From: C Matthew Curtin <cmcurtin@ee.net>
Date: Tue, 27 Aug 1996 14:25:16 +0800
To: "JOHN E. HOLT" <76473.1732@CompuServe.COM>
Subject: Re: libelous action
In-Reply-To: <960826212342_76473.1732_BHT114-1@CompuServe.COM>
Message-ID: <199608270042.UAA04986@goffette.research.megasoft.com>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

>>>>> "JOHN" == JOHN E HOLT <76473.1732@CompuServe.COM> writes:

JOHN> Dear Mr. Curtin 
JOHN> Your statements about myself and my product, The
JOHN> POUCH are defamatory.  Since they have been made in writing and
JOHN> shown to and seen by other parties on the Internet, they
JOHN> constitute libel. Please admit to all parties that you have no
JOHN> personal knowledge of my product capabilities or my personal
JOHN> character or reputation.  Failure to do so at once will result
JOHN> in legal action against you personally and Megasoft.

As my signature said, I speak only for myself. I am not a
representative of Megasoft in any official capacity. That which I have
posted does not represent the views of Megasoft, its employees, its
shareholders, its customers, its business partners, its landlord, its
employees' mothers, and is in no way representative of any person
living or dead, other than myself.

I have no knowledge of JOHN E HOLT <76473.1732@CompuServe.COM>. The
only knowledge I have of THE POUCH is its web site, found at 
http://www.flagler.com/security.html

On 18 August 1996, I posted to the Cypherpunks mailing list, a note
regarding THE POUCH, which included this paragraph:

    If it is any good, there's no way for us to know. But your
    marketing of the product has every indication that it's nothing
    more than smoke and mirrors. To coin a phrase, "pseudocrypto."

I, speaking only on behalf of myself, stand by this statement. I do
not apologize for my comments. If you, Mr. Holt, feel that this is a
personal attack against you, I regret that you've misunderstood the
tone and nature of my post. My statement is hardly libelous; I simply
observed that if your product is truly secure, there is no means by
which security experts can verify such claims.

Study of computer security has shown that obscurity (using unpublished
algorithms, for example) is not "security." By perpetuating confusion
between the two terms, nonexpert users of crypographic software are
hard pressed to make good decisions about what they use, and the risks
of the software they're using. Hiding the internals of such software,
claiming that it is "highly resistant to all known forms of
cryptographic attack," is, in my opinion, irresponsible marketing. It
is my hope that future marketing endeavors of THE POUCH will be more
open and straightforward in its approach to security, providing
evidence of a crystal-box architecture, whose security can be more
objectively determined by potential customers.

Hiding a paper from me by putting it somewhere in New York City is
obscurity. If you hide a paper from me by putting it in a safe, and then
give me the safe, and the technical documentation of the safe's
locking mechanism, and I still can't get the paper, then *that* is
security.

(And, by the way, I think you'll find insisting that I somehow retract
my statements, rather than prove me wrong by showing the quality of
your product, will likely further add to the suspicion that the
security of THE POUCH cannot be proven.)

- -- 
C Mattew Curtin
cmcurtin@ee.net

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Have you encrypted your data today?

iQCVAwUBMiJEYRhyYuO2QvP9AQFPmwQAgimf3IhoX4wMPPNk7JY9nlFDJG2K/gO3
Xnd7ygPYAhz4BRaEl6SAaOOWiKjBA1l5EI5GhZdTL0WIWdKQv5MJROElzTVcY7nx
Tq1wysgTRTLjt7XQS2FyIa1S7OSvyhJttAslbJjpl+PqCwT18bhr3Oh9Cp2g1LRq
sNxdtB1BtQQ=
=I28g
-----END PGP SIGNATURE-----