[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: C'mon, How Hard is it to Write a Virus or Trojan Horse? (was Re: Apology and clarification)
Nathaniel Borenstein wrote:
>
> Excerpts from mail.cypherpunks: 30-Jan-96 Re: Apology and clarification
> Jamie Zawinski@netscape. (4170*)
>
> > Nathaniel Borenstein wrote:
> > >
> > > What we at FV have done is to demonstrate how easy it is to develop an
> > > FULLY AUTOMATED attack that undermines the security of all
> > > software-based credit card commerce schemes.
>
> > You have done no such thing. You have written *one component* of that
> > attack, and the easiest part of it at that.
>
> > Combine it with a virus, or self-replicating worm, and demonstrate that
> > it is immune to all known virus checkers, and *then* you will have
> > spoken the truth when you say you have "demonstrated" anything.
>
> This is a particularly fascinating reaction, Jamie. As I see it, we
> have implemented every part of the attack that we can implement without
> doing anything that is either unethical or illegal. Is it your position
> that no systematic flaw in your security is real until someone has
> actually broken it?
>
> Actually, that position would in fact be quite consistent with your
> company's earlier implicit assertion that 40-bit encryption was
> sufficient (for international consumers) until somebody actually broke
> it, even though everyone who understood cryptography already knew
> otherwise.
Actually that position would in fact be quite inconsistent with our
more recent actions. For example we have implemented blinding code to
protect against Paul Kocher's timing attack, even though it has
not been demonstrated against any real world system. I think that you
are misinterpreting the intent of Jamie's posting, but I will let
him defend himself. I just wanted to say that the company takes
security problems very seriously, even if there has not been an
active exploit.
--Jeff
--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
[email protected] - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.