Re: Security ?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Les <hlhowell@xxxxxxxxxxx> wrote:
>
>On Thu, 2010-12-16 at 17:21 +0000, JB wrote:
>> JB <jb.1234abcd <at> gmail.com> writes:
>> 
>> > ...
>> 
>> We should be careful with judgements about software backdoors and their
>> implementers.
>> 
>> They can be life- or cause-saving, literally, in extreme circumstances (when 
>> much or many depend on ability to communicate with others/outside world).
>> 
>> For that reason, I would expect a gifted dev or "white hat" be able and ready 
>> to introduce, maintain, and distribute a backdoor very quickly, if a need 
>> arises.
>> 
>> It is a "Cui bono ?" situation.
>> There are "good" and "bad" backdoors and their implementers.
>> And so is a "revelation" about them.
>> 
>> JB
>> 
>> 
>
>I don't see the message you are responding to, but what do you think
>would justify a back door?  And are you including administrative
>operations a back door?  Is it impossible to administer a properly
>designed system without a back door?
>
It never should be 'impossible' to administer a program with a trap/back door.  As a matter of fact, no program in production should have such a feature.  Many games are shipped with 'debug' codes in them that fast become cheats and are discovered in a matter of minutes.  Imagine if you were using a critical program and a rouge were to get elevated to admin level just by looking at the code with a hex editor (and the biggest safety hazard is the people who work for your company.)
>
>Some times good intentions and even debugging leads us astray.  Code
>gets "left behind" that should not, or enabled when it should not, or
>even inadvertently promulgated when it should not.
>
>It has been shown that software can be developed and built into a
>compiler that will insert a back door into any code compiled by it.  The
>original intention was debugging, but the technique has other
>applications, not all good.
>
Yes.  This is very true and you really don't want this in a production environment.
>
>Do you know if your code includes such a back door?  How would you
>detect it?
>
Reviewing the source and with a lot of help, the compiled program.  This is how white/black hats find them.  The problem is what is the likelihood of your userbase finding it?  If it is a world-wide game, pretty good.  If it is a custom application for your company and you have good controls in place and trustworthy people, not so likely.  It all depends.  The key is not to have them there in the first place.  You don't need the trouble and publicity when you are 'cracked' or breached, either by an intruder or a 'trusted' employee, or both.

People tend to want ease, and with ease comes additional areas that you can be expoited.  It all depends on whether you desire this (some gaming companies actually publish their cheat/test codes) or not (you don't want me mucking around in your encrypted Quickbooks files.)  To put this in focus, if you are a gamer and you want to move to the next level, back doors are your friend.  If you are a multi-million dollar company with many trade secrets, you don't want one trap door into your company's secured files.

James McKenzie

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux