{"id":3597,"date":"2015-05-19T07:18:49","date_gmt":"2015-05-19T14:18:49","guid":{"rendered":"https:\/\/xmission.com\/blog\/?p=3597"},"modified":"2015-05-19T07:18:49","modified_gmt":"2015-05-19T14:18:49","slug":"an-honest-discussion-about-data-privacy-open-source-and-communications-security","status":"publish","type":"post","link":"https:\/\/xmission.com\/blog\/2015\/05\/19\/an-honest-discussion-about-data-privacy-open-source-and-communications-security","title":{"rendered":"An honest discussion about data privacy, open source, and communications security."},"content":{"rendered":"

\"come-back-with-a-warrant\"Last week,\u00a0Zimbra<\/a>\u00a0published their latest Zcast podcast<\/a>\u00a0about open source and security. I was fortunate to participate in the podcast. In preparation, I surveyed key XMission staff and found their candid responses regarding\u00a0open source, data privacy, security, and the future of collaboration very intriguing.<\/p>\n

Today I’ll share their answers. You will learn valuable insights from Pete (XMission president and founder), Aaron (systems administrator and encryption advocate), J.D.\u00a0(email specialist), and John (that’s me, vice president of business development).<\/p>\n

 <\/p>\n

Data Privacy<\/strong><\/p>\n

* XMission has a privacy statement. What went into the creation of that, why did XMission do it and how would you rate yourself in terms of privacy (1-10, privacy advocate\u2026)?<\/strong><\/p>\n

Pete –<\/p>\n

10. \u00a0XMission protects our customer privacy<\/a> as if it were our own. \u00a0It\u00a0has been a very important aspect of doing business since our inception\u00a0in 1993. \u00a0We also actively speak<\/a>, lobby, and put money behind Internet\u00a0privacy efforts.<\/p><\/blockquote>\n

John –<\/p>\n

\n

XMission protects our customer privacy as if it were our own.\u00a0We believe that our data, and our customer’s data, is fundamentally protected from unreasonable searches and seizures and requires any warrant to be judicially sanctioned and supported by probable cause. (See Fourth Amendment<\/a>.)<\/p>\n

XMission does not provide email, web hosting, or data services to sell or deliver ads to you, your end users, or those you are communicating with. Your data is yours, we are merely shepherds.<\/p>\n

We created our privacy policy because it was the right thing to do. It is what Pete and XMission\u00a0have always done since the beginning. Privacy has been a fundamental part of our culture and it absolutely resonates with our customers.<\/p>\n

I’d say we are a “solid 10” on the advocacy scale.<\/p>\n<\/blockquote>\n

 <\/p>\n

* In the last few years, what had the most impact on data privacy?<\/strong><\/p>\n

Pete –<\/p>\n

In Utah a law was passed, in spite of our efforts, which allowed
\nlaw-enforcement to request information about an ISPs subscribers in\u00a0cases of child endangerment. \u00a0XMission saw this law as fundamentally\u00a0unconstitutional and turned back dozens of requests from Utah\u00a0law-enforcement because they were not reviewed by a court. \u00a0This law was\u00a0revised in 2014, due to our lobbying efforts, to require a proper warrant.<\/p>\n

The Snowden NSA revelations have also caused us to increase and improve\u00a0encryption efforts.<\/p><\/blockquote>\n

Aaron –<\/p>\n

Arguably, the largest impact on data privacy has been the NSA revelations by\u00a0whistleblower Edward Snowden. People didn’t pay much attention to data privacy\u00a0before June 2013<\/span><\/span><\/span>. While I wouldn’t say that everyone is concerned about their\u00a0data privacy now, it has certainly raised eyebrows, and more people are aware\u00a0of it, even though the numbers are probably far from where privacy advocates\u00a0would like them.<\/p>\n

Regardless, because of Edward Snowden, more sites are encrypting their web\u00a0pages by default, even if they don’t need to. There has been a stronger\u00a0attention paid to end-to-end encryption, with tools such as GPG, OTR, Tox, and\u00a0Bitmessage. More rootkit and malware detection apps now exist for mobile phones\u00a0than did previously. Companies have been updating boilerplate privacy policies,\u00a0and there is even legislation pushback to change many laws, including many\u00a0introduced by the Patriot Act.<\/p><\/blockquote>\n

J.D.\u00a0–<\/p>\n

The NSA leaks of 2013. There was lots of “worse-case-scenario” stuff that went from theoretical to practical thanks to the NSA.<\/p><\/blockquote>\n

John –<\/p>\n

The assumption of privacy dissipated with the Snowden revelations. I think it was a shock for many, especially the general consumer.\u00a0Fortunately a\u00a0greater\u00a0understanding and implementation of numerous\u00a0encryption<\/a> technologies is\u00a0benefitting data privacy for those that choose to use it.<\/p><\/blockquote>\n

 <\/p>\n

* Open source has at times been considered to be a tool of hackers. We believe the improvements that transparency brings to security and privacy are helping correct this myth. What would you say has had the most benefit on open source\u2019s reputation?<\/strong><\/p>\n

Pete –<\/p>\n

Usage. \u00a030 years ago, open-source was a cute concept that not many\u00a0bought into. \u00a0The expansion of the Internet and Linux has made\u00a0open-source a viable concept. \u00a0XMission depends on and contributes to\u00a0open-source.<\/p><\/blockquote>\n

Aaron –<\/p>\n

The Linux kernel<\/a> has undoubtedly been the largest driving force for getting\u00a0open source software into the mindsets of CEOs, when they have a technically\u00a0competent team that sort out issues on their own. It’s taken time, but CEOs,\u00a0CTOs, CFOs, CSOs, etc have seen the value in a team that take an open source\u00a0product, and tweak it to better fit their specific needs. IMO, the Linux kernel\u00a0has done more for this than any other project. This has allowed team members to\u00a0create all sorts of one-offs, such as monitoring door key cards, powering\u00a0monitoring servers, all sorts of embedded boards, like room temperatures,\u00a0cameras, lights, fire alarms, etc.<\/p>\n

I would say second to the Linux kernel would be WordPress<\/a>. WordPress powers\u00a0more sites than probably any other CMS. I don’t have any data to back this up\u00a0however, so take it with a grain of salt. However, I do know that the WordPress\u00a0community is very vibrant and very engaging. There are theme templates and\u00a0plugins for just about anything you want to do with it. Movable Type learned\u00a0the hard way, that closing up your source code, meant losing your user base.<\/p>\n

There are so many more examples, but I think that executives are seeing the\u00a0value that open source software brings to their team, allowing them to hack on\u00a0the code, and make the product work for them and their needs.<\/p><\/blockquote>\n

J.D.\u00a0–<\/p>\n

If you mean hackers in the sense of people who compromise software and servers, I’m not sure if that is really fair.<\/p>\n

There was an argument about security between the closed and open source camps. Closed source saw “security through obscurity”, combined with lots of money influencing the development process, as a security advantage. Open source saw having the eyes of the world as a security advantage–if anybody can pour through the code to find bugs, that means everybody can pour through the code to find *and fix* bugs. The flipside is that this requires active community involvement, which doesn’t necessarily end up resulting in active security development.<\/p>\n

In the end, open source has won this argument, though the closed source camps weren’t quite as off base as the open source community would like to believe, mainly on the last point. It’s been proven time and time again (just look at all the security snafus once Windows pc’s started having internet connections, compromising web sites, large services, etc. on all platforms) that bad actors don’t need access to code to find bugs. End users, however, need access to fix bugs, and large organizations with closed source software rely on often slower, hidden processes to fix and push security updates out to those end users. In the Linux world, major security issues (see recent major openssl security bugs) are often fixed, with updated packages live, within hours of their discovery.<\/p>\n

If nothing too major has been publicized, Microsoft waits until “patchtuesday<\/span><\/span><\/span>“.<\/p>\n

The one flaw is that there really does need to be active community involvement. OpenSSL<\/a> is the perfect example of this–it’s a travesty that the most common, most relied-upon SSL library on earth was in the state it was when a lot of it’s recent bugs started coming out last year. Usage does not imply development, and it’s possible for even large projects to go stale.<\/p>\n

Nevertheless, that doesn’t end up a point for close source, either: because it was open source, fixes were made once word got out. The project was forked by the OpenBSD<\/a> folks into LibreSSL<\/a>, a security audit of OpenSSL is forthcoming, and we’re generally in a better place than we were before the publicity. This is because we have the freedom to peruse and modify the code.<\/p>\n

If this was a project by a major company, not only would we be beholden to them to fix it at their leisure, but we would likely be completely unaware of the risks of running the software.<\/p><\/blockquote>\n

John –<\/p>\n

The reality is that open source is a tremendously flexible and viable tool. We see hobbyists and organizations alike create beautiful and efficient applications that service real needs. Online repositories such as GitHub<\/a> have increased the reputation of open source and foster\u00a0a thriving community of developers.<\/p>\n

XMission has supported customers with open source applications since the early days. Two of our most successful\u00a0applications based on open source and open standards are WordPress (for site content management) and Zimbra Collaboration<\/a> (a very powerful email and collaboration platform for businesses). We find that the bulk of our customers trust open source and commercial open source software for messaging, collaboration, and content management. It has been my experience\u00a0that customer\u00a0perceptions of proprietary software has been on a rapid\u00a0decline over the past decade.<\/p><\/blockquote>\n

 <\/p>\n

Does XMission participate actively in the open source community? <\/strong><\/p>\n

Pete –<\/p>\n

Yes. We have contributed patches to open-source and our admins\u00a0participate in many project communities and mailing lists.<\/p>\n

We financially support open-source projects.<\/p>\n

XMission has been an advocate for open-source since our inception. \u00a0This\u00a0has garnered us respect from the open-source community which results in\u00a0customers and high recommendations.<\/p><\/blockquote>\n

Aaron –<\/p>\n

Yes. XMission sponsors the yearly Utah open source conference OpenWest. We have\u00a0a Github account (although it’s a bit sparse at the moment). We have had\u00a0employees submit patches to upstream open source projects, and they have been\u00a0accepted into the main stable code base.<\/p><\/blockquote>\n

J.D.\u00a0–<\/p>\n

We aren’t largely a development shop, but we’ve contributed changes back. I’ve contributed some minor patches to SpamAssassin (added failover options to spamc), IMAPSYNC\u00a0(XOATH2 support) and Salt (a bugfix or two). We don’t keep track of this in any way, admins just do what they feel is prudent with what they’re working on.<\/p>\n

Aaron\u00a0has put d-note (his software behind https:\/\/secrets.xmission.com<\/a>) out there, and has made some pretty nice documentation on ZFS on his blog, https:\/\/pthree.org\/<\/a>.<\/p><\/blockquote>\n

John –<\/p>\n

Absolutely! We are strong open source\u00a0advocates.<\/p>\n

XMission staffers regularly contributes code to projects.<\/p>\n

XMission financially supports open source projects such as code camps, numerous events (such as Linux install fests), and conferences (such as OpenWest).<\/p>\n

Our team commonly speaks publicly in support of open source.<\/p><\/blockquote>\n

 <\/p>\n

* What innovation in communication and collaboration software are you looking forward to the most that can both improve your work or personal life and still maintain your right to privacy?<\/strong><\/p>\n

Pete –<\/p>\n

Ubiquitous person-to-person strong encryption. \u00a0Keyed email that would\u00a0eliminate unsolicited email.<\/p><\/blockquote>\n

Aaron –<\/p>\n

I’m not a standard use case. I don’t use email “collaboration suites”, such as\u00a0Zimbra, Exchange, Outlook, Evolution, etc. Mutt is my default MUA, and has been\u00a0since 2007, and I don’t see that changing anytime soon. As such, calendar\u00a0invites are worthless to me, unless I have a web interface to login to, so it\u00a0can be accepted or declined.<\/p>\n

As you know, I wrote d-note, a single-use encrypted pastebin. The end goal is\u00a0actually not to protect the end users, but to protect the system\u00a0administrators. If there is any need for Big Brother to say “we need the data\u00a0to this post in this email”, the administrators can say “sorry, it was\u00a0encrypted, we don’t have the key, and as such, don’t have the ability to give\u00a0you what you need”. However, I would like to write an API (complete with Zimlet\u00a0(in the works)), so from the Zimbra<\/a> web interface, a user could create a secret\u00a0note in the Zimbra web interface, retrieve the link, then use their contact\u00a0list to email the link to their recipient. I hope to have this done soon.<\/p>\n

Personally, I would like to see more use of GnuPG<\/a> for end-to-end encrypted\u00a0emails. Unfortunately, setting up GnuPG is not a trivial thing, and I\u00a0understand why most people are not using it. Even for myself, staying on top of\u00a0keeping my key up-to-date, going to key signing events, etc. is a ton of work.\u00a0I don’t mind it, but I suspect most will.<\/p>\n

I would really like to see Bitmessage<\/a> take off. It’s a decentralized end-to-end\u00a0encrypted messaging solution that behaves very much like email. Unfortunately,\u00a0the main client is written in Python instead of C, which brings some\u00a0performance problems. Further, it has some security problems that have been\u00a0identified by the community, and it hasn’t even had a code audit yet. But, end\u00a0users don’t need to worry about managing keys, or any of that. Install the\u00a0client, then go.<\/p>\n

CryptoCat<\/a> can be setup internally for users to have an end-to-end encrypted\u00a0conversation, without any key management or overhead for users, similarly to\u00a0Bitmessage. However, CryptoCot behaves more like an instant chat, rather than\u00a0an email client. But, like Bitmessage, it Just Works ™.<\/p>\n

