Path: mindspring!hydrant.mindspring.com!news-dc-9.sprintlink.net!news-dc-2.sprintlink.net!news-east.sprintlink.net!news-dc-26.sprintlink.net!news-peer.sprintlink.net!news.sprintlink.net!Sprint!howland.erols.net!recycled.news.erols.com!nntp.news.xara.net!xara.net!dispose.news.demon.net!demon!news-peer.bt.net!btnet!baron.netcom.net.uk!netcom.net.uk!knife.netcom.net.uk!netcom.net.uk!not-for-mail
From: Adrian.Challinor@osiris.co.uk (Adrian P Challinor)
Newsgroups: comp.security.firewalls
Subject: Re: Finjan's Response to Mark D. LaDue [Was "E pur si muove" - And yet it does move]
Date: Sun, 09 Nov 1997 15:37:55 GMT
Organization: Osiris Consultants Ltd
Message-ID: <346dd8b5.349863246@nntp.netcomuk.co.uk>
References: <3464CCEE.EE5F3A71@mindspring.com> <3464CD2A.C0E55618@mindspring.com>  <3465a395.18369393@news.netvision.net.il>
NNTP-Posting-Host: dialup-11-32.netcomuk.co.uk
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Trace: taliesin.netcom.net.uk 879089912 9286 194.42.230.224 (9 Nov 1997 15:38:32 GMT)
X-Complaints-To: abuse@corp.netcom.net.uk
X-Newsreader: Forte Agent 1.5/32.452
Lines: 118

On Sun, 09 Nov 1997 11:54:41 GMT, ron@finjan.com (Ron Moritz) wrote:

[SNIP]

>
>LaDue accused Finjan of hosting offensive and illegal material.  He
>wrote that he found "a number of directories at ftp.finjan.com … named
>'warez' and several oddly named directories containing JPEG and GIF
>images" and concluded that the site "may have been as a repository for
>pornography and pirated software."  
>
>Finjan:  Suggesting that Finjan is a repository and publisher of
>pornographic materials and "pirated software" is nothing short of
>slander, a defamation of Finjan's character and without any evidence.
>Finjan's own internal investigation found no basis for LaDue's
>unfortunate comment.  LaDue could have easily checked his questions by
>contacting Finjan regarding the particular files he located in the
>Finjan FTP server.  While Finjan acknowledges and respects LaDue's
>First Amendment freedoms, we believe that his article goes much
>further than "protected speech" and have requested LaDue issue a
>formal apology.
>

Forgive me for butting in, but in the English I use (that's England;
hey, this is one language we did invent!) there is a real difference
between "may have been" and "is a". One implies that an event could
or could not have taken place, and if it did, that the object of the
action need not have been aware that a subject had perpetrated the
act. That's what LaDue wrote. 

Finjan translates this as "is a", thus that the act took place with
their full and open knowledge and connivance. 

That's not what was said at all. In England, this misrepresentation of
the original article could be deemed malicious and slanderous. 

Is it or is it not true that at the time of writing the article, LaDue
detected one or more 'warez'-named directories, and is it or is it not
true that at this time it was possible to post items into the Finjan FTP
directory? If it is true, then LaDue has valid grounds for his
statement. He is accusing Finjan of not securing their site, nothing
more, nothing less. 


[SNIP]


>Finjan:  The reviewer violated SurfinShield's License Agreement to the
>extent that he downloaded and used the software for purposes other
>than his own personal use.  By publishing and advocating a method to
>avoid paying for the use of this software and other software published
>by Finjan, ("It is all too easy to hack SurfinShield and install one's
>own perpetual license," writes LaDue), LaDue is in violation of US
>Copyright laws and local theft statutes.
>

What LaDue is stating is that your licensing code is reverse-
engineerable by anyone with a Java development kit. The tools to do
what he states are public domain. I know from bitter experience that
license protection is vital, and it's not done in tools that can be
easily reverse engineered. I think LaDue has done you a good service
by pointing out, very early in the product's life cycle, how flawed
your licensing code is. 

This is normally something you would expect to pay a very hefty price
to find out. Rather than criticise LaDue, would it not make more sense
to commend him for telling you this and seek his advice on making it
more secure? There are ways of doing this, but all the ones I know of
are substantially more complex than the way you are reported to have
adopted. 

What's really scary about this is that if you take so little time and
trouble to secure your own license revenue, how could any user be sure
that you have taken due diligence to have protected the system onto
which your software is loaded from being attacked? 

[SNIP]
>
>On Sun, 9 Nov 1997 02:56:59 -0500, Todd Graham Lewis
> wrote:
>
>>Ron,
>>
>>Wow, Mark's reports were pretty scathing.  Would you care to come into
>>comp.security.firewalls and defend yourself against this?  Does your
>>script really run "xhost +" on installed machines?  Did your lawyers
>>really make these claims?  Or is the whole thing an exaggeration?
>>

Does or does not the version of Finjan that LaDue downloaded contain
the alleged xhost command? 

Is this in the current version unamended, or has some positive action
been taken by Finjan to resolve this? 

--------------------------------------------
Adrian Challinor                       Tel: 0181-852-1605
Osiris Consultants Ltd              Mobile: 0860-290-883
The Database Archival Specialists
e-mail: adrian.challinor@osiris.co.uk
web: http://www.osiris.co.uk
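Added example, not from this thread and not Finjan's code: a POSIX shell audit for the "xhost +" question raised in the post above. `xhost +` with no host after the plus sign disables X server access control, so an install script that runs it leaves the display open to any host that can reach it. The helpers below scan a script for that line before it is run and classify the status line that `xhost` prints with no arguments. The sample installer is constructed for the demo, and the wording of the `xhost` status line is assumed to be X.org's.

```shell
#!/bin/sh
# Added example, not from the thread above and not any vendor's code.
# "xhost +" turns off X server access control, so every host that can
# reach the display may connect, read keystrokes and draw on the screen.
# These helpers let an administrator (a) scan an installer or rc script
# for such a line before running it and (b) read the state the running
# X server reports.  The sample installer below is constructed.

# find_open_xhost FILE
# Print, with line numbers, every uncommented line in FILE that runs
# "xhost +" with nothing after the "+", i.e. opens the display to all.
# "xhost +somehost" and commented-out lines are not reported.
# Exit status is 0 when at least one such line was found, 1 otherwise
# (grep's convention), so it can drive an if/then in a pre-flight check.
find_open_xhost() {
    grep -nE '^[^#]*(^|[^[:alnum:]_#])xhost[[:space:]]+\+[[:space:]]*($|[;&|#])' "$1"
}

# xhost_state OUTPUT
# Classify the line printed by running `xhost` with no arguments
# (X.org wording assumed): "open" when access control is disabled,
# "restricted" when it is enabled, "unknown" for anything else.
# Typical use on a live system:  xhost_state "$(xhost 2>/dev/null)"
xhost_state() {
    case "$1" in
        *"access control disabled"*) echo open ;;
        *"access control enabled"*)  echo restricted ;;
        *)                           echo unknown ;;
    esac
}

# write_sample_installer FILE
# Write a constructed installer script to FILE.  Lines 3 and 5 open the
# display to everyone; the other lines must not be reported.
write_sample_installer() {
    cat > "$1" <<'EOF'
#!/bin/sh
# constructed sample installer (not a real product's script)
xhost +                      # opens the display to every host
xhost +localhost             # grants one host only
/usr/bin/xhost + ; ./setup   # opens the display again, then continues
# xhost +                    # commented out, does nothing
echo "xhost + is a bad idea" # just text
EOF
}

# demo: scan the constructed sample and report what an admin would see.
demo() {
    tmp=$(mktemp) || return 1
    write_sample_installer "$tmp"
    if find_open_xhost "$tmp"; then
        echo "WARNING: installer disables X access control on the lines above"
    else
        echo "no unrestricted 'xhost +' found"
    fi
    rm -f "$tmp"
}

demo
```

On a live system, `xhost_state "$(xhost 2>/dev/null)"` after an install tells you whether the installer actually left the display open; running `find_open_xhost` on the installer first tells you whether it would.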