From: "Sameer R. Manek" <seawolf@challenger.atc.fhda.edu>
Date: Thu, 17 Aug 95 23:46:33 PDT
To: John Pettitt <jpp@software.net>
Subject: Re: SSL challenge -- broken !
In-Reply-To: <Pine.3.89.9508171031.E16021-0100000@www2.software.net>
Message-ID: <Pine.SGI.3.90.950817233856.10351A-100000@challenger.atc.fhda.edu>
MIME-Version: 1.0
Content-Type: text/plain



On Thu, 17 Aug 1995, John Pettitt wrote:
> On Wed, 16 Aug 1995, Damien Doligez wrote:
> > SSL challenge -- broken
> >               It fails on the second count.  Don't trust your credit
> >   card number to this protocol.
> 
> Huh?  So you run on 120 workstations worth how much?  to steal a credit
> card number worth how much?  Get real - there are hundreds of ways
> to get credit card numbers that cost less.  The idea is to make
> breaking SSL less attractive than dumpster diving not to make it
> impossible.   I'll lay odds that I could get the credit card number
> of *any* individual in the US in less elapsed time and with nothing
> more than a $1000 windoze machinei, a telephone and a modem.
> 
I think the point here is that its not safe to send credit cards
over the net and just like in rl, you got protect yourself by keeping
a close eye on your credit card transactions. And to prove to
our governments that RSA40 isn't a 'good enough' any more.

On the other hand getting access to 120 workstations should'nt be to
difficult for any system admin. Take my school for example, I could
run the program on some 100 odd SGI Indy workstations, 2 SGI challenge S's
and a challenger DM (2cpus) along with 2 DEC Alphas

As long as I set it to a have high nice value, nobody would notice, or even
mind. 

________________________________________________________________________
Sameer Manek                Seawolf@challenger.atc.fhda.edu         
________________________________________________________________________