CONTEST: Name That Program!
As you may have read in my previous message, First Virtual has developed and demonstrated a program that completely undermines all known schemes for using software-encrypted credit cards on the Internet. More details are available at http://www.fv.com/ccdanger.
That was the easy part.
The hard part, it turns out, is deciding what to call this program. We've kicked around a variety of names:
-- Card Shark (because we call the general kind of program a "shark")
-- Four Solutions (because we believe that FV is one of four known approaches to Internet commerce which avoid this attack)
-- Predator (because a program like this is scary to think about!)
-- Pickpocket (because that's vaguely analogous to what it does)
-- Snoopy (because we thought it was cute)
-- CyberCrash (no special reason, it just had a nice ring to it)
In the end, we just couldn't decide. But we knew it needed a name, so we've decided to leave it up to the citizens of the Internet. For that reason, we're sponsoring a contest. We invite you to send your vote to "nameit@fv.com".
First Virtual will have sole discretion in selecting a winning name. If we select a name that is submitted by someone on the net, the FIRST person to submit it will be the winner. If we select one of the names given above, we will select at random from all the people who "vote" for that name.
The winner will receive $1000 (US). Yes, we're really paying $1000 for the winning name! (If you have or want a First Virtual seller's account, we'll pay you through First Virtual, otherwise we'll mail you a check.) Twenty-five runners-up will be selected to receive First Virtual sweatshirts and other memorabilia.
CONTEST RULES: All entries must be received by email to nameit@fv.com, on or before February 14, 1996. Please include all of the following:
-- Your suggested name for our program.
-- Your own name and postal mailing address
-- Your shirt size (in case you're a runner-up)
CONTEST DEADLINE: February 14, 1996
--------
Nathaniel Borenstein <nsb@fv.com>
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq@nsb.fv.com
OBKI - Overhyped Boring Keystroke Interceptor?
PROGRAM - Public Relations Optimised Grabber of Really Accessible Material?
MINTATE - Mail Is Not The Answer To Everything? :-)
As you may have read in my previous message, First Virtual has developed and demonstrated a program that completely undermines all known schemes for using software-encrypted credit cards on the Internet. More details are available at http://www.fv.com/ccdanger.
That was the easy part.
***ROFL***
This "pre-encryption" program is not a virus. It attaches to the keyboard driver and captures keystrokes from the keyboard as they are typed -- BEFORE they can be encrypted by the application encryption software. First Virtual scientists note that credit a check-digit. A greater danger is that passwords are also as easily captured.
***ROFL***
This has got to be the no-brainer of the century. Read the rest of their press release at: http://www.fv.com:80/ccdanger/announce.html
You'd think they had discovered the cure for AIDS or something. =)
Christopher
Excerpts from mail: 30-Jan-96 Re: CONTEST: Name That Pro.. David Mazieres@amsterdam (1274)
You are a liar.
And you have terrible manners.
Your program does not undermine all known schemes for transmitting software-encrypted credit cards on the internet. You have no way of obtaining my credit card number, because I will not run your software.
Guess what? I don't care whether or not I can get onto your machine, because I undermine the overall scheme statistically. That's because if I were a criminal, I would be perfectly sanguine about the fact that the average consumer doesn't have a clue how to protect himself from untrusted programs such as this. In fact, I'd settle for getting onto 10% of the machines, although I suspect I could get onto more like 80% without raising a sweat. Yes, David, your personal credit card is safe, because you're a cypherpunk wizard. For that matter, mine is safe too. But Grandma's isn't.
Furthermore, because I use a Unix-like operating system (specifically OpenBSD) which I re-build from source code every week or so, you would need to hack my compiler to keep mis-compiling itself and compromise my kernel or netstat, ps, etc, for which you would need to be root.
Case closed. Your argument would hold a lot more weight if you could convince me that the average Internet consumer was going to rebuild his UNIX kernel every few weeks. Internet commerce is targeting the masses of people for whom "cut and paste" is still a technical term.
The first virtual protocol seems to have some real weaknesses. However, I do not feel like wading through all the pages of text to figure out what is going on. I challenge you to post a concise description of the protocol, using syntax such as:
A -> B: {ID, xxx, ...}_Ks
With short descriptions where necessary. If you do, I'm sure we can rip your protocol to shreds (which is why you won't).
This is one of the most outrageous statements I can imagine. Our protocols have been published, both in summary and in excruciating detail, for over a year. They've been scrutinized by all sorts of people in the financial industry, most of whom immediately turned around and asked if we were looking for investors. Just because you're too lazy to read them (or probably even to go to our web site to look at them), you assume that you can rip them to shreds. I'm very impressed. Here's an equally meaningful counterclaim: "I've never met you in person and have no idea what you look like, but I'm sure that I'm better looking than you are."
(And for the record, because our security isn't based on mathematical/cryptographic assurances, but rather on systemic checks and balances, mathematical notation is pretty darned useless.)
But anyway, there's no need for you to stop being lazy in order to "rip them to shreds". We are happy to tell you (in http://www.fv.com/pubdocs/fv-austin.txt) EXACTLY how to break our security, and why the kind of attack to which we are vulnerable doesn't matter nearly as much as the vulnerability we've exposed in the software encryption of credit cards. What we're trying to do, with our most recent announcements, is hold the competing systems to the same standard of full-disclosure-of-risks that we've held ourselves to all along.
-- Nathaniel
--------
Nathaniel Borenstein <nsb@fv.com>
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq@nsb.fv.com
In article <sl3GafqMc50eQWYD0N@nsb.fv.com> Nathaniel Borenstein <nsb@nsb.fv.com> writes:
As you may have read in my previous message, First Virtual has developed and demonstrated a program that completely undermines all known schemes for using software-encrypted credit cards on the Internet. More details are available at http://www.fv.com/ccdanger.
You are a liar. Your program does not undermine all known schemes for transmitting software-encrypted credit cards on the internet. You have no way of obtaining my credit card number, because I will not run your software.
Furthermore, because I use a Unix-like operating system (specifically OpenBSD) which I re-build from source code every week or so, you would need to hack my compiler to keep mis-compiling itself and compromise my kernel or netstat, ps, etc, for which you would need to be root.
The first virtual protocol seems to have some real weaknesses. However, I do not feel like wading through all the pages of text to figure out what is going on. I challenge you to post a concise description of the protocol, using syntax such as:
A -> B: {ID, xxx, ...}_Ks
With short descriptions where necessary. If you do, I'm sure we can rip your protocol to shreds (which is why you won't).
David
participants (4)
- cjs@netcom.com
- David Mazieres
- Nathaniel Borenstein
- Simon Spero