[Asterisk-biz] A question about ethics, I suppose
Michael Giagnocavo
mgg-digium at atrevido.net
Thu May 26 10:40:52 MST 2005
>
>On Monday May 23 2005 19:04, Michael Giagnocavo spake:
>>
>> Even better is leaving a "secret" backdoor, that they AGREE to. Sure, if
>> they hire good enough people they can disable it. But at least it gives
>you
>> some level of security.
>>
>
>This is a BAD IDEA. We're quick to complain about security holes in others'
>software, aren't we? A secret back door won't remain secret for long.
Um, I think you misunderstand. Not a commercial, shipping, "Trojan"-like
backdoor. I'm referring to having a deactiviation, a killswitch, even as
simple as time bomb. I said "secret" (notice the quotes) because you tell
the client it's there.
I.e. "Client, the software has a time bomb and will deactivate in 15 days if
xxx is not received". Or "I have placed code in that allows me to turn it
off over the Internet for the beta code. As soon as payment is received for
the full production system, this will be removed."
Another option is simply making it a licensing system, and leaving pieces of
the system encrypted relying on a key. I've done that with a client I no
longer trusted (on very good grounds). I gave them the full source and
program on a CD with encryption. I wrote the key down on paper, and after
the checked cashed, I gave them the key.
Every circumstance is different (obviously you don't ship retail boxed
software this way!). So "secret" and "backdoor" as just terms for a wide
range of things, and are not necessarily security holes. However, I've found
the to be rather effective in ensuring a client doesn't get too "uppity" ;).
-Michael
More information about the asterisk-biz
mailing list