I deliberately leave a loophole in the code. Is it illegal?

This is a 「 Attacking Coder」 Of the 699  Article sharing

source ：Python Programming time

“

It is necessary to read this article 4 minute .

When I was shopping in Zhihu yesterday , See such a problem ：

I saw three very interesting answers , Share it with you .

The first is the answer to prevent the backdoor from being buried after the project is delivered without receiving the final payment ：

Answer master ： A maverick pig
link ：https://www.zhihu.com/question/531724027/answer/2487270093

In his early years, he did outsourcing projects for an enterprise , Customize one Android Systematic ROM. Development costs 16 ten thousand , One year maintenance cost 2 ten thousand .

The development cost is paid in three installments , Deposit 4 ten thousand , Production environment ROM deliver 8 ten thousand , Make the final payment after acceptance and delivery of the source code 4 ten thousand .

Production environment ROM Left a hand before delivery , Added timestamp verification , Mixed in the driver ,6 It cannot be turned on after months .

Sure enough , After that 4 The other party hasn't paid the balance for months , Obviously, there is nothing wrong with it , The source code is not intended , Maintenance costs are also saved . Every Dunning is prevaricated with various reasons .

It's over again. 2 Months , The buried thunder exploded , Their downstream customers began to complain . Only then can I get back the remaining money .

Don't bother to say the name of this company , A very famous company , It is estimated that many people have used their products .

If you don't keep this hand , It's estimated that you'll be dumbfounded , After all, lawsuits in Taiwan Province are hard to fight . under these circumstances , This is called self-protection , Not against the law .

This answer reminds me of my private job many years ago , The experience of disappearing after the software developed for others is delivered , When I was young , I don't know how to set a time limit ··· Don't say the , It's tears to say more .

Come back , It's really like this respondent to get a back door , Is it illegal , Answer the Lord, it doesn't count , We have to analyze the specific problems , Only when the court says , However, this practice is still more dangerous , Be careful .

How does the law define this kind of problem , Take a look at the big guys in the network security industry TK The answer of the Pope ：

Answer master ：tombkeeper
link ：https://www.zhihu.com/question/531724027/answer/2539891264

There is no law in China that only punishes the back door itself . The main reason is “ back door ” It is difficult to define objectively .

such as , Is the automatic update mechanism a backdoor ？ Is the hot patch mechanism a backdoor ？ Is the remote maintenance mechanism a backdoor ？ There is a problem with broadband at home , You call the customer service number of the operator , The operator can remotely adjust your optical cat —— Is this the back door ？

So now the law is dealing with issues related to backdoors , It is based on the use of behavior . You left the back door , Never use , Don't worry . Used to do bad things , Then you will be convicted and sentenced according to what bad things you have done .

The back door hidden in the code belongs to junior players , Let's see what the high-end back door looks like ：

Answer master ： sea
link ：https://www.zhihu.com/question/531724027/answer/2487130220

Ken Thompson At Bell Labs , He can always install on one Unix Hacking into someone else's account on your server , No matter how others change the account password, it's useless , At that time, IQ burst tables were gathered in Bell Labs 、 Scientists with excellent professional knowledge ,Ken Their behavior undoubtedly made them very unhappy .

Someone analyzed it Unix After the code of , Found the back door , Recompile and deploy Uinx, But the thing that made them collapse happened again ,Ken They can still hack into their accounts , This matter puzzled them .

Until 1983 year ,Ken Won the Turing prize , The secret was solved at the Conference , It turned out that the password back door was written by him C Compiler embedded , And the one at that time Unix Your machine must pass through this C The compiler can only run after compiling , So no matter unix How to modify it is useless , After all, it needs to be compiled .

It happened a few years ago Xcode Ghost event , It is operated in a similar way , So the black hole left by the real God , Ordinary people simply cannot prevent , Unless you meet the same God , And they told you where it was , It is possible to crack . This is why some units , People don't connect to the Internet , Because I don't know whether the installed system has any loopholes left by others .

Low level code level

Intermediate ones are on the tool chain

Advanced at the compiler level

Ultimately, inside the machine , This is simply impossible to prevent .

So be nice to programmers .

This reminds me of an incident that happened not long ago ： There are hacker organizations IDA Poison inside .IDA It is an important software for security personnel to conduct reverse analysis , Poison it , It belongs to those who engage in security by targeted attacks , It's beyond defense .

Ladies and gentlemen , Have you ever had the experience of hiding backdoors in your code , Let's talk about it in the comment area ？

End

Cui Qingcai's new book 《Python3 Web crawler development practice （ The second edition ）》 It's officially on the market ！ The book details the use of zero basis Python Develop all aspects of reptile knowledge , At the same time, compared with the first edition, it has added JavaScript reverse 、Android reverse 、 Asynchronous crawler 、 Deep learning 、Kubernetes Related content ,‍ At the same time, this book has obtained Python The father of Guido The recommendation of , At present, this book is on sale at a 20% discount ！

Content introduction ：《Python3 Web crawler development practice （ The second edition ）》 Content introduction

Scan purchase

You'd better watch it