
Re: The Offending Stronghold posts...




Robert Hettinga <[email protected]> writes:
> Would someone (besides <spit!> Dr. Vulis of course, or my kill-file eat
> it...) please forward me the Stronghold article by Dimitri and all replies
> thereto, so I can at least see what the fuss was all about? I might as well
> include them in the e$pam feed for posterity.

My archive is patchy at the time, as I subscribed to cp and cp-flames,
and only switched to cp-unedited when it became apparent that I would
be missing some posts by not being on cp-unedited.

However, these are the posts that I have obtained from list members,
the posts from Tim were forwarded to me by Tim himself (on request --
he offered in a post to do so), Dimitri's post was forwarded to me by
Peter Hendrickson and confirmed by Toto, and Igor.  Tim declined to
confirm or deny when I forwarded him Dimitri's post due to the legal
threats.  I do think that this is Dimitri's original post.  You will
observe that the post isn't flamish.

There are many, many other posts which go to confirm the list of
events.  There may be other replies, but this should keep you going.

[0] Dimitri
[1, 2, 3, 4] Tim's followups (forwarded to me by Tim)
[5] Tim on the legal threats

I would appreciate confirmations of which of the lists 

	[email protected] (moderated list)
	[email protected]
	[email protected]

these 5 posts went to, and confirmations that others on
cypherpunks-unedited received them as quoted below.  

I would also be interested to know which lists my recent potted
history went to, this was the posting starting:

: Date: Sun, 16 Feb 1997 23:49:09 GMT
: From: Adam Back <[email protected]>
: To: [email protected]
: Subject: Moderation experiment and moderator liability
: 
: 
: There appears to be a bit of a hush up surrounding the circumstances
: of the pause in the moderation experiment and subsequent change of
: moderation policy.
...

Thanks,

Adam

[0]
======================================================================
From: [email protected] (Dr.Dimitri Vulis KOTM)
Subject: Security alert!!!
To: [email protected]
Date: Thu, 30 Jan 97 16:15:21 EST
Message-Id: <[email protected]>

WARNING: There's a rogue trojan horse out there on the internet known as the
"stronghold web server".  It's actually a hacked-up version of Apache with a
backdoor, which allows hackers (or whoever knows the backdoor) to steal credit
card numbers and other confidential information on the Internet.

Be careful! Always use encryption. Do not send confidential information (such
as passwords and credit card numbers) to any site running the trojan horse
"stronghold".

In general, beware of "snake oil" security products and hacked-up versions of
free software.

Please repost this warning to all relevant computer security forums.

---

<a href="mailto:[email protected]">Dr.Dimitri Vulis KOTM</a>
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps

[1]
======================================================================
Date: Fri, 7 Feb 1997 13:46:39 -0800
To: Against Moderation <[email protected]>
From: "Timothy C. May" <[email protected]>
Subject: Is Sandy really censoring criticisms of Stronghold, his product?
Cc: [email protected]

At 9:19 AM +0000 2/7/97, Against Moderation wrote:
>"Timothy C. May" <[email protected]> writes:
>
>> Well, I only subscribe to the Flames list--there is no doubt about this.
>>
>> In any case, what is the meaning of a message going only to the "Unedited"
>> list?  A message that goes to the Unedited list but _not_ to the Flames
>> list must surely go to the Main list, right?
>>
>> That is,
>>
>> MAIN list + FLAMES list = UNEDITED list
>
>No, this is not the case.  At this point the unedited list does
>definitely get everything that gets mailed to cypherpunks.  However,
>Vulis did apparently send a couple of [obnoxious, flamey and blatantly
>untrue] posts about security holes in Stronghold.  Sandy deleted that
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>message and did not send to the mail or flames lists.
>
>Could have been an accident, or could be because Vulis and Sandy hate
>each other...


Whether true or not, it is not the role of Sandy the Censor to decide on
the truth of various claims in people's posts. Even by his own (vague and
changing) standards, deciding on the _truthfulness_ of articles was never
a criterion.

This is a serious charge. Can you send to the list, with a copy to me, the
articles which cited security holes in Stronghold?

