Date: Wed, 05 Nov 1997 18:09:46 -0600
From: "Mark D. LaDue"
X-Mailer: Mozilla 4.02 [en] (X11; I; SunOS 5.5 sun4m)
MIME-Version: 1.0
To: Ron Moritz 
Subject: Re: Finjan Official Response to Mark LaDue
References: <3.0.32.19971105225322.009a5860@mail.finjan.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi Ron,

Sorry to say, we have become adversaries of late.  Even given the scathing
review that I published of SurfinShield 2.0, that need not have become the
case.  The main reason for that now is that your lawyer misrepresented what
I wrote in his letter to the Georgia Tech School of Mathematics, and being
an alumnus living 1000 miles away, I was not there to defend it as a decision
was made.  Once Fred Andrew, the associate director of the School of
Mathematics, had decided it best to avoid wasting time on a senseless dispute
by throwing in the towel, he let me know.  As I always have done at Georgia
Tech, I complied with his decision and removed myself from the School of
Math network.  Unfortunately, alumni receiving free benefits have no rights
to complain about losing those benefits.  Had I still been a graduate
student there, you can bet that things would have been settled in an
entirely different manner, just as all of the complaints about hostile applets
had been.

What's wrong with your lawyer's case are items like these:

1. Though I certainly published a method of subverting the demo license,
I also added

"Of course the author does not recommend doing this for the same
reason that he does not recommend swimming with a ship's anchor
attached to your neck."

That hardly qualifies me as one who "advocates a method to avoid paying for
the use of this software and other software published by Finjan which
constitutes a violation of US Copyright laws and local theft statutes."
Furthermore, using software for the purposes of writing a review is considered
fair use, and recent court decisions have even held that reverse engineering
of software for educational and business purposes is legal, provided that
source code is not available and that one uses it only for the sake of
understanding.  Thus the second paragraph of your lawyer's letter is
completely refuted, and accusations in the third paragraph of "violations of
law" are entirely spurious.

2. An equally blatant misrepresentation occurs in the third paragraph of your
lawyer's missive.  By no means did I write that "Finjan is a repository
and publisher of pornographic materials and of 'pirated software.'"
After pointing out the presence of directories owned and writable by user
"ftp," including oddly named ones with images and ones named "warez," I
suggested that ftp.finjan.com "may have been serving as a repository for
pornography and pirated software."  There's a big difference between "is a
repository and publisher" and "may have been serving as a repository" at
the time I downloaded the software.  The observations that I reported are
most certainly true, and I see that your lawyer wasn't hardy enough to deny
them.  Your lawyer should read page 493 of Spafford and Garfinkel's "Practical
UNIX and Internet Security" to see that what I wrote is correct, and
I think I could have justified saying "probably was" instead of "may
have been."  Since I have reported factual observations and a well supported
interpretation of those observations, it is false and absurd to accuse me
of making "defamatory comments."  To quote your lawyer once again,
"Nothing could be further from the truth!"

It's clear from this that your lawyer's intent was most likely to set up
a combination strawman and bogeyman to knock down in the eyes of officials
at Georgia Tech on the calculation that they'll run for cover and do the
wrong thing without ever bothering to read or understand what was written.

I'm pleased to hear that Finjan no longer supports the product that I
reviewed.  If the problems that I described several months ago in my review
have been corrected, then that's very good news.  (Indeed, that was the
only thing in your lawyer's letter that even stands a chance of being true.)
Nevertheless, since what I wrote truly and accurately portrayed both Finjan's
product and ftp server, and since exposing blatant security problems is in
everyone's best interest, I do not plan to retract what I've written, and I
do not believe it should be removed from wherever it happens to appear.
Moreover, since your lawyer's charges are entirely without merit, I see
no reason why an apology is necessary.  Is Finjan a person who will cry and
lose sleep over imaginary affronts?  I think not.  And besides, conceded
apologies, even when court ordered, are worth nothing and simply lead to
statements like Galileo's celebrated dictum, "E pur si muove" ("And yet
it does move").

The way I see it, this whole incident reflects rather poorly on Finjan's
business, far more poorly than any impolite review I could ever write.
Instead of squandering corporate resources on lawyers who make false
allegations for the sake of bullying people into silence, Finjan's
executives should develop a sense of humor, learn from their company's
mistakes, and take criticism in stride.  May I use myself as an example
here?  Your public response to "Drowning in the Surf," which you sent to
me and which presumably is available on your web site and in your PR
literature, uncritically repeats your lawyer's scurrilous charges and
adds several falsehoods about myself and the history of my web pages.
Instead of hiring lawyers to try and bully you into removing it from
wherever you post it, I'm willing to laugh at its foolishness and let
it go.  I certainly won't repeatedly insist on a public apology for
something that's not worth the trouble.  Perhaps Finjan's future would be
better served if its executives adopted a similar view of things.

Mark