RedHat Linux security problem uncovered.
April 24, 2000 9:38 PM   Subscribe

First of all "backdoor password"--the paranoid's choice of words, perhaps--or no, a very real security hole was found (along with a sophomoric insult)--there's nothing "patently false" in that--and even Microsoft has publicly owned up to that fact, promising that heads will roll.

Second of all, security problems like the one you mentioned do make a stir in the Linux community, such as it is. I'd suggest you concentrate on spitting any bile you've got at what you perceive to be a "biased" press.

Third, nobody has to be "eager to deride" Microsoft when both the behavior of its employees and representatives--as well as its products and the claims it makes for those products--consistently position the company as an easy target for skeptical debunking to begin with. They proved that in court--though of course its useless saying so to the faithful who persist in believing all the spin about Microsoft "innovation."
The NT "backdoor password" (or whatever you want to call it) "Netscape programers are weenies" spelled backwards allowing unauthorized access to supposedly secure files is not merely remarkable--and in my view at least it does deserve more than cursory press coverage for that alone--it's also typical of the ridiculous sideshow antics the public has come to expect from Microsoft from long and repeated experience. (Oh Linux has its sideshows too--but while there may be Linux games where you squash Bill Gates to a pulp to score, to my knowledge nobody's ever managed to hack into a secure server via one of these.)
posted by mrpalomar at 3:20 AM on April 25, 2000

/. has a blurb about it. It's actually kind of sickening. These are my people talking like this, wow. Oh well, I guess that there are going to be a lot more of these as the redhat/linux user base continues to grow.

I've always said Microsoft's security issues were not as much shabby software production as much as wide usage. Any time you have literally millions of people using the stuff, you will have at least thousands chiping away trying to break it. At that rate, something is bound to turn up.

As for hacking into a secure server with one of these. Check out attrition.org and look at the archive of website defacements, many of them are not only secure, but are gov't FBI/NSA type servers running NT/IIS... it's backdoors like this that let people get in.
posted by Dean_Paxton at 6:27 AM on April 25, 2000

Ok, sure... try to recode some piece of MS software to fix a security hole, what's that? You can't do it? Need the source code hmmm? Try to fix a security hole in a piece of open source software... ahhh, there's the source!
posted by raster at 6:41 AM on April 25, 2000

The observation "with enough eyeballs, all bugs are shallow" applies to distributions and packages, just as much as it does to programs.

The real question here is this: compare the responses and response times of the two vendors, as well as the ability of the people operating the code to fix the problems themselves without losing the functionality in question.

No doubt, there are attitudinal differences in the reactions to the problems at hand... but these do not affect the fact that there are *material* differences in the situations.
posted by baylink at 7:44 AM on April 25, 2000

The funny thing is, is that this is just one of many holes that are discovered in the RedHat Linux system over the course of a release. At least weekly there is another program or daemon that needs to be patched due to exploits or bugs found within it.

I had an old Linux box cracked into when someone expoited a buggy daemon BEFORE I got the email from Redhat telling me there was a problem with it and that I needed to upgrade.

For an example, here's the list of all the software updates/bug fixes that I should upgrade toin order to keep my Linux server free from trouble:
posted by misterioso at 7:52 AM on April 25, 2000

The Microsoft "back door" was originally acknowledged, but on further analysis they determined that it wasn't really there and retracted the "admission". The system which had been tested had its permissions set wrong; it turns out that any password would have worked to let the testers in. If their permissions had been set correctly, no password would have worked.

There is a security hole in the DLL in question, but it turns out to be a potential one caused by a buffer overflow, not by a built-in password.

The "Netscape engineers are weenies" phrase was not actually a password. Rather, they were using it as a bit pattern to scramble some data by XORing prior to transmission over the net.

posted by Steven Den Beste at 8:16 AM on April 25, 2000

Yep, Mr Palomar, I suggest you check out the archives of NTBugTraq -- there was no backdoor password. What has been acknowledged after the fact is that there is a buffer overflow in the DLL, but no security risk at all. And Steven Den Beste is correct about the "Netscape engineers are weenies" phrase -- it's just a fixed cryptographic key, not a password. People: stop claiming, and spreading, that there was a backdoor. There wasn't.
I'm happy to contrast the responses of the two vendors -- they both fixed the problems, quickly.
In the case of RedHat, they released a new RPM of the package; in the case of Microsoft, they recommended deleting the file, since it has no current-day function. (Microsoft's two security bulletins are here and here.)
posted by delfuego at 9:10 AM on April 25, 2000

Ok, Del; yes, MS admitted to *this problem* quickly, but the record shows that, in general, this is not their characteristic behavior.

