Linux Today: Linux News On Internet Time.

Eric S. Raymond: Designed for Insecurity -- reprised

Apr 16, 2000, 23:51

The status of the "back door" I discussed in "Microsoft: Designed For Insecurity" is now uncertain. Since the problem was reported on 14 April by BugTraq and the Wall Street Journal, one of the people involved in discovering it has retracted his report. There is now dispute over whether this problem was due to a genuine back door or a server misconfiguration.

The general point of "Designed For Insecurity", though, is independent of this particular incident. As if to illustrate this, there is yet another back door report from 13 April that may affect hundreds of e-commerce sites. See


The key quote in this story is this one from Kasey Johns, webmaster of one of the affected sites:

"I want the right to look at the code, make modifications, and not be locked into whatever ghosts the author has hiding in there," said Johns.

The security and trust problems that come with that kind of lock-in are the real point here, not the details of any particular exploit or the name of the vendor attached to it.

The bottom line is very simple: Closed source can't be trusted, because you can't see what it's doing.

Eric S. Raymond

Of all tyrannies, a tyranny exercised for the good of its victims may be the most oppressive. It may be better to live under robber barons than under omnipotent moral busybodies. The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end, for they do so with the approval of their consciences.
-- C. S. Lewis
