It was on slashdot today:
http://slashdot.org/article.pl?sid=01/05/14/1858201&mode=thread
and it was posted last year as well (which slashdot notes in the
post above).
Melissa
[EMAIL PROTECTED] wrote:
>
> Hi there,
>
> I just got this note from Eric Raymond in my inbox. I must be on his
> PR list.
>
> I can't find any references online currently to the MS IIS backdoor ESR
> refers to. Have any of you heard of the backdoor, or seen security or
> press coverage of it? It's not on bugtraq or securityfocus or slashdot
> or... yet.
>
> Carolyn
> http://www.fscinternet.com
> http://www.sercureXpert.com
> http://diary.carolyn.org
>
> =================================================================
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Monday, May 14, 2001 5:43 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Reliance on closed source for security considered harmful
>
> Today, Yahoo is carrying the news that Microsoft has admitted the
> existence of a back door in its IIS webserver that could affect
> hundreds of thousands of websites worldwide [1]. This comes barely
> two weeks after the revelation [2] that another, unrelated bug in IIS
> permitted crackers to gain root access to sites running IIS 5.0 and
> Windows 2000 -- the latest, greatest versions of Microsoft's flagship
> OS and web server.
>
> It's not exactly news that Microsoft's products are hideously
> insecure; these really serious incidents are taking place against a
> background that includes almost weekly announcements of some new macro
> virus or attachment trojan propagated through Microsoft Outlook. One
> might almost be tempted to yawn if these bugs weren't annually costing
> computer users worldwide billions of dollars worth of downtime, lost
> opportunities, and skilled man-hours.
>
> But there is something about this incident that deserves special
> attention. This most recent security hole was *not* a bug -- it was a
> deliberate back door inserted by Microsoft engineers.
>
> When Microsoft spokespeople said that the back door was "absolutely
> against our policy," they were doubtless intending to be reassuring. But
> on second thought, that statement should strike fear into the heart of
> any MIS manager relying on Microsoft products. Because the inevitable
> next question is this: if backdoors can find their way into Microsoft's
> production releases against Microsoft's own policy, *how many more
> undiscovered ones are there*?
>
> Microsoft doesn't know. Nor does anyone else. The only people who
> could tell us are other rogue Microsoft employees like the unnamed
> culprits behind today's backdoor. And they aren't talking.
>
> Back doors and security bugs, like cockroaches, flee the sunlight.
> There is only one way for software consumers to have reasonable
> assurance that they will not become victims of a back door -- open
> source code. The Apache web server that IIS competes against has never
> had a back door, because its code is routinely reviewed and inspected
> by a worldwide developer community alert to the possibility. Any
> developer tempted to insert one knows that it would be discovered and
> traced to him in short order -- thus, it's never even been tried.
>
> This illustrates a larger point. When you use closed source for a
> security-critical application, you must blindly trust *everyone* in the
> chain of transmission -- the developers who wrote it, the company that
> marketed it, and the people who made and shipped the physical media.
> Bad actors or simple mistakes at *any* of these stages can leave you
> with a computer begging to be owned by the first script kiddie who
> wanders along.
>
> With open source, you have a check on the system. You can see inside;
> you know what's going on. This changes the behavior of everyone
> upstream of you; the higher probability that a bug or backdoor will be
> exposed keeps them honest even *before* the code is reviewed. If
> Microsoft's IIS had been open, whoever was responsible for today's
> back door would never have dared to insert it.
>
> The few MIS managers who aren't already evaluating open-source
> software need to wake up and smell the coffee. Today's backdoor
> demonstrates that Microsoft can't control its own employees well
> enough to be trusted with your critical data. More fundamentally than
> that, though, it reveals how deeply foolish and dangerous it is to
> rely on closed-source software for any security-critical use.
>
> As the security advantages of open source become clearer, managers who
> persist in this mistake may find they are putting their own jobs at
> risk. And deserving to lose them...
>
> [1] <http://smallbusiness.yahoo.com/entrepreneur.html?s=smallbiz/articles/20010514/microsoft_ackno>
>
> [2] <http://www.eeye.com/html/Research/Advisories/AD20010501.html>
>
> (Re-distribute and publish freely.)
> --
> <a href="http://www.tuxedo.org/~esr/">Eric S. Raymond</a>
>
> "The bearing of arms is the essential medium through which the
> individual asserts both his social power and his participation in
> politics as a responsible moral being..."
> -- J.G.A. Pocock, describing the beliefs of the founders of the
> U.S.
>
> =================================================================
>
> _______________________________________________
> techtalk mailing list
> [EMAIL PROTECTED]
> http://www.linux.org.uk/mailman/listinfo/techtalk
--
/*********************************
/* Melissa Plunkett
/* System/Network Administrator
/* [EMAIL PROTECTED]
/* College of Education
/* University of Missouri - Columbia
/* 111 London Hall
/* Columbia, MO 65211
/* Phone: (573) 884-6835
/* Fax: (573) 884-5158
*********************************/