[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
HUGE denial of service attack against any ecash customer!!!
Ian Goldberg seems to be on a roll. First he figured out how to find out
how anyone can determine anyone else's ecash mint balances, and now he does
this.
The man's a genius. If you don't believe it, ask me, I'll tell you. ;-).
Cheers,
Bob Hettinga
--- begin forwarded text
To: [email protected]
Path: not-for-mail
From: [email protected] (Ian Goldberg)
Newsgroups: isaac.lists.ecash
Subject: HUGE denial of service attack against any ecash customer!!!
Date: 15 May 1996 16:09:29 -0700
Organization: ISAAC Group, UC Berkeley
Lines: 42
Sender: [email protected]
Precedence: bulk
-----BEGIN PGP SIGNED MESSAGE-----
(Again Cc:'d to ecash-feedback, hoping for a security prize. I wonder
who's keeping track... Also Cc:'d to cypherpunks, for fun...)
So I had some more free time... (Dave cringes when I say that.)
Here's a cute one:
Give me an account number, and I can prevent it from being used until
an arbitrary time in the future (of my choosing).
How? Simple.
Send a deposit message with 0 coins (well, any message will work, I think, but
this is one of the simplest messages there is) with a timestamp of some future
time.
Messages stamped prior to that (such as everything coming from the
actual user for that account, until the time comes) will be politely
discarded. (Actually, I think the last reply to a withdrawal request
is continually resent, but I'm not exactly sure of this.) In any case,
the actual user will be unable to withdraw money from his mint until
the time sent in the denial-of-service message. (Unless he forward-dates
his computer's clock, or something...)
I've tested this against myself and Sameer (with his cooperation, of course).
Anyone else want to be locked out for an hour? (Actually, I could pretty
effectively lock out _everyone_ for an arbitrarily long time, it seems...)
- Ian "Right. I want the sources to the client and the server
released. Now." :-)
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMZpj3kZRiTErSPb1AQF0SAQAmOEZJTg0v3utWFodDXZ4iv4xa7I+QbNQ
Nlsbkug8dtkdf+Jboe+vBtrs5IWSSff8bWntGwfODckct26NwzpVM9bUIXohVoRQ
jOkRT9a8m/X00jUAoFOTq5O5Rz87a3Uw8MGFugP5Y4DCk+UqnTA70cuozyOCgb8m
8oke89V9Q0E=
=ARMe
-----END PGP SIGNATURE-----
--- end forwarded text
-----------------
Robert Hettinga ([email protected])
e$, 44 Farquhar Street, Boston, MA 02131 USA
"If they could 'just pass a few more laws',
we would all be criminals." --Vinnie Moscaritolo
The e$ Home Page: http://thumper.vmeng.com/pub/rah/