
Monday, November 17, 2008

Vendor included backdoors

Another reason to make sure that you use your available software to the maximum extent before going out and deciding to remediate your software problem with more software :-)

Vendor-included backdoors can appear for multiple reasons, but there are two big categories:

  • "Easter-egg" like features: some programmer decided to put in a piece of code that accepts a "magic" password (this was the case, for example, with older versions of Borland Interbase; it was discovered when they open-sourced the project).
  • To make the life of support personnel easier. While the first type of situation is relatively rare (and companies actively discourage it), this second type of backdoor is often consciously included. They win because support calls are handled faster. You win because your issues are resolved faster. It's a win-win situation, right? Except when you get p0wned using the same mechanism...

So what are the takeaway lessons here?

  • Try to get the most out of your current software before deciding to get more software.
  • These support backdoors can exist in many software products. Sometimes they are documented, but sometimes they aren't. Be very suspicious of support calls that "magically" fix your problem (i.e. with minimal interaction from you). Ask them how they did it, and whether the method they used is available at any time from anywhere (for example, it would be sensible to prompt the user before taking control of the computer).
  • Open source can help, but it isn't immune to this problem (the issue mostly hasn't arisen there because most OSS products have no formal support behind them, but it is entirely possible that "vendor supported" versions include this "feature").
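To make the two categories concrete, here is an added example (not code from the post or from any product it mentions) contrasting a "magic password" login path of the kind described for the Easter-egg category with a hardened login that only consults the credential store, plus a support-access path that requires explicit user consent and expires, as the last takeaway suggests. The user database, the `MAGIC_PASSWORD` constant and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed credential store: username -> (salt, PBKDF2-SHA256 hash). Not a real product's data.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Hypothetical placeholder standing in for a vendor's hard-coded "magic" password.
MAGIC_PASSWORD = "EXAMPLE-MAGIC-PASSWORD-PLACEHOLDER"


def login_hardened(user: str, password: str) -> bool:
    """Only the credential store decides; hashes are compared in constant time."""
    entry = USERS.get(user)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(_hash(password, salt), stored)


def login_with_backdoor(user: str, password: str) -> bool:
    """Easter-egg style backdoor: a hard-coded string bypasses the store for ANY user.
    Shown only to illustrate the defect; a code review should reject this branch."""
    if password == MAGIC_PASSWORD:
        return True
    return login_hardened(user, password)


def request_support_session(user_consented: bool, ttl_seconds: int = 600) -> Optional[dict]:
    """Support access that exists only after the user explicitly agrees, and that expires.
    There is no standing 'always-on' path a support line could use silently."""
    if not user_consented:
        return None
    return {"token": os.urandom(16).hex(), "expires": time.time() + ttl_seconds}


def support_session_valid(session: dict, now: Optional[float] = None) -> bool:
    """A session token is only honoured before its expiry time."""
    now = time.time() if now is None else now
    return now < session["expires"]
```

Reviewing for branches like the one in `login_with_backdoor`, and for support paths that skip `user_consented`, is the kind of check the post's takeaways call for.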
