TBTF for 7/21/97: Tune's my own invention

Keith Dawson (dawson@world.std.com)
Sat, 19 Jul 1997 21:47:40 -0400


TBTF for 7/21/97: Tune's my own invention

T a s t y B i t s f r o m t h e T e c h n o l o g y F r o n t

Timely news of the bellwethers in computer and communications
technology that will affect electronic commerce -- since 1994

Your Host: Keith Dawson

This issue: < http://www.tbtf.com/archive/07-21-97.html >

C o n t e n t s

Disturbances in the Force
Corrupted root name databases
Of backbones and backhoes
SYN flooding attacks on Macintosh sites
Domain naming straws in the wind
.usa.to registry
Hijacking the InterNIC
Set free .org and .net
Microsoft meets the hackers
Trellix: specialized for hypertext
Followup: IAHC is not on hold
Followup: more comprehensive applet security
Name games with Microsoft

..Disturbances in the Force

The week just ended has been a particularly trying one for the In-
ternet. Numerous problems were caused by operator errors, mishaps
with heavy equipment [1], and denial-of-service attacks. This page
[2] collects links to press coverage of Internet outages. There
were four reports in April of this year, three in May, and two in
June. In the last two days at least 15 have appeared. (Note: some
of the listed links are already stale because they pointed to
topical stories in online newspapers. The stories are now either
offline or have been moved to long-term URLs.)

1. Corrupted root name databases

At 2:30 am Eastern time on Thursday morning an operator at NSI
ignored automated warnings and published corrupt databases for
the domains .com (142 MB) and .net (10 MB). Some of the eight
other root nameservers, which copy the master NSI data on a
staggered schedule, also became corrupted over the next four
hours before NSI discovered and fixed the error. (You might
well wonder what happened to that overnight operator. "We're
still talking to that individual," an NSI business manager said
later on Thursday. "He is being dealt with very appropriately.")

The NY Times has the most thorough and technically accurate cover-
age [3] of the incident and its aftermath. Additional detail is at
[4], which descends to a level so geeky as to list the nine root-
level name servers and to explain the software particulars behind
the spottiness and randomness of the incident's effects. Even the
Good Grey Times makes a few small errors -- [4] erroneously states
that NSI began charging to register domain names in 1996 (it was
1995), and [3] misstates the number of root nameservers, a factoid
cited correctly in [4].

Most of the press coverage is more confused. A common conflation
(see for example this San Jose Mercury-News [5] story) was associ-
ating the root-name problem with the previous weekend's AlterNIC
hack against the InterNIC servers (see story below). Anyone who
knows how the network works would quickly dismiss a link between
these incidents.

2. Of backbones and backhoes

See [6] for a sketch of four separate recent instances of circuit
loss, two involving backhoes [1] cutting fiber bundles. The back-
bone carriers had to route around the breaks until they were fixed
some hours later. WorldCon was the provider most affected by these

3. SYN flooding attacks on Macintosh sites

Macintosh users had a particularly hard week. In addition to the
above-mentioned network disruptions, they had to contend with de-
nial-of-service attacks mounted against the Web servers of a number
of popular Macintosh destinations: Macintouch, WebCentral, and Web-
intosh [7]. The SYN flooding attacks [8] followed a similar barrage
directed against the "Crack-a-Mac" contest site [9] the week be-
fore, leading to speculation that the attackers may want to dent
the Mac's reputation as the least vulnerable Web server platform.

[1] http://www.jcb.co.uk/backhoe.gif
[2] http://www.clark.net/pub/rbenn/outages.html
[3] http://www.nytimes.com/library/cyber/week/071897network.html
[4] http://www.nytimes.com/library/cyber/week/071897dns.html
[5] http://www.sjmercury.com/news/netglitch071797.htm
[6] http://www.mmp.co.uk/mmp/informer/netnews/HTM/718n1k.htm
[7] http://www.internetnews.com:80/isp-news/1997/07/1702-syn.html
[8] http://www.tbtf.com/archive/09-23-96.html
[9] http://hacke.infinit.se/

..Domain naming straws in the wind

On 7/15, three developments crossed my screen that are indicative of
the unsettled state of domain naming on the Net.

1. .usa.to registry

An enterprising Netizen has taken advantage of the Tonga registry
[10] to set up an exclusive dealership in .usa.to addresses [11].
(Warning: this site dispenses cookies with abandon.) Aaron Brew-
ster, president of Code:NET, Inc., seems to think that customers
will be so delighted to be able to get mcdonalds.usa.to, that they
won't think to acquire mcdonalds.to instead. Or in fact to acquire
biz.to, with a plan to subdivide it and go head-to-head with

2. Hijacking the InterNIC

On a shadier note, a proponent of alternate top-level domains has
produced a hack that promises to dramatically increase the portion
of the Web that recognizes his AlterNIC naming scheme [12]. Eugene
Kashpureff sends an artfully malformed response to a standard DNS
query from another name server, and the result is hard to disting-
uish from a virus. Kashpureff is able to spread recognition of his
names -- some would say to spread contagion -- to other name ser-
vers on the Net in the everyday course of business, and could po-
tentially do so surruptitiously. And there's worse. Over the week-
end of 7/12 Kashpureff somehow caused NSI's traffic to be redir-
ected to AlterNIC [13] (he's not saying how he accomplished this)
as a protest against NSI's claim to ownership of the .com domain.
One poster on a network-operations mailing list opined, "Mr. Kash-
pureff is in deep doggy doo."

