TBTF for 8/25/97: Ants go marching

Keith Dawson (dawson@world.std.com)
Mon, 25 Aug 1997 22:05:36 -0500


T a s t y  B i t s  f r o m  t h e  T e c h n o l o g y  F r o n t

Timely news of the bellwethers in computer and communications
technology that will affect electronic commerce -- since 1994

Your Host: Keith Dawson

This issue: < http://www.tbtf.com/archive/08-25-97.html >

C o n t e n t s

Bring me a rock
Two crypto challenges
Crack a Mac Challenge reopened
Win a million
Comments on domain naming
The market is rejecting ActiveX
Final dispatch from IETF Munich

..Bring me a rock

The Commerce Department is circulating for comment proposed changes to
the rules that govern the export of cryptography. The changes mostly
fine-tune the mechanics of key recovery, but one whopper lurks in the
dense thicket of governmentese [1]. This is the proposal that anyone
in the US running a Web site from which crypto products can be down-
loaded might have to submit to a review by the Bureau of Export Affairs.
A NY Times story on the proposal is mirrored here [2]. If such a rule
goes into effect, companies such as Netscape, PGP, and Microsoft will
get to play the game of "bring me a rock" with government bureaucrats.
The game is beloved of Dilbertesque managers everywhere. The victim,
left to guess at the criteria for success, winds up carrying numerous
rocks upstairs to be judged wanting. Netscape's Peter Harter observes
that the proposed policy violates the spirit of Vice President Gore's
public stance toward regulating online commerce: the principle of "do
no harm." "I'm not aware of any procedure that would require retail
stores such as Fry's or Egghead to apply to the Commerce Department,"
Harter said.

[1] http://jya.com/bxa-ei-rule.htm
[2] http://jya.com/bxa-nyt.htm

..Two crypto challenges

1. Crack a Mac Challenge reopened

The Crack a Mac Challenge [3], which was broken Sunday [4], was reinstated
24 hours later after a Macintosh development company, Blue World Com-
munications, worked around the clock to fix the bug in their CGI pro-
duct that allowed the crack. Below is the note from Joakim Jardenberg
<joakim@infinit.se> announcing the reopening of the challenge.

> Crack a Mac is back again! It's true!!!

> The crack that was made possible due to a combination of
> different functions on the server has now been blocked by a
> patch for Lasso.

> Blue World did an amazing effort and released a patch for
> Lasso in less than 24 hours, and on a Sunday as well. The
> patch is recommended for all Lasso users running both versions
> 1.2 and 2.0 and can be found here [5].

> Blue World also proves what a great company it is by
> sponsoring the reward to Starfire, who found out how this
> combination could be exploited.

> More details on the combination will be posted soon.

> So the bottom line is -- Crack a Mac is back, we all have
> learned a lot, and we now have an even more secure server
> to trust.

> Best regards

> /Jocke

Apple's Chuq Von Rospach <chuqui@plaidworks.com> sent the follow-
ing details of the cracker's method.

> The site ran two third-party CGIs -- SiteEdit and Lasso. The
> first is, as you might think, a way to edit and update a web
> site through a CGI instead of FTP. Think of it as Netscape's
> file upload on steroids. Rather nice product. Lasso is a CGI
> database interface to FileMaker Pro.

> The latter was used to implement a guestbook on the site.
> Lasso... [leaves] a pointer to its "error" html file in the
> html available to the user. [The cracker] noticed that, and
> rewrote the form so that the error file field now pointed to
> the filename of the password file for SiteEdit. Then he queried
> a non-existent file, and Lasso happily sent him the password
> file.

> Oops. SiteEdit kept everything cleartext. Because obviously,
> there's no need to protect it: WebStar has a special MacOS
> signature byte which says "never download this, period." So
> there was no way to get the file without cracking the machine,
> so... Except Lasso didn't sanity-check its filenames and
> didn't honor the "no download" file restriction.

> So this crack has nothing to do with MacOS or Webstar. It's a
> problem in Lasso that takes advantage of something SiteEdit
> did. Lasso's patch is already on Blue World's website.

> Nice hack. A bunch of CGI authors need to go rethink their
> security. If Lasso does this, I'm sure others will too, and
> people will go snooping now that someone's thought of it. And
> it's another great reminder that passwords ought never to be
> cleartext, even if you keep them in your shorts.

> And I'm waiting for the first writer to make the assumption
> that this means the MacOS is insecure.

[3] http://hacke.infinit.se/
[4] http://www.tbtf.com/archive/08-18-97.html#s01
[5] http://www.blueworld.com/lasso/security_update.html
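The flaw Chuq describes has two halves: a CGI that turned a form field straight into a file name, and a credential file kept in cleartext. The following is an added illustration written for this issue, not code from Lasso, SiteEdit or Blue World. It stands up a constructed document tree in a temporary directory, shows the unchecked lookup beside a confined one (resolve the path, keep it inside the error-page directory, honour a "never download" marking, serve only .html), and stores a password as a salted PBKDF2 hash so a leaked file no longer yields working passwords. The directory names, the sample password and the NO_DOWNLOAD set are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

# Constructed stand-in for the site's web root: an "errors" directory holding
# the only files an error-page field should ever name, and a "secret" directory
# holding a made-up SiteEdit-style password file.
ROOT = Path(tempfile.mkdtemp(prefix="crackamac_")).resolve()
(ROOT / "errors").mkdir()
(ROOT / "errors" / "notfound.html").write_text("<p>record not found</p>")
(ROOT / "secret").mkdir()
(ROOT / "secret" / "passwords.txt").write_text("webmaster:hunter2\n")  # constructed
# Stand-in for WebStar's "never download this" marking: paths the server itself
# refuses to serve. A CGI that opens files on the server's behalf must check it too.
NO_DOWNLOAD = {(ROOT / "secret" / "passwords.txt").resolve()}


def serve_error_page_vulnerable(error_file_field: str) -> str:
    """What the note describes: the form field is used as a file name with no
    check, so any file the CGI process can read is returned to the browser."""
    return (ROOT / error_file_field).read_text()


def serve_error_page_hardened(error_file_field: str) -> str:
    """Same feature with the missing checks: confinement to the error-page
    directory, an .html-only rule, and respect for the no-download marking."""
    allowed_dir = (ROOT / "errors").resolve()
    # Resolve ".." and symlinks first, then compare against the allowed directory;
    # a string-prefix test on the raw field would not catch traversal.
    candidate = (allowed_dir / error_file_field).resolve()
    if allowed_dir not in candidate.parents:
        raise PermissionError(f"{error_file_field!r} escapes the error-page directory")
    if candidate.suffix.lower() != ".html":
        raise PermissionError(f"{error_file_field!r} is not an error page")
    if candidate in NO_DOWNLOAD:
        raise PermissionError(f"{error_file_field!r} is marked never-download")
    return candidate.read_text()


# The second lesson in the note: a leaked credential file should not hand over
# usable passwords. Store a salted PBKDF2 hash instead of cleartext.
PBKDF2_ROUNDS = 200_000


def make_password_record(password: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"


def check_password(record: str, password: str) -> bool:
    _, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    # Constant-time comparison so timing does not leak how much of the hash matched.
    return hmac.compare_digest(digest.hex(), digest_hex)
```

Running `serve_error_page_vulnerable("secret/passwords.txt")` returns the constructed password line, which is the whole attack in one call; the hardened version rejects the same field, an absolute path, and any "../" variant before it ever opens a file, and only the contents of `errors/*.html` can come back.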

2. Win a million

A couple of years back Elementrix claimed [6] to offer encryption
based on the cryptographers' holy grail, the one-time pad. But the
claim proved hollow [7]. Now a startup called Crypto-Logic Corp.
[8] has the genuine article. It's offering a $1M prize to anyone
who can decipher a simple English challenge message within a year's
time. Sure, why not a million, the encryption technique is provably
unbreakable. Each message is encrypted by a key as long as the mes-
sage itself and the keys are used once only. The software, Ulti-
mate Privacy, runs on Windows 95 and NT. It costs $99 and includes
two software pads, which allow you to encrypt 2000-4000 messages
between yourself and a single recipient. The company sells pads for
use if you exhaust the first pair, or if you wish to encrypt mes-
sages to a second recipient, but I could not find a price on their
Web site.

[6] http://www.tbtf.com/archive/10-03-95.html
[7] http://www.tbtf.com/archive/12-18-95.html
[8] http://www.ultimateprivacy.com
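The "provably unbreakable" claim rests on two conditions the article names: the key is as long as the message, and each stretch of key is used exactly once. The following is an added example written for this issue, not Crypto-Logic's product code and not a description of how Ultimate Privacy's pads are formatted. It models a pad as a buffer of OS-random bytes that sender and recipient each hold a copy of and consume in step, refuses to rewind when the pad runs out, and includes a small function showing what an eavesdropper gets when the same key bytes are reused (the XOR of the two plaintexts), which is why a second recipient needs a second pad. The class and function names are assumptions of the example.

```python
import secrets


class OneTimePad:
    """A pad of random key bytes consumed once, left to right. Sender and
    recipient each hold an identical copy (delivered out of band, like the
    boxed software pads in the article) and keep their own offset, so no byte
    of key ever covers more than one message."""

    def __init__(self, pad: bytes):
        self._pad = pad
        self._offset = 0

    @classmethod
    def generate(cls, size: int) -> "OneTimePad":
        # Key material must be truly random and as long as all the traffic it
        # will ever protect; secrets.token_bytes draws from the OS CSPRNG.
        return cls(secrets.token_bytes(size))

    def remaining(self) -> int:
        return len(self._pad) - self._offset

    def _take(self, n: int) -> bytes:
        if n > self.remaining():
            raise RuntimeError("pad exhausted: obtain a fresh pad, never rewind")
        chunk = self._pad[self._offset:self._offset + n]
        self._offset += n
        return chunk

    def apply(self, data: bytes) -> bytes:
        """XOR data with the next len(data) pad bytes. Encryption and decryption
        are the same operation as long as both sides stay in step."""
        key = self._take(len(data))
        return bytes(d ^ k for d, k in zip(data, key))


def roundtrip(message: bytes, pad_size: int = 64):
    """Sender and recipient share one pad copy each; returns (ciphertext, recovered)."""
    shared = secrets.token_bytes(pad_size)
    sender, recipient = OneTimePad(shared), OneTimePad(shared)
    ciphertext = sender.apply(message)
    return ciphertext, recipient.apply(ciphertext)


def two_time_pad_leak(m1: bytes, m2: bytes) -> bytes:
    """Why the pad is single-use: if the same key bytes cover m1 and m2, XORing
    the two ciphertexts cancels the key and leaves m1 XOR m2, from which known
    plaintext in one message exposes the other. Returns c1 XOR c2."""
    key = secrets.token_bytes(max(len(m1), len(m2)))
    c1 = bytes(a ^ b for a, b in zip(m1, key))
    c2 = bytes(a ^ b for a, b in zip(m2, key))
    return bytes(a ^ b for a, b in zip(c1, c2))
```

The article's "2000-4000 messages" per pad pair is simply the pad length divided by average message length: `remaining()` is the only capacity figure that matters, and when it reaches zero the correct response is a new pad, not a wrap-around.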

..Comments on domain naming

On 7/1 the Commerce Department's National Telecommunications and In-
formation Administration requested public comments [9] on Internet
domain naming, to be submitted by 8/18/97. Over 300 responses [10]
were filed (32 of them on the deadline date). NTIA doesn't make it
easy to get an overview of the responses: the Web page presents them
sorted by date received, with no index of submitters and no ability
to search. The 18 people and organizations who responded non-elec-
tronically [11] fared better -- they got indexed by name and their
contributions are available by individual URLs, not aggregated with
all the other respondents of the day. Coverage by news.com [12] and
Wired [13] tends to stress the various and flaky nature of the many
contributions, a stark demonstration of why the Internet has evolved
on the basis of "rough consensus." In cyberspace consensus doesn't
come any other way.

Here are highlights from the thoughtful responses of three serious

Policy Oversight Committee [14] -- the body carrying forward the
proposals of the International Ad Hoc Committee -- offered a detailed
response. The document gives some insight into the thought behind
the positions that emerged in the gTLD Memorandum of Understanding.
The POC points out the sheer volume of Internet community input the
IAHC considered and worked into its proposals, implicitly calling
into question the wisdom of the NTIA's decision to start the comment
process all over again.

Computer Professionals for Social Responsibility [15] -- CPSR wants
to pull back and allow time for far wider input into the IAHC pro-
cess. "Whatever its merits, the IAHC process was closed, rushed and
unbalanced," the CPSR opines. They believe that there is "no current
crisis" needing immediate resolution.

Electronic Freedom Foundation -- The EFF's position paper had not been
posted at this writing; when it is it will probably appear here [16].
The EFF generally supports the gTLD Memorandum of Understanding, but
is not a signatory to it. EFF's views diverge from the IETF position
over the question of the balance of rights. EFF regards the IAHC pro-
posal as highly skewed toward the rights of the holders of intellec-
tual property, at the expense of other Net stakeholders. The EFF paper
slaps NSI for trying to claim the original top-level domains as their
own property.

[9] http://www.ntia.doc.gov/ntiahome/domainname/dn5notic.htm
[10] http://www.ntia.doc.gov/ntiahome/domainname/domainname.htm
[11] http://www.ntia.doc.gov/ntiahome/domainname/not-emailed/
[12] http://www.news.com/News/Item/0,4,13669,00.html
[13] http://www.wired.com/news/news/politics/story/6297.html
[14] http://www.gtld-mou.org/docs/poc-doc-rfc.html
[15] http://www.cpsr.org/dox/issues/names.html
[16] http://www.eff.org/pub/GII_NII/DNS_control/

..The market is rejecting ActiveX

International Data Corp. did a survey of 20 million web pages and
found less than 1000 using ActiveX. This remarkable factoid ap-
peared in the August 1997 Boardwatch in an article by Doug Shaker,
who notes, "That, my friends, is less than .005 percent. If that
doesn't constitute market rejection, I don't know what does."
Here's another metric: the numbers of packages linked on Web pages
devoted to ActiveX and to its rival technology, Java. Even discount-
ing the categories on the Gamelan site that represent other than
code, Java still enjoys a better than 10-to-1 advantage. Thanks to 
Jon Cox <jcox@cs.tufts.edu> for the pointer to Boardwatch.

ActiveX (from www.activex.com)         Java (from www.gamelan.com)
Browser Enhancements         34        Arts and Entertainment      259
Online Applications          20        Business and Finance        215
Tools & Utilities           240        Commercial Java             449
Site Development             56        Educational                 813
Application Development     250        Games                      1204
Database Connectivity        30        How-to and Help              71
Control Development          13        Java-Enhanced Sites         787
                                       JavaBeans                    48
(total)                     643        Miscellaneous               119
                                       Multimedia                  455
                                       Network / Communications    414
                                       Programming in Java        1302
                                       Publications                172
                                       Related Technologies       1398
                                       Special Effects             829
                                       Tools and Utilities         676
                                       (total)                    9211

..Final dispatch from IETF Munich

Rodney Thayer <rodney@sabletech.com>, coderpunk and bon vivant, sent
dispatches to TBTF from the week-long meeting of the Internet Engin-
eering Task Force in Munich. Here is his final bulletin. The entire
week's reporting on the folks who define the Net resides on the TBTF
archive [17] by permission.

..In Cyberspace, Nobody can see you fall asleep in your soup

It's Monday evening. The IETF meeting ended last Friday, at approx-
imately 11:30 AM, local time.

So why am I writing this on Monday? Well, as the techies would say,
"the IETF doesn't scale well."

It seems that, TRADITIONALLY, IETF meetings were always four days in
length. However, due to the number of groups meeting, that became
difficult. They even went to evening meetings (thus interfering with
the important business of schmoozing with one's fellows) and still
four days wasn't enough. So it finally dawned on them to expand the
meeting to five days. This was a fine idea, except that the tradi-
tional thing to do was to shut down the network in the terminal
room late Thursday or early Friday. This meant that the network con-
nection went away moments after the end of the last meeting, thus I
was stuck (gasp!) without an Internet feed.

Add to this the incompatibility of German telephones and my US
modem, plus a day's travel to get back to my office, and you end up
with me writing the Day Five report on Monday.

But back to my IETF story.

On Friday, we had the IPsec meeting. Now at this meeting we had
one mild disagreement, one calmly worded surprise, and a couple
of relatively new observations. Since we have nineteen documents
(actually, I count 21, but what's two drafts among 175 debating
Internet folk?), this is considered a mild meeting. There
are drafts for architecture, packet formats, almost a dozen en-
cryption ciphers (don't blame me, my name's only on four of the
documents), and miscellaneous other proposals.

The good news is, people are definitely realizing that [Attention
news flash here] people are currently using the Internet without
encryption. Since this is happening, there is agreement -- "rough
consensus" as the mantra says -- that we need to get this stuff
done as soon as possible.

There are still problems. The main document that isn't done is the
architecture spec. This means we wrote 20 or so documents based on
an old architecture spec and some notes written on the back of an
envelope. Some have characterized this as "firing a gun and then
running ahead of the bullet to paint a target where it's going to
hit." This may be true, but in all fairness this is the third gen-
eration of the architecture document, so at least for those hardy
folk who have been around for a while the architecture is known.

The scary thing is, there was consensus on another point: with all
those documents, we realized that sometime soon we are bound to
hear that someone has written "IP Security For Dummies".

[17] http://www.tbtf.com/resource/ietf-munich-rt.html


Web publishing doesn't get any easier than this. Myrmidon, from
Terry Morse Software, is a Macintosh-only product that lets you
generate a Web from any document you can print. The print-driver
approach to format conversion was pioneered to good effect by
Adobe in the Acrobat family of products. Myrmidon does a smart
job of figuring out where the headers, lists, and tables are in
a document and generates appropriate (and readable!) HTML. The
result is a Web document that we might call WYSIWYU (what you see
is what you upload), but only if we were very tired. The WYS is
accomplished by invisible tables and invisible spacer images, a
technique honed by NetObjects Fusion and GoLive CyberStudio. Myr-
midon version 1 has been shipping for a year [18] and version 2
is just out in beta [19]. The author, asked about the imminence
of a Windows port, replied that he needed to grow the business
first. (Terry Morse Software at this point is just him.) If you
develop Webs in a Mac environment by all means download the beta
[19]. Better yet, buy Myrmidon version 1.2 now -- Cyberian Out-
post has it for $49.95 [20] and MacWarehouse for $54.95 [21] --
and upgrade when v2.0 is ready.

[18] http://www.terrymorse.com/comments.html
[19] http://www.terrymorse.com/
[20] http://www.cybout.com/cgi-bin/product_info?item=16947
[21] http://www.warehouse.com/oasis/bin/catproduct.dll?product_id=8330

N o t e s

> Today's TBTF title comes from a children's camp song taught to me by
my wife in a moment when I couldn't defend myself. Catchy little
tune. A Myrmidon was one of the legendary Greek warrior people of
ancient Thessaly who followed their king Achilles on the expedition
against Troy. Today a myrmidon is a faithful follower who carries
out orders unquestioningly. ("Do what I mean.") The word derives
from the Greek murmex: ant.

S o u r c e s

> For a complete list of TBTF's (mostly email) sources, see
< http://www.tbtf.com/sources.html >.

TBTF home and archive at < http://www.tbtf.com/ >. To subscribe
send the message "subscribe" to tbtf-request@world.std.com. TBTF
is Copyright 1994-1997 by Keith Dawson, <dawson@world.std.com>.
Commercial use prohibited. For non-commercial purposes please
forward, post, and link as you see fit.
Keith Dawson dawson@world.std.com
Layer of ash separates morning and evening milk.
