Tim May wrote:
At 5:11 PM -0700 6/15/97, Tom Weinstein wrote:
Tim May wrote:
(What the Danes offered was a straight business deal, albeit made weirder and more frantic by the constraints of time, publicity, and worldwide attention. Still a business deal, though. When Collabra wanted X dollars to be acquired by Netscape, was this also "terrorism"? The term "terrorist" hardly applies in business deals.)
If it was just a business deal, that would be okay. We would have a right to not pay him. It becomes blackmail when he says "If you don't pay me, I will try to damage you." That's what he did. He said that if we didn't pay him, he'd time his press announcement to coincide with DevCon in order to cause us the maximum damage, which he did.
It's still not "terrorism." Just ordinary high-pressure bargaining, as when a film star holds out to the last minute on a deal, knowing her value increases as the deadline approaches.
It's blackmail. IANAL, but I believe that blackmail consists of a demand, and a threat to harm if the demand is not met. If he had said: "I'm going to go to the press on this date. You can buy the information from me before that for X amount of money." That would be an ordinary business transaction. Instead, what he said was something like: "Pay me lots of money or I will go to the press in such a way as to damage you the most." That is blackmail. It's clear that the money is to prevent the damage, not just for the information.
Or scads of similar examples, as when Netscape or Microsoft time their announcements for maximum impact.
One can imagine people approaching a company with reports of a bug--as a certain math professor approached a certain chip company with reports of a strange FDIV problem--and being given the polite runaround. "Thank you for sharing. We'll have one of our QA engineers look into your report and maybe he'll get back to you."
(I have no idea if Netscape reacted in this way, but I can imagine that the flow of bug reports may cause many to linger in the "In" baskets without action.)
As a matter of fact, we responded to him very quickly. The day after we heard from him we had a phone call where Jeff Weinstein, Jim Roskind (Java security), and I were present. We gave it serious attention as we do with all security holes.
By reporting the bug to PC Magazine and CNN-FN, the "value" of the bug information shot up rather dramatically. The Aarhus team may not have gotten any bucks from Netscape--and may not even get a free "Bugs Bounty" sweatshirt--but their consulting rates and business have probably both gone up.
He reported it to CNN because he was following through on his threat when we refused to pay him not to.
Browsers are big business, and high stakes poker. It's not surprising to me to see this kind of bluffing and "terorrism" (to quote Homer, with his rosy-fingered typing). What's surprising is that it hasn't happened more often, or at least hasn't gotten as much publicity.
"Terrorism" probably doesn't apply, since his aim was not political. (Or doesn't terrorism have to be political?) I think blackmail is a more appropriate term.

--
What is appropriate for the master is not appropriate | Tom Weinstein
for the novice. You must understand Tao before        | tomw@netscape.com
transcending structure. -- The Tao of Programming     |