I only just managed to go through my mail backlog and read Simson Garfinkel's original Mercury News article. I was appalled by FV's double standards in evaluating security risks.

Both First Virtual and real-time transaction models (without encryption, or with it, e.g. Netscape) require that the recipient not be compromised. FV relies on e-mail (domain names); Netscape relies on IP addresses. IP addresses are much harder to intercept than domain names (which can be hijacked - see my earlier posts). This essentially means that while e-mail can be mis-routed, IP packets can't. Additionally, plaintext e-mail as well as IP traffic can often be sniffed along the way.

FV demonstrated, through its "card sharp" or whatever, that real-time transactions are vulnerable to sniffers on the recipient's own machine. Of course. We all knew that. But the mistake is to assume that FV isn't _equally_ vulnerable to that threat. If you can write a trojan that will somehow get privileged access to my machine, trap my keystrokes, and identify my credit card number, you can certainly write one that will, sitting on my machine: "intercept the user's electronic mail, read the confirmation message from First Virtual's computers, and send out a fraudulent reply" (to quote from Simson's article).

Simson further quotes FV's Lee Stein: "A single user can be targeted, Stein said, but 'it is very difficult. . . . There are too many packets moving . . . to too many different machines.'" - which is of course equally true for real-time Netscape transactions.

Simply put, if there's a program sitting on your computer with privileged access, it can read your mail, hide it from you, and reply, as easily as it can read your keystrokes. Even simpler: if there's a privileged program on your machine, NOTHING IS SECURE - not SSL, not FV, not plaintext credit cards, not PGP, NOTHING.
This is old hat, and FV has shown nothing new with its one-sided stunt; the only reason there has been little hype recently about card-sniffing trojans is that trojans and viruses and the rest of their ilk have been dying of exposure in the media, ever since the Internet Worm grabbed headlines years ago.

Rishab