From: Nathaniel Borenstein <nsb@nsb.fv.com>
Date: Tue, 12 Dec 1995 06:48:59 +0800
To: Bill Stewart <stewarts@ix.netcom.com>
Subject: Re: More FUD from First Virtual
In-Reply-To: <199512110750.XAA11161@ix2.ix.netcom.com>
Message-ID: <0kn1Q6CMc50e02irtU@nsb.fv.com>
MIME-Version: 1.0
Content-Type: text/plain


Excerpts from mail.limbo: 10-Dec-95 Re: More FUD from First Vir.. Bill
Stewart@ix.netcom.c (1289*)

> At 08:51 AM 12/10/95 -0500, Nathaniel Borenstein <nsb@fv.com> (Tense Hot
> Alien In Barn) wrote:

> >In any event, I could write a virus that sits in
> >front of the e-cash program and steals your keys when next you run the
> >e-cash program.  Software's just too easy to fool.  That's why I regard
> >the risk of catastrophe as being fairly large in software-based e-cash
> >schemes.

> How is this different for an ecash program vs. a First Virtual email
> acknowledgement program, where either a (really hairy) virus, or, 
> more practically, an active email interloper could fake FV acks?  

It's fundamentally different because FV (unlike all the other systems,
to my knowledge) is a "closed loop" financial instrument.  By this I
mean that it doesn't depend on a one-way passage of some kind of
credentials to consummate a transaction.  It would be almost equally
easy to write a keyboard virus that intercepted your FV-ID as it would
be to write one that intercepted your e-cash keys, but then there would
be a pretty significant additional layer for the seamless interception
and response to the confirmation email.  (Note the "seamless" here.  If
you do it in such a way that it interferes with the user's normal mail,
it will be caught pretty quickly.)  Also, the "almost equally easy"
refers to the fact that FV-ID's are free-form text, a very deliberate
design decision that makes them far harder to sniff, even at the
keyboard level,  than credit card numbers (which are self-identifying),
although a good e-cash system will share this quality for its pass
phrases.

> While hardware may be the best encryption solution for the average user
> (as you say, and I think I agree with you), it needs to have some password
> interface such as a small keypad on the front of the smartcard, to prevent
> its usability after theft.

Right, absolutely.  But in this case, a virus still can't fake what's on
the hardware.

> Of course, there are problems with digicash as well; my Digicash play-money
> account thinks it's empty (in spite of having half a dozen coin-looking files),
> and doesn't recognize any of the half-dozen passwords I've guessed I might have
> used with it, so I'm not able to use Sameer's digicash-powered remailer.

And you're a *sophisticated* user, right Bill?  This just underscores
some other comments I've made in the past about Joe Sixpack.  I think
there will be serious usability problems.  -- Nathaniel
--------
Nathaniel Borenstein <nsb@fv.com>       | (Tense Hot Alien In Barn)
Chief Scientist, First Virtual Holdings | VIRTUAL YELLOW RIBBON:
FAQ & PGP key: nsb+faq@nsb.fv.com       | http://www.netresponse.com/zldf