Indeed. Anybody paying for exploits or vulnerabilities is also paying for exclusivity. Even the vendor bug bounty programs, which constitute the moral high ground in disclosing security problems, don't pay out unless you keep it quiet until they issue a patch.
Apple never really considered the Razr to be a competitor of iPhone, though. It's an entire product category that is (mostly) supplanting an older category. We're long past the point where any smartphone vendor spends any resources trying to convince people that smartphones are preferable to feature phones.
You might still call that competition, but it's not what I meant.
Much less so at that time. iPhone came out with a much better browser than BlackBerry, but in 2007 websites still often displayed poorly on all mobile devices. Sites started optimizing better for small screens after that point, and only then did it start to matter that BB had a browser written in Java that performed extremely poorly if you navigated to any site that used JavaScript.
And touchscreens are only really compelling for two use cases: games and browsing. There weren't many games on phones back then either. It made for a cooler UI but the keyboard was still more practical for most of what people did on smartphones in 2007 (i.e. texting, IM, email).
Look at RIM's revenue numbers from 2006 to 2010 if you don't believe that they were successful in the consumer market during that time period. By the end of 2006 they pretty much had dominated the entire enterprise market. Growth after that was almost entirely on the consumer side.
Windows Mobile should have been RIM's wake-up call: UX was pretty dismal; but it was a more or less architecturally successful implementation of the 'well, just build the computer smaller!' school of mobile design. Once Apple came along and dealt with the UX problem... Game over man, game over.
I've wondered about this part a little bit. Windows Mobile was a disaster in the market, and Microsoft stopped seriously investing in mobile phones until after the iPhone took off and they suddenly realized a huge missed opportunity. But if you go back 7-8 years ago, when there were lots of Palm and generic hardware phones running Windows Mobile, Microsoft boosters claimed that they would beat BlackBerry "because of the third party applications", which actually seemed somewhat plausible at the time. People were writing more Windows Mobile apps because they knew the Win32 API.
But it didn't pan out that way. RIM under-invested in building a 3rd party developer community -- which did exist, in spite of major frustrations with the platform -- for years. It didn't matter, and by the end of 2006 RIM was essentially the only player in the game. When the iPhone was released in 2007 it didn't even allow 3rd party applications. I speculate that RIM's historical success despite a weak app ecosystem caused them to downplay its significance, meaning when Android and iPhone put out good developer tools with rich, familiar APIs, with a large consumer market hungry for apps, RIM was flat-footed and struggled much too late to catch up.
The ability to run 3rd party native code was a huge sticking point between RIM and major game developers. BlackBerry wasn't architected for that, and the game companies insisted they needed it for performance fine tuning. RIM was working on building that capability, but shelved the effort when it became clear that they were moving to QNX in 2010 (because who would invest in creating titles for a proprietary operating system that was close to end of life?).
Unfortunately, QNX-based BlackBerry models are not yet to market, and history marches on...
This is pretty far off base. RIM was working hard to try to create a consumer smartphone market starting from around 2004. Their first attempt at a 'candy bar' form factor smartphone was crap (7100 series), but the Pearl (8100 series) released in mid-2006 was quite solid for the day and a good design for trying to wean people off of traditional 'feature' phones, which were cheaper but much less capable. The consumer market didn't really take off until the first iPhone was released in June 2007, and RIM's consumer offerings did crazy well at that point (mostly the Pearl and the Curve, which were much cheaper than the iPhone and were perfectly fine if you didn't care about the web browser or the touch screen). By 2010 more than 80% of RIM's sales were to end consumers rather than businesses.
RIM's real problem was that they were building on top of a proprietary operating system, originally designed to run nothing other than a JVM. This made it really hard to build it into a compelling platform for apps and games which have become vital for the smartphone category in the last 2-3 years. This is why they did a complete overhaul by deciding to switch to QNX, but apparently much too late and with poor execution.
So the ability to play games, browse a better web, and do non-business things too really made alternatives more attractive.
Several years ago I first heard the argument that BlackBerry was getting its brand poisoned a bit because IT administrators were disabling most of the features that shipped on the phones (for security reasons, or whatever). So a large percentage of users didn't even know you could load third party apps or browse the web on it (though the web browser sucked until BB 6 shipped in 2010), and so the phones seemed much less compelling to get for personal use. Of course that's not the whole story of BlackBerry's decline, but it's an interesting point nonetheless.
Amen. That Blackberry is automatically competing against everyone's personal cellphone. At a job I had several years ago, they provided their tech staff with Blackberries, but I refused to use/carry it. Why? I already had a cell phone, which I still needed to carry since the rest of the world uses it to call me, and it was smaller (the Blackberry had a permanent keyboard making it too big to fit in the pocket), and did more. So I changed my contact info to my personal cell phone.
When a product is sufficiently uncompelling that you don't want to use it even when they give it to you free, that product has a long term problem.
That's a silly argument. Smartphones haven't really been competing against traditional cell phones since around 2005. Your argument (viz. people just need to talk on their phones, and smaller is better) could equally be applied to the entire smartphone category, which most certainly does not have "a long term problem".
In reality, RIM's business was soaring until about 2 years ago. That's when the real problem started to catch up with them: a vastly inferior 3rd party app ecosystem.
"It's just a way to make the federal government feel justified in paying CISSPs $1000 an hour for pen testing."
Even if it's not credible, it doesn't mean it's okay to leave networks unsecured. Having consultants do security analysis is probably a good idea (although I don't personally know to what extent the federal government deliberately gets ripped off by those consultants, as you contend).
The threat of cyberterrorism has more to do with whether we should spend money analyzing threats to electronic infrastructure, and planning responses to potential attacks on it. Not the sort of thing you hire pen-testers for.
"Aren't all patents for 'obvious' ideas once one reads them?"
You have to keep in mind what patents are for. They are intended to promote investment in innovation and technology. The problem is that if you invest time and money into inventing something new, you may actually put yourself at a competitive disadvantage once you finish. Your competitors can now make the same product and sell it at a lower price, since they did not make such an investment. Patents are intended to solve this problem by guaranteeing a monopoly on the product for a limited time, so you can make a reasonable return on your investment.
Now the reason the patent system is broken is the huge number of patents covering ideas that did not require investment to come up with. How much time and money did Amazon.com put into 'inventing' one-click shopping? If they hadn't 'invented' it, would one-click shopping not exist?
How much did Thomas Campana invest in 'inventing' push e-mail over a wireless network? Would our world be worse off had he not 'invented' it? Would push e-mail not exist without someone having spent money to come up with it?
It becomes quite literally an extortion game, where some guy predicts obvious future developments in a given field, patents key concepts before the companies in that field do, and then demands royalties when the companies want to roll out products. This is what is happening with NTP and RIM.
It's pretty sad that they're actually wasting brain cycles thinking about threats like this. No, the risk of infection isn't zero. But it's damn close to zero. It isn't zero if you 'secure' SETI systems, either. It isn't even zero if you dismantle the SETI telescopes.
But money spent on this is money better spent elsewhere, practically no matter where else you spend it. This should have been in the 'It's Funny, Laugh' topic.
(Prediction: this will appear on Schneier's blog by end of day tomorrow)
Windows lanman hashes are notoriously weak, tools like rainbowcrack take advantage of that fact to crack the passwords in ridiculously short periods of time (IIRC, weak passwords fall in seconds). Among other issues, the 14 characters are split into two 7-character strings, which are hashed separately. This means finding a long password is equivalent to finding two short passwords: additive complexity rather than multiplicative complexity.
But brute forcing passwords and brute forcing random encryption keys are two totally different balls of wax. When you break passwords, you rely on the fact that there are a limited number of passwords users will use. If you consider how many 8 character passwords you can construct using upper case letters, lower case letters, and numbers, you'll see there are only around 2^48. If you only use English words then the number is far, far lower (less than 2^20). Those are crackable.
If, on the other hand, you use a random 256-bit AES key that is not derived from a password (meaning you have to store it somewhere securely), nobody is going to be able to brute force it.
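To put numbers on the comments above (the LM hash split into two independently hashed 7-character halves, and the 2^48 / 2^20 / 2^256 comparison), here is an added Python example that is not part of the original thread. It reproduces only the LM preprocessing the comment describes (uppercasing, padding or truncating to 14 bytes, splitting into two 7-byte halves; the DES step applied to each half is left out) and computes worst-case search sizes. The 69-symbol LM alphabet, the 62-symbol alphanumeric alphabet and the 10^12 guesses-per-second rate are assumptions chosen for illustration, not figures from the thread.

```python
import math


def lm_preprocess(password: str) -> tuple[bytes, bytes]:
    """The LM preprocessing the comment describes: uppercase, truncate or
    NUL-pad to 14 bytes, split into two 7-byte halves that are then hashed
    independently. (The per-half DES step is deliberately not reproduced.)"""
    raw = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]


def work_bits(alphabet_size: int, length: int) -> float:
    """log2 of the candidate count when all `length` positions must be
    guessed together: multiplicative complexity."""
    return length * math.log2(alphabet_size)


def split_work_bits(alphabet_size: int, length: int, half: int) -> float:
    """log2 of the candidate count when the secret is split into pieces of
    `half` symbols that can be attacked independently: the pieces' search
    spaces are summed, not multiplied (additive complexity)."""
    pieces = math.ceil(length / half)
    return math.log2(pieces * alphabet_size ** half)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to enumerate 2**bits candidates at the given rate."""
    seconds = 2.0 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e12  # assumed guess rate, for illustration only
    print(lm_preprocess("Passw0rd"))   # second half is one byte plus NUL padding
    print(f"14 symbols of 69, whole:    {work_bits(69, 14):.1f} bits")
    print(f"14 symbols of 69, LM split: {split_work_bits(69, 14, 7):.1f} bits")
    print(f"8 alphanumeric symbols:     {work_bits(62, 8):.1f} bits")  # ~2^48
    print(f"256-bit random key at {rate:.0e}/s: {years_to_exhaust(256, rate):.2e} years")
```

The split figure is roughly one bit more than a single 7-character half, which is the "two short passwords" equivalence in plain numbers; a password of 7 characters or fewer leaves the second half entirely padding, so it carries no secret at all.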
Usually, Triple DES uses only two keys. In series: you encrypt with Key 1, decrypt with Key 2, then encrypt with Key 1 again. The key length then is 112 bits. This is because adding a third key doesn't gain that much security; three key Triple DES has 168-bit actual key length but still only 112-bit effective key length, due to the meet-in-the-middle attack.
That should be the tip-off for the uninitiated, in any case. Triple DES has an effective key length of 112 bits. I'm sure they meant 256-bit AES, but it's a good clue that the author has no idea what he's talking about.
Seriously, nobody, including name-your-favourite-government-agency, is brute forcing a 256-bit AES key. Not in 90 days. Not in 90 years. Think about the number 2^256 for a second, and consider the computing power required to do that many operations.
What may be possible in 90 days is brute forcing passwords, which is practical if the perp uses password-based keys. The article doesn't mention that.
It's also possible that the authorities are just exaggerating their capabilities so as to deter pedophiles and what-not. If you can't read people's mail, it's sometimes effective to pretend to be reading people's mail.
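The meet-in-the-middle point in the Triple DES comment above, as an added example that is not part of the thread: a toy 16-bit block cipher with 12-bit keys (constructed here for the demonstration; it is not DES and has no security value) is applied twice under independent keys, so the nominal key length is 24 bits, yet the attack below recovers both keys with about 2 * 2^12 cipher evaluations and a 2^12-entry table instead of 2^24. The same bookkeeping is why two-key and three-key Triple DES are both credited with 112 effective bits rather than 168. The cipher constants, the key size, the secret keys and the sample plaintexts are all assumptions.

```python
MASK = 0xFFFF                    # 16-bit block
MUL = 0x4F1D                     # odd, hence invertible mod 2**16
MUL_INV = pow(MUL, -1, 1 << 16)
ADD = 0x9E37
KEY_BITS = 12                    # toy key size; double encryption => 24 nominal bits
ROUNDS = 3


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (16 - n))) & MASK


def _rotr(x: int, n: int) -> int:
    return ((x >> n) | (x << (16 - n))) & MASK


def _subkey(k: int, r: int) -> int:
    # Simple round-key schedule; its mixing quality is irrelevant to the attack.
    return (k * (2 * r + 1) + r * 0x1357) & MASK


def encrypt(k: int, x: int) -> int:
    """Toy block cipher: xor subkey, affine map, rotate; three rounds."""
    for r in range(ROUNDS):
        x ^= _subkey(k, r)
        x = (x * MUL + ADD) & MASK
        x = _rotl(x, 7)
    return x


def decrypt(k: int, x: int) -> int:
    """Exact inverse of encrypt()."""
    for r in reversed(range(ROUNDS)):
        x = _rotr(x, 7)
        x = ((x - ADD) * MUL_INV) & MASK
        x ^= _subkey(k, r)
    return x


def double_encrypt(k1: int, k2: int, x: int) -> int:
    """Two independent keys; naive brute force would cost 2**(2*KEY_BITS)."""
    return encrypt(k2, encrypt(k1, x))


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known plaintext/ciphertext pairs.

    Forward half: tabulate encrypt(k1, p0) for every k1 (2**KEY_BITS work).
    Backward half: decrypt(k2, c0) for every k2, look the value up, and
    confirm each candidate on the remaining pairs. Returns (k1, k2, evaluations).
    """
    p0, c0 = pairs[0]
    forward = {}
    for k1 in range(1 << KEY_BITS):
        forward.setdefault(encrypt(k1, p0), []).append(k1)
    evaluations = 1 << KEY_BITS
    for k2 in range(1 << KEY_BITS):
        evaluations += 1
        for k1 in forward.get(decrypt(k2, c0), ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                return k1, k2, evaluations
    return None


def recover_demo():
    """Constructed secret keys and known plaintexts; returns (k1, k2, evaluations)."""
    true_k1, true_k2 = 0x3A5, 0xC17
    plaintexts = [0x1234, 0xBEEF, 0x0042]
    pairs = [(p, double_encrypt(true_k1, true_k2, p)) for p in plaintexts]
    return meet_in_the_middle(pairs)


if __name__ == "__main__":
    k1, k2, work = recover_demo()
    print(f"recovered k1=0x{k1:03x} k2=0x{k2:03x} after {work} evaluations "
          f"(exhaustive search: {1 << (2 * KEY_BITS)})")
```

Three known pairs are used because the 16-bit block is small: the first pair drives the table lookup and the other two weed out the few hundred accidental matches. With real 64-bit blocks one or two pairs suffice, and the cost is dominated by the 2^56 table, which is the memory-versus-time trade-off behind the "effective 112 bits" figure.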
Wouldn't it be trivial to modify existing worms or viruses to take advantage of the exact same concept, hiding themselves from virus scanners?
Sort of. Good ones already employ techniques to try to hide themselves. The difficult part is getting into the kernel, as the Sony DRM software does when you install it.
Virus writers might at this point decide to start using file and process names that start with $sys$, in which case anybody who has installed the Sony DRM app (in particular, WoW cheaters) will be especially vulnerable. I doubt that's a large enough population for the technique to be considered useful, though.
Mostly this is useful for hiding things from prying eyes on your own machine. It is remarkably effective. To prevent malicious apps from taking advantage of it, you might hack the Sony DRM software so it uses, say, $-q8f790vpae-$ as the 'hiding' tag instead of $sys$.
Just watch what you're doing, because as Mark Russinovich points out in the original article, it's not hard to nuke your box by accident in messing with the Sony/First4Internet drivers.
Re:"security applications and systems" only?? (on Security and Usability, Score: 4, Informative)
Good point. Designing security into general applications that does not interfere with the user experience is a far more interesting problem than designing usable security systems.
The adage that security is the opposite of usability is false, of course. The problem is that people aren't very good at making intelligent design decisions when faced with both sets of requirements.
There is a great paper on this subject by Ka-Ping Yee here (PDF link).
The company writing the code should be responsible for organizing such things.
You got it right. Producing good code is a complicated process, not something one person can do. You need controls. You need reviews. You need methodical testing.
Why blame the developer who wrote the buggy code, and not the tester who missed the bug? What about the designer who produces a complicated bug-prone design?
Good software is a collaborative effort. You need a lot of people who know what they're doing working within a good process. Singling one person out in the system is misguided.
Which was then and is now grossly misunderstood. The Church, at no point, ever condemned heliocentrism.
While you may be right in that it never took an official position, it spent a great deal of time suppressing it in the 17th century, and heliocentrism was the subject of Galileo's heresy trial. The Church promoted the Tychonian system as an alternative to heliocentrism when geocentrism became untenable, with the Jesuits in particular supporting it heavily.
Well, what the Archbishop was trying to say is that many people took JPII's statement on evolution as saying more than it did. That somehow he was allowing 'random' evolution, not evolution as planned before time began by God to provide what we have now.
That is true. JPII's comments have been misinterpreted.
Actually the Catholic Church has generally stayed away from confrontations with scientific theory ever since getting egg on its face around the Galileo fiasco and heliocentrism.
A nineteenth century pope (Leo the somethingth, I think) went so far as to lay out sensible boundaries for religion and science, essentially asserting that science has no business telling people what to believe about God, and the Church has no business entering into debates over empirical study.
Accordingly, the Church has never actually opposed most of Darwinism, and has tacitly accepted it, with the critical caveats that Catholics cannot believe in the process being 'random', as whatever happened has to be part of God's plan. (Also, Catholics have to believe that humans exclusively have souls.)
This position won't change any time soon, notwithstanding the odd vocal Archbishop.
"I'm going to have to disagree with you on this one. "Most"? 90% of the Christians I personally know tell me that the Bible is the literal word of God, and evolution is one of Satan's attempts to derail good Christians and keep them from the kingdom of Heaven... I know a lot of Christians."
Those you know are probably not a good statistical sample. I will counter anecdotally that I also know a lot of Christians, and I don't think I personally know anyone who believes in literal interpretation.
But then, I'm Catholic. And Catholic doctrine does not oppose evolution -- our position is essentially that as long as you believe God is behind it all, you can believe anything you want about the origin of life. Even Pope JP2 is famously quoted as saying "we have to accept that evolution is more than just a theory."
Correct me if I'm wrong, but I think Catholics represent most Christians, on a global scale.
In any case, no matter what Liz Frulla is saying to appease the lobby groups, if the legislation sticks to the proposed plan there should be no problem.
And what the article summary appears to have missed is that one of the things in the plan is to close the loophole that probably makes unauthorized downloading of copyrighted music legal in Canada.
This should go hand-in-hand with repealing the blank media levy, since it is supposed to be linked to the legalization of 'private copying', but no word on that yet.
Not that I'd expect it, though, the government has never met a tax dollar it didn't like.
On his homepage, the author claims RFC 4042 was implemented on a TOPS-20, which IIRC is something like 30 years old. The guy appears to be into machines with 36-bit words. I can respect that. He probably wrote the RFC because he actually wanted a 9-bit encoding, and then gave it to the IETF so everyone could scratch their heads at his strange hobby.
I myself am a bit wary of investing in a company whose business plan consists of collecting lots of cash and taking off to Mars with it.
I'm waiting for creditcards.google.com.
You type in somebody's name and it returns a complete list of their credit card numbers with expiry dates.
Or alternatively, you type in a large number, and click I'm Feeling Lucky, and it returns you a card with that number as the limit.
They might need an I'm Feeling VERY Lucky button for credit cards with 6 figure limits.
Yes. From the article:
One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"