, SecurityFocus 2000-05-01
Security companies can make headlines by using the right jargon, even when it's wrong.
Buzzword Bonanza
"A backdoor is normally understood in computer security circles to refer to a system vulnerability
deliberately put in place by system designers or operators such that it would allow them to bypass
normal security checks. The "wemilo" password discovered in the Cart32 shopping cart software last
week is an example of a genuine backdoor."
Then Mr Levy goes on to say:
"The first one is the fact that the documented "piranah" web account created when you install this package has an undocumented default password."
Finally:
"Neither of these vulnerabilities fits the description of a backdoor."
Sounds to me as if the default password is, in fact, a "backdoor", according to the definition that Mr Levy himself put forth. In fact, Mr Levy points out that:
"The "wemilo" password discovered in the Cart32 shopping cart software last week is an example of a genuine backdoor."
Perhaps one default password constitutes a backdoor and another does not. If this is the case, Mr Levy, can you please point out why?
My final comment is that there is a lot of talk about the media spreading FUD (fear, uncertainty, doubt) through their sensationalizing of stories and events regarding computer or network security. Mr Levy's article has a subtitle that begins by denouncing "security companies", yet the only example that he puts forth is a statement made by ISS. Certainly, Mr Levy, there are other security companies out there...
H. Carvey
Link to this comment: http://www.securityfocus.com/comments/articles/25/1565#1565