When Groklaw spreads FUD, and PJ, knowing the truth, prefers the FUD version, should we be happy because all is permitted with Microsoft-bashing?
I am unhappy about a lying Groklaw, a dishonest PJ.
You may remember the time it was reported Microsoft admitted its programmers deliberately planted a secret password, along with the comment "Netscape engineers are weenies". They were fired, but it wasn't Microsoft that discovered the problem. It was finally discovered by two security experts three years after it had been planted. The Wall Street Journal's account of the incident said the file, called "dvwssr.dll'', was planted on Microsoft's Internet-server software with Frontpage 98 extensions. "A hacker may be able to gain access to key Web site management files, which could in turn provide a road map to such things as customer credit card numbers," The Journal reported. Later, there were clarifications issued that it was a cypher key, not a password, and they admitted to a bug, not a back door, which didn't make everyone feel better. Contrast that sorry tale (or others, such as this one involving Intel) with the above-mentioned failed attempt to insert a backdoor into the Linux kernel. Which methodology proved more secure? There is no need for theories when real-world events have already eloquently spoken.
Let us read this evil text. It occurs in a Linux-Microsoft comparison. The reasoning goes like: Look at Microsoft, they had a backdoor planted for years and nobody knew. Then look at Linux, people tried to plant a backdoor but it was discovered almost immediately.
But did the event referred to really happen? No, it did not. PJ avoids that problem by not claiming that it happened, but that it was reported. Yes. True. Withdrawn few days later, but it was reported. She conveniently quotes the Wall Street Journal's account, while very quickly afterwards it became clear that almost everything in that account was incorrect.
What does this mean for the Microsoft bashing above? It should read You may remember the time it was incorrectly reported that Microsoft programmers had planted a secret password. - Yes, we recall. Contrast that sorry tale ... - What sorry tale? The only sorry tale here is that of PJ being dishonest.
Could it not be ignorance rather than dishonesty? A reasonable question, we all like PJ. But when the inaccuracy was pointed out she did not remove the incorrect text but added a link that describes how this did not happen but could easily have happened in a closed source context. So the present situation is that she attacks closed source with lies and she knows it.
How disappointing. PJ started as a reliable paralegal who collected facts. Today she is a Linux advocate who prefers stories above facts as long as they reflect negatively on Microsoft.
This message caused a media storm. Panic everywhere. Slashdot 06:30AM refers to the Wall Street Journal, an article by Ted Bridis (but adds three hours later: Update: 04/14 09:02 by J: It's been a busy day for some programmers at Microsoft and elsewhere. The word as of 3:30 EDT, according to Russ Cooper, is that "there is NO VULNERABILITY IN DVWSSR.DLL.").
This Wall Street Journal article can still be found online, e.g. quoted by zdnet:
Panic indeed. Almost every web-hosting provider threatened.MS admits planting secret password By Ted Bridis The Wall Street Journal Online April 13, 2000, 5:00 PM PT Microsoft Corp. acknowledged Thursday that its engineers included in some of its Internet software a secret password -- a phrase deriding their rivals at Netscape as "weenies" -- that could be used to gain illicit access to hundreds of thousands of Internet sites worldwide. The manager of Microsoft's security-response center, Steve Lipner, acknowledged the online-security risk in an interview Thursday and described such a backdoor password as "absolutely against our policy" and a firing offense for the as-yet-unidentified employees. The company planned to warn customers as soon as possible with an e-mail bulletin and an advisory published on its corporate Web site. Microsoft urged customers to delete the computer file--called "dvwssr.dll"--containing the offending code. The file is installed on the company's Internet-server software with Frontpage 98 extensions. While there are no reports that the alleged security flaw has been exploited, the affected software is believed to be used by many Web sites. By using the so-called back door, a hacker may be able to gain access to key Web-site management files, which could in turn provide a road map to such things as customer credit-card numbers, said security experts who discovered the password. Two security experts discovered the rogue computer code -- part of which was the denigrating comment "Netscape engineers are weenies!" -- buried within the 3-year-old piece of software. It was apparently written by a Microsoft employee near the peak of the hard-fought wars between Netscape Communications Corp. and Microsoft over their versions of Internet-browser software. Netscape later was acquired by America Online Inc. One of the experts who helped identify the file is a professional security consultant known widely among the Internet underground as "Rain Forest Puppy." Despite his unusual moniker, he is highly regarded by experts and helped publicize a serious flaw in Microsoft's Internet-server software last summer that put hundreds of high-profile Web sites at risk of intrusion. Russ Cooper, who runs the popular NT Bugtraq discussion forum on the Internet, estimated that the problem threatened "almost every Web-hosting provider." "It's a serious flaw," Cooper said. "Chances are, you're going to find some major sites that still have it enabled." Lipner of Microsoft said the company will warn the nation's largest Web-site providers directly. In an e-mail to Microsoft earlier Thursday, Rain Forest Puppy complained that the affected code threatened to "improve a hacker's experience." Experts said the risk was greatest at commercial Internet-hosting providers, which maintain hundreds or thousands of separate Web sites for different organizations. Lipner said the problem doesn't affect Internet servers running Windows 2000 or the latest version of its server extensions included in Frontpage 2000. The digital gaffe initially was discovered by a Europe-based employee of ClientLogic Corp. (www.clientlogic.com) of Nashville, Tenn., which sells e-commerce technology. The company declined to comment because of its coming stock sale. The other expert, Rain Forest Puppy, said he was tipped off to the code by a ClientLogic employee. When asked about the hidden insult Thursday, Jon Mittelhauser, one of Netscape's original engineers, called it "classic engineer rivalry."
