From: unruh@physics.ubc.ca (Bill Unruh)
Newsgroups: comp.lang.java.security,comp.lang.java.misc,comp.lang.java.programmer,comp.security.misc,comp.security.firewall,alt.security,de.comp.security
Subject: Re: Finjan Software Response to Mark D. LaDue
Date: 9 Nov 1997 20:28:23 GMT
Organization: The University of British Columbia
Message-ID: <6456d7$p16$1@nntp.ucs.ubc.ca>
References: <3465a7f3.19487691@news.netvision.net.il>
Since you felt called upon to post this to the world, comments from the
world were obviously expected, so here they are:
Your words have been edited so as not to clog up the net with repeat
posting.
In <3465a7f3.19487691@news.netvision.net.il> ron@finjan.com (Ron Moritz) writes:
>Finjan Software's response to Mark D. LaDue's article "Drowning in the
>Surf: A Review of Finjan Software's SurfinShield 2.0."
>Summary: Mark D. LaDue's review of Finjan Software SurfinShield 2.0
>for Unix, published October 3, 1997, was an evaluation of an out-dated
>and unsupported version of Finjan's desktop product software. The
>Unix SurfinShield product evaluated by LaDue reached its scheduled
>"end of life" following its release in February, 1997. Finjan's
>desktop product team has since been focused on improving and enhancing
>SurfinShield for Windows.
I wonder why a copy which is apparently that reviewed by him is still on
your ftp site. I downloaded it this week. At least the readme file still
lists exactly the same errors which Mark listed, and which you claim
have since been corrected.
From your defense here, I am totally unwilling to run it to determine
which version it actually is, never mind test it.
It would seem that despite your protestations that this is "outdated
software" you are still offering it as your latest offering for Unix
systems.
...
>Although Georgia Institute of Technology not only removed LaDue's
>article but erased the entire site which hosted it, Finjan is still
>waiting for a published apology from LaDue as to the baseless
>accusations regarding pornography and pirated software.
But he never made any allegations that you were involved in pornography
or pirated software EXCEPT to say that your security and permissions on
your ftp site were extremely weak and that they opened you up to acting
as the host to pornography and pirated software without your knowing it.
This has happened to numerous organisations with lax security on their
ftp software setups (including my own). His point as I read it, was that
your apparent lack of knowledge of such ftp security issues made your
claim to expertise in the field of security suspect. I note that you
appear to have fixed some of these problems on your ftp server since
that time.
...
>LaDue did not contact or attempt to confirm his research with Finjan
>prior to releasing his paper.
Reviewers rarely have their reviews OKed by the company publishing the
software.
...
>Finjan was not afforded an opportunity to comment on LaDue's findings.
You are apparently doing so. Although it might be politeness of a
reviewer to approach the publisher, since the publisher has released the
product for use to the general public, it must stand on its own. He
apparently used what you were (are?) offering on your ftp site as the
latest version. If it was defective and not to be used, why did you not
withdraw it?
...
>LaDue opines: "[Finjan's tools] can make matters worse."
>Finjan: Even if the only security services provided by SurfinShield
>were monitoring and termination of active applets, the solution would
>add value by providing the user with additional control over the
>downloadable programs that run on his/her desktop. In fact,
>SurfinShield provides many more security services including resource
>usage thresholds; the ability to respond to and shut down active
>executable content that does not conform with the specified security
>policy; tracking the arrival of applets and controls and monitoring
>their behavior during execution; tracking applets and controls after
>the user has moved to a new Web site; and terminating processes
>started by controls outside the browser.
It is a well known axiom in security that the use of tools which claim to
provide a level of security which they in fact do not are worse than
nothing because the user is lulled into a false sense of security and
ceases to be vigilant.
...
>Finjan: LaDue's discussion of the findings is simply a regurgitation
>of Finjan's own extensive "Known Bugs of This Revision" list included
>with the release. In fact, LaDue reviewed an old product,
>SurfinShield Version 2.0 Revision 11 for Unix. Subsequent to the
>release of this product in February, 1997, Finjan (a) fixed 90% of the
>bugs reported in the release note included with the Unix product; (b)
Have you fixed those bugs in the Unix software which you are still
offering on your ftp site? If so, why does the README still list them?
...
>LaDue accused Finjan of hosting offensive and illegal material. He
>wrote that he found "a number of directories at ftp.finjan.com named
>warez and several oddly named directories containing JPEG and GIF
>images" and concluded that the site "may have been as a repository for
>pornography and pirated software."
He also found that your ftp security was lax. In such a case an ftp
server can serve as the repository of such software entirely without the
knowledge of the people running the server. The implication I drew from
his comments was not that you were the willing host for such software,
but that you might be the unwilling host because of your lax security.
He also clearly states why he felt you might in fact actually be such an
unwilling host by the types of files he found there. He however did not
say that you actually were such a host.
...
>Finjan: Suggesting that Finjan is a repository and publisher of
>pornographic materials and "pirated software" is nothing short of
>slander, a defamation of Finjan's character, and without any evidence.
>Finjan's own internal investigation found no basis for LaDue's
>unfortunate comment. LaDue could have easily checked his questions by
>contacting Finjan regarding the particular files he located in the
>Finjan FTP server. While Finjan acknowledges and respects LaDue's
>First Amendment freedoms, we believe that his article goes much
>further than "protected speech" and have requested LaDue issue a
>formal apology.
I personally do not see why, since he to me clearly stated the reasons
for his argument, and he never said that you were such a host or
publisher, only that your security level could have made you one, by
implication an unwitting one.
...
>Finjan: The reviewer violated SurfinShield's License Agreement to the
>extent that he downloaded and used the software for purposes other
>than his own personal use. By publishing and advocating a method to
>avoid paying for the use of this software and other software published
>by Finjan, ("It is all too easy to hack SurfinShield and install one's
>own perpetual license," writes LaDue), LaDue is in violation of US
>Copyright laws and local theft statutes.
You claim to be a security conscious organisation, out to protect the
consumer, the purchaser for money of your software. Surely a measure of
your competence in such matters is your ability to protect your own
interests. How can a customer trust you to protect their interests if
you cannot or will not protect your own? Surely you do not simply regard
the existence of a piece of writing (either your license or your
advertising claims) as a sufficient level of protection. While
I don't particularly agree with his publishing the detailed methods used
to break your software, his attempts to do so were within his duty as a
reviewer of security software in my opinion. That a nasty applet could
disable your software is not irrelevant.
...
>LaDue offers several "Lessons From SurfinShield" including the
>following statement: "It is all too easy for hostile code, even an
>attack applet, to modify SurfinShield and throw a system wide open to
>further abuse."
>Finjan: SurfinShield 3.0 deploys technology that creates a
>demilitarized zone between the browser and the operating system. This
He reviewed 2.0 which you are apparently still offering for use. If you
are hereby stating that you will give every user of your previous
version of the software a refund or a free upgrade to 3.0 (does that
even exist for Unix?) then your mentioning 3.0 might be relevant. As it
is, it is a complete red herring.
...