First, the Interbase code has only been out for about six months. Second, Borland didn't tell
anyone. The problem was found by a member of the Firebird community. Third, it was found by reading the source.
Heartening.
No, the senior developer currently on the project
was present when the back door was implemented,
and used the back door during development of
the most recent version (V6). He just didn't think about the implications.
I don't think you understand the nature of the
"patch". The program is an image zapper that
replaces the compiled-in account/password with
randomized strings. The problem with that
technique is that a counterfeit zapper could
replace the known back door with an unknown
backdoor.
The most effective way to prevent counterfeit
zappers is to insist that people download
their own zappers.
There is a very good fix at
http://firebird.ibphoenix.com
The fix is an image zapper that finds and
replaces the account, password, and the
doomsday function with randomized byte
strings. It's available for almost
all platforms and works for all versions
of Interbase, except for the latest
Firebird, which doesn't have the problem.
The zapper, named ibsecure, is also ready
to zap the anticipated new backdoor in
Borland's latest release. Oh, maybe they
did do a professional job this time? But
since they're not talking, who knows?
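
The image-zapper technique described in the comment above, as an added Python example (not ibsecure's code and not from the original comments). The account and password strings are constructed placeholders, since the page does not give the real ones, and the function names are hypothetical.

```python
import secrets
import string

# Constructed stand-ins: the page does not give the real compiled-in strings.
ACCOUNT = b"EXAMPLE_ACCT"
PASSWORD = b"example_pw"
_ALPHABET = (string.ascii_letters + string.digits).encode()


def _random_like(needle: bytes) -> bytes:
    """Random alphanumeric bytes, same length as needle and never equal to it."""
    while True:
        candidate = bytes(secrets.choice(_ALPHABET) for _ in needle)
        if candidate != needle:
            return candidate


def zap(image: bytes, needles: list[bytes]) -> tuple[bytes, list[tuple[int, int]]]:
    """Overwrite every occurrence of each needle; return (patched, [(offset, length)])."""
    patched = bytearray(image)
    ranges = []
    for needle in needles:
        if not needle:  # an empty pattern would match everywhere
            continue
        offset = image.find(needle)
        while offset != -1:
            # Same-length overwrite keeps the file size and all other offsets intact.
            patched[offset:offset + len(needle)] = _random_like(needle)
            ranges.append((offset, len(needle)))
            offset = image.find(needle, offset + len(needle))
    return bytes(patched), sorted(ranges)


def residual(image: bytes, needles: list[bytes]) -> list[bytes]:
    """Needles still present in an image (an empty list means none are left)."""
    return [n for n in needles if n in image]


def changed_outside(original: bytes, patched: bytes, ranges) -> list[int]:
    """Offsets that differ outside the reported ranges; any hit means extra edits."""
    if len(original) != len(patched):
        return [min(len(original), len(patched))]
    allowed = {i for off, length in ranges for i in range(off, off + length)}
    return [i for i, (a, b) in enumerate(zip(original, patched))
            if a != b and i not in allowed]


# Constructed sample image: header bytes, the two strings, trailing code bytes.
SAMPLE = b"\x7fELF" + b"\x90" * 16 + ACCOUNT + b"\x00" + PASSWORD + b"\x00" + b"\xc3" * 8
```

`changed_outside` only confirms that nothing beyond the reported ranges was touched; it cannot show that the replacement bytes inside those ranges are random rather than chosen by whoever built the zapper.
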
Actually, they didn't forget about it. One of
the developers used it to implement a feature
in version 6, the current version.
The original solution by the selfsame developers
(sent to the world when they forgot to purge their
internal CVS notification list) was to change the
backdoor account and password and just not tell
anyone (they apparently aren't aware that an
image can be dumped in ASCII).
Now they claim a different fix. But this time
they're not telling anyone (me, you, the users
or even CERT) how they closed the back door.