Press and Media Resources

Biography of Julian Field

"Julian Field has wide experience of e-mail systems and has been a postmaster for many years. He has considerable skills in designing and delivering reliable software solutions for mission-critical applications and has always had a strong interest in computer and network security. He has been fighting computer viruses for many years, and has spent the last 4 years creating, developing and supporting MailScanner, initially just for the benefit of the UK academic community. Along the way, he has also acquired considerable experience of the problems caused by bulk e-mail, and has recently featured in local, national and international media programmes and conferences on the subject."

Images

Each of the images shown here is just a thumbnail of the real image. Click on an image to download the full-sized version of the image.

These photos are the property of Julian Field. I hereby grant permission to reproduce these photographs unaltered (except for necessary and reasonable scaling and/or cropping) by print and online publications to accompany bona fide journalism and conference promotion connected to me. All other rights are reserved and the photographs may not be used for any other purpose and/or in any other way without written permission from me.

MailScanner Logo (small)
MailScanner Logo (large)
Julian Field

Summary of MailScanner's Purpose

E-mail viruses cost businesses millions of pounds every year. Spam accounts for around 60% of all e-mail traffic, wasting large quantities of network bandwidth and resources.

There are many commercial e-mail systems available at a high cost that claim to help stop spam, but they are rarely effective in real-world environments. They support only a very restricted set of virus scanners, usually one or two, forcing the use of particular products in what should be a separate purchasing decision.

MailScanner is a highly-respected open source e-mail security system, with more users than AOL and Hotmail combined. It is used at over 30,000 sites and processes over 500 million messages per day. It supports the use of any combination of 20 different commercial anti-virus engines for reliability and good coverage. Its anti-spam system incorporates SpamAssassin, which without doubt is the best anti-spam engine available at any price.

MailScanner's History

MailScanner has been in continuous development for nearly 4 years. In that time it has grown from a simple virus scanner implemented in 1200 lines to a complete email security and anti-spam system of over 30,000 lines, and has been re-designed and rebuilt from the ground up as necessary to ensure the architecture is suitable for the complexity of the system.

MailScanner has been deployed in over 60 countries around the world, and is used for scanning mail destined for all 7 continents (even Antarctica). It scans over 5 billion messages per week for numerous large government departments, corporations, non-profit organisations and educational institutions. It is currently used by some large ISPs and mobile telephone companies in the UK and Europe, along with the largest space agency. It is now downloaded over 20,000 times each month, with a total of over 1/4 million downloads.

MailScanner is an open-source package, though the development model is slightly different from that used by many other projects. The author keeps tight control over the state of the source code, and other people are not allowed direct access to the latest development code that is stored in the CVS source repository. The major reason for this is that email is a business-critical application and considerable damage could be caused (such as the loss of email messages) if a "trigger-happy" administrator installed untested code that was in the middle of a critical development stage. Tested and proven releases of the code are frequent, so that users can get access to the latest features as they are written, but untested code is never released to the public. This approach has definitely helped build MailScanner's reputation as a highly reliable system, something that is not necessarily possible if administrators are allowed to install untested code.

Questions and Answers

1. Why are businesses today interested in moving from proprietary to open source security tools? (Why are they now open to open source? What do they see as the advantages?)

This is happening partly because of the often low standards of proprietary software. Companies have all been through many phases when they have introduced new proprietary software packages. These transitions often do not go well, and end up going way over budget and over time. If the software is open source, it is often freely licensed, saving the company the licensing cost. Even if the introduction of the software goes over time, it at least is unlikely to go so far over budget.

There is usually little or no review of proprietary closed-source security tools. This means that the vendors can base a large part of their security on the assumption that no-one has access to their source code, so they can implement "security by obscurity". Furthermore, as peer source-code review cannot happen, bugs are not usually discovered for a long time, if ever. However, the "black hat" community will devote significant resources to breaking the security of the systems, giving them a major advantage. There are several companies, such as eEye Security, who have made a very healthy profit through attacking closed-source code.

On the other hand, open-source developers know that their source code will be examined carefully by potential attackers, and must therefore work much harder to protect against attacks. They cannot rely for one minute on "security by obscurity" as it simply doesn't exist in the open-source security world. Features must be carefully thought out, well designed and well implemented to avoid security holes. The system is designed and implemented on the assumption that the system will be attacked by people who have a full understanding of how all parts of the system work.

Building a new door-lock in a world where everyone is a locksmith or a burglar is much harder than building one in a world where people cannot see the innards of the lock. As a result, the door-lock produced in the former situation is much stronger than the latter.

2. What turns businesses away from or off to open source security?

Usually because of valid business concerns, such as: If a software package is only maintained by 1 person, what happens if they decide not to continue development any longer? The answer to this is that virtually all open-source applications are known and understood by a team of people from around the world, so the disappearance of 1 person has no long-lasting effect on the development.

Maintenance and support contracts are areas in which the open-source community have traditionally been somewhat lacking. However, the community knows this is a very valid concern, and so the business world has stepped in to fill the gap. Companies such as Fortress Systems Limited and LinuxIT were formed to provide commercial-grade support of open-source community software packages and systems. They are geared up to provide SLAs and liaise with the development team as necessary when resolution of a customer's problem is beyond their knowledge of the product. As the relationship between the developers and the companies progresses, the companies providing the support will learn how to resolve virtually all problems themselves. But they will still be able to contact the original developers directly, a position which is often difficult or impossible in closed-source systems.

