comp.programming

finding backdoors and security holes

gdotone

12/3/2015 2:00:00 AM

How do these guys (generic) find these backdoors and security holes?

Some of the code they are looking at has to be 100s of thousands
of lines of code.

In the case of Arris's backdoor, what, how?

Any really good books on the subject matter?

Thanks,

g.
12 Answers

robertwessel2@yahoo.com

12/3/2015 7:59:00 AM

0

On Wed, 2 Dec 2015 17:59:33 -0800 (PST), G G <gdotone@gmail.com>
wrote:

>How are these guys (generic) find these backdoors and security holes?
>
>Some of the code they are looking at has to be 100s of thousands
>line of code.
>
>In the case of Arris's backdoor, what, how?
>
>Any really good books on the subject matter?


Half the time you can find security holes just by running the source
through Lint.

Richard Heathfield

12/3/2015 11:05:00 AM

0

On 03/12/15 01:59, G G wrote:
> How are these guys (generic) find these backdoors and security holes?

Do they have the source? If so, imagine trying to find a shoe shop on
Oxford Street (not a particular shop - any shoe shop will do), looking
for a hill in Wales, tracking down a cow in Gloucestershire, or
identifying a crank in sci.crypt. These are tasks of comparable length
and difficulty.

--
Richard Heathfield
Email: rjh at cpax dot org dot uk
"Usenet is a strange place" - dmr 29 July 1999
Sig line 4 vacant - apply within

Öö Tiib

12/3/2015 1:43:00 PM

0

On Thursday, 3 December 2015 03:59:38 UTC+2, G G wrote:
> How are these guys (generic) find these backdoors and security holes?

They search for those.

>
> Some of the code they are looking at has to be 100s of thousands
> line of code.
>
> In the case of Arris's backdoor, what, how?

It was likely deliberately made by the author of the modem software
for testing and debugging purposes, and then they forgot to remove it
from the production software.

>
> Any really good books on the subject matter?

There are plenty of books about how to prevent attacks and to reduce
risks of security vulnerabilities. These books teach how to look for
those.

osmium

12/3/2015 2:13:00 PM

0

"Öö Tiib" wrote:

> On Thursday, 3 December 2015 03:59:38 UTC+2, G G wrote:
>> How are these guys (generic) find these backdoors and security holes?
>
> They search for those.
>
>>
>> Some of the code they are looking at has to be 100s of thousands
>> line of code.
>>
>> In the case of Arris's backdoor, what, how?
>
> It was likely deliberately made by author of modem software
> for testing and debugging purposes and then forgotten to remove
> from production software.
>
>>
>> Any really good books on the subject matter?
>
> There are plenty of books about how to prevent attacks and to reduce
> risks of security vulnerabilities. These books teach how to look for
> those.

To the OP:
Perhaps if you would limit your question to backdoors you might start
getting useful answers. You gave a sneak path by mentioning security
issues - it's kind of like electricity, it takes the easiest path.

I only have guesses, my guess is that an awful lot of stars have to align to
find a backdoor.

gdotone

12/3/2015 2:55:00 PM

0

On Thursday, December 3, 2015 at 9:13:05 AM UTC-5, Osmium wrote:

> To the OP:
> Perhaps if you would limit your question to backdoors you might start
> getting useful answers. You gave a sneak path by mentioning security
> issues - it's kind of like electricity, it takes the easiest path.
>
> I only have guesses, my guess is that an awful lot of stars have to align to
> find a backdoor.

What do you mean by "You gave a sneak path by mentioning security
issues - it's kind of like electricity, it takes the easiest path."?

If a backdoor is in a device or software, isn't that a security issue too?

I would love to hear from anyone with insight or just reasonable guesswork
(thinking).

osmium

12/3/2015 3:49:00 PM

0

"G G" wrote:

> On Thursday, December 3, 2015 at 9:13:05 AM UTC-5, Osmium wrote:
>
>> To the OP:
>> Perhaps if you would limit your question to backdoors you might start
>> getting useful answers. You gave a sneak path by mentioning security
>> issues - it's kind of like electricity, it takes the easiest path.
>>
>> I only have guesses, my guess is that an awful lot of stars have to align
>> to find a backdoor.
>
> What do you mean? You gave a sneak path by mentioning security
>> issues - it's kind of like electricity, it takes the easiest path."
>
> If a backdoor in a device or software, isn't that a security issue too.
>
> I would love to hear from anyone with insight or just reasonable guess
> work (thinking).

I mean you asked two questions. One about security issues and one about
backdoors. If you ask two questions people will naturally answer the easier
one. A huge number of security issues are well known and I am quite sure I
could find a whole book on the subject by spending a few minutes with
Google. Back doors are a *specific* security issue and the answers are
going to become much more sparse. For example, I have no reason in the world
to believe that my OS (Windows XP) does not contain one or more backdoors.
It is such a behemoth that it takes several CDs to contain a copy of it.

Öö Tiib

12/3/2015 6:01:00 PM

0

On Thursday, 3 December 2015 17:48:40 UTC+2, Osmium wrote:
> "G G" wrote:
>
> > On Thursday, December 3, 2015 at 9:13:05 AM UTC-5, Osmium wrote:
> >
> >> To the OP:
> >> Perhaps if you would limit your question to backdoors you might start
> >> getting useful answers. You gave a sneak path by mentioning security
> >> issues - it's kind of like electricity, it takes the easiest path.
> >>
> >> I only have guesses, my guess is that an awful lot of stars have to align
> >> to find a backdoor.
> >
> > What do you mean? You gave a sneak path by mentioning security
> >> issues - it's kind of like electricity, it takes the easiest path."
> >
> > If a backdoor in a device or software, isn't that a security issue too.
> >
> > I would love to hear from anyone with insight or just reasonable guess
> > work (thinking).
>
> I mean you asked two questions. One about security issues and one about
> backdoors. If you ask two questions people will naturally answer the easier
> one. A huge number of security issues are well known and I am quite sure I
> could find a whole book on the subject by spending a few minutes with
> Google.

More like a whole bookshelf of decent books and a library of crappy ones.

> Back doors are a *specific* security issue and the answers are
> going to become much more sparse.

It is because writing testing shortcuts and back-doors into product code
is considered an anti-pattern by most professional programmers. Hiding
maliciously made back-doors is also a possibility but may bring charges
against the authors. Works of that contest may give inspiration how to:
https://en.wikipedia.org/wiki/Underhanded...

> For example, I have no reason in the world
> to believe that my OS (Windows XP) does not contain one or more backdoors.
> It is such a behemoth that it takes several CDs to contain a copy of it.

Actually, companies as large as Microsoft have their quality standards
and enough budget to check, review, test and validate their code-bases
over and over. A deliberate backdoor is possible perhaps only when very
cleverly hidden.

It is far more likely to find some non-deliberate vulnerability in
Windows code. Also it may be more fruitful not to scan the operating
system itself but various third party software that you may run on it.
Some software upgrader, multiplayer game, document viewer or editor,
web browser plugin ... things like that. ;)

Victor Porton

12/3/2015 6:49:00 PM

0

G G wrote:

> How are these guys (generic) find these backdoors and security holes?
>
> Some of the code they are looking at has to be 100s of thousands
> line of code.

One thing which helps is using a language with increased reliability such
as Ada (including the latest 2012 version of Ada).

--
Victor Porton - http://porton...

gdotone

12/4/2015 11:57:00 PM

0

On Thursday, December 3, 2015 at 1:49:33 PM UTC-5, Victor Porton wrote:
> One thing which helps, is using a language with increased reliability such
> as Ada (including latest 2012 version of Ada).
>

I wish Ada was more popular.

osmium

12/9/2015 3:22:00 PM

0

"Richard Heathfield" wrote:

> On 03/12/15 01:59, G G wrote:
>> How are these guys (generic) find these backdoors and security holes?
>
> Do they have the source? If so, imagine trying to find a shoe shop on
> Oxford Street (not a particular shop - any shoe shop will do), looking for
> a hill in Wales, tracking down a cow in Gloucestershire, or identifying a
> crank in sci.crypt. These are tasks of comparable length and difficulty.

I will make a wild guess that they sell shoes on Oxford Street and Wales is
hilly, therefore finding backdoors is a trivial exercise.

I would describe a program that does something other than what was expected
by the user, as having a backdoor. Using that base, one link on Google says
there are 482,000 VW diesels in the US that have backdoors in their
software.

Here's one link describing how that particular backdoor, after several years,
was finally found. Sounds like a good base plot line for a movie on the
Airbus 380 or whatever they call that big thing.

http://www.bbc.com/news/busines...