[seul-edu] IIS - ESR's email...
Taken from the Linuxchix List. Perhaps it will provide more fodder for
the 'Let's NOT Go To IIS' argument...
-- Pete
> -----Original Message-----
> From: esr@thyrsus.com [mailto:esr@thyrsus.com]
> Sent: Monday, May 14, 2001 5:43 PM
> To: esr@thyrsus.com; wire-service@thyrsus.com
> Subject: Reliance on closed source for security considered harmful
>
> Today, Yahoo is carrying the news that Microsoft has admitted the
> existence of a back door in its IIS webserver that could affect
> hundreds of thousands of websites worldwide [1]. This comes barely
> two weeks after the revelation [2] that another, unrelated bug in IIS
> permitted crackers to gain root access to sites running IIS 5.0 and
> Windows 2000 -- the latest, greatest versions of Microsoft's flagship
> OS and web server.
>
> It's not exactly news that Microsoft's products are hideously
> insecure; these really serious incidents are taking place against a
> background that includes almost weekly announcements of some new macro
> virus or attachment trojan propagated through Microsoft Outlook. One
> might almost be tempted to yawn if these bugs weren't annually costing
> computer users worldwide billions of dollars worth of downtime, lost
> opportunities, and skilled man-hours.
>
> But there is something about this incident that deserves special
> attention. This most recent security hole was *not* a bug -- it was a
> deliberate back door inserted by Microsoft engineers.
>
> When Microsoft spokespeople said that the back door was "absolutely
> against our policy," they were doubtless intending to be reassuring.
> But on second thought, that statement should strike fear into the
> heart of any MIS manager relying on Microsoft products. Because the
> inevitable next question is this: if backdoors can find their way into
> Microsoft's production releases against Microsoft's own policy, *how
> many more undiscovered ones are there*?
>
> Microsoft doesn't know. Nor does anyone else. The only people who
> could tell us are other rogue Microsoft employees like the unnamed
> culprits behind today's backdoor. And they aren't talking.
>
> Back doors and security bugs, like cockroaches, flee the sunlight.
> There is only one way for software consumers to have reasonable
> assurance that they will not become victims of a back door -- open
> source code. The Apache web server that IIS competes against has never
> had a back door, because its code is routinely reviewed and inspected
> by a worldwide developer community alert to the possibility. Any
> developer tempted to insert one knows that it would be discovered and
> traced to him in short order -- thus, it's never even been tried.
>
> This illustrates a larger point. When you use closed source for a
> security-critical application, you must blindly trust *everyone* in
> the chain of transmission -- the developers who wrote it, the company
> that marketed it, and the people who made and shipped the physical
> media. Bad actors or simple mistakes at *any* of these stages can
> leave you with a computer begging to be owned by the first script kiddie
> who wanders along.
>
> With open source, you have a check on the system. You can see inside;
> you know what's going on. This changes the behavior of everyone
> upstream of you; the higher probability that a bug or backdoor will be
> exposed keeps them honest even *before* the code is reviewed. If
> Microsoft's IIS had been open, whoever was responsible for today's
> back door would never have dared to insert it.
>
> The few MIS managers who aren't already evaluating open-source
> software need to wake up and smell the coffee. Today's backdoor
> demonstrates that Microsoft can't control its own employees well
> enough to be trusted with your critical data. More fundamentally than
> that, though, it reveals how deeply foolish and dangerous it is to
> rely on closed-source software for any security-critical use.
>
> As the security advantages of open source become clearer, managers who
> persist in this mistake may find they are putting their own jobs at
> risk. And deserving to lose them...
>
> [1] <http://smallbusiness.yahoo.com/entrepreneur.html?s=smallbiz/articles/20010514/microsoft_ackno>
>
> [2] <http://www.eeye.com/html/Research/Advisories/AD20010501.html>
>
> (Re-distribute and publish freely.)
> --
> <a href="http://www.tuxedo.org/~esr/">Eric S. Raymond</a>
>
> "The bearing of arms is the essential medium through which the
> individual asserts both his social power and his participation in
> politics as a responsible moral being..."
> -- J.G.A. Pocock, describing the beliefs of the founders of the
> U.S.