TBTF for 8/25/97: Ants go marching
T a s t y B i t s f r o m t h e T e c h n o l o g y F r o n t
Timely news of the bellwethers in computer and communications
technology that will affect electronic commerce -- since 1994
Your Host: Keith Dawson
This issue: < http://www.tbtf.com/archive/08-25-97.html >
_________________________________________________________________________
C o n t e n t s
Bring me a rock
Two crypto challenges
Crack a Mac Challenge reopened
Win a million
Comments on domain naming
The market is rejecting ActiveX
Final dispatch from IETF Munich
Myrmidon
_________________________________________________________________________
..Bring me a rock
The Commerce Department is circulating for comment proposed changes to
the rules that govern the export of cryptography. The changes mostly
fine-tune the mechanics of key recovery, but one whopper lurks in the
dense thicket of governmentese [1]. This is the proposal that anyone
in the US running a Web site from which crypto products can be down-
loaded might have to submit to a review by the Bureau of Export Affairs.
A NY Times story on the proposal is mirrored here [2]. If such a rule
goes into effect, companies such as Netscape, PGP, and Microsoft will
get to play the game of "bring me a rock" with government bureaucrats.
The game is beloved of Dilbertesque managers everywhere. The victim,
left to guess at the criteria for success, winds up carrying numerous
rocks upstairs to be judged wanting. Netscape's Peter Harter observes
that the proposed policy violates the spirit of Vice President Gore's
public stance toward regulating online commerce: the principle of "do
no harm." "I'm not aware of any procedure that would require retail
stores such as Fry's or Egghead to apply to the Commerce Department,"
Harter said.
[1] http://jya.com/bxa-ei-rule.htm
[2] http://jya.com/bxa-nyt.htm
________________
..Two crypto challenges
1. Crack a Mac Challenge reopened
The Crack a Mac Challenge [3], which was broken Sunday [4], was reinstated
24 hours later after a Macintosh development company, Blue World Com-
munications, worked around the clock to fix the bug in their CGI pro-
duct that allowed the crack. Below is the note from Joakim Jardenberg
<joakim@infinit.se> announcing the reopening of the challenge.
> Crack a Mac is back again! It's true!!!
> The crack that was made possible due to a combination of
> different functions on the server has now been blocked by a
> patch for Lasso.
> Blue World did an amazing effort and released a patch for
> Lasso in less then 24 hours, and on a Sunday as well. The
> patch is recommended for all Lasso users running both versions
> 1.2 and 2.0 and can be found here [5].
> Blue World also proves what a great company it is by
> sponsoring the reward to Starfire, who found out how this
> combination could be exploited.
> More details on the combination will be posted soon.
> So the bottom line is -- Crack a Mac is back, we all have
> learned a lot, and we now have an even more secure server
> to trust.
> Best regards
> /Jocke
Apple's Chuq Von Rospach <chuqui@plaidworks.com> sent the follow-
ing details of the cracker's method.
> The site ran two third-party CGIs -- SiteEdit and Lasso. The
> first is, as you might think, a way to edit and update a web
> site through a CGI instead of FTP. Think of it as Netscape's
> file upload on steroids. Rather nice product. Lasso is a CGI
> database interface to FileMaker Pro.
> The latter was used to implement a guestbook on the site.
> Lasso... [leaves] a pointer to its "error" html file in the
> html available to the user. [The cracker] noticed that, and
> rewrote the form so that the error file field now pointed to
> the filename of the password file for SiteEdit. Then he quer-
> ied a non-existant file, and Lasso happily sent him the pass-
> word file.
> Oops. SiteEdit kept everything cleartext. Because obviously,
> there's no need to protect it: WebStar has a special MacOS
> signature byte which says "never download this, period." So
> there was no way to get the file without cracking the machine,
> so... Except Lasso didn't sanity-check its filenames and
> didn't honor the "no download" file restriction.
> So this crack has nothing to do with MacOS or Webstar. It's a
> problem in Lasso that takes advantage of something SiteEdit
> did. Lasso's patch is already on Blue World's website.
