TBTF for 8/31/98: Unclear on the concept

Keith Dawson (dawson@world.std.com)
Sun, 30 Aug 1998 21:19:27 -0500


TBTF for 8/31/98: Unclear on the concept

T a s t y B i t s f r o m t h e T e c h n o l o g y F r o n t

Timely news of the bellwethers in computer and communications
technology that will affect electronic commerce -- since 1994

Your Host: Keith Dawson

This issue: < http://www.tbtf.com/archive/08-31-98.html >

C o n t e n t s

New domain-name organization taking form
Old emails haunt Microsoft
Dam breaks on e-commerce patents
Killer Java applet sacks NT systems
Linux community comes together over LSB standards effort
Web Standards Project challenges browser developers
HotMail, others vulnerable to JavaScript exploit
IBM gives away a security breakthrough
Unclear on the concept

..New domain-name organization taking form

"New IANA" plan pleases most of the people, most of the time

After a summer of meetings around the world [1], the "stakeholders"
are near agreement on how to form the new corporation that will
oversee Internet numbers and domain names. The proposal that has
risen to the top was put forward by Jon Postel, head of the current
Internet Assigned Numbers Agency. The proposed organization is being
called, for the time, the "New IANA." Here are its FAQ [2], arti-
cles of incorporation [3], and the third iteration of its bylaws
[4]. Some of the salients:

- The New IANA will be a nonprofit organization based in Los

- The organization's main objectives will be to undertake what-
ever is necessary to maintain the operational stability of
the Internet and to manage the allocation of new top-level
domain names.

- It will managed by a nine-member board of directors that will
notify the public of any meetings via the Internet at least
14 days in advance.

- No government member can become a board member, but govern-
ments will have input through a special advisory committee.

- No more than half of the members of the board of directors can
be from one geographic region.

- Directors will serve three-year terms and will receive no pay.

The New IANA must be up and running by September 30, when the US
government's contracts with IANA and the InterNIC expire. This stage
of the process aims only to form a New IANA that derives legitimacy
and authority from the support of all parts of the Internet commun-
ity worldwide. Most of the hard questions left unresolved by the US
government's white paper [5] are still unresolved, and will be early
on the agenda for the new organization.

Thanks to Adam Rifkin <adam@cs.caltech.edu> for this pointer.

[1] http://www.tbtf.com/archive/06-29-98.html#s03
[2] http://www.iana.org/message-faqs.html
[3] http://www.iana.org/articles1.html
[4] http://www.iana.org/bylaws3.html
[5] http://www.tbtf.com/archive/06-08-98.html#s01

..Old emails haunt Microsoft

The smoking gun that shot DR-DOS

The Red Herring broke this story [6] last week containing some of
the most damaging information on Microsoft's practices that I have
seen made public. The memos in question were in the hands of the FTC
when they were probing Microsoft in the early 1990s, but have only
recently come out from under seal in the Caldera lawsuit [7]. The
story was written by reporter Wendy Goldman Rohm from research for
her book "The Microsoft File: The Secret Case Against Bill Gates"
[8]. The Wall Street Journal picked up the story [9] (subscription
required) and tied more of the threads together, but without credit-
ing Rohm. (The WSJ had received a review copy of "The Microsoft

The memos are email conversations among Microsoft executives in 1991
and 1992 that discuss deliberately crippling a beta copy of Windows
3.1 so it would produce an obscure error message if run atop DR-DOS,
a competing operating system now owned by Caldera. The code to check
for the existence of DR-DOS was encrypted and obfuscated -- it was
the only encrypted code in the beta -- but was cracked by programmer
Andrew Schulman and published in Dr. Dobbs Journal in 1993. Schulman
discovered that the code searched for two tiny differences between
MS-DOS and DR-DOS, and when it found the latter it halted the ma-
chine. The WSJ article [9] ties together the code and Microsoft's
statements at the time with the executives' email memos, and with
the drop-off-a-cliff revenues for DR-DOS following the rigged Win-
dows 3.1 beta. Here's a quote from email sent by Microsoft Senior
VP Brad Silverberg in 1992:

> "What the guy is supposed to do is feel uncomfortable and,
> when he has bugs, suspect the problem is DR-DOS and then
> go out to buy MS-DOS, or decide not to take the risk for
> the other machines he has to buy for in the office."

Microsoft says the memos were taken out of context, that in the
Microsoft culture email is a vehicle for trying out ideas, and
that the company was merely trying to control support costs with
the non-MS-detecting software. Wherever the truth lies, this
material could sway a jury in the Caldera case (which isn't
scheduled to come to trial until next June), or in the antitrust
case, if the feds or the states choose to introduce it.

I hope to review "The Microsoft File" [8] in an upcoming TBTF.

Thanks to Dan Kohn <dan@teledesic.com>, a regular TBTF Irregular,
for pointing out this story.

[6] http://www.redherring.com/insider/1998/0825/microsoft.html
[7] http://www.tbtf.com/archive/04-27-98.html#s03
[8] http://www.amazon.com/exec/obidos/ASIN/0812927168/tbtf
[9] http://interactive.wsj.com/articles/SB904177645701365500.htm

..Dam breaks on e-commerce patents

Thought software patents were trouble? Next it's business models

Over the last 12 years US patent examiners, lacking the
expertise and the resources to research prior art, have issued
thousands of arguably bad patents for software inventions. Owing
to the length of the application process, the mid-1990s saw the
first lapping waves of what may become a floodtide of costly lit-
igation over software patents. TBTF has been following this trend
since 1995 [10], [11]. In the last week the mainstream technology
press has produced its own flood of articles on the topic of pat-
ents and their likely impact on e-commerce. What got the hive
stirred up was a July appeals court ruling favorable to patents
on business processes [12], [13], which lawyers are regarding as
a landmark. News.com paints the following scenario [14] to bring
home the impact of patents on Net business models:

> You're an Internet merchant ramping up for the holiday shop-
> ping season. Your store uses a shopping cart for buyers to
> select purchases, accepts credit card payments, and offers
> airline frequent flyer miles for purchases. You pay people who
> click on your banner ads and send email to notify regular
> customers of promotions, including a URL so they can go dir-
> ectly to the right page. For close-out items, you let shoppers
> name their price for an item... Call your patent attorney,
> because you may be violating six e-commerce patents, all is-
> sued since March.

Here are several companies recently granted e-commerce patents that
will be bolstered by the appeals-court ruling -- news.com lists five
more [12]:

- Priceline.com (Connecticut), for its buyer-driven, "name-your-
price" business model [15]

- NetDelivery (Colorado), for a proprietary billing and catalog-
ing process [16] that it says covers all "push" technologies

- Cybergold (California), for its "paying for eyeballs" advertising
model [17], [18]

UC Berkeley law professor Pamela Samuelson says, "If patents worked
for manufacturers, surely they will work for the information econ-
omy" -- encouraging innovation instead of stifling it. I have serious

[10] http://www.tbtf.com/threads.html#Tspx
[11] http://www.tbtf.com/resource/sw-patents.html
[12] http://www.news.com/News/Item/Textonly/0,25,25705,00.html?tbtf
[13] http://www.law.emory.edu/fedcircuit/july98/96-1327.wpd.html
[14] http://www.news.com/News/Item/Textonly/0,25,25703,00.html?tbtf
[15] http://www.news.com/News/Item/Textonly/0,25,25111,00.html?tbtf
[16] http://www.news.com/News/Item/Textonly/0,25,25562,00.html?tbtf
[17] http://www.techweb.com/wire/story/TWB19980824S0009
[18] http://www.patents.ibm.com/details?patent_number=5794210

..Killer Java applet sacks NT systems

Whatever you do, don't push that big red button

On August 14 a Norwegian programmer discovered how to write a Java
applet that, when run, can bring down a Windows NT system. This is
not supposed to be possible, of course. Tonny Espeset <esp2@online.-
no> accomplishes the trick by calling some Java methods with out-of-
bounds arguments (the exploit page does not give details), and on
about half of the NT systems tested the applet immediately crashes
the system right down to a white-button reboot. On some other NT
systems, running the applet corrupts system fonts and cursors; the
symptoms are cured by a reboot. I tried the applet [19] on two NT
4.0 systems and crashed one, corrupted fonts on the other.

Greg Roelofs <roelofs@pmc.philips.com>, TBTF Irregular, tipped this
story -- thanks.

[19] http://www.eyeone.no/KillerApp/KillerApp.htm

..Linux community comes together over LSB standards effort

Churn and controversy yield to unity

Perhaps stimulated by the somewhat divisive events of the past two
weeks [20], [21], the Linux community is rallying around the Linux
Standard Base effort. The recently announced Linux Compatibility
Standards Project [20] has been folded into LSB, which has relaunched
with a new commitment, a new Web site [22], and new partners. Here's
the press release [23]. Thanks to Robert S. Thau <rst@ai.mit.edu>
for sending me a copy instantly upon release on 8/25, allowing TBTF
to break the news to an indifferent world.

On a more mainstream note, the issue of Forbes Magazine featuring
Linus Torvalds on the cover has hit the Web. Here's a thumbnail of
the cover [24] and here's the story [25].

