1996-02-01 - Re: C’mon, How Hard is it to Write a Virus or Trojan Horse? (was Re: Apology and clarification)
Header Data
From: Jamie Zawinski <jwz@netscape.com>
To: cypherpunks@toad.com
Message Hash: 6f083e2dae78b03dbd39b2b2a3d3629e2b1947c0a4b299b9612c86c344000d36
Message ID: <31109E96.4276446A@netscape.com>
Reply To: <310E0EBE.30FD3BCC@netscape.com>
UTC Datetime: 1996-02-01 11:38:09 UTC
Raw Date: Thu, 1 Feb 1996 19:38:09 +0800
Raw message
From: Jamie Zawinski <jwz@netscape.com>
Date: Thu, 1 Feb 1996 19:38:09 +0800
To: cypherpunks@toad.com
Subject: Re: C'mon, How Hard is it to Write a Virus or Trojan Horse? (was Re: Apology and clarification)
In-Reply-To: <310E0EBE.30FD3BCC@netscape.com>
Message-ID: <31109E96.4276446A@netscape.com>
MIME-Version: 1.0
Content-Type: text/plain
Jeff Weinstein wrote:
>
> I think that you are misinterpreting the intent of Jamie's posting,
> but I will let him defend himself.
Well I'm not particularly interested in arguing about this further
(and I suspect this is true of most people reading this too :-))
but my point was: Nathaniel and crew have implemented the easy part
(a tiny fraction) of a program which would successfully capture some
large number of credit card numbers. Nathaniel thinks that what I'm
characterizing as a tiny fraction of the work (the keyboard sniffer and
pattern recogniser) is *most* of the work, and "demonstrates" the
attack. I said that they have demonstrated nothing without some proof
that combining this with an infection vector would yield the desired
result, because I don't think that infecting some vast number of
credit-card-using computers is any small task; whereas, Nathaniel says
(or at least strongly implies) that it's trivial (or so close to trivial
that it can be taken as a given.)
Nathaniel said:
> As I see it, we have implemented every part of the attack that we can
> implement without doing anything that is either unethical or illegal.
It's far from clear that you need to do something unethical or illegal
to prove that coupling it with an infection vector would be effective.
For example, you would no doubt agree that evesdropping on some
unsuspecting user's transaction on an exportably-crippled SSL connection
would be immoral. But it wasn't necessary to do anything immoral to
demonstrate conclusively that such an attack was possible. It just
required a little creativity, and a lack of handwaving.
> Is it your position that no systematic flaw in your security is real
> until someone has actually broken it?
Of course not. You don't have to actually break it to show that it's
possible.
Of course, you *do* have to show the likelyhood of success and effort
required to pull it off as well before it's interesting at all, whether
it's theoretically possible or not.
== Jamie
Thread
- Return to January 1996
Return to February 1996
- Return to “Jamie Zawinski <jwz@netscape.com>”
- Return to “Jeff Weinstein <jsw@netscape.com>”
Return to “Nathaniel Borenstein <nsb@nsb.fv.com>”
- 1996-01-31 (Wed, 31 Jan 1996 23:50:43 +0800) - Apology and clarification - Nathaniel Borenstein <nsb@nsb.fv.com>
- 1996-01-30 (Wed, 31 Jan 1996 04:12:16 +0800) - Re: Apology and clarification - Jamie Zawinski <jwz@netscape.com>
- 1996-02-01 (Thu, 1 Feb 1996 19:38:09 +0800) - Re: C’mon, How Hard is it to Write a Virus or Trojan Horse? (was Re: Apology and clarification) - Jamie Zawinski <jwz@netscape.com>
- 1996-02-01 (Thu, 1 Feb 1996 22:36:17 +0800) - Re: C’mon, How Hard is it to Write a Virus or Trojan Horse? (was Re: Apology and clarification) - Jeff Weinstein <jsw@netscape.com>
- 1996-02-03 (Sun, 4 Feb 1996 05:11:38 +0800) - Re: C’mon, How Hard is it to Write a Virus or Trojan Horse? (was Re: Apology and clarification) - Nathaniel Borenstein <nsb@nsb.fv.com>
- 1996-02-02 (Fri, 2 Feb 1996 12:45:36 +0800) - C’mon, How Hard is it to Write a Virus or Trojan Horse? (was Re: Apology and clarification) - Nathaniel Borenstein <nsb@nsb.fv.com>
- 1996-01-30 (Wed, 31 Jan 1996 04:12:16 +0800) - Re: Apology and clarification - Jamie Zawinski <jwz@netscape.com>