From: simsong@vineyard.net (Simson L. Garfinkel)
Date: Mon, 5 Feb 1996 10:56:33 +0800
To: nit@chron.com
Subject: Re: FV's blatant double standards
Message-ID: <v02130506ad3a7327a3d1@[204.17.195.43]>
MIME-Version: 1.0
Content-Type: text/plain


At 8:18 AM 1/31/96, Rishab Aiyer Ghosh wrote:
>FV demonstrated, through it's "card sharp" or whatever, that
>real-time transactions are vulnerable to sniffers on the recipient's
>own machine. Of course. We all knew that. But the mistake is to
>assume that FV isn't _equally_ vulnerable to that threat. If you
>can write a trojan that will somehow get privileged access to my
>machine, trap my keystrokes, and identify my credit card number,
>you can certainly write one that will, sitting on my machine:
>    "intercept the user's electronic mail, read the confirmation
>    message from First Virtual's computers, and send out a fraudulent
>    reply"
>(to quote from Simson's article). Simson further quotes FV's Lee
>Stein: "A single user can be targeted, Stein said, but ''it is very
>difficult. . . . There are too many packets moving . . . to too many
>different machines.''" - which is of course equally true for real-time
>Netscape transactions.

Oh, I think that such a program can be written. However, it would be much
harder to get right, considering all of the different ways that people read
e-mail.


=============
Simson's Schedule:

Feb 2 - Feb 5 - Cambridge: Conference on Freely Redistributable Software
Feb 7 - Feb 13 - Baltimore: American Association for the Advancement of
Science.
Feb. 28 - March 1 - Seybold, Boston.
March 23 - NYC. MacFair.
March 27 - March 30: Cambridge. Computers, Freedom and Privacy.