End of all Open Source.

From: Feher Tamas (etomcat@freemail.hu)
Date: 03/04/03


From: "Feher Tamas" <etomcat@freemail.hu>
Date: Tue, 4 Mar 2003 17:40:29 +0100

Dear Sirs,

I am sure you have heard of the latest huge buffer overflow, root exploit
security hole in the open source SendMail MTA and its bugfix.

We know that this security issue was discovered on 27th Nov 2002 by ISS
Corp. (CVE MITRE ID# CAN-2002-1337)

However, the US Department of Homeland Security prohibited Sendmail Inc.,
the US-based developer of the affected MTA software from disclosing the
issue to public. The state authorities organized all major vendors, from Sun
to IBM to make patches and the issue + fixes were disclosed to public only
this Monday, that is, more than 3 months later.

I am hereby calling all honest people and especially the software developers
to:

- publicly condemn the incident, because it represents a blatant violation
of the US Constitution, especially the institution of free speech which is
introduced by the First Amendment. Source code, the essence of Open Source
has been repeatedly declared free speech by the supreme court. Any exploit
or bugfix for a particular software is source code itself, therefore
protected under Amendment One.
The US government's action represents an abuse of power, regardless of the
fact that the intention of the action was most likely positive, i.e.
protect the public from the danger. Year 1984 is still 1984, even if it's
Boxing Day, not Halloween.

- You shall state in public that you will not succumb to pressure by state or
participate in cover-ups, like the one described above.

- You shall immediately review the list of your source code suppliers (those,
whose code you reuse) to determine, whether those entities may be subject to
the same rules, which Sendmail Inc. followed, that is to keep mouth shut, if
Uncle Sam tells them so. If that is the case, your customers / users are
in danger when using your software and those suppliers must be
replaced with safe ones.

This is not a joke, we are talking about something very Orwellian. In fact I
am afraid this Sendmail incident put the . on an empty line at the end of
the history of Open Source development. Or maybe forming source code reading
clubs can save the day. Welcome to the world of Fahrenheit 451!

Faithfully: Tamas Feher.
