Nathaniel Borenstein wrote:
Excerpts from mail.cypherpunks: 30-Jan-96 Re: Apology and clarification Jamie Zawinski@netscape. (4170*)
Nathaniel Borenstein wrote:
What we at FV have done is to demonstrate how easy it is to develop a FULLY AUTOMATED attack that undermines the security of all software-based credit card commerce schemes.
You have done no such thing. You have written *one component* of that attack, and the easiest part of it at that.
Combine it with a virus, or self-replicating worm, and demonstrate that it is immune to all known virus checkers, and *then* you will have spoken the truth when you say you have "demonstrated" anything.
This is a particularly fascinating reaction, Jamie. As I see it, we have implemented every part of the attack that we can implement without doing anything that is either unethical or illegal. Is it your position that no systematic flaw in your security is real until someone has actually broken it?
Actually, that position would in fact be quite consistent with your company's earlier implicit assertion that 40-bit encryption was sufficient (for international consumers) until somebody actually broke it, even though everyone who understood cryptography already knew otherwise.
Actually, that position would in fact be quite inconsistent with our more recent actions. For example, we have implemented blinding code to protect against Paul Kocher's timing attack, even though it has not been demonstrated against any real-world system. I think that you are misinterpreting the intent of Jamie's posting, but I will let him defend himself. I just wanted to say that the company takes security problems very seriously, even if there has not been an active exploit.

--Jeff

--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
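The blinding countermeasure Jeff refers to is the one Kocher proposed with the timing attack: randomize the value the private-key exponentiation actually runs on so that its running time no longer correlates with the attacker-chosen ciphertext. The following is an added illustration, not code from the thread or from Netscape; it uses a constructed toy RSA key (an assumption, far too small for real use) and textbook RSA without padding, purely to show the blind/unblind steps.

```python
import secrets
from math import gcd

# Constructed toy RSA key, for illustration only (assumption: not a real key size).
P, Q = 1000003, 1000033
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)  # private exponent (requires Python 3.8+)


def encrypt(m: int, e: int = E, n: int = N) -> int:
    """Public-key operation m^e mod n."""
    return pow(m, e, n)


def rsa_private_unblinded(c: int, d: int = D, n: int = N) -> int:
    """Naive private-key operation c^d mod n.

    Its running time depends on the bits of d and on the value c. Because the
    attacker chooses c and can observe the time, Kocher's attack recovers d
    bit by bit from timing differences.
    """
    return pow(c, d, n)


def rsa_private_blinded(c: int, d: int = D, n: int = N, e: int = E) -> int:
    """Blinded private-key operation.

    1. pick a random r coprime to n
    2. c' = c * r^e mod n        (the exponentiation now runs on a value the
                                   attacker cannot predict)
    3. m' = c'^d mod n = m * r mod n
    4. m  = m' * r^-1 mod n      (strip the blinding factor)

    Timing still varies, but it varies with c', which is uncorrelated with
    c, so the measurements no longer leak d.
    """
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            break
    r_inv = pow(r, -1, n)
    c_blinded = (c * pow(r, e, n)) % n
    m_blinded = pow(c_blinded, d, n)
    return (m_blinded * r_inv) % n


if __name__ == "__main__":
    m = 123456789
    c = encrypt(m)
    print("unblinded:", rsa_private_unblinded(c) == m)
    print("blinded:  ", rsa_private_blinded(c) == m)
```

Both functions return the same plaintext; the difference is only in what value the expensive modular exponentiation is performed on. A real implementation would additionally cache and square the blinding pair between operations and use a constant-time exponentiation, but the blind/unblind arithmetic is exactly what is shown.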