FV, Netscape and security as a product

NSB's messages have suggested, amongst the fear-mongering, that the real target of the card-shark publicity campaign is not Joe Consumer but bankers, investors, and other "big money" folks; people who care about the large-scale fraud rate of credit card use. (Yes, the rate of fraud affects all consumers, but most people experience it as a relatively small and unavoidable cost lost in the noise of other small costs.) NSB/FV used the Murky News to reach those people the way that some people will rent a freeway-visible billboard to propose marriage to a single commuter. The trouble and expense that the sender was willing to suffer to send the message are intended to cause the reader to take the message more seriously. The rest of us who see the message on C-punks or drive past and wonder "Who is Bonnie, and why is Clyde proposing marriage to her on the freeway?" aren't an important part of the process.

But I don't see FV's tactics as being especially different from folks at IBM writing a virus which affects Windows but not OS/2, and quietly shopping it around to scare Microsoft customers, or Ford underwriting an NBC news program which shows Chevy pickups blowing up. (Both are hypotheticals.) Sure, it can be done, and perhaps it's not dishonest, and perhaps they can wear the hat of "Consumer Protector Man", but I think it'd come across as less offensive if it weren't presented as a discussion about security. Statements which can be boiled down to "We think our product is superior to our competitor's product" don't mix well with quotes from academics and a "Chief Scientist" signature block. While, as Vin McLellan points out, Simson Garfinkel's articles were technically accurate (modulo the quote from Daguio, where he's quoted as suggesting an "out of hand" transaction, which is likely either a typo or a misunderstanding - dollars to donuts he said "out of band"), they also appeared as part of a marketing process.

Netscape and FV have both taken a "security is a product" stance, which is a gross misrepresentation. FV and NSB's materials have done a good job of critiquing Netscape's "security is a product / don't worry, just look for the cute blue key" approach, but would replace it with their own "security is a product / trust the phone but not the net" approach. Both suggestions (and the implication of the Murky News articles, that one can be trusted but not the other) are wrong. Security is never a product. (Not a firewall, not a fancy browser, not PGP, not a gun, not the Club, not an airbag.) FV has tried to productize their approach (out-of-band transfer of credit card number + long clearing time for sellers + negligible per-unit cost for goods sold) but it won't work any better for FV consumers than it does for anyone else who tries to buy something which can't be sold.

It's a shame that Garfinkel didn't spend more time/column space on suggestions or observations from the independent people he interviewed and less time on the "hot news - Netscape security broken by a competitor" angle. Are there really any "big money" people left who don't have formal or informal access to someone computer/Internet savvy enough who could have pointed out that the cardshark attack is nothing new? Yes, bad things happen if you run bad software. A two-way link between your computer and the rest of the world means it's possible for bad software to send your data to other people. It's the "Prodigy reads your hard disk/Microsoft Registration Wizard reads your hard disk" scare all over again, with "Prodigy" replaced by "evil untraceable criminals" and "hard disk" replaced by "keystrokes". Duh.

We should, however, learn from what FV did right - they wrote software which (apparently) had or can have a real political effect. (It seems to have worked on Garfinkel, anyway.) Cypherpunks write code? FV wrote code and got some attention for their otherwise unexciting message. (It seems to be a combination of working code and good user interface - witness the cooing over the icon indicating which type of credit card you're using and the fact that it uninstalls itself.) It's a shame that they won't use their powers for good instead of evil.

-- 
"The anchored mind screwed into me by the psycho-    | Greg Broiles
lubricious thrust of heaven is the one that thinks   | gbroiles@netbox.com
every temptation, every desire, every inhibition."   |
  -- Antonin Artaud                                  |

Greg Broiles wrote:
Netscape and FV have both taken a "security is a product" stance, which is a gross misrepresentation.
We are definitely moving away from the "security is a product" stance that you mention. It was definitely overdone in the early days of the product, but after the security bugs of the summer I and others were able to convince marketing that they should back off. I want it to be clear what our product can and can not do. For example, SSL can only protect data in transit between two machines. If either machine is compromised then the data can be stolen at that end. Our product does not attempt to secure the user's machine, and can not operate securely on an insecure machine. Expect to see warnings and disclaimers of this nature from us in the future.

  --Jeff

--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
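Jeff's point above, that SSL protects data only in transit and that a compromised endpoint sees it anyway, can be shown directly. The following is an added example, not code from this thread, from Netscape or from First Virtual. It assumes a TLS connection over loopback with a throwaway self-signed certificate, a hypothetical `tapConn` wrapper standing in for a sniffer on the network path, and an in-process buffer standing in for a keystroke logger on the client's machine; the card number is a constructed test value.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// tapConn records every byte the client sends: what a sniffer on the path would see.
type tapConn struct {
	net.Conn
	wire bytes.Buffer
}

func (t *tapConn) Write(p []byte) (int, error) {
	t.wire.Write(p)
	return t.Conn.Write(p)
}

// selfSignedCert makes a throwaway cert for 127.0.0.1 (constructed for this example).
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, err
}

// runExchange sends secret over TLS and returns (server saw, wire saw, client logger saw).
func runExchange(secret string) (string, []byte, string, error) {
	cert, leaf, err := selfSignedCert()
	if err != nil {
		return "", nil, "", err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", nil, "", err
	}
	defer ln.Close()
	var got string
	errc := make(chan error, 1)
	go func() { // server: accept one connection, read until the client's close_notify
		raw, err := ln.Accept()
		if err != nil {
			errc <- err
			return
		}
		// Tickets off: the client never reads, and unread data at close means RST, not FIN.
		srv := tls.Server(raw, &tls.Config{
			Certificates: []tls.Certificate{cert}, SessionTicketsDisabled: true})
		defer srv.Close()
		b, err := io.ReadAll(srv)
		got = string(b)
		errc <- err
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return "", nil, "", err
	}
	tap := &tapConn{Conn: raw}
	cli := tls.Client(tap, &tls.Config{RootCAs: pool, ServerName: "127.0.0.1"})
	// A compromised client host sees the secret before TLS does: keylog stands in for a
	// keystroke logger, MultiWriter for the same keystrokes reaching attacker and TLS.
	var keylog bytes.Buffer
	_, werr := io.WriteString(io.MultiWriter(&keylog, cli), secret)
	cerr := cli.Close() // close_notify lets the server's ReadAll finish cleanly
	if err := errors.Join(werr, cerr, <-errc); err != nil {
		return "", nil, "", err
	}
	return got, tap.wire.Bytes(), keylog.String(), nil
}

func main() {
	got, wire, logged, err := runExchange("4111 1111 1111 1111") // constructed test value
	fmt.Println(err, got, bytes.Contains(wire, []byte(got)), logged)
}
```

The server application gets the plaintext and the bytes on the wire never contain it, which is all SSL promises; the logger sitting on the client host gets the same plaintext without touching the TLS layer at all, which is the "compromised endpoint" case Jeff describes. Nothing in the protocol can tell the two apart, because from TLS's point of view the logger is simply part of the endpoint.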

Excerpts from mail.cypherpunks: 31-Jan-96 Re: FV, Netscape and securi.. Jeff Weinstein@netscape. (985*)
Netscape and FV have both taken a "security is a product" stance, which is a gross misrepresentation.
We are definitely moving away from the "security is a product" stance that you mention. It was definitely overdone in the early days of the product, but after the security bugs of the summer I and others were able to convince marketing that they should back off. I want it to be clear what our product can and can not do. For example, SSL can only protect data in transit between two machines. If either machine is compromised then the data can be stolen at that end. Our product does not attempt to secure the user's machine, and can not operate securely on an insecure machine. Expect to see warnings and disclaimers of this nature from us in the future.
I applaud this clear, sensible, and correct statement. Nicely put, Jeff.

I don't think it's fair for Greg to characterize our approach as "security is a product". Quite the contrary, we keep talking about security as a *process*. It's made up of multiple layers, which may include digital signatures, encryption, hard-to-sniff identifiers, out-of-band mechanisms, confirmation loops, vigorous investigation of attempted fraud, and probably many other things, not to mention more "traditional" aspects of server-level security.

-- Nathaniel

--------
Nathaniel Borenstein <nsb@fv.com>
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq@nsb.fv.com