions and more with style and grace

  • Time and bits -- This organization wants to build a clock for the ages

  • But is he paranoid enough? -- Mix financial cryptography with a total solar eclipse for a potent brew

  • Quick bits -- Fourth Certicom challenge (ECC2-89) falls; Flaws in a Net Wizards survey; Ad filtering software catching on?; A faster l0phtcrack

Soft Tempest

How your keystrokes could be captured cheaply, and how you can prevent it

Microsoft recently gave $20 million to Cambridge University. As it turns out the gift was accompanied by a request for research into technologies that could help Microsoft combat software piracy. The computer scientist who ended up handling this problem, Ross Anderson, is well known for his work on privacy issues. This apparent cognitive dissonance was questioned on a privacy mailing list after the Washington Post carried a story [1] about Anderson's project, called Soft Tempest. Anderson responded that the Post had gotten it mostly wrong and asked list members to read his paper [2] and make up their own minds. (Note -- this document requires Acrobat Reader 3.0 -- to my 2.0 reader it looked encrypted. Clever, that.)

Tempest is the term for the classified techniques used by military and intelligence agencies to recover information from the incidental electromagnetic radiation emitted by computer components, especially VDTs. The term also applies to the problems of shielding one's own computers so that their radiation can't be intercepted and mined. Little open research has been published about this technology, but it's been generally assumed that to read at a distance what someone types on a computer would require a van-load of very expensive equipment. Anderson's Soft Tempest demonstrates ways to steal information off computer screens for an investment closer to $100 than to $100,000. Further, the research points to methods software manufacturers could use to monitor software piracy from a van driving down the street -- effectively causing your screen to broadcast the serial numbers of installed software programs. (Microsoft professed no interest in pursuing this technique.) Finally, Soft Tempest invented a novel method of obfuscating screen radiation without expensive shielding. The solution lies in specially designed screen fonts.

[1] http://www.washingtonpost.com/wp-srv/WPlate/1998-02/07/060l-020798-idx.html
[2] http://www.cl.cam.ac.uk/~mgk25/ih98-tempest.pdf


Threads Open source software and the Linux OS
See also TBTF for
1999-08-16, 05-22, 03-26, 02-15, 02-01, 1998-11-17, 11-11, 11-03, 10-27, 10-12, 08-31, more...

Eric Raymond on Netscape and open-source software

Free software becomes open source software as the movement goes mainstream

On 2/4 Eric Raymond met with people from Netscape at their invitation. Raymond is the author of the Cathedral and Bazaar paper [3] that Netscape credits as influential in its decision to give away the source code for Communicator. On 2/4 Raymond spoke at a meeting of the Silicon Valley Linux Group. Here is some of what he said, as captured by Stig <stig at hackvan dot com>:

[Raymond] came away from the meetings "with a really good impresion" of the Netscape people. Even their lawyers have clues. It gets better than that: even their marketing people have clues. What a concept!

Of the source release, he said "they really mean it." Sometime between a week from now and the end of March, Netscape will post a prototype of license terms on the Net to invite public comment. He said that several alternatives were being considered but that all of them met the "free software criteria" of the Debian Project [4]. It was suggested that special accommodations for linking against Sun's JDK might be made, which would be a weakening of the normally-viral properties of GPL-style licences.

Other ideas being considered at Netscape were said to include:

On 2/10 Raymond published a call [6] to the free software community to stop using the term free software and begin saying open source software.

[3] http://www.earthspace.net/~esr/writings/cathedral-bazaar/cathedral-bazaar.html
[4] http://www.debian.org/
[5] http://www.gimp.org/
[6] http://earthspace.net/~esr/open-source.html


Microsoft accessibility questioned

The company backs away from its accessibility interface just as the blindness community was beginning to embrace it

The World Wide Web Consortium has released the first installment in its Web Accessibility Initiative [7], a draft guideline [8] for making Web pages accessible to blind readers. The guideline is based on the use of HTML 4.0 and cascading style sheets.

