

I don't discuss my clients here, or in any public forums, as a general courtesy. I believe sharing some of my unique technical expertise, experiences (including mistakes), and concerns is helpful to the Internet as a whole, because my consulting income derives substantially from the fundamental belief, represented by the Internet, that a worldwide resource for communication, substantially open to all and made available at very low cost, is a boon to humanity.


Updated my resume (PDF and Word/DOC).


After some quick accomplishments getting an E2E scenario working for one of my projects, wanted to get up to speed on git while catching up on my own backup/archival needs. Decided I really wanted to delete duplicate files in my older (and rather large) archives, discovered duff 0.4. Tried it, and, when it proved too slow, improved its performance by replacing the Bubblesort-ish algorithm to find duplicates with one using qsort(). Then threw versions 0.4 and my "0.5 RC1" candidate up on a new GitHub page for duff. Check it out! (For Unix-like systems only.)


Resuming my consulting business soon, after finishing up an enjoyable, whirlwind stint as a Senior Software Development Engineer in Test at Microsoft. Feel free to contact me about my availability, currently planned for sometime in November 2010, or about needs or opportunities in the community.


Reviewed "Qmail Quickstarter".


Wrote up a page on my concerns about Challenge/Response Systems (for email users).


Significantly revised my "It Wasn't Me!" page, and expanded on my use of (and take on) SPF in a new page.


Introduced some of my thoughts on hostile environments, such as the Internet, focusing on concerns I have that are not generally recognized in the community.


Published my new(-ish) public key, which includes a revoked version of my previous one.

The new key uses my "new" consulting email address, james at, which I'm switching over to since the old one (craig at etc....) was joe-jobbed so much that I've gotten the impression some sites simply drop incoming email allegedly from that address without any due notice.

Meanwhile, it has now been over 16 months since I first mentioned, on my web site, that it would be fairly easy for me to fix the infamous "Guninski bugs" in qmail (other than the one I already fixed in qmail-smtpd).

Yet, though I have since been hired to do all sorts of work on qmail, including customizing the code in certain cases, nobody has seen fit to hire me to fix these bugs, nor have I seen any evidence that anyone else has published fixes to these bugs.

I tentatively conclude that nobody is willing to spend even a modest amount of money or time fixing what they must surely perceive as only theoretical bugs, probably because there still is no evidence that they can be exploited for nefarious purposes.

So, despite all the allegedly "necessary" patches, add-ons, and workarounds required for a typical qmail installation on a public site, it has been many years now that we've gotten along quite well with version 1.03, and pretty much "perfectly" when it comes to qmail's security record.

While I continue to dream about and design a new email system, the prospect of having to live up to qmail's record of success is more than daunting — it is forcing me to think in terms of employing "bug-free" methods of coding, which I've long considered desirable anyway.


I now believe that the Guninski "security alerts" pertaining to qmail represent legitimate potential security vulnerabilities.

The vulnerabilities of which I'm presently aware (as I have not yet studied all potential problems in qmail) are unlikely to be exploitable on ordinary 32-bit systems such as 32-bit CPUs running GNU/Linux, or on any systems that impose reasonable per-process limitations on virtual-memory usage.


Here's my take on the Guninski "security alerts" pertaining to qmail.


Copyright (C) 2005, 2006 James Craig Burley, Software Craftsperson
Last modified on 2010-10-06.