Subject: Re: Microsoft: Closed source is more secure
From: "Stephen J. Turnbull" <turnbull@sk.tsukuba.ac.jp>
Date: Fri, 4 May 2001 13:08:05 +0900

>>>>> "Lynn" == Lynn Winebarger <owinebar@free-expression.org> writes:

    >> > (e) odd license and infrequent updates to official source

    Lynn> Qmail lacks features that are necessary for running an
    Lynn> effective and secure mail exchange/relay operation "out of
    Lynn> the box".

So hire Russ Nelson.  Or any of the dozen or score of companies on the
www.qmail.org page.

Russ is a good dude; if you can't afford him, but have a good cause,
he might throw in some pro bono consulting.  (That's based on his
"good dude"-ness, I don't know what his personal policy on pro bono
is.  He may have already "given at the office".)

An alternative way of looking at (e) would be that DJB has an odd way
of saying "'running an effective and secure mail exchange/relay
operation' is a job for professionals, and cannot be done 'out of the
box', _any_ box.  Kids, don't try this at home."

    Lynn> By secure, I particularly mean supporting authorization and
    Lynn> starttls.

Merely supporting A & S is "secure"?  You have to know how to use
them!  That's non-trivial.  Among other things, it involves user
education and transitive trust, long known to be the weakest single
links in security.  "Don't try this at home."

Yes, I know what you "really meant".  But I think your argument as
stated depends on what you wrote, not on what you meant.

    Lynn> I should be familiar with every line of source code for
    Lynn> every package I run on the systems I maintain.  I should put
    Lynn> security absolutely above features.

Straw man.  If you really are interested in maintaining a secure
effective mail operation, investing the time or money to become or
hire a professional is the ante.  Otherwise I, for one, simply do not
believe you are serious.

"They" _are_ out to get us.  I've been "got", so have many of my
friends, including people running what they thought were "secure"
operations.  I have not made the investment to become a pro, nor do I
plan to immediately, because only I am at risk.  But I know what my
responsibility is if I extend my operations to serve people who don't
even have the minimal knowledge I do.

That doesn't mean I expect you to know how to deal with the legion of
holes opened up on systems that have Emacs or a C compiler available
-- you deal with those by not having them on the mail host.  Security
above features, absolutely.  :^)

    Lynn> Maybe I'm just not diligent enough, but I doubt it.  Or
    Lynn> maybe I'm an odd sysadmin.  Hard for me to tell.

I don't think you're odd, or lack diligence, at all.  I think you're
mixing "free speech" with "free beer" once again, as many (including
experienced sysadmins) do.  But in a very subtle way.  No question,
DJB's license does not qualify as a free software license.

Your real complaint, however, seems to be that you can't get qmail
levels of security plus the features you want cheaply by piggybacking
on DJB's code, as we get extremely high quality, plus features,
through other (free) software.

_But that has nothing to do with the license._  You couldn't get that
anyway, even if it were a free license.  Security does not work that
way; mix and match inherently implies much lower levels of reliability
in the security domain than it does in others.  The "other side" is
actively seeking exploits, so unity of design and implementation is
much more important.

Yes, it would be cheaper if the software were free.  But nowhere near
as cheap as you suggest, because you have to include the cost of all
the "rm -rf /" exploits that happen to people who trusted "secure"
derivatives before hackers other than DJB get it as right as he has on
his limited domain.  The (high) probability of those is inherent in
free software.

The above expresses no opinion about whether DJB is playing political
games or what their motivation might be.

*****

That said, I agree that the restrictions are political; I think the
motivation is basically as stated -- he does not want to open himself
up to _any_ security-related criticisms.  Call it egotism if you like;
it's his software (assuming you don't go down rms's `no such thing as
IP' road) and he is welcome to put what restrictions on it he likes.

But there is also the argument that DJB has created what is, as far as
possible, a provably secure mail system, on a limited security domain.
He's backed it up with his bet.  That's a non-negligible contribution
to a more capable system.  (Eg, somebody could invent a secure
protocol for doing auth and starttls then handing them off to qmail,
then implement it.)

I see no reason why he should degrade his trade name (not to mention
one crucial to Russ Nelson's business) by opening it up to "addition
of features required" for _some_ applications.  Others (Russ!) may
prefer the minimal "maximum security" implementation.

-- 
University of Tsukuba                Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
Institute of Policy and Planning Sciences       Tel/fax: +81 (298) 53-5091
_________________  _________________  _________________  _________________
What are those straight lines for?  "XEmacs rules."
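The thread's point that merely "supporting" AUTH and STARTTLS is not the same as using them securely is easiest to see on the server side. The following is an added example, written for this page; it is not qmail's code nor any of the qmail add-ons or consultants the message mentions. It models an SMTP relay's policy state machine for EHLO / STARTTLS / AUTH PLAIN / MAIL / RCPT: AUTH is advertised and accepted only inside TLS, and relaying to foreign domains is allowed only after authentication. The hostname, the local-domain set and the credential table are constructed for the illustration; the TLS handshake itself is only recorded as a state change. The `require_tls_for_auth=False` flag shows the weak configuration (credentials accepted on a cleartext connection) beside the corrected one.

```python
"""SMTP relay policy state machine (added example, not qmail code)."""
import base64
import hmac

LOCAL_DOMAINS = {"example.org"}                       # constructed for this example
USERS = {"alice": b"correct horse battery staple"}   # constructed; real servers store hashes


def plain_response(user, password):
    """Encode an AUTH PLAIN initial response (RFC 4616): base64("\\0user\\0pass")."""
    return base64.b64encode(b"\0" + user.encode() + b"\0" + password).decode()


def _decode_plain(b64):
    """Parse an AUTH PLAIN response; None if it is not well formed."""
    try:
        _authzid, user, password = base64.b64decode(b64, validate=True).split(b"\0", 2)
    except ValueError:            # bad base64 (binascii.Error) or missing NUL separators
        return None
    return user.decode("utf-8", "replace"), password


def check_password(user, password):
    """Constant-time compare; unknown users are compared against a dummy so
    timing does not reveal which usernames exist."""
    stored = USERS.get(user, b"\0" * 32)
    return hmac.compare_digest(stored, password) and user in USERS


class RelaySession:
    """Policy: AUTH only inside TLS (unless the weak flag is set), and relay
    to foreign domains only when the client has authenticated."""

    def __init__(self, require_tls_for_auth=True):
        self.require_tls_for_auth = require_tls_for_auth
        self.tls = False
        self.greeted = False
        self.authed_as = None

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            self.greeted = True
            caps = ["250-relay.example.org"]
            if not self.tls:
                caps.append("250-STARTTLS")
            if self.tls or not self.require_tls_for_auth:   # weak setting: AUTH on cleartext
                caps.append("250-AUTH PLAIN")
            caps.append("250 8BITMIME")
            return "\r\n".join(caps)
        if not self.greeted:
            return "503 5.5.1 Send EHLO first"
        if verb == "STARTTLS":
            if self.tls:
                return "454 4.7.0 TLS already active"
            self.tls = True        # a real server wraps the socket here
            self.greeted = False   # RFC 3207: the client must EHLO again after the handshake
            return "220 2.0.0 Ready to start TLS"
        if verb == "AUTH":
            mech, _, resp = arg.partition(" ")
            if self.require_tls_for_auth and not self.tls:
                return "530 5.7.0 Must issue a STARTTLS command first"
            if mech.upper() != "PLAIN" or not resp:
                return "504 5.5.4 Unrecognized authentication type"
            creds = _decode_plain(resp)
            if creds and check_password(*creds):
                self.authed_as = creds[0]
                return "235 2.7.0 Authentication successful"
            return "535 5.7.8 Authentication credentials invalid"
        if verb == "MAIL":
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            addr = arg.partition(":")[2].strip().strip("<>")
            domain = addr.rpartition("@")[2].lower()
            if domain in LOCAL_DOMAINS or self.authed_as:
                return "250 2.1.5 Ok"
            return "554 5.7.1 Relay access denied"   # refuse to be an open relay
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Command not implemented"


def run(lines, require_tls_for_auth=True):
    """Feed scripted client commands through one session; return the replies."""
    session = RelaySession(require_tls_for_auth)
    return [session.handle(line) for line in lines]


if __name__ == "__main__":
    good = plain_response("alice", USERS["alice"])
    script = ["EHLO client", "AUTH PLAIN " + good, "STARTTLS", "EHLO client",
              "AUTH PLAIN " + good, "MAIL FROM:<alice@example.org>",
              "RCPT TO:<carol@other.example>", "QUIT"]
    for cmd, reply in zip(script, run(script)):
        print(f"C: {cmd}\nS: {reply}")
```

The two checks a practitioner would want to see are both in the scripted run: the same valid credential is refused with 530 on the cleartext connection and accepted with 235 after STARTTLS, and the foreign-domain RCPT that would have been rejected with 554 is accepted only once the session is authenticated.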