Given that Sandy works for a company, Community Connection/C2NET, which
_sells_ Stronghold, it would be serious indeed if Sandy is using his role
as List.Censor to keep such articles from the main list, and even more
serious (much more serious), if Sandy is discarding such articles
completely.

Given the extremely serious implications of this charge, I would like to
see some evidence before believing it.

By the way, this again raises the issue of the danger of filtering out
posts merely because _somewhere_ in the post insulting words are used.
(Recall that my long essay was almost scrapped by Sandy, by his own
admission, because one small paragraph said unflattering things about some
people. Jeesh. Is this what Cypherpunks has become?)

It would be far better, and more honest (in a warped way), if Sandy were
to leave in the substantive sections of all posts and merely mark
offending sections as "***** C E N S O R E D *****." Then people could
read the various claims made in posts and still have the "naughty bits"
blacked out, so as not to offend their sensibilities. It's the honest way
to censor.

--Tim May

[2]
======================================================================
Date: Fri, 7 Feb 1997 13:59:23 -0800
To: [email protected]
From: "Timothy C. May" <[email protected]>
Subject: More on the Stronghold Charge
Cc: [email protected] (Dr.Dimitri Vulis KOTM)

Vulis has sent me private mail, which I won't quote here because of the
usual netiquette standards that private mail not be quoted (though it's
legal to do so). He asserts that a few weeks ago he sent criticisms of
Stronghold out to the Cypherpunks list, and the criticisms did not appear
on any of the distributed lists.

He claims he then received communications from C2Net of a legal nature,
threatening him with legal action. I'll let Vulis elaborate if he wishes,
as I don't know the situation. And I encourage him to do so, for more than
one reason.

As I just replied to "Against Moderation" on, I would like to see these
articles which were suppressed. Please repost them to the list, and copy
me to ensure that I get them.

If this claim is true, that Sandy blocked criticism of Stronghold from
reaching either the Main list (bad enough), or from even going out at all
on the Flames list (reprehensible), then this is an extremely serious
charge.

If the claim is true that Sandy used articles sent to the Cypherpunks
list, but never distributed to the list, as the basis by the company which
employs him of legal threats of any kind, then this is even more than just
"extremely serious."

I would like to hear more from Vulis, and copies of any such articles, and
of course would like to hear Sandy's version of things.

This is too serious a charge not to resolve.

--Tim May

[3]
======================================================================
Date: Fri, 7 Feb 1997 15:03:02 -0800
To: Against Moderation <[email protected]>
From: "Timothy C. May" <[email protected]>
Subject: Re: Is Sandy really censoring criticisms of Stronghold, his product?
Cc: [email protected]

At 10:07 PM +0000 2/7/97, Against Moderation wrote:
>Okay, I went through my old mail, and I'm fairly sure this is the
>message.  I'm convinced it never went to the flames list, and now that
>I've found out I'm on the -unedited list after all, I think it
>probably didn't go to the regular cypherpunks list either.  Can people
>on the various lists confirm this for me?

I checked the archive site (http://infinity.nus.sg/cypherpunks) for the
"main" (censored) list, and do not see it there, either by title or by
author.

I only recently subscribed to the Flames list, so I cannot check to see if
it went there. Anyone else check the Flames list?

As I said in my last messages, if this message went to neither the Main
list nor the Flames list, then a very serious problem has been exposed.

Further, if the post, while not being sent to either of the nominal lists
which filtered stuff is supposed to go to, was used as the basis of legal
threats by the employer of Sandy, the list's censor, then dramatically
more serious implications seem evident. I await Sandy's views with great
anticipation.

The message itself does not look flamish to me. It makes charges, but so
do a zillion other posts. It cannot be the job of a censor to decide on
what is true and what is not true.

>Given the total lack of technical content, the flamey nature of the

It's not "flamey." Nobody is called a cocksucker, nobody is called  a
faggot, etc. Yes, it claims a product has a trojan horse, but this is a
claim comparable to other claims routinely made on list and newsgroups.

