1996-01-30 - Re: FV’s Borenstein discovers keystroke capture programs! (pictures at 11!)

Header Data

From: roy@sendai.cybrspc.mn.org (Roy M. Silvernail)
To: nsb@nsb.fv.com (Nathaniel Borenstein)
Message Hash: 3c46f03c0147f06749ab71af137993ada7de05b7a2baaea1354bcff40d1726c6
Message ID: <960130.064105.1H2.rnr.w165w@sendai.cybrspc.mn.org>
Reply To: <Ul3HuJ2Mc50e4WYAA4@nsb.fv.com>
UTC Datetime: 1996-01-30 14:47:48 UTC
Raw Date: Tue, 30 Jan 1996 22:47:48 +0800

Raw message

From: roy@sendai.cybrspc.mn.org (Roy M. Silvernail)
Date: Tue, 30 Jan 1996 22:47:48 +0800
To: nsb@nsb.fv.com (Nathaniel Borenstein)
Subject: Re: FV's Borenstein discovers keystroke capture programs! (pictures at 11!)
In-Reply-To: <Ul3HuJ2Mc50e4WYAA4@nsb.fv.com>
Message-ID: <960130.064105.1H2.rnr.w165w@sendai.cybrspc.mn.org>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

In list.cypherpunks, nsb@nsb.fv.com writes:

> Well, the mis-conceptions are flying fast and furious.

And not just from the rest of us.  Your model is a malicious program
that is installed on a user's machine (through whatever method, be it
viral, trojan horse, black bag job, whatever).  Fine, let's explore it a
bit.

> There are several schemes for Internet commerce
> that are unaffected:
>
>         -- First Virtual (of course)

If all my malicious program does is sniff keystrokes, FV accounts are
less vulnerable.  So I'll make my malicious program not only sniff
keystrokes, but I'll hook your Winsock stack and intercept the POP3
queries.  That way, I can catch the FV verification messages and confirm
them.  You'll never see anything happen.

>         -- Hardware encryption (e.g. consumer card-swipe machines)

So I'll get my malicious program to look for blocks of seemingly random
data from the keyboard (where many swipe systems wedge in) or the com
ports not used by mouse and modem.  (on a PC platform, that's not likely
since heroic measures are needed to run more than 2 com ports)  Unless
seeded by the transaction, these blocks should be vulnerable to a replay
attack.

>         -- Smart cards

Smart cards may not be vulnerable to replay attacks, so you may be
correct here.

>         -- Digital cash (unless the tokens are made too easy to recognize)

Or the site initiating the transaction is recognizable, prompting the
malicious program to take notice.  And since I've hooked all your net
services, I can steal your coins easily... the transactions you send
will never reach their destination.

The "fatal flaw" here is that you haven't extended your threat model to
its logical conclusion.  If you assume a malicious program with access
to the keyboard at the hardware level, that program could also access
and manipulate the TCP/IP stack, as well as data flowing to/from
networked applications of all sorts.

> We say this VERY EXPLICITLY in our web pages. We are NOT saying we have
> the only safe approach.  We have one of four safe approaches that we
> know of.

I only see one approach that's safe from local eavesdropping, and FV
isn't it.
- -- 
           Roy M. Silvernail     [ ]      roy@cybrspc.mn.org
PGP Public Key fingerprint =  31 86 EC B9 DB 76 A7 54  13 0B 6A 6B CC 09 18 B6
                Key available from pubkey@cybrspc.mn.org

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMQ4Vihvikii9febJAQH6QgP/UaIlgQEmRgfS27DoOtr30BpTtR3H24bL
6fQRV1c99S7hPCAo3LPK28JH5HLC5WgoLZZBnNfu9eE4YcaSdOgC2Ok4Un3uSI2i
ZFOGP+OPN7BQRE/7iLF9nLT9NmktGiZ0mFffCzqIKGWP/PH87/YJtJzJwlqdTNp4
BCJsnFlX04w=
=osLe
-----END PGP SIGNATURE-----





Thread