Alan Cox talks about laws... and Linux

This set of interview responses from Linux hacker Alan Cox is overtly political, in line with the questions we asked him on May 6th. Alan doesn't just talk about problems here but proposes sensible solutions for them. Very nice. Thanks, Alan.

1) European DMCA
by Yohahn

Given that you won't visit the USA given the enactment of the DMCA. If the DMCA equivalent passes in Europe, will you move? If so, is there anywhere that is safe from this kind of insane law (it sounds like peru may be a new haven for free software)?

Alan:

It's very hard to fight laws in foreign countries. Dmitry for example was almost certainly chosen because he was Russian. It's sadly much easier to win a case in almost any country when you use your historical enemies and prejudices to set the precedents. "Foreigner attacking US business interests" just sounds so much better in court than "clever kid helping his grandma read ebooks", especially when someone notices you can easily get a longer sentence for helping grandma read than kicking her down the stairs.

In the EU we are doing what we can to make the EUCD harm limited, and also trying to educate politicians on the damage they have done. If we can tell them in advance the problems the EUCD is going to cause we can help them frame futher law to prevent those abuses, and to update it.

Knowing the EUCD will trip up its much easier to ensure that there is a nail bed where it will land and you know when to stick your foot out as it streamrollers past, than it is to attempt to hit it head on. We've already had some interesting pointers. In a recent case the judge accepted that the law favoured the bad guys, but said openly that had it been brought up several other ways they would have had no defence. So we have some good ideas how to hit back.

See www.eurorights.org and www.fipr.org for more information

I will be staying put for now. Its my job to hell fight the EUCD just as its the US folks duty to fight the DMCA if they believe in the values the USA claims to hold high. Maybe someone can find a way to use the US flag to defeat a copy protection system. That should make a most entertaining hearing.

Slowly the political wheel is turning, although not entirely in ways I like. The european parties advocating that the nation comes before europe and before international treaties are winning more and more votes. Sadly these parties also advocate racism and forced repatriation of foreigners. It is becoming very important for a lot of reasons that mainstream parties recognize what is going on, otherwise there is a real risk the racists will win real power, because it may be the only way people can vote for these other extremely important political changes.

2) What is your political goal?
by Capt_Troy

What is the goal you hope to obtain in regard to the DMCA dispute? How to you intend to meet those goals ?

Personally, I think that as time passes, people will become more and more technical and eventually the absurdity of the DMCA will be exposed on a more general population than just the techies that it is now. So the best means to an end IMHO is educating the general public. Is this your intention?

Alan:

The ultimate goal has to be to find a middle way that addresses both the rights of copyright holders to protection of their works, and the rights of society to ensure those protections are limited and don't do harm to the general good. Copyright was invented for government censorship and military purposes. It became something for the good of society, and the USA acquired it in that form. Its important it remains for the good of society.

The truth is that the DMCA has no value at all in stopping piracy, only in stopping innovation. It takes one person to break the protection on something and the game is over. That person may be anywhere and well beyond US law. What you can do is to deal with the actual folk who distribute such material. Lets face it, to get a copy of something on the internet you must be able to find it. If you can find it, so can law enforcement.

We need to get to a point where people who actual commit real crimes are punished not people who make tools that might be misused. The 'logic' of the DMCA extended to other regimes makes grim reading for any US citizen:

Photocopiers can be used to copy - ban them, control the libraries
Typewriters can be used to make copies - license then
Web sites can be used to publish illegal material - license/censor them

Which leaves you with a state remarkably similar to the old stalinist block.

The SSSCA mark two and the digital TV rights in the USA are very similar problems. The digital TV one is confused by the fact that encryption of free to air digital tv is heavily restricted in the USA. It isn't in the UK which makes that simpler and you can get Digital TV cards here. The UK encrypted to air TV people went spectacularly bankrupt but thats market forces at work.

