FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards

Tue Jan 30 08:59:01 PST 1996

At 9:29 PM 01/29/96, zinc wrote:
[...]
>the point is not that this can be done, the point is that users need
>tools that would check for programs like this running on their
>system.  is fv making a 'fix' available?  i would imagine a  'fix'
>would be a program that would look for tsr type programs (or inits on
>a mac) that do this sort of thing.

At first I was going to say there was no way to do this--a program can't be
written to look at an arbitrary program as intput and determine if it does
a certain semantic action (steals your key strokes).    And I think this is
true.
However, on the MacOS at least, I believe that a key-capturing program
would have probably have to patch a particular point (or one of a set of
particular points) in the OS, and a program could probbably look at the OS
in RAM (or wherever patches happen; in RAM I think) and make sure it hasn't
been patched--it's the way MacOS 7.5.X looks straight out of the
shrinkwrap, nothings been done to it.  Or report that, indeed, that portion
of the OS has been patched, and some program might be logging your keys.
[Of course, some legitimate programs might patch these portions of the OS
too--so you'd have to be careful not to have a hacked version of those
legitimate programs that also captured your keys.  zinc's next point is
relevant here, of course.]

Can anyone tell me for sure if this would indeed be feasible?

>this is the sort of thing that crypto can help with.  there should be
>a site that PGP signs the programs available from their site.  these
>signed programs will have been testing on the appropriate system and
>verified to be free of small malicious programs such as the one you
>describe.  alternatively, the author themselves could PGP sign the app
>(this is already done) and this would be what users should d/l.

True.  But, remember, you've still got to trust the _author_ of the
program. Commercial programs generally dont' have source available, so I'm
basically trusting Steve Dorner not to have Eudora send a copy of all my
messages to the NSA.  Even if the sources were available, most people
aren't going to want to (or be capable of) going through the source, so
they're trusting other third parties who have said "yep, I looked at the
source, and it's okay."  And, while there are plenty of third party types
to look at a program like PGP (although, actually, I can't identify any
reliable third party crypto type, not on the PGP developement team, who I
know has looked at the PGP source and pronounced it okay. Doesn't mean it
hasn't happened, but it means realistically, users _don't_ rely on third
party guarantees of security in the source. Or at least I don't, but how
many of you out there know a reliable third party source that has given a
seal of approval to PGP, and specifically rely on that knowledge to give
you confidence in using PGP?)... umm, while there are plenty of third party
types to look at PGP, there are surely millions of lines of commercial
software produced every year,  and I'm not sure where all these reliable
third party types to look at the code are going to come from.  In theory,
having source available is good.  In practice, you still end up trusting
the designer not to do anything bad to you.