-----BEGIN PGP SIGNED MESSAGE-----

An entity claiming to be Nathaniel Borenstein <nsb@nsb.fv.com> is alleged to have written:
I have not yet heard anything that makes me think that my claim is untrue. We have revealed the first known strategy for an Internet-based large-scale automated attack on the credit card system. I think that's a real threat.
I know that you are being swamped by hate mail from cypherpunks, so I'll try to keep my comments brief. First, I commend you for forging ahead with research and business as you see fit, despite the regular barrages of venomous condemnation that you are subjected to. "I think that's a real threat", too. I believe that you have valuable insights into Internet commerce security which the typical cypherpunk lacks, and I'm glad that you are "getting the word out" both to the cpunks and to larger communities.

(Having said that, and having decided to Cc: this message to cpunks and e$, I shall elaborate:)

The ideas that you espouse that the typical cpunk lacks fall into two broad categories which have something in common. First, the overwhelming importance of user interface and dealing with technically clueless users. Second, the importance of evaluating risks from a cost/benefit perspective, and trusting in a system once it is "secure enough". What these ideas have in common is simply that they are *practical*. And that's important.

If First Virtual uses simple techniques which are crackable, but so unprofitable to crack that no-one will ever do so, and if First Virtual uses this technique and allows everyday users to do transactions over the Internet, then that is a net.commerce success story. Furthermore, it's a *cryptographic* success story. Much more so than "CYpherPunk Agent X" who writes a black-market implementation of Chaumian electronic cash which no-one will ever use. He has accomplished little more than entertaining and educating himself. This is the cypherpunk fallacy which is enshrined in the Manifesto when it says "code can never be destroyed". Yes it can. Or it can be ignored, which has the same effect. The important thing is when code and users meet.

(Of course, I still think First Virtual is marketing an ugly klooge that doesn't stand a chance against better technologies in the next couple of years, but I digress...)
But despite all of the above, Nathaniel, I must protest your claim to have "revealed" the "first known strategy". That strategy has been common knowledge since probably before you were born. In fact just a couple of weeks ago *I* posted articles to cypherpunks and the "ecash" list saying that I thought the most viable attack on DigiCash Ecash would be a virus/Trojan horse which attacked the computer on the user's end. Did you read these articles of mine? Is it possible that that is where you got the idea for your experiment?

As an aside, you recently said that you didn't see any reason to PGP-sign list traffic. Here is a good example of its usefulness: I can prove that I authored the aforementioned messages, and when. (Also it has already been more or less proven to people who use PGP on their cpunks traffic that the author of the aforementioned messages was also the author of hundreds of other messages, including this one, both in cpunks and in other forums over the last six months.)

Now I didn't mention in my articles that such an attack would be as viable (more so, actually) against a credit card scheme as it would against Ecash, for two reasons: 1) it was already common knowledge, and 2) I consider credit card schemes to be hopeless anachronisms that will soon be eliminated in the evolutionary race of modern currency.

Anyway, keep up the good work, and consider the merits of being a little more circumspect in your press releases.

Regards,
Bryce

P.S. Okay, I admit that the Subject: line was a little bit inflammatory. If I had named my message "Re: FV demonstrates fatal flaw" then nobody would have read it...
"Toys, Tools and Technologies" the Niche
New Signal Consulting -- C++, Java, HTML, Ecash
Bryce PGP sig follows