Following Up "Beware the Microsoft Shell Game!"
May 3rd, 2001 by Eric S. Raymond in
What this means is that unless a knowledgeable sysadmin has taken explicit action to prevent it, any 15-year-old who can copy code off the Internet, can use Microsoft's IIS to bypass your firewall, bypass your password system and gain administrator-level access to the machine that hosts your web server. They can inspect, alter or delete files at will, no matter how you have them secured. They can also use root-level access to that machine as a springboard for attacks on other systems inside your firewall.
A writeup on this latest in the apparently unending stream of gaping holes in Microsoft's security is at http://www.eeye.com/html/Research/Advisories/AD20010501.html.
This is about bad as it gets, folks. It's a big, nasty problem even by Microsoft's security-bug-of-the-month standards.
At Craig Mundie's anti-open-source sermonette in New York Thursday, I hope someone will have the temerity to ask him a few simple questions:
1. Should Microsoft's record on security inspire confidence in customers considering entrusting their digital identities to Microsoft's Hailstorm system and their critical business data to .NET?
2. Even the most cursory inspection of sites that specialize in tracking security bugs (such as CERT and BugTraq) suggests that open-source operating systems such as Linux and the BSDs have a far better security record than Microsoft Windows, both in having fewer vulnerabilities and in more rapid deployment of fixes. How does Microsoft propose to close the technology gap and catch up to the quality level of these systems?
3. How can potential operating-system customers with millions (perhaps billions) of dollars riding on the security of their computer systems form a rational estimate of their exposure if they cannot inspect the source code of those systems?
4. If the answer to question 3 is "You can see the source code if you're a big enough company to pay us for the privilege", then why should customers have to pay for the privilege of doing the job Microsoft's own QA teams so frequently bungle?
5. How would you respond to the following statement: "Any engineer or executive who, disregarding best practices, entrusts security-critical functions to closed-source software is committing an actionable breach of their responsibility to their employer?"
Eric Raymond can be contacted at Eric S. Raymond.
Special Magazine Offer -- Free Gift with Subscription
Receive a free digital copy of Linux Journal's System Administration Special Edition as well as instant online access to current and past issues. CLICK HERE for offer
Linux Journal: delivering readers the advice and inspiration they need to get the most out of their Linux systems since 1994.
Delicious
Digg
StumbleUpon
Reddit
Facebook
Post to TwitterSubscribe now!
The Latest
Newsletter
Tech Tip Videos
Recently Popular
From the Magazine
July 2009, #183
News Flash: Linux Kernel 3.0 to include an on-the-go Expresso machine interface! Ok, maybe not, but Linux is definitely going mobile, from phones to e-readers. Find out more inside about Android, the Kindle 2, the Western Digital MyBook II, The Bug, and Indamixx (a portable recording studio). And if you've gone mobile and you been wanting more Emacs in your life then check out Conkeror.
To compliment the mobile we've got the stationary: parsing command line options with getopt, checking your Ruby code with metric_fu, and building a secure Squid proxy. How is this stationary you ask? What can we say? It's not. We just wanted to see if anybody actually read this part of the page :) .
All this and more, and all you have to do is get your hot sweaty hands on the latest copy of Linux Journal.
Post new comment