I'd like to see the SSSCA stuff solved by market forces and sanity too. Let the Hollywood folks make themselves an antitamper PCI or USB2 hardware card that has only encrypted data in, a smartcard slot for per user rights management and an SVGA analogue overlay/analogue out. If the market is right they can sell/give away such hardware and make a profit on the films. No software system will survive a cracker long, and indeed things like vmware already make a mockery of software only stuff like windows digital media protection since people can record the audio output of the virtual pc trivially.

A tamperproof hardware card also means they can publish all the programming information to load and play movies on it with any OS. That will cut down the number of people interested in cracking it by 99% too.

Keep the government well out of it. Neither Hollywood or the US government (or indeed government in general) has been very good at meddling with technology and innovation. The SSSCA mark 2 is basically an attempt by the studios to make someone else pay for the technology they want to use to sell their product. Thats utterly cynical misuse of power. If its worth doing - let them pay for it.

Educating the public assumes you have access to media that the public proper read and which sees the DMCA as bad. You don't, the media empires helped create that law. That makes such a process very slow and hard to achieve as it has to be done person by person.

3) Microsoft .NET and Linux
by SL33Z3

What are your feelings on Microsoft's .NET and any initiatives to make the technology work on Linux?

Alan:

Microsoft has publically stated that it has patents on critical parts of .NET and will enforce them. If you think that .NET is a good idea, or cloning .NET is a good idea, remember you won't have a US market unless they find you amusing enough to allow to live on. And if you think Microsoft can be trusted on this look at their recent activities against Samba.

The system itself is mildly interesting as a technology. Its yet another virtual machine, roughly equivalent to picojava in capabilities. It has an interesting way to self generate IDL, but one which their own papers say cannot represent all programming languages.

The more dangerous parts of all this are not so much .NET but chunks of the model that not only the .NET product and the Java standards rely on. Things like xmlrpc, soap and the stuff on top of them are designed to "interwork through firewalls". A better phrase would be "go through the firewall like a knife through butter in a way that prevents the companies involved monitoring the activity".

When all you have is an encrypted SSL session how are you going to figure out if its a legitimate bit of ebusiness with a related company or someone in your company uploading your entire company customer database?

4) Organizing the OSS community for activism
by akb

Free software programmers and the extended community are arguably the most organized non-hierarchical, grassroots constituency in the world. The community includes the tens of thousands developers and millions of endusers tightly networked through institutions like sourceforge, slashdot, countless LUGs, etc. The ability to produce projects of the scale and complexity of the Linux kernel, the Debian distribution, or the engineering behind the Internet itself is a testament to the community's ability to organize more than anything else.

Despite this incredible organizing for software production, support and distribution very little of this gets translated into the political realm. In his last slashdot interview [slashdot.org] Lawerence Lessig chided the community for this.

Organizers of traditional political campaigns for social justice or equitable distribution of power would drool over having a constituency as organized as that which we have. How do you think the community can translate its effective organizing in the technical arena into the political realm?

Alan:

Most organised grassroots constituency. Nowhere near. It's an elitist rather unrepesentative bunch of lazy people. They have far too small an overlap with the masses or with the political powers. I also think that the church would probably find any claim of that nature by the free software people rather funny. Walk into a random record shop and say "Tipper Gore" then, assuming you survive, count the percentage of people who don't know. Repeat the same by going into a random pcworld type computer shop but saying "EFF". The mainstream awareness just is not there.

The way you fix that is to get up off said backsides and write to politicians, propose alternatives, write letters to the mainstream newspapers and organise events to publicize things. Unfortunately everyone thinks it will be OK because someone else will get up off their backside instead.

You achieve change because everyone gets off their backsides and does stuff. Gandhi didn't free India alone, women didn't get the vote because one person rang the prime ministers office and asked for it. The same goes for much smaller and less important goals too.

