[techtalk] Eric Raymond, MS security, and open source..

Melissa Plunkett plunkettm at missouri.edu
Mon May 14 20:16:19 EST 2001


It was on slashdot today: 
http://slashdot.org/article.pl?sid=01/05/14/1858201&mode=thread
and it was posted last year as well (which slashdot notes in the
post above).

Melissa

clburke at fscinternet.com wrote:
> 
> Hi there,
> 
> I just got this note from Eric Raymond in my inbox.  I must be on his
> PR list.
> 
> I can't find any references online currently to the MS IIS backdoor ESR
> refers to.  Have any of you heard of the backdoor, or seen security or
> press coverage of it?  It's not on bugtraq or securityfocus or slashdot
> or... yet.
> 
> Carolyn
> http://www.fscinternet.com
> http://www.sercureXpert.com
> http://diary.carolyn.org
> 
> =================================================================
> 
> -----Original Message-----
> From: esr at thyrsus.com [mailto:esr at thyrsus.com]
> Sent: Monday, May 14, 2001 5:43 PM
> To: esr at thyrsus.com; wire-service at thyrsus.com
> Subject: Reliance on closed source for security considered harmful
> 
> Today, Yahoo is carrying the news that Microsoft has admitted the
> existence of a back door in its IIS webserver that could affect
> hundreds of thousands of websites worldwide [1].  This comes barely
> two weeks after the revelation [2] that another, unrelated bug in IIS
> permitted crackers to gain root access to sites running IIS 5.0 and
> Windows 2000 -- the latest, greatest versions of Microsoft's flagship
> OS and web server.
> 
> It's not exactly news that Microsoft's products are hideously
> insecure; these really serious incidents are taking place against a
> background that includes almost weekly announcements of some new macro
> virus or attachment trojan propagated through Microsoft Outlook.  One
> might almost be tempted to yawn if these bugs weren't annually costing
> computer users worldwide billions of dollars worth of downtime, lost
> opportunities, and skilled man-hours.
> 
> But there is something about this incident that deserves special
> attention.  This most recent security hole was *not* a bug -- it was a
> deliberate back door inserted by Microsoft engineers.
> 
> When Microsoft spokespeople said that the back door was "absolutely
> against our policy," they were doubtless intending to be reassuring.
> But on second thought, that statement should strike fear into the
> heart of any MIS manager relying on Microsoft products.  Because the
> inevitable next question is this: if backdoors can find their way into
> Microsoft's production releases against Microsoft's own policy, *how
> many more undiscovered ones are there*?
> 
> Microsoft doesn't know.  Nor does anyone else.  The only people who
> could tell us are other rogue Microsoft employees like the unnamed
> culprits behind today's backdoor.  And they aren't talking.
> 
> Back doors and security bugs, like cockroaches, flee the sunlight.
> There is only one way for software consumers to have reasonable
> assurance that they will not become victims of a back door -- open
> source code.  The Apache web server that IIS competes against has
> never had a back door, because its code is routinely reviewed and
> inspected by a worldwide developer community alert to the possibility.
> Any developer tempted to insert one knows that it would be discovered
> and traced to him in short order -- thus, it's never even been tried.
> 
> This illustrates a larger point.  When you use closed source for a
> security-critical application, you must blindly trust *everyone* in
> the chain of transmission -- the developers who wrote it, the company
> that marketed it, and the people who made and shipped the physical
> media.  Bad actors or simple mistakes at *any* of these stages can
> leave you with a computer begging to be owned by the first script
> kiddie who wanders along.
> 
> With open source, you have a check on the system.  You can see inside;
> you know what's going on.  This changes the behavior of everyone
> upstream of you; the higher probability that a bug or backdoor will be
> exposed keeps them honest even *before* the code is reviewed.  If
> Microsoft's IIS had been open, whoever was responsible for today's
> back door would never have dared to insert it.
> 
> The few MIS managers who aren't already evaluating open-source
> software need to wake up and smell the coffee.  Today's backdoor
> demonstrates that Microsoft can't control its own employees well
> enough to be trusted with your critical data.  More fundamentally than
> that, though, it reveals how deeply foolish and dangerous it is to
> rely on closed-source software for any security-critical use.
> 
> As the security advantages of open source become clearer, managers who
> persist in this mistake may find they are putting their own jobs at
> risk.  And deserving to lose them...
> 
> [1]
> <http://smallbusiness.yahoo.com/entrepreneur.html?s=smallbiz/articles/20010514/microsoft_ackno>
> 
> [2] <http://www.eeye.com/html/Research/Advisories/AD20010501.html>
> 
> (Re-distribute and publish freely.)
> --
>                 <a href="http://www.tuxedo.org/~esr/">Eric S. Raymond</a>
> 
> "The bearing of arms is the essential medium through which the
> individual asserts both his social power and his participation in
> politics as a responsible moral being..."
>         -- J.G.A. Pocock, describing the beliefs of the founders of
>            the U.S.
> 
> =================================================================
> 
> _______________________________________________
> techtalk mailing list
> techtalk at linuxchix.org
> http://www.linux.org.uk/mailman/listinfo/techtalk

-- 
/*********************************
/* Melissa Plunkett
/* System/Network Administrator
/* melissa at coe.missouri.edu    
/* College of Education
/* University of Missouri - Columbia
/* 111 London Hall
/* Columbia, MO 65211
/* Phone: (573) 884-6835
/* Fax:   (573) 884-5158
*********************************/