Philippe wrote:
> With reference to the “President Clinton” incident, no doubt that CNN’s
> handling of the chat software they are using or have been using has not been
> ideal. Having said that, it is not always easy, nowadays, to assess the
> reliability of one’s software, and it is an all too common story that bugs
> in newly (or not so newly) released software are discovered at the occasion
> of a “hack-attack” of some sort.

It is very easy to insure that your software is not THAT poorly configured.

> That someone could impersonate the President in such circumstances is simply
> mind-boggling.

I agree.  My mind was quite boggled that they would allow such a thing.

> HOWEVER, I would also seriously question the honesty and integrity of a
> person who, knowingly, took advantage of a situation which was already all
> too stressful for the people who made the chat possible in the first place.

I did not know at the time I typed those comments that they would be sent to
the other users.  I was still in disbelief that the system would allow it.

> Granted, your impersonation of the President was no hack. But, and that is
> one statement you are not likely to rebuff, as it seems to be your pride, it
> still is an impersonation. Had the governments around the globe caught up
> with the Internet developments, they probably would have come up with severe
> penalties and a battery of laws aimed at preventing such misuses of an
> otherwise very useful tool.
>
> Had it happened anywhere else but on the Internet, you probably would have
> found yourself with an indictment for what surely should be considered as an
> offence of some sort. And that would have been justified.

"offence of some sort."  Please expand on this further when you are a practicing
lawyer.

> For my part, I would like to turn my attention to considerations which you
> probably never even thought about, too busy that you are trying to mock the
> systems, or to prove that you are cleverer than the people designing those
> systems, with or without hack.

First of all, as this prank was completely unplanned and spontaneous, I
did not think about it at all before it happened.  That would have been
the time to think about most of what I'm sure you're about to say, but
unfortunately I left my stop time device at home that day.

> Firstly, have you ever considered the impact this little “good joke” of
> yours could have on the staff responsible for systems security at CNN? Have
> you ever thought that some of them could eventually be sacked as a result of
> your “interlude”, because of the embarrassment caused to CNN? After all,
> someone will have to pay, and since you are not likely to be the one to take
> the blame, the scapegoat will have to be someone at CNN. I truly hope this
> does not occur, but there are too many similar stories around the IT world
> to doubt that someone’s career will be seriously impacted, even if what
> happened has little to do with IT at all. How does this make you feel?

Considering that the admin was stupidly running a script to auto-voice me,
that may possibly be his fate.  It was extreme negligence on his part, and
whoever planned the chat to not use the NickServ was also quite negligent.
I certainly was not trying to get anyone fired, but sometimes when you
screw up really bad, that's the price you pay.  It happens to all of us.

If CNN is an reasonable employer, however, I'm sure they will find a
better way of responding to the mistakes.  Unless an employee intentionally
screws up, there is rarely a reason to dismiss him.  People learn through
their mistakes, and someone that has made a mistake while in your employ
is all the more valuable for the experience and knowledge they have gained.

> Secondly, in your attempt to defend yourself, you have attacked the
> reputation and integrity of a software product (in spite of your claims you
> did not intend to do so), to discover later that you were misinformed, and
> that your comments about this software product were way out of line. You
> would be well advised to make sure the information you base yourself upon to
> criticise some products is accurate, and is not simply your personal
> interpretation of the technical specifications of those products. That is an
> advice, as some companies may not be as understanding as WebMaster’s. You
> could very well be faced with lawsuits in the future, where you would have
> to justify the kind of irresponsible comments you have made initially.

My statements were orignally too harsh.  I did not change or remove any
statements I made about the software in my original statement.  I simply
chose some less inflammatory words when I was able to reevaluate the statement.
It was originally written quite late at night after I had just finished
dealing with a slew of reporters accusing me of hacking, and I was irresponsible
in my choice of words.

However, as I said to WebMaster, my statements about the product in the original
statement were essentially correct.  A software product which crashes under
high load is, by definition, incorrect (unless that was the specified behavior).
If problems in Windows NT prevent them from building a product that does not
crash, then they should not provide software for that platform.

That is, of course, a very idealistic statement to make.  In the current
software market, almost no one seems to believe it.  Nonetheless, it is true.

> Thirdly, it is experiences like the one you caused that make corporations
> and people think twice about using the Internet for wider applications.
> Security has always been an issue, and will remain one, as long as
> unscrupulous individuals will continue to take advantage of the
> imperfections of the system. I would have an awful greater lot of respect
> for you if you were offering your services as a professional to
> organisations such as CNN or WebMasters to help them identify any
> deficiencies in their systems/networks. But that would not be “as much fun”,
> would it! Because that would be constructive, not destructive.

It should make them think twice about using the Internet.  No one should
simply put applications on the Internet without thinking about it 3, 4 or
5 times.  It is a risk to themselves and to others.

Also, I offer my professional services to several organizations, and
offered them to CNN as well.  I have also spoken with WebMaster extensively.

As for being "constructive" rather than "destructive," I have not had anyone
else suggest that this prank was destructive.  Embarassing, perhaps, but at
least CNN found out before someone did something far more embarrassing and
potentially destructive.

> In short, your excuses and explanations about the matter are nothing short
> of pitiful, shameful and idiotic.

I will not lower myself to the level of making personal attacks.

> In addition, I can not even comprehend how you can try to justify your
> behaviour under the cover of “testing” security for the CNN systems. And the
> statement you made (“I hope that this harmless prank has served to let CNN
> know that this system is insecure and needs to be overhauled before someone
> does actual harm to them or one of their guests. This should also serve as a
> reminder to all other online outlets that security is not something to be
> overlooked, even on a system as seemingly trivial as an IRC chat server.”)
> would almost look like an “after the facts” justification to your acts. If
> there was any justification to your acts, I think you could have made your
> point as clearly without having used such disrespectful comments/questions
> as “Personally, I would like to see more porn on the Internet". This
> sentence clearly indicates that your intentions were to mock a serious
> event.

I never attempted to justify my behavior in such a way.  I never claimed to
be "testing security for CNN."  And I do hope that, while I was not attempting
to show CNN that there was a problem in their system, I hope they do lock their
system down more because of this.  If I had known ahead of time that they had
such a problem, I would have let the admins know through some other channel.

Yes, the comment I made was intended to be humorous.  Is humor a bad thing?
My humor was not very good (though it has certainly garnered a lot of praise),
but I honestly didn't have a lot of time to work on what to say.  I've already
stated that there are many things I would have rather said.  I could have
been far more offensive, making a personal comment about Clinton, his family,
his staff, or his acquaintances, as many would have done.  Instead, I chose
to blurt out a short bit of political satire, playing off the huge amount of
attention pornography on the Internet has gotten, as well as the President's
known sexual indiscretions.  It was certainly not intended as an impersonation,
and I can't see how anyone would have interpreted it as such.

> Finally, I find appalling that an individual as you can be the Chief
> Technologies Officer for a company. This simply is a mockery of the
> professionalism in the IT industry.

You're certainly entitled to your opinion.  However, I think that I have
handled the incident in a very professional way since it happened.  I
have consistently and deliberately redirected the line of questioning in
interviews away from this specific incident and towards the greater topic of
Internet security at large.  I think that I have provided as much positive
attention as I can during these interviews to the need for organizations
to insure that their systems do not place themselves and others at risk.