5) The end of cheap "open" hardware?
by I91MM

It looks like us PC hardware hackers are likely to have a much harder time in the next ten to twenty years as the average (desktop) PC becomes increasingly integrated. I see a trend away from the PC of today towards an increasingly closed 'black box' where the components are no longer a set of cards which are easily replacable. This is inevitable, especially at the lower end of the PC market, since increasing integration leads to lower costs for the manufacturers. Correspondingly, custom hardware will become more expensive and be increasingly restricted to the high end...

How do you think such a trend away from "open" hardware would affect open source development, especially at the lower end of the spectrum? As the computer becomes more and more of a mysterious black box, do you think that the would-be hardware hackers of tomorrow are more likely to turn towards software and application development, and would this be mostly good or mostly bad for open source software (more applications/systems programmers, but fewer hardware-level programmers)?

Alan:

The desktop PC is an anachronism already to most people. The high flexibility of the system makes it scary to use, expensive to manufacture, and hard to make reliable. PC's are also noisy, they are hard to reset to the state they arrived in without losing your personal data and so forth.

The low cost sealed box PC is an inevitability, and one that is badly needed to push computing on a stage. It is much cheaper to do safety and approvals work on a system that the user can't poke a screwdriver inside and which doesn't contain connectors sticking up off the board like small aerials.

I don't see all custom hardware getting more expensive, or the inability to fit cards as a problem. If the entire system is cheaper than the new card it is a quite serious recycling problem rather than a financial one. A lot of electronics hackers have found things like USB very good too. Its not hard to write USB devices and its a great way to plug fun electronics into a PC, USB even provides device power for you.

There is a temptation for some manufacturers to make it deliberately hard to twiddle with a computer, to fit non standard external connectors and the like but I'm hopeful the market will address that - preferably better than it did laptop docking stations.

I'm also not sure sealed boxes make less "open" hardware in the free software sense. It may even be advantageous. If the systems are very integrated it becomes easier for all OS vendors to handle things like driver writing because there are less drivers to write. A piece of silicon is pretty opaque without the manual whether you have to saw the box open or undo screws.

It might mean a reduction in the number of programmers with good hardware experience, it might also mean there are more good programmers free to work on the next critical things - user interfaces, security models, or replacing the current web services garbage with something that is scalable and can be made to work for example

6) Free vs Commercial
by div_2n

With free versions of software such as Open Office constantly improving, what place do you perceive commercial software to have in the free software world as free alternatives mature to an acceptable and usable state?

Alan:

It really comes down to people having a business model that justifies the extra cost of their proprietary product, both in convenience to the user and development cost to them.

Sometimes that equation makes real sense. For example I'm sick of deleting bug reports from people with the Nvidia kernel modules. I've talked to Nvidia folks about why they do it. The bottom line is that I can't make a good case for them to open source it. Their worries about what it might do to their performance relative to competitors are quite well founded.

If the governments would do something properly about the Microsoft monopoly, patent abuse and other false pressures the markets ought to sort it out. Right now its not the "invisible hand" guiding the markets its the "lobbyists jackboots"

7) Beards?
(Score:5, Funny)
by WinstonSmith

I've been programming a computer since I was 8 years old. I'm 29 now. That's 21 years of "experience". Lately, however, I've come to the realization that I'm never going to make it "big" unless I grow a Big Ole Programmer's Beard. I'd like to think it's possible to be a wise UNIX guru without one, but I think it would be easier if I had a beard. A big one.

My question is: Since my wife won't let me grow the Big Ole Programmer's Beard, what should I do to make it "big" in the world of UNIX gurus?

Alan:

You could try a disguise kit. Maybe a stick on beard would work? I'm glad to see that you have at least decided the wife is more important than a beard.

Linus is proof that you can change the world without a beard, even by accident. In my opinion you have to do two things to be a Unix guru. Firstly you need to know a lot about the system and the philosophy. Being able to say "V7 was the last real Unix" and justify your claim is a good test. Secondly you need to be actively helping and teaching other people that knowledge - which in turn also improves yours immensely. If you want the holes in your knowledge showing up try teaching someone.

