FV Demonstrates Fatal Flaw in Software Encryption of Credit
Paul M. Cardon
pmarc at fnbc.com
Tue Jan 30 05:08:44 PST 1996
My mailer insists that Nathaniel Borenstein wrote:
> Excerpts from mail: 29-Jan-96 Re: FV Demonstrates Fatal F.. Rich
> Salz at osf.org (255)
>
> > >There are many ways to spread it besides a virus. Zillions of
> > >'em. And
>
> > There are zillions (what, more than one thousand?) ways to get
> > someone to run a random piece of software that will capture their
> > keystrokes?
>
> Yes, zillions, although I'm not using that as a technical term.
>
> > I don't believe you. Name six.
>
> Sure thing, always glad to clarify my claims.
>
> 1. (my current favorite) post it to MSN. There, Microsoft has made
> getting infected with a Trojan Horse as easy as clicking on an icon
> embedded in a mail or news message. (You want to try convincing the
> average consumer that it isn't safe, if Microsoft makes it that
> easy?)
>
> 2. Get the sources to a public domain image viewer. Change them
> slightly. Claim that you've improved it by 13.7%. Post your
> improved (and infected) image viewer to the net.
>
> 3. Ditto for an audio viewer, a mail reader, a news reader,....
> (zillions right there alone)
I count numbers 1, 2 and 3 as one way (Trojan Horse).
> 4. Imitate the IBM Christmas exec. Break into someone's site and
> steal their mail aliases file. Now send mail to everyone on their
> alias list, pretending to be them, offering them a cute animation
> program they can install. The animation will happen, but it will
> also send mail to all THEIR aliases (like the Christmas exec) and
> (unlike that) install our malicious snooping software.
If you can break in that far, I can think of much more imaginative
things to do with the access.
> 5. Write a genuinely useful program (or a game) of your own, but
> embed your attack in it.
Again, 4 and 5 are the same as 1,2 and 3. (I thought I smelled
horse biscuits.)
> (Caution: Being the real author will
> increase your traceability.)
Insultingly obvious.
> 6. Write a pornographic screen saver. Not only will zillions of
> people download it, but they will EXPECT the code to watch
> keystrokes.
YATH (Yet Another Trojan Horse)
> 7. [*maybe*] Spread it by Java applet. This is a maybe because the
> level of Java security seems to be browser-discretionary. Even a
> relatively conservative let-the-user-choose approach like
> Netscape's, however, can be defeated with a little social
> engineering, as in "this is a really cool Java applet to do XYZ,
> but you'll have to set Netscape's Java security level to minimum to
> run it....."
Yes. Trojan Horse. Whinny. Neigh.
> 8. Internet-based breakin/installations, e.g. to NT or anything
> else that runs incoming services.
Ahh, finally something other than a Trojan Horse attack, but it
only affects sites with poor security. In that case, this attack is
the least of their problems.
> 9. Traditional virus techniques.
>
> Oh, you only asked for 6, sorry..... Feel free to ignore a few.
Wow, a whole three different attacks and most of them much more
useful for things other than gathering credit card numbers.
It's sad to think that a lot of people may actually believe this
crap. Let's just hope that enough technical users provide rebuttals
in the other fora where this stuff appears.
---
Paul M. Cardon -- I speak for myself. 'nuff said.
MD5 (/dev/null) = d41d8cd98f00b204e9800998ecf8427e
More information about the cypherpunks-legacy
mailing list