Date: Fri, 22 Mar 2002 16:49:16 -0600
To: gjstrand@ci.battle-creek.mi.us
Subject: Settling with ORBZ.org
Message-ID: <20020322164915.B7213@forestfield.org>

I would have addressed Michelle Reen directly but her e-mail address was not listed on your web site.

I support Battle Creek's decision to not pursue charges against Ian Gulliver. What you faced with your recent e-mail outage was inevitable. You chose bad e-mail server software (Lotus Domino) and didn't maintain it as you should have. Furthermore, the analogy the city chose to use to explain what happened is a gross distortion that confuses physical harm with an entirely avoidable inconvenience. Since you recognize Gulliver has done you a service, I hope you'll do him one in return and help him get his anti-spam service back online. Your threat of criminal action was unwarranted and unwise. It is fair to ask you to help him put back what you helped take down.

In the press release, you state:

> The Detective had no reason not to believe he was pursuing a hacker when he issued a search warrant.

Any good system administrator would have been able to tell the detective the city of Battle Creek was running software known to be faulty. Lotus had tacitly admitted Domino was faulty by releasing a patch to correct the behavior. I hope you'll consider switching to free software (that's free as in freedom, not necessarily free as in price).

> [W]e hope, we have also sent a message to hackers that we will pursue online activity that we feel may be maliciously intended.

The city of Battle Creek overreacted by pursuing charges against Gulliver in this instance. A thorough investigation would have revealed Lotus' software was at fault. The e-mail that triggered the Lotus Domino bug could have come from anyone at any time; it was an unfortunate coincidence that this e-mail came from Gulliver's service.

It should be obvious to you that no e-mail server should ever react to any input by locking up.

In the future, please investigate these matters with competent sysadmins before bringing threats of legal action. Your haste in pursuing a legal "remedy" makes your organization look bad because a lawsuit will not fix the underlying problem—your poor administration and poor choice of server software. Your haste in bringing legal action helped bring down a valuable service.

Your aggression may have an unintended consequence: alerting "script kiddies" (novice crackers using scripted attacks on servers) that you run inadequate software.

Please don't take this the wrong way: I am not threatening you. I have no desire to bring inconvenience or harm to your city or your computer system. I am writing to encourage you to change your behavior by first investigating the problem then (and only if truly necessary) following through with legal action. It's clear in this case you did not investigate thoroughly first.

> We are going to be taking a close look at our policies regarding Lotus security updates and how we can avoid the issue in general.

You can avoid the issue by deleting your proprietary e-mail server software and running a free software e-mail server instead. Exim (http://www.exim.org/) and Postfix (http://www.postfix.org/) are two free software replacements. They are not open relays by default (you have to work rather hard to turn them into open relays). You get source code under a license that allows you to benefit from modifying and sharing the program. Even if you're not a programmer you can see the value in these freedoms if you think about how they scale up—free software is fixed and enhanced very quickly when there is a problem. With proprietary software, you're buying into a monopoly for support. If the proprietor doesn't fix your problem you're out of options.

You can obtain a complete free software operating system (such as Debian GNU/Linux, visit http://www.debian.org/ for details) at no charge. A complete Debian GNU/Linux system with Exim or Postfix is available at no charge.

Finally, I'd like to directly address the analogy you used in the press release:

> [J]ust because everyone should wear a computerized bulletproof vest doesn't mean that shooting people to find out who isn't wearing one is the best answer.

Bullets are fired with the intention to hurt or kill. E-mail is incapable of killing someone. Gulliver's intention was not to hurt anyone. What you suffered was an inconvenience. Your analogy exaggerates your problem by comparing it to firing a gun at someone. Your e-mail server problems were caused by your poor choices of server and administrator. As hard as it may be to hear it, those choices are nobody's fault but your own.

Sincerely,
J.B. Nicholson-Owens

Verbatim copying and distribution is permitted in any medium provided this notice is preserved.
Copyright © 2002 J.B. Nicholson-Owens jbn@forestfield.org