|
It seems highly likely that most of the people answering "No" (including myself) are just not among the few who _do_ know about the back doors.
-- Being innovative means not being afraid to get fired.
|
BluePineNeedles wrote:
just not among
or they are among them..
Pandoras Gift #44: Hope. The one that keeps you on suffering. but.. "As I said, this shit is therapy" boost your code || Fold With Us! || sighist | doxygen
|
Yes, but technically speaking there are various forms of a back door which the survey doesn't project in its questioning. For example it simply states a configuration to override security settings; in those terms the IE security zones fall into that category. You can turn off security and put low security for all web pages.
The new Windows Firewall can be turned off. To this survey that would also be a "backdoor", but it's documented. In this questioning I had to say yes, we do provide settings to lower security and a lot of products do just that as well. So anyone who answered that question is probably talking about settings more along these lines and they aren't necessarily bad.
Someone on this board mentioned sending data from a backdoor to another company that wrote their web pages (That actually wouldn't fall into this survey since the question says "security override settings" and that wasn't a setting or override! It was just a back door!). This would probably go along the lines of bad and was probably not documented. However the security settings I mentioned above could also not be documented but not be bad. Perhaps the survey should be worded a little better because everyone thinks that not answering "no" is a bad thing when it really doesn't have to be, which in the end really makes the results of the survey not very useful because someone could be talking about turning off a firewall and another person could be talking about stealing company secrets.
8bc7c0ec02c0e404c0cc0680f7018827ebee
|
Or, as in our case, it's more like a front door.
sa password in plain view in a text file!
<Shakes head>
Don't worry, nobody lives forever.
|
What's your web app URL?
|
Hopefully not your handiwork though, right Bernhard?
|
Lol, what stupid developer would do that (I know they still exist)
|
The worst SA password I am seeing is (roll drums)... "password", isn't great security. And the best is the trading system that keeps its users' passwords just spelled backwards...
Please someone help me.
|
FRAUD.
Any company releasing software and accepting a customer's money for the use of that software had better be up front about everything that the software does. Back door entrances or other security bypasses are plain and simply fraud on the part of the company that develops/sells the software. How would you like to find out that the 'master' key for all of the locks on your home was available to your home builder? Or worse, discover this after experiencing a robbery or worse in your own home.
I have no problem with software that includes these 'features'. I just think it is very important that you make your customer aware of these features, before they plunk down their dollars.
Chris Meech
I am Canadian. [heard in a local bar]
Remember that in Texas, Gun Control is hitting what you aim at. [Richard Stringer]
Nice sig! [Tim Deveaux on Matt Newman's sig with a quote from me]
|
I think it's more aimed at the MS example.
For example one of our products needs a key to activate it, but there are hidden ways to disable the key request. We use this in an emergency if we have a problem with activation for example. We realise it can be exploited by hackers, but then they'd probably just hack the activation anyhow, so there's little difference.
The activation works for the most part and in the rare cases when something goes wrong, we have a way out. We do it this way because we don't feel genuine customers should be penalised because something's gone wrong with the activation feature! It's bad enough they have to activate the damn thing in the first place!
--
The Obliterator
|
This is actually a pretty good example of my point. You have licensed software to customers and have not explained all of the software's functionality to them. Obviously I understand why. I just don't agree with it. If and when some of your customers learn of the ability to turn off activation, some of your customers are going to bolt. Seriously how do you expect that this secret will remain so?
Chris Meech
|
Why will they bolt? I don't understand.
It doesn't impact them in any way other than mean they can use the software without paying for it. If we advertised the secret they could do that anyway!
It's not like having a backdoor to get into their data without entering their password for example - that would impact the product and is something we don't do.
--
The Obliterator
|
Obliterator wrote:
Why will they bolt? I don't understand
Because they have paid for a feature, activation, which can be bypassed.
Obliterator wrote:
It's not like having a backdoor to get into their data without entering their password for example - that would impact the product and is something we don't do.
I agree. It's not a backdoor and so a data loss risk is not present.
But I still think it's like anything else you may purchase. If after you have forked over the dollars, you discover that you could have purchased the same product elsewhere for a lot less money, you would not be going back to the company that you purchased from. In your case, once your customers find out that the software can be activated without having to pay for an activation fee, they are going to be feeling the same way.
Chris Meech
|
Chris Meech wrote:
Because they have paid for a feature, activation
I would have hoped they were paying for the application and not the activation.
Regards,
Brian Dela
Blog^
Co-author of The Outlook Answer Book... Go on, pre-order^ it today!
Regular Expression Library builder^
|
I worked on updating a friend's website that had been developed by a reputable company. One of the pieces was a booking system that would email the details of the customer to their email address...and to the company who developed the application.
Essentially all the private information customers were giving to my friend's business was also being sent straight to the software company that built their site. I was gob-smacked.
cheers,
Chris Maunder
|
We've included overrides, switches, etc... but in our debug builds only; and these are often removed, or should be, prior to our actual release "just in case". Most of our switches, however, are not for security by-pass, but rather "feature" by-pass to enable/disable things (just in case something doesn't work right).
I'm guessing this is how most "switches" end-up "in the field" ... a developer adds one in for "testing" and fails to remove it ...
:..::. Douglas H. Troy ::..
Fold with us|Development Blogging|viksoe.dk's site
|
I voted for the last option, but I was frankly surprised to see the second last option garner a substantial percentage of votes.
So, those of you who voted No, unless you count the one I put in, what kind of a backdoor did you introduce?
Cheers,
Vikram.
http://www.geocities.com/vpunathambekar
"You still have the coolest name on CodeProject." — David Wulff to me.
|
I'm always analysing my code for any security issue. I've never included any security back-door I personally know about.
You should ask this question to Microsoft employees.
Don't try it, just do it!
|
You looking for some ideas? LOL
|
Seriously, though, No. My guess is that many people voted for that tongue-in-cheek.
Cheers,
Vikram.
|
Sometimes special users that have full access.
|
To bypass possibly lengthy security and logging routines for debugging.
I know it's probably not good but if MS can do it, so can I
Jon
|
We don't use any backdoors, although different keys can have different levels of access.
For obvious reasons I'm not going to say any more than that, other than that working on security stuff is challenging in a pretty unique way.
Anna
Riverblade Ltd - Software Consultancy Services
Anna's Place | Tears and Laughter
"Be yourself - not what others think you should be"
- Marcia Graesch
"Anna's just a sexy-looking lesbian tart"
- A friend, trying to wind me up. It didn't work.
|