12/8/97: Prometheus suspected of arson

Keith Dawson (dawson@world.std.com)
Mon, 8 Dec 1997 08:28:06 -0600


-----BEGIN PGP SIGNED MESSAGE-----

TBTF for 12/8/97: Prometheus suspected of arson

T a s t y   B i t s   f r o m   t h e   T e c h n o l o g y   F r o n t

Timely news of the bellwethers in computer and communications
technology that will affect electronic commerce -- since 1994

Your Host: Keith Dawson

This issue: < http://www.tbtf.com/archive/12-8-97.html >
________________________________________________________________________

C o n t e n t s

McAfee buys PGP, Inc.
Is FBI director Louis Freeh on the way out?
Microsoft releases Internet Explorer 4.01
Microsoft invites Java developers, then cancels
English court rules against domain-name hoarders
First level of Certicom Challenge falls
E-money: a reality check
Followup: sites that don't welcome Netscape
Essential Tools: Bobby
________________________________________________________________________

..McAfee buys PGP, Inc.

Phil Zimmermann sells out to a key recovery company. What next,
Prometheus suspected of arson?

Last Monday the news broke [1] that security software pioneer PGP,
Inc. was being acquired by McAfee Associates, a company mostly
known for its anti-virus products. McAfee was just completing a
$1.3B merger with Network General, a company specializing in net-
work management products, with the merged entity to be called
Network Associates (NASDAQ: NETA [2]).

Immediately a backlash [3] began against Phil Zimmermann, PGP hero
and winner of the Norbert Wiener award. McAfee, as it turns out,
was a member of the Key Recovery Alliance [4]; and Zimmermann was
the man who once testified before the Senate that key recovery
could "strengthen the hand of a police state."

Hiawatha Bray's column in the Boston Globe on 12/4 [5] quoted PGP's
chief scientist, Jon Callas:

> [Callas] said yesterday that he would find the person at Net-
> work Associates who was responsible for the firm's membership
> in the Key Recovery Alliance, and persuade this person that
> the firm should resign. "That's my task for today," Callas
> said.

When I read this on Thursday morning I wished Callas luck, but held
out little hope. But it has come to pass [6]. Network Associates re-
signed from the Key Recovery Alliance on Friday 12/5.

[1] http://www.news.com/News/Item/Textonly/0,25,16903,00.html?pfv
[2] http://www.dbc.com/cgi-bin/htx.exe/squote?source=blq/cnet&ticker=NETA
[3] http://www.wired.com/news/news/politics/story/8906.html
[4] http://www.kra.org/
[5] http://www.boston.com/dailyglobe/globehtml/340/Encryption_hero_runs_afoul_of_on_li.htm
[6] http://www.pgp.com/newsroom/na-kra.cgi
________________

..Is FBI director Louis Freeh on the way out?

Encryption policy is only one of the areas in which Freeh rankles
the White House

The lawman that every privacy advocate and first-amendment booster
loves to hate may be on his way out. Freeh has been at odds with
White House views on a number of issues, and on 12/4 the presiden-
tial press secretary sent him in public a less-than-subtly-encrypted
signal that he may not have the full confidence of the president [7]
(edited soundbites here [8] -- 736K wav file). Freeh's outspoken
stance against efforts in Congress to liberalize crypto export has
been at odds with the administration's policy, as publicly articu-
lated by White House aide Ira Magaziner and Vice President Al Gore.
But not to overstress the importance of this technical issue in the
world of Washington politics, let it be noted that Freeh's most re-
cent sin was to favor the appointment of a special prosecutor to
investigate campaign fundraising by the President and Vice President.
Attorney General Janet Reno decided against such an appointment on
12/2. Thanks to Gregory Alan Bolcer <gbolcer@gambetta.ics.uci.edu>
for tipping this story.

[7] http://allpolitics.com/1997/12/04/mccurry/
[8] http://allpolitics.com/1997/12/04/mccurry/mccurry.wav
________________

..Microsoft releases Internet Explorer 4.01

It fixes bugs, it provides accessibility, it munches disk

The 4.01 upgrade [9] reportedly fixes all of the IE 4.0 security
bugs, and in addition returns to IE some of the features for people
with disabilities that had been present in 3.0 but didn't make it
back into 4.0 [10]. News.com reports [11] that many users are un-
happy with the size of the download, which comes in three flavors:
13, 16, or 25 MB. Once installed these packages eat disk to the
tune of 56, 72, and 98 MB. Another unhappy constituency is the
Windows NT 4.0 Server population [12] -- these users are required
to download Internet Explorer 4.01 before they are able to access
upgraded Option Pack components. Coming as it did in the week of
Microsoft's date with a judge on antitrust charges [15], this cross-
product requirement placed on NT 4.0 users had to be a bit embarrass-
ing for the company. Asked about this unfortunate confluence, vice
president Steve Ballmer said: "We just don't need any more drumbeat-
ing where people are wondering whether we are these Machiavellian
uber thinkers who can plan out this weirdness." Try to remain calm,
Steve.

[9] http://www.microsoft.com/ie/ie40/download/
[10] http://www.tbtf.com/archive/10-20-97.html#s02
[11] http://www.news.com/News/Item/Textonly/0,25,16932,00.html?pfv
[12] http://www.news.com/News/Item/Textonly/0,25,17058,00.html?pfv
________________

..Microsoft invites Java developers, then cancels

Didn't they know in November about Internet World?

Late last month Microsoft invited 100 key "Java influentials" to
come to Redmond, all expenses paid, to hear the company's spin on
the future of Java technology. (Microsoft had convened a similar
gathering a year ago.) The confab was scheduled for 12/5 and 12/6.
Two days before its opening Microsoft abruptly canceled the arrange-
ments [13], [14]. The company claimed that too many invitees were
complaining of schedule conflicts with the Internet World show
opening the following week in New York. The president of the Java
Lobby, Rick Ross, said, "I wonder whether this is a signal that
Microsoft themselves are in some disarray about their handling of
Java. It certainly doesn't look very organized." One invitee won-
dered whether the coincidental timing of a hearing in federal court
[15] might have been a factor in the cancellation.

[13] http://www.infoworld.com/cgi-bin/displayStory.pl?97123.ecancel.htm
[14] http://www.zdnet.com/intweek/daily/971204f.html
[15] http://www8.zdnet.com/pcweek/news/1201/05edoj.html
________________

..English court rules against domain-name hoarders

No, you can't hold buckinghampalace.co.uk

The business of Internet domain-name homesteading may be at an end
in England. Two men who registered names such as "burgerking.co.uk"
and "spice-girls.net" were ordered by a British court [16] to pay
BP 60,000 in legal fees and to hand over the domain names. The court
found in favor of five companies, including British Telecom and
Ladbrokes, who had brought the action. The judge said: "Any person
who deliberately registers a domain name on account of its similar-
ity to the name, brand name, or trademark of an unconnected commer-
cial organization must expect to find himself on the receiving end
of an injunction".

[16] http://news.bbc.co.uk/hi/english/sci/tech/newsid%5F35000/35458.stm
________________

..First level of Certicom Challenge falls

The first shot is fired in an elliptic-curve challenge

Certicom is a maker of elliptic-curve encryption software. ECC al-
gorithms are drawing considerable interest and study because they
hold out the possibility of offering security comparable to the RSA
algorithms using smaller keys, therefore requiring less computation.
This possibility is not yet considered verified by most of the math-
ematics and cryptosystems research community.

The assumption that ECC encryption can use smaller keys is the as-
sumption that no subexponential-time solution exists for the mathe-
matical problem (the elliptic curve discrete logarithm problem) on
which ECC is based. The only solution to ECDLP known to exist takes
fully exponential time. In contrast, both of the other well-studied
mathematical problems that underlie modern cryptosystems -- the in-
teger factorization problem (e.g., RSA) and the discrete logarithm
problem (e.g., Diffie-Hellman) -- have solutions that require only
subexponential time.
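
The "fully exponential" cost described above, as an added example that
is not part of the original newsletter or of Certicom's materials:
baby-step giant-step, a generic square-root method for ECDLP, run over
three field sizes. The toy curve y^2 = x^3 + x - 1, the base point
(2, 3), the primes and all function names are assumptions constructed
for illustration; this is not necessarily the method Harley and
Baisley used.

```python
from math import isqrt

A = 1        # constructed toy curve y^2 = x^3 + x - 1
G = (2, 3)   # lies on it over any prime field: 9 = 8 + 2 - 1

def add(P1, P2, p):
    """Affine point addition mod p; None is the point at infinity."""
    if P1 is None: return P2
    if P2 is None: return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % p, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, P, p):
    """Double-and-add scalar multiplication k*P."""
    R = None
    while k:
        if k & 1: R = add(R, P, p)
        P, k = add(P, P, p), k >> 1
    return R

def bsgs(Q, p):
    """Find k with k*G == Q; returns (k, number of point additions)."""
    m = isqrt(p + 1 + 2 * isqrt(p)) + 1   # m*m exceeds the Hasse bound on the order
    table, R = {}, None
    for j in range(m):                    # baby steps: remember j*G
        table.setdefault(R, j)
        R = add(R, G, p)
    step = None if R is None else (R[0], -R[1] % p)   # -(m*G)
    cur, ops = Q, m
    for i in range(m + 1):                # giant steps: Q - i*m*G
        if cur in table:
            return i * m + table[cur], ops
        cur, ops = add(cur, step, p), ops + 1
    raise ValueError("Q is not a multiple of G")

def scaling(primes=(1009, 65537, 2**31 - 1)):
    """One solved instance per field size: (bits, additions, verified)."""
    rows = []
    for p in primes:
        Q = mul(p // 3, G, p)             # p // 3 stands in for the secret key
        k, ops = bsgs(Q, p)
        rows.append((p.bit_length(), ops, mul(k, G, p) == Q))
    return rows
```

Calling scaling() shows the addition count growing roughly as the
square root of the field size, so each extra key bit multiplies the
work by about 1.4; the same scaling puts a 79-bit group on the order
of 2^40 point additions.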

In order to gain exposure and to jumpstart the expert scrutiny that
ECC will need if it is to be widely trusted, Certicom is sponsoring
a crypto crack contest (they call it a challenge) [17]. The chal-
lenge comes in three parts: a series of "warmup exercises" followed
by Level 1 and Level 2 problems [18]. A total of $625,000 in prize
money is offered.

Yesterday Robert Harley <Robert.Harley@inria.fr> announced [19] that
he and Wayne Baisley had cracked one of two first-level warmup exer-
cises, a 79-bit problem [20] designated ECCp-79. At this writing he
has had no reply and the Certicom status page [21] has not been up-
dated, so it is possible (but unlikely) that Harley's claim will
prove not to be the first. If it is, he will receive as a prize a
copy of the Handbook of Applied Cryptography (though somehow I sus-
pect he's already read it) and a Maple V encryption package from
Certicom.

Certicom estimates the difficulty of the warmup exercises thus:

> Using a network of 3000 computers, it is expected that the
> 79-bit exercise could be solved in a matter of hours, the
> 89-bit in a matter of days, and the 97-bit in a matter of
> weeks.

Harley and Baisley applied 6 computers to ECCp-79 and solved it in
a bit under 10 days, which would have amounted to less than half an
hour had they had 3000 machines to throw at the problem.

Harley takes the opportunity presented by his winning claim [19] to
tweak Certicom for their membership in the Key Recovery Alliance [22].
If the company replies to him substantively on this point, I'll post
their response on the TBTF archive.

[17] http://www.certicom.com/chal/index.htm
[18] http://www.certicom.com/chal/ch4.htm
[19] http://www.tbtf.com/resource/certicom1.html
[20] http://www.certicom.com/chal/curves.htm
[21] http://www.certicom.com/chal/ch_52.htm
[22] http://www.kra.org/roster.html
________________

..E-money: a reality check

An anchor to windward for some of the more high-flying e-pundits

Writing in Salon, Scott Rosenberg pours sand into the vision of
a friction-free economy [23]. His piece, though too dismissive of
the power of Net technology to transform industries, does add
some needed detail to the Economist's argument outlined in TBTF
for 5/22/97 [24]. The various forms of micropayments and electronic
cash are in their infancy, while online consumers have embraced a
payment system with which they're already familiar: credit cards.
Rosenberg quotes Elinor Harris Solomon's book "Virtual Money" to
illuminate where the real e-money is in the US economy (figures
are from 1995).

                 trillions of     trillions
  medium         transactions     of dollars
  ----------     ------------     ----------
  cash                550            2.2

  checks               62             73

  electronic           19            544
   transfer

[23] http://www.salon1999.com/21st/feature/1997/10/cov_30emoney.html
[24] http://www.tbtf.com/archive/05-22-97.html#s05
________________

..Followup: the TBTF Exclusionary Sites Hall of Shame

Yes, the Star Trek site is as unfriendly as reported. Here are two
others that don't welcome Netscape

TBTF for 11/24/97 [25] reported a Star Trek site [26] carried on the
Microsoft Network that welcomes only visitors running IE on Windows.
A number of people wrote with elaborations and results from other
platforms, and I posted an emendation softening the claims in the
original article. Now that all the facts are in I'm convinced that
the site behaves as badly as first described.

Here are some other MSIE-only sites that readers wrote in about.

The Microsoft Gaming Zone [27] tells you this when you visit using
Navigator.

> We're sorry. For technical reasons, the Zone doesn't yet
> support Navigator 3.0 or higher. We're working to add this
> support and we apologize for the inconvenience. If you think
> this message was sent to you in error, please report it to
> the Zone as a bug. In the meantime, we invite you to download
> Microsoft Internet Explorer for free.

The English supermarket chain Tesco offers an Internet Shopping page
[28] that says this to a Netscape browser.

> The Tesco Internet Superstore uses the latest Internet
> Technologies. We have detected that the browser you are
> using does not support either ActiveX controls or VBScript.
> Both of these technologies are required to use the Internet
> Superstore.

[25] http://www.tbtf.com/archive/11-24-97.html#s11
[26] http://startrek.msn.com/
[27] http://www.zone.com/
[28] http://www.tesco.co.uk/superstore/tis.asp
________________

..Essential Tools: Bobby

How accessible are your Web pages to people with limited sight?

This tool [29], from CAST (the Center for Applied Special Tech-
nology), tells you about obstacles your Web site may be presenting
to visitors using text-to-speech screen readers. I assumed TBTF's
pages to be fairly accessible, but a visit to Bobby gave me some
tips to improve them. For example, did you know it's a good idea to
separate links with something more than whitespace, else screen
readers can get confused about which text goes with which link? Once
the service rates your page 4 stars or better you can download and
affix the "Bobby Approved" logo [30].

Bobby also offers an unusually comprehensive suite of HTML compli-
ance tools. You can check your pages against W3C HTML 2.0 or 3.2,
four flavors of Netscape Navigator, two of Internet Explorer, four
of AOL's browser, three of Lynx, and even WebTV 1.0. Bobby informed
me about irregularities inside TBTF's META tags, a detail far below
the notice of most other verifiers.

Finally, source code for Bobby is offered freely. You can download
the Perl source [31] and run your own copy of Bobby locally on any
Unix computer. CAST is working on a Java version.

I learned about this TBTF Essential Tool for Website Development
[32] from David Weinberger's <self@evident.com> Journal of the
Hyperlinked Organization [33], a new corporate-focused newsletter
with plenty of attitude. Weinberger notes that JOHO's tone is hum-
orous, sometimes even on purpose. Check it out.

[29] http://www.cast.org/bobby/
[30] http://www.cast.org/bobby/images/approved.gif
[31] http://www.cast.org/bobby/getsource.html
[32] http://www.tbtf.com/essential-tools.html
[33] http://www.hyperorg.com/
________________________________________________________________________

N o t e s

> I'll be at Internet World in New York from 12/10 to 12/12. If
you're at the show, drop by the Sitara Networks booth (#135)
and look me up. Sitara's new Web site has launched [34]; it
offers a free download of the beta SpeedSeeker client soft-
ware for Windows 95 or NT. SpeedSeeker lets you view Sitara-
enabled Web sites an average of three times faster, with
enhanced reliability. At the show we'll be announcing some
of the SpeedServer beta sites.

[34] http://www.sitara.net/
________________________________________________________________________

S o u r c e s

> For a complete list of TBTF's (mostly email) sources, see
< http://www.tbtf.com/sources.html >.
________________________________________________________________________

TBTF home and archive at < http://www.tbtf.com/ >. To subscribe
send the message "subscribe" to tbtf-request@world.std.com. TBTF
is Copyright 1994-1997 by Keith Dawson, < dawson@world.std.com >.
Commercial use prohibited. For non-commercial purposes please
forward, post, and link as you see fit.
_______________________________________________
Keith Dawson dawson@world.std.com
Layer of ash separates morning and evening milk.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNIwDQmAMawgf2iXRAQE1IgQAjxrZVeeB/HKyiff2ZfVR6Cy4pvt1eLxw
5iQAB3hoUxvoh+FREEtAg0JRkUx085i9ozTorE+Xe94Uk5aBcOsKA4tcr6mnOtxB
t8L0R/jwUFksX5rmzopO8m/u9NdjeSgT3eU6mHENcCKtJlojA/pAjWGjhjPbl1yK
4JH7hZqdOvg=
=PAop
-----END PGP SIGNATURE-----