These developments contrast with the controversy surrounding Microsoft's Active Accessibility architecture. MSAA specifies rules that Windows application vendors can follow to make sure their screen displays are available to 3rd-party screen readers. The blindness community had been slow to embrace this Microsoft approach but was moving towards acceptance when a series of postings called into question Microsoft's commitment to MSAA. The questions arose not in regard to Web technology but rather to Microsoft Office.

Curtis Chong, technology director for the National Federation of the Blind, opened up the debate when he posted comments he had received from Steven Sinofsky, general manager of the office products unit at Microsoft. Chong's original posting is archived, with commentary, on the NFB site [9]. Sinofsky's comments indicated that the group developing Microsoft Office was not eager to rely solely on Active Accessibility to pass information to screen-access software used by the blind. Instead the group wanted vendors of this software to use the object models that were already in place in the Office products.

[7] http://www.internetnews.com/wd-news/1998/02/0401-w3c.html
[8] http://www.w3.org/TR/1998/WD-WAI-PAGEAUTH-0203
[9] http://www.nfb.org/msaa.htm


Threads Software patents
See also TBTF for
2000-03-31, 1999-08-30, 06-14, 02-15, 01-26, 01-13, 1998-12-15, 08-31, 05-18, 05-11, 04-27, more...

Multithreading patents are vulnerable

A lone inventor sues Microsoft, but his claims look beatable

One Martin Reiffin has asserted two recently issued patents (Nos. 5,694,603 and 5,694,604) against Microsoft [10]. Reiffin filed the patents in September 1982 and they finally issued, after three appeals, in December 1997. Can you say submarine? Correspondents on Greg Aharonian's Internet Patent News Service (see TBTF Sources [11]) opine that multithreading was not exactly novel in 1982. One writes:

This approach to concurrency should look obvious to anyone
with a solid computer science background from the 70s which
emphasized the hardware and operating system levels.
The patent cites some prior art, but nothing (for example) from CMU's Spice project from the late 70s, whose principal architect, Rick Rashid, has been at Microsoft for years and worked on the original NT team.

[10] http://www.wired.com/news/news/business/story/10251.html
[11] http://www.tbtf.com/sources.html


XML: floor wax and dessert topping

Come on, you know you're going to have to come to grips with XML

Last week Tim Berners-Lee made it official -- XML is a W3C standard [12]. If you keep your ear to the Net's railroad track you will have heard many experts predicting that Extensible Markup Language will be a Big Thing. Why is that exactly? The XML tutorials I've been reading (for example [13]) don't go much beyond describing XML as a meta-markup language. On a private mailing list Gregory Alan Bolcer <gbolcer at gambetta dot ics dot uci dot edu>, a UC Irvine grad student, posted the following pithy summary of what an XML document has in common with an object in a distributed object model.

An object has state. Imagine an XML document sitting around someplace describing the structure of the state. It's an encapsulation, lightweight, easy to transport around the Net, to parse, understand, and change. This it shares with some object models. It's self describing in some way; this it shares with fewer models.

Also imagine you have behaviors (methods). These methods aren't physically co-located and in fact are little snippets of code located elsewhere on the network. This distributed method inheritance is shared with even fewer object models. These behavior snippets can be applets written in Java, Python, Tcl, Ada95, Perl, whatever. They include an XML parser (or not) and have the ability to query and change values in the state -- the XML document -- easily and directly.

Also imagine you have communication restrictions on this document, again very lightweight: filtering domains, requiring permissions, etc. Imagine you can restrict the behaviors you want to by digitally signing these behavior snippets. This capability is embodied by most object models in public, private, and protected methods, but now you have a much finer granularity of how you can control the methods than is offered by just these three classical method types.

Also imagine these behavior snippets, being all distributed, heteregenous (that means cross-language and -platform mostly), tightly controlled but more loosely typed depending upon the enforcement, are sometimes competing with one another. They allow query, locking, renaming, versioning, instancing -- so that concurrency happens at a finer level of abstraction than in the object encapsulations, allowing a type of re-entrancy and multithreading. Sort of like a threaded, persistent object built on top of a lightweight database. Even fewer object models and their implementation languages have persistence and threading built into them.

