Re: The Offending Stronghold posts...

Robert Hettinga <rah@shipwright.com> writes:
Would someone (besides <spit!> Dr. Vulis of course, or my kill-file eat it...) please forward me the Stronghold article by Dimitri and all replies thereto, so I can at least see what the fuss was all about? I might as well include them in the e$pam feed for posterity.
My archive is patchy at the time, as I subscribed to cp and cp-flames, and only switched to cp-unedited when it became apparent that I would be missing some posts by not being on cp-unedited. However, these are the posts that I have obtained from list members, the posts from Tim were forwarded to me by Tim himself (on request -- he offered in a post to do so), Dimitri's post was forwarded to me by Peter Hendrickson and confirmed by Toto, and Igor. Tim declined to confirm or deny when I forwarded him Dimitri's post due to the legal threats. I do think that this is Dimitri's original post. You will observe that the post isn't flamish. There are many, many other posts which go to confirm the list of events. There may be other replies, but this should keep you going.

[0] Dimitri
[1, 2, 3, 4] Tim's followups (forwarded to me by Tim)
[5] Tim on the legal threats

I would appreciate confirmations of which of the lists

cypherpunks@toad.com (moderated list)
cypherpunks-unedited@toad.com
cypherpunks-flames@toad.com

these 5 posts went to, and confirmations that others on cypherpunks-unedited received them as quoted below. I would also be interested to know which lists my recent potted history went to, this was the posting starting:

: Date: Sun, 16 Feb 1997 23:49:09 GMT
: From: Adam Back <aba@dcs.ex.ac.uk>
: To: cypherpunks@toad.com
: Subject: Moderation experiment and moderator liability
:
:
: There appears to be a bit of a hush up surrounding the circumstances
: of the pause in the moderation experiment and subsequent change of
: moderation policy.
...

Thanks,
Adam

[0]
======================================================================
From: dlv@bwalk.dm.com (Dr.Dimitri Vulis KOTM)
Subject: Security alert!!!
To: cypherpunks@toad.com
Date: Thu, 30 Jan 97 16:15:21 EST
Message-Id: <aw5c2D4w165w@bwalk.dm.com>

WARNING: There's a rogue trojan horse out there on the internet known as the "stronghold web server". It's actually a hacked-up version of Apache with a backdoor, which allows hackers (or whoever knows the backdoor) to steal credit card numbers and other confidential information on the Internet.

Be careful! Always use encryption. Do not send confidential information (such as passwords and credit card numbers) to any site running the trojan horse "stronghold".

In general, beware of "snake oil" security products and hacked-up versions of free software.

Please repost this warning to all relevant computer security forums.

---
Dr.Dimitri Vulis KOTM
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps

[1]
======================================================================
Date: Fri, 7 Feb 1997 13:46:39 -0800
To: Against Moderation <antimod@nym.alias.net>
From: "Timothy C. May" <tcmay@got.net>
Subject: Is Sandy really censoring criticisms of Stronghold, his product?
Cc: cypherpunks@toad.com

At 9:19 AM +0000 2/7/97, Against Moderation wrote:
"Timothy C. May" <tcmay@got.net> writes:
Well, I only subscribe to the Flames list--there is no doubt about this.
In any case, what is the meaning of a message going only to the "Unedited" list? A message that goes to the Unedited list but _not_ to the Flames list must surely go to the Main list, right?
That is,
MAIN list + FLAMES list = UNEDITED list
No, this is not the case. At this point the unedited list does definitely get everything that gets mailed to cypherpunks. However, Vulis did apparently send a couple of [obnoxious, flamey and blatantly untrue] posts about security holes in Stronghold. Sandy deleted that ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ message and did not send to the mail or flames lists.
Could have been an accident, or could be because Vulis and Sandy hate each other...
Whether true or not, it is not the role of Sandy the Censor to decide on the truth of various claims in people's posts. Even by his own (vague and changing) standards, deciding on the _truthfulness_ of articles was never a criterion.

