FV's blatant double standards

John Pettitt jpp at software.net
Mon Feb 5 14:22:28 PST 1996


At 09:26 AM 2/4/96 -0500, Simson L. Garfinkel wrote:
>At 8:18 AM 1/31/96, Rishab Aiyer Ghosh wrote:
>>FV demonstrated, through it's "card sharp" or whatever, that
>>real-time transactions are vulnerable to sniffers on the recipient's
>>own machine. Of course. We all knew that. But the mistake is to
>>assume that FV isn't _equally_ vulnerable to that threat. If you
>>can write a trojan that will somehow get privileged access to my
>>machine, trap my keystrokes, and identify my credit card number,
>>you can certainly write one that will, sitting on my machine:
>>    "intercept the user's electronic mail, read the confirmation
>>    message from First Virtual's computers, and send out a fraudulent
>>    reply"
>>(to quote from Simson's article). Simson further quotes FV's Lee
>>Stein: "A single user can be targeted, Stein said, but ''it is very
>>difficult. . . . There are too many packets moving . . . to too many
>>different machines.''" - which is of course equally true for real-time
>>Netscape transactions.
>
>Oh, I think that such a program can be written. However, it would be much
>harder to get right, considering all of the different ways that people read
>e-mail.
>
>
The code looks something like this:

1) hook into the winsock and look for an FV message in the web data stream,
save the ID.

2) now look for an approve/deny/fraud, when you see one you know that the
user uses 
an IP connection for mail and web.

3) Forward the ID to an anon box.

4) Look for outbound FV messages with 'fraud' or 'deny' and change to 'approve'.

Clearly this will miss AOL, CI$ etc al but thats not important.

The issue is not FV noticing the error, they will, it's how long it takes
 and how much you can steal in the interim.

There is a Helen Keller quote I'm rather fond of which starts:
 "Security is mostly a superstition ..."

  *If the machine is not secure all bets are off*

The most likly failure vector for this attack is that so few people use FV :-)







John Pettitt, jpp at software.net
VP Engineering, CyberSource Corporation, 415 473 3065
 "Technology is a way of organizing the universe so that man
  doesn't have to experience it." - Max Frisch







More information about the cypherpunks-legacy mailing list