TBTF for 8/18/97: Know when to hold 'em

Keith Dawson (dawson@world.std.com)
Sun, 17 Aug 1997 22:15:39 -0500


-----BEGIN PGP SIGNED MESSAGE-----

TBTF for 8/18/97: Know when to hold 'em

T a s t y  B i t s  f r o m  t h e  T e c h n o l o g y  F r o n t

Timely news of the bellwethers in computer and communications
technology that will affect electronic commerce -- since 1994

Your Host: Keith Dawson

This issue: < http://www.tbtf.com/archive/08-18-97.html >
_________________________________________________________________________

C o n t e n t s

Crack-a-Mac Challenge broken
PGP 5.0 legally escapes US export restrictions
Dispatches from IETF Munich
Show me the money
Lasing the blues
Tasty bits at lunchtime
Bluffers
_________________________________________________________________________

..Crack-a-Mac Challenge broken

Joakim Jardenberg <joakim@infinit.se> opened a challenge to all the
world's hackers called "Crack-a-Mac, the Next Generation" [1] on
July 4. (A previous Crack-a-Mac challenge had gone unbroken [2].) On
Sunday 8/17 he declared: "The challenge is off due to what looks
like a perfectly successful crack" by an Australian hacker called
Starfire <Starfire@bellair.net>. Jardenberg is withholding details of
the crack until a fix is available; he does say the flaw lies in
neither the MacOS nor the WebSTAR server itself. Apple's Chuq Von
Rospach <chuqui@plaidworks.com>, who knows the details, called the
attack "subtle, non-obvious, and a real gem." Jardenberg and Von
Rospach said that the crack depends on site configuration and would
affect comparatively few sites. Jardenberg writes on the challenge's
top page, "Puhhh, what a lousy way to wake up..." Here is his email.

> From: Joakim Jardenberg <joakim@infinit.se>
> Subject: Yes! Crack a Mac is cracked!

> Howdy Folks!

> Bad news. Around 07.30 (GMT+0200) this Sunday morning the
> Crack a Mac challenge was cracked. At this time we can not
> reveal the method that was used, as there is no fix for the
> problem yet!

> We will return with more public info as soon as there is a
> solution.

> Worried Mac webmasters with a setup that is similar to the one
> used at the Crack a Mac server can send a private mail to
> jokim@infinit.se with brief information about their setup and
> if they are in the "danger-zone" they will receive a mail with
> an outline of the problem.

> Hope you understand that it is for everyone's safety that we
> are careful about this info...

> The Cracker is a wise and friendly guy from Australia, who
> really deserves the 100.000 kronor.

> The cracked page is available from the server:
> http://hacke.infinit.se/

> Best regards

> /Jocke

Here is the message that Starfire added to the challenge's home page
to claim the 100,000-kronor prize:

> Ogle This:

> This has been quite a challenge.

> But then what would you expect from a Mac. The OS is Rock Solid
> and enthroned on a pretty funky system.

> I will hopefully own one very soon....

> Once the appropriate considerations have been addressed by the
> administrators of this site, I hope they will continue the quest.
> They have every reason to be confident...

> Perhaps APPLE will take the hint and support people like Joakim.
> He and his current sponsors richly deserve a pat on the back.
> Few people have the guts to pull it off...

> ps: You know I can't answer the obvious, so please, don't ask.

> Cheers,

> STARFIRE

[1] http://hacke.infinit.se/
[2] http://hacke.infinit.se/old/resumeng.html
________________

..PGP 5.0 legally escapes US export restrictions

The US crypto export policy, which has lately been looking more and
more like a Swiss cheese, last week took on the semblance of an
aerogel [3]. On 8/11 at Hacking in Progress 97 [4], a hackers' gath-
ering convened on a campground near Amsterdam, European hackers
completed the first phase of the PGP 5.0i project: they posted a
perfect copy of PGP 5.0 source code on the Net [5]. (This is the
Unix command-line version -- Windows and Macintosh variants will be
completed in the coming weeks.) The source code was exported from
the US legally, in the form of a 6,000-page book -- US restrictions
on crypto export exempt material in printed form. Stale Schumacher
<stale@hypnotech.com>, maintainer of the International PGP Home Page
in Oslo, Norway, coordinated a team of offshore workers who scanned,
proofread, and compiled the code. The story has been picked up by
ZDNet [6] and by InfoWorld [7]. Bruce Schneier, author of Applied
Cryptography, said of the exploit: "Inherently you can't protect
data with a national boundary. Export systems do not work -- encryp-
tion software has been out in the public domain for a long time."

[3] http://www.lbl.gov/Science-Articles/Archive/aerogel-insulation.html
[4] http://192.215.107.71/wire/news/aug/0812hip.html
[5] http://www.ifi.uio.no/pgp/download.shtml
[6] http://www5.zdnet.com/zdnn/content/zdnn/0812/zdnn0006.html
[7] http://www.infoworld.com/cgi-bin/displayStory.pl?970814.wcrypto.htm
________________

..Dispatches from IETF Munich

Rodney Thayer <rodney@sabletech.com>, security consultant and stal-
wart of the Digital Commerce Society of Boston, was in Munich [8]
last week at the thrice-yearly meeting of the Internet Engineering
Task Force [9]. By special arrangement TBTF carried his dispatches
from that front each day. The conference began breaking down its
systems at noon on Friday so Thayer's final dispatch hasn't arrived
as this issue wraps; it will appear soon as a Tasty Bit of the Day.
The entire week's reporting on the folks who define the Net resides
on the TBTF archive [10] by permission.

Day 0: The scene
Day 1: The games begin
Day 2: Are you in possession of Digital Identity Hash?
Day 3: Ssh. People are watching the network!
Day 4: Them vs. us -- or, strange bedfellows
Day 5: (not yet)

[8] http://www.city.net/countries/germany/munich/
[9] http://www.ietf.org/meetings/Munich.html
[10] http://www.tbtf.com/resource/ietf-munich-rt.html/
________________

..Show me the money

Quick, who's making the most money selling software? I'll bet the
first companies that came to mind were Microsoft and Oracle, in that
order. They are actually numbers two and five on the list. Only three
pure-play software companies (the third is Novell) make the top ten.
They're outgunned in the software market by companies offering their
customers enterprise-scale services and integration, and in some
cases iron as well.

From Edupage (8/14/97):

> The ten leading companies in software revenue last year were
> (in descending order): IBM, Microsoft, Hitachi, Computer
> Associates, Oracle, Fujitsu, SAP, Bull HN Information Systems,
> Digital Equipment Corporation, and Novell. And of the top
> thirty companies, 37% are in California, 13% in Massachusetts,
> 10% in Pennsylvania, 7% in New York, and 33% in other states,
> provinces, and countries. (Investor's Business Daily 13 Aug 97)
________________

..Lasing the blues

Most commercial lasers you encounter day-to-day (those in CD-ROM
readers, for example) radiate in the infrared. For more than three
decades researchers have pursued the dream of the blue laser -- a
semiconductor that emits continuous pure blue light at room temp-
erature. Blue laser light, higher in frequency and shorter in wave-
length than infrared, could record and read data in smaller areas.
A current-day CD-ROM device constructed with such a laser could
store 2.7 GB, and a DVD device 28 gigs, with no other changes in
the mechanism.

Scientific American reports [11] that a Japanese researcher of al-
most legendary stature among his peers, Shuji Nakamura of Nichia
Chemical Industries, has demonstrated a gallium nitride laser that
produced light for over 100 hours. (Rather a showman, Nakamura used
one of his blue lasers as a pointing device at a scientific confer-
ence.) Nakamura hopes to achieve a commercial-grade laser capable
of 100,000 hours of operation by 1998.

[11] http://www.sciam.com/0997issue/0997techbus2.html
________________

..Tasty bits at lunchtime

This note from Allan Hurst <allanh@supportnet.com> purports to
finger the best restaurants in Silicon Valley for lunchtime in-
telligence gathering. Got any other favorites? (I sense another
TBTF feature in the making.) Remember, the emphasis should be on
a restaurant's industrial espionage potential; other considerations,
such as ambience, good food, or speedy service, are secondary.

> Over the past ten years, I've gotten some of my very best --
> read: "most accurate" -- information having lunch in Cuper-
> tino. Sitting around outside at Erik's DeliCafe on Stevens
> Creek in Cupertino, having a leisurely solo lunch while read-
> ing a newspaper, can be MOST informative. Chili's and Uno's
> down the street aren't bad for information gathering, either.
> Ditto Fresh Choice (at Vallco Fashion Park) and The Pepper-
> mill (on DeAnza).

> Companies oft-overheard in the Cupertino area include Apple,
> Tandem, HP, Microsoft, and Symantec. Chip-level hardware in-
> formation (e.g., Intel, NatSemi, Cirrus, etc.) can often be
> overheard at the McDonald's on Lawrence Expressway or the
> Carl's Jr. on Bowers, both in Santa Clara. Very occasion-
> ally, interesting corporate level tidbits can be overheard in
> the evening at Chef Chu's, in Los Altos.

> P.S. -- For years, the McDonald's on Lawrence was hysterical
> during lunchtime. Their french-fry timing computer had an
> electronic beeping tone that sounded so much like a Motorola
> pager that multiple people in line could be seen grabbing at
> their beepers every time a new batch of fries was ready.
> They've long since changed out the french fry timing computer
> for a new automated fry-robot which is comparatively silent.
> What they lost in audio atmosphere they gained in geeky spec-
> tatorship, as customers in line stare at the fry-bot, utterly
> mesmerized by its movements. The interaction of people and
> technology never ceases to fascinate me.
________________

..Bluffers

One cultural innovation from England that deserves to spread more
widely is a series of diminutive books called the Bluffer's Guides.
They run to about 60 pages and cost about 3 pounds sterling. You
won't find them in most local bookstores in the US. (My local book-
store stocks the Guides [12], but then my home is on the Net.) W.H.
Smith or Waterstones may carry them in the physical world. (Smith is
still working on their Web site [13], while Waterstones' is well
developed [14].)
Each slim volume in the Bluffer's Guides series -- there are over 50
of them -- attempts to convey enough of the buzzwords and context
of its particular topic to allow the reader to pass as an expert in
casual conversation. Topics range from Advertising, Antiques, and
Ballet through Skiing, University, and Wine. The booklets are con-
structed to a simple formula. Each section begins with an admirably
pithy definition of its term and then proceeds to skewer and slather
its subject in robust post-Python style. If you were to read only the
opening paragraph of each section, you would discover embedded with-
in each Guide an even smaller tract that illuminates its subject
thoroughly and concisely. Consider these examples from "Bluff your
way on the Internet" [12].

>> Understanding URLs:

> URLs contain similar cryptic sequences of letters to e-mail
> addresses (.kwiknet.co.uk etc.) but are easy to tell apart. An
> e-mail address always has the @ symbol in the middle and no /
> marks. A URL never has an @ and, apart possibly from the home
> page, will be full of / marks. Indeed, a URL can sprawl over
> several lines: the computer where the site resides may store
> hundreds of thousands of files, and the / marks help it to
> sort the files into groups.

>> Using Newsgroups:

> On screen, a newsgroup looks like a catalog of titles. You
> click on one which looks interesting to view the text of that
> particular posting. Successive postings in reaction to each
> other can result in a discussion straying somewhat from the
> original topic. Titles such as "Re: Lewd acts with vegetables
> (was: Recommendations please for best CD of Mahler's Fifth)"
> are common.

The people responsible for the Bluffer's Guides reserved the name
bluffers.com a year ago but have not put up a Web page. After pub-
lishing [12] I don't see how they could.
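The Guide's rule of thumb for telling the two apart is not quite
right: a URL may carry a user name before the host, as in
http://user@host/path, so an "@" does not rule out a URL, and that
form has been used to make a link look as though it points at one
site while the browser actually connects to another. What follows is
an added example, not from the Guide or from TBTF, comparing the
Guide's heuristic with a parse that follows URL syntax. The address
regex and the sample strings (using the reserved example.com and
example.net names) are constructed for this illustration.

```python
"""Telling URLs from e-mail addresses: the Bluffer's Guide heuristic
versus a parse that follows URL syntax.

Added example, not from the Bluffer's Guide or from TBTF. The address
regex and the sample strings below are constructed.
"""
import re
from urllib.parse import urlsplit

# Constructed matcher for a bare e-mail address (whole string).
ADDRESS_RE = re.compile(
    r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")


def bluffers_guess(s: str) -> str:
    """The Guide's rule as quoted: '@' and no '/' means e-mail;
    no '@' means URL; anything with both it cannot place."""
    if "@" in s and "/" not in s:
        return "email"
    if "@" not in s:
        return "url"
    return "unknown"


def classify(s: str) -> dict:
    """Parse properly. A string with a scheme and a host is a URL even
    when it contains '@'; report the host a browser would connect to,
    and any user-info part that precedes it."""
    if ADDRESS_RE.match(s):
        return {"kind": "email", "host": s.rsplit("@", 1)[1]}
    parts = urlsplit(s)
    if parts.scheme in ("http", "https", "ftp") and parts.hostname:
        return {"kind": "url", "host": parts.hostname,
                "userinfo": parts.username}
    return {"kind": "unknown", "host": None}


# Constructed samples. The third is the case the Guide's rule misses:
# it has both '@' and '/', and the host is attacker.example.net,
# not www.example.com.
SAMPLES = [
    "joakim@infinit.se",
    "http://www.tbtf.com/archive/08-18-97.html",
    "http://www.example.com@attacker.example.net/",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s}\n  Guide says: {bluffers_guess(s):8}  "
              f"parser says: {classify(s)}")
```

The parser's answer for the third sample is the one that matters in
practice: whatever the text before the "@" looks like, the host is
what comes after it.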

[12] http://www.amazon.com/exec/obidos/expert-query/8732-3862527-659408
[13] http://www.whsmith.com/
[14] http://waterstones.com/
_________________________________________________________________________

N o t e s

> Today's TBTF title comes from a Kenny Rogers song about poker, a
game singularly in tune with the American character, and the
natural habitat of the bluffer. Tonight the Internet let me
down (as another country/western title has it): I could not
locate the song's author or title on the Web and had to fall
back on good old-fashioned telephonic friendware. (Thanks, Greg
and Val.) The song is The Gambler [15], written by Don Schlitz
and recorded by Kenny Rogers in 1978; it is unrelated to the
1974 movie [16] of the same name.

[15] http://www.lyrics.ch/cgi-bin/get.pl?s=37474
[16] http://us.imdb.com/M/title-exact?Gambler%2C+The+(1974)

> Going to a technical conference or trade show that would interest
TBTF readers? Email me before you leave if you're willing to
write daily dispatches for this newsletter.

> I dislike spam as much as you do, and I don't want to make it easy
for the spammers' address-hoovering tools to collect victims' con-
tact information from the TBTF home and archive. (Note that no
reader has complained about this to date.) On the other hand, I
want to make it possible for members of the TBTF community priv-
ately to contact people mentioned in the articles, should they
want to. For these reasons I've started a new convention on the
Web site when referencing the email addresses of correspondents,
informants, or participants in the stories that appear in this
newsletter: I add plausible obfuscation to each such address, ex-
cept for my own. (This doesn't affect the retro-push edition.) It
works like this:

Email address as it appears on the TBTF Web site: <tb#doyle@cs.und.edu#tf>
Actual email address: <doyle@cs.und.edu>

In other words, before sending email to anyone mentioned on the
TBTF site, remove "tb#" from before the address as published and
"#tf" from after it.

Thanks to Tad Staley <tstaley@msn.com> for this suggestion, and
more generally for pointing out the very existence of "the TBTF
community." Hmm. Consequences will flow from this insight.
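As an added illustration of the convention described in the note
above (example code, not TBTF's own; the newsletter shows none), here
is the wrapping and unwrapping in Python together with two toy
address harvesters. The address regex, the two harvester models and
the sample paragraph are constructed for this example; the exemption
for the editor's own address follows the note. The point worth seeing
is that a harvester which keeps whole whitespace-delimited tokens
collects the useless tb#...#tf form, while one that matches only
address-shaped runs of characters recovers the real address, because
the "#" simply ends its match. The obfuscation is, as the note says,
plausible rather than strong.

```python
"""TBTF's tb#...#tf address convention, and what two kinds of
address-harvesting tool would make of it.

Added example, not TBTF's own code. The regex, the harvester models
and the sample paragraph are constructed for illustration.
"""
import re

PREFIX, SUFFIX = "tb#", "#tf"

# Constructed loose address matcher. '#' is outside both character
# classes, which is exactly what lets a regex harvester see through
# the wrapper.
ADDRESS_RE = re.compile(
    r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# The note says the editor's own address is published unobfuscated.
EDITOR_ADDRESS = "dawson@world.std.com"


def obfuscate(addr: str) -> str:
    """Publish one address the way the TBTF Web site does."""
    return addr if addr == EDITOR_ADDRESS else f"{PREFIX}{addr}{SUFFIX}"


def deobfuscate(published: str) -> str:
    """Reverse the convention: strip "tb#" before and "#tf" after."""
    if published.startswith(PREFIX) and published.endswith(SUFFIX):
        return published[len(PREFIX):-len(SUFFIX)]
    return published


def obfuscate_text(text: str) -> str:
    """Rewrite every address found in running text."""
    return ADDRESS_RE.sub(lambda m: obfuscate(m.group(0)), text)


def harvest_by_token(text: str) -> list:
    """Crude harvester: split on whitespace, strip angle brackets and
    punctuation, keep any token containing '@'. Collects the dud."""
    found = []
    for tok in text.split():
        tok = tok.strip("<>(),.;:")
        if "@" in tok:
            found.append(tok)
    return found


def harvest_by_regex(text: str) -> list:
    """Regex harvester: keeps only the address-shaped run, so the
    tb# and #tf wrapper falls away and the real address is collected."""
    return ADDRESS_RE.findall(text)


# Constructed sample paragraph in the newsletter's own style.
SAMPLE = ("Rodney Thayer <rodney@sabletech.com> was in Munich; write to "
          "Keith Dawson <dawson@world.std.com> with corrections.")

if __name__ == "__main__":
    published = obfuscate_text(SAMPLE)
    print(published)
    print("token harvester sees:", harvest_by_token(published))
    print("regex harvester sees:", harvest_by_regex(published))
```

A reader following the note's instructions gets the same result as
the regex harvester, which is the measure of how much the convention
protects.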
_________________________________________________________________________

S o u r c e s

> For a complete list of TBTF's (mostly email) sources, see
< http://www.tbtf.com/sources.html >.

> Edupage -- mail listproc@educom.unc.edu without subject and with
message: subscribe edupage Your Name . Web home at
<URL:http://www.educom.edu/>.
_________________________________________________________________________

TBTF home and archive at < http://www.tbtf.com/ >. To subscribe
send the message "subscribe" to tbtf-request@world.std.com. TBTF
is Copyright 1994-1997 by Keith Dawson, <dawson@world.std.com>.
Commercial use prohibited. For non-commercial purposes please
forward, post, and link as you see fit.
_______________________________________________
Keith Dawson dawson@world.std.com
Layer of ash separates morning and evening milk.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2, by FileCrypt 1.0

iQCVAwUBM/e2oGAMawgf2iXRAQE1lgP/QRpNgywA2JrsJI0HqKSC5uMNqKovpna6
HwfMf4b4rU5wuQ562IsC3mptpMO0mVnJH9CqcAaesj0OaSlk7ivIZ6kLcaKWNGCN
LeGNwxFtm0QRjMOqUzYQsWBneFyy+UH5dPErb+lK47T1otrxd0F6069e4VK5zKk+
55C2ULTUwe0=
=t9kP
-----END PGP SIGNATURE-----