At 8:18 AM 1/31/96, Rishab Aiyer Ghosh wrote:

FV demonstrated, through it's "card sharp" or whatever, that real-time transactions are vulnerable to sniffers on the recipient's own machine. Of course. We all knew that. But the mistake is to assume that FV isn't _equally_ vulnerable to that threat. If you can write a trojan that will somehow get privileged access to my machine, trap my keystrokes, and identify my credit card number, you can certainly write one that will, sitting on my machine: "intercept the user's electronic mail, read the confirmation message from First Virtual's computers, and send out a fraudulent reply" (to quote from Simson's article). Simson further quotes FV's Lee Stein: "A single user can be targeted, Stein said, but ''it is very difficult. . . . There are too many packets moving . . . to too many different machines.''" - which is of course equally true for real-time Netscape transactions.

Oh, I think that such a program can be written. However, it would be much harder to get right, considering all of the different ways that people read e-mail. ============= Simson's Schedule: Feb 2 - Feb 5 - Cambridge: Conference on Freely Redistributable Software Feb 7 - Feb 13 - Baltimore: American Association for the Advancement of Science. Feb. 28 - March 1 - Seybold, Boston. March 23 - NYC. MacFair. March 27 - March 30: Cambridge. Computers, Freedom and Privacy.