3. Set free .org and .net

An InterNIC official is urging regulators to let people apply for
.org and .net domain names [14] in commercial contexts, relaxing
the once hard-and-fast limitations on the use of these TLDs.

[10] http://www.tbtf.com/archive/06-23-97.html
[11] http://www.usa.to/default.htm
[12] http://www.wired.com/news/news/culture/story/4715.html
[13] http://www.news.com/News/Item/0,4,12382,00.html
[14] http://www5.zdnet.com/zdnn/content/ylio/0715/ylio0001.html

..Microsoft meets the hackers

Last week DefCon 5, the hacker convention, happened to Las Vegas.
For the local color -- and there was quite a bit of it -- see Declan
McCullagh's writeup [15]. An excerpt will convey the flavor:

> By the time the conference began, the hotel's antiquated phone
> system had been penetrated and instructions distributed on how
> to call long distance for free. The hotel's radio frequencies
> quickly appeared on the DefCon mailing list. And someone was
> carrying around a door to a GTE truck -- I never found out why.

Microsoft attended its first Black Hat Briefing [16] and heard from
the inventors about the latest improvements [17] to security hole #8
(see [18] for earlier coverage and [19] for the collected Microsoft
security exploits). L0phtcrack is a tool for delivering plaintext
passwords for NT and LANMAN networks; in theory it allows one to
obtain NT passwords without administrator privileges given network
access between a client and the server under attack. The program
comes with unusual license terms: it is $50 shareware to government
and commercial users and freeware to all others

Microsoft systems, and NT in particular, are now being subjected to
the tough love of hacker scrutiny that once focused on Unix (and to
a lesser extent on Novell). The company has squared its shoulders
and resolved to work with the hackers with what good grace it can
muster. A spokesman said, "The hackers do a service. We're listening
and we're learning."

[15] http://www.cnn.com/TECH/9707/16/netly.news/index.html
[16] http://www.techweb.com/se/directlink.cgi?EET19970714S0021
[17] http://www.l0pht.com/advisories/l0phtcrack15.txt
[18] http://www.tbtf.com/archive/04-04-97.html
[19] http://www.tbtf.com/resource/ms-sec-exploits.html

..Trellix: specialized for hypertext

The wraps are coming off Dan Bricklin's new company (see TBTF for
7/2/96 [20]) and its product, Trellix 1.0, is bold indeed. (Full
disclosure: I know a good many of the people at Trellix, having
worked with them in past lives, and I participated in the com-
pany's market research and First Look programs.) In an era when
not even Microsoft can buck the Web's dominance with impunity,
Bricklin, co-inventor of Visicalc, looks anew at the problems of
writing, reading, navigating, and printing hypertexts. Trellix
1.0 is a Win-32 environment designed from the ground up to excel
at these tasks in a business environment. It's the first appli-
cation to use the ActiveX Hyperlinking Protocols -- in fact the
product is made up of ActiveX controls, which are themselves con-
tainers for each other. Its files are OLE-native structured storage
files. Its import and export functions, including of course to and
from HTML, are written in Visual Basic and are open to extension
by VARs and corporate developers. The Trellix 1.0 environment fea-
tures a freeform visual map of document structure; the author can
easily define canned "tours" through the hypertext content, which
the reader is free to follow or to depart from. The map will appeal
instantly to anyone who has struggled to visualize a hypertext un-
der development, or who has gotten lost in hyperspace because
browser navigation is linear and single-threaded. When Trellix 1.0
exports a hypertext to HTML, the visual map is preserved as a Java
applet keyed to the HTML pages. And Trellix 1.0 is smart about
printing -- it can follow through links, tours, and sequences to
print an entire hypertext document complete with table of contents.

On Monday 7/21 the Trellix site [21] will open for free downloads.
I urge everyone who runs Windows 95 or Windows NT to give Trellix
1.0 a close look.

[20] http://www.tbtf.com/archive/07-02-96.html
[21] http://www.trellix.com/

..Followup: IAHC is not on hold

Dave Crocker <dcrocker@brandenburg.com>, a member of the original
International Ad Hoc Committee and now of the ongoing working group,
sent the following clarifications to the article "Justice Department
to investigate Network Solutions" published in TBTF for 7/14/97 [22].
I reproduce his comments as received and invite interested readers
to visit the gtld-mou site [23] for their perspective.

