C'mon, How Hard is it to Write a Virus or Trojan Horse? (was Re: Apology and clarification)

[Nathaniel Borenstein]

Excerpts from mail.cypherpunks: 30-Jan-96 Re: Apology and clarification
Jamie Zawinski at netscape. (4170*)

> Nathaniel Borenstein wrote:
> > 
> > What we at FV have done is to demonstrate how easy it is to develop an
> > FULLY AUTOMATED attack that undermines the security of all
> > software-based credit card commerce schemes.

> You have done no such thing.  You have written *one component* of that
> attack, and the easiest part of it at that.

> Combine it with a virus, or self-replicating worm, and demonstrate that
> it is immune to all known virus checkers, and *then* you will have
> spoken the truth when you say you have "demonstrated" anything.

This is a particularly fascinating reaction, Jamie.  As I see it, we
have implemented every part of the attack that we can implement without
doing anything that is either unethical or illegal.  Is it your position
that no systematic flaw in your security is real until someone has
actually broken it?  

Actually, that position would in fact be quite consistent with your
company's earlier implicit assertion that 40-bit encryption was
sufficient (for international consumers) until somebody actually broke
it, even though everyone who understood cryptography already knew
otherwise.

> You may think this is nitpicking, but the fact is, you're assuming that
> the implicit cooperation of some vast number of users in running your
> program is easy to obtain.  I disagree with this assumption.  If this
> assumption were true, then viruses would be a much bigger problem than
> the mere annoyance that they are today.

Nearly everyone with a computer has either been infected with a virus or
knows somebody who has.

There has never been a serious financial incentive for virus writers in
the past, so they haven't ever been, for example, bankrolled by
organized crime.  They've been written by sociopathic hobbyists in the
past.  Your commerce mechanism gives them an incentive to turn pro.

The average sophistication of Internet users is dropping every day, as
the net continues to explode, and the ease of spreading malicious
software is going up accordingly.

Having said all that, I do agree with you 100% that the hardest part of
the devastating, automated attack that we have outlined is in fact the
infection vector.  You are absolutely right about that.  What we have
shown is that the HARDEST part of stealing an unbounded number of credit
cards transmitted using your company's preferred commerce mechanism is,
in fact, the deployment of a virus or Trojan Horse.  Unfortunately, as
most personal computer users have long since realized, that just isn't
that uncommon or hard to do.

> *Computers* provide a path to large-scale fraud.  So does the printing
> press.  So does the telephone, and the postal system.  So what.  You
> still haven't proven that it's easy.

I suspect that the world's financial institutions will, by and large, be
grateful that First Virtual doesn't share your belief that one has to
wait for a criminal to break a system to be convinced that it is
insecure. 

Show me an automated way to break the postal system in a large-scale way
without getting caught, and then I'll be worried about it, too.

> With as much work as you've put into this, someone could write a
> Microsoft Word document which when opened, would start dumping the
> contents of your hard disk into the mail.  

Ooh, good point.  We could probably use MS Word macros as the infection
vector for our program.  I like that idea.  I'll add it to our list of
potential ways this program could spread itself.

However, the entire contents of your hard disk aren't of direct economic
value.  They're also hard to digest, and they're big enough to be likely
to be noticed in transit (e.g. they can easily fill up mail spools if
you mail 'em out).  I'd much rather sift through your hard disk looking
for credit card numbers, and then spirit them quietly off your machine. 
But I'd also install a keystroke sniffer if I suspected the user might
be using your preferred mechanism to send out his credit card number.

> It's not a matter of possibility.  It's a matter of probability, and
> risk management.  It's unlikely enough that I'm not afraid of using my
> credit card on the net.  Tell me my credit card number, and I'll change
> my mind.

Hey, you're a smart guy.  That probably means your machine is relatively
hard to infect.  A criminal would skip you and instead target the
millions of consumers who were more easily infected.  I didn't describe
a scheme that could target one individual's credit card.  I described a
scheme that could steal millions of them indiscriminately.

> All a banker needs to know is the amount of risk associated with the
> thing in which they are investing; they don't need to know how keyboard
sniffers work.

The "trust us, we're experts" approach to security is only as good as
the experts you trust, as you've just amply demonstrated.  For my part,
I'm happy to let the bankers hire independent experts study the attack
we've outlined and reach their own conclusions.  -- Nathaniel
--------
Nathaniel Borenstein <nsb at fv.com>
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq at nsb.fv.com