I Respond to Joe's Second Email

(Does Joe Have a Last Name?)

Wednesday, 20 June 2001

That same Joe-someone from LJSystems who sent Michelle Delio a disingenuous reply to her Wired article (whom I have answered elsewhere), later sent me and Michelle yet another email.

This is my public response.

From: "Joe" <joe@ljsystems.com>
To: <mdelio@nyc.rr.com>, <newsfeedback@wired.com>
Cc: <pchelp@nwi.net>, <ted@ljsystems.com>, <jonle@ljsystems.com>, <joe@ljsystems.com>
Subject: RE: security issues
Date: Mon, 18 Jun 2001 20:31:49 -0700

While I have no problem with your exposing security flaws in websites, ...

It would seem to me that you do have a problem with it, Joe. But I think your 10,000-or-so customers will take a more positive view of my help.

I would like you to consider the following:

I was just discussing the release of confidential information with an attorney friend tonight, ...

That's not really the same as consulting with an attorney, is it?

... and he indicated that it would be illegal to forward the confidential information to someone, or use it for something.

That's an awfully general statement.

Couldn't it be argued that by handing out the address of thousands of confidential records on every invoice you shipped, then having your web server respond to that address with other people's confidential information, you might just be forwarding confidential information to someone?

He also said that the fact that a door is open doesn't mean you are allowed to enter - and certainly not take something.

I'm certainly no attorney. (I am by no means sure you've really spoken to one yourself.) But I don't think accessing a publicly-accessible web server with a publicly-accessible Web address YOU gave me even remotely compares to illegal entry.

If it does, then you're my accomplice. I'll rat you out for sure when they get me under the lights.

I haven't read the article in wired yet, ...

I don't believe that for an instant. By the time you wrote this, it had been online at top center on the front page of wired.com for several hours.

... but if at any point PChelp OR Wired USED any of the confidential information, or FORWARDED to someone that used it, this would be a criminal offense.

This sounds a whole lot like a threat to me.

Are you threatening me, Joe? Are you trying to make me fearful of having to contest a criminal complaint?

I hope not. That's one hell of a thing to do to a guy who worked his butt off for much of three days to save your butt and the butts of 10,000 of your customers.

Or would you rather the data of your every transaction continued to be exposed indefinitely?

This would include calling customers with the confidential information on our site.

That's exactly what Michelle did.

Go read the article if you (snort) haven't already, Joe.

As an upstanding citizen, I fear you have no choice now but to report the crime to the authorities. Run along now, and do your duty.

I repeat again, the fact that you could get to it does not make it less confidential.

I am, I assure you, the last to disagree with this statement.

While the site had a security problem for maybe a day

I believe that to be an outright, intentional lie, Joe.

If any of your irate vict- er, customers should ever require you to prove it in court, I will be fascinated to see the evidence.

(and during the update process over the weekend), where hackers that knew how to get it - could potentially get it - ...

Every customer you sent an invoice to for the past year knew how to get it.

Are you saying you regard something to be a secret which you've told to ten to fifteen thousand people?

I'm not sure how you measure risk, Joe. But I think you're going to find you're not in step with your customers on that issue.

... that does NOT justify stealing confidential information; whether it was for journalistic or even more sinister purposes.

I'm sure you'll be relieved (if not surprised) to learn that I accessed the data which you were handing out freely for neither of those purposes.

At this point we have made no decision as to suing PChelp or Wired Magazine.

Now THAT is something I am POSITIVE is a threat.

I feel, however, that the integrity of both PCHelp and Wired is seriously hurt. What PCHelp did in forwarding the confidential information was irresponsible at best ...

Ah, and THAT is a DIRECT accusation of (what you're attempting to define as) wrongdoing.

I've answered this elsewhere. The real circumstances bear no resemblance to this fiction.

... - and Wired Magazine actually admitting to using the confidential information to contact customers, well, that seems just plain stupid.

Ah, so you did read the article. I knew you were just blowin' smoke, Joe.

While I have 50 programmers, ...

What are they, Microsoft's rejects? Just out of vocational school?

... one of which apparently made a mistake when transferring the website to a new machine,

Keep working on your story there, Joe. Something tells me you'll need it in court.

I at least fixed the problem quickly ...

Quit it, Joe! It's hard to type while I'm laughing!

... - you discovered it on the 16th and it was fixed in the morning of the 18th, with the site being down 90% of the time in between ...

It should never, ever, not for one MINUTE have gone back online with all those people's personal data and credit cards hanging out, Joe. That was an act of sheer negligence. It will probably be one of the most damning facts that destroys you in court if you're sued. And here you are admitting to it.

The site was not down "90% of the time"; it was down no more than 60% of the time between my initial report at 4:45 PM on Saturday and 8:00 AM Monday.

The time span was 39 hours from the time I first reported the problem on Saturday until the script was revised on Monday. The site was up and totally accessible for 14 hours continuously on Sunday, from at least 3:11 AM to about 5:20 PM. It was also up, I have proof, from at least 6:30 AM until 8:00 AM on Monday. But you yourself have said that your "programmers" had the site open periodically Sunday night into Monday morning. Therefore the site was up and wide open to exploit for at least 15-1/2 hours (40% of that 39-hour period), and doubtless several hours longer.

What you are doing here, besides lying, is admitting to your own almost inconceivable irresponsibility and incompetence.

You have 50 programmers in your employ, and none of them can fix just one little script?

A task requiring no more skill than the ability to read a manual, requiring mere minutes of someone who has read the manual, required two days to fix, and necessitated the continued exposure of thousands of people to risk and loss?

Rarely in my life have I seen such a lame, inept and despicable attempt to dodge self-evident facts.

I am beginning to lose my respect for you, Joe.

- for PCHelp and Wired to retrieve confidential information and then use it, I find that inexcusable.

Again you make a direct accusation. I never "used" any of that information, for the record.

I really hate being threatened.

Having it come from someone I tried to help is especially insulting.

You could just as easily have explained the situation - no need to make use of information that is clearly not yours - which is what I assumed was the reason you contacted us about the security flaw in the first place.

But you've changed your mind about that now?

In case anyone wonders how I feel about Michelle's methods -- I think she did those people a big favor. I am personally certain that she did absolutely nothing illegal, nor even improper.

Again, I appreciate that you expose security flaws in general ...

Who says that's what I do? I stumbled across this thing by sheer accident. I have never pretended otherwise.

... but feel that you handled it the wrong way this time.

Well, gee, Joe. I guess next time I find someone being as abysmally irresponsible as you, I'll just delete my browser, shut my lil' mouth, and forget I ever saw a thing.

Or maybe call the FBI.

If either of you have any decency you print this as a follow-up to your articles.

Well, you got your wish, Joe. But I think you better get some help for those self-destructive impulses.

Thank You.

How about that! Those were the only two words I thought I'd never hear from you.

Joe J.