 
At 09:26 AM 2/4/96 -0500, Simson L. Garfinkel wrote:
At 8:18 AM 1/31/96, Rishab Aiyer Ghosh wrote:
FV demonstrated, through its "card sharp" or whatever, that real-time transactions are vulnerable to sniffers on the recipient's own machine. Of course. We all knew that. But the mistake is to assume that FV isn't _equally_ vulnerable to that threat. If you can write a trojan that will somehow get privileged access to my machine, trap my keystrokes, and identify my credit card number, you can certainly write one that will, sitting on my machine: "intercept the user's electronic mail, read the confirmation message from First Virtual's computers, and send out a fraudulent reply" (to quote from Simson's article). Simson further quotes FV's Lee Stein: "A single user can be targeted, Stein said, but ''it is very difficult. . . . There are too many packets moving . . . to too many different machines.''" - which is of course equally true for real-time Netscape transactions.
Oh, I think that such a program can be written. However, it would be much harder to get right, considering all of the different ways that people read e-mail.
The code looks something like this:
1) Hook into the winsock and look for an FV message in the web data stream; save the ID.
2) Now look for an approve/deny/fraud; when you see one you know that the user uses an IP connection for mail and web.
3) Forward the ID to an anon box.
4) Look for outbound FV messages with 'fraud' or 'deny' and change to 'approve'.
Clearly this will miss AOL, CI$ et al. but that's not important. The issue is not FV noticing the error, they will; it's how long it takes and how much you can steal in the interim.
There is a Helen Keller quote I'm rather fond of which starts: "Security is mostly a superstition ..."
*If the machine is not secure all bets are off*
The most likely failure vector for this attack is that so few people use FV :-)

John Pettitt, jpp@software.net
VP Engineering, CyberSource Corporation, 415 473 3065
"Technology is a way of organizing the universe so that man doesn't have to experience it." - Max Frisch