Secure VPN Gateway a new solution to InterNet Security

On 2006-06-06, David Gempton <> wrote:
[...]
> My reason for posting to these three news groups is that they all
> focus on Computer security issues. I hoped that members of these
> groups would also be focused on security, rather than GPL trivia.

Copyright infringement and (lack of) license compliance in a product
that you are selling is "trivia"?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Darren Tucker

Darren Tucker wrote:
> On 2006-06-06, David Gempton <> wrote:
> [...]
>> My reason for posting to these three news groups is that they all
>> focus on Computer security issues. I hoped that members of these
>> groups would also be focused on security, rather than GPL trivia.
>
> Copyright infringement and (lack of) license compliance in a product
> that you are selling is "trivia"?

Don't forget the lack of usable documentation, installation instructions,
and source code.

Nico Kadel-Garcia

Nico Kadel-Garcia wrote:
> Darren Tucker wrote:
>
>>On 2006-06-06, David Gempton <> wrote:
>>[...]
>>
>>>My reason for posting to these three news groups is that they all
>>>focus on Computer security issues. I hoped that members of these
>>>groups would also be focused on security, rather than GPL trivia.
>>
>>Copyright infringement and (lack of) license compliance in a product
>>that you are selling is "trivia"?
>
>
> Don't forget the lack of usable documentation, installation instructions,
> and source code.
>
>
Nico,

I must thank you for your firm encouragement to get the licensing issues sorted out. I
believe that I'm now well on the way to having it properly GPL licensed.

I say "on the way" because at this stage nobody has reviewed my efforts to make everything
comply with GPL Version 2.

One of my concerns was around the distribution of SmoothWall Express 2.0 as a Vmware
virtual machine. So far the SmoothWall community have said that this is not in breach of
their Free Software License.

The documentation is going to be an ongoing project. I am now starting to receive e-mails
from some people that are using the software and this has highlighted areas where I have
not documented things well enough.

As always you can download the Secure VPN Gateway from http://www.ttc4it.co.nz/vpn/index.html

Many thanks
David Gempton.

David Gempton

David Gempton wrote:
> Nico Kadel-Garcia wrote:
>> Darren Tucker wrote:
>>
>>> On 2006-06-06, David Gempton <> wrote:
>>> [...]
>>>
>>>> My reason for posting to these three news groups is that they all
>>>> focus on Computer security issues. I hoped that members of these
>>>> groups would also be focused on security, rather than GPL trivia.
>>>
>>> Copyright infringement and (lack of) license compliance in a product
>>> that you are selling is "trivia"?
>>
>>
>> Don't forget the lack of usable documentation, installation
>> instructions, and source code.
>>
>>
> Nico,
>
> I must thank you for your firm encouragement to get the licensing
> issues sorted out. I believe that I'm now well on the way to having
> it properly GPL licensed.

Firm encouragement? I thought I was chastising you. But getting the GPL
straightened out is a big deal.

> I say "on the way" because at this stage nobody has reviewed my
> efforts to make everything comply with GPL Version 2.

That's because you haven't published source code, unless you've stuffed it
all inside that VMware module, and no one sane is going to install that
without some better breakdown of what it does and what's in it. VMware
installations can trash your system but hard! As such, they

> One of my concerns was around the distribution of SmoothWall Express
> 2.0 as a Vmware virtual machine. So far the SmoothWall community have
> said that this
> is not in breach of their Free Software License.

But didn't you modify it? Where is your source code if you did? And where is
the acknowledgement in your documentation of the source for the software, if
you didn't modify it? And who exactly are you referring to as "the
SmoothWall community"? It had better include some of the actual authors, or
their lawyers, not just some mailing list members!

This newsgroup from which I'm writing, comp.security.ssh, is unusual in that
it has actual authors of OpenSSH and other utuilities on it. But you
shouldn't take a random post from, say, *ME* as any kind of software
copyright permission, and I hope you're being more careful with those legal
issues than you were in your public claim of "Absolutely Secure" software.
Seriously!

> The documentation is going to be an ongoing project. I am now
> starting to receive e-mails from some people that are using the
> software and this has highlighted areas where I have not documented things
> well enough.

They shouldn't have to be writing this stuff! A simple white paper on how it
works, and most especially the source code, would allow people to give some
of that feedback you crave. But asking the OpenSSH community especially to
review and report on the feasibility of man-in-the-middle attacks without
even a white paper to work from is.... nuts.

> As always you can download the Secure VPN Gateway from
> http://www.ttc4it.co.nz/vpn/index.html
> Many thanks
> David Gempton.

And the documentation is still pitiful, although it's beginning to improve.
Instead of hiding the various files in the http://www.ttc4it.co.nz/download/
directory and only accessing them web links from elsewhere, why not make
that directory browseable? That way, the PDF's and binaries you put there
can be accessed without your having to organize and maintain links to them?

Look, David, I've got nothing personal against you or your development
efforts. The fact that you're posting here is an indication that you're
actually trying to get your stuff working: But that lack of source code is
killing your credibility, in my personal opinion. It's one of the factors
you've simply not properly addressed. Many of the best modern security
tools, like OpenSSH and Triipwire and SELinux, rely heavily on their public
nature to point out potential vulnerabilities. You've apparently ignored
that and kept your code private, even though you apparently also built it on
top of GPL based tools such as SmoothWall Express. That's not just
dangerous, it's insulting to open source developers.

If you won't share your code, why should they share their valuable time
reviewing your product?

Nico Kadel-Garcia