I Respond to Joe's Third Email

(Who Is This Guy Anyway?)

Wednesday, 20 June 2001

That same Joe-someone from LJSystems who sent Michelle Delio a disingenuous reply to her Wired article, and who later sent me and Michelle yet another email, has apparently also been responding to the complaints of irate ComputerHQ customers.

One of those who complained has sent me Joe's response. It was received within mere minutes of the sender's email, which indicates that this is a prepared text that has been sent to numerous individuals.

This is my public response to that email.

From: "Joe"
To: [someone who complained]
Date: Mon, 18 Jun 2001

A PC consultant / web security firm called PCHelp (www.pc-help.org) ...

Woah there. I never told anyone I was a "web security firm." I'm not any sort of "firm". There's just me and myself.

Looks to me as if you want people to think I'm promoting my services by reprehensible means. That's an underhanded trick if I ever saw one.

Well thanks, Joe, you'd probably get me some business this way (I've had one inquiry already!), but I'm too busy doing other things. Like dealing with your PR lies, for one.

... that apparently searches the net for security breaches ...

I've told that story now for all to see, Joe. Lying to people you've already betrayed is bad form, by the way. They find out sooner or later; and then you're in far deeper than you were before.

... decided to try to break into a restricted area of our site.

Although I've dealt with the facts elsewhere, allow me to point out that this is an intentional, and particularly slimy lie.

While we have no excuse for the security hole ...

Now we're talking! About time you took some direct and full responsibility. Why, I thought you'd never - whoops! What's this? Joe, you said there was no excuse! Yet you say:

... it was an accident caused by moving the site to a new server a few days earlier.

Why, that is one of the purest forms of outright spin-doctoring I have ever seen.

Some of those customers of yours, whose records I firmly believe have been exposed for most of a year, are going to want you to back this up with hard evidence, Joe. Better get right to work falsifying those server logs...

When PCHelp notified us we immediately took the site down and applied a fix - ...

But it wasn't fixed!

... the site was down until Monday morning at 8am, with sporadic restarts to test the patch.

To TEST?! Why, you lying...

That's not what the facts will say. That's not what I'll say either, when testifying for the Plaintiffs. Nor will the several other individuals who personally witnessed your incompetence.

At 8am Monday the programmers were confident the security hole was fixed ...

How many programmers does it take to password-protect a directory on a Web server? Or at very least, to just delete a file?

... and we put the site online. This happened on the 16th, and the site with the fix was put online in the morning of the 18th.

No, that's not what happened, Joe! Let me refresh your memory.

I told you about it Saturday afternoon.

The site was back online by 3AM Sunday, unfixed. What you think you fixed I have no idea. I had provided full and complete particulars of the actual, extremely simple problem.

At this point (Sunday AM) I daresay that your "programmers" may possibly have been "confident the security hole was fixed" -- but it wasn't, was it?

The site stayed online for 14 hours, and only because I intervened to save the day (and your sorry ass in the bargain), was it taken offline again for repairs!

It would have presumably remained unremedied for the foreseeable future if I had done nothing more.

Then in a supreme act of abject stupidity, while unquestionably aware of the exact problem and the extreme nature of the exposure it represented, you put it back online, still unremedied, and left it wide open for another hour and a half on Monday morning! As well as periodically throughout the previous night by your own statements.

Now, we would obviously not alert anybody about a security breach before it was fixed - that's the last thing you would do.

Granted. So of course now that it's fixed, that is what you're doing -- isn't it?

I'm waiting and watching, Joe. Several of your clients will be informing me whether you come to them with a letter of explanation.

No word yet.

Furthermore, since the PChelp web security firm ...

The what - ?

... notified us about this, we believed they had good intentions, and while we didn't hire them ...

Ah! There, see? Another slimy, underhanded attempt to suggest I was drumming up business. You're a real piece of work, Joe.

... we did call and ask him how he got into the restricted area of the site.

No, actually, you didn't. I called you, at considerable expense of time and effort, in a desperate attempt to get you to do something about it! I volunteered the information, actually gave it to you twice!

Next you'll claim I held the facts for ransom! But I wasn't concerned for myself. Nor for you, really. I was thinking of those thousands of people. Thousands! Whose credit card numbers and detailed personal info probably was and probably still is being passed around on IRC by any number of larcenous teenagers, exploited by organized Russian cybercriminals, used to perpetrate identity theft; you name it.

By the way, I think Ted Chen might actually have appreciated my help. He had the decency to tell me when the script had been revised, and ask me to verify. The guy showed some real evidence that he gave a damn.

Since then, the only word I've seen from you people is your blather, Joe. What a cold slap in the face this has been!

If Ted's half the man I think he is, by now he's ashamed to be associated with you, Joe. But if his Bay Area real estate isn't paid for, I presume he can't afford to say so openly and resign in disgust.

Since the site was moved to the new server on Thursday (and we were down most of the day because of that), and we were notified by a security firm on Friday, we believe that the chances of any compromise of personal info are extremely low.

While we apologize for the security breach, ...

You couldn't stop there; you had to add a lie:

... I feel that for the web security firm to explain to a magazine HOW TO RETRIEVE confidential information from a site,

Which is NOT what happened. That journalist was contacted by a friend (in whom I had confided only after your first failure to act); and she only had the information after the ComputerHQ.com site had presumably been secured.

