Re: Cybank breaks new ground; rejects public-key encryption
C Matthew Curtin (cmcurtin@megasoft.com) wrote:
People need to learn that the sort of snake oil that is being sold as "secure" just won't cut it. Your concern for the customers of Cybank is valid, however, so I propose something along these lines:
Announce, very publicly, such that every Cybank customer would hear about it in time, that you have cracked their hokey little non-crypto scheme, and that you intend to publish your work in a full-disclosure paper to be published on Month Day, Year. [...]
I chuckled when this whole Cybank thing started. Only a month or so ago, they had some funky bug in their mail system such that all their internal email was being cc'd to the First Virtual users' mailing list (and also to one poor individual). They were helpless and completely unable to figure it out, as we watched their (not very happy) internal messages float unrequested into our mailboxes.
Seth
---------------------------------------------------------------------------
Seth I. Rich - seth@hygnet.com "Info-Puritan elitist crapola!!"
Systems Administrator / Webmaster, HYGNet (pbeilard@direct.ca)
Rabbits on walls, no problem.
Thu, 18 Jul 1996, Seth I. Rich wrote:
scheme, and that you intend to publish your work in a full-disclosure paper to be published on Month Day, Year. [...]
ago, they had some funky bug in their mail system such that all their internal email was being cc'd to the First Virtual users' mailing list
There must be something wrong with bank people all over the world. One local bank that now is offering payments using their WWW server here in Estonia, and every time I publicly announce some security flaw in their system, I have to convince them this bug really exists, they never want to believe me. Also those bank persons are saying they will believe me only when I really break into their system and transfer money from somewhere else's account. It just seems the reward they are offering me is not enough for my work. What might be a good reward for hacking into an Internet bank and showing I can steal their money?
Jüri Kaljundi
AS Stallion
jk@stallion.ee
Jüri Kaljundi writes:
There must be something wrong with bank people all over the world. One local bank that now is offering payments using their WWW server here in Estonia, and every time I publicly announce some security flaw in their system, I have to convince them this bug really exists, they never want to believe me.
I would suggest a much simpler technique. Explain to them the next time you point out a flaw, that you will be explaining these flaws by publishing exploits in the local newspaper, and that all future flaws will be explained in the newspapers until such time as they begin to take you seriously.
What might be a good reward for hacking into an Internet bank and showing I can steal their money?
Don't bother. Just describe the flaws in public enough, and then you have no risk because you are not committing a crime, and you have a gain because you get an increase in your reputation for supplying accurate information.
Perry
At 12:05 PM -0400 7/18/96, Perry E. Metzger wrote:
I would suggest a much simpler technique.
Explain to them the next time you point out a flaw, that you will be explaining these flaws by publishing exploits in the local newspaper, and that all future flaws will be explained in the newspapers until such time as they begin to take you seriously.
Frankly, newspapers sound like too much work. Just post them here. That should get their attention. It worked for Ian. :-). Sort of like the old Alaskan bumper sticker: "Eat caribou. 10,000 wolves can't be wrong." Well, maybe it's a non-sequitur. But, I did think "1,000 Cypherpunks" before remembering said bumpersticker from my childhood. Which is close enough, I figure... :-).
Cheers,
Bob Hettinga
-----------------
Robert Hettinga (rah@shipwright.com)
e$, 44 Farquhar Street, Boston, MA 02131 USA
"'Bart Bucks' are not legal tender." -- Punishment, 100 times on a chalkboard, for Bart Simpson
The e$ Home Page: http://www.vmeng.com/rah/
else's account. It just seems the reward they are offering me is not enough for my work. What might be a good reward for hacking into an Internet bank and showing I can steal their money?
Getting to keep the money :-)
jk@stallion.ee writes:
There must be something wrong with bank people all over the world. One local bank that now is offering payments using their WWW server here in Estonia, and every time I publicly announce some security flaw in their system, I have to convince them this bug really exists, they never want to believe me. Also those bank persons are saying they will believe me only when I really break into their system and transfer money from somewhere else's account. It just seems the reward they are offering me is not enough for my work. What might be a good reward for hacking into an Internet bank and showing I can steal their money?
Probably not as high as the reward for hacking into a bank and not showing them that you can steal their money.
Regards,
pjm
participants (7)
- Jüri Kaljundi
- Patrick May
- Paul Foley
- Perry E. Metzger
- Robert Hettinga
- Seth I. Rich
- virgo@nob.tiac.net