This is a serious charge. Can you send to the list, with a copy to me, the articles which cited security holes in Stronghold?

Given that Sandy works for a company, Community Connection/C2NET, which _sells_ Stronghold, it would be serious indeed if Sandy is using his role as List.Censor to keep such articles from the main list, and even more serious (much more serious), if Sandy is discarding such articles completely.

Given the extremely serious implications of this charge, I would like to see some evidence before believing it.

By the way, this again raises the issue of the danger of filtering out posts merely because _somewhere_ in the post insulting words are used. (Recall that my long essay was almost scrapped by Sandy, by his own admission, because one small paragraph said unflattering things about some people. Jeesh. Is this what Cypherpunks has become?)

It would be far better, and more honest (in a warped way), if Sandy were to leave in the substantive sections of all posts and merely mark offending sections as "***** C E N S O R E D *****." Then people could read the various claims made in posts and still have the "naughty bits" blacked out, so as not to offend their sensibilities. It's the honest way to censor.

--Tim May

[2]
======================================================================
Date: Fri, 7 Feb 1997 13:59:23 -0800
To: cypherpunks@toad.com
From: "Timothy C. May" <tcmay@got.net>
Subject: More on the Stronghold Charge
Cc: dlv@bwalk.dm.com (Dr.Dimitri Vulis KOTM)

Vulis has sent me private mail, which I won't quote here because of the usual netiquette standards that private mail not be quoted (though it's legal to do so).

He asserts that a few weeks ago he sent criticisms of Stronghold out to the Cypherpunks list, and the criticisms did not appear on any of the distributed lists. He claims he then received communications from C2Net of a legal nature, threatening him with legal action.

I'll let Vulis elaborate if he wishes, as I don't know the situation. And I encourage him to do so, for more than one reason.

As I just replied to "Against Moderation" on, I would like to see these articles which were suppressed. Please repost them to the list, and copy me to ensure that I get them.

If this claim is true, that Sandy blocked criticism of Stronghold from reaching either the Main list (bad enough), or from even going out at all on the Flames list (reprehensible), then this is an extremely serious charge.

If the claim is true that Sandy used articles sent to the Cypherpunks list, but never distributed to the list, as the basis by the company which employs him of legal threats of any kind, then this is even more than just "extremely serious."

I would like to hear more from Vulis, and copies of any such articles, and of course would like to hear Sandy's version of things.

This is too serious a charge not to resolve.

--Tim May

[3]
======================================================================
Date: Fri, 7 Feb 1997 15:03:02 -0800
To: Against Moderation <antimod@nym.alias.net>
From: "Timothy C. May" <tcmay@got.net>
Subject: Re: Is Sandy really censoring criticisms of Stronghold, his product?
Cc: cypherpunks@toad.com

At 10:07 PM +0000 2/7/97, Against Moderation wrote:
Okay, I went through my old mail, and I'm fairly sure this is the message. I'm convinced it never went to the flames list, and now that I've found out I'm on the -unedited list after all, I think it probably didn't go to the regular cypherpunks list either. Can people on the various lists confirm this for me?
I checked the archive site (http://infinity.nus.sg/cypherpunks) for the "main" (censored) list, and do not see it there, either by title or by author. I only recently subscribed to the Flames list, so I cannot check to see if it went there. Anyone else check the Flames list? As I said in my last messages, if this message went to neither the Main list nor the Flames list, then a very serious problem has been exposed. Further, if the post, while not being sent to either of the nominal lists which filtered stuff is supposed to go to, was used as the basis of legal threats by the employer of Sandy, the list's censor, then dramatically more serious implications seem evident. I await Sandy's views with great anticipation. The message itself does not look flamish to me. It makes charges, but so do a zillion other posts. It cannot be the job of a censor to decide on what is true and what is not true.
Given the total lack of technical content, the flamey nature of the
It's not "flamey." Nobody is called a cocksucker, nobody is called a faggot, etc. Yes, it claims a product has a trojan horse, but this is a claim comparable to other claims routinely made on list and newsgroups.

