From: Nathaniel Borenstein <nsb@nsb.fv.com>
Date: Tue, 30 Jan 1996 23:45:13 +0800
To: pmarc@fnbc.com
Subject: Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit
In-Reply-To: <9601292111.AA23738@toad.com>
Message-ID: <gl3WkoKMc50e1Ir_08@nsb.fv.com>
MIME-Version: 1.0
Content-Type: text/plain


Excerpts from mail: 29-Jan-96 Re: FV Demonstrates Fatal F.. "Paul M.
Cardon"@fnbc.co (986*)

> Any useful information in your anouncement is already well-known.   
> The rest of it is alarmist and self-serving.  There have been  
> several excellent posts pointing out the flaws in your arguments.

No, they've pointed out flaws in the claim that FV has just invented
keyboard sniffers.  That's not our argument at all, it's a strawman.

> Until I actually see an advisory from CERT, I'll just have to  
> assume they told FV to go take a flying leap.  I certainly hope they  
> have enough integrity to ignore this.

I would never speak for the people at CERT, but if they had told us the
threat wasn't real, we certainly wouldn't be claiming that it was.  We
went to CERT first for two reasons:  to be responsible with the new
threat we had uncovered, and to do a sanity check on its importance.

Having said that, I'm quite sure that you won't see a CERT advisory,
because we haven't released the program, it doesn't threaten anyone, and
there aren't any patches you can download to fix the problem.  It's not
something within their mandate to issue advisories about.  -- Nathaniel
--------
Nathaniel Borenstein <nsb@fv.com>
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq@nsb.fv.com