Openness critical for strong security: SATAN author

David Braue

10 February 2006 01:01 PM


Building secure software doesn't have to be complicated; it just takes a commitment to secure design, and an upfront willingness to work within the unique development environment that is open source.

That was the message from Wietse Venema, a Dutch programmer with IBM who visited Melbourne this week for SECURECon, a three-day technical conference highlighting a range of current security issues and remediation strategies for developers.

Venema, long a figurehead in the open source and Unix worlds, is best known for his creation of Postfix (initially known as Secure Mailer), a widely used e-mail server application that he wrote to improve upon the dominant but flawed SendMail application. Postfix, developed while Venema was on a six-month research stint at IBM, has since become the standard mailer in Mac OS X and numerous versions of Linux.

Even as it continues to evolve today -- the latest version of Postfix was released last month -- the program was significant in that it brought open-source software to the attention of IBM head Lou Gerstner, who in 1998 read a New York Times article on the software and pushed IBM into a formal open-source strategy. IBM is now one of the major contributors of code to the open-source movement.

Broad distribution and takeup of the software helped Postfix grow from a short-term project into an ongoing effort, and Venema was quick to credit the scores of open-source developers who have continually improved the system's design.

"It's not difficult to build a decent mail system, but it's very easy for people with poorly designed countermeasures to destroy it," he said. "Systems that are not built to be secure will always be like Swiss cheese -- full of holes. You can't make systems secure by just patching the holes."

Venema enjoyed mainstream notoriety in the late 1990s as United States media launched a fire-and-brimstone attack on the PhD-qualified physicist, who partnered with fellow security expert Dan Farmer to release SATAN (Security Administrator Tool for Analyzing Networks). SATAN was designed as a strong automated probe for weaknesses in any system it targeted, and histrionic observers believed Venema and Farmer's tool would destroy the information economy by giving hackers powerful tools to bring down major Web sites.

Releasing the system was important, Venema decided, because such security problems could only be fixed if they were known about. His own testing of SATAN found that many systems, even those directly connected to secure systems, had vulnerabilities that were open to exploitation. After inadvertently leaving an early version of SATAN running overnight during its development, Venema found the application had followed a "web of interdependencies" between insecure systems that had taken its probing halfway across the Netherlands.

"I found that even people who were very careful about their systems, like my colleagues, had either file sharing relationships or logging relationships with other systems that were wide open," he recalls. "Basically, nearly every system had a bad neighbour."

Ferreting out these bad neighbours would help everyone concerned, Venema reasoned -- and the eventual release of the open-source SATAN ultimately proved less controversial than expected. Network administrators "discovered all kinds of stuff they didn't know about," he recalls.

"They didn't know there were all these Web servers running on peoples' machines, or even on machines they didn't know about. At the time, people just didn't scan their systems like that. It used to be that people could get fired for running SATAN, but now they can get fired for not running it."
