An honest discussion about data privacy, open source, and communications security.

19 May, 2015 John W. Cloud, law, legal, Mail Server, open source, Security & Safety, Tech, Zimbra

Last week, Zimbra published their latest Zcast podcast about open source and security. I was fortunate to participate in the podcast. In preparation, I surveyed key XMission staff and found their candid responses regarding open source, data privacy, security, and the future of collaboration very intriguing.

Today I’ll share their answers. You will learn valuable insights from Pete (XMission president and founder), Aaron (systems administrator and encryption advocate), J.D. (email specialist), and John (that’s me, vice president of business development).

Data Privacy

* XMission has a privacy statement. What went into the creation of that, why did XMission do it and how would you rate yourself in terms of privacy (1-10, privacy advocate…)?

Pete –

10.  XMission protects our customer privacy as if it were our own.  It has been a very important aspect of doing business since our inception in 1993.  We also actively speak, lobby, and put money behind Internet privacy efforts.

John –

XMission protects our customer privacy as if it were our own. We believe that our data, and our customer’s data, is fundamentally protected from unreasonable searches and seizures and requires any warrant to be judicially sanctioned and supported by probable cause. (See Fourth Amendment.)

XMission does not provide email, web hosting, or data services to sell or deliver ads to you, your end users, or those you are communicating with. Your data is yours, we are merely shepherds.

We created our privacy policy because it was the right thing to do. It is what Pete and XMission have always done since the beginning. Privacy has been a fundamental part of our culture and it absolutely resonates with our customers.

I’d say we are a “solid 10” on the advocacy scale.

* In the last few years, what had the most impact on data privacy?

Pete –

In Utah a law was passed, in spite of our efforts, which allowed
law-enforcement to request information about an ISPs subscribers in cases of child endangerment.  XMission saw this law as fundamentally unconstitutional and turned back dozens of requests from Utah law-enforcement because they were not reviewed by a court.  This law was revised in 2014, due to our lobbying efforts, to require a proper warrant.

The Snowden NSA revelations have also caused us to increase and improve encryption efforts.

Aaron –

Arguably, the largest impact on data privacy has been the NSA revelations by whistleblower Edward Snowden. People didn’t pay much attention to data privacy before June 2013. While I wouldn’t say that everyone is concerned about their data privacy now, it has certainly raised eyebrows, and more people are aware of it, even though the numbers are probably far from where privacy advocates would like them.

Regardless, because of Edward Snowden, more sites are encrypting their web pages by default, even if they don’t need to. There has been a stronger attention paid to end-to-end encryption, with tools such as GPG, OTR, Tox, and Bitmessage. More rootkit and malware detection apps now exist for mobile phones than did previously. Companies have been updating boilerplate privacy policies, and there is even legislation pushback to change many laws, including many introduced by the Patriot Act.

J.D. –

The NSA leaks of 2013. There was lots of “worse-case-scenario” stuff that went from theoretical to practical thanks to the NSA.

John –

The assumption of privacy dissipated with the Snowden revelations. I think it was a shock for many, especially the general consumer. Fortunately a greater understanding and implementation of numerous encryption technologies is benefitting data privacy for those that choose to use it.

* Open source has at times been considered to be a tool of hackers. We believe the improvements that transparency brings to security and privacy are helping correct this myth. What would you say has had the most benefit on open source’s reputation?

Pete –

Usage.  30 years ago, open-source was a cute concept that not many bought into.  The expansion of the Internet and Linux has made open-source a viable concept.  XMission depends on and contributes to open-source.

Aaron –

The Linux kernel has undoubtedly been the largest driving force for getting open source software into the mindsets of CEOs, when they have a technically competent team that sort out issues on their own. It’s taken time, but CEOs, CTOs, CFOs, CSOs, etc have seen the value in a team that take an open source product, and tweak it to better fit their specific needs. IMO, the Linux kernel has done more for this than any other project. This has allowed team members to create all sorts of one-offs, such as monitoring door key cards, powering monitoring servers, all sorts of embedded boards, like room temperatures, cameras, lights, fire alarms, etc.

