Friday, October 5, 2007

About "Backdoors" ...

Again, inspired by the PGP WDE Bypass Issue ...

I am not the only one in the world who uses the term "backdoor" in a generic, non-cryptographic, opposite of your-favorite-national-security-or-mafia-organization-is-going-to-get-you sort of way.

Here are several sources that are considered (at least somewhat) reputable:

Princeton's Wordnet:
"an undocumented way to get access to a computer system or the data it contains"
Wikipedia (supposedly the opinion of the general public, mind you):
"A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing remote access to a computer, obtaining covert access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program (e.g., Back Orifice), or could be a modification to an existing program and/or hardware device."
Search Security/Tech Target:
"A back door is a means of access to a computer program that bypasses security mechanisms."
F-Secure (in the context of malware):
"Backdoors are remote administration utilities that open infected machines to external control via the Internet or a local network."
Albany University's Information Security glossary:
"Normally installed by a virus or worm, a backdoor is an alternate method of accessing a system."
The Net Guy (whoever that is -- Google had his definition):
"A means of access to a computer system that bypasses security mechanisms, installed sometimes by an authorized person, sometimes by an attacker. Often installed by programs called Trojan horse programs."
And one of my favorite ones, in light of everything recently:
"Also called a trapdoor. An undocumented way of gaining access to a program, online service or an entire computer system. The backdoor is written by the programmer who creates the code for the program. It is often only known by the programmer. A backdoor is a potential security risk."

Search for yourself. While the use of the term may have prompted a media over-hype, I was not out of line in my word usage. [I removed the term from the parent post anyway, because I do not wish any harm to PGP as a company.] Rarely, if ever, is "backdoor" synonymous with paranoia surrounding an agency having access to your private keys, except ... perhaps ... maybe in a Slashdot thread.

UPDATED: Adobe's PDF vulnerability is a current event that illustrates how other people in the "security community" use the word "backdoor" beyond just mathematical-cryptographic access control bypasses.