I'm also neither stupid nor disingenuous. I realize full well that Vulis
probably made the claim because he knows Sandy works for the seller of
Stronghold. Be that as it may, it is not proper for a censor employed by
the seller of a product to decide that criticisms of his product are
flamish. Would the list have countenanced censorship of criticisms of an
RSADSI product if the list were being censored by an employee of RSADSI?
And by letting Vulis make such a claim, and then having it quickly
rebutted by other employees of C2Net, for example, Vulis would be shown to
be spreading disinformation and his reputation capital would decline still
further.

If in fact the Vulis claim never made it to either of the two lists to which
all filtered messages are supposed to be sorted, then deception has
occurred. And a conflict of interest.

Again, I await Sandy's response.

>A lot of people out there are subscribing to the cypherpunks-flames
>and cypherpunks lists thinking that they will see everything that gets
>rejected (albeit with a substantial delay).  If this is not the case,
>it should be made clear.  Otherwise, it's not moderation, but
>dishonesty.

Indeed.

--Tim May

[4]
======================================================================
Date: Fri, 7 Feb 1997 21:46:10 -0800
To: Against Moderation <[email protected]>, [email protected]
From: "Timothy C. May" <[email protected]>
Subject: Re: The Frightening Dangers of Moderation
Cc: [email protected]

At 4:31 AM +0000 2/8/97, Against Moderation wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>Well, folks, tonight I have witnessed the frightening dangers of
>moderation and censorship first-hand, and would like to tell you what
>has happened.  I think there is an important lesson to be learned from
>these incidents.

(long account of getting legal threats for quoting a message about
CENSORED elided)

This is indeed an important incident. I hope we can discuss it. Many
issues central to Cypherpunks are involved. To name a few:

* the moderation/censorship issue itself (though we have probably beaten
this one to death in the last few weeks).

* the "libel" issue, especially as it involves Sandy, his company, and the
machine the list is hosted from. The introduction of a censor has, as many
of us predicted, raised serious libel and liability issues. (This is the
best reason I can think of to move to an "alt.cypherpunks" system,
where bypassing of liability, libel, copyright violation, etc.,  laws is
naturally handled by the globally decentralized and uncontrolled nature of
Usenet.)

* conflicts of interest issues. Apparently Sandy feels information
deleterious to C2Net, having to do with a claimed CENSORED in the software
product CENSORED, cannot be passed by him to _either_ of the two lists to
which articles are supposed to be sent. (Sadly, he did not tell us of this
meta-censorship when it happened. This made what he did deceptive as well
as wrong.)

* chilling of discussion. As "Against Moderation" notes, merely _quoting_
the article of another caused Sandy to not only reject his article, but
also to contact him and raise the threat of legal action. (This even
though Against Moderation added all sorts of "obviously false" comments to
what Vulis had written.)

* even more threats. At the request of CENSORED today, I called CENSORED
and had a verbal communication with him (a nice guy, by the way) about
this situation. He averred that "you don't want to be pulled into this,"
and suggested that if I post certain things, even quoting the reports that
a CENSORED exists in CENSORED, I could well be sued by the lawyers of his
company!

These are issues which remailers, decentralized servers, anonymity, data
havens, and other Cypherpunks technologies make important issues for us to
discuss.


When did Cypherpunks start thinking about libel? (Obvious answer: when
_their_ companies were the targets of criticism, lies, libel, whatever.)
It's not as if insulting or even "libelous" (I'm not a lawyer) comments
have not been made routinely on the list. Insulting companies and other
institutions has been standard Cypherpunks fare since the beginning.
Mykotronx has been accused of high crimes, RSADSI has been declared to be
placing backdoors in code, Phil Zimmermann has been declared to be an NSA
plant ("only trust the versions of PGP before he cut the deal to get his
freedom"), and so on. Think about it. Just about any company with any
product related to crypto has at one time or another had their motives
questioned, their products slammed, etc.

Unfortunately, our Late Censor is an employee of one of the companies so
slammed, and he has reacted by rejecting one or more of these slams
without bothering to tell the list that he has to do so. (Were it me, I
would have "recused" myself from the decision, or at least told the list
in general terms what was going on, or, more likely, resigned as censor.
But then I would never have been a list.censor in the first place.)

