From: Eric S. Raymond
Subject: Reliance on closed source for security considered
Date: 14 May 2001 17:43:21 -0400
Today, Yahoo is carrying the news that Microsoft has admitted
the existence of a back door in its IIS webserver that could affect
hundreds of thousands of websites worldwide. This comes barely
two weeks after the revelation that another, unrelated bug in
IIS permitted crackers to gain root access to sites running IIS 5.0
and Windows 2000 -- the latest, greatest versions of Microsoft's
flagship OS and web server.
It's not exactly news that Microsoft's products are hideously
insecure; these really serious incidents are taking place against a
background that includes almost weekly announcements of some new
macro virus or attachment trojan propagated through Microsoft
Outlook. One might almost be tempted to yawn if these bugs weren't
annually costing computer users worldwide billions of dollars worth
of downtime, lost opportunities, and skilled man-hours.
But there is something about this incident that deserves special
attention. This most recent security hole was *not* a bug -- it was
a deliberate back door inserted by Microsoft engineers.
When Microsoft spokespeople said that the back door was
"absolutely against our policy," they were doubtless intending to
be reassuring. But on second thought, that statement should strike
fear into the heart of any MIS manager relying on Microsoft
products. Because the inevitable next question is this: if
backdoors can find their way into Microsoft's production releases
against Microsoft's own policy, *how many more undiscovered ones
Microsoft doesn't know. Nor does anyone else. The only people
who could tell us are other rogue Microsoft employees like the
unnamed culprits behind today's backdoor. And they aren't
Back doors and security bugs, like cockroaches, flee the
sunlight. There is only one way for software consumers to have
reasonable assurance that they will not become victims of a back
door -- open source code. The Apache web server that IIS competes
against has never had a back door, because its code is routinely
reviewed and inspected by a worldwide developer community alert to
the possibility. Any developer tempted to insert one knows that it
would be discovered and traced to him in short order -- thus, it's
never even been tried.
This illustrates a larger point. When you use closed source for a
security-critical application, you must blindly trust *everyone*
in the chain of transmission -- the developers who wrote it, the
company that marketed it, and the people who made and shipped the
physical media. Bad actors or simple mistakes at *any* of these
stages can leave you with a computer begging to be owned by the
first script kiddie who wanders along.
With open source, you have a check on the system. You can see
inside; you know what's going on. This changes the behavior of
everyone upstream of you; the higher probability that a bug or
backdoor will be exposed keeps them honest even *before* the code
is reviewed. If Microsoft's IIS had been open, whoever was
responsible for today's back door would never have dared to insert
The few MIS managers who aren't already evaluating open-source
software need to wake up and smell the coffee. Today's backdoor
demonstrates that Microsoft can't control its own employees well
enough to be trusted with your critical data. More fundamentally
than that, though, it reveals how deeply foolish and dangerous it
is to rely on closed-source software for any security-critical
As the security advantages of open source become clearer,
managers who persist in this mistake may find they are putting
their own jobs at risk. And deserving to lose them...
Eric S. Raymond
"The bearing of arms is the essential medium through which the
individual asserts both his social power and his participation in
politics as a responsible moral being..."
-- J.G.A. Pocock, describing the beliefs of the founders of the U.S.