RH have had their problems in the past as well, and no one's denying *that* either -- or at least, *I'm* not.

But the point I was trying to make is *this*: It doesn't matter whether RedHat admitted to the problem and shipped a fix. If I'm running RH, and I care about the problem, I am not at their mercy: I can fix it myself.

With the Microsoft "operating system", I can't.

And that is all the point has ever been.
posted by baylink at 9:19 AM on April 25, 2000

As to the open-vs.-closed source thing, we're not going to convert each other; where you prefer to be able to grab the source and code your own fixes, I (someone who it not comfortable writing lots of kinds of code) prefer to leave that to a company with the resources to regression test fixes, employees who know a hell of a lot more about coding and security than I do, and system whereby a standard solution is implemented, so I know that any system with the fix applied is fixed the exact same way.

But I am sick to death of the oft-stated belief that Microsoft's record shows some lack of commitment. You're dredging up history here (relatively ancient, I might add, as Internet time goes) -- Microsoft has been pretty damn great about fixing security holes in recent years, releasing a fix within hours to days of a report of a problem. Peruse the NTBugTraq archive for this -- a bug is usually reported, and within 24-48 hours, you have a MS Security Bulletin.
posted by delfuego at 10:10 AM on April 25, 2000

While it's true in some vague theoretical way that with open source you can "fix the problem yourself", I note that you actually did not do so, but rather waited for Red Hat to issue the fix.

That's because the learning curve necessary to reach the point where you could actually fix the problem is so steep that by the time you got to that point, the vendor would probably have gotten a fix out for you already.

The argument that with open source you can fix your own bugs is more impressive than true; in actuality it isn't practical for you to do so even if you do have the source, in most cases.
posted by Steven Den Beste at 10:19 AM on April 25, 2000

The advantage of open source software isn't that anybody can find and fix their own bugs. Obviously the vast majority of users are unable and unwilling to do so, with good reason. I drive a car every day, but I'm not able to spot design flaws and correct them when I get home every evening.

The advantage is that open source software enables peer review at a level that is impossible with closed source software. The point is that interested parties are able to comb through the Linux kernel for security flaws, or find performance bottlenecks in Apache.

The overriding theory was stated above, "Given enough eyes, all bugs are shallow." That doesn't mean that every eye must look for bugs, or that you must fix the bugs yourself.

As far as media coverage goes, I think that the Red Hat hole has been pretty widely publicized, at least in the places I usually go to look for news about what's going on.

I'll also chime in to say that Microsoft has been very good about responding to exploits recently. The open source community has set a very high standard in this area, and the commercial software vendors have done a good job of catching up with the open source people in this regard.

Once full disclosure public mailing lists (like Bugtraq and NT Bugtraq) became popular and the open source guys got really good at issuing patches immediately after exploits were publicized, it was necessary for Microsoft, Sun, and others to decrease their response time. They did so.
posted by rafeco at 10:43 AM on April 25, 2000

Microsoft usually releases bug fixes pretty quickly. But it is true, the people at Slashdot spoke of the problem, but only after it had been fixed, and even then they found a plus side. "hooray for open source!"
That's why I don't go to slashdot anymore
posted by starduck at 3:40 PM on April 25, 2000

delfuego: Ok. I stand corrected, at least partially--the underlying software problem wasn't exactly as I described it--or as much of the media has reported it. But I'll stick to my ground insofar as the "weenies" business goes--that being why this particular bug with which it was associated deserved to get such widespread press attention.

What's more, as someone pointed out, Microsoft gets dissed for technical screw-ups (in general, not just with NT or any of its OSs) more often than Linux (whatever distrib) or Open Source software for the obvious reason that it's got the biggest share of the PC market. You may be sick and tired of it, but how can you expect otherwise? Maybe it's out-of-proportion with reality--and yes I do realize Microsoft actually has a pretty good track-record re responding to bugs like this one--but my own experience is that it isn't at all.

Steve DB does bring up a very valid counterargument re the praise for Open Source response-time for bug-fixes etc. being misconceived.
posted by mrpalomar at 7:21 PM on April 25, 2000

Mr Palomar (cool name, btw: also a Calvino fan?) is right: Microsoft's bugs get attention because they affect more people. Put Microsoft in the headline and Joe Sixpack reads the story; put Linux in the headline and only geeks and maybe some business peopl will read it.
posted by dhartung at 9:14 AM on April 26, 2000

Exactly.

Anyway, re Calvino: Yes.
posted by mrpalomar at 5:01 AM on April 27, 2000