C'mon, How Hard is it to Write a Virus or Trojan Horse? (was Re: Apology and clarification)

Jamie Zawinski jwz at netscape.com
Thu Feb 1 03:38:09 PST 1996 

Jeff Weinstein wrote:
> 
> I think that you are misinterpreting the intent of Jamie's posting,
> but I will let him defend himself.

Well I'm not particularly interested in arguing about this further
(and I suspect this is true of most people reading this too :-))
but my point was: Nathaniel and crew have implemented the easy part 
(a tiny fraction) of a program which would successfully capture some
large number of credit card numbers.  Nathaniel thinks that what I'm
characterizing as a tiny fraction of the work (the keyboard sniffer and
pattern recogniser) is *most* of the work, and "demonstrates" the
attack.  I said that they have demonstrated nothing without some proof
that combining this with an infection vector would yield the desired
result, because I don't think that infecting some vast number of
credit-card-using computers is any small task; whereas, Nathaniel says
(or at least strongly implies) that it's trivial (or so close to trivial
that it can be taken as a given.)

Nathaniel said:
> As I see it, we have implemented every part of the attack that we can
> implement without doing anything that is either unethical or illegal. 

It's far from clear that you need to do something unethical or illegal
to prove that coupling it with an infection vector would be effective.

For example, you would no doubt agree that evesdropping on some
unsuspecting user's transaction on an exportably-crippled SSL connection
would be immoral.  But it wasn't necessary to do anything immoral to
demonstrate conclusively that such an attack was possible.  It just
required a little creativity, and a lack of handwaving.

> Is it your position that no systematic flaw in your security is real
> until someone has actually broken it?

Of course not.  You don't have to actually break it to show that it's
possible.

Of course, you *do* have to show the likelyhood of success and effort
required to pull it off as well before it's interesting at all, whether
it's theoretically possible or not.

	== Jamie

More information about the cypherpunks-legacy mailing list