Linux Today: Linux News On Internet Time.

Eric S. Raymond: Reliance on closed source for security considered harmful

May 15, 2001, 18:45 (40 Talkback[s])
(Other stories by Eric S. Raymond)

From: Eric S. Raymond
Subject: Reliance on closed source for security considered harmful
Date: 14 May 2001 17:43:21 -0400

Today, Yahoo is carrying the news that Microsoft has admitted the existence of a back door in its IIS webserver that could affect hundreds of thousands of websites worldwide [1]. This comes barely two weeks after the revelation [2] that another, unrelated bug in IIS permitted crackers to gain root access to sites running IIS 5.0 and Windows 2000 -- the latest, greatest versions of Microsoft's flagship OS and web server.

It's not exactly news that Microsoft's products are hideously insecure; these really serious incidents are taking place against a background that includes almost weekly announcements of some new macro virus or attachment trojan propagated through Microsoft Outlook. One might almost be tempted to yawn if these bugs weren't annually costing computer users worldwide billions of dollars worth of downtime, lost opportunities, and skilled man-hours.

But there is something about this incident that deserves special attention. This most recent security hole was *not* a bug -- it was a deliberate back door inserted by Microsoft engineers.

When Microsoft spokespeople said that the back door was "absolutely against our policy," they were doubtless intending to be reassuring. But on second thought, that statement should strike fear into the heart of any MIS manager relying on Microsoft products. Because the inevitable next question is this: if backdoors can find their way into Microsoft's production releases against Microsoft's own policy, *how many more undiscovered ones are there*?

Microsoft doesn't know. Nor does anyone else. The only people who could tell us are other rogue Microsoft employees like the unnamed culprits behind today's backdoor. And they aren't talking.

Back doors and security bugs, like cockroaches, flee the sunlight. There is only one way for software consumers to have reasonable assurance that they will not become victims of a back door -- open source code. The Apache web server that IIS competes against has never had a back door, because its code is routinely reviewed and inspected by a worldwide developer community alert to the possibility. Any developer tempted to insert one knows that it would be discovered and traced to him in short other -- thus, it's never even been tried.

Ths illustrates a larger point. When you use closed source for a security- critical application, you must blindly trust *everyone* in the chain of transmission -- the developers who wrote it, the company that marketed it, and the people who made and shipped the physical media. Bad actors or simple mistakes at *any* of these stages can leave you with a computer begging to be owned by the first script kiddie who wanders along.

With open source, you have a check on the system. You can see inside; you know what's going on. This changes the behavior of everyone upstream of you; the higher probability that a bug or backdoor will be exposed keeps them honest even *before* the code is reviewed. If Microsoft's IIS had been open, whoever was responsible for todaty's back door would never have dared to insert it.

The few MIS managers who aren't alreedy evaluating open-source software need to wake up and smell the coffee. Today's backdoor demonstrates that Microsoft can't control its own employees well enough to be trusted with your critical data. More fundamentally than that, though, it reveals how deeply foolish and dangerous it is to rely on closed-source software for any security-critical use.

As the security advantages of open source become clearer, managers who persist in this mistake may find they are putting their own jobs at risk. And deserving to lose them...

[1] <<a href="http://smallbusiness.yahoo.com/entrepreneur.html?s=smallbiz/articles/20010514/microsoft_ackno">http://smallbusiness.yahoo.com/entrepreneur.html?s=smallbiz/articles/20010514/microsoft_ackno>

[2] <<a href="http://www.eeye.com/html/Research/Advisories/AD20010501.html">http://www.eeye.com/html/Research/Advisories/AD20010501.html>

(Re-distribute and publish freely.)

                Eric S. Raymond

"The bearing of arms is the essential medium through which the
individual asserts both his social power and his participation in
politics as a responsible moral being..."
        -- J.G.A. Pocock, describing the beliefs of the founders of the U.S.

Related Stories: