Security and back doors

The other day I was talking to one of our new Program Managers who comes from a computer security company.  I jokingly said to him "Great!  We use your products, now you can tell us all the back doors to get around your product’s security process."  He replied "There are no back doors, that’s how keep everything secure."  Of course, that’s the way things should be.

Contrast this with the Star Wars Expanded Universe.  I read Timothy Zahn’s Thrawn trilogy many years ago, and one of the characters in the book is Mara Jade, formerly an assistant to the Emperor.  Anyway, one day she is sneaking around in a Star Destroyer and has to access a few rooms.  She happens to know some secret codes that the Emperor had hard-coded into the Star Destroyers.  The theory was that in the event of a coup, the Emperor would not be held hostage to someone changing the security codes on him and that he could always access anywhere he wanted.  Because he had a secret security code hard-coded into the mainframe, he had the ultimate security key so long as he kept it secret.

In a way, I can sympathize with the Emperor.  If I need access to something I don’t want to be locked out in the event I lose my key (such as me forgetting a password) or somehow the password file gets corrupted.  Of course, in the event I become an evil super villain I wouldn’t want one of my henchmen to double-cross me either and lock me out of my own evil super computer system. 

On the other hand, hard-coding a secret code (ie, a back door) is clearly a major security flaw because nobody can keep a secret like this forever.  The fact that Mara Jade knew about the secret code meant that it wasn’t a secret.  Security is only as effective as the people keeping its secrets and if Watergate proved anything, people aren’t very good at it all.  It’s even worse in the case of hard coding it.  If that ever got out you may as well not have any security at all.

Comments (1)

  1. A couple of weeks ago, I posted three posts about security and back doors.  My point was that in