From: proberts@clark.net (Paul D. Robertson)
Newsgroups: comp.security.firewalls
Subject: Re: Finjan's Response to Mark D. LaDue [Was "E pur si muove" - And yet it does move]
Date: 15 Nov 1997 04:13:03 GMT
Organization: Clark Internet Services, Inc., Ellicott City, MD USA
Lines: 183
Message-ID: <64j7gf$93p@clarknet.clark.net>
References: <3464CCEE.EE5F3A71@mindspring.com> <3464CD2A.C0E55618@mindspring.com>  <3465a395.18369393@news.netvision.net.il>
NNTP-Posting-Host: explorer.clark.net
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Newsreader: TIN [UNIX 1.3 950726BETA PL0]

Ron Moritz (ron@finjan.com) is rumored to have uttered :
: Finjan Software’s response to Mark D. LaDue’s article "Drowning in the
: Surf:  A Review of Finjan Software’s SurfinShield 2.0."
: 
: 
: Summary:  Mark D. LaDue's review of Finjan Software SurfinShield 2.0
: for Unix, published October 3, 1997, was an evaluation of an out-dated
: and unsupported version of Finjan's desktop product software.  The
: Unix SurfinShield product evaluated by LaDue reached its scheduled
: "end of life" following its release in February, 1997.  Finjan’s
: desktop product team has since been focused on improving and enhancing
: SurfinShield for Windows™.

So, what you're saying is that there is no way for an end-user who's
downloaded your product to know if a version is outdated?

: 
: Finjan has released a minimum of nine revisions to this program that
: address all of the purported deficiencies noted by LaDue.  In fact,

If they address the deficiencies, then they're not 'purported'; if they
aren't real, then they need not be addressed.  Care to pick one?

: most of the issues raised by LaDue were disclosed by Finjan in the
: SurfinShield product release notes.  Of the eight bugs listed in the
: "known bugs" list released by Finjan with SurfinShield Version 2.0
: Revision 11, seven were fixed in the current Windows version and the
: eighth is addressed in a release scheduled in Q4 1997.  Had LaDue
: reviewed SurfinShield 3.0, his experience would have been
: significantly different.  Further, had LaDue simply contacted Finjan
: prior to the publication of his article, many of the erroneous and
: defamatory statements would not have been made.

Any review is a snapshot of a product at the time it was written.  If your 
product contained half the problems noted, shame on you for releasing it
at such an immature stage in its lifecycle.

: 
: LaDue’s purported review of Finjan software contains inappropriate
: comments, defamatory statements and shows a breach of the license
: agreement whereby LaDue obtained copies of the Finjan software.
: Finjan requested that LaDue remove this article from the Web – LaDue
: and Georgia Institute of Technology agreed to this request – and
: publish a retraction of the article's defamatory statements.
: Simultaneously, Finjan has offered to provide LaDue with the most up
: to date revision of the software and assist him in a fair review of
: the program's viability.
: 
: Finjan is, in fact, the leading provider of software solutions for
: Java and ActiveX security.  Like any young company, we appreciate
: input and review of our products in that these reviews lead to better
: solutions.  We have organized a Technical Advisory Board of known and
: respected security experts to help guide and improve our technology.
: And, we invite all academicians and researchers to work with us in the
: future and would be pleased to make early beta versions of our code
: available based on a common interest in creating secure downloadable
: computing environments.

Does that secure environment still include 'xhost +'?

: Although Georgia Institute of Technology not only removed LaDue’s
: article but erased the entire site which hosted it, Finjan is still
: waiting for a published apology from LaDue as to the baseless
: accusations regarding pornography and pirated software.

It wasn't an accusation when I read it, it was an observation.  
If they are baseless, perhaps you can explain what the directories 
contained for us?

:  LaDue did not contact or attempt to confirm his research with Finjan
: prior to releasing his paper.
:   
: Finjan was not afforded an opportunity to comment on LaDue’s findings.
: 
: LaDue opines:  "[Finjan’s tools] can make matters worse."  
: 
: Finjan:  Even if the only security services provided by SurfinShield
: were monitoring and termination of active applets, the solution would
: add value by providing the user with additional control over the
: downloadable programs that run on his/her desktop.  In fact,
: SurfinShield provides many more security services including resource
: usage thresholds; the ability to respond to and shut down active
: executable content that does not conform with the specified security
: policy; tracking the arrival of applets and controls and monitoring
: their behavior during execution; tracking applets and controls after
: the user has moved to a new Web site; and terminating processes
: started by controls outside the browser.
: 
: LaDue writes:  "Finjan Software, the self-touted ‘Leader in Java and
: ActiveX Security’ …" 
: 
: Finjan:  LaDue does not acknowledge the facts that Finjan (a) defined
: the Java and ActiveX security field; (b) was the first third-party

Funny, I thought that Sun defined the Java security field.  

[snip]

: LaDue writes:  "Probing and testing from a hacker’s point of view then
: revealed that SurfinShield has enough holes in it to sink a
: battleship."  
: 
: Finjan:  LaDue’s discussion of the findings is simply a regurgitation
: of Finjan’s own extensive "Known Bugs of This Revision" list included
: with the release.  In fact, LaDue reviewed an old product,

Was 'xhost +' a "known bug?"

: LaDue suggests that the problems listed are common to all developers
: building applications using the Java language.  
: 
: Finjan:  We agree with LaDue’s observation that Java lacks the
: maturity of other object oriented languages.  Although the version of
: the product reviewed by LaDue was, in fact, written in Java, the
: current version of SurfinShield is a mix of Java and C++. 
: 
: LaDue accused Finjan of hosting offensive and illegal material.  He
: wrote that he found "a number of directories at ftp.finjan.com … named
: ‘warez’ and several oddly named directories containing JPEG and GIF
: images" and concluded that the site "may have been as a repository for
: pornography and pirated software."  
: 
: Finjan:  Suggesting that Finjan is a repository and publisher of
: pornographic materials and "pirated software" is nothing short of
: slander, a defamation of Finjan’s character and, without any evidence.
: Finjan’s own internal investigation found no basis for LaDue’s
: unfortunate comment.  LaDue could have easily checked his questions by
: contacting Finjan regarding the particular files he located in the
: Finjan FTP server.  While Finjan acknowledges and respects LaDue's
: First Amendment freedoms, we believe that his article goes much
: further than "protected speech" and have requested LaDue issue a
: formal apology.

So, are you in fact refuting the claim that said directories existed at
the time of Dr. LaDue's visit, or not?  What does "found no basis" mean?
That you looked recently and the files aren't there, or that you pulled
back-up tapes for the indicated time period and the files weren't there?

: LaDue concludes that "SurfinShield’s ‘prevent downloading of
: suspicious applets’ feature offers no protection against attacks from
: even known hostile applets."
: 
: Finjan has long been aware that URL is not be the best key for

"Not be the best?" How about "Downright stupid."    

: tracking applets.  In fact, Finjan has used a 128-bit applet signature
: technology in its gateway database since introducing the SurfinGate
: server in January, 1997.  SurfinShield 3.0 no longer relies on the URL
                                             ^^^^^^^^^
              Then the review is valid of the originally released product?

: than his own personal use.  By publishing and advocating a method to

His review did not advocate it; for someone complaining about defamatory
statements, you're crossing the line pretty quickly.


: Most of LaDue’s other "lessons" have already been resolved by the

Then the review was valid of the product version reviewed?
 
: product.  For example, all Finjan software released after March 1997
: is protected by obfuscation techniques from easy decompilation

We all know how wonderfully well obfuscation works by looking at the NT 
password scheme.  

: >What I've seen to date is enough, prima facie, to leave Finjan on my list
: >of all-time horrible vendors, a reaction which might be shared by others
: >in this newsgroup.  Either you or someone in your PR department might

This "defense" pretty much leaves them on the same list, only further
down in my mind.  Trying to attack a reviewer's credibility while
rebutting the review with "we've fixed that now" and trumpeting the fact
that a school removed an alumnus's Web page under legal threat hardly
qualifies them for company of the year.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
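The exchange above about URL versus applet-signature tracking comes down to one question: what key does the policy use to recognise an applet it has already decided to block? The following is an added illustration, not code from the post or from Finjan; the applet bytes, URLs and hash choice (SHA-256 rather than the 128-bit scheme mentioned) are constructed for the example.

```python
"""Compare a URL-keyed applet block-list with a content-keyed one.

Added example (not the post's or Finjan's code). Shows why keying on
URL both misses a relocated copy and keeps blocking a cleaned-up URL.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Applet:
    url: str      # where the browser fetched the class file from
    code: bytes   # the class file bytes actually delivered


def fingerprint(code: bytes) -> str:
    # Content-derived key: identical bytes give an identical key no
    # matter which URL served them. SHA-256 is an assumption here.
    return hashlib.sha256(code).hexdigest()


@dataclass
class UrlBlocklist:
    blocked: set = field(default_factory=set)

    def block(self, applet: Applet) -> None:
        self.blocked.add(applet.url)

    def allows(self, applet: Applet) -> bool:
        return applet.url not in self.blocked


@dataclass
class SignatureBlocklist:
    blocked: set = field(default_factory=set)

    def block(self, applet: Applet) -> None:
        self.blocked.add(fingerprint(applet.code))

    def allows(self, applet: Applet) -> bool:
        return fingerprint(applet.code) not in self.blocked


def demo() -> dict:
    hostile = b"\xca\xfe\xba\xbeHostileApplet(constructed)"   # constructed
    benign = b"\xca\xfe\xba\xbeHelloWorld(constructed)"       # constructed
    original = Applet("http://example.test/applets/Hostile.class", hostile)
    mirrored = Applet("http://mirror.example.test/x/Harmless.class", hostile)
    cleaned = Applet("http://example.test/applets/Hostile.class", benign)
    by_url, by_sig = UrlBlocklist(), SignatureBlocklist()
    by_url.block(original)
    by_sig.block(original)
    return {
        "url_blocks_mirror": not by_url.allows(mirrored),   # False: missed
        "sig_blocks_mirror": not by_sig.allows(mirrored),   # True: caught
        "url_blocks_cleaned": not by_url.allows(cleaned),   # True: wrongly
        "sig_blocks_cleaned": not by_sig.allows(cleaned),   # False: correct
    }
```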