[DUG] Backdoors

Kyley Harris kyley at harrissoftware.com
Thu May 4 13:00:39 NZST 2006


BackDoor, Allow someone other than the license holder of the software to
access the software without their permission.

Now this is a rather vague issue. Unless you are writing a secure app,
you don't need a backdoor. If you are writing a secure app and you have
a backdoor, then by definition, it isn't a secure app, which means you
don't really have a backdoor anymore.

Is your database Encrypted? Are all transmissions to and from the app
fully encrypted? There are plenty of frontdoors in the average software.
But seeing as I am talking about protecting the user from invasion of
software, not building invasions, I don't care about database
encryption. That's a physical access issue. Nothing is safe if the
computer is in a deviant's hands.

I always write software that would be impossible for me to break into. 
Could I break it if I was sitting on their server with a keyboard? Yes,
who couldn't. Backdoors are when you can get in over a wire without
knowledge of anyone. 

What happens if you forget your PIN number? The bank doesn't magically
reset it for you or use a backdoor. How stupid would that be :D Users
who forget passwords talk to admins. Admins who forget passwords get
fired.

-----Original Message-----
From: delphi-bounces at ns3.123.co.nz [mailto:delphi-bounces at ns3.123.co.nz]
On Behalf Of John Bird
Sent: Thursday, 4 May 2006 10:19 a.m.
To: 'NZ Borland Developers Group - Delphi List'
Subject: [DUG] Backdoors

Define backdoor.....

I have two extra functional modes in most of my programs, Boolean flags set
when a program starts (eg by checking an ini file), so the same EXE file can
run in different modes, or enable extra functions.

-One set only when running "in-house" and usually used to trigger generating
log files or extra information for inspecting, used for streamlining testing
of programs, and such code automatically disabled at sites and will never
run even if still present in the program.  Such code generally removed from
final versions.

-Second is a test or "info" mode, can be set at any site for a screen and I
can tell users to turn this on or turn it off, it sets a program to display
more information on screen or to a log file.  Again for troubleshooting
problems. Transparent as users can also access this.   Gives diagnostics
only, or in some cases may disable functions, never enables anything extra.

As far as backdoor, I presume you mean an extra privileged login or access
code that the developer has to allow greater access to a live system,  I
have never needed that, as these two transparent ways give me all the tools
I need to diagnose systems.

If diagnosing a particular obscure problem with client data, then I may if
needed copy their data onto my system and use the "in-house" mode to
diagnose.  Again this is transparent as it is done with their knowledge and
agreement at the time and also cannot affect their live data.

What do others do?

John

-----Original Message-----
From: delphi-bounces at ns3.123.co.nz [mailto:delphi-bounces at ns3.123.co.nz]
On Behalf Of peter at webcentre.co.nz
Sent: Thursday, 4 May 2006 9:47 a.m.
To: NZ Borland Developers Group - Delphi List
Subject: RE: [DUG] In case you're interested (or buy stuff)


> That sounds pretty scary to me.  How many other devs leave back 
> doors???

Never. Not once in over 25 years.

cheers,
peter

===========================================
Peter Hyde, Development Director
* http://TurboNote.com -- top-rated onscreen sticky notes
* TCompress components for Delphi/.NET/Kylix/C++ @ http://webcentre.co.nz
* FREE global search and replace utility: http://turbonote.com/tnTurboSR


_______________________________________________
Delphi mailing list
Delphi at ns3.123.co.nz http://ns3.123.co.nz/mailman/listinfo/delphi

