[Cross-posted from ASSEMBLER-LIST]

John Gilmore wrote:
For an ISV to leave such devices in distributed code, in effect to compromise the integrity of its customers' systems is very different; it is, at best, despicable.

This is not just despicable, under today's law, it is actually criminal! Any vendor who does this could be (and should be) jailed in criminal courts and sued out of existence in civil courts.

I do not know who is doing this, but I believe utmost pressure must be brought to bear upon that vendor so that it will commit every resource to removing the breach from its products.

I further believe that every customer of this vendor should demand this.

It outrages me that a customer's trust would be so egregiously violated. I believe that it is the duty of those who do know who this vendor is to name it immediately.

John Gilmore wrote:
The notion that it would be uneconomic to eliminate this device seems to me to miss the point.

Certainly... But I disagree that it would be uneconomical. Now that the knowledge of the existence of this backdoor is widening, both investigations and exploitations are all the more likely. Any money spent on code correction is pretty quickly becoming pretty cheap by comparison...

Dave Cole              REPLY TO: [email protected]
ColeSoft Marketing     WEB PAGE: http://www.colesoft.com
736 Fox Hollow Road    VOICE:    540-456-8536
Afton, VA 22920        FAX:      540-456-6658

At 2/24/2012 08:43 AM, John Gilmore wrote:
I did not make the discovery; and I will therefore respect, for now at least, the discoverer's decision not to make the miscreant's name public.

I believe, however, that this name should be made public. This information should not be confined to the priesthood.

Trapdoors are not new, and I suspect that those of us who know how to do so have all made transitory use of similar devices in testing our own code.  For an ISV to leave such devices in distributed code, in effect to compromise the integrity of its customers' systems is very different; it is, at best, despicable.

There had been a tacit assumption that notionally respectable ISVs do not do such things.  That assumption has been undermined, and even responsible ISVs will now have to spend time and energy reassuring their customers that they are not guilty too.

They are all now in the position of a locksmith suspected of burglary.