TBTF for 2/2/98: Lie down with trains

Keith Dawson (dawson@world.std.com)
Mon, 2 Feb 1998 20:32:29 -0600

-----BEGIN PGP SIGNED MESSAGE-----

TBTF for 2/2/98: Lie down with trains

T a s t y B i t s f r o m t h e T e c h n o l o g y F r o n t

Timely news of the bellwethers in computer and communications
technology that will affect electronic commerce -- since 1994

Your Host: Keith Dawson

This issue: < http://www.tbtf.com/archive/02-02-98.html >
________________________________________________________________________

C o n t e n t s

US Government green paper on domain names
Can freed software make a profit?
Sizing Linux
Microsoft (in)security news
Communicator 4 is not browser-safe
CyberSitter's tricks
The Four Horsemen invade Europe
No mere urban legend
A downside to recycling railroad right-of-way
________________________________________________________________________

..US Government green paper on domain names

The plan by Ira Magaziner's committee pleases some, frosts many

The Commerce Department's long-awaited domain name plan is available
[1]. It proposes transitioning authority to oversee domain naming,
the assignment of IP addresses, the registration of Internet pro-
tocol and port numbers, and the management of root servers from
their current stewards (IANA and NSI) to a new, US-based not-for-
profit corporation with an international board of directors, over a
period lasting from 6 to 30 months. The government contract with NSI
under which that corporation acts as both registrar and registry for
the existing global top-level domains (the proposal separates these
functions) will end on 9/30/98, after a 6-month extension permitted
in the contract. NSI must hand over control of the root domain name
server at a "date certain" to be negotiated.

The plan suggests that 5 new registries be selected and chartered as
soon as possible by the Internet Assigned Numbers Authority. Each
new registry would be granted exclusive control over one new TLD.
The report solicits comments on what limitations might be placed on
the pool of applicants, if any. Applying registries would have to
meet technical, managerial, and legal criteria outlined in append-
ices to the report -- in particular they would need to define res-
olution processes in case of trademark disputes. Registries would be
required to offer equal and open access to all registrars worldwide.

Three other notable facets of the plan:

- NSI gets to keep control of .com, .net, and .org. They have to
split off and "firewall" their registrar function for these
TLDs, and open up registrar access to them to others; but NSI
still emerges as the owner of the registry for these three ori-
ginal TLDs. (The green paper states that responsibility for
.edu will be transferred to another not-for-profit ortanization;
rumors have circulated that this will be Educom.)

- As of 4/1/98 the government would stop collecting $30 of each
new NSI registrant's fee. (Of the $46M collected so far in the
Internet Intellectual Infrastructure Fund, half has been al-
located to the Internet II project and half is under dispute
in Federal court.) The report does not require NSI to drop its
initial registration fee from $100 to $70 after April 1, but
in my view the company is well advised to do so.

- The underused .us TLD should be reexamined for possible commer-
cial use; perhaps .mil and .gov should be moved under it.

The existing process for reforming domain naming, CORE [2], is not
specifically mentioned in the government report, though many of the
green paper's ideas came from CORE; in fact CORE is among the big-
gest losers. The 88 entities around the world who each paid $10K to
become CORE registrars seem to be out of luck, as do the individuals
and companies who pre-registered names with the CORE registrars for
the seven new TLDs whose future is now clouded. Emergent, the con-
tractor with which CORE is working to build a registry database,
would also seem to be a loser under the government plan, though
presumably they have been paid for their work so far. Under the
green paper plan, CORE and Emergent could apply to become a regis-
try, but could only submit one of their proposed seven TLDs for
consideration. All in all, the government gives greater credence to
the companies that have lobbied to run registries for particular
new TLDs, such as Image Online Design for .web and Iperdome for
.per. But the green paper squelches the ambitions of those who
favor a free-for-all marketplace in which anyone could create new
TLDs.

I asked Dave Crocker, one of the original members of the Interna-
tional Ad Hoc Committee that led to the gTLD-MOU and thence to CORE,
to comment on the government green paper; his comments [3] are post-
ed on the TBTF archive by permission.

The plan is being attacked as too US-centric [4] by European ob-
servers, who are especially invested in the Geneva-based CORE
process. TechWeb [5] quotes David Maher, chair of CORE's policy
oversight committee, as saying the Clinton proposal is "too pro-
tective of NSI and other US interests." Maher said, "If this
is treated as a US solution to US problems, people outside the
US are not going to be happy. I think that's a very severe lim-
itation on the viability of the [proposal]."