8) The future of Linux
by halftrack

With the rise of KDE3, increased user friendlyness and "simple" distros such as Mandrake and Lindows. Do you belive the development of Linux and the open source comunity would be harmed in any way, if Linux ever became mainstream?

Alan:

Linux is already mainstream in the embedded world and in the server world. Take a look at the huge Wall Street companies using Linux if you doubt that.

The desktop is much more challenging, but I don't actually see it as a "problem" if it becomes mainstream. It will certainly add pressure to improve standardisation work in the LSB for the user interface libraries.

The bigger challenge in terms of not breaking the OS is embedded. The drive for size is not that major a problem but the goal of extremely good real time response does have potential conflicts. Solving those of course also helps on the desktop.

9) What should we fear the most?
by jmv

There are many plagues that threaten the open-source community and even the software industry in general. There are software patents, DMCA and the like, frivolous lawsuits, MS bullying to name a few. In your opinion which one is the most dangerous? Also, what do you think is the best way to fight it?

Alan:

Most of them depend what country you are in. I don't see the USA or western europe as a long term software development market for example. They are too expensive and there is too much stupid (as opposed to justified) red tape and expense.

Software patents and frivolous lawsuits all sit together. When you look at the kind of rubbish the USPTO has allowed to be patented - stuff like merge sorting web logs - you being to realize the scale of the mess. Fortunately everyone is now telling the US government this, even patent attorneys. It is going to take a lot of cleaning up and will require political will alas.

Microsoft certainly are a threat. If they are given a slapped wrist then their behaviour after the lawsuit is going to make their behaviour before it look quite saintly. It won't be politicially acceptable for the US to drag them straight back into court. They know that from their last slapped wrist. The fact they have been able to avoid paying shareholders dividends has given them huge amounts of cash and power. Typically a corporation pays over 80% of its profit as shareholder dividends in the USA.

Its actually quite ironic for them to describe Linux as un-American. Work out the tax that would have arisen if they paid dividends like normal companies on their 30 billion plus cash mountain. Now convert that into extra on the ground US security service employees and ask the obvious question..

10) Do you have any other interests?
by gosand

Do you have any other interests, besides Linux? I know in order to get to the "guru" status you have to be pretty dedicated to one thing. But what else do you like? Or are you a 100% Linux-kernel-hacker? I swear I saw you the other day riding a Harley. ;-)

Alan:

I don't think you can obtain guru status without having other interests. If you never look out of your own windows you will miss so much that has direct relevance and is usable in your own field of work.

The things I actually do tend to vary, the last couple of weeks have involved playing Illuminati and practicing my world domination skills (one win, one joint win out of two) and investigating furniture. Next week may involve repotting plants I think, and trying to work out why one of my spiderplants is dying.

I know I'm getting older too. There comes that certain point in life when you actually find things like furniture catalogues interesting. As a friend summed it up "I have found in me the urge to buy power tools".

You wouldn't find me riding a Harley however. I've never been keen on bikes. and my mother promised long ago if I ever got one she'd smash it into little pieces (a close relative ended up with a permanent limp from a bike accident). I've done enough damage falling off a real horse, I'll skip iron ones.

Mabe true but, exagerated

[billstr78]

It's very hard to fight laws in foreign countries. Dmitry for example was almost certainly chosen because he was Russian. It's sadly much easier to win a case in almost any country when you use your historical enemies and prejudices to set the precedents. "Foreigner attacking US business interests" just sounds so much better in court than "clever kid helping his grandma read ebooks", especially when someone notices you can easily get a longer sentence for helping grandma read than kicking her down the stairs.


Dmitry was not in hot water just for "helping grandma to read", he made it possible for millions of copywritten works which make up for some people's livleyhoods, to be exploited without proper compensation by 10's of millions of people. If he wanted to help grandma read, he would bring some books from the local library and get grandma some warm tea and a bright light.

I am sure that there were certain portions of the way he was procecuted that were not fair, but this sort of gross exageration does not fool anyone and really does more harm than good.

