Do You Write Backdoors?

Cliff posted more than 11 years ago | from the is-'kt'-logged-in? dept.

Software 1004

quaxzarron asks: "I had a recent experience where one of our group of programmers wrote backdoors on some web applications we were developing, so that he could gain access to the main hosting server when the application went live. This got me thinking about how we are dependent on the integrity of the coders for the integrity of our applications. Yet in this case a more than casual glance would allow us to identify potentially malicious code. How does this work when the clients are companies who can't perform such checks - either because they don't know how, or because the code is too large or too complex? How often do companies developing code officially sanction backdoors...even if means calling them 'security features'? How often has the Slashdot crowd put a backdoor in the code they were developing either officially or otherwise? How sustainable is the 'trust' between the developer and the client?"

1004 comments

Deadlines (5, Insightful)

jimmyCarter (56088) | more than 11 years ago | (#5442192)

I don't know about you guys, but not too many of my projects spare enough time in the project timeline to allow me to write backdoors or Easter eggs or whatever.

The last thing I'm thinking about when rushing towards the deadline is some fancy backdoor into a web app I'll probably never use anyway.

Re:Deadlines (0)

Anonymous Coward | more than 11 years ago | (#5442229)

yeh...i'm already running late....

this guy doesn't have enough on his plate if he/she has time to write backdoors.

Re:Deadlines (0)

Anonymous Coward | more than 11 years ago | (#5442334)

Yet the poster has enough time to read and post on /. during normal business hours.

Re:Deadlines (0)

Anonymous Coward | more than 11 years ago | (#5442364)

how do you know what timezone they're in!?!?!

Re:Deadlines (5, Informative)

Anonymous Coward | more than 11 years ago | (#5442282)

I don't know about you guys, but not too many of my projects spare enough time in the project timeline to allow me to write backdoors or Easter eggs or whatever.

Some people write backdoors to facilitate debugging. They don't have to worry about checking with the customer for various passwords - they just type in "IAMGOD" or some such hard-coded password and they are in.

For the record, I don't approve of backdoors. First, they provide security issues - someone just has to look through the executable for strings. Second, these things are never changed when employees move on.

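The comment above makes the practical point: a hard-coded override password is recoverable by anyone who runs `strings` over the shipped binary. The following is an added example, not code from the Slashdot thread or any product it mentions. It does what a reviewer would do to a release artifact: extract printable runs the way `strings(1)` does, then flag tokens that look like a credential sitting right after a login or password prompt in the string pool. The binary blob, the prompt words and the heuristic in `looks_like_secret` are constructed for the example.

```python
"""Added example (not from the Slashdot thread): find hard-coded credentials
in a compiled artifact by scanning its string pool.  SAMPLE_BINARY is a
constructed stand-in for a real program; only the string pool matters here."""
import re
from typing import List, Tuple

# Constructed stand-in for a compiled binary.  Real code bytes would surround
# these literals, but the NUL-separated string pool is what strings(1) sees.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8 +
    b"Login: \x00Password: \x00"
    b"IAMGOD\x00"                     # the hard-coded override from the comment
    b"Access denied\x00"
    b"\x90\x90\xcc\xcc"
    b"strcmp\x00__libc_start_main\x00"
    b"Welcome back, %s\x00"
    b"HTTP/1.1 200 OK\x00"
)

# Assumed prompt vocabulary; extend for the product under review.
PROMPT_WORDS = ("password", "passwd", "pass:", "login", "auth", "secret")

def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable ASCII at least min_len long, like strings(1)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

def looks_like_secret(s: str) -> bool:
    """Heuristic: one token, no spaces, not a format string, not a plain
    lowercase symbol name (strcmp, __libc_start_main), 6-32 characters."""
    if " " in s or "%" in s or s.startswith("_") or s.endswith(".h"):
        return False
    if not re.fullmatch(r"[A-Za-z0-9!@#$%^&*()_+=-]{6,32}", s):
        return False
    return not re.fullmatch(r"[a-z_][a-z0-9_]*", s)

def find_hardcoded_credentials(blob: bytes, window: int = 3) -> List[Tuple[str, str]]:
    """Pair each prompt-like string with secret-looking strings among the next
    `window` entries of the string pool.  Returns (prompt, candidate) pairs;
    linkers keep literals from one function close together, which is why
    proximity in the pool is a useful signal."""
    strings = extract_strings(blob)
    hits: List[Tuple[str, str]] = []
    for i, s in enumerate(strings):
        if any(w in s.lower() for w in PROMPT_WORDS):
            for cand in strings[i + 1:i + 1 + window]:
                if looks_like_secret(cand):
                    hits.append((s.strip(), cand))
    return hits

if __name__ == "__main__":
    for prompt, cand in find_hardcoded_credentials(SAMPLE_BINARY):
        print(f"possible hard-coded credential {cand!r} near prompt {prompt!r}")
```

Run it against the real release build rather than a debug build: the second point in the comment, that such passwords are never rotated when people leave, is exactly why the check belongs in the release pipeline and not in a one-off audit.
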
Re:Deadlines STFU goodie 2 shoes, Tsarkon Redports (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#5442286)

You don't write anything. You don't have any projects. Your anecdotal chime-in is fucking unwarranted and you fucking know it, loser.

You sound like you're one of those fucking project manager fags who use Microsoft Project and think you know fucking anything about programming and projects.

And dead give-away. Web app. What the fuck? Are you one of those people who use frontpage and call making changes to a web page "web programming?" You are such a fucking lamer. You know that? You are a fucking god damn stupid slashdotting asskissing faggot lamer.

I just had to let you all know at least one more time.

You all Slashdot fags have a giant bleeding brain hematoma you fucking cuntcaskets!

You fucking all possess Milo's GREAT Staff of Stupidity; INT -25; Forged when the world was young, when man and bird and beast were one, and death was but a dream! There in this before time stands the hoards of BOOTLICKING SHEEPLE and some Mac faggots!

You are all weird, cuntcaskety miasma of festering caramelized dog shit mediocritomatons; In that what is supposed to be your grey matter in that quagmire cesspool you have going in that vacuous cavern that is your skull.

You Slashdotting fags are all corpulent, zit ridden, unemployed, living at home, loser, sexless, lord of the rings trekker star wars fuckers, and dumb stupid fucking cunts with no TECHNICAL ACUMEN whatsoever.

I will usher in a new PAX ROMANA here on Fuckdot. Fucktards! Fucktardions! FUCKERFACES! HAHAHAHHAHAHAA. You

Perfectly true (-1, Insightful)

Wrexs0ul (515885) | more than 11 years ago | (#5442344)

If you have time to make back doors in software you're not working to the full extent of your paycheque. Better hope your project manager / contract company doesn't find out you have time to slack off like this, they'll either fire you on the spot or increase your work load so you don't have time to practice your 1337 c0d3R 5k!11z. ...Note I'm not referring to useful diagnostic stuff, the article seems to only include mischief code.

Sincerely,

-Matt

Re:Deadlines Microsoft "Programmer" ALERT (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#5442352)

Beware people this fucking fag is a Microsoft zealot lamer programmer.

Have you had your dose of Visual Studio you little fucking fagot pussy bitch? You know who Kernighan, Ritchie and Thompson are? CTSS? Multics? Unix? Do you even know how to really program? You fucking ass.

Of course (3, Funny)

Anonymous Coward | more than 11 years ago | (#5442194)

After I saw Wargames, I saw the immediate benefit of backdoors. They're very useful for preventing World War 3... oh, and playing games.

Re:Of course (1)

lasmith05 (578697) | more than 11 years ago | (#5442328)

Actually wasn't the fact that there was a backdoor in the first place the reason that WW3 almost happened in the movie?

this is the fp (0)

Anonymous Coward | more than 11 years ago | (#5442195)

she likes backdoors.

Sure! I wrote one into Slashcode! (2, Funny)

Limburgher (523006) | more than 11 years ago | (#5442196)

How do you think I posted this story? :)

Narf! (0, Offtopic)

DAQ42 (210845) | more than 11 years ago | (#5442198)

Yeah!

Re:Narf! (0)

Anonymous Coward | more than 11 years ago | (#5442207)

sir, ye are a faggot!

FP? (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5442199)

Hello!

This backdoor that i put into slash allowed me to get a FIRST POST!!

Yay!.

NO BACKDOOR CAN PROTECT YOU FROM MY VOMIT! (-1)

I VOMIT ON FAILURES! (652124) | more than 11 years ago | (#5442306)

YOU FAIL IT!

Never have, never will (5, Insightful)

Anonymous Coward | more than 11 years ago | (#5442200)

If you have to stop and think "is what I'm doing right?" then the answer is usually "no."

Of course, life is never that simple. I'm sure a backdoor has saved someone's ass on more than one occasion, because the admin forgot the root password or whatever. But don't be an asshole.

first post.. ever! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5442202)

Three years and I finally claim first post!

Re:first post.. ever! (0)

Anonymous Coward | more than 11 years ago | (#5442256)

Damn.. I was wrong. How was I ever defeated??

Yes, but only with guest/guest username/password (0)

Anonymous Coward | more than 11 years ago | (#5442203)

I would not want to be unethical.

No, but I bet you look at them... (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#5442208)

Like this [osdn.org] one?

Open source, of course (0)

SparafucileMan (544171) | more than 11 years ago | (#5442211)

There is only trust as long as:
a) The source is available, i.e., fully disclosed.
b) The code is readable and understandable by someone in the purchasing company.

Meaning, most applications fall far short of these criteria. (I'm annoyed... my Windows computer is starting to get habitually infected with auto-installing software promoted through IE's interface, something I have no control over.)

Re:Open source, of course (0)

Anonymous Coward | more than 11 years ago | (#5442307)

Somewhere you said yes to an installer; run a spyware detector like Ad-Aware to nix those installs.

Fire the kid. (3, Insightful)

pixel_bc (265009) | more than 11 years ago | (#5442212)

Unless he was acting on some sort of order from you or someone else who can tell him to add something like that, I'd fire him.

I'd also look into opening a criminal investigation.

Re:Fire the kid. (0)

Anonymous Coward | more than 11 years ago | (#5442301)

You should check all other code that he worked on prior to firing him.

microsoft (1, Funny)

tmonkey (531274) | more than 11 years ago | (#5442215)

i believe that our god friend bill had once added a back door password "netscape users are weenies"

Backdoors (3, Funny)

digipak (647427) | more than 11 years ago | (#5442216)

I've never coded backdoors into any software I've written. I usually don't use them in the future, and if I really need them, I gain access by other means. I can't see a logical reason to add them in, especially if your job depends on the integrity of your code.

That's disgusting (0)

Anonymous Coward | more than 11 years ago | (#5442219)

I don't really think this is an appropriate Slashdot topic. Bedroom activities are an intensely personal - oh, sorry. Write backdoors. Never mind.

backdoors (1)

inwoo (463512) | more than 11 years ago | (#5442221)

i thought the backdoor was the only door...
since when is there a front door?

To do what? (5, Insightful)

Ars-Fartsica (166957) | more than 11 years ago | (#5442222)

Contrary to popular belief, most programmers don't get their rocks off by showing their friends how they get in through the 'back door'.

Writing a back door is just more coding. Code for a while and see how much extraneous crap you write just for kicks.

Re:To do what? (1)

Anonymous Coward | more than 11 years ago | (#5442283)

amen

Re:To do what? (5, Insightful)

jpvlsmv (583001) | more than 11 years ago | (#5442373)

Writing a back door is just more coding. Code for a while and see how much extraneous crap you write just for kicks.


Yes, how much extraneous [kernel.org] crap [gnu.org] do programmers [sourceforge.net] write just for kicks [freshmeat.net] ?

--Joe

Microsoft believes in them.. (1, Funny)

macshune (628296) | more than 11 years ago | (#5442223)

Anyone else remember the NSAkey registry entry in Win95?

Re:Microsoft believes in them.. (0)

Tetrik (412055) | more than 11 years ago | (#5442267)

No I haven't. What's that?

Re:Microsoft believes in them.. (0)

Anonymous Coward | more than 11 years ago | (#5442302)

dream on. read bruce schneier's column on it. it was a variable name for a public key, not a backdoor or anything like that. if it were named msbackupkey no one would have cared.

Backdoors (0)

Anonymous Coward | more than 11 years ago | (#5442231)

Yikes... This subject is just asking for a goat link!

No way am I clicking on ANYTHING!

of course (5, Funny)

kurosawdust (654754) | more than 11 years ago | (#5442232)

my code is so tight, the front door and backdoor are on the same hinge! hooah!

Backdoors (2, Funny)

Anonymous Coward | more than 11 years ago | (#5442233)

Only in the BBS Software, did I write backdoors, those kids never registered...had to slap their hands a bit.

Are you a backdoor man? (0)

Anonymous Coward | more than 11 years ago | (#5442234)

Well are ya?

I backdoor all the time.. (5, Interesting)

japhar81 (640163) | more than 11 years ago | (#5442239)

But, thats not to say I lack ethics, am a cracker, or am out to get my client.

How many times have we all heard, duhh.... I forgot my admin password, but I can't reinstall, I need the data.

So yes, I backdoor, and I document it internally (hardcopy stored in a safe). It's just an extra insurance policy for when some moron that I worked for 6 years ago does something stupid.

That said, coding backdoors for the sake of getting access to a web farm so you can host your own services is certainly a bad thing(tm). But hell, what are you gonna do? Everyone backdoors. Don't believe me? Watch someone 'in the know' log in to a random windows box using the System account and come talk to me.

Re:I backdoor all the time.. (1, Interesting)

Anonymous Coward | more than 11 years ago | (#5442295)

Anyone care to explain this "Watch someone 'in the know' log in to a random windows box using the System account" crack to me?

Are you implying there is a 'backdoor' account in all copies of Windows?

???

Re:I backdoor all the time.. (1, Insightful)

J. J. Ramsey (658) | more than 11 years ago | (#5442340)

"So yes, I backdoor, and I document it internally (hardcopy stored in a safe). Its just an extra insurance policy for when some moron that I worked for 6 years ago does something stupid."

Did you ever think of what would happen if a cracker found out about such a backdoor? Just because you do your best to keep it a secret doesn't mean that crackers can't find out about it.

Why would you care? (0, Flamebait)

Ars-Fartsica (166957) | more than 11 years ago | (#5442357)

Its just an extra insurance policy for when some moron that I worked for 6 years ago does something stupid.

And as a former employee, you give a shit why???

Open Source? (5, Insightful)

jcortega (574008) | more than 11 years ago | (#5442240)

this has been one of the biggest arguments towards using open source software. companies can theoretically trust open source software because everyone sees the code and they can easily modify it. my question is though, even though we have the source, do people actually read the thousands and thousands of lines of code in the program they're using or just the parts that would interest them (for modifying/improvement purposes)?

server access? (1)

callmeda5id (627317) | more than 11 years ago | (#5442245)

you develop applications and don't get server access? if that is the case, the client certainly does not want you on the server. hence they wouldn't be too happy about your backdoor....

Just wonder about MS backdoors ;-) (0)

Anonymous Coward | more than 11 years ago | (#5442246)

Guess that with tons of lines and hundreds of coders, there must be backdoors!

Have they ?

-SLK

fuck (0)

Anonymous Coward | more than 11 years ago | (#5442248)

fucky fucky!

Code Review (0)

Anonymous Coward | more than 11 years ago | (#5442252)

The only way to guarantee that this doesn't occur is thorough code reviews. The argument that the project is too large or complex simply doesn't hold water; the larger or more complex a component gets, the more carefully it should be reviewed.

Re:Code Review (4, Insightful)

binaryDigit (557647) | more than 11 years ago | (#5442338)

The only way to guarantee that this doesn't occur is thorough code reviews.

Sorta, the only way to guarantee is to make ALL _checked_in_code_ reviewed. This is generally not a very practical alternative in any project that has real deadlines. What happens during a "code review" (a formal one anyway)? People review the code, make comments and the developer(s) go off and make whatever changes. Ooops, gotta now review the code they changed.

Depends on the backdoor. (5, Interesting)

phorm (591458) | more than 11 years ago | (#5442253)

Some of the apps I make have the option to "allow" a backdoor by setting a flag (default on). The client can turn it off if he/she really doesn't trust me, but in most cases they find it useful in case I ever have to bugfix the systems and/or they lose their own passwords.

obligatory (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5442257)

seinneew era sreenigne epacsten

Default passwords are as good as a backdoor (5, Interesting)

saforrest (184929) | more than 11 years ago | (#5442259)

My back door is simply default passwords. My company released an application server last year, and after doing a google search a few months later for a string of text that would appear only on our default web image, I found a half-dozen copies of our software installed at various places.

Out of curiosity, from a personal machine, I tried logging in as administrator to a few of these machines with the default password our product shipped with. It worked about half the time.

(Of course, one can't take the results of my search as suggesting that half of our customers didn't change their passwords, as the fact that these people hadn't updated the web image makes it not so surprising that they didn't update the admin password either.)

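The comment above is the strongest argument on the page that a shipped default password is indistinguishable from a backdoor. Below is an added example, not code from the thread or from the poster's product: an audit function a vendor or customer can run over the account table to find every account that still authenticates with the shipped default. Passwords are stored as salted PBKDF2 hashes, so the default has to be re-hashed under each account's own salt; there is no single "default hash" to grep for. The account names, the `changeme` default and the iteration count are assumptions made for the example.

```python
"""Added example (not from the Slashdot thread): find accounts still using the
vendor default password in a salted-hash user table.  SAMPLE_ACCOUNTS and
DEFAULT_ADMIN_PASSWORD are constructed placeholders, not any real product's."""
import hashlib
import hmac
import os
from typing import Dict, List

ITERATIONS = 100_000                  # assumption; tune to the deployment's CPU budget
DEFAULT_ADMIN_PASSWORD = "changeme"   # assumption: what the installer ships with

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison so the audit itself is not a timing oracle."""
    return hmac.compare_digest(hash_password(password, salt), stored)

def make_account(name: str, password: str) -> Dict[str, object]:
    salt = os.urandom(16)             # per-account salt: identical passwords hash differently
    return {"name": name, "salt": salt, "hash": hash_password(password, salt)}

def accounts_with_default_password(accounts: List[Dict[str, object]],
                                   default: str = DEFAULT_ADMIN_PASSWORD) -> List[str]:
    """Names of accounts that still authenticate with the shipped default.
    Each account is checked under its own salt, which is the only way to do
    this once passwords are hashed properly."""
    return [str(a["name"]) for a in accounts
            if verify(default, a["salt"], a["hash"])]   # type: ignore[arg-type]

# Constructed sample: two accounts were left on the default, one was changed.
SAMPLE_ACCOUNTS = [
    make_account("admin", DEFAULT_ADMIN_PASSWORD),
    make_account("support", "correct horse battery staple"),
    make_account("deploy", DEFAULT_ADMIN_PASSWORD),
]

if __name__ == "__main__":
    print("still on default password:", accounts_with_default_password(SAMPLE_ACCOUNTS))
```

The check is cheap enough to run at every service start; the safer product behaviour is to refuse to serve administrative functions until the list is empty, rather than to let the installation run for months with the default still working, which is what the poster observed.
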
GOATSE... (-1, Troll)

Anonymous Coward | more than 11 years ago | (#5442261)

Has a nice backdoor...Won't you go in? :)

TROLL MY OFFTOPIC ARSE!!!

Almost Every One. (1, Interesting)

Anonymous Coward | more than 11 years ago | (#5442263)

Almost all of my applications contain back doors if they are intended for others to use. Back in the BBS days we used to swap programs, and certain people were hated by all. So we'd write programs, and either include 2 versions, one with backdoor, and one without, or just include it in all of them. This would allow us to remotely reboot, get shell access, etc if our enemy happened to load our code. Usually it required a bunch of weird ascii codes to be typed in, as well as a password. We were very prone to checking executables for code such as this, but with a lot of nifty tricks, you could hide the backdoors so that they weren't blatantly obvious when looking through the binary file...

Why yes... (2, Funny)

Queelix (635663) | more than 11 years ago | (#5442264)


I'm a backdoor man.

Sincerely,

Jim Morrison

strange (0)

Boromir son of Faram (645464) | more than 11 years ago | (#5442265)

Why don't the companies just write a virtual machine and run the programs in the virtual machine for every possible input and check for backdoors? Seems like an obvious and quick solution to the problem.

Backdoors can be a powerful weapon.

Re:strange (1)

grundy (151557) | more than 11 years ago | (#5442358)

> Why don't the companies just write a virtual machine

Are you insane? Or just in third grade? "Writing a virtual machine" is an insanely complex endeavor, just ask IBM or VMWARE why they charge so much for their products.

Re:strange (1)

matts.nu (94472) | more than 11 years ago | (#5442370)

Why don't the companies just write a virtual machine and run the programs in the virtual machine for every possible input and check for backdoors?

Because that would take a while.

If your server accepts just 32 bits of input then we're talking four billion (count'em) test cases. Most servers accept even more input...

Payment Insurance (5, Interesting)

BadBlood (134525) | more than 11 years ago | (#5442266)

I know a person who owns his own company and writes code on a for-hire basis. He puts in timed expiration code such that if they don't pay him within 30 days of delivery, his code de-activates.

Where I work, we do similar things, but our motivation is to ensure that users are always running the latest version of our frequently updated codebase. We, as developers, do have the ability to run expired code via the backdoor.

just a guess (0)

Anonymous Coward | more than 11 years ago | (#5442269)

Maybe some companies have 2 sets of programmers. One to write the code. The other one to inspect it. Gotta trust your programmers sometime along the line I guess. For if you can't trust em, why did you hire them? And yeah this is the first post, yay :)

Happens everywhere (5, Informative)

matts.nu (94472) | more than 11 years ago | (#5442270)

Here's [phenoelit.de] a list of 1090 backdoors.

Backdoor? (4, Interesting)

RobertTaylor (444958) | more than 11 years ago | (#5442271)

"I had a recent experience where one of our group of programmers wrote backdoors on some web applications we were developing, so that he could gain access to the main hosting server when the application went live."

It's like that theory that BAE/McDonnell Douglas embedded the F15 Eagle fighter plane with a backdoor in its computer systems so if it's ever used against the USA it will strangely malfunction.

Unlikely, but interesting concept all the same!

trust... (5, Interesting)

TechnoVooDooDaddy (470187) | more than 11 years ago | (#5442274)

Trust and loyalty used to be my main focus... I trusted that those stock options I was offered instead of a chunk of salary would be good, and the company trusted that I would deliver good software, on time.

I fulfilled my part of the bargain, but when it came to stock option maturity time, I got laid off.. The company is still in business interestingly enough, and now posting profits even.

Who do you trust, and how is that trust repaid? I can tell you I no longer have the same sense of loyalty and trust in my employer. Companies are paying on average HALF of what they were for the same work 2 years ago.. Trust... works both ways or it doesn't work at all...

Backdoors, not really... (1)

blueZhift (652272) | more than 11 years ago | (#5442275)

Never wrote any backdoors per se. The closest was an ISAPI web app that needed to have certain users set up in order to work. I created the users in the installation application and later added an administrative user that was supposed to be created by the web master. Well, the web master didn't always keep up with this on new machines, so I just added it to the installation program (with approval).

That was years ago, but I wouldn't be too surprised if the user was still in there somewhere.

Backdoors (4, Interesting)

JSkills (69686) | more than 11 years ago | (#5442278)

Never written one for malicious purposes before. Thought about it a lot of course - in the same way people fantasize about robbing a bank or hitting the lottery.

But when you think about it, all leaving a backdoor in a system does for you is to provide an opportunity of accessing a system in a way that you shouldn't be. This can lead to trouble down the line.

Clearly, there are legitimate uses for backdoors (to use in case of emergencies, etc.), but unless the backdoor is documented someplace for others in the software development group to be aware of, it's likely the kind of backdoor that is simply not ethical to implement, since it's only usable by one person.

I'm sure people can provide examples that disprove this, but for the majority of situations, as a developer, having a backdoor in a system can only lead to a security breach at some point ...

How to prevent... (1, Insightful)

Anonymous Coward | more than 11 years ago | (#5442280)

Easy:
1) Code reviews.
2) File change diffs emailed to developer mailing list.
3) Group-owned code.

kind of... (5, Interesting)

deander2 (26173) | more than 11 years ago | (#5442281)


I am working on an app for the govt, and yes, I have programmed in a backdoor login, as it's very useful for testing and development.

However, the following are true:
1) management knows full well of its existence
2) BY DEFAULT, it is turned off in any build
3) it is NEVER to be deployed turned on

I think it's a good rule of thumb.

Hire developers directly (3, Interesting)

jpsst34 (582349) | more than 11 years ago | (#5442284)

Though it wasn't explicitly mentioned in the question, I feel that such a situation may be more common when the developers are hired as temporary / part-time help. In this case, you are a client and the developers may be looking to get something more. If you have your own in-house developers, they'll have more stake in the company and the project, and surely would care more about security - both the security of the software and the security of their job. A hired hand could code the backdoor then move on before you ever notice. Your own developers would be more hesitant to do this because if and when it gets noticed, they'll still be easily found in the cube on the third floor, east wing.

Maybe a good idea would be to bring on a full time development staff and pay them good money so they don't feel the need to try to get something more. Oh, and tell me where to send my resume once you create these new full time positions.

Not such a good insurance policy (2, Interesting)

MjDascombe (549226) | more than 11 years ago | (#5442285)

Backdoors can be a good insurance policy, and their theoretical presence might guarantee your continued employment, but if your employers find them, I can guarantee you won't be working there for much longer :P

Depends on how you define "backdoor"... (1)

MasterOfMagic (151058) | more than 11 years ago | (#5442287)

If you mean "backdoor" as in a way for a tech support or other person to get into a system that can be easily screwed up by users, then there are many of them around. If you mean "backdoor" as a hole that only a single coder (or small group of coders) knows about so they can stroke their ego, then there are probably fewer.

If they treat you well (1)

wohoo_gnu_is_great (467298) | more than 11 years ago | (#5442288)

I imagine that this kind of thing happens more frequently in situations where the company doesn't treat its employees well.

Backdoors are nice but.... (1)

Gambrinus (103988) | more than 11 years ago | (#5442292)

A backdoor allows you to make changes and tweaks after the application (or site) goes live but they just aren't worth it. Especially if it ever dawns on the customer that you have made changes (such as a bug fix) without consulting them. If you need to change the software then you need to consult the customer. Period.

If the customer ever figures out that there is a back door or if it is abused by a third party, they will never hire you or your company again.

PHP Web-apps (5, Interesting)

yamcha666 (519244) | more than 11 years ago | (#5442293)

I work for a small startup that specializes in custom web-applications for indy record labels and small-time bands and clubs. Our main product is an all-in-one web-app that will allow the customer to manage their shows, news, mailing list and numerous other things.

We offer several levels of this product, one being shared (get 1 account on our servers) which we control, standalone, and custom standalone (the standalones go on their own servers.) The latter two are designed to have one back-door login account for myself and the other programmer to go in there and edit their settings or database if the customer breaks something.

So there is my 2 cents. Yes, I put small backdoors in my company's web-apps per boss's request.

Re:PHP Web-apps (0)

Anonymous Coward | more than 11 years ago | (#5442362)

arf arf here comes the assgravy train!

Slashdot Has A Backdoor!! (2, Funny)

Anonymous Coward | more than 11 years ago | (#5442294)

And it lives here [goatse.cx] !

This story was just begging for this link!

Not when I need to earn a living! (4, Insightful)

djkitsch (576853) | more than 11 years ago | (#5442299)

I (like many of you) work on a contract basis per project, and I'm contracted to fix any problems with the software as part of the job.

If an intruder breaks into a database through a back door I put in (and let's face it, it is asking for trouble), I'm obliged to spend my valuable time closing the hole.

I'm not of the opinion that it's worth my time and money to show off what a great hacker I am - my clients are really the ones who matter, since they pay my wages, and my skills should be reflected in my work...

Sure... (4, Interesting)

Anonymous Coward | more than 11 years ago | (#5442303)

Backdoors were coded into systems. But only for testing and development purposes. Once the software was being prepared for release, those backdoors would be deleted but in any case, they were usually coded to only work on specific (i.e. the development) machines.


What really concerned me though was when we were supposed to store credit card numbers encrypted in the database and I used a simple replacement cipher as a placeholder. Then, when I later asked about putting real encryption routines in was told "we aren't going to do that".


So customers are really in the dark when it comes to the security of their software.


Rich

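The comment above describes a placeholder "replacement cipher" left in place of real encryption for card numbers. The following is an added example, not code from the thread or the poster's employer, showing why that placeholder is no protection at all: a fixed digit substitution maps each digit the same way every time, so anyone holding a few known plaintext/ciphertext pairs (the tester's own test cards in the same database, say) recovers the whole table and decrypts every row. The substitution table and all card numbers are constructed test values; the known plaintexts are published test numbers, not real accounts.

```python
"""Added example (not from the Slashdot thread): known-plaintext recovery of
a fixed digit-substitution 'cipher' used on card numbers.  TABLE and all
card numbers below are constructed test values."""
from typing import Dict, Iterable, List, Tuple

# Assumed shape of the placeholder cipher: a fixed permutation of the ten digits.
TABLE: Dict[str, str] = {"0": "7", "1": "3", "2": "9", "3": "0", "4": "5",
                         "5": "1", "6": "8", "7": "2", "8": "6", "9": "4"}

def substitute(digits: str, table: Dict[str, str]) -> str:
    """The placeholder 'encryption': same digit in, same digit out, every time."""
    return "".join(table[d] for d in digits)

def recover_reverse_table(pairs: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Known-plaintext attack: map each ciphertext digit back to its plaintext.
    Raises if the pairs are inconsistent with a single substitution."""
    reverse: Dict[str, str] = {}
    for plain, cipher in pairs:
        for p, c in zip(plain, cipher):
            if reverse.setdefault(c, p) != p:
                raise ValueError(f"ciphertext digit {c} maps to both {reverse[c]} and {p}")
    return reverse

def decrypt_rows(rows: Iterable[str], reverse: Dict[str, str]) -> List[str]:
    """Digits never seen in a known pair come back as '?' (partial recovery)."""
    return ["".join(reverse.get(c, "?") for c in row) for row in rows]

# Known plaintexts: published test card numbers (not real accounts).  Between
# them they use all ten digits, so the table is recovered completely.
KNOWN_PLAIN = ["4111111111111111", "5105105105105100",
               "378282246310005", "6011000990139424"]
# Constructed victim rows as they would sit "encrypted" in the database.
VICTIM_PLAIN = ["4242424242424242", "5555555555554444"]
STORED = [substitute(v, TABLE) for v in VICTIM_PLAIN]

def attack(known_plain: List[str], stored: List[str]) -> List[str]:
    """The attacker can see both the known cards and their stored form."""
    pairs = [(p, substitute(p, TABLE)) for p in known_plain]
    return decrypt_rows(stored, recover_reverse_table(pairs))

if __name__ == "__main__":
    print(attack(KNOWN_PLAIN, STORED))   # the victims' card numbers, in clear
```

Even with no known plaintext, the scheme gives itself away: every row must still pass the Luhn check and start with a known issuer prefix under the true table, which rules out almost all of the 10! candidate permutations. Real protection for this data means an authenticated cipher with a per-record nonce and a key held outside the database, so that equal inputs produce different stored values and the database alone yields nothing.
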
Never (1)

geekoid (135745) | more than 11 years ago | (#5442304)

there is no reason for it, except to 'monkey around' behind the scenes, and that always ends up bad.

Wheee!!! (0)

Anonymous Coward | more than 11 years ago | (#5442310)

{--- Insert obligatory Mr. PotatoHead comment here ---}

Sure (1)

kormoc (122955) | more than 11 years ago | (#5442313)

I just add in my usual, #include 'Backdoor.h' and away I go...

Unless it's an embedded app there's just no excuse (3, Insightful)

Art Popp (29075) | more than 11 years ago | (#5442314)

There shouldn't any hard-coded trust between the authors of decent software and the buyers/users of that software. The fact is that any useful information that the backdoor could provide to the coder should be available to the purchaser. If the purchaser wants to trust the coder he needs to run sshd and give the coder and account with access to the application he coded. Why anyone would "reinvent" a secure backdoor when it can be accomplished with Freely available tools to a much greater level of security is just beyond me.

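Several comments above (the "I forgot my admin password, but I can't reinstall" case, and the point that a customer who trusts the developer can simply give them an account over sshd) describe the one legitimate need a backdoor is usually excused by. The following is an added example, not code from the thread or any product in it, of a recovery path that is not a hidden login: a one-time recovery token that can only be minted from the customer's own local console, expires after an hour, works exactly once, and is logged on every attempt. There is no fixed secret in the binary for anyone to find. The class name, the one-hour window and the audit-line format are assumptions made for the example.

```python
"""Added example (not from the Slashdot thread): a break-glass recovery path
for a lost admin password that does not depend on a hidden credential.
RecoveryDesk, its 1-hour TTL and the audit format are assumptions."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional

class RecoveryDesk:
    def __init__(self, ttl_s: float = 3600.0) -> None:
        self.ttl_s = ttl_s
        self._tokens: Dict[bytes, float] = {}   # sha256(token) -> expiry time
        self.audit: List[str] = []

    def issue_token(self, from_local_console: bool, now: Optional[float] = None) -> str:
        """Mint a recovery token.  Assumption: only the local console wrapper
        passes from_local_console=True; the web tier never reaches this, so an
        intruder on the network cannot mint one."""
        now = time.time() if now is None else now
        if not from_local_console:
            self.audit.append(f"{int(now)} recovery-issue denied (not console)")
            raise PermissionError("recovery tokens are issued from the local console only")
        token = secrets.token_urlsafe(32)          # 256 bits, shown once, never stored
        self._tokens[hashlib.sha256(token.encode()).digest()] = now + self.ttl_s
        self.audit.append(f"{int(now)} recovery-issue ok expires={int(now + self.ttl_s)}")
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> bool:
        """Single use: the token is consumed whether or not it was still valid."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).digest()
        expiry: Optional[float] = None
        for stored in list(self._tokens):
            if hmac.compare_digest(stored, digest):   # no timing side channel on the lookup
                expiry = self._tokens.pop(stored)
        ok = expiry is not None and now < expiry
        self.audit.append(f"{int(now)} recovery-redeem {'ok' if ok else 'denied'}")
        return ok

if __name__ == "__main__":
    desk = RecoveryDesk()
    tok = desk.issue_token(from_local_console=True)
    print("redeem once:", desk.redeem(tok), "redeem again:", desk.redeem(tok))
    print("\n".join(desk.audit))
```

The caller that redeems a token should let the holder set a new administrator password and nothing more; the audit list is what distinguishes this from a backdoor, since the customer can see every time the path was used and by whom.
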
Inadvertent Backdoors (5, Interesting)

egg troll (515396) | more than 11 years ago | (#5442315)

I know of a couple of examples where backdoors were put in for QA purposes and then left in when the product was shipped. Indeed, waaaay back in the day, a Mac IRC client left in a /ctcp command that would let another user execute any command on another ircle user's box!


Doing things like /ctcp B1FF exec /quit made IRC almost unusable for Mac users for a week or so.


Anyways, my point is that most backdoors put in by developers seem to be accidental rather than intentional.

Hmm... (1)

shayborg (650364) | more than 11 years ago | (#5442317)

Personally, I wouldn't, and I haven't even when presented with the opportunity. However, though I don't know for sure, I flatter myself my sense of ethics is slightly stronger than the average hacker's. I imagine it's a fairly common practice, actually ...

-- shayborg

winxp? (2, Interesting)

rizzo420 (136707) | more than 11 years ago | (#5442327)

ok, I don't think there's a backdoor, but I know windows xp comes installed with a special microsoft tech support user. how do they get to use that user to fix problems? that's what I don't understand. it's really odd I think. I wouldn't be surprised if microsoft started putting backdoors into their software that only closed when you entered a unique serial number that bounced back from an online serial number database. similar to the way Q3A uses the cd key. although I know there are some hacks to the Q3A cd key to allow you to use a pirated copy, so this may not work. I just wouldn't put it past microsoft to do something like that.

possible legal actions? (5, Insightful)

green pizza (159161) | more than 11 years ago | (#5442330)

This thread has gotten me wondering, what sort of legal options would one have should they find an employee coding in backdoors?

Would this be considered felony fraud? The more I think about it, the more I hope so. Think about this -- one coder acting alone could cost a company millions of dollars in lost profit and trust. This would be more than that coder will probably earn in normal income throughout his entire life. I think this is one case where a jury SHOULD seriously consider decades of imprisonment. This isn't a simple case of a kid using DeCSS or defacing a website, this is a case of one person destroying the image and trust of an entire company.

Given that Slashdot implies "Linux" (0, Funny)

Anonymous Coward | more than 11 years ago | (#5442331)

I'd say that most slashdotters have "installed" someone's "backdoor" more than a few times.

It's all about design (1)

Chacham (981) | more than 11 years ago | (#5442332)

It's all about design.

If programmers are told to make something work, and there is little design, the entire program is a black box, and not understood until it is looked at completely.

With proper design, the program is understood before it is coded, and the appropriate modules or sections can be looked at easily. Of course testing plays a significant role, but at this point design is far more important.

Unfortunately, most programmers don't want design (probably Ps) and most designers want too much control (probably Js). There needs to be a general respect for the other's gifts for everything to work, and have people want each other's help.

I worked with a guy... (2, Interesting)

leftism11 (177941) | more than 11 years ago | (#5442335)

When I was a consultant at a Big 6 firm (back in the day), a colleague of mine wrote a Windows app for a client. He added code that would cause the application to stop working after a certain date, so that if the client didn't pay their invoices, he wouldn't update the code, and the app would simply stop working.

I personally considered this to be very unprofessional, and probably not legal, but he claimed that it was perfectly legit. Of course, the client didn't know this, and he never told them (they did pay their invoices on time).

Definitely not my style, but it is evidence to me that it is done on a regular basis.

Yes (0)

Anonymous Coward | more than 11 years ago | (#5442336)

surely they are easy to spot (1)

Rcknight (640267) | more than 11 years ago | (#5442337)

IMHO a company is foolish not to check their code to some extent before it is released, in which case these should be easy to spot.

This of course is a major advantage to open source, you can check for yourself if you are paranoid.

Ultimately though, I think programmers have to be trusted to some extent, and so it will be impossible to completely get rid of this kind of thing.

Code backdoors. (0)

Anonymous Coward | more than 11 years ago | (#5442341)

And keep track of all of them. So if they start to be exploited, bam, get in the backdoor and close them all.

consequences (4, Interesting)

spoonyfork (23307) | more than 11 years ago | (#5442351)

I don't but two guys here did just that last year. It was a customer facing website for a large multi-national corporation. The "backdoor" was caught before going live but they were fired with extreme prejudice.

No, not needed. (1)

jellomizer (103300) | more than 11 years ago | (#5442356)

In most cases the programmer has access to the server in one method or the other. So a backdoor in the code isn't necessary, unless you consider going to the office behind the firewall or a VPN a backdoor. Instead of a back door, give your program some good logging; then you usually can fix the problem better than with a back door, and not have such an obvious security opening on your system that may be easy for someone to figure out. /cgi-bin/backdoor.pl?me=1234
Oops, now I am in, wow!!
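The thread above keeps coming back to the same three shapes of unwanted code: an undocumented magic parameter (the /cgi-bin/backdoor.pl?me=1234 joke), a hard-coded credential ("swordfish"), and the date-triggered kill switch from leftism11's story. As an added example that is not part of any post here, this is a small review-time scanner that flags those patterns in source text; the regexes and the sample Perl-style input are constructed for this illustration and are heuristics to tune, not a complete detector.

```python
import re

# Heuristic rules, one per backdoor shape discussed in the thread (constructed; tune per code base).
RULES = [
    # A secret compared against a literal string, e.g. $password eq 'swordfish'
    ("hardcoded-credential",
     re.compile(r"(pass(?:word|wd)?|secret|token)\s*(?:==|===|eq|\.equals\()\s*['\"][^'\"]+['\"]", re.I)),
    # A request parameter compared against a literal, e.g. param('me') eq '1234'
    ("magic-param-bypass",
     re.compile(r"param\(\s*['\"](\w+)['\"]\s*\)\s*(?:==|eq)\s*['\"]?\w+['\"]?", re.I)),
    # A clock or literal date check on the same line as exit/die/abort: a time bomb
    ("date-kill-switch",
     re.compile(r"(?:time\(\)\s*[<>]=?\s*\d{9,}|['\"]\d{4}-\d{2}-\d{2}['\"]).*\b(?:exit|die|abort)\b", re.I)),
]


def scan_source(text: str):
    """Return (line_number, rule_name, stripped_line) for every line a rule matches."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            if rx.search(line):
                findings.append((lineno, name, line.strip()))
                break  # one finding per line is enough for a reviewer's worklist
    return findings


# Constructed sample input: a fragment of a Perl CGI script, not code from the thread.
SAMPLE = """\
use CGI;
my $q = CGI->new;
if ($q->param('me') eq '1234') { $is_admin = 1; }      # undocumented magic parameter
if ($password eq 'swordfish') { grant_all(); }          # hard-coded credential
if (time() > 1057017600) { die "license expired"; }     # date-based kill switch
log_event("login", $user);                              # ordinary logging, no finding
"""

if __name__ == "__main__":
    for lineno, rule, text in scan_source(SAMPLE):
        print(f"line {lineno}: {rule}: {text}")
```

Matches are leads for a human reviewer, not proof; the point is that the patterns a "more than casual glance" would catch can be mechanised so that the glance actually happens before release.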

I'd like to help, but... (3, Funny)

Lord_Slepnir (585350) | more than 11 years ago | (#5442359)

I'd like to post an intelligent response, but I need more info. Can I have some people send me a list of back doors they've created so that I can investigate further? Thanks.

Of course I write backdoors... (1)

DarkHelmet (120004) | more than 11 years ago | (#5442363)

And password is always swordfish...

why would you put in a back door? (2, Insightful)

new death barbie (240326) | more than 11 years ago | (#5442365)

1) If it's not in the requirements, it shouldn't be in the code.
2) If it's useful or necessary, then it should be in the requirements. But it's not a back door anymore (maybe a side door?)

backdoors? (0)

Anonymous Coward | more than 11 years ago | (#5442366)

never - unless required by contract.

And even then it's maximum security...

Level of trust... (1)

jason718 (634659) | more than 11 years ago | (#5442375)

How sustainable is the 'trust' between the developer and the client?

As sustainable as what was stated in the contractual relationship between the development company and the client. Backdoors, exploits etc, should not be allowed unless explicitly requested by the client. These 'Backdoors' - however innocent - could be the cause of a financially burdensome exploit at a later date, which I'm sure the client would not appreciate.

This area of functionality is definitely something which should be highlighted as part of the Master Service Agreement or within the Statement of Work. Within your own development team, your team members should understand the implications of introducing such code into clients' projects.

[Disclaimer: I am not an attorney. For legal advice, consult one!]

Legal and not (3, Insightful)

sir_cello (634395) | more than 11 years ago | (#5442376)

Putting in backdoors is unethical, but possibly not illegal depending upon how you make your software available (i.e. license terms and conditions). It may only be illegal where you _use_ the backdoor (because you are then technically trespassing on the property of another), or if someone else uses the backdoor (you could be held in negligence).

I've been involved in a project where an easter egg was planted (a command line interface to a subsystem, and if you enter the right command, it will drop into a text RPG). You could get in trouble for this in certain ways:
(a) wasting client money (if the program was developed under contract and this functionality is outside of the scope of the development agreement);
(b) negligence/action if something goes wrong with the functionality or leads to lack of performance of the software, etc.

Most have some sort (4, Insightful)

www.sorehands.com (142825) | more than 11 years ago | (#5442378)

Most applications have some sort of back door.

There are different extents to back doors. For example, in some filtering programs, you get admin access. In other programs, you have the ability to log in as a remote user. In another, you can bypass the encryption passcodes.

Having a remote access backdoor saves lots of trips to a customer site. Having a backdoor for admin access is good when they lose their passwords. Or remotely shutting down the application is good when they don't pay.

There is also the other side to consider: if there is a back door, the application is clearly less secure.

You have to balance the lack of security caused by this against the need for the features the different back doors offer.

You should tell the client about this, but then it is a problem. If you tell people about back doors, some people may try to hack it. Having the remote ability to shut down an application may defeat the purpose.