1996-01-31 - I gave FV the idea for the keyboard sniffer

Header Data

From: Bryce <wilcoxb@nag.cs.colorado.edu>
To: Nathaniel Borenstein <nsb@nsb.fv.com>
Message Hash: 4c116519584a856544c7a5a8149b8e62c34be706033efd14721aa72cbd4a5ac1
Message ID: <199601310135.SAA28397@nag.cs.colorado.edu>
Reply To: <Ql3UHiOMc50e5Ir1sa@nsb.fv.com>
UTC Datetime: 1996-01-31 04:09:44 UTC
Raw Date: Wed, 31 Jan 1996 12:09:44 +0800

Raw message

From: Bryce <wilcoxb@nag.cs.colorado.edu>
Date: Wed, 31 Jan 1996 12:09:44 +0800
To: Nathaniel Borenstein <nsb@nsb.fv.com>
Subject: I gave FV the idea for the keyboard sniffer
In-Reply-To: <Ql3UHiOMc50e5Ir1sa@nsb.fv.com>
Message-ID: <199601310135.SAA28397@nag.cs.colorado.edu>
MIME-Version: 1.0
Content-Type: text/plain


 An entity claiming to be Nathaniel Borenstein <nsb@nsb.fv.com> 
 is alleged to have written:
> I have not yet heard anything that makes me think that my 
> claim is untrue.  We have revealed the first known strategy 
> for an Internet-based large-scale automated attack on the 
> credit card system.  I think that's a real threat.

I know that you are being swamped by hate mail from cypherpunks,
so I'll try to keep my comments brief.  First, I commend you for
forging ahead with research and business as you see fit, despite
the regular barrages of venomous condemnation that you are 
subjected to.  "I think that's a real threat", too.  I believe 
that you have valuable insights into Internet commerce security 
which the typical cypherpunk lacks, and I'm glad that you are 
"getting the word out" both to the cpunks and to larger 

(Having said that, and having decided to Cc: this message to
cpunks and e$, I shall elaborate:)

The ideas that you espouse that the typical cpunk lacks fall
into two broad categories which have something in common.
First, the overwhelming importance of user interface and dealing
with technically clueless users.  Second, the importance of
evaluating risks from a cost/benefit perspective, and trusting
in a system once it is "secure enough".  

What these ideas have in common is simply that they are 
*practical*.  And that's important.  If First Virtual uses
simple techniques which are crackable, but so unprofitable to 
crack that no-one will ever do so, and if First Virtual uses 
this technique and allows everyday users to do transactions over 
the Internet, then that is a net.commerce success story.  
Furthermore, it's a *cryptographic* success story.

Much more so than "CYpherPunk Agent X" who writes a black-market
implementation of Chaumian electronic cash which no-one will 
ever use.  He has accomplished little more than entertaining and 
educating himself.  This is the cypherpunk fallacy which is
enshrined in the Manifesto when it says "code can never be
destroyed".  Yes it can.  Or it can be ignored which has the 
same effect.  The important thing is when code and users meet.

(Of course, I still think First Virtual is marketing an ugly
klooge that doesn't stand a chance against better technologies
in the next couple of years, but I digress...)

But despite all of the above, Nathaniel, I must protest your
claim to have "revealed" the "first known strategy".  That
strategy has been common knowledge since probably before you
were born.  In fact just a couple of weeks ago *I* posted
articles to cypherpunks and the "ecash" list saying that 
I thought the most viable attack on DigiCash Ecash would be a
virus/Trojan horse which attacked the computer on the user's

Did you read these articles of mine?  Is it possible that that
is where you got the idea for your experiment?

As an aside you recently said that you didn't see any reason to
PGP-sign list traffic.  Here is a good example of its
usefulness:  I can prove that I authored the aforementioned
messages, and when.  (Also it has already been more or less 
proven to people who use PGP on their cpunks traffic that the 
author of the aforementioned messages was also the author of 
hundreds of other messages including this one both in cpunks 
and in other forums over the last six months.)

Now I didn't mention in my articles that such an attack would be
as viable (more so, actually) against a credit card scheme as it
would against Ecash, for two reasons 1:  It was already common
knowledge, and 2:  I consider credit card schemes to be hopeless
anachronisms that will soon be eliminated in the evolutionary
race of modern currency.

Anyway, keep up the good work, and consider the merits of being
a little more circumspect in your press releases.



P.S.  Okay I admit that the Subject: line was a little bit
inflammatory.  If I had named my message "Re: FV demonstrates
fatal flaw" then nobody would have read it...

                 "Toys, Tools and Technologies"
  the Niche 
        New Signal Consulting -- C++, Java, HTML, Ecash
PGP sig follows

Version: 2.6.2
Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.01