Eric S. Raymond: Designed for Insecurity -- reprisedApr 16, 2000, 23:51 (8 Talkback[s])
(Other stories by Eric S. Raymond)
The status of the "back door" I discussed in "Microsoft: Designed For Insecurity" is now uncertain. Since the problem was reported on 14 April by BugTraq and the Wall Street Journal, one of the people involved in discovering it has retracted his report. There is now dispute over whether this problem was due to a genuine back door or a server misconfiguration.
The general point of "Designed For Insecurity", though, is independent of this particular incident. As if to illustrate this, there is yet another back door report from 13 April that may affect hundreds of e-commerce sites. See
The key quote in this story is this one from Kasey Johns, webmaster of one of the affected sites:
"I want the right to look at the code, make modifications, and not be locked into whatever ghosts the author has hiding in there," said Johns.
The security and trust problems that come with that kind of lock-in are the real point here, not the details of any particular exploit or the name of the vendor attached to it.
The bottom line is very simple: Closed source can't be trusted, because you can't see what it's doing.
Of all tyrannies, a tyranny exercised for the good of its
victims may be the most oppressive. It may be better to live under
robber barons than under omnipotent moral busybodies. The robber
baron's cruelty may sometimes sleep, his cupidity may at some point
be satiated; but those who torment us for our own good will torment
us without end, for they do so with the approval of their