1996-05-18 - HUGE denial of service attack against any ecash customer!!!

Header Data

From: Robert Hettinga <rah@shipwright.com>
To: cypherpunks@toad.com
Message Hash: 59d0152627541824e637fec6f32c2d2af66a7e9c6a50fdf79461e2e3655e870f
Message ID: <v03006626adc0d911a83a@[199.0.65.105]>
Reply To: N/A
UTC Datetime: 1996-05-18 09:58:20 UTC
Raw Date: Sat, 18 May 1996 17:58:20 +0800

Raw message

From: Robert Hettinga <rah@shipwright.com>
Date: Sat, 18 May 1996 17:58:20 +0800
To: cypherpunks@toad.com
Subject: HUGE denial of service attack against any ecash customer!!!
Message-ID: <v03006626adc0d911a83a@[199.0.65.105]>
MIME-Version: 1.0
Content-Type: text/plain


Ian Goldberg seems to be on a roll. First he figured out how to find out
how anyone can determine anyone else's ecash mint balances, and now he does
this.

The man's a genius. If you don't believe it, ask me, I'll tell you. ;-).

Cheers,
Bob Hettinga



--- begin forwarded text


To: ecash@digicash.com
Path: not-for-mail
From: iang@cs.berkeley.edu (Ian Goldberg)
Newsgroups: isaac.lists.ecash
Subject: HUGE denial of service attack against any ecash customer!!!
Date: 15 May 1996 16:09:29 -0700
Organization: ISAAC Group, UC Berkeley
Lines: 42
Sender: owner-ecash@digicash.com
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

(Again Cc:'d to ecash-feedback, hoping for a security prize.  I wonder
 who's keeping track...  Also Cc:'d to cypherpunks, for fun...)

So I had some more free time... (Dave cringes when I say that.)

Here's a cute one:

Give me an account number, and I can prevent it from being used until
an arbitrary time in the future (of my choosing).

How?  Simple.

Send a deposit message with 0 coins (well, any message will work, I think, but
this is one of the simplest messages there is) with a timestamp of some future
time.

Messages stamped prior to that (such as everything coming from the
actual user for that account, until the time comes) will be politely
discarded.  (Actually, I think the last reply to a withdrawal request
is continually resent, but I'm not exactly sure of this.)  In any case,
the actual user will be unable to withdraw money from his mint until
the time sent in the denial-of-service message.  (Unless he forward-dates
his computer's clock, or something...)

I've tested this against myself and Sameer (with his cooperation, of course).
Anyone else want to be locked out for an hour?  (Actually, I could pretty
effectively lock out _everyone_ for an arbitrarily long time, it seems...)

   - Ian "Right.  I want the sources to the client and the server
          released.  Now."  :-)

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMZpj3kZRiTErSPb1AQF0SAQAmOEZJTg0v3utWFodDXZ4iv4xa7I+QbNQ
Nlsbkug8dtkdf+Jboe+vBtrs5IWSSff8bWntGwfODckct26NwzpVM9bUIXohVoRQ
jOkRT9a8m/X00jUAoFOTq5O5Rz87a3Uw8MGFugP5Y4DCk+UqnTA70cuozyOCgb8m
8oke89V9Q0E=
=ARMe
-----END PGP SIGNATURE-----

--- end forwarded text



-----------------
Robert Hettinga (rah@shipwright.com)
e$, 44 Farquhar Street, Boston, MA 02131 USA
"If they could 'just pass a few more laws',
  we would all be criminals."    --Vinnie Moscaritolo
The e$ Home Page: http://thumper.vmeng.com/pub/rah/








Thread