I'm also neither stupid nor disingenuous. I realize full well that Vulis probably made the claim because he knows Sandy works for the seller of Stronghold. Be that as it may, it is not proper for a censor employed by the seller of a product to decide that criticisms of his product are flamish. Would the list have countenanced censorship of criticisms of an RSADSI product if the list were being censored by an employee of RSADSI?

And by letting Vulis make such a claim, and then having it quickly rebutted by other employees of C2Net, for example, Vulis would be shown to be spreading disinformation and his reputation capital would decline still further.

If in fact the Vulis claim never made it to either of the two lists to which all filtered messages are supposed to be sorted, then deception has occurred. And a conflict of interest.

Again, I await Sandy's response.
A lot of people out there are subscribing to the cypherpunks-flames and cypherpunks lists thinking that they will see everything that gets rejected (albeit with a substantial delay). If this is not the case, it should be made clear. Otherwise, it's not moderation, but dishonesty.
Indeed.

--Tim May

[4]
======================================================================
Date: Fri, 7 Feb 1997 21:46:10 -0800
To: Against Moderation <antimod@nym.alias.net>, cypherpunks@toad.com
From: "Timothy C. May" <tcmay@got.net>
Subject: Re: The Frightening Dangers of Moderation
Cc: hugh@toad.com

At 4:31 AM +0000 2/8/97, Against Moderation wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Well, folks, tonight I have witnessed the frightening dangers of moderation and censorship first-hand, and would like to tell you what has happened. I think there is an important lesson to be learned from these incidents.
(long account of getting legal threats for quoting a message about CENSORED elided)

This is indeed an important incident. I hope we can discuss it. Many issues central to Cypherpunks are involved. To name a few:

* the moderation/censorship issue itself (though we have probably beaten this one to death in the last few weeks).

* the "libel" issue, especially as it involves Sandy, his company, and the machine the list is hosted from. The introduction of a censor has, as many of us predicted, raised serious libel and liability issues. (This is the best reason I can think of to move to an "alt.cypherpunks" system, where bypassing of liability, libel, copyright violation, etc., laws is naturally handled by the globally decentralized and uncontrolled nature of Usenet.)

* conflicts of interest issues. Apparently Sandy feels information deleterious to C2Net, having to do with a claimed CENSORED in the software product CENSORED, cannot be passed by him to _either_ of the two lists to which articles are supposed to be sent. (Sadly, he did not tell us of this meta-censorship when it happened. This made what he did deceptive as well as wrong.)

* chilling of discussion. As "Against Moderation" notes, merely _quoting_ the article of another caused Sandy to not only reject his article, but also to contact him and raise the threat of legal action. (This even though Against Moderation added all sorts of "obviously false" comments to what Vulis had written.)

* even more threats. At the request of CENSORED today, I called CENSORED and had a verbal communication with him (a nice guy, by the way) about this situation. He averred that "you don't want to be pulled into this," and suggested that if I post certain things, even quoting the reports that a CENSORED exists in CENSORED, I could well be sued by the lawyers of his company!

