IP Addressing Problems: on my laptop

Mark S. Miller markm@erights.org
Wed, 13 Jan 1999 19:14:06 -0800


At 06:25 PM 1/13/99 , Jim McCoy wrote:
>I think that this is a somewhat generous claim on your part.  While it would
>be nice for E to get the same type of public review as PGP, it will not.
>There is just not 1/1000th of the user base which is interested in it.
>Additionally I would point out that sendmail has been open for public review
>for over a decade and there is at least one major security hole found every
>year...

[+] The sendmail point is indeed sobering.
Though PGP established its credibility when it had a vastly smaller user
base than it does now.  Also, I hope the E source will be far more
understandable than sendmail.

I also expect to offer escalating prizes for demonstrations of security
holes.  Should time go by with these visibly unclaimed...


>If you get a reserved port and create a proxy which works for various
>firewalls then you are going to be taken far more seriously than if you just
>say "trust us and here is the source" (to be completely honest most people
>in charge of firewalls have lots of better things to do with their time than
>check your code; it is easier to disallow unless there is a compelling need
>rather than allow until a bug is found.)

[+] We may as well explore the port option as well.
Ok, how does one go about getting a reserved port number?

[-] It's irrational.
While E isn't believed to be secure, administrators may sensibly ban it.
But how does a reserved-port & proxy help?  Until E's security is credible,
they should be *equally* adamant about not letting E traffic through an
officially sanctioned proxy as they are about not wanting to let it tunnel.
If they are satisfied it's safe to let it proxy, why would they worry
about having it tunnel?

[-] Companies are not of one mind.
As an actual employee of actual companies, I have downloaded many programs
from the net and run them inside these companies, and I have seen others
openly do likewise, without ever consulting an approved-software list.  As
long as the programs were from known credible sources, and the admins had
not specifically prohibited them, all was cool.  

If hackers in a company must get their sysadmin to install a proxy before
they can start playing with E, I believe vastly fewer companies will
discover why E is valuable enough to bother to install a proxy.

Placeware invented http tunnelling to work around firewalls, and I believe
their experience supports this strategy.  In particular, though Placeware
has no strong reputation for being secure, it also has none for being
dangerous, so afaik no one has banned it.


So let's also ask for that port number, but let's not wait till we've
gotten it.