[20] http://www.tbtf.com/archive/08-17-98.html#s02
[21] http://www.tbtf.com/archive/08-24-98.html#s02
[22] http://www.linuxbase.org/
[23] http://www.linuxbase.org/announce.html
[24] http://www.forbes.com/forbes/98/0810/gifs/coversm2.jpg
[25] http://www.forbes.com/forbes/98/0810/6209094a.htm

..Web Standards Project challenges browser developers

This WaSP packs a sting

The Web Standards Project [26] is two weeks old and has already gar-
nered significant ink, and pixels, in the world's press (summary
here [27]). The project is the effort of a group of high-profile Web
designers to shame Microsoft and Netscape into implementing com-
pletely the standards upon which the Web is based before venturing
off into proprietary extensions [28]. The developers of the Opera
browser [29], which is just about the only currently viable compe-
tition to the Netscape-Microsoft hegemony, have supported WaSP from
the first. The project's Web site is the epitome of cool: simple
design, unified feel, plenty of variety, and speedy loading. Thanks
to Julianne Chatelain for the pointer.

[26] http://www.webstandards.org/
[27] http://www.webstandards.org/news.html
[28] http://www.webstandards.org/mission.html
[29] http://opera.nta.no/

..HotMail, others vulnerable to JavaScript exploit

Rewriting the interface to steal your account

A programmer in Canada discovered a way to steal Hotmail users'
login IDs and passwords [30]. The exploit uses JavaScript to rewrite,
transparently, part of HotMail's Web interface for email. When a
victim receives an email message containing the Trojan-horse Java-
Script and reads it in the HotMail account, s/he is prompted to re-
enter name and password, which have supposedly expired. This dia-
log looks like an official HotMail request. The name and password
are captured and emailed to the perpetrator. Here is the discov-
erers' exploit page [31]. Microsoft and HotMail were notified of the
vulnerability and worked at top speed on a fix. When they posted
what was billed as a "partial fix" (filtering out JavaScript code)
on 8/24, the exploit's discoverer quickly put up a workaround that
causes the same end result [32]. (He hid the JavaScript code within
IMG tags.) Other Web-based free email services are also thought to
be vulnerable to this exploit. Users of such services might consid-
er doing without JavaScript for now.

[30] http://www.wired.com/news/news/technology/story/14617.html
[31] http://www.because-we-can.com/hotmail/default.htm
[32] http://www.news.com/News/Item/Textonly/0,25,25657,00.html?tbtf

..IBM gives away a security breakthrough

System is provably secure against an adaptive chosen ciphertext

Two researchers have devised a way to secure cryptosystems against
"active" attacks [33]. Victor Shoup of IBM Research and Ronald
Cramer of the Swiss Federal Institute of Technology revealed their
new security scheme [34] on 8/24 at Crypto '98 in Santa Barbara.
Their new system would thwart attacks of the sort devised last
spring by Bell Labs researcher Daniel Bleichenbacher (see TBTF for
7/20/98 [35]). The leader of an IBM team of hackers for hire said,
"This is not the sort of stuff you hold tight and patent. This is
the sort of stuff you publish ... and hope everyone adopts it

[33] http://www.wired.com/news/news/technology/story/14590.html
[34] http://www.cs.wisc.edu/~shoup/papers/cs.ps.Z
[35] http://www.tbtf.com/archive/07-20-98.html#s06

..Unclear on the concept

How not to update a Web site

Patrick S. Malone was driving to work with the radio on and heard
the DJ bragging about the radio station's Web site, extolling the
virtues of their ISP. The DJ made a particular point of the advan-
tage of using a local ISP:

> "And they're right here in _____, so we have a relationship.
> We can just call them up and say, 'We're about to send you a
> fax with something for the Web site.'"

Thanks to Keith Bostic <nev@bostic.com> for the forward.

N o t e s

> Last week's TBTF title came from a song by Creedence Clearwater Rev-
ival. Not 3 Dog Night. John Fogerty's Creedence Clearwater Revival.
I know this now. Thirty-one of you told me so. Visit last week's
issue on the Web [36] for some amusing sidelights from this corres-

[36] http://www.tbtf.com/archive/08-24-98.html#its-CCR

> I've added a new TBTF Thread [37] that may be of interest to fans of
computational physics. It links 9 TBTF articles, from 1995 to this
year, on quantum computing and the frontiers of research into the
quantum realm.

[37] http://www.tbtf.com/threads.html#Tqpc

> "Stakeholder" is current business jargon for "someone who has an in-
terest." The term was popularized, or at least promulgated, in the
US government's green paper and white paper on domain naming. To
me the stakeholder is the lead guy in a vampire hunt.

S o u r c e s

> For a complete list of TBTF's (mostly email) sources, see
http://www.tbtf.com/sources.html .

TBTF home and archive at http://www.tbtf.com/ . To subscribe send
the message "subscribe" to tbtf-request@world.std.com. TBTF is
Copyright 1994-1998 by Keith Dawson, <dawson@world.std.com>. Com-
mercial use prohibited. For non-commercial purposes please forward,
post, and link as you see fit.
Keith Dawson dawson@world.std.com
Layer of ash separates morning and evening milk.

Version: PGP for Personal Privacy 5.5