Here are other comments [6] by CORE on the green paper. Trademark
holders are not happy [7]; they fear they will have to spend money
to deal with numerous disparate registrars in order to protect
their names.

A mostly sound summary of the user impacts of the green paper can
be found on the igoldrush site [8].

The plan is open for comments (send to dns@ntia.dot.gov) until at
least the first week in March. The closing date for comments will
be determined when the paper is posted to the Federal Register this
week.

[1] http://www.ntia.doc.gov/ntiahome/domainname/dnsdrft.htm
[2] http://www.gtld-mou.org/
[3] http://www.tbtf.com/resource/dcrocker-gp.html
[4] http://www.techweb.com/wire/story/domnam/TWB19980130S0009
[5] http://www.techweb.com/wire/story/domnam/TWB19980130S0011
[6] http://real.NewsHub.com/0198/30_06.htm
[7] http://www.techweb.com/wire/story/domnam/TWB19980130S0006
[8] http://www.igoldrush.com/feat9.htm
________________

..Can freed software make a profit?

If you love your software, set it free

Wired muses [9] on the grand experiment in "freed software" on
which Netscape embarked last week [10]. It's an open question
whether Netscape can engage developers enough to halt Navigator's
slide in the browser standings, let alone whether the company will
be successful in "herding the cats" on such a scale. (The ques-
tion of whether Netscape will ever make money, albeit indirectly,
from the giveaway is even more tenuous.) Advice should be easy to
come by; I'm sure the central figures in the Linux, perl, and
Apache worlds would be happy to offer guidance if asked. If fact
Netscape has requested the councel of Eric S. Raymond <esr@snark.-
thyrsus.com>, author of the influential paper The Cathedral and the
Bazaar [11], on licensing terms, development models, developer re-
lations, and so on. (Raymond hints that he has been asked to meet
with other Silicon Valley CEOs on the same trip.)

[9] http://www.wired.com/news/news/technology/story/9966.html
[10] http://www.tbtf.com/archive/01-29-98.html#s03
[11] http://www.ccil.org/~esr/writings/cathedral.html
________________

..Sizing Linux

Trying to put numbers on an amorphous market

The free software phenomenon is big and growing fast. It's inher-
ently difficult to estimate the size of the Linux market because
there is no central body controlling its distribution, and because
the software is available for free download from numerous sites
around the world.

First some recent numbers on the commercial competition. A new IDC
study [12] indicates that Windows NT shipments outpaced commercial
Unix in 1997. Windows NT grew at 78% year-on-year, while Unix grew
at 15%. The numbers below presumably refer to installations of NT
Server, though the news.com article does not make a distinction
with NT Workstation.

OS thousands

NT Server 1300
NetWare 900
Comm'l. Unix 717
OS/2 226

In a SunWorld Online article [13] on Linux support by Red Hat, one
of the Linux resellers, an IDG analyst estimated 1997 Linux instal-
lations at 2 to 6 million, putting Linux on a par with the Macintosh:

OS millions

NT Workstation 7+
Linux 2 - 6
MacOS 3.8
OS/2 1.2

(Another SunWorld article profiles Linux use in the business world
[14]. Note especially the sidebar case study of a system administra-
tor who runs 72 print stations worldwide on Linux.)

An often-quoted source of Linux numbers is a year-old white paper
[15] by Bob Young, CEO of Red Hat. Young notes surveys by Unix maga-
zines that point to anywhere from 10% to 34% of their readers using
Linux. Here are Young's estimates of the number of Linux systems
extant through 1996:

End of
year millions

1993 0.1
1994 0.5
1995 1.5
1996 3 - 5

In the SunWorld Online piece [13] Red Hat's PR director estimates
that in 1997 there were between 5 and 7 million Linux systems
operating.

Let's work our way to a new estimate of the 1997 Linux population by
other means. At a talk last week by Red Hat staffers at Softpro [16],
Donnie Barnes estimated that 400K Red Hat CDs will be sold in 1998.
In another context he mentioned that each major release has sold
roughly twice as many copies as its predecessor. Taken together
these factoids lead to a rough guess of 200K CDs sold in 1997. Fig-
ures from Softpro indicate that for 1997 the sales of all other
Linux CDs combined added up to about 25% of Red Hat sales. Softpro
doesn't carry all the avaliable CDs; in particular some brands that
are big sellers in Europe are not represented. So let us hazard an
estimate of 300K Linux CDs sold worldwide in 1997.