I’m a big fan of IRC (Internet Relay Chat), and IRC supports client-to-server TLS<\/a> connections.\u00a0However, there is no native client-to-client encrypted communication that is\u00a0supported in the protocol. As such, users must install client-side scripts,\u00a0such as FiSH or OTR to get end-to-end encrypted chat. This is a little bit more\u00a0work, but can work really well when setup.<\/p>\n

Finally, I like the idea of Tox<\/a>. Like Bitmessage, it is also a decentralized\u00a0messaging platform. It’s designed to be a Skype replacement, and from my\u00a0limited testing, it works very well. It can be good for internal video\u00a0conferencing, but like Bitmessage, it hasn’t seen a code audit yet.<\/p><\/blockquote>\n

J.D.\u00a0–<\/p>\n

This is a pie-in-the-sky that I’m not sure I’ll ever live to see, but I’d like to either see something replace SMTP for mail exchange, or see some of the add-ons (SPF\/DKIM\/DMARC<\/a>-type stuff and SSL<\/a>) become mandatory. While I think it might not be possible to completely bake enough security and authentication to fully ensure privacy and prevent spam into the email systems, without compromising the fully democratic and open nature of the system, it wouldn’t be hard to take steps to stop it from being blatantly insecure by design.<\/p>\n

As it is, a huge amount of mail is completely unencrypted and is completely forge-able.<\/p><\/blockquote>\n

John –<\/p>\n

I look forward to a day when spam\u00a0doesn’t exist because everyone I email has a level of authentication I can trust (SSL\/DMARC\/etc.). I look forward to a\u00a0day when encryption services are easy enough for everyone to use, including my mom. A day when I can easily and securely share even the most sensitive of files. Our customers look forward to this day as well.<\/p><\/blockquote>\n

There is more to share on this discussion which we will pick up in future blog posts.<\/p>\n

I would further encourage you to listen to the podcast at your convenience:\u00a0https:\/\/podcast.zimbra.com\/2015\/05\/why-open-source-isnt-just-about-software\/<\/p>\n

This\u00a0recent Ponemon survey<\/a>\u00a0shows that more than 70% of U.S. IT professionals prefer open source to proprietary software for continuity and control. As you consider changing your proprietary mail platform<\/a> I would encourage you to consider Zimbra Collaboration services with XMission. We have a proven history as an excellent provider of Zimbra hosting<\/a> and license sales<\/a>.<\/p>\n

Thank you for reading and please comment below.<\/p>\n

John Webster<\/a>, VP of Business Development and Zimbra Product Manager, has worked at XMission<\/a> for over 19 years doing his favorite thing: helping companies communicate with\u00a0customers\u00a0through\u00a0technology to grow their\u00a0business. When he\u2019s not uncovering\u00a0Zimbra\u2019s secrets<\/a>\u00a0you might find him in our beautiful Utah mountains. \u00a0Connect with him on LinkedIn today!<\/a><\/em><\/p>\n

Follow, like, circle, and connect with\u00a0us on the social links below.<\/p>\n","protected":false},"excerpt":{"rendered":"

Last week,\u00a0Zimbra\u00a0published their latest Zcast podcast\u00a0about open source and security. I was fortunate to participate in the podcast. In preparation, I surveyed key XMission staff and found their candid responses regarding\u00a0open source, data privacy, security, and the future of collaboration very intriguing. Today I’ll share their answers. You will learn valuable insights from Pete (XMission […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[179,138,188,396,310,3,130,39],"tags":[],"class_list":["post-3597","post","type-post","status-publish","format-standard","hentry","category-cloud","category-law","category-legal","category-mail-server","category-open-source","category-security-safety","category-tech","category-zimbra"],"_links":{"self":[{"href":"https:\/\/xmission.com\/blog\/wp-json\/wp\/v2\/posts\/3597","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/xmission.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xmission.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xmission.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/xmission.com\/blog\/wp-json\/wp\/v2\/comments?post=3597"}],"version-history":[{"count":61,"href":"https:\/\/xmission.com\/blog\/wp-json\/wp\/v2\/posts\/3597\/revisions"}],"predecessor-version":[{"id":3759,"href":"https:\/\/xmission.com\/blog\/wp-json\/wp\/v2\/posts\/3597\/revisions\/3759"}],"wp:attachment":[{"href":"https:\/\/xmission.com\/blog\/wp-json\/wp\/v2\/media?parent=3597"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xmission.com\/blog\/wp-json\/wp\/v2\/categories?post=3597"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xmission.com\/blog\/wp-json\/wp\/v2\/tags?post=3597"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}