I would say second to the Linux kernel would be WordPress. WordPress powers more sites than probably any other CMS. I don’t have any data to back this up however, so take it with a grain of salt. However, I do know that the WordPress community is very vibrant and very engaging. There are theme templates and plugins for just about anything you want to do with it. Movable Type learned the hard way, that closing up your source code, meant losing your user base.

There are so many more examples, but I think that executives are seeing the value that open source software brings to their team, allowing them to hack on the code, and make the product work for them and their needs.

J.D. –

If you mean hackers in the sense of people who compromise software and servers, I’m not sure if that is really fair.

There was an argument about security between the closed and open source camps. Closed source saw “security through obscurity”, combined with lots of money influencing the development process, as a security advantage. Open source saw having the eyes of the world as a security advantage–if anybody can pour through the code to find bugs, that means everybody can pour through the code to find *and fix* bugs. The flipside is that this requires active community involvement, which doesn’t necessarily end up resulting in active security development.

In the end, open source has won this argument, though the closed source camps weren’t quite as off base as the open source community would like to believe, mainly on the last point. It’s been proven time and time again (just look at all the security snafus once Windows pc’s started having internet connections, compromising web sites, large services, etc. on all platforms) that bad actors don’t need access to code to find bugs. End users, however, need access to fix bugs, and large organizations with closed source software rely on often slower, hidden processes to fix and push security updates out to those end users. In the Linux world, major security issues (see recent major openssl security bugs) are often fixed, with updated packages live, within hours of their discovery.

If nothing too major has been publicized, Microsoft waits until “patchtuesday“.

The one flaw is that there really does need to be active community involvement. OpenSSL is the perfect example of this–it’s a travesty that the most common, most relied-upon SSL library on earth was in the state it was when a lot of it’s recent bugs started coming out last year. Usage does not imply development, and it’s possible for even large projects to go stale.

Nevertheless, that doesn’t end up a point for close source, either: because it was open source, fixes were made once word got out. The project was forked by the OpenBSD folks into LibreSSL, a security audit of OpenSSL is forthcoming, and we’re generally in a better place than we were before the publicity. This is because we have the freedom to peruse and modify the code.

If this was a project by a major company, not only would we be beholden to them to fix it at their leisure, but we would likely be completely unaware of the risks of running the software.

John –

The reality is that open source is a tremendously flexible and viable tool. We see hobbyists and organizations alike create beautiful and efficient applications that service real needs. Online repositories such as GitHub have increased the reputation of open source and foster a thriving community of developers.

XMission has supported customers with open source applications since the early days. Two of our most successful applications based on open source and open standards are WordPress (for site content management) and Zimbra Collaboration (a very powerful email and collaboration platform for businesses). We find that the bulk of our customers trust open source and commercial open source software for messaging, collaboration, and content management. It has been my experience that customer perceptions of proprietary software has been on a rapid decline over the past decade.

Does XMission participate actively in the open source community?

Pete –

Yes. We have contributed patches to open-source and our admins participate in many project communities and mailing lists.

We financially support open-source projects.

XMission has been an advocate for open-source since our inception.  This has garnered us respect from the open-source community which results in customers and high recommendations.

Aaron –

Yes. XMission sponsors the yearly Utah open source conference OpenWest. We have a Github account (although it’s a bit sparse at the moment). We have had employees submit patches to upstream open source projects, and they have been accepted into the main stable code base.

J.D. –

We aren’t largely a development shop, but we’ve contributed changes back. I’ve contributed some minor patches to SpamAssassin (added failover options to spamc), IMAPSYNC (XOATH2 support) and Salt (a bugfix or two). We don’t keep track of this in any way, admins just do what they feel is prudent with what they’re working on.

Aaron has put d-note (his software behind https://secrets.xmission.com) out there, and has made some pretty nice documentation on ZFS on his blog, https://pthree.org/.

John –

Absolutely! We are strong open source advocates.

XMission staffers regularly contributes code to projects.

XMission financially supports open source projects such as code camps, numerous events (such as Linux install fests), and conferences (such as OpenWest).

Our team commonly speaks publicly in support of open source.

* What innovation in communication and collaboration software are you looking forward to the most that can both improve your work or personal life and still maintain your right to privacy?

Pete –

Ubiquitous person-to-person strong encryption.  Keyed email that would eliminate unsolicited email.

