Do You Write Backdoors?
quaxzarron asks: "I had a recent experience where one of our group of programmers wrote backdoors on some web applications we were developing, so that he could gain access to the main hosting server when the application went live. This got me thinking about how we are dependent on the integrity of the coders for the integrity of our applications. Yet in this case a more than casual glance would allow us to identify potentially malicious code. How does this work when the clients are companies who can't perform such checks - either because they don't know how, or because the code is too large or too complex? How often do companies developing code officially sanction backdoors...even if it means calling them 'security features'? How often has the Slashdot crowd put a backdoor in the code they were developing either officially or otherwise? How sustainable is the 'trust' between the developer and the client?"
I don't know about you guys, but not too many of my projects spare enough time in the project timeline to allow me to write backdoors or Easter eggs or whatever.
The last thing I'm thinking about when rushing towards the deadline is some fancy backdoor into a web app I'll probably never use anyway.
-- jimmycarter
Writing a back door is just more coding. Code for a while and see how much extraneous crap you write just for kicks.
This has been one of the biggest arguments towards using open source software. Companies can theoretically trust open source software because everyone sees the code and they can easily modify it. My question is though, even though we have the source, do people actually read the thousands and thousands of lines of code in the program they're using or just the parts that would interest them (for modifying/improvement purposes)?
This thread has gotten me wondering, what sort of legal options would one have should they find an employee coding in backdoors?
Would this be considered felony fraud? The more I think about it, the more I hope so. Think about this -- one coder acting alone could cost a company millions of dollars in lost profit and trust. This would be more than that coder will probably earn in normal income throughout his entire life. I think this is one case where a jury SHOULD seriously consider decades of imprisonment. This isn't a simple case of a kid using DeCSS or defacing a website, this is a case of one person destroying the image and trust of an entire company.
If you designed a system that you personally can break into, then you didn't put enough thought into the security design.
I personally think it's my responsibility to AT LEAST make sure that I couldn't break into the systems that I build without having knowledge of the passwords or whatever. If I think of a way that I could get in without it, I fix it or contact the person currently responsible for the code and let them know about it and how I think it should be fixed.
1st, when I leave a company that I don't like or a company harms me - I consider that their "punishment" is not having the best man for the job - a backdoor would nullify this high ground and prove that I wasn't the best man for the job. And if a company is good to me, or I like them - then these are the last people in the world I would want to harm or compromise - so either way, it's just plain a poor way of living.
2nd, I don't know about you, but I worked on more than my fair share of projects where I could tell that the core was written badly, but didn't have the time, resources, or approval to do it the right way myself. There are plenty of things that could go wrong that I can get blamed for even if I do everything right, the last thing I want to do is add something else that can go wrong. No thanks!
3rd, I want deniability. When I leave a company, I want them to change the passwords, delete accounts, and for the code to be secure. The last thing I want is some break-in or failure put back on me years after the fact. There are plenty of shortcomings in life that can "catch up" with you, even if you do your darndest to be perfect. The last thing in the world I want to do is add some more to that pile.
4th, I rely on these people for contacts, reference, and referrals. Why risk burning bridges when I don't have to? Why risk a job when if I don't want it I am free to quit? If you don't like a company, why risk going to jail for them? If I must risk going to jail, I would much rather it be for a cause I believe in like that lady who refused to go to the back of the bus.
Wouldn't the better option be to make your application expire a certain number of days after installation UNLESS a code is entered? The theory being that when you receive payment, you provide the code.
The outcome for you is the same. If you don't get paid, the system locks them out. The outcome for the client is that honest, paying clients don't have hidden (exploitable) backdoors living in their deployed system.