
Well, the misconceptions are flying fast and furious.
1. I didn't write the program.
2. It has nothing to do with viruses. No current virus protection program will ever detect this thing, and if you write a program that detects one instantiation of the attack, the program can be easily changed to require a new "detector" program. This means you can only protect against the last attack, not the next one.
I readily admit that there is a larger issue about viruses and being able to trust your software, but the presentation from FV of this announcement as a "fatal flaw" in internet commerce is remarkably disingenuous. They are really saying, "We have the only safe approach" quietly between the lines.
You're twisting our words. We believe it is a truly fatal flaw in those internet commerce schemes that are based on software encryption of credit card numbers. There are several schemes for Internet commerce that are unaffected:
-- First Virtual (of course)
-- Hardware encryption (e.g. consumer card-swipe machines)
-- Smart cards
-- Digital cash (unless the tokens are made too easy to recognize)
We say this VERY EXPLICITLY in our web pages. We are NOT saying we have the only safe approach. We have one of four safe approaches that we know of. But software encryption of credit card numbers is so easy to circumvent that it is, in practice, useless. (The only threat it really protects against is network-based sniffers, which are harder to write and more traceable than the attack we have just outlined.)
And before pm. says it, this has very little to do with cryptography.
Agreed 100%. I never claimed otherwise. It does, however, emphasize the *limits* to the security provided by cryptography, something that cypherpunks are well aware of but that the general public is not aware of. -- Nathaniel