But why should one precisely? What is wrong? Very soon Russ Cooper, who hours earlier had called this a "serious flaw" declared "NO VULNERABILITY", and shortly afterwards said that he could not reproduce the problem, and finished his note with "I apologize for how things transpired".
Rain Forest Puppy, who had started the panic, wrote a contemplation about how and why things had gone so wrong. A fragment:
So, I start to ask myself, where did the actual hype come from?
So I quest, searching, travelling past self doubt, skirting around fear,
stopping only at McDonalds for a #2 extra value meal (super-sized),
when I come across the original Wall Street Journal article by Ted
Birdis[3]. Ah, yes, I think this is the place.
I can only guess to the process. My advisory provides a basis for
the problem. But if I was Ted, I would consider that a report from an
unconfirmed party. I am not Ted, but this is what I think he thought.
I would go straight to the source--Microsoft. Which, not surprisingly,
he did.
"The manager of Microsoft's security-response center, Steve
Lipner, acknowledged the online-security risk in an interview
Thursday and described such a backdoor password as "absolutely
against our policy" and a firing offense for the
as-yet-unidentified employees." [3]
Straight from the horses mouth. Proceeding to the other end of the
horse...
"Russ Cooper, who runs the popular NT Bugtraq discussion forum
on the Internet, estimated that the problem threatened "almost
every Web-hosting provider."
"It's a serious flaw," Cooper said. "Chances are, you're going
to find some major sites that still have it enabled." Lipner of
Microsoft said the company will warn the nation's largest Web-site
providers directly." [3]
Well, I found that interesting. While my advisory may have served as
the seed, it was not only confirmed by the direct party responsible, but
supported by a second opinion.
There's no doubt to me where the 'hype' came from. It's right there.
Lipner said "yep", and Russ said "it's widespread". How was anyone to
know they would change their minds later? So this was confirmed.
And it was Russ who hyped up the widespread appeal to this...I remind
myself that my advisory stated it was minimal at best.
...
Paul Schmehl sums up:
Russ Cooper tries to defend himself:Based on rfp's analysis of events (and information I had knowledge of previously), I believe the entire blame for this fiasco can be placed at the feet of Steve Lipner, who, in his interview with Ted Birdis is quoted as saying, "[Lipner] acknowledged the online-security risk in an interview Thursday and described such a backdoor password as "absolutely against our policy" and "a firing offense for the as-yet-unidentified employees." Obviously, this statement acknowledges "facts" which don't exist. There never was a "backdoor password" in dvwssr.dll. Were I in Russ Cooper's shoes, and Birdis called me to comment on a story that was "confirmed" by Lipner, I would naturally assume it must be true since an official MS spokeman had confirmed it to the press. If it were not true, why on earth would Microsoft admit to the charge?
And RFP obliged showing that his original version was even more restricted than the published version, and should not have caused this hype.RFP's **ORIGINAL** advisory, the one that was seen initially by Attrition, Microsoft, and WSJ was **SUBSTANTIALLY** different than the one he sent to Bugtraq and other lists. In the interest of fairness and honesty, Attrition might publish that **original** advisory?
Microsoft came with a new advisory, but the recommendation stays: delete Dvwssr.dll. Advisory 2. Advisory 3.
An analysis of the final situation.
So, the conclusion of our investigation of April 2000: Microsoft: large panic, no backdoor. RedHat: backdoor. But such conclusions do not suit PJ or Groklaw.