> The plan worked out by the International Ad Hoc Committee to
> introduce competition to domain naming is on hold [8].

This assessment is incorrect. The IAHC is not on hold. It is
very much proceeding. We are taking a bit longer to get the
application form and second MoU (the ones the registrars must
sign) out but we are within days of finishing it and starting
to accept applications.

> on 7/10 an industry group called the Association for
> Interactive Media convened an "Open Internet Congress" in
> Washington [9], ostensibly to assure that business has a say
> in the governance of the Net.

Attendance was a whopping 48. They have no specific, constructive
alternatives to the IAHC and, instead, seem only interested in
stopping the IAHC work.

Your use of explicit citations underscores the rather troubling
pattern of press coverage on this topic. Anyone who speaks out
seems to be taken as credible, no matter how outrageous or
factually incorrect their statements. The various AIM press
releases are probably the most extreme example of this.

In reality, the list of supporting signatories for the gTLD MoU
continues to grow and I encourage anyone who is interested to
visit <http://www.gtld-mou.org> for details, including the
most current version of the signatory list.

[22] http://www.tbtf.com/archive/07-14-97.html#s03
[23] http://www.gtld-mou.org/

..Followup: more comprehensive applet security

Andrew Herbert <ajh@digitivity.com> sent the following note in
response to the article "Wash that Trojan horse's mouth out with
soap" in TBTF for 7/14/97 [24]. Digitivity's CAGE scheme does in-
deed seem architected to provide stronger applet security than
approaches like those of Finjan or McAfee, particularly for cor-
porate intranets firewalled from the Internet. See the comparison
table about two-thirds of the way down [25]. Herbert writes:

For an alternative to FinJan's filtering approach, have a look
at my company's product which lets you run Java without having
it cross your firewall.

Filtering approaches are either too severe, and stop you running
anything at all, or else they run the risk of letting a hostile
through. We solve the problem by running Java in a physically
reinforced sandbox.

With the rate at which bugs in browser sandboxes turn up,
keeping Java out of your intranet is the safest way.

Supplementary to the stuff described on [25] we plan to add a
filter that removes Javascript and ActiveX to our AppRouter.
We will just trash them rather than Cage them at this time.

[24] http://www.tbtf.com/archive/07-14-97.html#s05
[25] http://www.digitivity.com/html/text/products.html

..Name games with Microsoft

Last month news.com carried the story [26] of Danny Khoshnood, of
Los Angeles, who registered the domain name microsoftnetwork.com
and then began a spree of registering embarassing names to this
fictitious entity. Some suggesting racy content, others were uncom-
fortably close to actual Microsoft product names. (The story was
spread far and wide by NetSurfer Digest [27].) More recently word
has begun circulating of "interesting" domain names registered to
the bona-fide Microsoft Corporation of Redmond, WA: names such as
bill-is-lord.com, resistance-is-futile.com, and weshallprevail.com.
These turn out to be copycat hoaxes. On 7/12 CobraBoy
<tbyars@earthlink.net> coerced the Domain Name Service into divul-
ging all names then registered to any entity containing the string
"microsoft" and posted the raw data on a private mailing list. See
[28] for the snapshot as of that date. The box score was:

100 apparently bona-fide names registered to Microsoft Corp.

10 names registered to other apparently legitimate entities

61 names registered to Danny Khoshnood, Los Angeles, CA

6 "copycat" hoaxes, or other names registered to people outside
of Microsoft, and not served by Microsoft name servers

5 apparently personal names registered to Microsoft employees (?)

[26] http://www.news.com/News/Item/0,4,11080,00.html
[27] http://cogsci.soton.ac.uk/~cjc/NSD/nsd0318.html#OC2
[28] http://www.tbtf.com/resource/moft-names.html

N o t e s

> This week's TBTF title comes from Lewis Carroll, whose White Knight
[29] has nearly as much fun with names, and pointers to names, as
the Net has had this week.

[29] http://www.cs.toronto.edu/~chechik/courses/csc324/white.html

S o u r c e s

> For a complete list of TBTF's (mostly email) sources, see
< http://www.tbtf.com/sources.html >.

> NetSurfer Digest -- mail nsdigest-request@netsurf.com without subject
and with message:subscribe nsdigest-html . Web home at

TBTF home and archive at < http://www.tbtf.com/ >. To subscribe
send the message "subscribe" to tbtf-request@world.std.com. TBTF
is Copyright 1994-1997 by Keith Dawson, <dawson@world.std.com>.
Commercial use prohibited. For non-commercial purposes please
forward, post, and link as you see fit.
Keith Dawson dawson@world.std.com
Layer of ash separates morning and evening milk.

Version: 2.6.2, by FileCrypt 1.0