Interesting People mailing list archives
Apology and clarification from Borenstein as sent to cyberpunks
From: Dave Farber <farber () central cis upenn edu>
Date: Tue, 30 Jan 1996 05:45:26 -0500
Date: Tue, 30 Jan 1996 04:57:15 -0500 (EST) From: Nathaniel Borenstein <nsb () nsb fv com> First of all, I believe that I owe the cypherpunk community an apology for an error in judgement on my part. The message that I sent out yesterday regarding our demonstrations of a newly-discovered security threat was the exact same text that I sent to a far less technical audience. As such, I understand that many people on this list found the tone of my message to be insulting and offensive. I apologize, and I certainly didn't mean to insult anyone's intelligence. Having said that, please cut me a break. If you read my message as saying "FV has just invented keystroke sniffing" you've completely missed the real attack here. If you really think I'd throw away my reputation on a bogus claim like that, you're insulting *my* intelligence. My (charitable?) take on it is that a lot of people were so put off by the tone of my mass-market message that they leapt to the quick but erroneous conclusion that there was no underlying content. There is. The threat is NOT from keystroke sniffing per se, and we're certainly not claiming to have invented keystroke sniffing. However, we do have to *explain* keystroke sniffing in the public announcement, because it is a *part* of our attack, and most of the public does NOT already know that it's possible. What we at FV have done is to demonstrate how easy it is to develop an FULLY AUTOMATED attack that undermines the security of all software-based credit card commerce schemes. It is the automated aspect that separates it from all of the "dumpster-diving" attacks on credit card numbers which have previously been widely discussed, because it provides a path to large-scale fraud that has never been publicly discussed before, to my knowledge. The key "invention" in our approach is to integrate several techniques that are already well-known (in this community) into an automated attack that we consider to be devastating to commerce systems based on software-encrypted credit cards. Our approach combines the following four known problems into a fatal attack: 1) Consumer machines are insecure and easily compromised. 2) Keyboard sniffers are easy to write. 3) Credit card numbers are self-identifying (they have check digits) and can easily be extracted from a huge stream of input data. 4) Once intercepted, small amounts of information (e.g. a cc #) may be distributed completely tracelessly over the Internet. When you put all four of these together, you have an attack that IS new, in the sense that nobody we know of has ever mentioned it before, and which could in fact be used by a single criminal, with only a few weeks of programming, to tracelessly steal MILLIONS of credit cards, if software-encrypted credit-card schemes ever caught on. This is a very real threat. If you think we're just re-hashing keyboard sniffers, you haven't yet understood what we're demonstrating. The real threat is the traceless theft of millions of credit card numbers by a single easily mounted automated attack. So here's the factual claim, to be proven or disproven: One good programmer, in less than a month, can write a program that will spread itself around the net, collect an unlimited number of credit card numbers, and get them back to the program's author by non-traceable mechanisms. Does anyone on this list doubt that this is true? If so, I'd like to know the flaw in my thinking, -- I am *not* too proud to withdraw any claims that aren't true. If not, I think it's worth noting that this fact was previously completely unknown to the bankers and businessmen who are putting large sums of money at risk on the net. The only way to get the message to those communities is with a very visible public announcement of the kind you saw yesterday. -- Nathaniel -------- Nathaniel Borenstein <nsb () fv com> Chief Scientist, First Virtual Holdings FAQ & PGP key: nsb+faq () nsb fv com
Current thread:
- Apology and clarification from Borenstein as sent to cyberpunks Dave Farber (Jan 30)