Resellers of closed-source systems rarely have direct email access to the original developers of the product, instead having to go via several layers of support staff at the original vendor's company. They are therefore limited in what help they can get. In the open-source world, the support companies can always directly contact the development team, gaining support from the authors themselves. Customers are always very impressed by the speed and quality of support available from developers of open-source systems. This is not simply because the software is open-source, but is because of the development community model in which open-source products are normally developed.

3. What are the most common problems encountered in migrations from proprietary to open source security?

The most common problem is the actual installation of the open source software package. Proprietary packages, however poor their performance and functionality might be, usually spend a large amount of time and effort creating the installer using a closed-source installation package. The costs of the most common installation systems are beyond the funds available to the open-source community, and so installation is often slightly more awkward, relying more heavily on the knowledge and skills of the engineers installing the software.

Most open-source security systems do not run on Microsoft Windows, due in part to the huge learning curve required before a decent high-performance package can be written. Due to its nature as a tool box of interacting, but separate, components, it is usually far easier to write security applications for Unix or Linux based systems. Microsoft Windows is very much one integrated system, where you are restricted in your actions by what Microsoft chose to let you do in separate parts of the system. This isn't to say that these applications cannot be written for a Microsoft platform, it is that their design can be far more modular and insular in Unix-based systems, without the possibility of causing any awkward reactions in other unrelated parts of the system.

This results in problems for companies that only know how to run Microsoft Windows based systems, as suddenly they are going to need to be able to run a Unix or Linux system for a new application. This is not hard, but it is new to them. The system administrators may need to attend training courses in Unix, as well as training for the security application if necessary.

4. Who's spreading FUD against open source security? What are they saying?

Almost all the closed-source commercial security vendors spread FUD against open source. The most common thing they say is that their systems are better and that the TCO is lower for their systems. They have far larger marketing budgets than most of the open-source community, and are quite happy to portray very minor features as major new "technologies". The open-source community is usually more honest, and will only push features and techniques that make a real difference. That may make them appear to be more naive, from a closed-source commercial point of view. One classic example is Qualcomm's advertising of Eudora's new "Launch Protect" technology to protect users from opening dangerous attachments. It actually consists of one dialog box which is presented when the user clicks on an attachment. All this does is make the user click one extra button to view the attachment. It doesn't add any real protection at all, but Qualcomm pushed it as a major new feature.

The TCO concern is pushed on the basis that the closed-source vendors have these wonderful teams of technical support staff who will solve complex problems in an instant. Anyone who has dealt with most of these companies will be painfully aware of the real truth of this marketing. How many closed-source vendors will give you the email addresses of individual members of the development team?

5. Why are the FUDrakers wrong about open source security? What do current users know that prospective users should know?

They are very wrong when it comes to the quality and speed of support available. Current users know how good the support for open-source applications can be, compared to the paid-for support they are getting from closed-source vendors. If you want to see an example of this, take a look at the MailScanner "user testimonials guestbook" where users write their honest opinions of the value of the software itself as well as the quality and speed of support they get. The guest book is at http://www.sng.ecs.soton.ac.uk/mailscanner/book/guestbook.php

The guest book contents are completely unedited except for the removal of advertising spam.

6. What issues are holding up the development of secure open source software?

Very little. The main problem is being able to purchase commercial support contracts. Most organisations are happier knowing that there is always someone they can contact by phone or email, regardless of the time of day or the fact they are paying for this support. More companies like Fortress Systems Ltd and LinuxIT are needed to provide commercial support.

7. If you haven't delved into this before, how is the SCO suit and slander campaign impacting the adoption and development of open source security software? And...

It is actually having little effect. Anyone who has read the more recent press releases from the head of SCO will be starting to realise this guy "isn't all there". A few companies have foolishly agreed to pay SCO money for licences, but there is absolutely no public evidence that the Linux world did anything wrong against SCO, and that it wasn't SCO who did wrong against Linux. The entire lawsuit is starting to become a very expensive joke. Take a look at the history of the SCO share price over the last few months.

A good history of the saga is available at http://forms.theregister.co.uk/search/?q=SCO&x=0&y=0.

8. How have the Patriot Act and other post-911 concerns impacted the development of open source security software?

I think they have encouraged the development of open-source security software as the code is open for public examination. An employee of a closed-source company who may be against the USA can quietly introduce features and bugs into their software knowing that they could be exploited later by other people who they inform about the bugs. In the open-source world this cannot happen so easily as the code is reviewed far more carefully than in the closed-source world.

9. What are your evaluation tips for companies that are considering moving from proprietary to open source security?

First has to be this:

1) Talk to other people already using the software. It is usually very easy to get a long list of reference sites already using the software. You don't have to only go to the sites recommended as references by the closed-source vendors. Just ask on the mailing list and you will get an independent view from those actually using it.

2) Is there decent support available? Consider purchasing an SLA from a company providing this for the software you are evaluating, but also look at the mailing lists associated with the software. Are questions answered most of the time? How long does it take for most people to resolve a problem?

3) Run a pilot project. This is really essential for any new security system, be it closed-source or open-source, but it is an invaluable exercise to do. Run the software for one department or branch of your organisation, with a very fast "escape" procedure should any major problems arise.

3b) The pilot project should help you calculate the true implementation cost, including hardware costs and any user education that may be needed. These should also be kept in mind when considering any closed-source solution, of course, but they are often overlooked. Software that is "free as in speech" is usually not "free as in beer" for large sites; there are still ancillary costs involved.

4) Read all the documentation and learn your way around the software, getting to know it as thoroughly as you can. You will get far more respect on mailing lists and from the developers if you have actually read what is available first. People who provide unpaid support do not like spending their time answering questions to which there are answers already available.