1996-01-30 - Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit

Header Data

From: Nathaniel Borenstein <nsb@nsb.fv.com>
To: pmarc@fnbc.com
Message Hash: dfa35df73db7648a12159e96404d738a64a685daac75fdb394c397c0ea3f27af
Message ID: <gl3WkoKMc50e1Ir_08@nsb.fv.com>
Reply To: <9601292111.AA23738@toad.com>
UTC Datetime: 1996-01-30 15:45:13 UTC
Raw Date: Tue, 30 Jan 1996 23:45:13 +0800

Raw message

From: Nathaniel Borenstein <nsb@nsb.fv.com>
Date: Tue, 30 Jan 1996 23:45:13 +0800
To: pmarc@fnbc.com
Subject: Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit
In-Reply-To: <9601292111.AA23738@toad.com>
Message-ID: <gl3WkoKMc50e1Ir_08@nsb.fv.com>
MIME-Version: 1.0
Content-Type: text/plain

Excerpts from mail: 29-Jan-96 Re: FV Demonstrates Fatal F.. "Paul M.
Cardon"@fnbc.co (986*)

> Any useful information in your announcement is already well-known.
> The rest of it is alarmist and self-serving.  There have been  
> several excellent posts pointing out the flaws in your arguments.

No, they've pointed out flaws in the claim that FV has just invented
keyboard sniffers.  That's not our argument at all, it's a strawman.

> Until I actually see an advisory from CERT, I'll just have to  
> assume they told FV to go take a flying leap.  I certainly hope they  
> have enough integrity to ignore this.

I would never speak for the people at CERT, but if they had told us the
threat wasn't real, we certainly wouldn't be claiming that it was.  We
went to CERT first for two reasons:  to be responsible with the new
threat we had uncovered, and to do a sanity check on its importance.

Having said that, I'm quite sure that you won't see a CERT advisory,
because we haven't released the program, it doesn't threaten anyone, and
there aren't any patches you can download to fix the problem.  It's not
something within their mandate to issue advisories about.  -- Nathaniel

Nathaniel Borenstein <nsb@fv.com>
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq@nsb.fv.com