Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards
> It's considerably more than that. Please read on.
No, Nathaniel, it is not. You watch keystrokes and record the ones you're interested in. This technique has interesting possibilities, but all your PR screaming won't make it anything more than what it is.

How interesting are these possibilities? It's hard to say.

Don't run software you don't trust. Well, most of the people on this list probably already know that. I betcha a good-sized portion of the computer-using populace knows this, but actively (or passively) defers the choice to someone else.

You must trust something. You folks trust the telephone (never gets tapped, right?), the postal service (of course mail never gets stolen), banks or credit card companies (which never have problems). And then, on top of that foundation of sand, you build a commerce system with MIME and SMTP (sendmail is the most bug-free program ever written).

I used to think you were aggressive techies; now you're just greedy bastards who will seemingly stop at nothing. Stef's blatant attempts to ensure MIME's use in IETF-PAY were not an exception, but the first salvo.

You make me sorry I invented safe-tcl and made FV possible.

/r$
Excerpts from mail: 29-Jan-96 Re: FV Demonstrates Fatal F.. Jamie Zawinski@netscape. (473*)
> I'll bet they could get a patent on it... There's probably some money to be made with that approach.
Actually, I'm pretty sure it was Eric Hughes who said something like (apologies if I'm misquoting or misremembering) "The most profitable course of action, for a person who discovers a security hole, is almost always to keep quiet about it." It's very easy to see how a criminal can make money with this approach, but it's much harder to see how a legitimate business could do so. We did what we thought was the responsible thing, and tried to describe it in terms that were also in our business interest. Now, if I figure out how to really *solve* this problem, that would be worth patenting.... :-)

-- NB
--------
Nathaniel Borenstein <nsb@fv.com>
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq@nsb.fv.com
Rich Salz wrote:
> > It's considerably more than that. Please read on.
>
> No, Nathaniel, it is not. You watch keystrokes and record the ones you're interested in. This technique has interesting possibilities, but all your PR screaming won't make it anything more than what it is.
>
> How interesting are these possibilities? It's hard to say.
I'll bet they could get a patent on it... There's probably some money to be made with that approach.

== Jamie
> > > It's considerably more than that. Please read on.
> >
> > No, Nathaniel, it is not. You watch keystrokes and record the ones you're interested in. This technique has interesting possibilities, but all your PR screaming won't make it anything more than what it is.
> >
> > How interesting are these possibilities? It's hard to say.
>
> I'll bet they could get a patent on it... There's probably some money to be made with that approach.
Oh, shit. Don't give them any ideas ;)

--
Ed Carp, N7EKG
Ed.Carp@linux.org, ecarp@netcom.com
214/993-3935 voicemail/digital pager
800/558-3408 SkyPager
Finger ecarp@netcom.com for PGP 2.5 public key
an88744@anon.penet.fi

"Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes
Excerpts from mail: 29-Jan-96 Re: FV Demonstrates Fatal F.. Rich Salz@osf.org (1188)
> You must trust something. You folks trust the telephone (never gets tapped, right?), the postal service (of course mail never gets stolen), banks or credit card companies (which never have problems). And then, on top of that foundation of sand, you build a commerce system with MIME and SMTP (sendmail is the most bug-free program ever written).
I certainly don't trust the telephone not to be tapped on an individual basis. I used to trust the telephone not to be tapped in a selective way based on keyword recognition, but in recent years, with the improvement in voice recognition technology, I have stopped trusting it that way, and I know plenty of other people have too -- if you say "NSA" into a cellular call, you are probably inviting an eavesdropper.

The Internet environment is EVEN LESS trustable. Installing the kind of general phone tap I just mentioned is very hard to do, and requires a level of access that is almost impossible unless you're the phone company or the government. The level of software needed to recognize spoken keywords is quite sophisticated. On the Internet, almost anyone can tap data streams, and almost anyone can install keyboard sniffers on user machines, and the level of software needed to recognize keywords in ASCII is very simple. The risk models are very different.

Similarly, we trust the postal service and certain uses of email not to be free of any insecurities, but to be hard to defeat in a large-scale automated way. That kind of statistical risk is the foundation of the security of the credit card system -- not perfect security, but bounding of individual risks and preclusion of large-scale attacks.
> Stef's blatant attempts to ensure MIME's use in IETF-PAY were not an exception, but the first salvo.
I have no idea what you're talking about here.
> You make me sorry I invented safe-tcl and made FV possible.
I *really* have no idea what you're talking about here. There are two ideas here that strike me as delusional: that you invented safe-tcl and that safe-tcl made FV possible. To the best of my knowledge, neither of these is true.

-- Nathaniel
--------
Nathaniel Borenstein <nsb@fv.com>
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq@nsb.fv.com