[techtalk] Eric Raymond, MS security, and open source..

clburke at fscinternet.com
Mon May 14 20:52:56 EST 2001


Hi there,

I just got this note from Eric Raymond in my inbox.  I must be on his 
PR list.  

I can't find any references online currently to the MS IIS backdoor ESR 
refers to.  Have any of you heard of the backdoor, or seen security or 
press coverage of it?  It's not on bugtraq or securityfocus or slashdot 
or... yet.

Carolyn
http://www.fscinternet.com
http://www.sercureXpert.com
http://diary.carolyn.org

=================================================================

-----Original Message-----
From: esr at thyrsus.com [mailto:esr at thyrsus.com] 
Sent: Monday, May 14, 2001 5:43 PM
To: esr at thyrsus.com; wire-service at thyrsus.com
Subject: Reliance on closed source for security considered harmful


Today, Yahoo is carrying the news that Microsoft has admitted the
existence of a back door in its IIS webserver that could affect
hundreds of thousands of websites worldwide [1].  This comes barely
two weeks after the revelation [2] that another, unrelated bug in IIS
permitted crackers to gain root access to sites running IIS 5.0 and
Windows 2000 -- the latest, greatest versions of Microsoft's flagship
OS and web server.

It's not exactly news that Microsoft's products are hideously
insecure; these really serious incidents are taking place against a
background that includes almost weekly announcements of some new macro
virus or attachment trojan propagated through Microsoft Outlook.  One
might almost be tempted to yawn if these bugs weren't annually costing
computer users worldwide billions of dollars worth of downtime, lost
opportunities, and skilled man-hours.

But there is something about this incident that deserves special
attention.  This most recent security hole was *not* a bug -- it was a
deliberate back door inserted by Microsoft engineers.

When Microsoft spokespeople said that the back door was "absolutely
against our policy," they were doubtless intending to be reassuring.
But on second thought, that statement should strike fear into the heart
of any MIS manager relying on Microsoft products.  Because the
inevitable next question is this: if backdoors can find their way into
Microsoft's production releases against Microsoft's own policy, *how
many more undiscovered ones are there*?

Microsoft doesn't know.  Nor does anyone else.  The only people who
could tell us are other rogue Microsoft employees like the unnamed
culprits behind today's backdoor.  And they aren't talking.

Back doors and security bugs, like cockroaches, flee the sunlight.
There is only one way for software consumers to have reasonable
assurance that they will not become victims of a back door -- open
source code.  The Apache web server that IIS competes against has never
had a back door, because its code is routinely reviewed and inspected
by a worldwide developer community alert to the possibility.  Any
developer tempted to insert one knows that it would be discovered and
traced to him in short order -- thus, it's never even been tried.

This illustrates a larger point.  When you use closed source for a
security-critical application, you must blindly trust *everyone* in the
chain of transmission -- the developers who wrote it, the company that
marketed it, and the people who made and shipped the physical media.
Bad actors or simple mistakes at *any* of these stages can leave you
with a computer begging to be owned by the first script kiddie who
wanders along.

With open source, you have a check on the system.  You can see inside;
you know what's going on.  This changes the behavior of everyone
upstream of you; the higher probability that a bug or backdoor will be
exposed keeps them honest even *before* the code is reviewed.  If
Microsoft's IIS had been open, whoever was responsible for today's
back door would never have dared to insert it.

The few MIS managers who aren't already evaluating open-source
software need to wake up and smell the coffee.  Today's backdoor
demonstrates that Microsoft can't control its own employees well
enough to be trusted with your critical data.  More fundamentally than
that, though, it reveals how deeply foolish and dangerous it is to
rely on closed-source software for any security-critical use.

As the security advantages of open source become clearer, managers who
persist in this mistake may find they are putting their own jobs at
risk.  And deserving to lose them...

[1] <http://smallbusiness.yahoo.com/entrepreneur.html?s=smallbiz/articles/20010514/microsoft_ackno>

[2] <http://www.eeye.com/html/Research/Advisories/AD20010501.html>

(Re-distribute and publish freely.)
-- 
		<a href="http://www.tuxedo.org/~esr/">Eric S. Raymond</a>

"The bearing of arms is the essential medium through which the
individual asserts both his social power and his participation in
politics as a responsible moral being..."
        -- J.G.A. Pocock, describing the beliefs of the founders of the U.S.

=================================================================