Microsoft crashes, DES cracks, and Micropayments stink.

I Find Karma (adam@cs.caltech.edu)
Mon, 23 Jun 97 01:57:20 PDT


Tasty bits from the Technology Front was very tasty.
Figured I'd share a little...

> ..Hackers shut down microsoft.com?
>
> www.microsoft.com was unavailable sporadically for two days
> beginning Thursday 6/19. Microsoft originally said the outage was
> a result of a number of factors occurring together: unusually
> high demand,

Unusually high demand on a Thursday morning?

> the consolidation of two data centers, and a bug
> in its network software.

Bugs in Microsoft software? Never!

> Some news wires picked up this version
> of the story. It now develops that the outage was caused by a
> new kind of denial-of-service attack on NT servers running
> Internet Information Server [1]. The attack, which can be launched
> from across the Internet from any Netscape Navigator 3.0 browser
> running Java 1.0.2, disables IIS but does not crash the NT server
> completely. Microsoft has now found and fixed the bug and posted
> patches [2] on its site along with an explanation [3]. I had
> difficulty getting to the Microsoft site on Saturday -- I hope the
> server is just busy this time --

I had difficulty getting there on Saturday, too. Actually, also today.

> so here is an alternate source
> [4] for Microsoft's explanation. It reads in part:
>
> > The issue requires a very special URL to be generated for each
> > server being attacked. There is no one URL that can bring
> > every server down. The URL varies by server and by the current
> > state of the server (current memory, current load -- both of
> > which constantly change). A malicious hacker could write a
> > program to find the exact character sequence. A hacker simply
> > can't publish a URL that would bring down an IIS server. After
> > sending continuous requests to a server for a period of time,
> > a program might find the right URL sequence and cause the web
> > server to stop running.

Nice.

> The fix includes a provision for logging the IP address of any
> machine attempting this attack on a patched server.
>
> The bug's discoverer, Todd Fast <tfast@eden.com>, expresses on his
> Web page [5] extreme skepticism that this bug, exploited by
> hackers unknown, could be responsible for Microsoft's recent service
> problems.

Agreed, they were looking for a patsy.

> This is bug #11 on the TBTF Microsoft Exploit list [6].
>
> [1] <URL:http://www.news.com/News/Item/0,4,11775,00.html>
> [2] <URL:ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/iis-fix/>
> [3] <URL:http://www.microsoft.com/misc/upgrademessage2.htm>
> [4] <URL:http://xp8.dejanews.com/getdoc.xp?recnum=8236488&server=db97p3&CONTEXT=866906925.6797&hitnum=0>
> [5] <URL:http://www.eden.com/~tfast/jihad.html>
> [6] <URL:http://www.tbtf.com/resource/ms-sec-exploits.html>

FWIW, this [6] is very nicely done.

> ..DES cracked
>
> On 6/18/97, for the first time in history (as far as anyone in
> the non-secret world knows), a message encrypted with 56-bit
> DES was successfully decrypted.

Nice!

> The crack was an informal
> effort coordinated over the Net by a group called DESCHALL (DES
> challenge) [7]. The press release is here [8]. The group was
> responding to RSA Data Security's challenge [9], which carries
> a $10,000 reward. Over 78,000 computers participated in the
> challenge since it opened on January 29, mostly contributing
> "spare" cycles.

Yeah, I think I involuntarily forked over a few of those cycles
myself...

> Over the final weekend more than 14,000 machines
> were at work. Peter Trei <trei@process.com> has estimated that
> the calculation consumed 457,000 MIP-years -- 100 times more CPU
> effort than the distributed crack of RSA-129 [10]. He posits the
> DES crack may have been the largest calculation ever undertaken
> by the human race, though this assertion has been challenged on
> the Cryptography list.
>
> The secret message read:
>
> "Strong cryptography makes the world a safer place."

The spooks couldn't come up with anything better?
Squeamish ossifrage was at least something I couldn't guess...

> The group got lucky: they found the secret key after checking
> not quite 25% of the 72 trillion possible keys.

This is lucky?

> Here are four graphs [11] that give a good idea of the scope of
> the effort. This graph generator [12] lets you explore the space
> of challenge participants. I discovered that MIT, with several
> hundred hosts participating, was consistently in the top 10 most
> productive domains in numbers of keys checked -- until the last
> four days of the challenge, when a new port of the key-checking
> code for the 64-bit UltraSPARC catapulted Sun's contribution to
> the top of the list.

