Adding Vulnerabilities to Your Code for Fun and Profit

Coders deliberately planting time bombs and backdoors in their own code has been a risk for almost as long as programs have been written. One of my favorite historical examples is the one Ken Thompson described in his Turing Award lecture “Reflections on Trusting Trust”: a modified Unix C compiler that inserted a backdoor whenever it compiled the login program, and that reinserted its own modification whenever it compiled the compiler, so the backdoor survived even though neither program’s source contained it.
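
The two tricks in Thompson’s compiler, as a runnable toy. This is an added example, not code from the original post or from Thompson: the “compiler” is a Python-to-Python transformer that only strips comment lines, the “login program” is a two-line password check, and compiled programs are loaded with exec(). The names compile_source and check_password and the master password ‘ken’ are invented for the demo.

```python
"""Toy model of the two tricks in Ken Thompson's compiler backdoor.

Constructed illustration, not Thompson's code.  The "compiler" is a
Python-to-Python transformer that only strips comment lines, the "login
program" is a two-line password check, and compiled programs are loaded with
exec().  compile_source, check_password and the master password 'ken' are all
invented for this demo.
"""

# Clean compiler source: exactly what a reviewer would see in the repository.
CLEAN_COMPILER_SRC = '''
def compile_source(src):
    # Honest compiler: drop comment lines, pass everything else through.
    return "\\n".join(l for l in src.splitlines() if not l.strip().startswith("#"))
'''

# Clean login source: also exactly what a reviewer would see.
LOGIN_SRC = '''
def check_password(user, password):
    # The only credential that should work.
    return password == "hunter2"
'''

# The trojan is a quine-style template so that a compiler built with it can
# carry its own source along (trick 2).  %r is filled with the template's own
# repr; %% becomes a literal % in the emitted code.
TROJAN_TEMPLATE = '''
TROJAN_TEMPLATE = %r
TROJAN_SRC = TROJAN_TEMPLATE %% TROJAN_TEMPLATE
_honest_compile = compile_source
def compile_source(src):
    # Trick 1: when the login program is compiled, add a master password.
    if "def check_password(" in src:
        src = src.replace("def check_password(user, password):",
                          "def check_password(user, password):\\n"
                          "    if password == 'ken': return True")
    out = _honest_compile(src)
    # Trick 2: when the compiler itself is compiled, re-insert this trojan.
    if "def compile_source(" in src:
        out = out + "\\n" + TROJAN_SRC
    return out
'''
TROJAN_SRC = TROJAN_TEMPLATE % TROJAN_TEMPLATE


def load_compiler(compiler_src):
    """Run compiler source (our stand-in for a compiler binary); return its entry point."""
    ns = {}
    exec(compiler_src, ns)
    return ns["compile_source"]


def probe(compile_fn):
    """Build the clean login program with a compiler; report which passwords it accepts."""
    ns = {}
    exec(compile_fn(LOGIN_SRC), ns)
    check = ns["check_password"]
    return {p: check("root", p) for p in ("hunter2", "ken", "wrong")}


def build_and_probe():
    """Compare three compilers: clean, the attacker's hand-poisoned one, and one
    rebuilt from CLEAN source by the poisoned compiler."""
    clean = load_compiler(CLEAN_COMPILER_SRC)
    # Generation 0: the attacker once shipped a compiler binary carrying the trojan.
    trojaned = load_compiler(CLEAN_COMPILER_SRC + TROJAN_SRC)
    # Generation 1: a maintainer rebuilds the compiler from its clean source with the
    # binary already installed.  The trojan re-inserts itself into the new binary.
    rebuilt = load_compiler(trojaned(CLEAN_COMPILER_SRC))
    return {"clean": probe(clean), "trojaned": probe(trojaned), "rebuilt": probe(rebuilt)}


def trojan_is_self_perpetuating():
    """True if a compiler rebuilt from clean source by the poisoned compiler emits
    exactly what the poisoned compiler emitted (the trojan is a fixed point)."""
    trojaned = load_compiler(CLEAN_COMPILER_SRC + TROJAN_SRC)
    gen1_src = trojaned(CLEAN_COMPILER_SRC)
    gen2_src = load_compiler(gen1_src)(CLEAN_COMPILER_SRC)
    return gen1_src == gen2_src


if __name__ == "__main__":
    for name, accepted in build_and_probe().items():
        print(name, accepted)
    print("self-perpetuating:", trojan_is_self_perpetuating())
```

The point to take from running it: neither CLEAN_COMPILER_SRC nor LOGIN_SRC mentions the master password, reviewing both sources finds nothing, and yet every login program built by the rebuilt compiler accepts it. The only defence is to not trust the binary you bootstrap from, which is what diverse double-compiling and reproducible builds try to address.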

A programmer’s motives for embedding such exploits in their own code range from revenge for a real or imagined slight, to retaining access to a resource, to simply seeing whether it can be done, and of course to stealing money, typically from applications that handle money.

But Bruce Schneier, in his recent blog post “The Vulnerabilities Market and the Future of Security”, describes an emerging way for unscrupulous coders to monetize vulnerabilities they have purposely baked into their code, or at the very least to keep vulnerabilities they discover from their employer and sell them on that market instead.

One Response to “Adding Vulnerabilities to Your Code for Fun and Profit”

  1. Um, wow. If anyone can think of a single better argument for the open source development model, do let us know.

    Look what else just came across Slashdot. This is also not really possible in open source. Moles don’t like it in the open.
    http://www.pcpro.co.uk/news/security/375169/could-us-cyberspies-have-moles-inside-microsoft

    Yes, I’m paranoid. But yes, they’re after us.