I understand that Sandy is stepping down as our Moderator. The Censor is
Dead, Long Live Sandy! I expect to harbor no continuing resentment toward
Sandy (though I expect things will be strained for a while, as might be
expected).

The issues raised are ugly ones. Here's what scares me: the "precedent"
may irretrievably be established that companies offended by words on the
list will threaten legal action to recover their good name. I can imagine
Mykotronx or even First Virtual citing the actions of C2Net as a precedent
(a cultural precedent, to the extent there is such a thing) for their own
legal letters.

As with the terrible precedent set by the "even Cypherpunks had to censor
themselves" experiment, these companies may be able to say "But even a
Cypherpunk-oriented company realized that the antidote for damaging speech
was not rebutting speech. No, these Cypherpunks realized that some
threatening letters and pulling the plug on the speaker was a better
approach."

And we won't be able to easily argue that Mykotronx has no right to do
this while C2Net does.

Sandy, in his message a few hours ago to Against Moderation, even made the
claim (and Sandy _is_ a lawyer, or at least once was) that John Gilmore
could be held liable for speech on the Cypherpunks list. (I don't doubt
the "could," but I hate like hell to see a Cypherpunkish company leading
the charge.)

Perhaps this is true. But the Censorship experiment, and the resulting
threats of legal action by C2Net to stop mention of the alleged CENSORED
in their product CENSORED, fuel the fire. Instead of denigrating such
legal moves--as I'm sure most Cypherpunks would have done a few years ago
if RSADSI were to try to sue people for making outrageous claims--we have
a major company consisting of several leading Cypherpunks making just such
threats.

I'm not a legal scholar, but is it really the case that merely _alluding_
to the allegedly libelous comments of another is itself a libel? Is a
reporter who writes that "Person X has alleged that Product Y has a Flaw
Z" thus committing a libel? (I don't think so, as reporters frequently
report such things. If merely quoting an alleged libel is also libel, then
presumably a lot of reporters, and even court clerks reporting on cases,
are libelers.)

(ObLisp reference: quoting an expression ought to have a different return
value than evaluating an expression! That's what quotes are for.)

My comments this past week have not been motivated by animosity toward
Sandy, and certainly my comments today are not motivated by any animosity
about C2Net or any of its employees (including CENSORED, whom I spoke with
today).

My comments started out as being a summary of why I had left Cypherpunks
when the Great Hijacking was announced. Since last Sunday, when I issued
my "Moderation" post, I've only responded to messages I was CC:ed on, or
to messages on the Flames list, which I subscribed to temporarily to
better see what Sandy was calling flames. The discovery that certain posts
were not appearing on either the Main list or the Flames list triggered
today's comments about Sandy and the alleged CENSOREDCENSOREDCENSORED
(blah blah blah).

I hope we can declare this Censorship experiment a failure and move on.
However,  it is almost certain that as a result of attempts to suppress
certain views, that the move back to an unfiltered state will mean that
some will use anonymous remailers and nym servers to post even _more_
claims, however outrageous.

This is a predictable effect. Cf. Psychology 101 for an explanation.
Kicking Vulis off the list predictably produced a flood of Vulis
workarounds, and a surge in insults via anonymous remailers. Instituting
censorship of the list triggered a flood of comments critical of the
experiment, and a predictable "testing" of the censorship limits. And,
finally, now that C2Net is threatening legal action to stop
discussion--even in quotes!!--of alleged CENSORED in CENSORED, expect a
lot of repetition of these claims via remailers. And, I predict, claims
about CENSORED will even be spread more widely, e.g., on the Usenet.

(Sadly, I half expect a letter from some lawyers or lawyer larvae saying I
am "suborning libel," or somesuch nonsense. As Sandy would say, "piffle."
Lawyers, take your best shot.)

