Monday, December 30, 2013

On Features, Bugs, and Trapdoors

John Stewart of Cisco posted a very interesting blog entry discussing the differences among features, bugs, and backdoors. He categorizes them by intent (features and backdoors are intentional, whereas bugs are not) and transparency (features are disclosed to customers “at the start”, bugs are disclosed after being identified, and backdoors are not disclosed). This raises an interesting point about third parties.

Suppose a company builds a product using supplies obtained from a third party (the “supplier”). That supplier inserts something into the software (or hardware) allowing them access to the computer on which it is used. This is a backdoor to that supplier. But how would we classify it, using John’s categories?

In this case, the company and their customer are in effect both “customers” of the supplier. But the company is an intermediary, which makes it both customer and company in the sense that John is talking about. So, the supplier might disclose a feature of its product to the company, which may not disclose that feature to the customer (perhaps it is not something that the customer needs to know, or the company thinks it unimportant). What is it — a feature, bug, or backdoor?

In this case, I think you need to have two answers: one for the supplier-to-company relationship (in which the company plays the role of customer) and one for the company-to-customer relationship. Unfortunately, the ultimate customer must rely on the company to protect him or her. And the company must rely on the supplier to protect it and its customers.

What makes this really tricky is when the “third party” is neither the supplier nor the company and does not disclose the change to anyone. If someone else (the “interceptor”) changes the product on its way to the company (or from the company on the way to the customer), then the change is completely unintentional on the supplier’s or company’s part, but quite intentional on the third party’s part. So, which is it — a feature, bug, or backdoor?

This is most likely not an academic question, as some government agencies have been accused of doing this. The current accusation making headlines is that the U.S. National Security Agency can do this.

Probably the simplest way to handle this is to look at these terms from the point of view of the customer. In this case, the interceptor’s addition is not a feature (as it is not transparent to the end customer), nor is it a bug (as some entity made the change quite intentionally). So it is a backdoor. But this analysis is unfair to the supplier and the company, as they did nothing intentionally. So again, to them too, it is a backdoor, and they are as much victims as the customer.