I deliberately left a loophole in the code. Is it illegal?

When I was browsing Zhihu yesterday, I came across this question.

I found three very interesting answers and am sharing them with you here.

The first answer is about planting a backdoor as insurance against not receiving the final payment after delivery:

Years ago, I did an outsourcing project for a certain company, customizing an Android system ROM. The development fee was 160,000, and one year of maintenance was 20,000.

The development fee was paid in three installments: a deposit of 40,000 yuan, 80,000 yuan on delivery of the production-environment ROM, and a final payment of 40,000 yuan after acceptance and delivery of the source code.

Before the production-environment ROM was handed over, a timestamp check was added to it. It was mixed into the driver, and after 6 months the system could no longer be turned on.

Sure enough, after 4 months, the other party had not sent the final payment. Evidently they found nothing wrong with it in use, were not going to ask for the source code, and would save the maintenance fee as well. Every payment reminder was met with one excuse or another.

After another 2 months, the buried mine exploded, and their downstream customers began to complain. That is how I got the rest of the money back.

I'm too lazy to name the company. It is quite a famous one, and many people have probably used its products.

If you don't keep a card like this up your sleeve, you will probably suffer the loss in silence. After all, lawsuits in Taiwan Province are very difficult. In this case, it's called self-preservation, and it's not illegal.
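Seen from the receiving side, an expiry check like the one in this answer can be surfaced during acceptance testing by exercising the deliverable under a shifted clock. The sketch below is an added example, not code from the original post or the answer: `vendor_boot_check` is a constructed stand-in for an opaque component, and its 180-day cutoff and `BUILD_DATE` are assumptions.

```python
from datetime import datetime, timedelta

# Constructed stand-in for an opaque deliverable: given the current time it
# reports whether the device would start. The 180-day cutoff is an assumption
# that mimics the behaviour described in the answer above.
BUILD_DATE = datetime(2020, 1, 1)

def vendor_boot_check(now):
    return now < BUILD_DATE + timedelta(days=180)

def find_behaviour_change(component, start, horizon_days, step_days=30):
    """Return a day offset from `start` at which component(now) stops matching
    its result at `start`, or None if no sampled day differs.

    A coarse sweep finds a window containing a change, then a binary search
    narrows it to the day (exact when the behaviour flips once, as an expiry
    check does). A flip that reverts inside one step is missed, so choose
    step_days smaller than any window you care about.
    """
    def result_at(offset):
        return component(start + timedelta(days=offset))

    baseline = result_at(0)
    offsets = list(range(step_days, horizon_days + 1, step_days))
    if not offsets or offsets[-1] != horizon_days:
        offsets.append(horizon_days)  # always sample the end of the horizon

    lo = 0
    for hi in offsets:
        if result_at(hi) != baseline:
            # Invariant: result_at(lo) == baseline, result_at(hi) != baseline.
            while hi - lo > 1:
                mid = (lo + hi) // 2
                if result_at(mid) == baseline:
                    lo = mid
                else:
                    hi = mid
            return hi
        lo = hi
    return None

if __name__ == "__main__":
    # Simulate two years of wall-clock time from the delivery date.
    print(find_behaviour_change(vendor_boot_check, BUILD_DATE, 730))
```

Against a real ROM the same sweep would drive an emulator or test device with its clock set forward, with "boots and passes smoke tests" as the observed result.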

This answer reminds me of my experience taking a private job many years ago, when the software developed for others disappeared after being delivered. At that time, I was young and didn't know how to set a time limit. It is all tears.

Having said that, a backdoor like this respondent's is in fact illegal. What the respondent says does not decide it; the specific issue has to be analyzed in detail.

So how does the law define this kind of problem? Let's take a look at the answer from TK, a leading figure in the network security industry:

There is no law in our country that punishes the backdoor in and of itself. The main reason is that a "backdoor" is difficult to define objectively.

For example, is an automatic update mechanism a backdoor? Is a hot patch mechanism a backdoor? Is a remote maintenance mechanism a backdoor? If there is a problem with your home broadband, you can call the operator's customer service number and the operator can remotely adjust your optical modem. Is that a backdoor?

Therefore, when the law deals with backdoor-related issues today, it convicts on the basis of how the backdoor is used. If you leave a backdoor and never use it for the rest of your life, that's fine. If you use it to do bad things, you will be convicted and sentenced according to what bad things you did.

A backdoor hidden in the code is for junior players. Let's take a look at what an advanced backdoor looks like:

When Ken Thompson was at Bell Labs, he could always hack into other people's accounts on a server with Unix installed. No matter how others changed their account passwords, it was of no use. At that time, the people gathered at Bell Labs were all scientists with off-the-charts IQs and excellent professional knowledge, and Ken's behavior undoubtedly made them very upset.

After someone analyzed the Unix code, they found the backdoor, then recompiled and redeployed Unix. But the thing that drove them crazy happened again: Ken was still able to hack into their accounts, which left them puzzled.

It was not until 1983, when Ken won the Turing Award, that he revealed the secret at the conference. It turned out that the password backdoor was implanted through a C compiler he had written, and Unix at that time had to be compiled with this C compiler before it could run. So no matter how Unix was modified, it was useless; after all, it still had to be compiled.

The XcodeGhost incident that happened a few years ago operated in a similar way, so the holes left by a real master cannot be guarded against by ordinary people. Only if you encounter a master of the same level who tells you where they are is it possible to crack them. This is why some organizations do not connect to the external network: they do not know whether the systems they have installed contain loopholes left by others.

Low level: in the code

Intermediate: in the toolchain

Advanced: at the compiler level

Ultimate: inside the machine, and this is simply impossible to guard against.

So be nice to the programmer.

This reminds me of something that happened not long ago: a hacker group poisoned IDA. IDA is an important tool that security practitioners use for reverse engineering. Poisoning it is a targeted attack aimed at security people themselves, and it is really hard to guard against.

Ladies and gentlemen, have you ever hidden backdoors in your code? Tell us about it in the comment area.


Origin juejin.im/post/7118936823782604813