[879] in WWW Security List Archive
Re: Java and trojans: any last words before Netscape 2.0 is out?
daemon@ATHENA.MIT.EDU (David Orchard)
Wed Sep 20 17:52:40 1995
Date: Wed, 20 Sep 95 11:29:58 PDT
From: orchard@mda.ca (David Orchard)
To: cmcmanis@scndprsn.Eng.Sun.COM
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
> From cmcmanis@scndprsn.Eng.Sun.COM Wed Sep 20 10:45:56 1995
> Date: Wed, 20 Sep 1995 10:43:20 -0700
> From: cmcmanis@scndprsn.Eng.Sun.COM (Chuck McManis)
> To: orchard@mda.ca
> Subject: Re: Java and trojans: any last words before Netscape 2.0 is out?
> Cc: www-security@ns2.rutgers.edu
> X-Sun-Charset: US-ASCII
>
> Dave wrote:
> ... it would be easier to root through garbage and collect receipts.
> Plus the rooter would get a sample of the signature.
>
> This argument is specious. The difference is that if you live in the
> San Francisco Bay Area _maybe_ you can find my home address and _maybe_
> you can find a credit card receipt in it. If I'm using the Internet to
> buy things with my credit card you can literally be anywhere in the
> world and find it. Further, if the attack is simply to steal any
> credit card numbers that is one thing, but if you wanted to steal
> Bill Gates' credit card number you probably couldn't get anywhere
> near his garbage can, but you can see his packets on the Internet.
Good points, but you allude to the quandary of internet security, which is
what information are you protecting from whom. The possibilities you and
I have come up with are:
o a specific person - joe hacker - stealing an unknown person's credit
card number
o a specific person - joe hacker - stealing another specific person's
- Bill Gates - credit card number
I think we're agreed that if you want to steal a credit card number from
anybody, the net is probably more secure. As to stealing Bill Gates'
credit card # on the Net, it's still pretty hard to "see his packets on the
Internet". If Wild Bill orders a pizza from Pizza Hut, it might go through
5 routers to get to Pizza Hut. You'd have to know which routers, and have
access to the packets going through the routers, a not insignificant problem.
Then there is the sifting of the packets, followed by the decoding. All these
are possible, but not very easy. You can't be "literally anywhere in the
world", as packets from Bill to Pizza Hut don't go everywhere in the world.
That's from the point of view of a single person - joe hacker - wanting
another specific person's credit card. However, if the specific person -
Bill "buy windows95" Gates - wants to prevent anybody and everybody
from being able to use their credit card number, the fact that they give it out
renders it impossible for them to keep it secret! My point was that because
you give your credit card # to merchants every time you use your card, there's
a far higher chance of merchant fraud or other kinds of credit card fraud than
somebody stealing your credit card # off the Net.
I think all this concern about security is a result of the standard Print media
backlash against the new electronic media, where they'd like the world to think
that the net is full of hackers stealing credit card numbers to use to
order Porn to give to underage kids.
cheers, dave