> ..Hackers shut down microsoft.com?
> www.microsoft.com was unavailable sporadically for two days
> beginning Thursday 6/19. Microsoft originally said the outage was
> a result of a number of factors occurring together: unusually
> high demand,
Unusually high demand on a Thursday morning?
> the consolidation of two data centers, and a bug
> in its network software.
Bugs in Microsoft software? Never!
> Some news wires picked up this version
> of the story. It now develops that the outage was caused by a
> new kind of denial-of-service attack on NT servers running
> Internet Information Server. The attack, which can be launched
> from across the Internet from any Netscape Navigator 3.0 browser
> running Java 1.0.2, disables IIS but does not crash the NT server
> completely. Microsoft has now found and fixed the bug and posted
> patches on its site along with an explanation. I had difficulty
> getting to the Microsoft site on Saturday -- I hope the
> server is just busy this time --
I had difficulty getting there on Saturday, too. Actually, also today.
> so here is an alternate source
> for Microsoft's explanation. It reads in part:
> > The issue requires a very special URL to be generated for each
> > server being attacked. There is no one URL that can bring
> > every server down. The URL varies by server and by the current
> > state of the server (current memory, current load -- both of
> > which constantly change). A malicious hacker could write a
> > program to find the exact character sequence. A hacker simply
> > can't publish a URL that would bring down an IIS server. After
> > sending continuous requests to a server for a period of time,
> > a program might find the right URL sequence and cause the web
> > server to stop running.
> The fix includes a provision for logging the IP address of any
> machine attempting this attack on a patched server.
> The bug's discoverer, Todd Fast <firstname.lastname@example.org>, expresses on his
> Web page extreme skepticism that this bug, exploited by hackers
> unknown, could be responsible for Microsoft's recent service
Agreed, they were looking for a Patsy.
> This is bug #11 on the TBTF Microsoft Exploit list.
>  <URL:http://www.news.com/News/Item/0,4,11775,00.html>
>  <URL:ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/iis-fix/>
>  <URL:http://www.microsoft.com/misc/upgrademessage2.htm>
>  <URL:http://xp8.dejanews.com/getdoc.xp?recnum=8236488&server=db97p3&CONTEXT=866906925.6797&hitnum=0>
>  <URL:http://www.eden.com/~tfast/jihad.html>
>  <URL:http://www.tbtf.com/resource/ms-sec-exploits.html>
FWIW, this is very nicely done.
> ..DES cracked
> On 6/18/97, for the first time in history (as far as anyone in
> the non-secret world knows), a message encrypted with 56-bit
> DES was successfully decrypted.
> The crack was an informal effort
> coordinated over the Net by a group called DESCHALL (DES
> challenge). The press release is here. The group was
> responding to RSA Data Security's challenge, which carries
> a $10,000 reward. Over 78,000 computers participated in the
> challenge since it opened on January 29, mostly contributing
> "spare" cycles.
Yeah, I think I involuntarily forked over a few of those cycles.
> Over the final weekend more than 14,000 machines
> were at work. Peter Trei <email@example.com> has estimated that
> the calculation consumed 457,000 MIP-years -- 100 times more CPU
> effort than the distributed crack of RSA-129. He posits the
> DES crack may have been the largest calculation ever undertaken
> by the human race, though this assertion has been challenged on
> the Cryptography list.
> The secret message read:
> "Strong cryptography makes the world a safer place."
The spooks couldn't come up with anything better?
Squeamish ossifrage was at least something I couldn't guess...
> The group got lucky: they found the secret key after checking
> not quite 25% of the 72 trillion possible keys.
This is lucky?
> Here are four graphs that give a good idea of the scope of
> the effort. This graph generator lets you explore the space
> of challenge participants. I discovered that MIT, with several
> hundred hosts participating, was consistently in the top 10 most
> productive domains in numbers of keys checked -- until the last
> four days of the challenge, when a new port of the key-checking
> code for the 64-bit UltraSPARC catapulted Sun's contribution to
> the top of the list.
