1996-02-01 - Re: Apology and clarification

Header Data

From: Eli Brandt <eli@cs.cmu.edu>
To: cypherpunks@toad.com
Message Hash: bc323b95147632706e4054283ee66be205acd0fb475e821b2c3165f3c45db31a
Message ID: <DM0o6t.n0K.1@cs.cmu.edu>
Reply To: <+cmu.andrew.internet.cyclists+0l3TCU200UfA00z5cl@andrew.cmu.edu>
UTC Datetime: 1996-02-01 13:43:29 UTC
Raw Date: Thu, 1 Feb 1996 21:43:29 +0800

Raw message

From: Eli Brandt <eli@cs.cmu.edu>
Date: Thu, 1 Feb 1996 21:43:29 +0800
To: cypherpunks@toad.com
Subject: Re: Apology and clarification
In-Reply-To: <+cmu.andrew.internet.cyclists+0l3TCU200UfA00z5cl@andrew.cmu.edu>
Message-ID: <DM0o6t.n0K.1@cs.cmu.edu>
MIME-Version: 1.0
Content-Type: text/plain


In a nutshell: FUD Virtual's press release glosses over the hard part
of the attack -- distribution and collection.  Yes, the credit-card
system is broken as designed, but that's already reflected in its cost
structure.  The proposed attack will never make up a significant
fraction of credit-card fraud.

You know, FV should put out a press release warning that all
encryption-based payment systems are insecure, due to the threat of
the proposed "Chinese-lottery virus".  Bet you could get the Times to
print it...

In article <+cmu.andrew.internet.cyclists+0l3TCU200UfA00z5cl@andrew.cmu.edu>,
Nathaniel Borenstein  <nsb@nsb.fv.com> wrote:
>When you put all four of these together, you have an attack that IS new,
>in the sense that nobody we know of has ever mentioned it before,

Who would bother?  Ask yourself if you'd have been quite so excited
about this "new attack" if you were just Nat Borenstein, private
citizen, with no financial interest in a competing technology.

>and which could in fact be used by a single criminal, with only a few
>weeks of programming, to tracelessly steal MILLIONS of credit cards,
>if software-encrypted credit-card schemes ever caught on.

You wave your hands and say that "consumer machines are insecure", but
I don't think you have any conception of what it would take to get
your trojan onto "MILLIONS" of machines.  There is no historical
precedent for such an attack (no, Ping-Pong and Stoned don't make the
cut).  Your suggestions of such things as rogue GIF viewers aren't
even in the ballpark.  What fraction of the victims will expose their
credit card numbers?  What fraction will notice your trojan and warn
against it?  The ratio has to be very, very large.

>and get them back to the program's author by non-traceable
>mechanisms.

I didn't see the part where you explain how this works, either.

>If not, I think it's worth noting that this fact was previously
>completely unknown to the bankers and businessmen who are putting
>large sums of money at risk on the net.  The only way to get the
>message to those communities is with a very visible public
>announcement of the kind you saw yesterday.

You wouldn't have shot your reputation so badly if you weren't so
damned disingenuous about the whole thing.  Paragraphs like the above
really irritate me.

--
   Eli Brandt
   eli+@cs.cmu.edu
