Excerpts from mail: 29-Jan-96 Re: FV Demonstrates Fatal F.. Rich Salz@osf.org (255)
There are many ways to spread it besides a virus. Zillions of 'em. And
There are zillions (what, more than one thousand?) ways to get someone to run a random piece of software that will capture their keystrokes?
Yes, zillions, although I'm not using that as a technical term.
I don't believe you. Name six.
Sure thing, always glad to clarify my claims. 1. (my current favorite) post it to MSN. There, Microsoft has made getting infected with a Trojan Horse as easy as clicking on an icon embedded in a mail or news message. (You want to try convincing the average consumer that it isn't safe, if Microsoft makes it that easy?) 2. Get the sources to a public domain image viewer. Change them slightly. Claim that you've improved it by 13.7%. Post your improved (and infected) image viewer to the net. 3. Ditto for an audio viewer, a mail reader, a news reader,.... (zillions right there alone) 4. Imitate the IBM Christmas exec. Break into someone's site and steal their mail aliases file. Now send mail to everyone on their alias list, pretending to be them, offering them a cute animation program they can install. The animation will happen, but it will also send mail to all THEIR aliases (like the Christmas exec) and (unlike that) install our malicious snooping software. 5. Write a genuinely useful program (or a game) of your own, but embed your attack in it. (Caution: Being the real author will increase your traceability.) 6. Write a pornographic screen saver. Not only will zillions of people download it, but they will EXPECT the code to watch keystrokes. 7. [*maybe*] Spread it by Java applet. This is a maybe because the level of Java security seems to be browser-discretionary. Even a relatively conservative let-the-user-choose approach like Netscape's, however, can be defeated with a little social engineering, as in "this is a really cool Java applet to do XYZ, but you'll have to set Netscape's Java security level to minimum to run it....." 8. Internet-based breakin/installations, e.g. to NT or anything else that runs incoming services. 9. Traditional virus techniques. Oh, you only asked for 6, sorry..... Feel free to ignore a few. -------- Nathaniel Borenstein <nsb@fv.com> Chief Scientist, First Virtual Holdings FAQ & PGP key: nsb+faq@nsb.fv.com