FTP downloads outnumber Linux CD sales, according to an ongoing
survey at the Linux Counter [17] site. These data stretch back to
1994 and so obscure the increasing popularity of the Linux CD pro-
ducts. If we assume that FTP downloads outnumbered CD sales by 3
to 1 in 1997, we arrive at about 1.2 million Linux media kits. CDs
typically get used for more than one installation, either by the
purchaser or by someone she passes it to (there being no restric-
tion on multiple use, of course). In the extreme case a system
administrator might install scores of Linux machines from a single
CD or FTP download [14]. If we assume the multiple-use multiplier
is 5 or more, we're in the realm of Red Hat's estimate of 5 to 7
million total Linux systems in 1997.

[12] http://www.news.com/News/Item/Textonly/0%2C25%2C18542%2C00.html?pfv
[13] http://www.sun.com/sunworldonline/swol-01-1998/swol-01-eyeoncomp.html#2
[14] http://www.sun.com/sunworldonline/swol-01-1998/swol-01-linux.html
[15] http://www.redhat.com/redhat/linuxmarket.html
[16] http://www.tbtf.com/archive/01-12-98.html#s07
[17] http://counter.li.org/reports/machines.html
________________

..Microsoft (in)security news

The company responds, though not officially, to a claim of basic
security weaknesses

Microsoft has issued a reply [18] to the Peter Gutmann article [19],
[20] claiming basic weaknesses in Microsoft's handling and storage
of cryptographic keys. It clears up some possible misunderstandings
by Gutmann about which technologies are implemented in which Micro-
soft products, but to my reading does not address the basic vulner-
abilities he outlines. The defence consists of assertions that real
users wouldn't leave exported keys lying around on their hard disk
(uh huh), that security is constantly being improved in Microsoft
products (true but not helpful now), that the weaknesses apply only
to Microsoft's "base" crypto implementations and not to any third-
party package (so?), and that users shouldn't run an unknown applet
that could mount these attacks in the first place. Microsoft's re-
buttal correctly points out that security is as much a matter of
policy and follow-through as of technology. But it's not too much
to ask that the base crypto technology, which will end up being used
out-of-the-box by the vast majority of Microsoft's customers, pro-
vide meaningful assistance to less knowledgable users in following
sound security policies. For example the software shouldn't accept
an easily-guessed password that can trivially be broken in a dic-
tionary attack.

In other news, Microsoft has posted a patch [21] to fix the mk://
vulnerability reported in TBTF for 1/19/98 [22].

[18] http://www.tbtf.com/resource/moft-reply-gutmann.txt
[19] http://www.cs.auckland.ac.nz/~pgut001/pubs/breakms.txt
[20] http://www.tbtf.com/archive/01-26-98.html#s05
[21] http://www.microsoft.com/ie/security/mk.htm
[22] http://www.tbtf.com/archive/01-19-98.html#s05
________________

..Communicator 4 is not browser-safe

What used to be good advice about cross-platform color no longer
works

This story is not news to those engaged in building cross-platform,
cross-browser Web sites. The so-called "browser-safe palette" [23],
a set of 216 colors which since the days of Netscape Navigator 2
has offered the best chance to get Web pages looking the same in
Netscape and IE browsers, on Windows, Unix, and Macintosh, no longer
works reliably in Communicator 4. For reasons unknown Netscape has
changed the browser's dithering algorithms. The results are spelled
out in all their unpretty detail on this site [24], whose princi-
pals have had no luck at all in getting Netscape to take this prob-
lem seriously.

[23] http://www.tbtf.com/archive/02-27-96.html#cpcc
[24] http://www.artware.de/nc4petition/
________________

..CyberSitter's tricks

This censorware is not only overbroad, it's also certifiably
brain-dead

In TBTF for 12/24/97 we looked at the broad-brush way Cyber Patrol
blanks out large (and usually innocuous) swaths of the Internet.
Now here's a look at CyberSitter which, besides being similarly
overbroad, works its protective magic in a singularly deranged
fashion.

A note on a mailing list for PerForce, a code source control pro-
duct, reported a strange problem. When viewed from a particular NT
machine, and only from there, two lines of code that should read:

#define one 1 /* foo menu */
#define two 2 /* bar baz */

were always corrupted so as to read:

#define one 1 /* foo me */
# fine two 2 /* bar baz */

It turns out that CyberSitter had been installed on that one NT
machine. CyberSitter apparently works by patching the TCP drivers
and watching the data flow over every IP connection, filtering out
bad words. In the code fragment above, CyberSitter detected the
word "nude" -- never mind the punctuation characters and the end-
of-line -- and removed it from the stream.