Re:Mabe true but, exagerated

Er, the point he was making was that it would have been a lot harder to prosecute Dmitry if he HAD been a cute clever kid "helping grandma to read".

Whether you agree with that is of course another matter, but disagreeing with something Alan didn't say is silly.

Daniel (Slashdot thinks I'm logged in on the main page, but not here. Go figure)

Re:Mabe true but, exagerated

[TheCrazyFinn]

Well, there's a hell of a lot more than a couple dozen. I own about 45 from one publisher alone, and that's less than 1/4 of that publisher's catalogue. Of course, Dmitri's work wouldn't affect this publisher, because they don't use any encryption.

There are two companies making money in the E-Book business, Baen Books, and Fictionwise. Both sell E-Books cheap, and avoid encryption if at all possible (Some Fictionwise stuff is encrypted, no Baen stuff is encrypted.)

So go check out the Free Library at www.baen.com
for free E-Books from popular SF and Fantasy Authors.

The Crazy Finn

Re:Mabe true but, exagerated

[aronc]

If he wanted to help grandma read, he would bring some books from the local library and get grandma some warm tea and a bright light.

My wife is blind. Completely and totally. Tell me how a bright light helps her read the ebook I just bought for her. Go ahead bright boy, tell me.

Microsoft and Dividends

[Pave+Low]

Where is this notion that Microsoft "avoids" paying dividends come from? They have no obligation whatsoever to pay out dividends if management decides not to. You can't avoid doing something where you might otherwise have to.

Shareholders know they don't pay dividends, they invest full well knowing that. They bet that by reinvesting that money back into the company, the shareholder value will increase. That in of itself is better than a dividend.

Re:Microsoft and Dividends

[sphealey]

Where is this notion that Microsoft "avoids" paying dividends come from? They have no obligation whatsoever to pay out dividends if management decides not to.

Up to a point. However, if the company stops growing, and continues to retain cash in excess of its reasonable operating requirements, there comes a point where the management can be accused of failing in their fiduciary duty to maximize total return to the stockholders.

What is that point? Hard to say since it varies from industry to industry, from board of directors to board of directors, and from presidential administration to presidential administration. However, in the auto industry the tipping point has usually been around $5 billion (USD, US billion) on annual sales of $50B. Past that point shareholders, the SEC, and the Justice Dept. start getting restive.

sPh

DMCA does work.

[glrotate]

The truth is that the DMCA has no value at all in stopping piracy

Really Alan? Please direct me to a commercialy available DVD->DVD copier, or a DVD->VHS unit?

It's hollywoods fault

[MountainLogic]

Alan makes a very important point:

I'd like to see the SSSCA stuff solved by market forces and sanity too. Let the Hollywood folks make themselves an antitamper PCI or USB2 hardware card that has only encrypted data in, a smartcard slot for per user rights management and an SVGA analogue overlay/analogue out. If the market is right they can sell/give away such hardware and make a profit on the films. No software system will survive a cracker long, and indeed things like vmware already make a mockery of software only stuff like windows digital media protection since people can record the audio output of the virtual pc trivially.

The real problem is that Hollywood wants their cake and to eat it too. They want to use commodity PC hardware (DVDs). They should kill the DVD, create a propritary platform (players only) and NEVER aloow it to run on a PC. Geez, I publish something in a public format I then I'm surprised the public can share it? Get real.

This whole screw-up is Hollywoods fault. Don't let them stick it to us for their mistakes.

Flamebait: V7 *WAS* the last real unix.

[Amazing+Quantum+Man]

Yeah, it may be OT and it may be flamebait, but Alan mentioned this one...

After V7, more and more got thrown into the kernel. V7 was the last "minimalist" kernel, where small was beautiful.

Re:what's up with the FUD?

