TBTF for 1999-09-11: Here's how it works

Keith Dawson (dawson@world.std.com)
Sat, 11 Sep 1999 19:55:41 -0400


TBTF for 1999-09-11: Here's how it works

T a s t y B i t s f r o m t h e T e c h n o l o g y F r o n t

Timely news of the bellwethers in computer and communications
technology that will affect electronic commerce -- since 1994

Your Host: Keith Dawson

ISSN: 1524-9948

This issue: < http://tbtf.com/archive/1999-09-11.html >

B e n e f a c t o r s

TBTF is free. If you get value from this publication, please visit
the TBTF Benefactors page < http://tbtf.com/the-benefactors.html >
and consider contributing to its upkeep.

C o n t e n t s

EU moving rapidly to open export of strong crypto
Sweden: general license for 128-bit crypto
Germany deregulates crypto exports
Sorting out the Microsoft _NSAkey flap
US Army moves from NT to Macintosh Web server
Swedish teen on trial for linking to music files
Robot misbehavior
Log-file pollution
Cost transfer
Smart dust
Dark matter annihilation at the galaxy's core
The partial eclipse at the duomo
Here's how it works

..EU moving rapidly to open export of strong crypto

Ahead of European Parliament discussions of accusations of US
industrial espionage raised by the IC2000 report [1], EU countries
are moving one-by-one to liberalize their encryption laws. They aim
to inoculate the EU against the threat of organized and unaccountable
spying posed by the US-led Echelon system. This movement toward the
free export of 128-bit crypto will put further pressure on an
ever-more-isolated US policy of export control. This Nando Times
article [2] gives a good brief overview of worldwide concerns over
Echelon.

(Note: turn off graphics before following [1]. The text alone
downloads 332K and the graphics add little to the report.)

[1] http://www.iptvreports.mcmail.com/interception_capabilities_2000.htm
[2] http://www.nandotimes.com/technology/story/body/0,1634,89923-142316-981920-0,00.html

..Sweden: general license for 128-bit crypto

Sten Linnarsson <sten at cajal dot mbb dot ki dot se> of the
Karolinska Institute published this note to the EUcrypto mailing list.

I finally managed to confirm that the decision taken on June
23rd [3] [this link is in Swedish -- kd] to liberalize crypto
export takes the form of a general export license which allows
you to export 128-bit mass-market crypto to a list of approved

The EU is not considered "export"; you can distribute any
crypto you like within it. The general license extends to
about 60 countries, including USA, most of South America,
China, Japan, Israel, Egypt, India, the Baltic states,
Russia, Indonesia, and Mexico. Absent are, among others: Serbia,
Libya, Afghanistan, Colombia, most African countries, and
some Central American countries.

"Mass-market" has the same definition as in Wassenaar (sold
in mass-market channels, accessible to the public, crypto not
modifiable, installable without support).

With Germany and France already moving, this probably means
that most EU countries will move toward free strong crypto.

The general license can be found in Tullverkets
Forfattningssamling TFS 1999:40, July 1st 1999.

[3] http://www.ud.se/pressinf/pressmed/1999/juni/990623_5.htm

..Germany deregulates crypto exports

A German technology magazine published a brief piece [4] (in German)
stating that the German government intends to remove most of the red
tape from the export of commercial crypto products. Here is a rough
translation of the article, courtesy of TBTF Irregulars [5] Justin
Mason <jm at netnoteinc dot com> and Mark Kraml <kraml at ibm dot

German encryption software to be freely exportable. The
Federal Republic eases the export of encoding technique.
Exporters of [crypto products], which can be qualified as
mass-market goods, will no longer need individual permits
starting September 1st for third country markets. "There
are no limits based on any specific key lengths" said
secretary of state for the economy [Siegmar Mosdorf] on Friday
in Berlin. Rather, for mass-market products a basic export
control requirement will be defined in the future; this,
however, is reduced to the absolute minimum necessary.

The new regulation applies to all but a few countries worldwide,
if goods are not intended for "a sensitive use as in military
work or for weapons of mass destruction." [Exporters] must decide
in the future whether their products qualify for the exemption and
maintain documentation to that effect.
There is no longer a general requirement to register.

[4] http://www.heise.de/newsticker/data/cp-27.08.99-003/
[5] http://tbtf.com/the-irregulars.html

..Sorting out the Microsoft _NSAkey flap

Did Microsoft build a back door into Windows for the NSA?
I'm doubting it

By now you've heard all about the extra signing key found in
Microsoft's CryptoAPI in all Win95, 98, NT, and 2000 systems. Here's
the posting by Andrew Fernandes that started all the fuss [6]. The
BBC has an annotated screen shot [7] of a debugger session showing
the variable named, portentously, _NSAkey. Microsoft's official
response [8] to the flap makes a whole lot more sense than assuming
that the National Security Agency had somehow weakened Microsoft's
crypto and tagged the fix "_NSAkey." To put a few authoritative
nails in this coffin, read the thoughts of Russ Cooper [9],
proprietor of NTBugTraq, and of the noted cryptographer Bruce Schneier

The investigations of Fernandes (building on work last year by Nicko
van Someren and Adi Shamir) have publicized a way to disable crypto
export control in Windows. Anyone outside the US can replace _NSAkey
with their own key, and use that key to sign a crypto module of any
strength, and then use that strong crypto under the auspices of
Windows. But note that this impotence of Microsoft's CryptoAPI to
control what crypto gets run is not new news. Bruce Schneier pointed
out this Windows weakness in his CRYPTO-GRAM newsletter last April
[11], before anybody discovered the name of the replaceable second

Over the weekend Brian Gladman <gladman at seven77 dot demon dot co
dot uk> posted a note [12] to the UK Crypto list demonstrating that
the Microsoft CryptoAPI had been a serious political issue in
Britain 3-1/2 years ago. He worked with British authorities to make
sure that Microsoft UK was able to sign cryptographic modules
separately from the US authority.

The _NSAkey fiasco raises four separate issues, and little of the
commentary I've read makes much effort to disentangle them. The
issues are:

1. Did Microsoft collude with the NSA? (Answer: who knows?
Probably not.)

2. Will Microsoft's actions allow the NSA to penetrate the
computers of Windows users? (Answer: almost certainly not.)

3. Did the US government, represented by the NSA, work with
Microsoft to assure that only weak crypto is exportable in the
Windows framework? (Answer: absolutely.)

4. Does Microsoft's CryptoAPI implementation allow anyone to
circumvent the restrictions imposed by US crypto export rules?
(Answer: yes, demonstrably.)
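
To make issue 4 concrete, here is an added example of my own (not
code from TBTF, from Fernandes, or from Microsoft) that models a
loader which runs a crypto module only if its signature verifies under
any key in an embedded root table. The textbook RSA with toy key
sizes, the slot names "_KEY" and "_NSAKEY", the module contents, and
the published-fingerprint check are all constructed assumptions. What
it shows is that such a control holds only while every slot's private
key is held by the authority the policy presumes; once one slot can be
overwritten, any module verifies. The closing check shows what a
loader would need in order to at least notice that its root table no
longer matches the one the vendor shipped.

```python
# Added example (not from TBTF or Microsoft): toy model of a module loader
# that trusts any of several embedded signing keys. RSA here is textbook
# RSA at toy size; slot names and module contents are constructed.
import hashlib
import math
import random


def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin probable-prime test; adequate for toy key sizes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def keypair(seed, bits=128, e=65537):
    """Deterministic textbook-RSA keypair (toy size): returns (public, private)."""
    rng = random.Random(seed)

    def prime():
        while True:
            cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
            if _is_probable_prime(cand, rng):
                return cand

    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest(module, n):
    """SHA-256 of the module reduced into the modulus (toy padding)."""
    return int.from_bytes(hashlib.sha256(module).digest(), "big") % n


def sign(module, priv):
    n, d = priv
    return pow(_digest(module, n), d, n)


def verify(module, sig, pub):
    n, e = pub
    return pow(sig, e, n) == _digest(module, n)


class ModuleLoader:
    """Runs a crypto module only if its signature verifies under ANY key in
    the embedded root table -- the policy the article ascribes to CryptoAPI."""

    def __init__(self, roots):
        self.roots = dict(roots)  # slot name -> public key, "inside the binary"

    def accepts(self, module, sig):
        return any(verify(module, sig, pub) for pub in self.roots.values())

    def fingerprint(self):
        """Digest of the whole root table, as a vendor could publish."""
        h = hashlib.sha256()
        for name in sorted(self.roots):
            n, e = self.roots[name]
            h.update(f"{name}:{n}:{e}".encode())
        return h.hexdigest()


def demo():
    """Walks through the states the article describes; returns booleans."""
    vendor_pub, vendor_priv = keypair(seed=1)   # the vendor's signing key
    second_pub, _ = keypair(seed=2)             # second slot; holder unknown
    loader = ModuleLoader({"_KEY": vendor_pub, "_NSAKEY": second_pub})
    published = loader.fingerprint()            # digest published at ship time

    export_module = b"constructed: export-grade 40-bit CSP"
    strong_module = b"constructed: 128-bit CSP the vendor never signed"
    out = {}
    out["vendor_signed_accepted"] = loader.accepts(
        export_module, sign(export_module, vendor_priv))
    # A signature over a different module does not carry over.
    out["mismatched_sig_rejected"] = not loader.accepts(
        strong_module, sign(export_module, vendor_priv))

    # Overwrite the second slot with a freshly generated key (the replacement
    # the article describes); the control now rests on whoever did that.
    my_pub, my_priv = keypair(seed=3)
    loader.roots["_NSAKEY"] = my_pub
    out["strong_accepted_after_replace"] = loader.accepts(
        strong_module, sign(strong_module, my_priv))
    # A loader that compared its root table to the published digest before
    # trusting it would at least notice that a slot had been changed.
    out["tamper_detected"] = loader.fingerprint() != published
    return out
```

Run `demo()` and every value comes back True: the vendor-signed module
loads, a mismatched signature is refused, a module signed under the
replaced second key loads just as readily, and the fingerprint check is
the only thing in the model that registers the difference.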

What will be the fallout of this tangle? Even more people will be
made aware that Microsoft security is porous. Even more people will
learn of the utter inability of US controls to stop the export of
technology which truly escaped a decade ago. And even fewer people
will believe what Microsoft says, even though in the matter of the
_NSAkey the company is probably telling the truth. A few years back
Nicholas Petreley, the IDG pundit, summed up the common perception
this way:

If you threw Microsoft into a room with truth, you'd risk a
matter / anti-matter explosion.

[6] http://www.cryptonym.com/hottopics/msft-nsa.html
[7] http://news.bbc.co.uk/olmedia/435000/images/_437967_nsa300.gif
[8] http://www.microsoft.com/security/bulletins/backdoor.asp
[9] http://ntbugtraq.ntadvice.com/_nsakey.asp
[10] http://www.deja.com/getdoc.xp?AN=520853963
[11] http://www.counterpane.com/crypto-gram-9904.html#certificates
[12] http://jya.com/msnsa-not.htm

..US Army moves from NT to Macintosh Web server

They picked your locks? Then put up a brick wall

After the hacker group Global Hell defaced the US Army's Web site
[13] (note: link may deactivate after 1999-09-15), the Army
investigated ways to secure their Web presence. One action they took
was to shut down their public-facing Windows NT server and replace it
with a Macintosh [14] running the WebStar server. As one poster
noted in the Slashdot discussion [15], one factor that renders MacOS
secure is its "quaint" (his word) native reliance on the AppleTalk
protocol over TCP/IP. An out-of-the-box Macintosh on the Net
presents no open ports through which attackers may enter, just port
80 to the Web server. Two years ago the Crack-a-Mac Challenge [16]
survived thousands of break-in attempts over 6 weeks before
succumbing to a hole (immediately fixed) in a 3rd-party add-on to the
WebStar server.

The White House server was also cracked by Global Hell, which may
motivate this Federal Times story's claim [17] (note: this looks
like a temporary URL) that the executive is studying how best to
diversify the government's infrastructure away from reliance on
Microsoft in favor of open source systems.

Look for a marked dip in Windows sales to the US government and,
over time, to other organizations with high security needs. The
introduction of Windows 2000, with its reportedly immense learning
curve, might make a natural break-point.

[13] http://www.washingtonpost.com/wp-srv/feed/articles/a656-1999sep1.htm
[14] http://www.dtic.mil/armylink/news/Sep1999/a19990901hacker.html
[15] http://slashdot.org/comments.pl?sid=99%2F09%2F10%2F1034202&threshold=4&mode=thread&commentsort=3
[16] http://tbtf.com/archive/1997-08-18.html#s01
[17] http://www.federaltimes.com/topstory.html

..Swedish teen on trial for linking to music files

Digital technology is the universal solvent of intellectual
property rights

Is it piracy to put up a page of links to music files? Tommy
Olsson is waiting to hear a Swedish court's ruling on that question
[18]. Olsson didn't create any music files, copy them, or send them
to anyone. The case is the first to go to trial of some 1000 Web
sites challenged over the last two years by the Swedish branch of
the International Federation of the Phonographic Industry, which
represents record companies. If convicted Olsson could be fined a
few hundred dollars, which is about how much he made from ads on
his Web site. But a conviction could leave him liable for damages.
Thanks to TBTF Irregular [5] Chuck Bury <cbury at softhome dot
net> for the tipoff. And thanks, indirectly, to Tom Parmenter
<tompar at world dot std dot com> for the subtitle -- it's been
his tag line on the now-revived Desperado mailing list since the
early 1980s. (Send the message "subscribe" to
desperado-request@world.std.com. Drop the quotes.)

[18] http://www.mercurycenter.com/svtech/news/breaking/merc/docs/043449.htm

..Robot misbehavior

In recent days I've seen two instances of the effect a runaway robot
can have on a Web site. The first was close to home: for eight days
beginning on 1999-08-27, up to a third of the bytes in my log file
were failed attempts by someone inside Microsoft's firewall to use
my site as a proxy for a content channel at real.com. This was
merely annoying and inconvenient. The second instance was potentially
more serious: a commercial Web site was discovered transferring its
costs onto an uninvolved Netizen. The current informal standard
governing how robots act on a site, the robots.txt file, is silent on
these sorts of abuses.

..Log-file pollution

Someone at Microsoft was polluting my Web log file. Every minute of
every day, at 18 seconds after the minute, someone at Microsoft was
depositing the following 339-character string into my Web log
(nearly 1/2 MB per day). I've broken it into 60-character chunks for

tide78.microsoft.com - - [01/Sep/1999:23:59:18 -0500] "GET h
n-US, en, *&LID=1033&ch=70+132+0+0+programs=intro,52,33,50&c
+0+0&ch=98+24+0+0+0 HTTP/1.0" 403 220 -

"tide78" is one of Microsoft's gateways; traffic from such an
address means that someone at microsoft.com is calling. The "403"
near the end means that my server refused the proxy request. So
this impolite behavior gained its perpetrator not a fig. TBTF's
host ISP wrote to Microsoft asking them to locate and stop this
logfile polluter, but got back only a form letter.

My guess is that someone with a channel-enabled browser (IE5?)
happened to be looking at tbtf.com when setting up a channel
request, and somehow ended up proxying the once-a-minute request
through my site.

I posted my dilemma as a Tasty Bit of the Day with the title
"Please make it stop" and implored any reader within Microsoft
to forward it to the IS department. Three readers wrote in with
helpful comments; one had forwarded my problem to the
appropriate Microsoft group. The barrage ceased 20 hours later. (The
power of the press belongs to him as owns one.)

..Cost transfer

After I posted the above, a reader sent in the following note
that Linus Gelber <linus at panix dot com> had posted to a local
list. It is excerpted here by permission.

So I'm browsing our logs from the Home Office Records site
[19] yesterday and I note that our Gigometer page of local
concert listings is being downloaded every 15 minutes by a
certain netmind.com, which turns out to be a service that
alerts customers when web pages of their choice have been

Our stats for the first four days of September show that
netmind.com made 501 file requests from our site before we
blocked them, for a total of nearly 5 megs of transfer (it
appears that we caught them very early). Had this gone
unchecked, they would ultimately have been downloading 120 to
150 megs a month for their commercial service, for which of
course we would be footing the bill. I've written them
concerning theft of services and general inappropriate behavior.

[19] http://www.web-ho.com/
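
The two cases above share one signature in the log: a single client
fetching at a fixed cadence, whether once a minute or every fifteen
minutes. The following is an added example of my own (not code from
TBTF or from Linus Gelber) that parses Common Log Format lines, groups
hits by client, and flags clients whose inter-request gaps are nearly
constant; for each flagged client it also counts proxy-style requests
(absolute-URL targets, as in the tide78 line) and 403 refusals. The
log lines it runs on are constructed to resemble the two cases; the
hostnames other than tide78.microsoft.com, the paths, the byte counts,
and the timings are assumptions.

```python
# Added example (not from TBTF): flag clients with metronomic request
# timing in a CLF-style access log. Sample lines are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Common Log Format: host ident user [timestamp] "METHOD target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse(lines):
    """Yield (host, timestamp, target, status) for every line that parses."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["host"], ts, m["target"], int(m["status"])


def find_periodic_clients(lines, min_hits=4, max_jitter_s=5.0):
    """Flag hosts whose inter-request gaps are nearly constant.

    Returns {host: summary}; a summary also counts proxy-style requests
    (absolute-URL targets) and 403 refusals."""
    by_host = defaultdict(list)
    for host, ts, target, status in parse(lines):
        by_host[host].append((ts, target, status))
    report = {}
    for host, hits in by_host.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        if pstdev(gaps) > max_jitter_s:
            continue  # irregular timing: looks like a person, not a robot
        report[host] = {
            "hits": len(hits),
            "period_s": round(mean(gaps)),
            "proxy_requests": sum(t.startswith(("http://", "https://")) for _, t, _ in hits),
            "refused": sum(s == 403 for _, _, s in hits),
            "distinct_targets": len({t for _, t, _ in hits}),
        }
    return report


def constructed_log():
    """Constructed sample lines modelled on the two cases above (not real logs)."""
    base = datetime(1999, 9, 1, 23, 0, 18, tzinfo=timezone(timedelta(hours=-5)))

    def stamp(t):
        return t.strftime("%d/%b/%Y:%H:%M:%S %z")

    lines = []
    # Case 1: once a minute, a proxy-style absolute-URL request, refused with 403.
    for i in range(6):
        lines.append(f'tide78.microsoft.com - - [{stamp(base + timedelta(seconds=60 * i))}] '
                     f'"GET http://real.com/channel?ch=70 HTTP/1.0" 403 220')
    # Case 2: the same listings page fetched every 15 minutes by an alert service.
    for i in range(5):
        lines.append(f'monitor.netmind.example - - [{stamp(base + timedelta(seconds=900 * i))}] '
                     f'"GET /gigometer.html HTTP/1.0" 200 10240')
    # An ordinary visitor with irregular timing, for contrast.
    for off in (13, 47, 130, 131, 600, 1802):
        lines.append(f'visitor.example.net - - [{stamp(base + timedelta(seconds=off))}] '
                     f'"GET /index.html HTTP/1.0" 200 4096')
    return lines


if __name__ == "__main__":
    for host, summary in find_periodic_clients(constructed_log()).items():
        print(host, summary)
```

On the constructed log the two robots are reported (period 60 s with
six refused proxy requests; period 900 s against one page) and the
irregular visitor is not. The jitter threshold is the knob: a robot
that randomizes its schedule would need a different test, such as
request volume per client against a per-site baseline.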

..Smart dust

News from the micro- and nano-scale frontiers

The German publication Telepolis caught the Net's attention with
a story [20], possibly picked up from the New Scientist [21], about
Berkeley researchers and their smart dust [22]. The 5-mm devices
they have constructed can sense local conditions and communicate
using beams of light. Though the devices are far too large to be
called "dust" -- what they are is Micro Electro-Mechanical Systems,
or MEMS -- Slashdot was alive with speculation about invisible FBI
bugs wafting in the open window. One poster quipped:

Hey, I can see a nice combination of borderline
schizophrenia and obsessive-compulsive behaviour emerging here:
keep cleaning everything because the FBI may be spying on

Research leading even deeper into Neal Stephenson territory [23] is
being carried out at Boston College. Scientists there have
constructed the beginnings of a motor using just 78 atoms [24]. It is
powered by ATP, the molecule that your mitochondria and mine use to
power cells. The same issue of Nature that carried news of the BBC
nano-scale motor also reported on another molecular motor constructed
by German, Dutch, and Japanese scientists [25]. This one runs on
light.

[20] http://www.heise.de/tp/english/inhalt/co/5269/1.html
[21] http://www.newscientist.com/ns/19990828/newsstory2.html
[22] http://robotics.eecs.berkeley.edu/~pister/SmartDust/
[23] http://www.amazon.com/exec/obidos/ASIN/0553573314/tbtf/
[24] http://news.bbc.co.uk/hi/english/sci/tech/newsid_441000/441670.stm
[25] http://abcnews.go.com/sections/science/DailyNews/nanomotors990908.html

..Dark matter annihilation at the galaxy's core

Probing a giant black hole, quite indirectly

The center of our galaxy contains, scientists assume, a black hole
several million times as massive as our own sun. Such an object
makes conditions highly interesting for light-years around. Now a
pair of physicists have calculated [26] how the (putative) black
hole would affect the (putative) halo of "dark" matter in its
vicinity. They suggest the black hole would sculpt any dark matter
into a dense spike where particle interactions would be more
frequent. If hypothetical particles called neutralinos (you read that
right) make up the bulk of the dark matter, as a leading hypothesis
supposes, they would self-annihilate like crazy. The neutralino is
its own antiparticle, you see. I am not making this up. The
annihilations would produce, in addition to the expected gamma rays
[27], a soup of energetic particles including neutrinos, which
would be most useful for probing the galactic core. These neutrinos
could be detected in tiny numbers by vast "telescopes" composed of
thousands of gallons of purified water or perhaps dry-cleaning

Do you see why I love this stuff?

[26] http://www.aip.org/enews/physnews/1999/physnews.446.htm
[27] http://www.compart.fi/~flc/right.html

..The partial eclipse at the Duomo

Natural phenomenon meets ancient scientific instrument

Three weeks before last month's solar eclipse, Mark Gingrich <grinch
at rahul dot net> posted a request to several astronomy newsgroups.
Gingrich knew that many central European churches and cathedrals are
set up as giant pinhole cameras -- they feature a tiny hole in the
dome or cupola and an inscribed meridian line somewhere inside. When
the sun's projected image crosses the "noon mark," it's noon local
time. The most famous such arrangement was designed 350 years ago
by the astronomer Gian Domenico Cassini for the Church of San
Petronio in Bologna, Italy. Gingrich asked for photos of the partially
eclipsed sun as it crossed the meridian lines in these historical
scientific instruments. Gingrich's request bore fruit and Franco
Martinelli has put up this page [28] with the results. Many thanks
to TBTF Irregular [5] Mary Ellen Zurko for the pointer.

[28] http://www.nauticoartiglio.lu.it/almanacco/Aa_ecli_13.htm

..Here's how it works

A wake-up call to PR flaks everywhere

Rebecca Eisenberg, net.skink [29] and one of the top 25 women on the
Web [30], wrote up her advice [31] to public relations specialists in
the Internet industry. It is squarely on target.

If you send in paper what obviously should have been sent in
email, I assume that you don't understand your own product.
Then why would I ever take your word for anything? Have you
ever been on line? Here's how it works: you send a message,
it reaches me without bothering me, and I click on the URLs
you include.

I had occasion last week to refer a PR person to this page. Oddly,
she never did get back in touch to thank me.

[29] http://eXaminer.com/skink/
[30] http://www.wired.com/news/print_version/culture/story/17451.html?wnpg=all
[31] http://www.bossanova.com/rebeca/clips/prletter.html

S o u r c e s

> For a complete list of TBTF's email and Web sources, see
http://tbtf.com/sources.html .

TBTF home and archive at http://tbtf.com/ . To (un)subscribe send
the message "(un)subscribe" to tbtf-request@tbtf.com. TBTF is
Copyright 1994-1999 by Keith Dawson, <dawson@world.std.com>. Commercial
use prohibited. For non-commercial purposes please forward, post,
and link as you see fit.
Keith Dawson dawson@world.std.com
Layer of ash separates morning and evening milk.