Imagine having a wide-area event mechanism that allows you to select portions of your state that are relevant to an appropriate task, download it, execute the behavior, and then resynchronize with the original state. The only object model I know that's getting close is Informix Datablades.

Now, here's the kicker: Imagine you have the ability to declare variables dynamically, to declare methods, to version and transistion state, to transport, cache, replicate, broadcast it all over the place to make it mobile and ubiquitious, but be able to utilize a naming and routing scheme such that you always know exactly where it is and how to get to it.

On one end of the spectrum you can do enforcement such that it has all the properties of a C++/CORBA/database program; on the other the possibilites are wide open depending on how you want to enforce the data consistency, access, state tracking, location, whatever.

For further edification, here's a collection of links from webdeveloper.com to XML tutorials, software, and books [14].

[12] http://www.zdnet.com/intweek/daily/980210j.html
[13] http://www.webdeveloper.com/categories/html/html_xml_1.html
[14] http://www.webdeveloper.com/categories/html/html_xml_4.html


Taking ownership of a security hole

Lessons we learned from Microsoft: define it and name it to own it

Miora Security Consultants [15] has come up with a novel way to extract value from a security vulnerability: define it, solve it, name it, and own it. They have invested their own time and expertise researching the dangers of hidden form fields -- not exactly news to Web designers alert to security concerns -- and are well on their way to claiming ownership of this topic. They've named the problem and the solution with their corporate brand as the MSC HFF vulnerability. (I guess that would be pronounced mischief.) Miora gives away white papers detailing the problem and the low-impact solution they have devised, but you have to register on their site to download them. News.com [16] and the NY Times [17] covered the story as if it were security news and not a press release.

[15] http://www.miora.com/
[16] http://www.news.com/News/Item/Textonly/0,25,19108,00.html?pfv
[17] http://nytsyn.com/IMDS%7CCND7%7Cread%7C/home/.../453


What it is

Whatis.com offers definitions and more with style and grace

Net terminology evolving too fast for you? New to the Net and not a techie? Visit Whatis.com [18] for pithy definitions of all those terms you've wondered about. The site is speedy and the definitions are extensively cross-linked so it's easy to spend time exploring. (The definitions are served up with a lightweight ad -- you may see one for a familiar site there -- and a cookie [19].) The site is a labor of love built and meticulously grown by career tech writer Lowell Thing. Whatis.com has won awards and garnered press coverage; it's listed on the user-rated Web 100 [20], where it is currently number 9. Alexa ranks Whatis.com in the top 10,000 sites for traffic [21] -- on this scale TBTF barely registers [22]. Whatis.com is evolving into a destination for Net information of any stripe. Give it a bookmark.

[18] http://www.whatis.com/
[19] http://www.whatis.com/cookie.htm
[20] http://www.web100.com/
[21] http://widener.alexa.com/sitedata/www.whatis.com/
[22] http://widener.alexa.com/sitedata/www.tbtf.com/


Time and bits

This organization wants to build a clock for the ages

The Long Now Foundation [23] held a conference last week called Time and Bits: Managing Digital Continuity [24]. For some time historians and archivists have been worrying about the impermanence of digital media (see TBTF for 1995-07-23 [25] and the January 1995 Scientific American, not online), in contrast to the longevity of paper and stone. Here's how the problem was stated by Danny Hillis, one of the founders of The Long Now Foundation:

Historians will look back on this era and see a period of very
little information. A "digital gap" will span from the
beginning of the widespread use of the computer until the time we
eventually solve this problem. What we're all trying to do
is to shorten that gap.
[23] http://www.longnow.org/
[24] http://www.wired.com/news/news/culture/story/10301.html
[25] http://www.tbtf.com/archive/1995-07-23.html#archival


But is he paranoid enough?