These are issues which remailers, decentralized servers, anonymity, data havens, and other Cypherpunks technologies make important issues for us to discuss.
When did Cypherpunks start thinking about libel? (Obvious answer: when _their_ companies were the targets of criticism, lies, libel, whatever.) It's not as if insulting or even "libelous" (I'm not a lawyer) comments have not been made routinely on the list. Insulting companies and other institutions has been standard Cypherpunks fare since the beginning. Mykotronx has been accused of high crimes, RSADSI has been declared to be placing backdoors in code, Phil Zimmermann has been declared to be an NSA plant ("only trust the versions of PGP before he cut the deal to get his freedom"), and so on. Think about it. Just about any company with any product related to crypto has at one time or another had their motives questioned, their products slammed, etc. Unfortunately, our Late Censor is an employee of one of the companies so slammed, and he has reacted by rejecting one or more of these slams without bothering to tell the list that he has to do so. (Were it me, I would have "recused" myself from the decision, or at least told the list in general terms what was going on, or, more likely, resigned as censor. But then I would never have been a list.censor in the first place.) I understand that Sandy is stepping down as our Moderator. The Censor is Dead, Long Live Sandy! I expect to harbor no continuing resentment toward Sandy (though I expect things will be strained for a while, as might be expected). The issues raised are ugly ones. Here's what scares me: the "precedent" may irretrievably be established that companies offended by words on the list will threaten legal action to recover their good name. I can imagine Mykotronx or even First Virtual citing the actions of C2Net as a precedent (a cultural precedent, to the extent there is such a thing) for their own legal letters. 
As with the terrible precedent set by the "even Cypherpunks had to censor themselves" experiment, these companies may be able to say "But even a Cypherpunk-oriented company realized that the antidote for damaging speech was not rebutting speech. No, these Cypherpunks realized that some threatening letters and pulling the plug on the speaker was a better approach." And we won't be able to easily argue that Mykotronx has no right to do this while C2Net does. Sandy, in his message a few hours ago to Against Moderation, even made the claim (and Sandy _is_ a lawyer, or at least once was) that John Gilmore could be held liable for speech on the Cypherpunks list. (I don't doubt the "could," but I hate like hell to see a Cypherpunkish company leading the charge.) Perhaps this is true. But the Censorship experiment, and the resulting threats of legal action by C2Net to stop mention of the alleged CENSORED in their product CENSORED, fuel the fire. Instead of denigrating such legal moves--as I'm sure most Cypherpunks would have done a few years ago if RSADSI were to try to sue people for making outrageous claims--we have a major company consisting of several leading Cypherpunks making just such threats. I'm not a legal scholar, but is it really the case that merely _alluding_ to the allegedly libelous comments of another is itself a libel? Is a reporter who writes that "Person X has alleged that Product Y has a Flaw Z" thus committing a libel? (I don't think so, as reporters frequently report such things. If merely quoting an alleged libel is also libel, then presumably a lot of reporters, and even court clerks reporting on cases, are libelers.) (ObLisp reference: quoting an expression ought to have a different return value than evaluating an expression! That's what quotes are for.) 
My comments this past week have not been motivated by animosity toward Sandy, and certainly my comments today are not motivated by any animosity about C2Net or any of its employees (including CENSORED, whom I spoke with today). My comments started out as being a summary of why I had left Cypherpunks when the Great Hijacking was announced. Since last Sunday, when I issued my "Moderation" post, I've only responded to messages I was CC:ed on, or to messages on the Flames list, which I subscribed to temporarily to better see what Sandy was calling flames. The discovery that certain posts were not appearing on either the Main list or the Flames list triggered today's comments about Sandy and the alleged CENSOREDCENSOREDCENSORED (blah blah blah). I hope we can declare this Censorship experiment a failure and move on. However, it is almost certain that as a result of attempts to suppress certain views, that the move back to an unfiltered state will mean that some will use anonymous remailers and nym servers to post even _more_ claims, however outrageous. This is a predictable effect. Cf. Psychology 101 for an explanation. Kicking Vulis off the list predictably produced a flood of Vulis workarounds, and a surge in insults via anonymous remailers. Instituting censorship of the list triggered a flood of comments critical of the experiment, and a predictable "testing" of the censorship limits. And, finally, now that C2Net is threatening legal action to stop discussion--even in quotes!!--of alleged CENSORED in CENSORED, expect a lot of repetition of these claims via remailers. And, I predict, claims about CENSORED will even be spread more widely, e.g., on the Usenet. (Sadly, I half expect a letter from some lawyers or lawyer larvae saying I am "suborning libel," or somesuch nonsense. As Sandy would say, "piffle." Lawyers, take your best shot.) 
======================================================================
Date: Sun, 16 Feb 1997 19:14:04 -0800
From: tcmay@got.net (Tim May)
To: cypherpunks@toad.com
Subject: Threats of Legal Action and C2Net/Stronghold Issue
Newsgroups: alt.cypherpunks,alt.privacy,comp.org.eff.talk
References: <tcmay-ya023180001202971203130001@news.znet.net> <5e2qqm$ahi$1@news.sas.ab.ca> <E5nqty.4rD@world.std.com>

