With Trousers Down and Duke Exposed: How Finjan Software Handles Criticism

Copyright (c) 1997 Mark D. LaDue, Ph. D.

When I recently published my candid review of Finjan Software's SurfinShield 2.0 on the Hostile Applets Home page, Finjan's attorney misrepresented its contents and made false allegations about me to Georgia Tech in a feeble attempt to suppress it. This is the tale of that tawdry attempt and the ensuing battle. You will see that after coming on strong in the second round of the fight, Finjan was forced to retreat, was knocked for a loop, and was left bruised, battered, and bloodied - slumped over the ropes.

These are the highlights of the battle. Kieron Murphy has also written a good account of it for Developer.com.

Round 1

On September 25, 1997 I made available a candid review of Finjan Software's SurfinShield 2.0 for UNIX.

Round 2

On October 10 Finjan's attorney sent a letter to the Georgia Tech School of Mathematics accusing me of criminal activity and insisting that my candid review of their software be suppressed. The letter sat unopened for several weeks, but eventually it was read. On October 29 Georgia Tech decided to suppress my work by cancelling my account in the School of Mathematics.

Round 3

Reliable Software Technologies was gracious enough to provide a new home for my Hostile Applets Home Page, and so my scathing review of SurfinShield will remain available for all to read.

Round 4

On November 5 Finjan's Ron Moritz, most likely unaware that the Hostile Applets Home Page already had a new home, wrote a letter to me. Under the guise of an "olive branch, engineer to engineer" was a warning that my article "in its original form, will not reappear on the Web." Also included in that letter was a copy of Finjan's official PR on the matter. My reply exposed Finjan's stratagem for what it was. Finjan soon learned that my Hostile Applets Home page had a new home.

Round 5

On November 6 Moritz wrote a flattering letter in which he "implored" me to remove my review from its new home. Failing that, he asked that I "consider revising the article should your intent to repost it to the Web be inflexible." This appeared to be a retreat, and I paused to consider its implications. Since I did not respond so promptly, I received a second letter that day. This one was merely a "request" that I remove my article "from the Web. Should you reject this request, I trust that in the interest of presenting an objective academic dialogue you will agree to place a link from your article to Finjan's response. If you agree I will forward to you an HTML version of the response I sent to you yesterday." In the course of several days Finjan had gone from trying to suppress my review to asking me to play fairly and provide links to Finjan's response to their corporate crisis - quite a retreat. My response was surely not what they had expected.

Round 6

On November 8 I posted to various security newsgroups information on Finjan's attack and retreat as well as my two blunt responses to the overtures from Finjan's Moritz. Readers were quick to understand the truth contained in my review and to call for answers from Finjan. When Moritz posted Finjan's canned response on November 9, the PR material to which he had asked me to provide a link from my review, astute individuals quickly refuted it. Among the best responses and rebuttals were those of

Thus Finjan was caught once again with trousers down and Duke exposed.

Round 7

Apparently dazed from the beating, Finjan's Moritz sent me a series of three increasingly bizarre letters. In the first one he said he would "raise the issues you've forwarded at our next management meeting on Monday," as if I were some sort of close business associate.

The second one was a feeble attempt to explain away the insecure state in which I had observed ftp.finjan.com. After questioning "two former Finjan webmasters," Moritz arrived at the following story:

"[W]hen Finjan's FTP site was hosted by a local (Israel based) ISP, Netvision (netvision.net.il), it was, in fact, possible to 'move up' one directory and have access to all Netvision-hosted public FTP sites. Among the list of available directories was, in fact, Warez. Security at this host was beyond the scope of Finjan's control and the lack of adequate security services at this FTP site was discussed with the ISP. This particular security hole has not been active since we switched host to UUnet (June, 1997)."

This is one of the most absurd excuses one could imagine, and it has nothing to do with the observations of ftp.finjan.com that I reported in my review. And even if it were true, it would be in addition to those observations.

The third letter was almost beyond belief. After falsely accusing me of criminal activity and trying to suppress my review, Finjan and Moritz had decided that "it makes good sense to invite you to join Finjan's Technical Advisory Board. The purpose of the TAB, which I chair, is to help steer research and development of Finjan products, to provide technical evaluations of Finjan products, feedback on processes, products and approaches, analysis of high-level design documents, and analysis of future market trends and technical issues." Perhaps it made good sense to them, given the beating they were taking, but not to me.

My final response on November 9 was the coup de grace. Finjan was left bruised, battered, and bloodied - slumped over the ropes. My postscript was, of course, rather rude, but it was the most civilized gesture of which I was capable under the circumstances.

Post Mortem Questions

My original review certainly gave ample grounds to doubt the effectiveness of Finjan's products, but their handling of that review raises many more questions than it answers. Among the questions that readers should ask are these:

  1. Why did Finjan try to have my original review suppressed?
  2. Why did Finjan go from falsely accusing me of "defamation" and violating "US Copyright laws and local theft statutes" to inviting me to join their Technical Advisory Board?
  3. Why is SurfinShield 2.0 for UNIX, the very version that I reviewed, which includes the dangerous "xhost +" command in its installation script, still available (as of November 20, 1997) as Ss20_11eU.tar at ftp.finjan.com, directly contradicting all of their public pronouncements on the subject?
  4. After what has been revealed here about how, in the past, Finjan took so little care to protect the security of ftp.finjan.com; about how Finjan took so little care to protect its licensing software; about how SurfinShield's installation script dangerously employs the "xhost +" command; and about how their software utterly fails to do what they claim; why should anyone entrust their security to Finjan Software?
  5. After what has been revealed here about how Finjan attempted to stifle someone who wrote about their software's shortcomings by having an attorney misrepresent his review; about how, in response to public outcry, they continued to repeat falsehoods and absurdities about their software and the review's author; and about how they so readily reversed course when confronted with outrage and disbelief; why should anyone believe what Finjan has to say, let alone buy their products?

Based upon my recent experience with Finjan Software and its corporate representatives, I strongly urge all who have to deal with Finjan, both the company and its products, to do so with a critical and skeptical mind. As we have seen, many, many of their claims wither when exposed to sunlight.