Aaron –

I’m not a standard use case. I don’t use email “collaboration suites”, such as Zimbra, Exchange, Outlook, Evolution, etc. Mutt is my default MUA, and has been since 2007, and I don’t see that changing anytime soon. As such, calendar invites are worthless to me, unless I have a web interface to login to, so it can be accepted or declined.

As you know, I wrote d-note, a single-use encrypted pastebin. The end goal is actually not to protect the end users, but to protect the system administrators. If there is any need for Big Brother to say “we need the data to this post in this email”, the administrators can say “sorry, it was encrypted, we don’t have the key, and as such, don’t have the ability to give you what you need”. However, I would like to write an API (complete with Zimlet (in the works)), so from the Zimbra web interface, a user could create a secret note in the Zimbra web interface, retrieve the link, then use their contact list to email the link to their recipient. I hope to have this done soon.

Personally, I would like to see more use of GnuPG for end-to-end encrypted emails. Unfortunately, setting up GnuPG is not a trivial thing, and I understand why most people are not using it. Even for myself, staying on top of keeping my key up-to-date, going to key signing events, etc. is a ton of work. I don’t mind it, but I suspect most will.

I would really like to see Bitmessage take off. It’s a decentralized end-to-end encrypted messaging solution that behaves very much like email. Unfortunately, the main client is written in Python instead of C, which brings some performance problems. Further, it has some security problems that have been identified by the community, and it hasn’t even had a code audit yet. But, end users don’t need to worry about managing keys, or any of that. Install the client, then go.

CryptoCat can be setup internally for users to have an end-to-end encrypted conversation, without any key management or overhead for users, similarly to Bitmessage. However, CryptoCot behaves more like an instant chat, rather than an email client. But, like Bitmessage, it Just Works ™.

I’m a big fan of IRC (Internet Relay Chat), and IRC supports client-to-server TLS connections. However, there is no native client-to-client encrypted communication that is supported in the protocol. As such, users must install client-side scripts, such as FiSH or OTR to get end-to-end encrypted chat. This is a little bit more work, but can work really well when setup.

Finally, I like the idea of Tox. Like Bitmessage, it is also a decentralized messaging platform. It’s designed to be a Skype replacement, and from my limited testing, it works very well. It can be good for internal video conferencing, but like Bitmessage, it hasn’t seen a code audit yet.

J.D. –

This is a pie-in-the-sky that I’m not sure I’ll ever live to see, but I’d like to either see something replace SMTP for mail exchange, or see some of the add-ons (SPF/DKIM/DMARC-type stuff and SSL) become mandatory. While I think it might not be possible to completely bake enough security and authentication to fully ensure privacy and prevent spam into the email systems, without compromising the fully democratic and open nature of the system, it wouldn’t be hard to take steps to stop it from being blatantly insecure by design.

As it is, a huge amount of mail is completely unencrypted and is completely forge-able.

John –

I look forward to a day when spam doesn’t exist because everyone I email has a level of authentication I can trust (SSL/DMARC/etc.). I look forward to a day when encryption services are easy enough for everyone to use, including my mom. A day when I can easily and securely share even the most sensitive of files. Our customers look forward to this day as well.

There is more to share on this discussion which we will pick up in future blog posts.

I would further encourage you to listen to the podcast at your convenience: https://podcast.zimbra.com/2015/05/why-open-source-isnt-just-about-software/

This recent Ponemon survey shows that more than 70% of U.S. IT professionals prefer open source to proprietary software for continuity and control. As you consider changing your proprietary mail platform I would encourage you to consider Zimbra Collaboration services with XMission. We have a proven history as an excellent provider of Zimbra hosting and license sales.

Thank you for reading and please comment below.

John Webster, VP of Business Development and Zimbra Product Manager, has worked at XMission for over 19 years doing his favorite thing: helping companies communicate with customers through technology to grow their business. When he’s not uncovering Zimbra’s secrets you might find him in our beautiful Utah mountains.  Connect with him on LinkedIn today!

Follow, like, circle, and connect with us on the social links below.

Is Colocation Right for Your Enterprise? Upgrade to Zimbra licensing and save 25%! – EXPIRED