Go, sparky, go!
> The day before the crack succeeded, Senators John McCain and Bob
> Kerrey introduced legislation (see story below) that would codify
> the current 56-bit limit on exportable crypto products (besides
> its main purpose of mandating government access to private keys).
Nice timing, as always.
> DESCHALL has demonstrated unambiguously that 56 bits is no longer
>  <URL:http://www.frii.com/~rcv/deschall.htm>
>  <URL:http://www.frii.com/~rcv/despr4.txt>
>  <URL:http://www.rsa.com/rsalabs/97challenge/>
>  <URL:ftp://ftp.ox.ac.uk/pub/math/rsa129/rsa129.ps.gz>
>  <URL:http://www.cis.ohio-state.edu/~dolske/des97/deschall.html>
>  <URL:http://www.cis.ohio-state.edu/~dolske/des97/graph.html>
> ..Micropayments: an informal survey
> TBTF for 5/22/97 reflected on the Economist's survey on electronic
> commerce, the initial premise of which is that the experts who
> predicted a frictionless future of disintermediated commerce
> lubricated by micropayments got it fundamentally wrong -- so far.
> (The survey is no longer available online as the Economist has
> gone over to access by paid subscription only.)
This sucks, by the way.
> Here's Phil Agre
> <firstname.lastname@example.org>, proprietor of the Red Rock Eater News Service,
> grousing from a similar point of view:
> > I'm a little disappointed with certain Internet people who
> > envision all sorts of futuristic electronic commerce
> > scenarios in which everyone pays for everything incrementally
> > using micropayment systems -- what Vinny Mosco called "the
> > pay-per society" -- but who then turn around and resist
> > that same principle when it applies to their own use of
> > the Internet. These folks want a la carte for everyone
> > else, but the buffet for themselves.
Exactly!! Gimme the 24-hour-a-day buffet and a nice window seat.
> I'll admit to a continuing fascination with the technologies of
> electronic cash and anonymous trust; and in that spirit I
> volunteered TBTF to beta test Digital's Millicent payment system
> this summer.
Yipes. Say it ain't so!
> Subscribers, please send me a note with your reactions to the idea
> that parts of the TBTF site might one day be available on a "pay-
> per" basis. Would you pay a nickel for the convenience of reading
> TBTF on the Web where the links are live? A penny? A tenth of a
> cent? Would you just read the email and grumble? Or would you
> flame me and unsubscribe in disgust? (Note that the beta test
> will almost certainly be conducted using scrip of no value.)
Ugh. I don't mind nickel and diming as long as they can figure out a
way to not let it be wasting my time.
> I'll publish your collected remarks in a future Tasty Bit of the
> Day. Let me know if you prefer anonymity.
>  <URL:http://www.tbtf.com/archive/05-22-97.html>
>  <URL:http://millicent.digital.com/>
Ah, millicent, how I wish I could believe in thee.
> ..Obvious, useful, cool
> Here are two high-quality sources of Net information that might
> interest TBTF readers: Stating the Obvious and That's Useful, This
> is Cool. Michael Sippey's Stating the Obvious is, like TBTF,
> a daily-updated Web page and a weekly mailing. (It is from Sippey
> that I picked up the term "retro-push".) The man must spend even
> more time online than I do, though I don't know how one could; and
> he has sufficient personal bandwidth left to think about the online
> life and to write about it, sensibly and winningly. Lynn Siprelle's
> TUTIC brings you two links per weekday: one useful, one cool,
> with a paragraph describing each. (Unlike TBTF, TUTIC takes the
> weekends off.) You can pull them from the Web or have TUTIC push
> them by email. A simple concept, nicely executed.
>  <URL:http://www.theobvious.com/>
>  <URL:http://www.simplecool.com/>
I read both of these regularly, too. They're usually pretty darned
[Insert multi-culti expletive of choice], when are you going to get it
straight that the bits only flow one way in this relationship?
-- Rohit Khare