Re: Security Now Podcast: Windows Metafile Vulnerability a Hidden Backdoor?

[Paul E Condon <pecondon@xxxxxxxxxxxxxxxx>]

On Sat, Jan 14, 2006 at 08:07:49PM -0700, Paul E Condon wrote:
> On Sat, Jan 14, 2006 at 11:05:22AM -0700, Joe Pezzillo wrote:
> > 
> > Security Now Podcast: Windows Metafile Vulnerability a Hidden Backdoor?
> > 
> > "Description: Leo and I carefully examine the operation of the  
> > recently patched Windows MetaFile vulnerability. I describe exactly  
> > how it works in an effort to explain why it doesn't have the feeling  
> > of another Microsoft "coding error." It has the feeling of something  
> > that Microsoft deliberately designed into Windows. Given the nature  
> > of what it is, this would make it a remote code execution "backdoor."  
> > We will likely never know if this was the case, but the forensic  
> > evidence appears to be quite compelling."
> > 
> > (transcript)
> > 
> > http://www.grc.com/sn/SN-022.htm
> > 
> 
> Joe,
> 	You really should believe by now that if you are running Windows
> you are _not_ doing secure computing. Where is there something new in 
> this report?
> 
> Of course, no computer is _completely_ secure. You could be struck by 
> lightening while running Linux or Mac OS, so they are insecure also.
> But to deliberately use Windows and then kvetch about security. Really.
> 

On further consideration, I see a reason for this back door. Corporate
customers want it. Corporate IT departments want to be able to control
the computers within the corporation, and they want to do it from a
central location. Even if the evil empire didn't want to have the
backdoor, their most profitable customers would demand it. The only
place where there is a chance that software with no backdoors exists
is in the open-source community. There there a bunch of guys all over
the world reading the code, looking for flaws and really wanting to
find any that exist.

As to its effect on computers used in vote systems, it is necessary
that all software used and all software used in the generation of the
software used, all of that, must be disclosed. The kind of hidden
backdoors that are really dangerous have already been widely discussed
by the originators of UNIX. The techniques for creating backdoors are
widely known. As a practical matter, the backdoor cannot be found by
black-box testing. (This, also, is widely known among computer
professionals, but not all of them have the integrity to admit it.)
So just using software other than the proprietary stuff of the evil
empire is _not_ _enough_. It is also necessary to have full
disclosure, and prizes for the people who want to actually find flaws
in the software. And, when a flaw is found, rerun any election that
used the flawed software.

When the cost of all this is correctly estimated, it will be found
that paper ballot elections are really cheaper.

-- 
Paul E Condon           
pecondon@xxxxxxxxxxxxxxxx