NYT (online only?) article on DigiCash Chapt. 11

1998-11-30 Thread Robert Hettinga

...Wherein I get quoted in the NYT using "bummed out".

Oh, well. At least they spelled my name right... :-).

Cheers,
Robert Hettinga

--- begin forwarded text


Mime-Version: 1.0
X-Sender: [EMAIL PROTECTED]
Date: Mon, 30 Nov 1998 20:35:32 -0500
To: Digital Bearer Settlement List <[EMAIL PROTECTED]>
From: Robert Hettinga <[EMAIL PROTECTED]>
Subject: Electronic Cash for the Net Fails to Catch On
Sender: <[EMAIL PROTECTED]>
Precedence: Bulk
List-Subscribe: 
X-Web-Archive: http://www.philodox.com/dbs-archive/


--- begin forwarded text


Date: Mon, 30 Nov 1998 20:28:03 -0500
From: "Robert A. Hettinga" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
MIME-Version: 1.0
To: [EMAIL PROTECTED]
Subject: Electronic Cash for the Net Fails to Catch On

http://www.nytimes.com/library/tech/98/11/cyber/articles/28cash.html




November 28, 1998


Electronic Cash for the Net Fails to Catch On

By PETER WAYNER

There are two conflicting epigrams that rule the computer industry. The
first is that the pioneer gets all of the gold, and the second is that the
pioneer gets all of the arrows in the back. Several recent high-profile
failures in the electronic payment industry suggest that efforts to develop
versions of electronic cash for the Internet are so far reaping more arrows
than riches.



The most recent signal came as Digicash, a closely watched electronic
payment company based in Palo Alto, Calif.,
filed for bankruptcy protection. The company was known for a collection of
tools that made it possible for people to spend small amounts of money over
the Internet using what is known as a digital wallet, software that handles
transactions in a manner similar to cash. One advantage of the Digicash
system is that, unlike credit cards, it allowed consumers to make purchases
anonymously.

While several major banks expressed interest in the Digicash system and a
few actually began offering accounts, the company was unable to generate
enough mass interest among merchants or consumers. Consumers were reluctant
to use Digicash because there weren't many merchants who accepted it, and
merchants didn't sign up to participate because consumers weren't demanding
it as a payment option.

Other companies that have tried to develop digital cash systems haven't
fared much better. Last August, another pioneer, First Virtual, shut down
its system for processing electronic cash transactions and began to focus
on a new business, interactive messaging, according to a company
spokeswoman, Cindy Alvarez. Another company, CyberCash,
still offers a system called CyberCoin, but most of the company's revenue
comes from processing credit card transactions.

Industry observers suggest that one reason electronic payment systems
haven't taken off is that consumers have become more comfortable using
credit cards to make purchases online.

Bill Curry, a spokesman for Amazon.com,
said credit cards are used for "the overwhelming majority" of transactions
on the company's site. "I think the reason is that we do have an encrypted
secure server, and we guarantee the transaction. If there are unauthorized
charges on your account as a result of shopping at Amazon.com, we'll pay
the $50 that's not covered by your credit-card issuers."

Bill Trevor, director of customer service at CDNow, said
most of CDNow's customers enter their credit-card numbers on the site. "Our
experience is showing that in the month of October, roughly four fifths of
our customers felt secure enough to put their credit card in our online
form. Almost all of the rest are checks or money order. There are a couple
of percentage points for people who call us, fax us or e-mail their
credit-card number, but it's less than 3 percent."


CDNow allows customers to send a separate e-mail message with the credit
card number encrypted with PGP, a significantly higher grade of encryption
than is normally used to protect most browser-based transactions.

Companies that process credit card transactions for e-commerce Web sites
have found more success than the wallet-based businesses, like Digicash.
Keith Miller is an executive vice president of Ibill, a
company that processes credit card transactions for Web merchants. "We
looked into that whole thing when we started a couple of years ago," he
said, referring to companies that were building separate software packages
for processing payments. "Back then, our biggest competitors were the
wallet companies. We went after the market saying, why do we need to
reinvent something when we have something that works and is simple, easy
and quick?"

In the end, Ibill chose to make it simple for people to buy something
online by typing a credit card number into a browser. The browser uses a
security method known as SSL (Secure Soc

Re: Is a serial cable as good as thin air?

1998-11-30 Thread Missouri FreeNet Administration

Why not keep the "ThinAir" concept, and use an optically-isolated link?
A one-way connection: just like your floppies...

On Sun, 29 Nov 1998, Dianelos Georgoudis wrote:

:Date: Sun, 29 Nov 1998 22:20:29 -0600
:From: Dianelos Georgoudis <[EMAIL PROTECTED]>
:To: [EMAIL PROTECTED]
:Subject: Is a serial cable as good as thin air?  
:
:
:We are installing home banking systems where the Internet Server
:is separated from the bank's computer center by air. Data is moved
:periodically back and forth using low tech but dependable floppy
:disks that carry only encrypted data (the principle of red/black
:separation is implemented by loading only encrypted data on the
:server). This "air-wall" is an effective way to stop hackers from
:penetrating the bank's computer center using its Internet
:services. This works quite well with services such as users'
:credit-card queries.
:
:Now, we have a potential client insisting on on-line transaction
:capability. One possible solution is to connect the Internet
:server with a PC on the bank's private network using a serial
:cable. We would write our own transmission protocol. The PC
:working on the bank's network would run a memory resident program
:that services the serial port and will discard any blocks that do
:not decrypt properly or have an invalid structure (only blocks
:that decrypt into the correct data structure would be processed at
:all). Here is the question: Is this as good as thin air? Can you
:see any way a hacker could use such a connection to penetrate the
:bank's network?
:
:
:Dianelos Georgoudis
:email: [EMAIL PROTECTED]
:http://www.tecapro.com
:
:

Yours, 
J.A. Terranson
[EMAIL PROTECTED]
[EMAIL PROTECTED]

--
If the Government wants us to behave,  
they should set a better example!



Canadian crypto archive moved

1998-11-30 Thread M Taylor


You can find the contents of my old archive now at
 ftp://ftp.privacy.nb.ca/pub/crypto/

It includes a mirror of SSLeay (and related libeay, libdes), Peter
Gutmann's cryptlib toolkit, PGPi, ssh, Ben Laurie's Apache-SSL patches,
and some Canadian implementations of cryptographic algorithms.


--
M Taylor   mctaylor@  /  glyphmetrics.ca | privacy.nb.ca



RE: Is a serial cable as good as thin air?

1998-11-30 Thread Russell Nelson

Brown, R Ken writes:
 > If I was a bank I would be very wary of proposals like "We would write our
 > own transmission protocol." That seems to introduce yet more complexity,
 > not to mention maintenance effort and undiscovered bugs. It would seem safer
 > (more conservative a bank might say) to use off-the-shelf code which had
 > been tried and tested (& for which source code was available if you really
 > cared about security)

Use xmodem.  Only provide the receive code and the transmission code
on the respective sides.  That will be as safe as sneakernet.

-- 
-russ nelson <[EMAIL PROTECTED]>  http://crynwr.com/~nelson
Crynwr supports Open Source(tm) Software| PGPok |   There is good evidence
521 Pleasant Valley Rd. | +1 315 268 1925 voice |   that freedom is the
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   |   cause of world peace.



RE: Is a serial cable as good as thin air?

1998-11-30 Thread Brown, R Ken

> Dianelos Georgoudis[SMTP:[EMAIL PROTECTED]] described a security system
> and then asked:
> 
> Here is the question: Is this as good as thin air? 

The answer has to be "no" because you are introducing extra complexity.
There is more to go wrong.

> Can you see any way a hacker could use such a connection
> to penetrate the bank's network?

No, but that doesn't mean *they* can't :-)  Presumably you are talking about
a situation where instructions posted on the web server from home users
cause changes to be made in their accounts? In which case if the web server
is compromised it could in principle be used to issue false instructions
that conform to the expected format, however they were transmitted, serial
cable or floppy disk.

If I was a bank I would be very wary of proposals like "We would write our
own transmission protocol." That seems to introduce yet more complexity,
not to mention maintenance effort and undiscovered bugs. It would seem safer
(more conservative a bank might say) to use off-the-shelf code which had
been tried and tested (& for which source code was available if you really
cared about security).




Is a serial cable as good as thin air?

1998-11-30 Thread Dianelos Georgoudis


We are installing home banking systems where the Internet Server
is separated from the bank's computer center by air. Data is moved
periodically back and forth using low tech but dependable floppy
disks that carry only encrypted data (the principle of red/black
separation is implemented by loading only encrypted data on the
server). This "air-wall" is an effective way to stop hackers from
penetrating the bank's computer center using its Internet
services. This works quite well with services such as users'
credit-card queries.

Now, we have a potential client insisting on on-line transaction
capability. One possible solution is to connect the Internet
server with a PC on the bank's private network using a serial
cable. We would write our own transmission protocol. The PC
working on the bank's network would run a memory resident program
that services the serial port and will discard any blocks that do
not decrypt properly or have an invalid structure (only blocks
that decrypt into the correct data structure would be processed at
all). Here is the question: Is this as good as thin air? Can you
see any way a hacker could use such a connection to penetrate the
bank's network?


Dianelos Georgoudis
email: [EMAIL PROTECTED]
http://www.tecapro.com
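
An added example, not part of the original post or of any poster's code: a receive-only validator for the kind of block filter described above, which drops every frame that fails authentication or a structural check. The frame layout, the `Receiver` and `make_frame` names, the amount cap and the use of HMAC-SHA256 in place of the post's "decrypts properly" test are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed frame layout (an assumption, not the poster's protocol):
# sequence (u32) | account (u32) | amount in cents (u64) | HMAC-SHA256 tag
BODY = struct.Struct(">IIQ")
TAG_LEN = 32
FRAME_LEN = BODY.size + TAG_LEN
MAX_AMOUNT = 1_000_000  # hypothetical per-transaction cap, in cents


class Receiver:
    """Receive-only side of the link: accepts a frame or silently drops it."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_seq = 0  # highest sequence number accepted so far

    def accept(self, frame: bytes):
        # 1. Fixed length only: no length field for a sender to lie about.
        if len(frame) != FRAME_LEN:
            return None
        body, tag = frame[:BODY.size], frame[BODY.size:]
        # 2. Authenticate before parsing, using a constant-time comparison.
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        # 3. Structural checks on the authenticated body.
        seq, account, amount = BODY.unpack(body)
        if seq <= self._last_seq:  # replayed or reordered frame
            return None
        if account == 0 or not 0 < amount <= MAX_AMOUNT:
            return None
        self._last_seq = seq
        return {"seq": seq, "account": account, "amount": amount}


def make_frame(key: bytes, seq: int, account: int, amount: int) -> bytes:
    """Sender side, included only to build constructed sample frames."""
    body = BODY.pack(seq, account, amount)
    return body + hmac.new(key, body, hashlib.sha256).digest()
```

A frame built by any holder of the key passes every check here, which is the case R Ken Brown's reply in this thread raises: the filter constrains the form of what crosses the link, not whether the sender was honest.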