TBTF for 2/16/98: Time and bits

Keith Dawson (dawson@world.std.com)
Mon, 16 Feb 1998 21:39:13 -0600



T a s t y   B i t s   f r o m   t h e   T e c h n o l o g y   F r o n t

Timely news of the bellwethers in computer and communications
technology that will affect electronic commerce -- since 1994

Your Host: Keith Dawson

This issue: < http://www.tbtf.com/archive/02-16-98.html >

C o n t e n t s

Soft Tempest
Eric Raymond on Netscape and open-source software
Microsoft accessibility questioned
Multithreading patents are vulnerable
XML: floor wax and dessert topping
Taking ownership of a security hole
What it is
Time and bits
But is he paranoid enough?
Quick bits
Fourth Certicom challenge (ECC2-89) falls
Flaws in a Net Wizards survey
Ad filtering software catching on?
A faster l0phtcrack

..Soft Tempest

How your keystrokes could be captured cheaply, and how you can
prevent it

Microsoft recently gave $20 million to Cambridge University. As it
turns out the gift was accompanied by a request for research into
technologies that could help Microsoft combat software piracy. The
computer scientist who ended up handling this problem, Ross Ander-
son, is well known for his work on privacy issues. This apparent
cognitive dissonance was questioned on a privacy mailing list after
the Washington Post carried a story [1] about Anderson's project,
called Soft Tempest. Anderson responded that the Post had gotten it
mostly wrong and asked list members to read his paper [2] and make
up their own minds. (Note -- this document requires Acrobat Reader
3.0 -- to my 2.0 reader it looked encrypted. Clever, that.)

"Tempest" is the term for the classified techniques used by military
and intelligence agencies to recover information from the incidental
electromagnetic radiation emitted by computer components, especially
VDTs. The term also applies to the problems of shielding one's own
computers so that their radiation can't be intercepted and mined.
Little open research has been published about this technology, but
it's been generally assumed that to read at a distance what some-
one types on a computer would require a van-load of very expensive
equipment. Anderson's Soft Tempest demonstrates ways to steal in-
formation off computer screens for an investment closer to $100 than
to $100,000. Further, the research points to methods software manu-
facturers could use to monitor software piracy from a van driving
down the street -- effectively causing your screen to broadcast the
serial numbers of installed software programs. (Microsoft professed
no interest in pursuing this technique.) Finally, Soft Tempest in-
vented a novel method of obfuscating screen radiation without expen-
sive shielding. The solution lies in specially designed screen fonts.

[1] http://www.washingtonpost.com/wp-srv/WPlate/1998-02/07/060l-020798-idx.html
[2] http://www.cl.cam.ac.uk/~mgk25/ih98-tempest.pdf

..Eric Raymond on Netscape and open-source software

"Free software" becomes "open source software" as the movement
goes mainstream

On 2/4 Eric Raymond met with people from Netscape at their invi-
tation. Raymond is the author of the Cathedral and Bazaar paper
[3] that Netscape credits as influential in its decision to give
away the source code for Communicator. On 2/4 Raymond spoke at a
meeting of the Silicon Valley Linux Group. Here is some of what
he said, as captured by Stig <stig@hackvan.com>:

[Raymond] came away from the meetings "with a really good im-
pression of the Netscape people. Even their lawyers have clues.
It gets better than that: even their marketing people have
clues. What a concept!"

Of the source release, he said "they really mean it." Sometime
between a week from now and the end of March, Netscape will
post a prototype of license terms on the Net to invite public
comment. He said that several alternatives were being con-
sidered but that all of them met the "free software criteria"
of the Debian Project [4]. It was suggested that special ac-
commodations for linking against Sun's JDK might be made,
which would be a weakening of the normally-viral properties of
GPL-style licences.

Other ideas being considered at Netscape were said to include:

- As part of an effort to incentivize innovation in Com-
municator and related products, a multi-tiered awards
program for free software achievements and contributions
might be initiated (awards for projects such as The Gimp
[5], and grants and prizes for other quality work).

- Netscape may be spinning off a development group, autonomous
to some extent, that would be freely charged with assem-
bling and coordinating changes from the Net.

On 2/10 Raymond published a call [6] to the free software community
to stop using the term "free software" and begin saying "open source
software" instead.

[3] http://www.earthspace.net/~esr/writings/cathedral-bazaar/cathedral-bazaar.html
[4] http://www.debian.org/
[5] http://www.gimp.org/
[6] http://earthspace.net/~esr/open-source.html

..Microsoft accessibility questioned

The company backs away from its accessibility interface just
as the blindness community was beginning to embrace it

The World Wide Web Consortium has released the first installment in
its Web Accessibility Initiative [7], a draft guideline [8] for
making Web pages accessible to blind readers. The guideline is based
on the use of HTML 4.0 and cascading style sheets.

These developments contrast with the controversy surrounding Micro-
soft's Active Accessibility architecture. MSAA specifies rules that
Windows application vendors can follow to make sure their screen
displays are available to 3rd-party screen readers. The blindness
community had been slow to embrace this Microsoft approach but was
moving towards acceptance when a series of postings called into
question Microsoft's commitment to MSAA. The questions arose not
in regard to Web technology but rather to Microsoft Office.

Curtis Chong, technology director for the National Federation of the
Blind, opened up the debate when he posted comments he had received
from Steven Sinofsky, general manager of the office products unit
at Microsoft. Chong's original posting is archived, with commentary,
on the NFB site [9]. Sinofsky's comments indicated that the group
developing Microsoft Office was not eager to rely solely on Active
Accessibility to pass information to screen-access software used by
the blind. Instead the group wanted vendors of this software to use
the object models that were already in place in the Office products.

[7] http://www.internetnews.com/wd-news/1998/02/0401-w3c.html
[8] http://www.w3.org/TR/1998/WD-WAI-PAGEAUTH-0203
[9] http://www.nfb.org/msaa.htm

..Multithreading patents are vulnerable

A lone inventor sues Microsoft, but his claims look beatable

One Martin Reiffin has asserted two recently issued patents (Nos.
5,694,603 and 5,694,604) against Microsoft [10]. Reiffin filed the
patents in September 1982 and they finally issued, after three ap-
peals, in December 1997. Can you say "submarine?" Correspondents
on Greg Aharonian's Internet Patent News Service (see TBTF Sources
[11]) opine that multithreading was not exactly novel in 1982. One

> This approach to concurrency should look obvious to anyone
> with a solid computer science background from the 70s which
> emphasized the hardware and operating system levels.

The patent cites some prior art, but nothing (for example) from
CMU's Spice project from the late 70s, whose principal architect,
Rick Rashid, has been at Microsoft for years and worked on the
original NT team.

[10] http://www.wired.com/news/news/business/story/10251.html
[11] http://www.tbtf.com/sources.html

..XML: floor wax and dessert topping

Come on, you know you're going to have to come to grips
with XML

Last week Tim Berners-Lee made it official -- XML is a W3C standard
[12]. If you keep your ear to the Net's railroad track you will have
heard many experts predicting that Extensible Markup Language will
be a Big Thing. Why is that exactly? The XML tutorials I've been
reading (for example [13]) don't go much beyond describing XML as
a meta-markup language. On a private mailing list Gregory Alan Bolcer
<gbolcer@gambetta.ics.uci.edu>, a Cal Tech grad student, posted the
following pithy summary of what an XML document has in common with
an object in a distributed object model.

> An object has state. Imagine an XML document sitting around
> someplace describing the structure of the state. It's an
> encapsulation, lightweight, easy to transport around the net,
> to parse, understand, and change. This it shares with some
> object models. It's self describing in some way; this it
> shares with fewer models.

> Also imagine you have behaviors (methods). These methods
> aren't physically co-located and in fact are little snippets
> of code located elsewhere on the network. This distributed
> method inheritance is shared with even fewer object models.
> These behavior snippets can be applets written in Java, Py-
> thon, Tcl, Ada95, Perl, whatever. They include an XML parser
> (or not) and have the ability to query and change values in
> the state -- the XML document -- easily and directly.

> Also imagine you have communication restrictions on this doc-
> ument, again very lightweight: filtering domains, requiring
> permissions, etc. Imagine you can restrict the behaviors you
> want to by digitally signing these behavior snippets. This
> capability is embodied by most object models in public, pri-
> vate, and protected methods, but now you have a much finer
> granularity of how you can control the methods than is offered
> by just these three classical method types.

> Also imagine these behavior snippets, being all distributed,
> heterogeneous (that means cross-language and -platform mostly),
> tightly controlled but more loosely typed depending upon the
> enforcement, are sometimes competing with one another. They
> allow query, locking, renaming, versioning, instancing -- so
> that concurrency happens at a finer level of abstraction than
> in the object encapsulations, allowing a type of re-entrancy
> and multithreading. Sort of like a threaded, persistent object
> built on top of a lightweight database. Even fewer object
> models and their implementation languages have persistence and
> threading built into them.

> Imagine having a wide-area event mechanism that allows you to
> select portions of your state that are relevant to an appro-
> priate task, download it, execute the behavior, and then re-
> synchronize with the original state. The only object model I
> know that's getting close is Informix Datablades.

> Now, here's the kicker: Imagine you have the ability to de-
> clare variables dynamically, to declare methods, to version
> and transition state, to transport, cache, replicate, broad-
> cast it all over the place to make it mobile and ubiquitous,
> but be able to utilize a naming and routing scheme such that
> you always know exactly where it is and how to get to it.

> On one end of the spectrum you can do enforcement such that it
> has all the properties of a C++/CORBA/database program; on the
> other the possibilities are wide open depending on how you want
> to enforce the data consistency, access, state tracking, loc-
> ation, whatever.

For further edification, here's a collection of links from webde-
veloper.com to XML tutorials, software, and books [14].

[12] http://www.zdnet.com/intweek/daily/980210j.html
[13] http://www.webdeveloper.com/categories/html/html_xml_1.html
[14] http://www.webdeveloper.com/categories/html/html_xml_4.html

..Taking ownership of a security hole

Lessons we learned from Microsoft: define it and name it to
own it

Miora Security Consultants [15] has come up with a novel way to ex-
tract value from a security vulnerability: define it, solve it, name
it, and own it. They have invested their own time and expertise re-
searching the dangers of "hidden" form fields -- not exactly news
to Web designers alert to security concerns -- and are well on their
way to claiming ownership of this topic. They've named the problem
and the solution with their corporate brand as the "MSC HFF" vul-
nerability. (I guess that would be pronounced "mischief.") Miora
gives away white papers detailing the problem and the low-impact
solution they have devised, but you have to register on their site
to download them. News.com [16] and the NY Times [17] covered the
story as if it were security news and not a press release.

[15] http://www.miora.com/
[16] http://www.news.com/News/Item/Textonly/0,25,19108,00.html?pfv
[17] http://nytsyn.com/IMDS%7CCND7%7Cread%7C/home/content/users/imds/feeds/nytsyn/1998/02/12/cndin/4551-0096-pat_nytimes%7C/home/content/users/imds/feeds/nytsyn/1998/02/13/cndin/6438-0008-pat_nytimes%7C/home/content/users/imds/feeds/nytsyn/1998/02/12/cndin/453
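
An added illustration of the hidden-form-field problem named above (it is
not Miora's solution and not code from any source cited here): a handler
that trusts a value round-tripped through a hidden field, beside one that
rejects the value if it changed. The key, catalog and field names are
constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

SERVER_KEY = b"constructed-demo-key"   # assumption: a secret only the server holds
CATALOG = {"sku-100": 4999}            # constructed price list, in cents


def _tag(sku, price):
    """Keyed digest binding the hidden values to this server."""
    return hmac.new(SERVER_KEY, f"{sku}|{price}".encode(), hashlib.sha256).hexdigest()


def render_hidden_fields(sku):
    """Values the server would emit as <input type="hidden"> in its order form."""
    price = CATALOG[sku]
    return {"sku": sku, "price": str(price), "tag": _tag(sku, price)}


def naive_total(body):
    """Weak handler: believes whatever price comes back in the hidden field."""
    return int(parse_qs(body)["price"][0])


def checked_total(body):
    """Hardened handler: recompute the tag and refuse any altered field."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    try:
        sku, price, supplied = form["sku"], form["price"], form["tag"]
    except KeyError:
        raise ValueError("missing field")
    # Constant-time comparison, on bytes so odd input cannot raise TypeError.
    if not hmac.compare_digest(_tag(sku, price).encode(), supplied.encode()):
        raise ValueError("hidden field was modified")
    return int(price)


def demo():
    """Submit the form once untouched and once with the price edited client-side."""
    fields = render_hidden_fields("sku-100")
    honest = urlencode(fields)
    edited = urlencode({**fields, "price": "1"})
    try:
        rejected = checked_total(edited)
    except ValueError as err:
        rejected = str(err)
    return naive_total(edited), checked_total(honest), rejected


if __name__ == "__main__":
    print(demo())
```

When the server already owns the value, as with a price, the simpler fix
is to ignore the submitted field and look it up again from the catalog.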

..What it is

Whatis.com offers definitions and more with style and grace

Net terminology evolving too fast for you? New to the Net and not a
techie? Visit Whatis.com [18] for pithy definitions of all those
terms you've wondered about. The site is speedy and the definitions
are extensively cross-linked so it's easy to spend time exploring.
(The definitions are served up with a lightweight ad -- you may see
one for a familiar site there -- and a cookie [19].) The site is a
labor of love built and meticulously grown by career tech writer
Lowell Thing. Whatis.com has won awards and garnered press coverage;
it's listed on the user-rated Web 100 [20], where it is currently
number 9. Alexa ranks Whatis.com in the top 10,000 sites for traf-
fic [21] -- on this scale TBTF barely registers [22]. Whatis.com is
evolving into a destination for Net information of any stripe. Give
it a bookmark.

[18] http://www.whatis.com/
[19] http://www.whatis.com/cookie.htm
[20] http://www.web100.com/
[21] http://widener.alexa.com/sitedata/www.whatis.com/
[22] http://widener.alexa.com/sitedata/www.tbtf.com/

..Time and bits

This organization wants to build a clock for the ages

The Long Now Foundation [23] held a conference last week called Time
and Bits: Managing Digital Continuity [24]. For some time historians
and archivists have been worrying about the impermanence of digital
media (see TBTF for 7/23/95 [25] and the January 1995 Scientific Am-
erican, not online), in contrast to the longevity of paper and stone.
Here's how the problem was stated by Danny Hillis, one of the found-
ers of The Long Now Foundation:

> Historians will look back on this era and see a period of very
> little information. A "digital gap" will span from the begin-
> ning of the widespread use of the computer until the time we
> eventually solve this problem. What we're all trying to do
> is to shorten that gap.

[23] http://www.longnow.org/
[24] http://www.wired.com/news/news/culture/story/10301.html
[25] http://www.tbtf.com/archive/07-23-95.html#archival

..But is he paranoid enough?

Mix financial cryptography with a total solar eclipse for a
potent brew

Next week FC98 [26], the second conference on financial cryptography,
kicks off in Anguilla, BWI. The conference happens to intersect in
time and place with a total solar eclipse [27], [28]: on February 26
the path of totality will sweep across the Caribbean from South
America. Since Anguilla is only a few miles outside the path, the
conference organizers have planned an all-day outing by catamaran
on eclipse day, all attendees invited. One of the attendees dubbed
it the Ecliptical Curve Cruise and the name has stuck. Arrangements
have been refined on the FC98 mailing list. On 1/13 one anonymous
attendee-to-be posted this worried note:

> Interesting "failure point": Cat crammed with almost all of
> the cryptographic threats to the hegemony of the States of the
> World sails (in the Bermuda Triangle), next to the world's
> most active volcano, in the middle of a total eclipse, after
> telling the whole world including the Navy Seals and the UK's
> Special Boat Squadrons (not to mention the US Space Command
> "buried deep under Cheyenne Mountain") exactly when and where
> they'll be.

> Maybe I'll hang out back at the hotel.

[26] http://www.fc98.ai/
[27] http://planets.gsfc.nasa.gov/eclipse/TSE1998/TSE1998.html
[28] http://planets.gsfc.nasa.gov/eclipse/TSE1998/TSE1998map/T98Fig13.gif

..Quick bits

A maze of twisty little items, all different

..Fourth Certicom challenge (ECC2-89) falls

On 2/7 Robert Harley <Robert.Harley@inria.fr> announced [29] the
defeat of the fourth in Certicom's series of crypto challenges.
Harley's ever-growing team, now numbering over 66, has been first
to overcome each of the Certicom challenges broken to date. I asked
Harley whether any other teams were even working on the problem,
and he replied, "Yes, but their code sucks."

[29] http://www.tbtf.com/resource/certicom4.html

..Flaws in a Net Wizards survey

Dr. Anton Nossik, editor of the Russian-language Evening Internet
Daily, sends this note [30] on the Network Wizards January Internet
Domain Survey [31], just published. This survey attempts to discover
all extant Internet hosts by looking at which IP addresses have
been assigned. Dr. Nossik points out that the counts and growth
rates in this survey for both Russia and Israel are far below the
figures obtained by other methods.

[30] http://www.tbtf.com/resource/nw-ru-il.html
[31] http://www.nw.com/zone/WWW/report.html

..Ad filtering software catching on?

Solid Oak, a success story in the censorware space, announced [32]
the addition of a banner-ad blocking feature to their CyberSitter
product. They say customers were asking for the feature. The ad-
blocking front has been relatively quiet since its first propon-
ent, PrivNet [33], was bought by PGP [34] and their ad-filtering
technology shelved.

[32] http://www.news.com/News/Item/Textonly/0,25,19156,00.html?pfv
[33] http://www.tbtf.com/archive/04-28-96.html#privnet
[34] http://www.tbtf.com/archive/12-02-96.html

..A faster l0phtcrack

L0pht Heavy Industries has released a 2.0 version of its l0phtcrack
[35] NT password cracker as $50 shareware. The hacker collective
claims to be able to decypher an NT password in a week of background
computation on a Pentium 200; cracking hundreds or thousands of pass-
words from the same registry costs little more. The program can get
results so quickly because Microsoft is forced to water down NT's
security protection for compatibility with Windows 95's weaker LAN-
MAN passwords [36]. L0phtcrack is widely used by system administra-
tors and security consultants to audit password security.

[35] http://www.l0pht.com/l0phtcrack/
[36] http://www.wired.com/news/news/business/story/10303.html
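
An added illustration (not from L0pht or from the articles cited above) of
why the LAN Manager format is the weak link: LM upper-cases the password,
holds at most 14 characters, and hashes two 7-character halves separately
with no salt. The character pools and sample accounts are constructed
assumptions; the code only counts guesses and computes no hashes.

```python
import string
from collections import defaultdict

LM_MAX, LM_HALF = 14, 7   # LM: at most 14 characters, hashed as two halves of 7


def pool_size(text):
    """Size of the smallest common character pool covering `text` (ASCII only)."""
    if not all(32 <= ord(c) < 127 for c in text):
        raise ValueError("this sketch only models printable ASCII")
    pools = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
             (string.digits, 10), (string.punctuation + " ", 33)]
    return sum(n for chars, n in pools if any(c in chars for c in text))


def lm_halves(password):
    """The two strings an LM hash protects, or None if LM cannot hold the password."""
    if len(password) > LM_MAX:
        return None
    folded = password.upper()                  # LM discards case
    return folded[:LM_HALF], folded[LM_HALF:]


def exhaustive_guesses(text):
    """Guesses needed to try every string of this length over this pool."""
    return pool_size(text) ** len(text) if text else 0


def audit(password):
    """Compare the effort against the full password with the effort against LM."""
    halves = lm_halves(password)
    report = {"full": exhaustive_guesses(password), "halves": halves, "lm": None}
    if halves is not None:
        # Each half is hashed on its own, so the efforts add instead of multiplying.
        report["lm"] = sum(exhaustive_guesses(h) for h in halves)
    return report


def shared_halves(accounts):
    """Accounts whose LM halves coincide; with no salt those halves hash identically."""
    seen = defaultdict(set)
    for user, password in accounts.items():
        for half in lm_halves(password) or ():
            if half:
                seen[half].add(user)
    return {half: sorted(users) for half, users in seen.items() if len(users) > 1}


# Constructed sample accounts, not taken from any real system.
SAMPLE = {"alice": "Winter98", "bob": "winter9!", "carol": "a-much-longer-passphrase"}

if __name__ == "__main__":
    for user, pw in SAMPLE.items():
        print(user, audit(pw))
    print(shared_halves(SAMPLE))
```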

S o u r c e s

> For a complete list of TBTF's (mostly email) sources, see
http://www.tbtf.com/sources.html .

TBTF home and archive at < http://www.tbtf.com/ >. To subscribe
send the message "subscribe" to tbtf-request@world.std.com. TBTF
is Copyright 1994-1998 by Keith Dawson, < dawson@world.std.com >.
Commercial use prohibited. For non-commercial purposes please
forward, post, and link as you see fit.
Keith Dawson dawson@world.std.com
Layer of ash separates morning and evening milk.
