Eric S. Raymond: Designed for Insecurity — reprised

The status of the “back door” I discussed in “Microsoft:
Designed For Insecurity” is now uncertain. Since the problem was
reported on 14 April by BugTraq and the Wall Street Journal, one of
the people involved in discovering it has retracted his report.
There is now dispute over whether this problem was due to a genuine
back door or a server misconfiguration.

The general point of “Designed For Insecurity”, though, is
independent of this particular incident. As if to illustrate this,
there is yet another back door report from 13 April that may affect
hundreds of e-commerce sites. See


The key quote in this story is this one from Kasey Johns,
webmaster of one of the affected sites:

“I want the right to look at the code, make modifications, and
not be locked into whatever ghosts the author has hiding in there,”
said Johns.

The security and trust problems that come with that kind of
lock-in are the real point here, not the details of any particular
exploit or the name of the vendor attached to it.

The bottom line is very simple: Closed source can’t be trusted,
because you can’t see what it’s doing.

Eric S. Raymond

Of all tyrannies, a tyranny exercised for the good of its
victims may be the most oppressive. It may be better to live under
robber barons than under omnipotent moral busybodies. The robber
baron’s cruelty may sometimes sleep, his cupidity may at some point
be satiated; but those who torment us for our own good will torment
us without end, for they do so with the approval of their
— C. S. Lewis