Chad Perrin: SOB

3 July 2007

Quicken: an example of proprietary, closed source software security.

Filed under: Security — apotheon @ 11:22

Russian password recovery tool developer Elcom has discovered a back door in Intuit’s Quicken software. Of all the application types that should not have built-in security vulnerabilities like secret “back doors”, I’d think financial software like Quicken would be near the top of the heap — but Intuit seems to disagree. Of course, Intuit’s password removal service for people who have locked themselves out of their software seems like a legitimate use for this back door, but the fact that the back door provides more than simple password removal capability seems suspicious, as does the fact that Intuit concealed the back door’s existence before Elcom found it.

In case you’re one of those people always inclined to believe in a corporate conspiracy to act in the customer’s best interests, I’ll enumerate some of the implications of something like this:

  1. This gives unauthorized people — at Intuit and in the federal government, for instance — access to your confidential financial data.
  2. It’s an intentionally built-in security vulnerability. If the backdoor exists, someone outside of Intuit can find it and use it — someone other than people you’d trust with that information, such as a malicious security cracker looking to make money with your financial data.
  3. Intuit has been deceiving its customers for at least four years now. The intent was obviously not to provide password recovery for its customers, because while they do provide a password removal service, they don’t tell anyone that the backdoor allows them far more access to the software’s functionality than simple password removal.

Sadly, this shouldn’t be a surprise to anyone. Quicken is closed source, proprietary software provided by a corporate vendor. The implications of that state of affairs should be obvious:

  • The fact that Intuit is a publicly-traded corporate business entity means that you cannot trust the company to act in your best interest. Even if the people in charge this year are trustworthy (which you really have no way of knowing), the people in charge two years from now may be completely different people, and completely untrustworthy. That’s the nature of corporations, and there’s nothing to be done about it unless you find some way to get your software from non-corporate vendors/developers whose nature is not so mercurial from one year to the next due to executive turnover and regularly reshuffling the board of directors. Furthermore, the separation of actors in business from the legal consequences of their actions by corporate law reduces the motivation to avoid unscrupulous behavior, as does Intuit’s dominant position in the financial records application market.
  • The fact that Quicken is closed source, proprietary software is relevant because, with closed-source software, it’s exceedingly difficult (if not effectively impossible) to be sure that you’re not getting lied to by the software vendor. Furthermore, attempts to discern the inner workings of the software for the purpose of discovering how trustworthy it is have been rendered largely illegal by the Digital Millennium Copyright Act in the United States. Open source software, among other benefits, ensures that any reasonably popular software has enough eyes on it that the vendor/developer can’t expect to get away with back doors, rootkits, and other reprehensible “features” in their software — the way vendors like Sony (remember the rootkit?) and Intuit can. Consider this: for each piece of closed source software in which we (the public) find back doors, rootkits, and other built-in security vulnerabilities, we don’t know how many exist that we don’t find. We do, however, have a pretty good idea how many are in open source software — none.

Keep that in mind when choosing software that manages your confidential data, such as financial records.

I’m guest-blogging at Ameliorations.

Filed under: Metalog — apotheon @ 11:00

In case anyone is just that interested in reading everything I write, I’m now guest-blogging at Ameliorations as well as maintaining SOB. I know that I don’t always keep up a steady stream of new material here, and it might seem like guest-blogging somewhere else would reduce my weblog authoring activities somewhat so that things slow down even more. I’m going to try to make sure that I actually increase my average posting rate here while I’m guest-blogging at Ameliorations, just to make sure that doesn’t happen.

I’m thinking of you, my readers, y’see. Really.

My first post there is called attention, good and bad. It starts with a vanity tour of the positive attention SOB has gotten lately, then dives into the kind of attention one has to give to prospective employers when one is in the job market looking for a new source of filthy lucre. Hopefully, you’ll enjoy it, or at least learn something from it.

All original content Copyright Chad Perrin: Distributed under the terms of the Open Works License