
Mr. Borenstein's press release ("FV's position on Merc article") was egregiously self-serving and embarrassingly over-inflated. Yet, First Virtual's CC-focused keyboard sniffer ("...a program which completely undermines the security of every known credit card encryption mechanism for Internet commerce") and his postulated widespread stealth attack on unprotected consumer PCs highlighted an obvious -- but oft forgotten, at least in non-CompSec circles -- vulnerability. An encrypted link is only as secure as the CPUs at either end. Not an unimportant consideration as we plunge into Internet commerce; and surely a valid point for one vendor to make, if it suggests unrecognized risks in a competitor's scheme for consumer purchases and payments.

Borenstein is handling his inevitable mugging in C'punks with zest and considerable aplomb; even including an apology for submitting his sensationalistic attack on crypto-based competitors to this List.

Before folks leap from FV's text to damning the San Jose Mercury News' articles by Simson Garfinkel, however, they should pause and read or maybe re-read Garfinkel's three articles. <http://www.sjmercury.com/clips/>

Mr. Garfinkel is probably the single most technically-literate journalist writing about computer security for mainstream (or trade press) media. His Mercury News article is precisely focused on FV's initiative in developing this demo program (a trojan screen saver) and the campaign by the Southern California company to use the demo to illustrate a relatively unguarded aspect of Netscape's SSL-protected credit card transactions, which have been widely touted as the be-all of Network Commerce. It was, as Garfinkel bluntly put it: "a direct attack against the security promised by Netscape Communication Corp.'s popular Netscape Navigator..." Mr. Borenstein later expressed his regret that Garfinkel had cast the story as a competitive attack, but IMNSHO Garfinkel was right on target: the FV campaign was a targeted bombardment of their most prominent competitor. And a campaign it was -- well deserving media attention.

FV apparently carted their demo code and attack model back and forth across the country. FV gave presentations to NIST, NSA, the US Treasury, and the White House, according to Garfinkel. The only silly comment in Garfinkel's article was a direct quote from FV's Borenstein: "One of the things we've heard from people inside government were comments along the line, 'We thought only NSA knew how to do this....'" (And if a world-class CompSec/UNIX expert like Garfinkel wasn't chuckling when he wrote that -- and expecting knowledgeable readers to giggle and grin when they read it -- I'll stew and eat my beaver hat!)

The Merc's quotes from independent security experts -- commenting on FV's attack model -- were notably dry and balanced. Yes, the attack and threat vectors were real -- but, noted the American Bankers Association's Kawika Daguio: "It is a classic attack." "I've seen it, and I've seen things like it before," said Mr. Daguio. Nothing new. Matt Bishop, the UC prof, also sounded less than awed by FV's creativity: "There is no reason why one could not write a program to monitor keystrokes, look for numbers which look like credit card numbers, and send them out over the Internet," in an unobtrusive way, to a thief elsewhere. (Prof. Bishop might have had more to say, had he been told it took an FV programmer a _month_ to write a keyboard sniffer optimized for credit card data;-)

As a newcomer to this List, I have the impression that C'punks are a little jaded when it comes to mass-market CompSec and ComSec threats -- and perhaps a little rabid when it comes to anyone rash enough to suggest that the first mass-market crypto product (in the hands of naive consumers, with unprotected PCs and poor CompSec habits) may have dangerous procedural vulnerabilities. A little perspective, guys! Crypto from an insecure base has risks that deserve to be highlighted; and credit card numbers are uniquely negotiable passwords.

FV is scare-mongering, sure -- but that's combat marketing. Mr. Borenstein's press release posted in C'punks was chumming with raw bloody beef -- and that was just dumb -- but it was striking how blithely many folks here acknowledged (and immediately dismissed) the threat he described. Nothing wrong with FV trying to slow the bandwagon of a major competitor by drawing attention to vulnerabilities or potential vulnerabilities of their technology in a mass market. This happens a lot -- although most corporate perpetrators try to hide their hand a lot more than FV did, and they generally sound a lot less self-righteous -- but a little brawling is not a bad thing, particularly in IS security. (Some markets, like firewalls, desperately need a little more competitive clarity.)

On the other hand, Mr. Borenstein's hyper-inflated presentation of First Virtual's case all but begged for the C'punk lynch mob that has followed him down through several threads on this List. If he didn't expect the reception he got, he should fire his PR advisor and get someone who knows how to write without the purple prose and napalm.

Simson Garfinkel and the Mercury News are getting a bad rap from folks caught up in the mob chasing Mr. Borenstein. Read the three articles. The on-line version has a headline that is a bit overwrought ("Program shows ease of stealing credit information") but overall, it's a credible, savvy, and amusing piece of journalism about FV. Quite professional, I'd say.

Suerte,
_Vin

Vin McLellan +The Privacy Guild+ <vin@shore.net>
53 Nichols St., Chelsea, Ma. 02150 USA Tel: (617) 884-5548
<*><*><*><*><*><*><*><*><*>
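The point Bishop makes in the post above, that card numbers have a recognizable shape, cuts both ways: the same format test is what a defender's egress monitor or DLP filter uses to notice card-shaped data leaving a host whose endpoint may be compromised. As an added example, not part of the original post or of any First Virtual or Netscape code, here is a small Python checker that scans constructed sample outbound lines for digit runs of card length and keeps only those passing the Luhn mod-10 checksum that payment card numbers carry. The sample lines, the `SAMPLE_EGRESS` name and the function names are my own; the card numbers in it are published test numbers, not real accounts.

```python
import re
from typing import List, Tuple

# Constructed sample of outbound data an egress monitor might inspect.
# The 4111... and 4242... values are well-known test card numbers.
SAMPLE_EGRESS = [
    "POST /checkout card=4111 1111 1111 1111 exp=12/99",
    "order_id=1234567890123456 status=shipped",
    "card=4111-1111-1111-1112 (typo, fails checksum)",
    "GET /index.html",
    "memo: 4242424242424242",
]

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_like(text: str) -> List[str]:
    """Return the normalized digit strings in text that look like card numbers."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_egress(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (line_number, card_like_numbers) for every line worth flagging."""
    flagged = []
    for n, line in enumerate(lines, 1):
        hits = find_card_like(line)
        if hits:
            flagged.append((n, hits))
    return flagged


if __name__ == "__main__":
    for n, hits in scan_egress(SAMPLE_EGRESS):
        print(f"line {n}: card-like number(s) {hits}")
```

Luhn is a format check, not proof that a number is a live account, so a monitor built on it will raise some false positives (order ids and serial numbers that happen to pass), and it only sees data that is still in the clear at the point of inspection. It is cheap enough to run on every outbound line, which is what makes it useful as a tripwire on an endpoint you cannot fully trust.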