> Nice hack. A bunch of CGI authors need to go rethink their
> security. If Lasso does this, I'm sure others will too, and
> people will go snooping now that someone's thought of it. And
> it's another great reminder that passwords ought never to be
> cleartext, even if you keep them in your shorts.
> And I'm waiting for the first writer to make the assumption
> that this means the MacOS is insecure.
[3] http://hacke.infinit.se/
[4] http://www.tbtf.com/archive/08-18-97.html#s01
[5] http://www.blueworld.com/lasso/security_update.html
________________
2. Win a million
A couple of years back Elementrix claimed [6] to offer encryption
based on the cryptographers' holy grail, the one-time pad. But the
claim proved hollow [7]. Now a startup called Crypto-Logic Corp.
[8] has the genuine article. It's offering a $1M prize to anyone
who can decipher a simple English challenge message within a year's
time. Sure, why not a million, the encryption technique is provably
unbreakable. Each message is encrypted by a key as long as the mes-
sage itself and the keys are used once only. The software, Ulti-
mate Privacy, runs on Windows 95 and NT. It costs $99 and includes
two software pads, which allow you to encrypt 2000-4000 messages
between yourself and a single recipient. The company sells pads for
use if you exhaust the first pair, or if you wish to encrypt mes-
sages to a second recipient, but I could not find a price on their
Web site.
[6] http://www.tbtf.com/archive/10-03-95.html
[7] http://www.tbtf.com/archive/12-18-95.html
[8] http://www.ultimateprivacy.com
________________
..Comments on domain naming
On 7/1 the Commerce Department's National Telecommunications and In-
formation Administration requested public comments [9] on Internet
domain naming, to be submitted by 8/18/97. Over 300 responses [10]
were filed (32 of them on the deadline date). NTIA doesn't make it
easy to get an overview of the responses: the Web page presents them
sorted by date received, with no index of submitters and no ability
to search. The 18 people and organizations who responded non-elec-
tronically [11] fared better -- they got indexed by name and their
contributions are available by individual URLs, not aggregated with
all the other respondants of the day. Coverage by news.com [12] and
Wired [13] tends to stress the various and flaky nature of the many
contributions, a stark demonstration of why the Internet has evolved
on the basis of "rough concensus." In cyberspace concensus doesn't
come any other way.
Here are highlights from the thoughtful responses of three serious
organizations.
Policy Oversight Committee [14] -- the body carrying forward the
proposals of the International Ad Hoc Committee offered a detailed
response. The document gives some insight into the thought behind
the positions that emerged in the gTLD Memorandum of Understanding.
The POC points out the sheer volume of Internet community input the
IAHC considered and worked into its proposals, implicitly calling
into question the wisdom of the NTIA's decision to start the comment
process all over again.
Computer Professionals for Social Resopnsibility [15] -- CSPR wants
to pull back and allow time for far wider input into the IAHC pro-
cess. "Whatever its merits, the IAHC process was closed, rushed and
unbalanced," the CSPR opines. They believe that there is "no current
crisis" needing immediate resolution.
Electronic Freedom Foundation -- The EFF's position paper had not been
posted at this writing; when it is it will probably appear here [16].
The EFF generally supports the gTLD Memorandum of Understanding, but
is not a signatory to it. EFF's views diverge from the IETF position
over the question of the balance of rights. EFF regards the IAHC pro-
posal as highly skewed toward the rights of the holders of intellec-
tual property, at the expense of other Net stakeholders. The EFF paper
slaps NSI for trying to claim the original top-level domains as their
own property.
[9] http://www.ntia.doc.gov/ntiahome/domainname/dn5notic.htm
[10] http://www.ntia.doc.gov/ntiahome/domainname/domainname.htm
[11] http://www.ntia.doc.gov/ntiahome/domainname/not-emailed/
[12] http://www.news.com/News/Item/0,4,13669,00.html
[13] http://www.wired.com/news/news/politics/story/6297.html
[14] http://www.gtld-mou.org/docs/poc-doc-rfc.html
[15] http://www.cpsr.org/dox/issues/names.html
[16] http://www.eff.org/pub/GII_NII/DNS_control/
________________
..The market is rejecting ActiveX