1996-01-30 - Re: Apology and clarification

Header Data

From: Jamie Zawinski <jwz@netscape.com>
To: cypherpunks@toad.com
Message Hash: c14c1249b5e980194446a0a373e6dec6345a758a791fc7f4d4b54cfdf37b668e
Message ID: <310E0EBE.30FD3BCC@netscape.com>
Reply To: <cl3ShvGMc50eEWY1pL@nsb.fv.com>
UTC Datetime: 1996-01-30 20:12:16 UTC
Raw Date: Wed, 31 Jan 1996 04:12:16 +0800

Raw message

From: Jamie Zawinski <jwz@netscape.com>
Date: Wed, 31 Jan 1996 04:12:16 +0800
To: cypherpunks@toad.com
Subject: Re: Apology and clarification
In-Reply-To: <cl3ShvGMc50eEWY1pL@nsb.fv.com>
Message-ID: <310E0EBE.30FD3BCC@netscape.com>
MIME-Version: 1.0
Content-Type: text/plain


Nathaniel Borenstein wrote:
> 
> What we at FV have done is to demonstrate how easy it is to develop a
> FULLY AUTOMATED attack that undermines the security of all
> software-based credit card commerce schemes.

You have done no such thing.  You have written *one component* of that
attack, and the easiest part of it at that.

Combine it with a virus, or self-replicating worm, and demonstrate that
it is immune to all known virus checkers, and *then* you will have
spoken the truth when you say you have "demonstrated" anything.

Heck, combine it with a screensaver as a trojan horse *and* collect a
few hundred credit card numbers and *then* you will have demonstrated
something.

You've demonstrated nothing but your ability to write press releases,
and print out some messages when fully-cooperating users submit to your
"test."

You may think this is nitpicking, but the fact is, you're assuming that
the implicit cooperation of some vast number of users in running your
program is easy to obtain.  I disagree with this assumption.  If this
assumption were true, then viruses would be a much bigger problem than
the mere annoyance that they are today.

> It is the automated aspect that separates it from all of the
> "dumpster-diving" attacks on credit card numbers which have previously
> been widely discussed, because it provides a path to large-scale fraud
> that has never been publicly discussed before, to my knowledge.  The
> key "invention" in our approach is to integrate several techniques
> that are already well-known (in this community) into an automated
> attack that we consider to be devastating to commerce systems based on
> software-encrypted credit cards.

This is the same kind of vacuous reasoning that leads to things like
the "concryption" patent.  You have invented nothing.  You've combined
the painfully obvious and written a fearmongering rant about it.

*Computers* provide a path to large-scale fraud.  So does the printing
press.  So does the telephone, and the postal system.  So what.  You
still haven't proven that it's easy.

> This is a very real threat.  If you think we're just re-hashing keyboard
> sniffers, you haven't yet understood what we're demonstrating.  The real
> threat is the traceless theft of millions of credit card numbers by a
> single easily mounted automated attack.

With as much work as you've put into this, someone could write a
Microsoft Word document which when opened, would start dumping the
contents of your hard disk into the mail.  

The knee-jerk moral to *that* is to never store non-public information
on a computer that has a network connected to it.

However, reasonable people assess that risk, and decide to do it anyway,
because the benefits outweigh the risk.

> So here's the factual claim, to be proven or disproven:  One good
> programmer, in less than a month, can write a program

Come now, right off the bat you know that no assertion taking that form
can be *dis*proven.

> that will spread itself around the net, collect an unlimited number
> of credit card numbers, and get them back to the program's author by
> non-traceable mechanisms.  Does anyone on this list doubt that this 
> is true?

It's not a matter of possibility.  It's a matter of probability, and
risk management.  It's unlikely enough that I'm not afraid of using my
credit card on the net.  Tell me my credit card number, and I'll change
my mind.

> If not, I think it's worth noting that this fact was previously
> completely unknown to the bankers and businessmen who are putting
> large sums of money at risk on the net.  The only way to get the
> message to those communities is with a very visible public
> announcement of the kind you saw yesterday.

All a banker needs to know is the amount of risk associated with the
thing in which they are investing; they don't need to know how keyboard
sniffers work.  I don't believe you've demonstrated anything that
changes the risk model that they have presumably already gotten from
their flock of experts who they no doubt employed before investing in
the net (experts who also no doubt know all about how viruses work,
thank you very much.)

	== Jamie




