Re: Homer on Terrorism

[Tom Weinstein <tomw@netscape.com>]

Tim May wrote:
> 
> At 5:11 PM -0700 6/15/97, Tom Weinstein wrote:
>> Tim May wrote:
> 
>>> (What the Danes offered was a straight buiness deal, albeit made
>>> weirder and more frantic by the constraints of time, publicity, and
>>> worldwide attention. Still a business deal, though. When Collabra
>>> wanted X dollars to be acquired by Netscape, was this also
>>> "terrorism"? The term "terrorist" hardly applies in business
>>> deals.)
>>
>> If it was just a business deal, that would be okay.  We would have a
>> right to not pay him.  It becomes blackmail when he says "If you
>> don't pay me, I will try to damage you."  That's what he did.  He
>> said that if we didn't pay him, he'd time his press announcement to
>> coincide with DevCon in order to cause us the maximum damage, which
>> he did.
> 
> It's still not "terrorism." Just ordinary high-pressure bargaining, as
> when a film star holds out to the last minute on a deal, knowing her
> value increases as the deadline approaches.

It's blackmail.  IANAL, but I believe that blackmail consists of a
demand, and a threat to harm if the demand is not met.

If he had said:
  "I'm going to go to the press on this date.  You can buy the
   information from me before that for X amount of money."

That would be an ordinary business transaction.  Instead, what he said
was something like:
  "Pay me lots of money or I will go to the press in such a way as to
   damage you the most."

That is blackmail.  It's clear that the money is to prevent the damage,
not just for the information.

> Or scads of similar examples, as when Netscape or Microsoft time their
> announcements for maximum impact.
>
> One can imagine people approaching a company with reports of a bug--as
> a certain math professor approached a certain chip company with
> reports of a strange FDIV problem--and being given the polite
> runaround. "Thank you for sharing. We'll have one of our QA engineers
> look into your report and maybe he'll get back to you."
> 
> (I have no idea if Netscape reacted in this way, but I can imagine
> that the flow of bug reports may cause many to linger in the "In"
> baskets without action.)

As a matter of fact, we responded to him very quickly.  The day after
we heard from him we had a phone call where Jeff Weinstein, Jim Roskind
(Java security), and I were present.  We gave it serious attention as
we do with all security holes.

> By reporting the bug to PC Magazine and CNN-FN, the "value" of the bug
> information shot up rather dramatically. The Arrhus team may not have
> gotten any bucks from Netscape--and may not even get a free "Bugs
> Bounty" sweatshirt--but their consulting rates and business have
> probably both gone up.

He reported it to CNN because he was following through on his threat
when we refused to pay him not to.

> Browsers are big business, and high stakes poker. It's not surprising
> to me to see this kind of bluffing and "terorrism" (to quote Homer,
> with his rosy-fingered typing). What's surprising is that it hasn't
> happened more often, or at least hasn't gotten as much publicity.

"Terrorism" probably doesn't apply, since his aim was not political.
(Or doesn't terrorism have to be political?) I think blackmail is a
more appropriate term.

-- 
What is appropriate for the master is not appropriate| Tom Weinstein
for the novice.  You must understand Tao before      | tomw@netscape.com
transcending structure.  -- The Tao of Programming   |