It was inconceivable that you'd put the site back online with the enormous, gaping hole still intact, after I had warned you about it with full specifics for the second time and had personally confirmed that the site had gone offline for repairs. Who could have anticipated something so outrageously stupid and irresponsible?

... and they in turn hack into our site ...

A calculated, intentional lie. You should be utterly ashamed of yourself, Joe.

... and then USE the illegally obtained information, now that is not right.

Illegal? Oh, well, now you must call in the Feds, Joe.

They will be most unhappy with you when they find out the real story.

Both the web security firm and Wired magazine should know right from wrong, and as an attorney explained to me tonight, "the fact that a door is open does NOT make it right to enter and take something."

Joe, you know not the limits of decency.

In view of the fact that you show no evidence whatsoever of informing those thousands of victims who need to know of your incompetence, your stupidity, and your betrayal of their trust; how dare you rail against someone who did it in your stead?

I realize that your concern is with your confidential information, but at this point we know of no other breach than PCHelp, Wired Magazine and possibly Ziff-Davis.

Considering your honesty in other respects, Joe, who do you suppose should believe this?

The fact is that your web logs, if you've retained them, will contain every instance that the tattle-tale script was accessed.

It is a 100% certainty that you have the logs from recent weeks. Therefore, you know what I accessed. You know what Michelle Delio of Wired accessed, and you know any and all other instances.

Sadly, such logs are easily doctored, and obliterating them is as easy as deleting a few files. So if you choose, you can be either informative or deceptive, even treacherous when it comes to the disclosure of the facts.

I vote for treacherous.

The PCHelp guy apparently did it as a publicity stunt, ...

See what I mean? Treacherous.

For the record, I only created this web page at the urging of a friend.

I also found I had little choice but to tell my side of the story when confronted with your intentional, inexcusable lies, Joe.

It's fair to say that any and all publicity relating to this incident is primarily a result of your actions (and lack thereof).

... and while I have no problem with that part of it ...

Of course you haven't, seeing as you just invented that "part of it"!

... I have a serious problem with him walking through that door and taking information.

You have the logs, Joe. You know what I did. It is precisely as I have described here, I can prove it easily with evidence I have retained, and I will do so if it is ever required.

For Wired Magazine, part of Lycos, to do it, and possibly Ziff-Davis as well, I find even stranger, but realize that they use freelance journalists that are just as interested in making a statement as the PCHelp guy.

Neither journalist is freelance.

Both journalists, as I understand it, acted only after consulting carefully on the legality of their actions. Media organizations of any size always retain attorneys for just this purpose.

Had "making a statement" been my purpose, I'd have never argued against disclosing the name of the business prematurely, never spoken to moderate the outrage others expressed. I'd never have hesitated to place full details on my own website. But I did all those things.

In case of your card being used without your permission I believe there is a maximum $50 charge for you according to the law, ...

To my knowledge, there is no such limit based in law, rather it is simply the policy of most of those who issue credit. Furthermore, there is NO limit to the potential loss to a consumer who may use a debit card -- which is outwardly indistinguishable from a credit account. The cardholder's personal account can be cleaned out and they may be without recourse of any kind unless they actively prove the lost funds were removed by no fault of their own.

What really gets me about this, Joe, is - how dare you, in your depths of dishonesty and irresponsibility, try to negate the severity of the inconvenience and loss to which you've put these people?

How dare you try to shift the blame, not merely to an innocent party, but to the one person who alone did the most to resolve this terrible situation, a Good Samaritan whom you know did all he could to help all those concerned?

... and we will certainly cover that for you if necessary.

Joe, I read this to say that you have agreed to cover a maximum of $50 of losses to any person whose credit account was, is, or will have been compromised by your negligence.

While that much is certainly called-for, I daresay it is nowhere near enough. What about cleaned-out debit accounts? What about the gross inconvenience, the shock and worry, to which all of those thousands of people will be put when they learn they must cancel accounts, pore over statements, agonize over your stupidity?

And where is it you're promising to notify all those people of their exposure? I don't see it here, Joe.

Also, if your credit card company charges you for replacing your card (not likely), please let me know.

Ever the nice guy, eh, Joe?

I hope you understand our position and accept our apologies ...

Indeed you do hope so, Joe, because if they don't you're likely to face lawsuits.

By the way, how are people to understand something about which you're lying to them?

... - for the short breach of our site, ...

Not for an instant do I believe it was short. Readers will find my rationale for that belief well articulated elsewhere.

And once again -- shall we rely upon your word for that? You seem rather unreliable to me, Joe.

... and especially for the behaviour of PCHelp and Wired Magazine.

Apologizing for what I did? You slimy creep, Joe!

I hereby formally and with finality, utterly reject and deny any need whatsoever for anyone, especially Joe, to ever apologize in any way, shape or form for anything I have done at any time in relation to this incident.

Wired can speak for themselves. I doubt they'll take this kindly.

They have the right to report this security breach, but NOT use it to retrieve confidential information, as they apparently did for the Wired story.

Which made the story more damaging to you, Joe. Isn't that what concerns you?

I can't bring myself to believe it's because you care about the victims.

Thank You.