Stories
Slash Boxes
Comments
NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

Perl and Backdoors

posted by pudge on 2000.04.15 20:32   Printer-friendly
In the midst of the hubbub over the Microsoft "backdoor" recently uncovered, ESR took the opportunity write to Slashdot about why this can't happen in Open Source software.
Apache has never had an exploit like this, and never will. Nor will Linux, or the BIND library, or Perl, or any of the other open-source core software of the global Internet. Open-source software, subject to constant peer review, evolves and gets more secure over time.

Is he right? Should we try to put a backdoor in Perl source to prove him wrong? :-)

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
 Full
 Abbreviated
 Hidden
More | Login | Reply
Loading... please wait.
  • Too late. (Score:1, Interesting)

    Well, it's not really a back door, but it is undocumented behavior that nobody seems to have noticed is possible. It reports an apparent attempt to subvert suidperl:

    if (PL_rsfp = PerlProc_popen("/bin/mail root","w")) { /* heh, heh */

    We should at least add a Configure variable for the actual location of the mail binary. :-)

  • By the way.... (Score:1, Interesting)

    .... Eric is, as usual, trying to set the terms of debate. And, I think, he's doing a very good job of it. He may get flamed by the geeks who think he's being simplistic, but just watch -- next time there's a trojan or back door, dozens of geeks will chime in with "Open Source would have made this impossible." :-)
  • Well, I'm not a huge ESR fan anyway but this article made such huge generalisations it was all rather fluffy and pointless.

    He appears to define 'Open Source' as 'famous Open Source software that everyone knows and loves and hasn't had any major security flaws recently'. One might point out just how long it took to fix some of sendmail's horrors.

    Open Source has not by definition been extensively reviewed, and I would guess that most Open Source software has been very narrowly reviewed. Sure the big famou
  • Aleph1's recent article on securityfocus.com http://www.securityfocus.co m/templates/article.html?id=19 [securityfocus.com] makes many of the same points as you do. As well, he makes the point that the people reading the source may not be knowledgable enough about security issues to properly audit the code. Why else would we keep seeing the same type of exploits being used over and over again (buffer overflows, symlinks, failure to drop privs, bad crypto)? The Dansie Shopping cart problem that recently came through BUG
  • I do wish Eric would stop with these sorts of nonsensical declarations. There's nothing inherent in Open Source that makes these back doors impossible, nor particularly obvious. Heck, Ilya could have a dozen back doors scattered in the regex code and nobody would notice. (And this is not counting buffer overrun possibilities as back doors) And someone with full repository access could do all sorts of damage.

    We're counting on the honor and integrity of the keepers of the source with the big OS projects jus