TEK THOTS


Electronic Newsletter



+-+-+-+ +-+-+-+-+-+
|T|e|k| |T|h|o|t|s|
+-+-+-+ +-+-+-+-+-+


TEK THOTS
Volume 2, Number 3
February 24, 1997
Published irregularly by Scott C. Holstad

=============================================================
Copyright Notice
Copyright (C) 1997  Scott C. Holstad
All enclosed material may be used for non-commercial purposes.
=============================================================

************************************************************************
DISCLAIMER
The views and analysis expressed in Tek Thots are the author's own, and 
do not in any way reflect the views of EarthLink Network, Inc., the 
author's employer.
************************************************************************


CONTENTS

-- News/Editorial
-- PC Thots
-- Mac Thots
-- Web Development Thots
-- This Issue's Plug-in
-- This Issue's ActiveX Control
-- Stock Thots
-- Game Thots
-- Newbie Thot
-- Privacy/Security Thots


=============================================================

News/Editorial
------------------

*	Welcome to another issue of Tek Thots.  Since the last issue, we've 
added subscribing readers from two new countries: Belgium and New Zealand 
-- Welcome!  I've also been going over the Web logs for the Tek Thots 
archive page, and I'm fairly amazed at everyone who's been dropping by.  
[I'm going on a long country list now, so if such things disinterest you, 
skip to the next section.]  So far, we've had US visitors with the 
following TLDs (Top Level Domains): "net," "com," "edu," "mil," "gov," 
"us," "org," and even the old style "arpa." The rest of you have come 
from the following locations (although there have been 902 "unknown" IP 
address visitors this month...): Sweden, UK, Israel, Canada, Australia, 
Germany, Chile, Finland, New Zealand, Italy, Norway, South Korea, 
Denmark, Iceland, Poland, Switzerland, France, Netherlands, Belgium, 
Singapore, South Africa, Russia, Spain, Thailand, Portugal, Japan, 
Romania, and Greece!  So, welcome!  Let me know what sorts of things 
you're interested in seeing, the provision being that the topic should be 
technical in nature.


*	It seems there have been so many rumors, hoaxes, etc., floating around 
the Net for the last year, that ya almost get happy to get any other sort 
of email... Well, I often address such hoaxes in Tek Thots, but my 
bi-weekly efforts seem to be moving to tri-weekly, so I've decided to 
post info on major hoaxes making the rounds on the Tek Thots archive page 
(http://www.well.com/user/sch/tekthots.html).  You might want to check it 
out every now and then, especially if you get those messages begging you 
to spam someone for some odd humanitarian reason.


*	So, Bob Massey, Compuserve's CEO and Head Honcho called it quits.  Word 
has it H&R Block told him to not let the door hit him on the way out -- 
not too many people are crying.  Let's see, what has he done?  Allowed an 
IDIOTIC experiment called WOW! to surface for a horrid eight months, 
plunking down 8 mil to keep it afloat.  (What the hell were they thinking 
over there!?!)  Added 200,000 foreign customers as AOL added 3 million 
total.  Produced a clever ad campaign targeting disaffected AOL end 
users, after announcing an intention to focus upon business users, 
oversaw a stock which plummeted in value, and a company which lost $58 
million in its last quarter (as well as 500 employees). 

And, if things work out the way they usually do in Corporate La La Land, 
he probably got a massive severance package for his service.  Watch now, 
as the Compuserve board begins its executive search.  I wouldn't be 
surprised if they looked up former GEnie or E-World execs....


*	Those of you relying upon a Uunet backbone will be pleased with 
WorldCom's stated intention to plow some $300 million into backbone 
upgrades (can we say ATM?) for Uunet.  Not only will this aid Uunet's 
customers, but ultimately Microsoft's, EarthLink's, The Well's, etc., 
will all benefit too.  Good news, eh?


*	After all the bitching about Netscape charging for Navigator while 
Microsoft gives away Internet Explorer, now ... Marc Andreessen is having 
to explain an INCREASE in price.  The next browser suite version -- 
Communicator -- is going to go for $59, a $10 increase over the current 
browser.  On one hand, I can understand the motive, but won't this simply 
give Microsoft more PR fodder, let alone more customers...?


*	GeoCities went out recently and got a $9 million VC cash infusion.  
Nice.  After all, their "neighborhood" model is pretty attractive -- I 
have to admit, I like a lot of the sites I find in GeoCities' 
neighborhoods.  I only have one request -- please, please sink the nine 
big ones into infrastructure growth!  GeoCities is probably the only 
place in the world more difficult to access than AOL.  I feel darn lucky 
if I can EVER call up a GeoCities Web site!


*	USR wins the Tek Thots Hype Award, or should it be the Lamer Award?  A 
half year after the announced X2 56k modem, where is it?  Nowhere -- it's 
been delayed and delayed and delayed.  Now, I get as annoyed as anyone 
else when buggy products are released before they're ready, so I'm glad 
USR is (presumably) working on some last minute bug fixes.  But, why the 
damn hyped promises eons before delivery?  Please, these marketing 
departments should be led to some accountability....


*	Those of you who read the January issue of Boardwatch may have seen a 
letter (tho it read like a press release) to the editor in which the 
writer asked, "Is Yahoo going down the tubes," essentially because 
they're not listing everything being submitted to them.  This person 
seemed to be writing from a complete web marketing perspective, and seems 
to be one of those who charge to get Web sites listed.  (I'm making that 
assumption anyway, based upon the fact that this person works for 
"News-Media Services".)

The attitude in the letter ticked me off so much, I did something I 
shouldn't have and flamed the writer.  She responded to me, and we 
engaged in a few decent emails.  I normally wouldn't do this, but as she 
saw fit to have her name and email address printed in Boardwatch, I 
assume she won't mind seeing it here.


>---------- Forwarded message ----------
>Date: Fri, 24 Jan 1997 10:06:32 -1000
>From: Mary Jane 
>To: Scott Holstad 
>Subject: Yahoo is inadequate and fraudulent
>
>Hi Scott
>
>Thanks for your response to my comments.
>
>If the invisible cowards at Yahoo exercise some unmentioned and
>undescribed editing control over the submissions to their directory,
>what real good is Yahoo?


Quality vs. quantity...?

>
>A person who is searching - myself, at any rate - wishes to use 
>keywords to find a complete list of relevant materials on the web.
>
>So, if Yahoo is not presenting a complete list, what good is it?

Valid point, but why don't you just use a different one anyway?

>
>What criteria do they use to list one site and not another?  I mean,
>suppose the decision-maker is in a snit or on the rag that day?
>

Again, a valid point.

>Personally, I think Yahoo sucks, both as a lister and as a searcher, and
>the comments I have received from others (besides yours) indicate that
>the consensus is tending in my direction.  The only good thing about
>Yahoo is their marketing effort, ads in Wired, etc.  Keep the name in
>the public eye and sell shares.  Forget providing a service.
>
>Alta Vista, on the other hand, accepts all listings and puts out a very
>complete search list.  In fact, from a web-promoter's point of view, one
>(carefully executed) study showed that Alta Vista listings are
>responsible for 30% of all hits.  Yahoo didn't even register.
>
>My opinion, for what it's worth
>
>Mary Jane Colombo
>maryjane@news-media.com
>

Hi Mary Jane,

Thanks for writing back.  I'm sorry if I sound like a lecturing idiot -- 
it's not my intention.  Look, I completely agree with you on one of your 
assertions, and I completely disagree on another.  You state that Yahoo 
is not as good as Alta Vista and some of the others when it comes to 
performing substantial searches.  In this you are very right.  I've 
long relied upon Alta Vista, Excite, Infoseek and the others for 
substantive searches.

However, I disagree when you say Yahoo is fraudulent.  I think this 
hinges upon a misunderstanding, on your part, of what Yahoo is.  Maybe 
you think this is merely semantics, but I can assure you this makes a 
difference.  Yahoo is not a search engine; rather, it's a "guide," 
"directory," or "index."  This means that they index whatever they want, 
not everything submitted to them.  Not only does this imply that they're 
NOT fraudulent, but further, how could they possibly be?  I don't recall 
ever seeing anything on their site claiming to be the world's greatest 
search engine or claiming to list the most sites, etc.... How are they 
misleading people?  I don't think people are being misled; rather, people 
such as yourself, are misunderstanding their intent.... Please check out 
some of the info I include below our prior communication.  Some of this 
is from the Yahoo site and other pieces are from other sites, essentially 
agreeing with my assertion.  

My point is, yes, Alta Vista is better -- you're right.  Yahoo isn't the 
greatest thing out there.  But, how are they defrauding people?  They make 
no massive, large scale claims, and on top of that, they're not even a 
search engine -- they're a directory/guide/index, etc.


Supporting points:

From the Yahoo site

- What is Yahoo? 
          Yahoo! is a hierarchical subject-oriented guide for the World 
Wide Web and Internet. Yahoo! lists sites and categorizes them into 
appropriate subject categories.


- What is Yahoo? 

Yahoo! is a searchable, browsable hierarchical index of the Internet. 


- How are links gathered for the Yahoo! database? 
          There are two ways in which Yahoo! gets its links. First, it's 
through user submissions. This is done by clicking on the "Add URL" 
function in the menubar. Currently submissions comprise almost all of our 
entries.

          The second way Yahoo! gets its links is through automated search 
robots that look for new announcements at various places. 


Also, at http://www.yahoo.com/docs/info/addfaq.html#detail, they use 
phrases such as "We will review the site and your new category proposal," 
and "Again, entries might not be added to all requested categories.."


- The following URL, http://www.bubl.bath.ac.uk/BUBL/IWinship.html, has a 
discussion on the merits of search engines such as Lycos, as compared 
with "subject collections with a search facility" such as Yahoo.


- The following URL, http://sunsite.berkeley.edu/Help/searchdetails.html, 
has a discussion about the following search tools: 

SUBJECT DIRECTORY: | Yahoo |

 SEARCH ENGINES: | Alta Vista | Excite | HotBot | Infoseek Ultra | Lycos 
| Open Text Web Index |

Also, note the quote from this page:  "SEARCH TIP: Yahoo! is a subject 
directory, which means it will not list many pages that search engines 
will typically retrieve (such as Joe Schmoe's page of hot links)."



- http://www.internetworld.com/1996/05/showdown.html
We set out to test the seven major Web search engines available for free 
on the Internet: Alta Vista, Excite, InfoSeek Guide, Lycos, Open Text, 
Web Crawler, and WWW Worm. Each of these systems offers essentially the 
same service: You log onto the page with a browser, type a query into a 
text box, and within seconds the program returns a list of clickable 
links. No special software is needed. 

These seven sites are quite different from Net directories like Yahoo and 
Magellan, which are essentially registries of Web sites based on 
descriptions submitted by Webmasters or written by the directory's 
staffs. 



More:

>Hi Scott
>
>Thanks for your response.
>
>I will be (a little) more careful using an actionable term like
>"fraudulent", however if the directory or index is incomplete, what good
>is it?  

It's free?  I guess my point is, they're all incomplete.  That's why you 
cross-reference, I s'pose.  That is, until something better comes along.

>
>You say "quality vs quantity", however quality is in the eye of the
>beholder, what?


Well, you're right about that.  Those are subjective terms.  I guess my 
personal differentiation would be in that standard search engines 
typically catalog anything they come across or which is submitted to 
them, whereas Yahoo would be more discerning, hopefully weeding a lot of 
the junk out?  I'm not sure if that's as true now as it would have been a 
year and a half ago.  You're right, in that they've gotten bogged down.

>
>I don't think I suffer any misapprehensions about what Yahoo is.  It's a
>business designed to make money for its owners.


But that's not how it started.  It originally was just a list of favorite 
bookmarks that these two Stanford grad students released on the Web.  It 
grew exponentially until, yeah, they got the big bucks.  But, that 
doesn't necessarily translate into immediate corporate success, in the 
traditional sense -- they simply don't come from that background, and 
don't necessarily have that corporate knowledge to fall back on.  Now 
that they have the cash, I assume they've brought such people in, but 
it's still been a reasonably short period of time, so maybe they still 
have a ways to go....

>
>All that promotion serves to sell shares and to make people think that
>Yahoo will continue to grow along with other internet related firms, and
>all the spread of "other yahoos" reminds me just a bit of AOL.   Not to
>say that they won't be successful, just that I will spend my time more
>profitably than surfing Yahoo.
>


I completely concur.  Here's what I do, and this has been helpful for me.  
I start out a search at Yahoo.  If I don't come up with much, at the 
bottom of the screen, is the following interface:

Other Search Engines

Alta Vista - WebCrawler - HotBot - Lycos - Infoseek - Excite -- Image 
Surfer - DejaNews - More...

You can click on any of these hyperlinks, and the search is automatically 
executed and results given for these other tools.  That way, you don't 
have to re-type your search request at all of these other places.  
Forgive me if you already know this; you'd be surprised how many people 
do not.  Anyway, I find this to be a helpful search process.

Incidentally, you may want to note the following.  The "other" search 
engines all use independent "search engines."  For instance, Alta Vista 
is a DEC-powered search engine.  There is no Yahoo search engine, 
however.  Their default search engine IS Alta Vista.  It searches through 
the Yahoo directory, and if nothing is found, defaults to Alta Vista 
listings.




So, what do the Tek Thots readers think?  Is Yahoo! a search engine or a 
directory?  Does it even matter?


=============================================================

PC Thots
-----------

*	I ordered a new PC this week: a P200MMX (32MB -- 60n -- , 3.1G, Diamond 
w/ 4MB, SB64, 16x CDROM, etc.).  I'm looking forward to doing some 
personal benchmarking with the P55C chip.  I hope to report the results 
in Tek Thots.


*	Speaking of Pentiums sporting MMX, Intel announced the new "official" 
name for Klamath (their next P Pro chip).  Shockingly ;) it's to be 
called the Pentium II.  Basically, it's going to be a Pentium Pro with 
MMX and 32K primary cache.  It's supposed to debut in the second quarter 
at an expected 266MHz clock speed.


=============================================================

Mac Thots
-------------

*	I keep talking to exuberant Mac enthusiasts who are real happy about 
Steve Jobs' return, as well as the expectations surrounding (allegedly) 
speedy new Motorola chips.  However, I remain unconvinced.  Following on 
the heels of just about everyone else, COO Marco Landi split.  Can't say 
I blame the guy too much, after Gil knocked him down a few pegs.  Word 
is, Ellen Hancock's out the door too, as soon as a severance package is 
settled.  She, of course, is denying the rumor, as is Apple.

So, why the continued chaos?  Two words: Steve Jobs.  Evidently, he's 
gotten his NeXT cronies into the highest levels of leadership over there, 
and he won't stop until the company resembles his outlook.  I know people 
will disagree with me, but this scares me.  Jobs is a proven idea man, 
but an equally proven leadership failure.  Apple, first incarnation -- he 
alienates everyone and is basically driven out.  NeXT -- great concept 
which does jack squat commercially.  Jobs will, if it's even possible, 
drive Apple lower into even greater insignificance.  I've said this 
before, and I'll say it again: I'm not a huge Apple fan, but a healthy 
Apple is necessary to ensure some competition for Bill.  Unfortunately, 
for the life of me, I don't see it happening anytime in the near future.


=============================================================

Web Development Thots
-------------------------------

*	Newfire has put out a new 3D player called Heat, set for release as a 
plug-in for Navigator and soon after as an ActiveX Control for IE.  
Newfire promises rendering speeds of four to six times faster than other 
VRML browsers, which isn't too shabby.  Evidently, Heat achieves its 
higher frame-update rate by utilizing something called "Visible Scene 
Management" (VSM).  VSM basically filters 3D content and sends only the 
visible elements of a scene to the rendering engine for processing, thus 
eliminating unseen polygons, and increasing speed and, ultimately, 
performance.  I'm looking forward to it because I do think VRML is cool, 
but I also think many of the viewers haven't progressed as rapidly as 
their HTML brethren.


*	Speaking of vermel, DimensionX claims to have the first VRML tool for 
non-programmers: Liquid Reality Composer 
(http://www.dimensionx.com/products/lr/) allows people to drop 3D models 
inside a scene and add special effects (such as sound, texture, lighting, 
animation, etc.).


*	Marimba's releasing a Castanet SDK called PublishNow.  They're doing 
this in conjunction with the announcement of a series of new partners 
(Intel, IBM, Fedex, etc.) set to introduce a bunch of new channels.  This 
is good, cause as cool as the Castanet technology is, the content has 
really seemed lacking to me.


=============================================================

This Issue's Plug-in
------------------------

*	This issue's plug-in is Autodesk's WHIP! 
(http://www.autodesk.com/products/autocad/whip/whip.htm), a 
Win95-specific viewer for AutoCAD DWF (Drawing Web Format) format files.  
WHIP! offers pan, zoom, and embedded URL capabilities, and might be a 
look at the future of AutoCAD....


=============================================================

This Issue's ActiveX Control
-----------------------------------

*	NCompass Labs has come out with a new ActiveX Control suite called 
CaptiveX (http://www.ncompasslabs.com/captivex/index.htm).  There are six 
components developers can implement, several of which seem potentially 
cool.  They include billboards and 3D rotating cubes which can display 
various images and messages, etc., as well as something called 
"MessageMorph," which "manipulates text making mesmerizing medleys of 
morphing messages" (they love that alliteration, eh?).  Might be worth a 
look-see.


=============================================================

Stock Thots
--------------

*	After months of rumors, EarthLink went public last month.  They opened 
at $13, peaked a week later at $22, and have been hovering in the $17 
range since.  With projected growth potential in sight, this stock will 
be interesting to watch (for a variety of reasons;) ).


*	Lucent is jamming!  For the first quarter ended Dec. 31, earnings rose 
to $859 million, or $1.35 a share, from $830 million, or $1.30, on a pro 
forma basis.  Sales rose 6.9% to $7.94 billion from $7.43 billion.  They 
also expect something along the lines of an 11% growth for '97.


=============================================================

Game Thots
--------------

* 	Eugene Ridneour, EarthLink's Gamemaster, again gives us his picks of 
the issue:


PC Game of the Week: MDK   (http://www2.shiny.com/shiny/)

In 1999, you'll find the universe has been connected by large electrical 
tubes that amount to one giant, interplanetary highway. On these 
"streams," as they're called, the evil Gunter Glut is planning a massive 
attack on Earth. Two humans who have been stuck in orbit for five years, 
Dr. Fluke Hawkins and Kurt Hectic, are the heroes who have to save the 
day. You play Kurt Hectic and go on the attack in 60 arenas spread out 
among 6 futuristic cities. 

Mac Game of the Issue: Leisure Suit Larry, Love For Sail   
(http://www.sierra.com/entertainment/lsl7/)

The funniest Leisure Suit Larry yet, Love For Sail! puts our hapless 
hero, Larry Laffer, aboard the world's gaudiest cruise ship, run by its 
gorgeous skipper, Captain Thygh. Imagine a shipload of beautiful women, 
imagine skimpy swimsuits!  Then imagine what Al Lowe will make you do 
with the Scratch-'n'-Sniff smells included with every game! And imagine 
your own voice, your very own face, right there on screen!  (No, don't 
ask us about this, you'll just have to wait and see!)


=============================================================

Newbie Thot
----------------

*	I know many newbies are slammed with acronyms, and it gets frustrating.  
One usually bandied about quite a bit is TCP/IP.  Yet, aside from hearing 
you need to use it to get on the Internet, is it really ever explained to 
you?  Well, if you're curious about what each of the major protocols 
within TCP/IP really does, you may wish to check out a piece I recently 
wrote on the topic -- TCP/IP: The Backbone of the Internet, located at 
http://www.earthlink.net/daily/tuesday/tcpip/.  In it, you'll learn how 
TCP/IP came about, and how each of the four major parts of the protocol 
acts.


=============================================================

Privacy/Security Thots
---------------------------

*	Remember the recent spate of Good Times Virus hoax scares making the 
rounds for the umpteenth time (mentioned in Tek Thots 1.1)?  Well, the 
Cult of the Dead Cow (a group of hackers, for those who don't know) is 
claiming responsibility for it, as an effort to show Internet gullibility 
(as if anyone needs to do that???) re self-proclaimed experts.  
Personally, I'm not too impressed.  It seems to me that there may be more 
effective ways to express irritation with Internet idiots.  Then again, 
they were pretty successful.... Here's part of their press release, for 
those interested.



                                                        FOR IMMEDIATE RELEASE
FOR MORE INFORMATION, CONTACT: sratte@mindvox.com

              CDC IS NEW FALLEN SNOW ON A BLEAK DESERT LANDSCAPE

cDc communications is tittering with joy on the birth of this shiny new 
year to make two announcements.  We are the proud parents of ten bouncing 
new articles in the continuing saga of the CULT OF THE DEAD COW 
publication. These feisty little rugrats will put a smile on the face and 
a Brussels sprout in the stomach with their hearty blend of entertainment 
and information.  We also can now make public our "Good Times" virus 
hoax.

The Good Times meme was launched by cDc to prove the gullibility of 
self-proclaimed "experts" on the Internet.

Any chickenhead would see through the Good Times virus message as the 
merest wisp of smoke that it is, while the so-called experts ran around 
in circles, beside themselves in self-induced panic.

Therefore, CULT OF THE DEAD COW claims FULL responsibility for the waves 
of nausea and unrest that have spread from AOL to CompuServe to Prodigy by 
the actions of egotistical 'experts' who roam the Information 
Superhighway like squeegee men, seeking to wring a buck or two from the 
poor souls they confront at every intersection and stoplight on the 
infobahn.

We have far worse to unleash upon you, should you insist upon 
pontificating and spreading obvious falsehoods.


*	By now, most people know about UC Berkeley grad student Ian Goldberg, 
and his (relatively) easy crack of RSA 40-bit crypto.  I was going to 
write about it in the last issue, but simply didn't have the room.  Three 
and a half hours, folks.  That's not a lot of time. Granted, he needed 
250 workstations to do it, and the likelihood of you or I doing it is 
slim to none, but there are an awful lot of governments/organizations 
with a vested interest in seeing their competitors' communications.  And, 
they have the money/resources it takes.  

This simply reinforces the assertion that current US crypto regulations 
are inadequate/unrealistic/uncompetitive. Moreover, this calls the crypto 
issue into greater focus, perhaps creating even greater urgency.  EPIC 
(http://www.epic.org/) is a good place to keep abreast of such issues; I 
advise you to check it out. 


*	Just came across an excellent Web site on TEMPEST, the set of standards 
for limiting electric or electromagnetic radiation emanations from 
electronic equipment.  TEMPEST, of course, was designed to limit 
radiation emanation monitoring, and while much info about it remains 
fairly classified, you can learn a lot at:  
http://www.eskimo.com/~joelm/tempest.html.  


*	ITT Avionics and Northrop Grumman (Electronic Sensors and Systems 
Division) just won a joint $100+ million contract from the South Koreans 
to provide the AN/ALQ-165 Airborne Self-Protection Jammer (hardware and 
software) for their (new) F-16s gradually replacing their F-4s and F-5s.  
This follows on the heels of their buying AH-1 Cobra attack helicopter 
and UH-60 Blackhawk helicopter flight simulators ($34 million contract to 
Reflectone Inc) for their new aviation training center. 


*	From Federal Computer Week:


FEBRUARY 17, 1997 


SECURITY

DOD sinks the Clipper

BY COLLEEN O'HARA (ohara@fcw.com) AND HEATHER HARRELD 
(heather_harreld@fcw.com)

The Defense Department plans to remove the government key escrow software 
from its Fortezza cards used on the Defense Message System, a move that 
signals the death of the Clinton administration's controversial Clipper 
initiative and one that should encourage civilian use of the 
cryptographic cards. 

A DOD spokeswoman confirmed the decision to remove the key escrow but 
would not provide further details. 

The DOD decision, which will be formalized in a policy expected out 
shortly, is in response to the administration's decision last October to 
support key recovery technology instead of the controversial Clipper 
initiative. Each agency must decide how it will implement the 
government's policy internally. A technical advisory committee will 
develop standards for a federal key management infrastructure. 

The so-called Clipper initiative proposed a nationwide standard for 
encryption hardware that would have used a classified algorithm with 
built-in law enforcement access. It is this built-in access - which law 
enforcement agencies claimed was vital to their jobs - that will be 
removed from the cards. It most likely will be replaced by emerging 
commercial key recovery technology that does not have the same built-in 
access. 

DOD has for years pressured civilian agencies to use government escrow 
technology, but the agencies were wary of the law enforcement access. 
Stephen Walker, president and chief executive officer of Trusted 
Information Systems Inc. (TIS), said the policy will remove the last 
remnants of the Clipper and serve as an official endorsement of key 
recovery technology. 

"This is the end of Clipper," Walker said. "This is a very positive move 
because it puts the Defense Department in a posture of using commercial 
products instead of Defense Department products. If the Defense 
Department is moving away from key escrow, no one else is going to feel 
obligated to have key escrow either." 

Civilian Agency Appeal?
Removing government key escrow from Fortezza cards, which are designed to 
provide authentication, integrity and confidentiality to DMS users, could 
prompt civilian agencies to deploy the cards to secure electronic mail or 
other communications, said Santish Chokhani, CEO of Cygnacom Solutions, 
a security consulting company. 

"If you take out the key escrow from Fortezza, that would mean a broader 
set of civilian agencies and commercial folks could use the technology 
without worrying that someone is copying their keys," he said. 

The main difference in government key escrow - now in place in Fortezza 
cards - and key recovery technologies is the ability of law enforcement 
agencies to secretly decrypt encrypted files after obtaining a warrant. 

There is a private key (needed to decrypt data) embedded in each Fortezza 
card chip. When the Fortezza chip is manufactured, the private key is 
split; one half goes to the National Institute of Standards and 
Technology and the other to the Treasury Department. 

If a law enforcement agent obtains permission from a court to decrypt 
information of a Fortezza card user, he can obtain both parts of the 
private key from the two federal agencies and decrypt the data without 
the knowledge of the user. 

Key recovery is a technology that allows for the recovery of a private 
encryption key if it is lost or damaged. This private key, however, is 
kept by the user or user's organization, not by government agencies. Law 
enforcement agencies still can obtain a warrant for a user's private key, 
but they could not secretly decrypt the information without the user's 
knowledge. 

Sources said DOD's move was targeted to increase the appeal of the 
Fortezza card to users outside DOD. 

Bruce McConnell, chief of information policy at the Office of Management 
and Budget, said the move would make Fortezza cards more attractive, but 
he cited different reasons. "It does encourage people to use it because 
it moves toward the commercial approach that's being taken," he said. 
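
The key-splitting arrangement the article describes, as an added example that is not from Federal Computer Week or Tek Thots: it compares giving each escrow agent a literal half of the key with a 2-of-2 XOR split, and counts how many keys a single agent still cannot rule out. The XOR construction, the function names and the 16-bit toy key are assumptions made for illustration; the article says only that the key is split between two agencies.

```python
"""Constructed comparison of two ways to split an escrowed key between two agents."""
import secrets
from itertools import product


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_halves(key: bytes) -> tuple[bytes, bytes]:
    """Literal halving: agent A gets the leading bytes, agent B the rest."""
    mid = len(key) // 2
    return key[:mid], key[mid:]


def join_halves(first: bytes, second: bytes) -> bytes:
    return first + second


def split_xor(key: bytes) -> tuple[bytes, bytes]:
    """2-of-2 XOR split: share A is random, share B is key XOR share A."""
    share_a = secrets.token_bytes(len(key))
    return share_a, xor_bytes(key, share_a)


def join_xor(share_a: bytes, share_b: bytes) -> bytes:
    return xor_bytes(share_a, share_b)


def keys_left_for_agent_a(scheme: str, share_a: bytes, key_len: int) -> int:
    """Enumerate every key of key_len bytes and count those agent A cannot
    exclude when it holds share_a and nothing else."""
    if scheme not in ("halves", "xor"):
        raise ValueError("scheme must be 'halves' or 'xor'")
    left = 0
    for raw in product(range(256), repeat=key_len):
        candidate = bytes(raw)
        if scheme == "halves":
            # Agent A already knows the leading bytes of the real key.
            possible = candidate.startswith(share_a)
        else:
            # For any candidate there is a share B (candidate XOR share A)
            # that reconstructs it, so share A alone excludes nothing.
            share_b = xor_bytes(candidate, share_a)
            possible = join_xor(share_a, share_b) == candidate
        left += possible
    return left


def demo() -> dict:
    toy_key = bytes.fromhex("a55a")  # constructed 16-bit key, small enough to enumerate
    half_a, half_b = split_halves(toy_key)
    share_a, share_b = split_xor(toy_key)
    return {
        "halves_recovers": join_halves(half_a, half_b) == toy_key,
        "xor_recovers": join_xor(share_a, share_b) == toy_key,
        "total_keys": 256 ** len(toy_key),
        "halves_keys_left": keys_left_for_agent_a("halves", half_a, len(toy_key)),
        "xor_keys_left": keys_left_for_agent_a("xor", share_a, len(toy_key)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With literal halves, one agent acting alone has already cut the search space to its square root; with the XOR split, neither agent learns anything until both shares are combined.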


*	Remember when I wrote about Solid Oak and their CyberSitter software 
blocking sites they disagreed with politically?  Well, a friend of mine 
wrote them a highly responsible note, stating that she felt they were 
doing their customers a disservice in blocking more than porn and the 
like -- that by blocking NOW, student activists, and basically any site 
which has LINKS to sites they deem inappropriate, they may be going above 
and beyond the call of duty (my perspective).  Check out their evil 
response:

Date: Fri, 7 Feb 1997 11:42:27 -0800
Mime-Version: 1.0
To: sholstad@earthlink.net
From: akwal@earthlink.net (Andrea Kowalski)
Subject: Re: Solid Oak Policy

Can you believe these guys!? How cocky--"the Terminator."
My email was hardly harassing or offensive! So much for
professional decorum or courtesy!


>From: terminator@solidoak.com (The Terminator)
>To: Andrea Kowalski 
>Organization: Solid Oak Software, Inc.
>Subject:  Re: Solid Oak Policy
>Date: Fri, 7 Feb 1997 11:22:35 -0800
>
>
>Dear Sender,
>
>Unfortunately, we do not accept unsolicited e-mail that is intended to be
>harassing, is politically motivated, or in any way offensive to the
>employees at Solid Oak Software.
>
>Therefore, we will appreciate your cooperation in not contacting this
>company again regarding these issues.
>
>What we can tell you is that CYBERsitter has absolutely no "hidden
>political agenda", regardless of what our critics might claim.
>
>The site in question is blocked by CYBERsitter simply because it publishes
>or maintains links to other sites that publish information describing how
>to defeat our software and render it ineffective as a parental control
>product.
>
>When a customer purchases our product, they have every right to expect and
>demand that reasonable efforts be expended on our part to insure that once
>CYBERsitter is installed, its operation be as secure as possible.
>
>Any site that publishes information that lessens the value of our product
>to our customers, or makes an overt effort to subvert parental rights to
>supervise and control the on-line activities of their minor children, will
>be blocked.
>
>Thank-you


The Terminator indeed.  What a jerk!  Seems to me that it's pretty likely 
that every ISP in the world probably has pages somewhere with links to 
sites Solid Oak would not approve of.  If this is the case, they should 
be blocking EVERY ISP in the world.  Indeed, I'm not sure why they're 
even bothering with the Internet at all....


*	Check out Microsoft's response to the Chaos Computer Club's ActiveX 
hack of IE and Quicken (a few weeks ago, they *demonstrated* the illegal 
transfer of funds into fraudulent bank accounts by downloading an ActiveX 
Control designed to transfer access numbers):

>> 
>> From the Office of Brad Silverberg
>> Senior Vice President
>> Microsoft Corporation
>> 1 Microsoft Way
>> Redmond, WA  98052
>> 
>> 
>> Dear Internet Users Everywhere:
>> 
>> You may have heard reports about a malicious
>> software program created and demonstrated recently
>> by the Chaos Computer Club (CCC) in Hamburg,
>> Germany.  I want to personally assure you that
>> Microsoft(R) Internet Explorer 3.0 has the
>> appropriate safeguards to protect against this type
>> of threat.  By using its default security level
>> (High) that comes pre-set, Internet Explorer 3.0
>> will not download and run any "unsigned" control
>> such as the one from the CCC.
>> 
>> The CCC demonstrated its malicious executable code
>> running on Microsoft Internet Explorer 3.0, though
>> they could just as easily have demonstrated a
>> similar attack on any other browser.   While it is
>> unfortunate that hackers have created this harmful
>> program, it does point out the need for users to
>> act cautiously and responsibly on the Internet,
>> just as they do in the physical world.
>> 
>> Malicious code can be written and disguised in many
>> ways - within application macros, Java(tm) applets,
>> ActiveX(tm) controls, Navigator plug-ins, Macintosh(R)
>> applications and more.  For that reason, with
>> Internet Explorer 3.0, Microsoft has initiated
>> efforts to protect users against these threats.
>> Microsoft Authenticode(tm) in Internet Explorer 3.0 is
>> the only commercial technology in use today that
>> identifies who published executable code you might
>> download from the Internet, and verifies that it
>> hasn't been altered since publication.
>> 
>> If users choose to change the default security
>> level from High to Medium, they still have the
>> opportunity to protect themselves from unsigned
>> code.  At a Medium setting, prior to downloading
>> and running executable software on your computer,
>> Microsoft Internet Explorer presents you with a
>> dialog either displaying the publisher's
>> certificate, or informing you that an "unsigned
>> control" can be run on your machine.  At that
>> point, in either case, you are in control and can
>> decide how to proceed.
>> 
>> As you know, Microsoft is committed to giving users
>> a rich computing experience while providing
>> appropriate safeguards.  Most useful and productive
>> applications need a wide range of system services,
>> and would be seriously limited in functionality
>> without access to these services.  This means that
>> many Java applications will have to go "outside the
>> sandbox" to provide users with rich functionality.
>> By signing code, a developer can take advantage of
>> these rich services while giving users the
>> authentication and integrity safeguards they need.
>> Other firms such as Sun and Netscape are following
>> our lead, and have announced that they will also
>> provide code signing for Java applets. Microsoft
>> will also be providing an enhanced Java security
>> model in the future, giving users and developers
>> flexible levels of functionality and security.
>> 
>> Microsoft takes the threat of malicious code very
>> seriously.  It is a problem that affects everyone
>> in our industry.  This issue is not tied to any
>> specific vendor or group of people.  All of us that
>> use computers for work, education, or just plain
>> fun need to be aware of potential risks and use the
>> precautions that can insure we all get the most out
>> of our computers. For this reason, we are committed
>> to providing great safeguards against these types
>> of threats in Internet Explorer.  We expect hackers
>> and virus writers to get increasingly sophisticated
>> but we pledge we'll continue to keep you and us
>> one step ahead of them.
>> 
>> Best regards,
>> 
>> Brad Silverberg
>> 



=============================================================

SUBSCRIPTION INFO

To Subscribe:  Send email to sch@well.com.  In the subject line, write 
"subscribe tek thots."  In the message area, write your email address.

To Unsubscribe:  Send email to sch@well.com.  In the subject line, 
write "unsubscribe tek thots."  In the message area, write your email 
address.


At this point and until further notice, the email list will be handled 
manually.

=============================================================

Online versions of this electronic newsletter will be archived at: 
http://www.well.com/user/sch/tekthots.html.


Copyright (C) 1997  Scott C. Holstad
ASCII Tek Thots logo courtesy Teri Osato


