1996-01-30 - Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit

Header Data

From: Nathaniel Borenstein <nsb@nsb.fv.com>
To: Rich Salz <rsalz@osf.org>
Message Hash: 87538dfcdbd0029540ec821fa24630f5ebe58bae5e95fbadafd1b2e9dcd17e5f
Message ID: <8l3TrJ2Mc50eAWY4IF@nsb.fv.com>
Reply To: <9601300015.AA15891@sulphur.osf.org>
UTC Datetime: 1996-01-30 11:42:59 UTC
Raw Date: Tue, 30 Jan 1996 19:42:59 +0800

Raw message

From: Nathaniel Borenstein <nsb@nsb.fv.com>
Date: Tue, 30 Jan 1996 19:42:59 +0800
To: Rich Salz <rsalz@osf.org>
Subject: Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit
In-Reply-To: <9601300015.AA15891@sulphur.osf.org>
Message-ID: <8l3TrJ2Mc50eAWY4IF@nsb.fv.com>
MIME-Version: 1.0
Content-Type: text/plain

Excerpts from mail: 29-Jan-96 Re: FV Demonstrates Fatal F.. Rich
Salz@osf.org (255)

> >There are many ways to spread it besides a virus.  Zillions of 'em.  And

> There are zillions (what, more than one thousand?) ways to get someone
> to run a random piece of software that will capture their keystrokes?

Yes, zillions, although I'm not using that as a technical term.

> I don't believe you.  Name six.

Sure thing, always glad to clarify my claims.

1. (my current favorite) post it to MSN.  There, Microsoft has made
getting infected with a Trojan Horse as easy as clicking on an icon
embedded in a mail or news message.  (You want to try convincing the
average consumer that it isn't safe, if Microsoft makes it that easy?)

2.  Get the sources to a public domain image viewer.  Change them
slightly.  Claim that you've improved it by 13.7%.  Post your improved
(and infected) image viewer to the net.

3.  Ditto for an audio viewer, a mail reader, a news reader,.... 
(zillions right there alone)

4.  Imitate the IBM Christmas exec.  Break into someone's site and steal
their mail aliases file.  Now send mail to everyone on their alias list,
pretending to be them, offering them a cute animation program they can
install.  The animation will happen, but it will also send mail to all
THEIR aliases (like the Christmas exec) and (unlike that) install our
malicious snooping software.

5.  Write a genuinely useful program (or a game) of your own, but embed
your attack in it.  (Caution:  Being the real author will increase your

6.  Write a pornographic screen saver.  Not only will zillions of people
download it, but they will EXPECT the code to watch keystrokes.

7.  [*maybe*] Spread it by Java applet.  This is a maybe because the
level of Java security seems to be browser-discretionary.  Even a
relatively conservative let-the-user-choose approach like Netscape's,
however, can be defeated with a little social engineering, as in "this
is a really cool Java applet to do XYZ, but you'll have to set
Netscape's Java security level to minimum to run it....."

8.  Internet-based breakin/installations, e.g. to NT or anything else
that runs incoming services.

9.  Traditional virus techniques.

Oh, you only asked for 6, sorry.....  Feel free to ignore a few.
Nathaniel Borenstein <nsb@fv.com>
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq@nsb.fv.com