
Torvalds asks for moratorium on new device number assignments

Author: JT Smith

Posted at LWN.net: “Linus Torvalds has requested a moratorium on new device number
assignments. His hope is that a new and better method for device space
handling will emerge as a result.

Alan Cox has requested that I maintain a forked registry for his -ac
kernel patch tree. I have agreed to do so once I have forked off the
‘final’ version of the registry for Linus’ tree. At that time I will
process the backlog for the benefit of the -ac registry only. Please
have patience until I can get that to happen.”

Category:

  • Linux

New FileMaker Software now runs on Linux

Author: JT Smith

From PR Newswire:

To meet the needs of changing
and more mobile workgroups, today FileMaker announced a new line of database
software to run on five more platforms: Mac OS X, Windows 2000, Linux,
Pocket PC and i-mode. Supporting more platforms — plus improved fit with IT
requirements and rich new Web publishing features — gives workgroups the
flexible, instant data management they demand, FileMaker said.

A letter to operating system designers

Author: JT Smith

From LinuxNewbie.org: “Linux, Microsoft, Apple! It’s so confusing! Which operating system is best? I’m
here to tell you, as briefly as possible, that it doesn’t matter. First of all, the
majority of users are like me; they see their operating system for no more than
three seconds, before launching their favorite application. Second, we know you
all want money, even the Linux companies. Also, we know you’re in bed with the
hardware companies.”

Category:

  • Linux

Nemein implements Midgard 2

Author: JT Smith

From LinuxPR: Nemein Solutions has created the first commercial
implementation in the world that uses Midgard 2 in its structure.

Midgard 2 is the next generation version of the Midgard content management
engine. Midgard 2 has been designed from the ground up as a flexible general
purpose application server.

The other Slashdot effect

Author: JT Smith

osOpinion has a column about the number of “SlashClones” popping up on the Internet, and how some of this is a good thing, as long as they don’t rip off the original Slashdot too closely. “Slashdot has changed the nature of the conversation on the Internet. This is the other Slashdot effect. Just ask any Anonymous Coward.” (Slashdot and NewsForge are owned by the same company.)

Covalent Technologies named to Upside Magazine’s ‘hot list’

Author: JT Smith

From BusinessWire: Covalent Technologies has been named as a recipient of one of UPSIDE Magazine’s sixth annual Hot 100 Awards. This award adds to Covalent’s
growing momentum over the last six months, which has included multiple Fortune 500 customer wins, significant new funding led by Sequoia Capital,
and the release of a comprehensive enterprise product suite for the Apache Web server.

Lawyers find profit in dot-com stock disasters

Author: JT Smith

EcommerceTimes has a story about the 89 class-action lawsuits involving securities fraud filed in federal court so far this year, many against tech companies and their IPO underwriters. VA Linux is prominent in the story. (VA owns NewsForge.)

Category:

  • Open Source

ATTC announces Open Source presentation May 15

Author: JT Smith

From LinuxPR: The Applied Technology Training Center and Puget Sound Technology are
offering a short presentation about BSD, Linux, and open source software on
May 15 in Everett, Wash.

Everett Community College’s Applied Technology Training Center and Puget
Sound Technology are offering a short presentation about BSD, Linux, and open
source software on Tuesday, May 15, from 6:30 to 7:30 p.m., at the Applied
Technology Training Center in Everett, Wash.

ESR: How many backdoors are there in Microsoft webservers?

Author: JT Smith

– By Eric S. Raymond –

Today, Yahoo is carrying the news that Microsoft has admitted the
existence of a back door in its IIS webserver that could affect
hundreds of thousands of websites worldwide. This comes barely
two weeks after the revelation that another, unrelated bug in IIS
permitted crackers to gain root access to sites running IIS 5.0 and
Windows 2000 — the latest, greatest versions of Microsoft’s flagship
OS and web server.

Editor’s note: The Yahoo article apparently has been pulled because of questions about the accuracy of the story. Slashdot has an update to the story. Here’s the official word from Microsoft. ESR’s piece continues with some interesting points …

It’s not exactly news that Microsoft’s products are hideously
insecure; these really serious incidents are taking place against a
background that includes almost weekly announcements of some new macro
virus or attachment trojan propagated through Microsoft Outlook. One
might almost be tempted to yawn if these bugs weren’t annually costing
computer users worldwide billions of dollars worth of downtime, lost
opportunities, and skilled man-hours.

But there is something about this incident that deserves special
attention. This most recent security hole was *not* a bug — it was a
deliberate back door inserted by Microsoft engineers.

When Microsoft spokespeople said that the back door was “absolutely
against our policy,” they were doubtless intending to be reassuring.
But on second thought, that statement should strike fear into the
heart of any MIS manager relying on Microsoft products. Because the
inevitable next question is this: if backdoors can find their way into
Microsoft’s production releases against Microsoft’s own policy, *how
many more undiscovered ones are there*?

Microsoft doesn’t know. Nor does anyone else. The only people who
could tell us are other rogue Microsoft employees like the unnamed
culprits behind today’s backdoor. And they aren’t talking.

Back doors and security bugs, like cockroaches, flee the sunlight.
There is only one way for software consumers to have reasonable
assurance that they will not become victims of a back door — open
source code. The Apache web server that IIS competes against has never
had a back door, because its code is routinely reviewed and inspected
by a worldwide developer community alert to the possibility. Any
developer tempted to insert one knows that it would be discovered and
traced to him in short order — thus, it’s never even been tried.

This illustrates a larger point. When you use closed source for a
security-critical application, you must blindly trust *everyone* in
the chain of transmission — the developers who wrote it, the company
that marketed it, and the people who made and shipped the physical
media. Bad actors or simple mistakes at *any* of these stages can
leave you with a computer begging to be owned by the first script
kiddie who wanders along.

With open source, you have a check on the system. You can see inside;
you know what’s going on. This changes the behavior of everyone
upstream of you; the higher probability that a bug or backdoor will be
exposed keeps them honest even *before* the code is reviewed. If
Microsoft’s IIS had been open, whoever was responsible for today’s
back door would never have dared to insert it.

The few MIS managers who aren’t already evaluating open-source
software need to wake up and smell the coffee. Today’s backdoor
demonstrates that Microsoft can’t control its own employees well
enough to be trusted with your critical data. More fundamentally than
that, though, it reveals how deeply foolish and dangerous it is to
rely on closed-source software for any security-critical use.

As the security advantages of open source become clearer, managers who
persist in this mistake may find they are putting their own jobs at
risk. And deserving to lose them …

Editor’s note: This was an email Raymond sent to several news organizations Monday afternoon.

Category:

  • Linux

Microsoft admits to backdoor in IIS

Author: JT Smith

Slashdot readers talk about a story at Yahoo.com saying that Microsoft has admitted that its engineers wrote a backdoor into a webserver product.

Category:

  • Linux