(A copy of this message has also been posted to the following newsgroups: alt.cypherpunks, alt.privacy, comp.org.eff.talk)

At 6:07 PM -0800 2/16/97, Sandy Sandfort wrote:
Curiously, in a subsequent telephone conversation, Tim May proposed almost that exact suggestion as an alternative form of moderation that he said would have been acceptable to him. Go figure.
The only phone conversation I had was with Doug Barnes, at the request of Doug that I urgently phone either him or Sameer. I called Doug as soon as I got the message. (Doug also said he was the only one in the room at the time, and that the call was *not* being recorded, so I have to surmise that Sandy got his version of things via a recap by Doug.)
21. Tim received a warning from C2Net's lawyers that if he did not desist from mentioning that Dimitri had posted an article criticising a C2Net product that he would be sued!
Absolutely false.
What Doug told me was that Dimitri Vulis had already been served with a legal notice about his warnings about a security flaw in Stronghold, and that any repetition of Dimitri's claims by me or anyone else would result in similar legal action.

Doug said that any repetition of the claims, even as part of a quote, would be seen as actionable by C2Net. "We'll vigorously defend our rights." (as best I can recall) He said he thought my messages, to the extent they merely _alluded_ to the claims were probably OK and that they would certainly go through to the list, as Sandy has already resigned from his role as moderator.

(For the record, these messages DID NOT GO THROUGH, and have not gone through as of tonight, 8-9 days later. However, I have forwarded them to several people who requested them.)

(I also did not have a recorder running, so I can't claim this is a verbatim summary of what was said. As to what I said about how the moderation thing might have been done differently, Doug and I chatted for a while about various alternatives. I raised the point I've made before, that having a "members only" policy, with some special provision for some amount of remailed messages, would probably best suit the notion of keeping the "community" running. What I told Doug was that my main objection was having Sandy sit in judgement to essays folks might have spent a long time composing, and I cited physical parties, where a host invites those he wants in attendance, but does not micromanage or screen conversations being held at the party. My sense was that Doug agreed, and agreed that the whole thing had been handled in a bad way...but Doug should comment to tell his view of things.)

The next day, at the physical Cypherpunks meeting at Stanford, I briefly talked to Greg Broiles, working as a legal aide at C2Net. I told Greg he could "take his best shot," in terms of filing suit against me about my messages, as I'm prepared to fight C2Net in court on this matter, and have the financial resources to hire some pretty good lawyers. (I don't recall if Greg replied, or what his reply was.)

In a message to Cypherpunks, I outlined my understanding of the Vulis report on security flaws in Stronghold, and put the claims in the context of messages not appearing on either of the two main lists, but none of my messages were sent to either the Main list or the Flames list.

(I also had communication with several members of the list, some known to me and some only pseudonyms. I have taken the precaution of erasing these messages and copying files to the disk on which they resided to head off any attempts by C2Net to seize my computer and disks as part of some "discovery" process.)

I find it unfortunate that C2Net is behaving in such a manner, and their actions are generating far more publicity about the claimed security flaws in Stronghold than the original Vulis message ever would have generated.

Sunlight is the best disinfectant, as a Supreme Court justice averred. And suppression is a breeding ground for all sorts of bacteria, fungi, and ugly growth, as a less articulate person said.

Reporters interested in this story have already contacted me. They're interested in the situation surrounding the claims of a flaw. I told one reporter I had no expertise in Stronghold, SSL, etc., and could not say, but that I suspected strongly that the claim was made just as a "tweak" of C2Net.

"Truth is an absolute defence against libel claims."

(P.S. To repeat, I doubt there is a flaw in Stronghold, either introduced by RSA (Republic of South Africa, of course) or by the NSA, or by C2Net, or by anyone else. I said as much in my messages which never made it to the list.)

--Tim May