Les <hlhowell@xxxxxxxxxxx> wrote: > >On Thu, 2010-12-16 at 17:21 +0000, JB wrote: >> JB <jb.1234abcd <at> gmail.com> writes: >> >> > ... >> >> We should be careful with judgements about software backdoors and their >> implementers. >> >> They can be life- or cause-saving, literally, in extreme circumstances (when >> much or many depend on ability to communicate with others/outside world). >> >> For that reason, I would expect a gifted dev or "white hat" be able and ready >> to introduce, maintain, and distribute a backdoor very quickly, if a need >> arises. >> >> It is a "Cui bono ?" situation. >> There are "good" and "bad" backdoors and their implementers. >> And so is a "revelation" about them. >> >> JB >> >> > >I don't see the message you are responding to, but what do you think >would justify a back door? And are you including administrative >operations a back door? Is it impossible to administer a properly >designed system without a back door? > It never should be 'impossible' to administer a program with a trap/back door. As a matter of fact, no program in production should have such a feature. Many games are shipped with 'debug' codes in them that fast become cheats and are discovered in a matter of minutes. Imagine if you were using a critical program and a rouge were to get elevated to admin level just by looking at the code with a hex editor (and the biggest safety hazard is the people who work for your company.) > >Some times good intentions and even debugging leads us astray. Code >gets "left behind" that should not, or enabled when it should not, or >even inadvertently promulgated when it should not. > >It has been shown that software can be developed and built into a >compiler that will insert a back door into any code compiled by it. The >original intention was debugging, but the technique has other >applications, not all good. > Yes. This is very true and you really don't want this in a production environment. > >Do you know if your code includes such a back door? How would you >detect it? > Reviewing the source and with a lot of help, the compiled program. This is how white/black hats find them. The problem is what is the likelihood of your userbase finding it? If it is a world-wide game, pretty good. If it is a custom application for your company and you have good controls in place and trustworthy people, not so likely. It all depends. The key is not to have them there in the first place. You don't need the trouble and publicity when you are 'cracked' or breached, either by an intruder or a 'trusted' employee, or both. People tend to want ease, and with ease comes additional areas that you can be expoited. It all depends on whether you desire this (some gaming companies actually publish their cheat/test codes) or not (you don't want me mucking around in your encrypted Quickbooks files.) To put this in focus, if you are a gamer and you want to move to the next level, back doors are your friend. If you are a multi-million dollar company with many trade secrets, you don't want one trap door into your company's secured files. James McKenzie -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