[Alan+Cox]

If you are going to insult me look up your facts. If Microsoft paid typical US dividends they would have under 20% of their current slush fund. (under because at 80% dividends the investors not the corporation got the benefit of reinvestment of most of the interest)

If they choose to sit on that $40 billion they should be paying tax on it because I really doubt they can demonstrate its neccessary for operational overheads. In which case 39% of it belongs to the US people. Which on a quick back of the envelope calculation is a bit over $50 per US citizen

Nvidia vs ATI

[joneshenry]

Alan Cox admits he just can't make an economic argument to Nvidia why they should open source their drivers. He tries to save the situation by doing some hand-waving about patents and IP but eventually has to acknowledge that open-sourcing the drivers would help Nvidia's competitors.

Let's be blunt, if Nvidia were to open source their drivers even Alan Cox is admitting that say ATI could act as a parasite on Nvidia's IP. And that would simply be wrong. Nvidia has invested in a unified driver model where Linux support is almost on par with Windows support whereas ATI has chosen to not invest in skilled driver writers. It is incredible that card generation after card generation the universal complaint about ATI is always about the drivers, the company is based in Canada where presumably with any sort of effort they could hire extraordinary programmers to write these drivers, yet ATI management chooses this area to skimp on spending money.

Why should a company that is too cheap to hire sufficiently skilled programmers be given a free ride on Nvidia's investments?

Re:Use the flag to defeat a copy protection system

[GregWebb]

If the US flag itself could be used as a device to circumvent an access control then it would technically become illegal.

Personally, I suspect you'd have more luck with an ASCII Constitution but that's the principle. Can't see it happening (it's too artificial and would get laughed out of court) but it would be entertaining...

.Net

[hackus]

The idea of creating and using a independant language based development facility to create software has no basis in reality.

I for one don't care about language independance as there is no use for a application written in X different languages. US Military tried that two decades ago and said enough is enough, and created ADA to solve that problem.

It would seem Microsoft hasn't kept up to date on the historic research in antiquidated software development practices.

Not surprising, it hasn't kep up to date with MODERN practices either!!

.Net was created with one thing and one thing in mind only, to destroy Java and to sell more software, not because it solves a pressing problem in the market place. (Beyond people flocking to Java to solve the decade old problem of keep software alive and well between hardware upgrades.)

.Net was not created because it offers something of value to the market place.

.Net was not created because it solves a technology problem in our industry like Java. (i.e. Truly portable code over target machine hardware)

.Net in short is a solution looking for a problem.

It offfers NO advantage over its target market it wants to kill, (i.e. Java developers) and actually restricts your organization by not allowing your software to run anywhere but on Microsoft's own limited vision of what computing power is, (i.e. PC hardware).

Like so many other times I have commented on .Net, it is a ludicrously expensive software API to develop on, and offers no real value in developing internet based applications as a result.

-Hack

Wrong! The law is clear on this

[AirLace]

I'm surprised there are still people on Slashdot who haven't heard of the exception to patent law called Independent Discovery. I could go ahead and describe it here, or I could quote one of the more eminent legal resources on the Web. Basically, if you didn't copy the patent directly off their patent claim sheets, then they don't have a case against you (US and UK law):

1. Independent Discovery

Anyone who creates the same secret information independently -- even if it is identical to your business' trade secret -- is free to use and disclose that information. In other words, creating a trade secret, by itself, does not grant you exclusive rights to use that secret.

EXAMPLE: Dudely Company and Manly Company sell competing after-shave products. Dudely creates a database that compares different brands of after-shave advertising and resulting annual sales. Dudely uses this trade secret information to determine how to allocate its advertising budget. Manly's president independently creates a similar database and publishes it in a business book. Dudely will be unable to protect its formula under existing NDAs because its database is no longer a trade secret.

To preserve a possible claim of independent discovery, many companies will not look at materials furnished by an outsider who wants to sell something to the company. By refusing to consider unsolicited materials, the company has a better argument for its independent creation of similar products. One method of proving independent creation is to use clean room techniques (see "Clean Rooms" below)

Failed encryption TV in the Netherlands

[Rob+Kaper]

The UK encrypted to air TV people went spectacularly bankrupt but thats market forces at work.

