TBTF for 7/14/97: Cold, dead fingers

Keith Dawson (dawson@world.std.com)
Sun, 13 Jul 1997 13:22:41 -0400


T a s t y   B i t s   f r o m   t h e   T e c h n o l o g y   F r o n t

Timely news of the bellwethers in computer and communications
technology that will affect electronic commerce -- since 1994

Your Host: Keith Dawson

This issue: < http://www.tbtf.com/archive/07-14-97.html >

C o n t e n t s

FBI director shows his hand
Sun encryption workaround draws NSA scrutiny
Justice Department to investigate Network Solutions
A large hole in JavaScript
Wash that Trojan horse's mouth out with soap
A Silicon Forest wannabe
Mars rocks, space rocks, and bugs
Obfuscated C

..FBI director shows his hand

It's just about as chilling as the most paranoid Cypherpunk feared.
On Wednesday the FBI director testified before Congress and revealed
his not-entirely-hidden agenda on the encryption question [1]. Louis
Freeh is not overly worried about the export of strong crypto. He
wants restrictions on its domestic use, with guaranteed access to
individual users' keys by authorities, without a court order and
without notification to the user. Freeh proposes to transform the
small but growing infrastructure of Certificate Authorities into
centers of access to users' keys [2]. In the same week European of-
ficials both at the Bonn Internet conference and at a meeting of
the European Union slammed American positions on key recovery and
privacy [3]. The US posture threatens to derail international In-
ternet commerce before it ever pulls out of the station. If Direc-
tor Freeh's desires are realized in law, Internet commerce in the
Net's most populous market will die unborn. I will go EFF co-founder
John Perry Barlow one better: they cannot have my private key, even
if they attempt to pry it from my cold, dead fingers.

[1] http://www.news.com/News/Item/0,4,12317,00.html
[2] http://www.nytimes.com/library/cyber/week/071197encrypt.html
[3] ftp://vorlon.mit.edu/pub/f-c/v02.n327

..Sun encryption workaround draws NSA scrutiny

Last week the National Security Agency asked Sun Microsystems and
a Russian networking company in which Sun has a 10% stake to turn
over the source code of its SunScreen SKIP E+ [4]. Last month Sun
ran a lateral Arabesque around US crypto export restrictions [5],
[6] by announcing the worldwide availability of its SunScreen vir-
tual tunneling technology with strong encryption provided by the
Russian partner company. Exactly why the NSA has gotten involved
in the issue was not clear; NSA scientists may be acting as con-
sultants to the Commerce Department, which now has the oversight
of crypto export policy.

[5] http://www.tbtf.com/archive/06-16-97.html#s01
[6] http://skip.incog.com/press-elvis.htm

..Justice Department to investigate Network Solutions

NSI informed potential investors on 7/7 that its operations are
under investigation by Federal antitrust agents [7]. The Feds also
want information from NSI's parent company, Science Applications
International Corp. NSI, currently the monopoly grantor of top-
level domain names, plans to go public; it disclosed the pending
investigation in papers filed with the SEC. A Justice Department
spokesman confirmed that an investigation is under way. Neither
Justice nor NSI will speculate on its scope or possible outcome.
The investigation clouds still further the future of domain naming
on the Net. NSI will lose its monopoly contract from the NSF next
March, but has said it will keep control of the top-level domains
it currently administers. The plan worked out by the International
Ad Hoc Committee to introduce competition to domain naming is on
hold [8]. And on 7/10 an industry group called the Association for
Interactive Media convened an "Open Internet Congress" in Washing-
ton [9], ostensibly to assure that business has a say in the gover-
nance of the Net.

[7] http://www.yahoo.com/headlines/970708/tech/stories/probe_1.html
[8] http://www.tbtf.com/archive/07-07-97.html

..A large hole in JavaScript

Here's ironic news in the week after the European Computer Manufac-
turers' Association standardized JavaScript [10], and it has taught
me to pay attention when John Robert LoVerso <loverso@osf.org> for-
wards a tip. Last Tuesday LoVerso sent word of a troubling new Java-
Script bug. I decided not to publish it as the next day's Tasty Bit,
and now it's big news [11]. The defect allows a bad guy to capture
the history of your Navigator 3.01 session, in clear text, including
any passwords or PINs that you might type into forms. Here is an ex-
ploit page [12] for the defect. Its discoverer Dan Brumleve
<nothing@aleph2.com> notified CERT, Microsoft, and Netscape of the
problem. CERT recommended that all users immediately disable Java-
Script in their browsers. (Personally, I've run without benefit of
JavaScript since LoVerso won a Netscape Bug Bounty early last year
[13].) Netscape developed a fix and released Navigator 3.02, but a
closely related problem still exists in this version [14].

[10] http://www.news.com/News/Item/0,4,11967,00.html
[11] http://www.news.com/News/Item/0,4,12282,00.html
[12] http://www.aleph2.com/tracker/
[13] http://www.tbtf.com/archive/02-27-96.html
[14] http://www.news.com/News/Item/0,4,12347,00.html

..Wash that Trojan horse's mouth out with soap

This is either the story of an entertaining and mildly malicious
hack, or a brilliant PR sally by McAfee associates. The anti-virus
software company claims that some joker developed an ActiveX control
called CussOut [15]. When you access a page containing the control
and it is downloaded to your Windows machine, CussOut is said to
rifle through your email folders and to send an obscene message to
every address it can find. On Monday, McAfee will introduce a pro-
gram, WebScanX, to screen out such hostile ActiveX controls or Java
applets downloaded from Web sites or received via email. McAfee has
recently been smarting from the attention the tiny Israeli company
Finjan [16] has garnered for its SurfinShield and SurfinGate products,
which claim similar prophylactic benefits. I could not find a URL for
any page containing the CussOut control, or an
example of one of its messages, or any discussion of the problem out-
side of the (McAfee-generated) news.com story.

[15] http://www.news.com/News/Item/0,4,12333,00.html
[16] http://www.finjan.com/

..A Silicon Forest wannabe

An article [17] in the Seattle Post-Intelligencer suggests the moni-
ker "Silicon Forest" for the Puget Sound region. However, solid docu-
mentation exists for Portland's pre-existing claim to the name [18].
The Seattle article also makes feints at Silicon Valley North (claimed
by Ottawa) and Telecom Valley (San Diego). It's clear the Post-Intel-
ligencer reporter, Warren Wilson, had never visited TBTF's Siliconia
page [18].

[17] http://nytsyn.com/live/Latest/189_070897_104200_14707.html
[18] http://www.tbtf.com/siliconia.html

..Mars rocks, space rocks, and bugs

Surely you've visited the Sagan Station [19], née Mars Pathfinder,
on the Web by now. This URL links the 15 US and 8 international
mirror sites, which collectively can handle 120 million hits per
day. The Mars exploration is a mega-event with wide appeal [20].
Consider this news item, forwarded by an old friend with whom I
crossed the continent to be at NASA-Ames for Pioneer 10's rendez-
vous with Saturn, in 1979.

> Sales have taken off for Mattel's Hot Wheels Mars Rover
> Action Pack, which includes a detailed version of the
> rover and its mother ship. Mattel declined to release
> sales figures for the rover toy, but a supply of 1,500
> at JPL's souvenir shop sold out in 20 minutes Tuesday.

Completely overshadowed by the Martian goings-on was the quietly
successful climax of another NASA mission the week before: the
fly-by and photo shoot of the near-earth asteroid Mathilde [21].
The images page [22] is appealing; but unless your browser plugs
directly into the mother of all Net pipes, turn off image loading
before you visit. Read the captions and decide which of the six
pictures you want to see; they range in size from 34K to 117K.

On the fictional side of space, the following timely note comes
from the Preview Release of the Be Operating System. It was for-
warded by Timothy Dion <timd@advis.com> and Keith Bostic.

> To celebrate, the Be staff took a few hours off and went to see
> the movie "Men in Black." I won't spoil the plot for those who
> haven't seen it, but the movie makes a point that is somehow
> appropriate -- it is impossible to rid the universe completely
> of bugs, but at least you can drive something fast, arm your-
> self with powerful tools, and look good doing it.

[19] http://mpfwww.jpl.nasa.gov/
[21] http://sd-www.jhuapl.edu/NEAR/Mathilde/
[22] http://sd-www.jhuapl.edu/NEAR/Mathilde/images.html

..Obfuscated C

OK, this one is hackish [23], I admit, but if you can find amuse-
ment in bizarre snippets of C code, do visit the home of The Inter-
national Obfuscated C Code Contest [24]. The contest will next run
in 1998. Here are two examples of past winners [25]. One of them
is a program that approximates pi by computing its own area. (Admit
it: you got lost in the Jargon site, didn't you? You knew that GNU
stands for "GNU's not Unix!" but you hadn't heard the derivation
[26] for the company called CYGNUS, had you?)

[23] http://www.wins.uva.nl/~mes/jargon/h/hackish.html
[24] http://reality.sgi.com/csp/ioccc/
[25] http://www.wins.uva.nl/~mes/jargon/o/ObfuscatedCContest.html
[26] http://www.wins.uva.nl/~mes/jargon/r/recursiveacronym.html
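To show what "a program that approximates pi by computing its own
area" means in practice, here is an added illustration of the trick.
It is my own construction for this page, not the IOCCC winning entry
and not code from TBTF: every "_" token in the body of circle() is a
macro that adds one unit of area and records the source line it sits
on; the tokens are laid out as the lattice points inside a circle of
radius 6 rows (Gauss's lattice-point count, 113 for r = 6), so the
tally divided by the squared radius approximates pi. The function
names (circle, source_area, source_rows, pi_from_source) are mine.

```c
#include <stdio.h>

/* Tallies filled in while circle() runs: one unit of area per "_" token,
 * plus the first and last source line on which a token appears. */
static int area, first_line, last_line;

/* Each "_" inside circle() below expands to: count one unit of area and
 * record which source line it is on.  Nothing else in that body is
 * executable, so the function's only "output" is the shape of its text. */
#define _ area++; if (!first_line) first_line = __LINE__; last_line = __LINE__;

/* 13 rows holding exactly the integer points with x*x + y*y <= 6*6. */
static void circle(void)
{
                _
          _ _ _ _ _ _ _
        _ _ _ _ _ _ _ _ _
      _ _ _ _ _ _ _ _ _ _ _
      _ _ _ _ _ _ _ _ _ _ _
      _ _ _ _ _ _ _ _ _ _ _
    _ _ _ _ _ _ _ _ _ _ _ _ _
      _ _ _ _ _ _ _ _ _ _ _
      _ _ _ _ _ _ _ _ _ _ _
      _ _ _ _ _ _ _ _ _ _ _
        _ _ _ _ _ _ _ _ _
          _ _ _ _ _ _ _
                _
}

/* Reset the tallies and "measure" the source figure once. */
static void run(void)
{
    area = 0;
    first_line = 0;
    last_line = 0;
    circle();
}

/* Number of "_" tokens: the lattice area of the drawn circle (113). */
int source_area(void)
{
    run();
    return area;
}

/* Number of source rows the figure spans: its diameter in rows (13). */
int source_rows(void)
{
    run();
    return last_line - first_line + 1;
}

/* pi ~= area / r^2, with r = half the row span = 6 rows.  113/36 = 3.1389 */
double pi_from_source(void)
{
    run();
    double r = (last_line - first_line) / 2.0;
    return area / (r * r);
}

int main(void)
{
    printf("area %d tokens over %d rows -> pi ~= %.4f\n",
           source_area(), source_rows(), pi_from_source());
    return 0;
}
```

The accuracy depends only on how faithfully the rows follow the
lattice-point counts for the chosen radius; a larger circle in the
source gives more digits, which is the whole joke of the contest entry.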

N o t e s

> Starting tomorrow your correspondent takes on full-time responsibility
as Director of Internet Strategy for a startup that will for the moment
remain nameless. When the time comes you'll hear plenty about it, be-
lieve me. My plan is to continue TBTF as before. After a few weeks
there may be some changes as I accommodate a new schedule, but overall
I'm quite happy with the Tasty Bit of the Day format and the predicta-
bility it brings to the retro-push edition. Hope you are too.

S o u r c e s

> For a complete list of TBTF's (mostly email) sources, see
http://www.tbtf.com/sources.html .

TBTF home and archive at < http://www.tbtf.com/ >. To subscribe
send the message "subscribe" to tbtf-request@world.std.com. TBTF
is Copyright 1994-1997 by Keith Dawson, <dawson@world.std.com>.
Commercial use prohibited. For non-commercial purposes please
forward, post, and link as you see fit.
Keith Dawson dawson@world.std.com
Layer of ash separates morning and evening milk.