======================================================================
Date: Sun, 16 Feb 1997 19:14:04 -0800
From: [email protected] (Tim May)
To: [email protected]
Subject: Threats of Legal Action and C2Net/Stronghold Issue
Newsgroups: alt.cypherpunks,alt.privacy,comp.org.eff.talk
References: <[email protected]> <[email protected]> <[email protected]>

(A copy of this message has also been posted to the following newsgroups:
alt.cypherpunks,  alt.privacy, comp.org.eff.talk)


At 6:07 PM -0800 2/16/97, Sandy Sandfort wrote:

>Curiously, in a subsequent telephone conversation, Tim May 
>proposed almost that exact suggestion as an alternative form of
>moderation that he said would have been acceptable to him.  Go
>figure.

The only phone conversation I had was with Doug Barnes, at the request of
Doug that I urgently phone either him or Sameer. I called Doug as soon as I
got the message. (Doug also said he was the only one in the room at the
time, and that the call was *not* being recorded, so I have to surmise that
Sandy got his version of things via a recap by Doug.)

 
>> 21. Tim received a warning from C2Net's lawyers that if he did not
>> desist from mentioning that Dimitri had posted an article criticising
>> a C2Net product that he would be sued!
>
>Absolutely false.
> 

What Doug told me was that Dimitri Vulis had already been served with a
legal notice about his warnings about a security flaw in Stronghold, and
that any repetition of Dimitri's claims by me or anyone else would result
in similar legal action.

Doug said that any repetition of the claims, even as part of a quote, would
be seen as actionable by C2Net. "We'll vigorously defend our rights." (as
best I can recall) He said he thought my messages, to the extent they
merely _alluded_ to the claims were probably OK and that they would
certainly go through to the list, as Sandy has already resigned from his
role as moderator.

(For the record, these messages DID NOT GO THROUGH, and have not gone
through as of tonight, 8-9 days later. However, I have forwarded them to
several people who requested them.)

(I also did not have a recorder running, so I can't claim this is a
verbatim summary of what was said. As to what I said about how the
moderation thing might have been done differently, Doug and I chatted for a
while about various alternatives. I raised the point I've made before, that
having a "members only" policy, with some special provision for some amount
of remailed messages, would probably best suit the notion of keeping the
"community" running. What I told Doug was that my main objection was having
Sandy sit in judgement to essays folks might have spent a long time
composing, and I cited physical parties, where a host invites those he
wants in attendance, but does not micromanage or screen conversations being
held at the party. My sense was that Doug agreed, and agreed that the whole
thing had been handled in a bad way...but Doug should comment to tell his
view of things.)

The next day, at the physical Cypherpunks meeting at Stanford, I briefly
talked to Greg Broiles, working as a legal aide at C2Net. I told Greg he
could "take his best shot," in terms of filing suit against me about my
messages, as I'm prepared to fight C2Net in court on this matter, and have
the financial resources to hire some pretty good lawyers. (I don't recall
if Greg replied, or what his reply was.)

In a message to Cypherpunks, I outlined my understanding of the Vulis
report on security flaws in Stronghold, and put the claims  in the context
of messages not appearing on either of the two main lists,  but none of my
messages were sent to either the Main list or the Flames list. 

(I also had communication with several members of the list, some known to
me and some only pseudonyms. I have taken the precaution of erasing these
messages and copying files to the disk on which they resided to head off
any attempts by C2Net to seize my computer and disks as part of some
"discovery" process.)

I find it unfortunate that C2Net is behaving in such a manner, and their
actions are generating far more publicity about the claimed security flaws
in Stronghold than the original Vulis message ever would have generated. 

Sunlight is the best disinfectant, as a Supreme Court justice averred. And
suppression is a breeding ground for all sorts of bacteria, fungi, and ugly
growth, as a less articulate person said.

Reporters interested in this story have already contacted me. They're
interested in the situation surrounding the claims of a flaw. I told one
reporter I had no expertise in Stronghold, SSL, etc., and could not say,
but that I suspected strongly that the claim was made just as a "tweak" of
C2Net. 

"Truth is an absolute defence against libel claims."

(P.S. To repeat, I doubt there is a flaw in Stronghold, either introduced
by RSA (Republic of South Africa, of course) or by the NSA, or by C2Net, or
by anyone else. I said as much in my messages which never made it to the
list.)

--Tim May