Same in the Netherlands. They wanted to hide our premier football league (American? read: soccer) behind a subscription model. Noone used it, the "Sport 7" channel went bankrupt and football is right back on public TV.

Turns out you can't cheat the public from what they think should be available. Piracy wasn't an issue here (weekly matches are much permanent than movies and audio, which you tend to *keep*). Only bad thing: many of the smaller teams now have huge debts because they made huge investments based on a multi-year sponsor contract of Sport 7.

Let's hope the general audience will also be smart enough to ignore any devices and software overly protected just for the sake of getting more money. Educating them indeed seems the proper way to fight.

BWAHAHAHAHAHA mk. 2

[Ashurbanipal]

So you'll take a handout, but you'd call a government "facist" that supplied one? You're slaying me here, man, that's funny as hell!

If businesses/industry do not exist to serve the needs of the socio-cultural matrix that allows them to exist, what are they for? Is the existence of widgets of inherent value aside from the generation of taxes and payroll checks during their production? Perhaps all the Happy Meal toys are really Objectivist Holy Relics?

Now I'm cracking myself up. I'm easily amused today.

Very nice interview .. but SOAP and Firewalls :-/

[angel'o'sphere]

The more dangerous parts of all this are not so much .NET but chunks of the model that not only the .NET product and the Java standards rely on. Things like xmlrpc, soap and the stuff on top of them are designed to "interwork through firewalls". A better phrase would be "go through the firewall like a knife through butter in a way that prevents the companies involved monitoring the activity".
When all you have is an encrypted SSL session how are you going to figure out if its a legitimate bit of ebusiness with a related company or someone in your company uploading your entire company customer database?


This is a part form the answer to the qestion:
3) Microsoft .NET and Linux by SL33Z3
What are your feelings on Microsoft's .NET and any initiatives to make the technology work on Linux?


Hu hom ... I simply do not get that freaking panic about SOAP and firewalls.

If I run a corporate network and I have a server inside of my network, which exposes its functionality via SOAP, my firewall does not NEED to filter it. Well, sure, I'm paranoid, so I filter the adresses so that outside requests only go to the HTML web server or to the SOAP server.
What the heck should be the security issue with SOAP via HTTP if *I* run a soap service. I can configure everything to make it bullet proof.

So other scenario:
Someone outside of my network is running a SOAP service. Clients inside of my network like to access it. My firewall should "be involved".
So again, what is the freaking security problem?
A guy inside of my network likes to upload the client data base to an outside destination?
So, first thing: I only alow SOAP requests to known SOAP servers where my business processes rely on.
Second, "of course" I need a inspecting fire wall. I only allow requests which fit my restrictions of service endpoint and called method.

Third, if you in fact use SOAP you install a forwarding SOAP server inside of your network. That one is configured to accept all requests which are ment to reach a known outside destination. All requests are prechecked if needed or simply forwarded if the destination is accepted or dropped if the destination is not accepted.

The firewall is configured to accept and pass through HTTP requests with content type text/xml or text/soap only from that server.

So what is the problem?

The remaining problem is one can write a custom application using SOAP via SSL to bypass the internal server. The firewall can not check the content because of SSL? I think the firewall still can recognize the content type, only the body of teh request is encrypted, right?

So, you think that is a SOAP problem? Isn't that a generic problem of firewalls?

I can write a custom application, a ten liner in Java or likely a one liner shell script with CURL, just using plain HTTP for a plain .html request for a plain web site posting what I like to that side.

What does the firewall do in that case? The same like in case of SOAP. Either it is statefull and well configured or not. And for inside out attacks firewalls are hard to make water proof I would say.

Bottom line: I see no SOAP inherent problem regarding firewalls. But thats only because the guys who are much smarter in that respect fail to make clear WHY there is indeed a problem.

I would love to see some good points showing why SOAP messes everything up(security wise). I only found statement snd no backing, even from Bruce Schneier.

angel'o'sphere