Go, sparky, go!

> The day before the crack succeeded, Senators John McCain and Bob
> Kerrey introduced legislation (see story below) that would codify
> the current 56-bit limit on exportable crypto products (besides
> its main purpose of mandating government access to private keys).

Nice timing, as always.

> DESCHALL has demonstrated unambiguously that 56 bits is no longer
> enough.
>
> [7] <URL:http://www.frii.com/~rcv/deschall.htm>
> [8] <URL:http://www.frii.com/~rcv/despr4.txt>
> [9] <URL:http://www.rsa.com/rsalabs/97challenge/>
> [10] <URL:ftp://ftp.ox.ac.uk/pub/math/rsa129/rsa129.ps.gz>
> [11] <URL:http://www.cis.ohio-state.edu/~dolske/des97/deschall.html>
> [12] <URL:http://www.cis.ohio-state.edu/~dolske/des97/graph.html>
>
> ..Micropayments: an informal survey
>
> TBTF for 5/22/97 [26] reflected on the Economist's survey on
> electronic commerce, the initial premise of which is that the experts
> who predicted a frictionless future of disintermediated commerce
> lubricated by micropayments got it fundamentally wrong -- so far.

Feh.

> (The survey is no longer available online as the Economist has
> gone over to access by paid subscription only.)

This sucks, by the way.

> Here's Phil Agre
> <pagre@ucsd.edu>, proprietor of the Red Rock Eater News Service,
> grousing from a similar point of view:
>
> > I'm a little disappointed with certain Internet people who
> > envision all sorts of futuristic electronic commerce
> > scenarios in which everyone pays for everything incrementally
> > using micropayment systems -- what Vinny Mosco called "the
> > pay-per society" -- but who then turn around and resist
> > that same principle when it applies to their own use of
> > the Internet. These folks want a la carte for everyone
> > else, but the buffet for themselves.

Exactly!! Gimme the 24-hour-a-day buffet and a nice window seat.

> I'll admit to a continuing fascination with the technologies of
> electronic cash and anonymous trust; and in that spirit I
> volunteered TBTF to beta test Digital's Millicent payment system [27]
> this summer.

Yipes. Say it ain't so!

> Subscribers, please send me a note with your reactions to the idea
> that parts of the TBTF site might one day be available on a "pay-
> per" basis. Would you pay a nickel for the convenience of reading
> TBTF on the Web where the links are live? A penny? A tenth of a
> cent? Would you just read the email and grumble? Or would you
> flame me and unsubscribe in disgust? (Note that the beta test
> will almost certainly be conducted using scrip of no value.)

Ugh. I don't mind nickel and diming as long as they can figure out a
way to not let it be wasting my time.

> I'll publish your collected remarks in a future Tasty Bit of the
> Day. Let me know if you prefer anonymity.
>
> [26] <URL:http://www.tbtf.com/archive/05-22-97.html>
> [27] <URL:http://millicent.digital.com/>

Ah, millicent, how I wish I could believe in thee.

> ..Obvious, useful, cool
>
> Here are two high-quality sources of Net information that might
> interest TBTF readers: Stating the Obvious and That's Useful, This
> is Cool. Michael Sippey's Stating the Obvious [28] is, like TBTF,
> a daily-updated Web page and a weekly mailing. (It is from Sippey
> that I picked up the term "retro-push".) The man must spend even
> more time online than I do, though I don't know how one could; and
> he has sufficient personal bandwidth left to think about the online
> life and to write about it, sensibly and winningly. Lynn Siprelle's
> TUTIC [29] brings you two links per weekday: one useful, one cool,
> with a paragraph describing each. (Unlike TBTF, TUTIC takes the
> weekends off.) You can pull them from the Web or have TUTIC push
> them by email. A simple concept, nicely executed.
>
> [28] <URL:http://www.theobvious.com/>
> [29] <URL:http://www.simplecool.com/>

I read both of these regularly, too. They're usually pretty darned
good.

----
adam@cs.caltech.edu

[Insert multi-culti expletive of choice], when are you going to get it
straight that the bits only flow one way in this relationship?
-- Rohit Khare