
Re: The FV Problem = A Press Problem



        Mr. Borenstein's press release ("FV's position on Merc article")
was egregiously self-serving and embarrassingly over-inflated.

        Yet, First Virtual's CC-focused keyboard sniffer ("...a program
which completely undermines the security of every known credit card
encryption mechanism for Internet commerce") and his postulated widespread
stealth attack on unprotected consumer PCs highlighted an obvious -- but
oft forgotten, at least in non-CompSec circles -- vulnerability.

        An encrypted link is only as secure as the CPUs at either end.  Not
an unimportant consideration as we plunge into Internet commerce; and
surely a valid point for one vendor to make, if it suggests unrecognized
risks in a competitor's scheme for consumer purchases and payments.

        Borenstein is handling his inevitable mugging in C'punks with zest
and considerable aplomb; even including an apology for submitting his
sensationalistic attack on crypto-based competitors to this List.  Before
folks leap from FV's text to damning the San Jose Mercury News' articles by
Simson Garfinkel, however, they should pause and read or maybe re-read
Garfinkel's three articles. <http://www.sjmercury.com/clips/>

        Mr. Garfinkel is probably the single most technically-literate
journalist writing about computer security for mainstream (or trade press)
media.  His Mercury News article is precisely focused on FV's initiative in
developing this demo program (a trojan screen saver) and the campaign by
the Southern California company to use the demo to illustrate a relatively
unguarded aspect of Netscape's SSL-protected credit card transactions,
which have been widely touted as the be-all of Network Commerce.

        It was, as Garfinkel bluntly put it: "a direct attack against the
security promised by Netscape Communication Corp.'s popular Netscape
Navigator..."

        Mr. Borenstein later expressed his regret that Garfinkel had cast
the story as a competitive attack, but IMNSHO Garfinkel was right on
target: the FV campaign was a targeted bombardment of their most prominent
competitor.  And a campaign it was -- well deserving media attention.

        FV apparently carted their demo code and attack model back and
forth across the country. FV gave presentations to NIST, NSA, the US
Treasury, and the White House, according to Garfinkel.

        The only silly comment in Garfinkel's article was a direct quote
from FV's Borenstein: "One of the things we've heard from people inside
government were comments along the line, 'We thought only NSA knew how to
do this....'"

        (And if a world-class CompSec/UNIX expert like Garfinkel wasn't
chuckling when he wrote that -- and expecting knowledgeable readers to
giggle and grin when they read it -- I'll stew and eat my beaver hat!)

        The Merc's quotes from independent security experts -- commenting
on FV's attack model -- were notably dry and balanced.  Yes, the attack and
threat vectors were real -- but, noted the American Banker's Association's
Kawika Daguio: "It is a classic attack."

        "I've seen it, and I've seen things like it before," said Mr.
Daguio.  Nothing new. Matt Bishop, the UC prof, also sounded less than awed
by FV's creativity: "There is no reason why one could not write a program
to monitor keystrokes, look for numbers which look like credit card
numbers, and send them out over the Internet," in an unobtrusive way, to a
thief elsewhere.

        (Prof. Bishop might have had more to say, had he been told it took
an FV programmer a _month_ to write a keyboard sniffer optimized for credit
card data;-)

        As a newcomer to this List, I have the impression that C'punks are
a little jaded when it comes to mass-market CompSec and ComSec threats --
and perhaps a little rabid when it comes to anyone rash enough to suggest
that the first mass-market crypto product (in the hands of naive consumers,
with unprotected PCs and poor CompSec habits) may have dangerous procedural
vulnerabilities.  A little perspective, guys!

        Crypto from an insecure base has risks that deserve to be
highlighted; and credit card numbers are uniquely negotiable passwords.
FV is scare-mongering, sure -- but that's combat marketing.  Mr.
Borenstein's press release posted in C'punks was chumming with raw bloody
beef -- and that was just dumb -- but it was striking how blithely many
folks here acknowledged (and immediately dismissed) the threat he
described.

        Nothing wrong with FV trying to slow the bandwagon of a major
competitor by drawing attention to vulnerabilities or potential
vulnerabilities of their technology in a mass market.  This happens a lot
-- although most corporate perpetrators try to hide their hand a lot more
than FV did, and they generally sound a lot less self-righteous -- but a
little brawling is not a bad thing, particularly in IS security.  (Some
markets, like firewalls, desperately need a little more competitive
clarity.)

        On the other hand, Mr. Borenstein's hyper-inflated presentation of
First Virtual's case all but begged for the C'punk lynch mob that has
followed him down through several threads on this List.  If he didn't
expect the reception he got, he should fire his PR advisor and get someone
who knows how to write without the purple prose and napalm.

        Simson Garfinkel and the Mercury News are getting a bad rap from
folks caught up in the mob chasing Mr. Borenstein.  Read the three
articles.  The on-line version has a headline that is a bit overwrought
("Program shows ease of stealing credit information") but overall, it's a
credible, savvy, and amusing piece of journalism about FV.  Quite
professional, I'd say.

        Suerte,

                        _Vin

    Vin McLellan +The Privacy Guild+ <[email protected]>
 53 Nichols St., Chelsea, Ma. 02150 USA Tel: (617) 884-5548
                <*><*><*><*><*><*><*><*><*>