This site [25] reproduces what it claims is the entire censor file
for CyberSitter, reverse engineered from the product. Thanks to Dan
Kohn <dan@teledesic.com> and Keith Bostic <nev@bostic.com> for news
on this piece of bad software -- and social -- engineering.

[25] http://www.moebius.com.au/CSlist.html
________________

..The Four Horsemen invade Europe

Infocalypse now

Lawmen's use of the spectres of international terrorism, money
laundering, drug dealing, and child pornography to curb the
freedoms of the Net is an old story in the USA. Now it seems
that such lawmen are getting to European politicians as well
[29]. A meeting of EU ministers in Birmingham, UK concluded that
law enforcement should be given new powers to tap into email and
electronic messaging. With appropriate safeguards, or course,
dear boy. Britain is using its rotation in the EU presidency
to push the establishment of a pan-European police force to be
called Europol, and this body would serve as a fine clearing-
point for intercepted cross-border messages.

[29] http://www.wired.com/news/news/politics/story/9962.html
________________

..No mere urban legend

The storied "RSA in four lines of perl" tattoo, in the flesh

It was the summer of 1995 when TBTF first noted [30] the urban
legend of the RSA tattoo that would render its wearer deporta-
tion-proof. Now Keith Bostic <nev@bostic.com> forwards this photo
[31] of Richard White's bio-munition which, if photographs are to
be believed, gives new meaning to the phrase "arms race." Though
perhaps the perl should have been rendered in barcode to make it
machine readable.

[30] http://www.tbtf.com/archive/06-07-95.html
[31] http://www.dcs.ex.ac.uk/~aba/rsa/tattoo.html
________________

..A downside to recycling railroad right-of-way

Lie down with trains, wake up with fiber cuts

A flurry of messages flew across the NANOG mailing list -- a ve-
hicle by which North American network operators keep the Inter-
net running -- yesterday evening: a massive fiber cut had dropped
Europe out of sight from many east coast US locations. The explan-
ation came in due course:

> FYI a train derailment between Newark NJ and NY cut many fiber
> bundles, and completely isolated Worldcom Switch #14 as well
> as affecting several other carriers very severely.

Unlike last year's Summer of the Backhoe [26], [27], this outage
resulted directly from the long-haul carriers' propensity [28]
for laying fiber in railroad trackbeds.

[26] http://www.tbtf.com/archive/07-21-97.html#s01
[27] http://www.tbtf.com/archive/08-04-97.html#s07
[28] http://www.tbtf.com/archive/10-31-96.html#s09
________________________________________________________________________

N o t e s

> Have you visited Siliconia [32] lately? The Net's premier collection
of "Silicon Whatever" appelations now features 43 Siliconia asso-
ciated with 55 locations around the world. And the page sports
new, bespoke Siliconia artwork, courtesy of the talented CobraBoy
<tbyars@earthlink.net>.

> Did you know? The Details page [33] lists all manner of fascinating
minutiae about TBTF, including privacy and anti-spam policies,
trends, emendations, credits, some history, and the tools I use
to develop and maintain the site.

[32] http://www.tbtf.com/siliconia.html
[33] http://www.tbtf.com/details.html
________________________________________________________________________

S o u r c e s

> For a complete list of TBTF's (mostly email) sources, see
http://www.tbtf.com/sources.html .
________________________________________________________________________

TBTF home and archive at < http://www.tbtf.com/ >. To subscribe
send the message "subscribe" to tbtf-request@world.std.com. TBTF
is Copyright 1994-1997 by Keith Dawson, < dawson@world.std.com >.
Commercial use prohibited. For non-commercial purposes please
forward, post, and link as you see fit.
_______________________________________________
Keith Dawson dawson@world.std.com
Layer of ash separates morning and evening milk.

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.5

iQCVAwUBNNZ7YmAMawgf2iXRAQEnoQQA1s440qKnzGh2WgVrbbIeZDX/th4zw6Ja
tMFySaORBdShe5S6jK8JuPeRL0JJbx5RHtqVh/peatucwZAfEiAvLTrDl1h+wrCn
lQgRIoSNF5dK3Y8K5Fn8J4zfI76cGG7YQbjIcwbmeLTMwyy9agdXoV35ohZmZL9/
N09JSKk0iME=
=jh2z
-----END PGP SIGNATURE-----