More FUD from the Luddites at FV [pt. 2]
People have been dealing with viruses and malicious programs since the dawn of PCs. (Before that even, really.) This is not news. A virus or trojan horse can do something much worse than the (possible) inconvenience of a "bad guy" getting your credit card number. Whether you're a business or an individual, having, say, your hard drive wiped clean by a virus would be several orders of magnitude worse than the relatively minor inconvenience of having to get unauthorized items deleted from your credit card bill. This is just as possible as the credit card scenario FV is painting, and PC owners have been dealing with this kind of threat for over a decade.

Rather than focus on something as tame as credit card numbers, let's look at what else a malicious program could do if it had unlimited power over your PC:

o Ransack your tax preparation files
o Compress and transmit your financial information to your competitors or to Blacknet.
o Capture the passwords and logins that you use while telecommuting
o Use your dial-up bank-by-computer software to make unauthorized transfers.
o Reformat your hard drive.

The fact is, malicious programs are a threat that has been in the background for over a decade, and PC users with any experience to speak of are familiar with at least the rudiments of dealing with this class of problem. If anything, they're more familiar with this kind of threat than more network-specific threats. (Look at the huge sales of popular anti-virus products.) Sure, there are clueless people out there, but the solution is to help make them less clueless, not to stampede them in a panic, which is apparently FV's goal here.

--doug

Ernest Hua writes:
I'm quite amazed at the level of ... well ... how can I characterize it without insulting too many people? ... arrogance? ...
Many of you would be amazed at what motivates the average person to buy or to use a computer. Most people, when asked about security, do not even have a concept, let alone how it applies in a computer environment.
There is far more misinformation and miseducation among the average user than you might think. Not everyone understands why they need a modem in order to get onto the Internet. Not everyone understands why you need to sign up for an account with an ISV in order to get onto the Internet. (You would be amazed at how many people think that just buying a modem is good enough to get onto the Internet.)
The response is typically, "I don't understand all that technobabble!" "Just give me something that works!" "This is too complicated!"
If you think that the dumb user should be left to fight for his/her own survival on the information highway, you are easily condemning 75% to 90% of the current users.
I am not entirely convinced that Borenstein is totally selfless in his (or FV's) announcement. However, the basis of his argument, while it may not apply to the cypherpunk community, has much merit in the real world.
Try helping 100 random people with computers. Bet you 90 of them have trouble getting onto the Internet, period, let alone figuring how to run Netscape. There is a reason why AOL/CompuServe do very well catering to those who are technically-challenged.
Ern
------
Douglas Barnes
cman@communities.com
cman@best.com
"The tighter you close your fist, Governor Tarkin, the more systems will slip through your fingers." --Princess Leia
In article <wl3XYbuMc50e1Ir_Ze@nsb.fv.com>, Nathaniel Borenstein <nsb@nsb.fv.com> wrote:
Excerpts from mail: 29-Jan-96 More FUD from the Luddites .. Douglas Barnes@communiti (3569*)
Whether you're a business or an individual, having, say, your hard drive wiped clean by a virus would be several orders of magnitude worse than the relatively minor inconvenience of having to get unauthorized items deleted from your credit card bill.
For the consumer, absolutely.
For the bank, having millions of credit cards compromised by a single attacker is a more serious risk.
I've read your posts; I believe I understand them, and I believe I understand how First Virtual and other online payment systems work. I do not believe that an attack of this nature *can* yield millions of credit cards -- unless the attacker is Bill Gates or Marc Andreessen (and they have less risky ways of making lots of money).

The degree to which the attack you describe is a threat to online commerce depends critically on the degree to which viruses and Trojan horse programs can propagate through their potential base of platforms.

Virii *do* propagate, we know, and someone who reads Cypherpunks surely has the information on hand to say how well they propagate, given connectivity on the Internet on the one hand and widespread antivirus software on the other. My guess is that overall, the infection rate even by well-known virii such as Michelangelo, is pretty low. Only a fraction of infected machines are going to be used for buying things over the Internet.

As for Trojan horses, their penetration depends on how widely used they are. If one posted PAMELA ANDERSON STRIP POKER!!!1! to alt.binaries.pictures.erotica, how many copies would be downloaded and installed? How many users would also be online shoppers?

The only way millions of credit cards would be at risk would be if the Trojan horse were installed on millions of Internet-connected machines -- it would have to be a very widely used Trojan horse, something as widely used as Win95, or Netscape. I believe that a person who can get that kind of distribution of their software has less risky and more fruitful ways of making money than stealing credit card numbers.

In short, I believe that the risk to the credit card business of this attack is *at most* no greater than Xriva Zvgavpx'f (*) hack of 20,000 credit cards from Netcom, and very likely far, far smaller. "Millions" is an absurd and dishonest exaggeration. You should be ashamed of yourself.
(*) Overused and overhyped name rot13ed to protect the delicate sensibilities of the Cypherpunks.

--
Alan Bostick | He played the king as if afraid someone else
Seeking opportunity to | would play the ace.
develop multimedia content. | John Mason Brown, drama critic
Finger abostick@netcom.com for more info and PGP public key
Excerpts from mail: 29-Jan-96 More FUD from the Luddites .. Douglas Barnes@communiti (3569*)
Whether you're a business or an individual, having, say, your hard drive wiped clean by a virus would be several orders of magnitude worse than the relatively minor inconvenience of having to get unauthorized items deleted from your credit card bill.
For the consumer, absolutely.

For the bank, having millions of credit cards compromised by a single attacker is a more serious risk.

--------
Nathaniel Borenstein <nsb@fv.com>
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq@nsb.fv.com