Update: Project founder responds below. "SmoothWall does not use shadowed passwords in their firewall implementation. While this is not inherently dangerous as firewall systems are not designed as multi-user, an unauthorized user gaining access to the system via exploitation of an unprivileged process may be able to gain administrative access by copying the password hash, and launching a brute force cracking program against it."
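An added example, not part of the original article or of SmoothWall's code: a defender-side audit of a passwd(5)-format file that reports every entry whose password field holds a hash (or is empty) instead of the `x` placeholder that points at a shadow file, which is the condition the quoted advisory describes. The sample entries and hash strings are constructed placeholders, and the function names are this example's own.

```python
import re

# Modular-crypt prefixes and the scheme each one identifies.
SCHEMES = {"$1$": "md5crypt", "$2": "bcrypt", "$5$": "sha256crypt", "$6$": "sha512crypt"}
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional crypt(3) output

def classify(pw_field):
    """Say what the second field of a passwd(5) entry holds."""
    if pw_field == "x":
        return "shadowed"          # the real hash lives in the shadow file
    if pw_field == "":
        return "empty"             # account needs no password at all
    if pw_field[0] in "*!":
        return "locked"            # no valid hash can match
    for prefix, name in SCHEMES.items():
        if pw_field.startswith(prefix):
            return "hash:" + name
    return "hash:des-crypt" if DES_CRYPT.match(pw_field) else "hash:unknown"

def audit_passwd(text):
    """Return (user, uid, finding) for entries exposing a hash or an empty password."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], None, "malformed"))
            continue
        kind = classify(fields[1])
        if kind.startswith("hash") or kind == "empty":
            uid = int(fields[2]) if fields[2].isdigit() else None
            findings.append((fields[0], uid, kind))
    return findings

# Constructed sample: the hash strings are placeholders, not real hashes.
SAMPLE = """\
root:$1$CONSTRUC$AAAAAAAAAAAAAAAAAAAAAA:0:0:root:/root:/bin/bash
admin:abCONSTRUCTED:500:500::/home/admin:/bin/sh
nobody:*:99:99:Nobody:/:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
setup::0:0:setup:/:/bin/sh
"""

if __name__ == "__main__":
    for user, uid, kind in audit_passwd(SAMPLE):
        print(f"{user} (uid {uid}): {kind} stored in the passwd file itself")
```

Because the passwd file has to stay readable by every local process, any entry this reports is readable by an unprivileged process as well; moving the hashes into a root-only shadow file is the fix.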

It seems several SmoothWall developers have developed an attitude about accepting criticism from other security professionals and don't feel this is an issue that deserves their attention. The issue escalated when the lead person responsible for the project called it "Trench Warfare." It seems he doesn't take criticism too well? Is the state of the project in jeopardy? Is there a battle going on between the people developing the project and their users over the developers' attitude? Are there other security holes that aren't being fixed?

Users interested in a system not susceptible to this security vulnerability might try Slackware. Users interested in a web-manageable secure solution might try EnGarde.

Update 13:49 EST - Richard Morrell, SmoothWall project founder, responded to LinuxSecurity.com with the following email. It certainly wasn't our intention to mislead. We report, you decide. There is also a page on their site now that provides their perspective.

  Subject: Factual reporting of the article you posted
  Date:    Fri, 18 Jan 2002 17:13:49 +0000
  From:    Richard Morrell
  To:      dave@linuxsecurity.com

  Dave,

  I really really really wish a site of the standing of Linux Security would
  check its sources. It's really appalling. You've made sweeping statements
  about our project that if you please fix then I'd be grateful.

  Juergen Schmidt is a noise, an unpleasant but effective noise, a radical
  without a cause - he loves stirring it - can't write effective journalism and
  hates being made to look what he is - half witted and unable to do basic
  research at shell level.

  Lawrence Manning the code leader behind SmoothWall responded to Juergen
  throughout but Juergen forgot to mention that we twice made him look a dork
  by finding flaws in his research, your article today made us look like we
  don't care when we do and we work long hours so please correct this once
  you've read Lawrence's OWN response.

  Richard Morrell
  Project Manager, Founder AND FUNDER

The link for this article located at SecurityFocus is no longer available.