1996-01-31 - FV, Netscape and security as a product

Header Data

From: Greg Broiles <gbroiles@darkwing.uoregon.edu>
To: cypherpunks@toad.com
Message Hash: cc19504a12ec8bdafb6501cc992b1059ea3ff05bf338e923d5ade16eac5aba29
Message ID: <199601311753.JAA18008@darkwing.uoregon.edu>
Reply To: N/A
UTC Datetime: 1996-01-31 19:21:50 UTC
Raw Date: Thu, 1 Feb 1996 03:21:50 +0800

Raw message

From: Greg Broiles <gbroiles@darkwing.uoregon.edu>
Date: Thu, 1 Feb 1996 03:21:50 +0800
To: cypherpunks@toad.com
Subject: FV, Netscape and security as a product
Message-ID: <199601311753.JAA18008@darkwing.uoregon.edu>
MIME-Version: 1.0
Content-Type: text/plain



NSB's messages have suggested, amongst the fear-mongering, that the real
target of the card-shark publicity campaign is not Joe Consumer but bankers,
investors, and other "big money" folks; people who care about the
large-scale fraud rate of credit card use. (Yes, the rate of fraud affects
all consumers, but most people experience it as a relatively small and
unavoidable cost lost in the noise of other small costs.) NSB/FV used the
Murky News to reach those people the way that some people will rent a
freeway-visible billboard to propose marriage to a single commuter. The
trouble and expense that the sender was willing to suffer to send the
message are intended to cause the reader to take the message more seriously.
The rest of us who see the message on C-punks or drive past and wonder "Who
is Bonnie, and why is Clyde proposing marriage to her on the freeway?"
aren't an important part of the process. 

But I don't see FV's tactics as being especially different from folks at IBM
writing a virus which affects Windows but not OS/2, and quietly shopping it
around to scare Microsoft customers, or Ford underwriting an NBC news
program which shows Chevy pickups blowing up. (Both are hypotheticals.)
Sure, it can be done, and perhaps it's not dishonest, and perhaps they can
wear the hat of "Consumer Protector Man", but I think it'd come across as
less offensive if it weren't presented as a discussion about security.
Statements which can be boiled down to "We think our product is superior to
our competitor's product" don't mix well with quotes from academics and a
"Chief Scientist" signature block.

While, as Vin McLellan points out, Simson Garfinkel's articles were
technically accurate (modulo the quote from Daguio, where he's quoted as
suggesting an "out of hand" transaction, which is likely either a typo or a
misunderstanding - dollars to donuts he said "out of band"), they also
appeared as part of a marketing process. Netscape and FV have both taken a
"security is a product" stance, which is a gross misrepresentation. FV and
NSB's materials have done a good job of critiquing Netscape's "security is a
product / don't worry, just look for the cute blue key" approach, but would
replace it with their own "security is a product / trust the phone but not
the net" approach. Both suggestions (and the implication of the Murky News
articles, that one can be trusted but not the other) are wrong. Security is
never a product. (Not a firewall, not a fancy browser, not PGP, not a gun,
not the Club, not an airbag.) FV has tried to productize their approach
(out-of-band transfer of credit card number + long clearing time for sellers
+ negligible per-unit cost for goods sold) but it won't work any better for
FV consumers than it does for anyone else who tries to buy something which
can't be sold.

It's a shame that Garfinkel didn't spend more time/column space on
suggestions or observations from the independent people he interviewed and
less time on the "hot news - Netscape security broken by a competitor"
angle. Are there really any "big money" people left who don't have formal or
informal access to someone computer/Internet savvy enough who could have
pointed out that the cardshark attack is nothing new? Yes, bad things happen
if you run bad software. A two-way link between your computer and the rest
of the world means it's possible for bad software to send your data to other
people. It's the "Prodigy reads your hard disk/Microsoft Registration Wizard
reads your hard disk" scare all over again, with "Prodigy" replaced by "evil
untraceable criminals" and "hard disk" replaced by "keystrokes". Duh. 

We should, however, learn from what FV did right - they wrote software which
(apparently) had or can have a real political effect. (It seems to have
worked on Garfinkel, anyway). Cypherpunks write code? FV wrote code and got
some attention for their otherwise unexciting message. (It seems to be a
combination of working code and good user interface - witness the cooing
over the icon indicating which type of credit card you're using and the fact
that it uninstalls itself.) It's a shame that they won't use their powers
for good instead of evil.

--
"The anchored mind screwed into me by the psycho-  | Greg Broiles
lubricious thrust of heaven is the one that thinks | gbroiles@netbox.com
every temptation, every desire, every inhibition." | 
	-- Antonin Artaud		   	   | 