Mix financial cryptography with a total solar eclipse for a potent brew

Next week FC98 [26], the second conference on financial cryptography, kicks off in Anguilla, BWI. The conference happens to intersect in time and place with a total solar eclipse [27], [28]: on February 26 the path of totality will sweep across the Caribbean from South America. Since Anguilla is only a few miles outside the path, the conference organizers have planned an all-day outing by catamaran on eclipse day, all attendees invited. One of the attendees dubbed it the Ecliptical Curve Cruise and the name has stuck. Arrangements have been refined on the FC98 mailing list. On 2/13 one anonymous attendee-to-be posted this worried note:

Interesting "failure point": Cat crammed with almost all of
the cryptographic threats to the hegemony of the States of the
World sails (in the Bermuda Triangle), next to the world's
most active volcano, in the middle of a total eclipse, after
telling the whole world including the Navy Seals and the UK's
Special Boat Squadrons (not to mention the US Space Command
"buried deep under Cheyenne Mountain") exactly when and where
they'll be.

Maybe I'll hang out back at the hotel.

[26] http://www.fc98.ai/
[27] http://planets.gsfc.nasa.gov/eclipse/TSE1998/TSE1998.html
[28] http://planets.gsfc.nasa.gov/eclipse/TSE1998/TSE1998map/T98Fig13.gif


Quick bits

A maze of twisty little items, all different

bul Fourth Certicom challenge (ECC2-89) falls

On 2/7 Robery Harley <Robert.Harley at inria dot fr> announced [29] the defeat of the fourth in Certicom's series of crypto challenges. Harley's ever-growing team, now numbering over 66, has been first to overcome each of the Certicom challenges broken to date. I asked Harley whether any other teams were even working on the problem, and he replied, "Yes, but their code sucks."

[29] http://www.tbtf.com/resource/certicom4.html

bul Flaws in a Net Wizards survey

Dr. Anton Nossik, editor of the Russian-language Evening Internet Daily, sends this note [30] on the Network Wizards January Internet Domain Survey [31], just published. This survey attempts to discover all extant Intetnet hosts by looking at which IP addresses have been assigned. Dr. Nossik points out that the counts and growth rates in this survey for both Russia and Israel are far below the figures obtained by other methods.

[30] http://www.tbtf.com/resource/nw-ru-il.html
[31] http://www.nw.com/zone/WWW/report.html

bul Ad filtering software catching on?

Solid Oak, a success story in the censorware space, announced [32] the addition of a banner-ad blocking feature to their CyberSitter product. They say customers were asking for the feature. The ad-blocking front has been relatively quiet since its first proponent, PrivNet [33], was bought by PGP [34] and their ad-filtering technology shelved.

[32] http://www.news.com/News/Item/Textonly/0,25,19156,00.html?pfv
[33] http://www.tbtf.com/archive/1996-04-28.html#privnet
[34] http://www.tbtf.com/archive/1996-12-02.html

bul A faster l0phtcrack

L0pht Heavy Industries has released a 2.0 version of its l0phtcrack [35] NT password cracker as $50 shareware. The hacker collective claims to be able to decypher an NT password in a week of background computation on a Pentium 200; cracking hundreds or thousands of passwords from the same registry costs little more. The program can get results so quickly because Microsoft is forced to water down NT's security protection for compatibility with Windows 95's weaker LANMAN passwords [36]. L0phtcrack is widely used by system administrators and security consultants to audit password security.

[35] http://www.l0pht.com/l0phtcrack/
[36] http://www.wired.com/news/news/business/story/10303.html


bul For a complete list of TBTF's (mostly email) sources, see http://www.tbtf.com/sources.html.

TBTF home and archive at http://www.tbtf.com/ . To subscribe send
the message "subscribe" to tbtf-request@world.std.com. TBTF is
Copyright 1994-1998 by Keith Dawson, <dawson dot tbtf at gmail dot com>. Com-
mercial use prohibited. For non-commercial purposes please forward,
post, and link as you see fit.
Keith Dawson    dawson dot tbtf at gmail dot com
Layer of ash separates morning and evening milk.

space ______


Copyright © 1994-2023 by Keith Dawson. Commercial use prohibited. May be excerpted, mailed, posted, or linked for non-commercial purposes.