Jeff Weinstein wrote:
I think that you are misinterpreting the intent of Jamie's posting, but I will let him defend himself.
Well I'm not particularly interested in arguing about this further (and I suspect this is true of most people reading this too :-)) but my point was: Nathaniel and crew have implemented the easy part (a tiny fraction) of a program which would successfully capture some large number of credit card numbers. Nathaniel thinks that what I'm characterizing as a tiny fraction of the work (the keyboard sniffer and pattern recogniser) is *most* of the work, and "demonstrates" the attack. I said that they have demonstrated nothing without some proof that combining this with an infection vector would yield the desired result, because I don't think that infecting some vast number of credit-card-using computers is any small task; whereas, Nathaniel says (or at least strongly implies) that it's trivial (or so close to trivial that it can be taken as a given.) Nathaniel said:
As I see it, we have implemented every part of the attack that we can implement without doing anything that is either unethical or illegal.
It's far from clear that you need to do something unethical or illegal to prove that coupling it with an infection vector would be effective. For example, you would no doubt agree that eavesdropping on some unsuspecting user's transaction on an exportably-crippled SSL connection would be immoral. But it wasn't necessary to do anything immoral to demonstrate conclusively that such an attack was possible. It just required a little creativity, and a lack of handwaving.
Is it your position that no systematic flaw in your security is real until someone has actually broken it?
Of course not. You don't have to actually break it to show that it's possible. Of course, you *do* have to show the likelihood of success and the effort required to pull it off as well before it's interesting at all, whether it's theoretically possible or not. == Jamie