SAN MATEO (05/08/2000) - Microsoft Corp. fans spoke up last week regarding my recent column on back-door passwords in Microsoft software. The letters all pointed to an exposé of a potential back door in Red Hat Inc. Linux 6.2 and (ostensibly in the spirit of the Microsoft hidden message, "Netscape engineers are weenies") were usually accompanied by an argument that could be summed up as, "Nyah, nyah!" Because many letters were from anonymous MSN and Hotmail accounts, I'd like to address the authors here.
I'm afraid I have to admit defeat and offer the Microsoft fans an apology. When you look closely at the two reported incidents, you can see that open-source software is clearly as dangerous as closed source. In fact, Microsoft clearly comes out on top.
To begin with, Red Hat's Web cluster software called Piranha, the product with the alleged back door, is a Version 0.4.12 product. In other words, the developers are unashamedly communicating the fact that this product is less than half finished. In contrast, the alleged Microsoft back door was found in Windows NT 4.0's Internet Information Server with FrontPage 98 extensions.
Now on the surface, this looks bad for Microsoft. But it is common knowledge that Microsoft doesn't get any product right until its third release. This means the third release of Windows NT should actually be considered Version 1.0. Windows 2000 is the third release of Windows NT (the first release was Windows NT 3.1, the second was Windows NT 4.0). So if Windows 2000 is really Windows NT 1.0, that makes Windows NT 4.0 -- the version that contained the alleged back door -- a 0.66 product (0.666 if you are a conspiracy theorist).
We're actually talking about Version 0.4.12 on the Red Hat side and Version 0.66 on the Microsoft side.
With an arbitrary margin of error of 0.25, that makes the two versions roughly equivalent. So we'll call it even on this account.
Now as to timeliness: The problem with Red Hat's Piranha was discovered and corrected almost immediately after the product was released. Microsoft also claimed to isolate and fix the problem quickly. According to Cnet, a Microsoft spokeswoman said, "After a pretty thorough evaluation, it was clear that it was a security issue with FrontPage 98 and FrontPage 98 extensions, and we figured out at the same time there was a very simple fix: removing the single file [dvwssr.dll]." After another pretty thorough examination, Microsoft said there was never a back-door problem to begin with.
Because it is closed source code, we have no way to verify which examination yielded the correct results. Assuming the worst, the back door in NT 4.0 was present for four years before a work-around was announced.
Again, this looks bad for Microsoft. But consider that Microsoft still hasn't shipped the product code-named "Cairo," which it originally promised to deliver as Windows NT 4.0. One could argue that this means Microsoft still hasn't delivered Windows NT 4.0.
Therefore, the Microsoft work-around was released before the product ever shipped! The victory clearly goes to Microsoft.
Finally, Linux fanatics argue that the problem with Piranha isn't even a back door; it's a bug. But as you'll see, the distinction is a subtle one, and I think I can prove otherwise.
Here's how the problem surfaces. The default password for the administrator account for Piranha is supposed to be blank. You are expected to assign a new password the first time you log in. Unfortunately, Red Hat shipped Piranha with the administrator password set to "q." Because it was (allegedly) an accident, the documentation doesn't tell you that the default password is "q." Instead it simply locks you out of the system. The only way to log in to administer your Piranha system is to discover the secret password or delete the unknown password and assign a new one. In other words, the first thing you have to do to make Piranha useful is to eliminate the so-called back door.
Linux users would have us believe that all this evidence points to a hastily packaged version of a prerelease product rather than a calculated attempt to provide a back door into the system. But after a pretty thorough examination, I have a bulletproof argument that Red Hat maliciously planted a back door in Piranha: Linux engineers are weenies!
Do you think Nicholas Petreley is a weenie? Let him know at firstname.lastname@example.org.