1996-01-30 - Re: FV’s Borenstein discovers keystroke capture programs!

Header Data

From: Jeremy Mineweaser <Jeremym@area1s220.residence.gatech.edu>
To: cypherpunks@toad.com
Message Hash: 7d59a03c4d304bf65e9f860221768614e85be67c32055a357343dabe59512011
Message ID: <2.2.32.19960130163242.0098400c@area1s220.residence.gatech.edu>
Reply To: N/A
UTC Datetime: 1996-01-30 19:05:33 UTC
Raw Date: Wed, 31 Jan 1996 03:05:33 +0800

Raw message

From: Jeremy Mineweaser <Jeremym@area1s220.residence.gatech.edu>
Date: Wed, 31 Jan 1996 03:05:33 +0800
To: cypherpunks@toad.com
Subject: Re: FV's Borenstein discovers keystroke capture programs!
Message-ID: <2.2.32.19960130163242.0098400c@area1s220.residence.gatech.edu>
MIME-Version: 1.0
Content-Type: text/plain


At 09:53 AM 1/30/96 -0500, nsb@nsb.fv.com wrote:

>> ... likely, you store the card numbers on a computer.  And no doubt,
>> someone or something enters those numbers into a database.
>> You have just violated your own cardinal rule.
>
>Nope, afraid not.  We keep the credit card numbers on a non-Internet
>computer.  

Let me restate your cardinal rule, direct from your "alert":

>Quite simply, we believe that this program
>demonstrates a FATAL flaw in one whole approach to Internet commerce,
>and that the use of software to encrypt credit card numbers can NEVER be
>made safe.  For consumers, we recommend the following simple rule:
>
>NEVER TYPE YOUR CREDIT CARD NUMBER INTO A COMPUTER.

How about we here it again, just because it's so well thought out:

>NEVER TYPE YOUR CREDIT CARD NUMBER INTO A COMPUTER.

Now, the fact that your customer database of credit card numbers
is not directly available via the Internet does not make it cease to
be a computer.  Regardless of its networkability, it is still a computer.
Do you suggest, then, that computers cannot exist without networks?

>As to how the credit card numbers are entered:  they are entered at
>account setup time via a telephone call.  

And just *where* do they get entered?   Into a computer.
And *how* are they entered?  Via a keyboard.

What was that?  You guys enter credit card numbers via the
keyboard?  But YOU CAN'T DO THAT!  IT'S NOT SAFE!

If I can't trust myself to keep my credit card number secure, why
should I trust your minimum-wage data entry employees?

>Believe me, we've thought a LOT about this.

I believe that you thought more about writing your glorified keyboard
sniffer than you did deciding how to announce your discovery to the public.
---
   Jeremy Mineweaser     | GCS/E d->-- s:- a--- C++(+++)$ ULC++(++++)>$ P+>++$
 j.mineweaser@ieee.org   | L+>++ E-(---)  W++ N+  !o-- K+>++  w+(++++) O-  M--
                         | V-(--) PS+(--) PE++ Y++>$ PGP++>+++$ t+() 5 X+ R+()
    *ai*vr*vx*crypto*    | tv(+)  b++>+++ DI+(++)  D+  G++ e>+++  h-() r-@ !y-






Thread