
ESR: How many backdoors are there in Microsoft webservers?

Author: JT Smith

– By Eric S. Raymond –

Today, Yahoo is carrying the news that Microsoft has admitted the existence of a back door in its IIS webserver that could affect hundreds of thousands of websites worldwide. This comes barely two weeks after the revelation that another, unrelated bug in IIS permitted crackers to gain root access to sites running IIS 5.0 and Windows 2000 — the latest, greatest versions of Microsoft’s flagship OS and web server.

Editor’s note: The Yahoo article apparently has been pulled because of questions about the accuracy of the story. Slashdot has an update to the story. Here’s the official word from Microsoft. ESR’s piece continues with some interesting points …

It’s not exactly news that Microsoft’s products are hideously
insecure; these really serious incidents are taking place against a
background that includes almost weekly announcements of some new macro
virus or attachment trojan propagated through Microsoft Outlook. One
might almost be tempted to yawn if these bugs weren’t annually costing
computer users worldwide billions of dollars worth of downtime, lost
opportunities, and skilled man-hours.

But there is something about this incident that deserves special
attention. This most recent security hole was *not* a bug — it was a
deliberate back door inserted by Microsoft engineers.

When Microsoft spokespeople said that the back door was “absolutely against our policy,” they were doubtless intending to be reassuring. But on second thought, that statement should strike fear into the heart of any MIS manager relying on Microsoft products. Because the inevitable next question is this: if backdoors can find their way into Microsoft’s production releases against Microsoft’s own policy, *how many more undiscovered ones are there*?

Microsoft doesn’t know. Nor does anyone else. The only people who
could tell us are other rogue Microsoft employees like the unnamed
culprits behind today’s backdoor. And they aren’t talking.

Back doors and security bugs, like cockroaches, flee the sunlight. There is only one way for software consumers to have reasonable assurance that they will not become victims of a back door — open source code. The Apache web server that IIS competes against has never had a back door, because its code is routinely reviewed and inspected by a worldwide developer community alert to the possibility. Any developer tempted to insert one knows that it would be discovered and traced to him in short order — thus, it’s never even been tried.

This illustrates a larger point. When you use closed source for a security-critical application, you must blindly trust *everyone* in the chain of transmission — the developers who wrote it, the company that marketed it, and the people who made and shipped the physical media. Bad actors or simple mistakes at *any* of these stages can leave you with a computer begging to be owned by the first script kiddie who wanders along.

With open source, you have a check on the system. You can see inside;
you know what’s going on. This changes the behavior of everyone
upstream of you; the higher probability that a bug or backdoor will be
exposed keeps them honest even *before* the code is reviewed. If
Microsoft’s IIS had been open, whoever was responsible for today’s
back door would never have dared to insert it.

The few MIS managers who aren’t already evaluating open-source
software need to wake up and smell the coffee. Today’s backdoor
demonstrates that Microsoft can’t control its own employees well
enough to be trusted with your critical data. More fundamentally than
that, though, it reveals how deeply foolish and dangerous it is to
rely on closed-source software for any security-critical use.

As the security advantages of open source become clearer, managers who
persist in this mistake may find they are putting their own jobs at
risk. And deserving to lose them …

Editor’s note: This was an email Raymond sent to several news organizations Monday afternoon.

Category:

  • Linux

Microsoft admits to backdoor in IIS

Author: JT Smith

Slashdot readers talk about a story at Yahoo.com saying that Microsoft has admitted that its engineers wrote a backdoor into a webserver product.

Category:

  • Linux

Nokia chooses Linux

Author: JT Smith

The BBC has more information on communications giant Nokia hosting an Open Source, open standards home entertainment box development project. Slashdotters also discuss the news, and here’s the press release.

Category:

  • Linux

Open Source code: A corporate building block

Author: JT Smith

Interactive Week has a story about how Open Source software is popping up at “more and more enterprises” even though some IT managers still have reservations.

Microsoft softens stance on USB 2.0

Author: JT Smith

ZDNet News UK: “In a softening of its earlier position, Microsoft has said it will
support the Universal Serial Bus (USB) 2.0 high-speed
connection technology in its next version of Windows — but
only in the form of add-on drivers.”

Category:

  • Protocols

New net traffic plan snarled

Author: JT Smith

From the Wall Street Journal (via ZDNet News): “You thought upgrading the operating system of a single PC was a chore.
Imagine the headaches involved in revamping millions of servers across
the globe so they can better route traffic over the Internet.

It is a problem that engineers, government researchers and entrepreneurs have
been grappling with for a decade. Many of those people will meet this week in Ottawa
to update efforts to coordinate the global move to the upgrade, dubbed Internet
Protocol version 6, or IPv6.”

Category:

  • Protocols

Nokia calls on Linux coders for set-top box apps

Author: JT Smith

“Nokia has reiterated that it is turning to the Linux community to ensure
that its Media Terminal set-top box, due to be launched later this year,
has plenty of applications from the word go.

In particular, it wants games developers to get coding for MT, based
around what Nokia is now calling its Open Source Terminal platform.” Full story at The Register.

Category:

  • Linux

Open Source market crisis means Linux sites crash?

Author: JT Smith

Paulo Henrique Caruso writes “Cédric Godart was the Linux Today French Version editor, which has recently announced its breakdown. The Belgian journalist talks about the polemic decision from internet.com in a special interview. Read this at OLinux.”

Category:

  • Linux

C# escaping Mundie gravity well?

Author: JT Smith

Freeb writes “According to this post on FoRK, Microsoft continues to move Anders Hejlsberg’s whizzy new C# language towards being an ECMA standard. The specs themselves are pretty huge, so it will take a while to chew through them, but creating an alternative implementation seems like an intriguing possibility (and a big job).”

Are VB developers jumping ship?

Author: JT Smith

joabj writes “ZD Net has a story on how Microsoft’s developer base for Visual Basic may be eroding. A March survey found that the use of VB slipped in the last year by almost 20 percent for programmers using multiple languages – from 62 to 46 percent. A quote from one programmer summed up why this may be so: ‘They have changed Visual Basic to make it more like C++, which begs the question: Why don’t we just use C++ or Delphi? Or Java?’”

Category:

  • Linux