Microsoft crashes, DES cracks, and Micropayments stink.

I Find Karma (
Mon, 23 Jun 97 01:57:20 PDT

Tasty bits from the Technology Front was very tasty.
Figured I'd share a little...

> ..Hackers shut down
> was unavailable sporadically for two days be-
> ginning Thursday 6/19. Microsoft originally said the outage was
> a result of a number of factors occurring together: unusually
> high demand,

Unusually high demand on a Thursday morning?

> the consolidation of two data centers, and a bug
> in its network software.

Bugs in Microsoft software? Never!

> Some news wires picked up this version
> of the story. It now develops that the outage was caused by a
> new kind of denial-of-service attack on NT servers running In-
> ternet Information Server [1]. The attack, which can be launched
> from across the Internet from any Netscape Navigator 3.0 browser
> running Java 1.0.2, disables IIS but does not crash the NT server
> completely. Microsoft has now found and fixed the bug and posted
> patches [2] on its site along with an explanation [3]. I had dif-
> ficulty getting to the Microsoft site on Saturday -- I hope the
> server is just busy this time --

I had difficulty getting there on Saturday, too. Actually, also today.

> so here is an alternate source
> [4] for Microsoft's explanation. It reads in part:
> > The issue requires a very special URL to be generated for each
> > server being attacked. There is no one URL that can bring
> > every server down. The URL varies by server and by the current
> > state of the server (current memory, current load -- both of
> > which constantly change). A malicious hacker could write a
> > program to find the exact character sequence. A hacker simply
> > can't publish a URL that would bring down an IIS server. After
> > sending continuous requests to a server for a period of time,
> > a program might find the right URL sequence and cause the web
> > server to stop running.


> The fix includes a provision for logging the IP address of any ma-
> chine attempting this attack on a patched server.
> The bug's discoverer, Todd Fast <>, expresses on his
> Web page [5] extreme skepticism that this bug, exploited by hack-
> ers unknown, could be responsible for Microsoft's recent service
> problems.

Agreed, they were looking for a Patsy.

> This is bug #11 on the TBTF Microsoft Exploit list [6].
> [1] <URL:,4,11775,00.html>
> [2] <URL:>
> [3] <URL:>
> [4] <URL:>
> [5] <URL:>
> [6] <URL:>

FWIW, this [6] is very nicely done.

> ..DES cracked
> On 6/18/97, for the first time in history (as far as anyone in
> the non-secret world knows), a message encrypted with 56-bit
> DES was successfully decrypted.


> The crack was an informal ef-
> fort coordinated over the Net by a group called DESCHALL (DES
> challenge) [7]. The press release is here [8]. The group was
> responding to RSA Data Security's challenge [9], which carries
> a $10,000 reward. Over 78,000 computers participated in the
> challenge since it opened on January 29, mostly contributing
> "spare" cycles.

Yeah, I think I involuntarily forked over a few of those cycles

> Over the final weekend more than 14,000 machines
> were at work. Peter Trei <> has estimated that
> the calculation consumed 457,000 MIP-years -- 100 times more CPU
> effort than the distributed crack of RSA-129 [10]. He posits the
> DES crack may have been the largest calculation ever undertaken
> by the human race, though this assertion has been challenged on
> the Ctyptography list.
> The secret message read:
> "Strong cryptography makes the world a safer place."

The spooks couldn't come up with anything better?
Squeamish ossifrage was at least something I couldn't guess...

> The group got lucky: they found the secret key after checking
> not quite 25% of the 72 trillion possible keys.

This is lucky?

> Here are four graphs [11] that give a good idea of the scope of
> the effort. This graph generator [12] lets you explore the space
> of challenge participants. I discovered that MIT, with several
> hundred hosts participating, was consistently in the top 10 most
> productive domains in numbers of keys checked -- until the last
> four days of the challenge, when a new port of the key-ckecking
> code for the 64-bit UltraSPARC catapulted Sun's contribution to
> the top of the list.

Go, sparky, go!

> The day before the crack succeeded, Senators John McCain and Bob
> Kerrey introduced legislation (see story below) that would codify
> the current 56-bit limit on exportable crypto products (besides
> its main purpose of mandating government access to private keys).

Nice timing, as always.

> DESCHALL has demonstrated unambiguously that 56 bits is no longer
> enough.
> [7] <URL:>
> [8] <URL:>
> [9] <URL:>
> [10] <URL:>
> [11] <URL:>
> [12] <URL:>
> ..Micropayments: an informal survey
> TBTF for 5/22/97 [26] reflected on the Economist's survey on elec-
> tronic commerce, the initial premise of which is that the experts
> who predicted a frictionless future of disintermediated commerce
> lubricated by micropayments got it fundamentally wrong -- so far.


> (The survey is no longer available online as the Economist has
> gone over to access by paid subscription only.)

This sucks, by the way.

> Here's Phil Agre
> <>, proprietor of the Red Rock Eater News Service,
> grousing from a similar point of view:
> > I'm a little disappointed with certain Internet people who
> > envision all sorts of futuristic electronic commerce scen-
> > arios in which everyone pays for everything incrementally
> > using micropayment systems -- what Vinny Mosco called "the
> > pay-per society" -- but who then turn around and resist
> > that same principle when it applies to their own use of
> > the Internet. These folks want a la carte for everyone
> > else, but the buffet for themselves.

Exactly!! Gimme the 24-hour-a-day buffet and a nice window seat.

> I'll admit to a continuing fascination with the technologies of
> electronic cash and anonymous trust; and in that spirit I vol-
> unteered TBTF to beta test Digital's Millicent payment system [27]
> this summer.

Yipes. Say it ain't so!

> Subscribers, please send me a note with your reactions to the idea
> that parts of the TBTF site might one day be available on a "pay-
> per" basis. Would you pay a nickel for the convenience of reading
> TBTF on the Web where the links are live? A penny? A tenth of a
> cent? Would you just read the email and grumble? Or would you
> flame me and unsubscribe in disgust? (Note that the beta test
> will almost certainly be conducted using scrip of no value.)

Ugh. I don't mind nickel and diming as long as they can figure out a
way to not let it be wasting my time.

> I'll publish your collected remarks in a future Tasty Bit of the
> Day. Let me know if you prefer anonymity.
> [26] <URL:>
> [27] <URL:>

Ah, millicent, how I wish I could believe in thee.

> ..Obvious, useful, cool
> Here are two high-quality sources of Net information that might
> interest TBTF readers: Stating the Obvious and That's Useful, This
> is Cool. Michael Sippey's Stating the Obvious [28] is, like TBTF,
> a daily-updated Web page and a weekly mailing. (It is from Sippey
> that I picked up the term "retro-push".) The man must spend even
> more time online than I do, though I don't know how one could; and
> he has sufficient personal bandwidth left to think about the online
> life and to write about it, sensibly and winningly. Lynn Siprelle's
> TUTIC [29] brings you two links per weekday: one useful, one cool,
> with a paragraph describing each. (Unlike TBTF, TUTIC takes the
> weekends off.) You can pull them from the Web or have TUTIC push
> them by email. A simple concept, nicely executed.
> [28] <URL:>
> [29] <URL:>

I read both of these regularly, too. They're usually pretty darned


[Insert multi-culti expletive of choice], when are you going to get it
straight that the bits only flow one way in this relationship?
-- Rohit Khare