Ian Goldberg seems to be on a roll. First he figured out how to find out how anyone can determine anyone else's ecash mint balances, and now he does this. The man's a genius. If you don't believe it, ask me, I'll tell you. ;-). Cheers, Bob Hettinga --- begin forwarded text To: ecash@digicash.com Path: not-for-mail From: iang@cs.berkeley.edu (Ian Goldberg) Newsgroups: isaac.lists.ecash Subject: HUGE denial of service attack against any ecash customer!!! Date: 15 May 1996 16:09:29 -0700 Organization: ISAAC Group, UC Berkeley Lines: 42 Sender: owner-ecash@digicash.com Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- (Again Cc:'d to ecash-feedback, hoping for a security prize. I wonder who's keeping track... Also Cc:'d to cypherpunks, for fun...) So I had some more free time... (Dave cringes when I say that.) Here's a cute one: Give me an account number, and I can prevent it from being used until an arbitrary time in the future (of my choosing). How? Simple. Send a deposit message with 0 coins (well, any message will work, I think, but this is one of the simplest messages there is) with a timestamp of some future time. Messages stamped prior to that (such as everything coming from the actual user for that account, until the time comes) will be politely discarded. (Actually, I think the last reply to a withdrawal request is continually resent, but I'm not exactly sure of this.) In any case, the actual user will be unable to withdraw money from his mint until the time sent in the denial-of-service message. (Unless he forward-dates his computer's clock, or something...) I've tested this against myself and Sameer (with his cooperation, of course). Anyone else want to be locked out for an hour? (Actually, I could pretty effectively lock out _everyone_ for an arbitrarily long time, it seems...) - Ian "Right. I want the sources to the client and the server released. Now." :-) -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMZpj3kZRiTErSPb1AQF0SAQAmOEZJTg0v3utWFodDXZ4iv4xa7I+QbNQ Nlsbkug8dtkdf+Jboe+vBtrs5IWSSff8bWntGwfODckct26NwzpVM9bUIXohVoRQ jOkRT9a8m/X00jUAoFOTq5O5Rz87a3Uw8MGFugP5Y4DCk+UqnTA70cuozyOCgb8m 8oke89V9Q0E= =ARMe -----END PGP SIGNATURE----- --- end forwarded text ----------------- Robert Hettinga (rah@shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "If they could 'just pass a few more laws', we would all be criminals." --Vinnie Moscaritolo The e$ Home Page: http://thumper.vmeng.com/pub/rah/