
[seul-edu] IIS - ESR's email...



Taken from the Linuxchix List. Perhaps it will provide more fodder for
the 'Let's NOT Go To IIS' argument...

-- Pete

> -----Original Message-----
> From: esr@thyrsus.com [mailto:esr@thyrsus.com]
> Sent: Monday, May 14, 2001 5:43 PM
> To: esr@thyrsus.com; wire-service@thyrsus.com
> Subject: Reliance on closed source for security considered harmful
> 
> Today, Yahoo is carrying the news that Microsoft has admitted the
> existence of a back door in its IIS webserver that could affect
> hundreds of thousands of websites worldwide [1].  This comes barely
> two weeks after the revelation [2] that another, unrelated bug in IIS
> permitted crackers to gain root access to sites running IIS 5.0 and
> Windows 2000 -- the latest, greatest versions of Microsoft's flagship
> OS and web server.
> 
> It's not exactly news that Microsoft's products are hideously
> insecure; these really serious incidents are taking place against a
> background that includes almost weekly announcements of some new macro
> virus or attachment trojan propagated through Microsoft Outlook.  One
> might almost be tempted to yawn if these bugs weren't annually costing
> computer users worldwide billions of dollars worth of downtime, lost
> opportunities, and skilled man-hours.
> 
> But there is something about this incident that deserves special
> attention.  This most recent security hole was *not* a bug -- it was a
> deliberate back door inserted by Microsoft engineers.
> 
> When Microsoft spokespeople said that the back door was "absolutely
> against our policy," they were doubtless intending to be reassuring.  
> But on second thought, that statement should strike fear into the 
> heart of any MIS manager relying on Microsoft products.  Because the 
> inevitable next question is this: if backdoors can find their way into 
> Microsoft's production releases against Microsoft's own policy, *how 
> many more undiscovered ones are there*?
> 
> Microsoft doesn't know.  Nor does anyone else.  The only people who
> could tell us are other rogue Microsoft employees like the unnamed
> culprits behind today's backdoor.  And they aren't talking.
> 
> Back doors and security bugs, like cockroaches, flee the sunlight.
> There is only one way for software consumers to have reasonable
> assurance that they will not become victims of a back door -- open 
> source code. The Apache web server that IIS competes against has never 
> had a back door, because its code is routinely reviewed and inspected 
> by a worldwide developer community alert to the possibility.  Any 
> developer tempted to insert one knows that it would be discovered and 
> traced to him in short order -- thus, it's never even been tried.
> 
> This illustrates a larger point.  When you use closed source for a
> security-critical application, you must blindly trust *everyone* in 
> the chain of transmission -- the developers who wrote it, the company 
> that marketed it, and the people who made and shipped the physical 
> media.  Bad actors or simple mistakes at *any* of these stages can 
> leave you with a computer begging to be owned by the first script kiddie 
> who wanders along.
> 
> With open source, you have a check on the system.  You can see inside;
> you know what's going on.  This changes the behavior of everyone
> upstream of you; the higher probability that a bug or backdoor will be
> exposed keeps them honest even *before* the code is reviewed.  If
> Microsoft's IIS had been open, whoever was responsible for today's
> back door would never have dared to insert it.
> 
> The few MIS managers who aren't already evaluating open-source
> software need to wake up and smell the coffee.  Today's backdoor
> demonstrates that Microsoft can't control its own employees well
> enough to be trusted with your critical data.  More fundamentally than
> that, though, it reveals how deeply foolish and dangerous it is to
> rely on closed-source software for any security-critical use.
> 
> As the security advantages of open source become clearer, managers who
> persist in this mistake may find they are putting their own jobs at
> risk.  And deserving to lose them...
> 
> [1]
> <http://smallbusiness.yahoo.com/entrepreneur.html?s=smallbiz/articles/20010514/microsoft_ackno>
> 
> [2] <http://www.eeye.com/html/Research/Advisories/AD20010501.html>
> 
> (Re-distribute and publish freely.)
> --
>                 Eric S. Raymond <http://www.tuxedo.org/~esr/>
> 
> "The bearing of arms is the essential medium through which the
> individual asserts both his social power and his participation in
> politics as a responsible moral being..."
>         -- J.G.A. Pocock, describing the beliefs of the founders of the
> U.S.
> 