Chad Perrin: SOB

3 July 2007

Quicken: an example of proprietary, closed source software security.

Filed under: Security — apotheon @ 11:22

Russian password recovery tool developer Elcom has discovered a back door in Intuit’s Quicken software. Of all the application types that should not have built-in security vulnerabilities like secret “back doors”, I’d think financial software like Quicken would be near the top of the heap — but Intuit seems to disagree. Of course, Intuit’s password removal service for people who have locked themselves out of their software seems like a legitimate use for this back door, but the fact that the back door provides more than simple password removal capability seems suspicious, as does the fact that Intuit concealed the back door’s existence before Elcom found it.

In case you’re one of those people always inclined to believe in a corporate conspiracy to act in the customer’s best interests, I’ll enumerate some of the implications of something like this:

  1. This gives unauthorized people — at Intuit and in the federal government, for instance — access to your confidential financial data.
  2. It’s an intentionally built-in security vulnerability. If the backdoor exists, someone outside of Intuit can find it and use it — someone other than people you’d trust with that information, such as a malicious security cracker looking to make money with your financial data.
  3. Intuit has been deceiving its customers for at least four years now. The intent was obviously not to provide password recovery for its customers, because while they do provide a password removal service, they don’t tell anyone that the backdoor allows them far more access to the software’s functionality than simple password removal.

Sadly, this shouldn’t be a surprise to anyone. Quicken is closed source, proprietary software provided by a corporate vendor. The implications of that state of affairs should be obvious:

  • The fact that Intuit is a publicly-traded corporate business entity means that you cannot trust the company to act in your best interest. Even if the people in charge this year are trustworthy (which you really have no way of knowing), the people in charge two years from now may be completely different people, and completely untrustworthy. That’s the nature of corporations, and there’s nothing to be done about it unless you find some way to get your software from non-corporate vendors/developers whose nature is not so mercurial from one year to the next due to executive turnover and regularly reshuffling the board of directors. Furthermore, the separation of actors in business from the legal consequences of their actions by corporate law reduces the motivation to avoid unscrupulous behavior, as does Intuit’s dominant position in the financial records application market.
  • The fact that Quicken is closed source, proprietary software is relevant to the fact that, with closed-source software, it’s exceedingly difficult (if not effectively impossible) to be sure that you’re not getting lied to by the software vendor. Furthermore, attempts to discern the inner workings of the software for the purpose of discovering how trustworthy it is have been rendered largely illegal by the Digital Millennium Copyright Act in the United States. Open source software, among other benefits, ensures that any reasonably popular software has enough eyes on it that the vendor/developer can’t expect to get away with back doors, rootkits, and other reprehensible “features” in their software — the way vendors like Sony (remember the rootkit?) and Intuit can. Consider this: for each piece of closed source software in which we (the public) find back doors, rootkits, and other built-in security vulnerabilities, we don’t know how many exist that we don’t find. We do, however, have a pretty good idea how many are in open source software — none.

Keep that in mind when choosing software that manages your confidential data, such as financial records.


  1. Interesting post. Do you know any open source alternatives to Quicken?

    Comment by Jeff Johnson — 3 July 2007 @ 01:23

  2. Sure . . . depending on your exact needs. Check into:

    My personal favorite (since I have fairly simple needs for personal accounting software) is HomeBank, though I’m growing more curious about Ledger too. There’s also a slim little checkbook balancing program called CBB that might be worth looking into, if that’s all you need.

    Comment by apotheon — 3 July 2007 @ 02:37

  3. Cool. Going to check those out. Thanks!

    Comment by Jeff Johnson — 3 July 2007 @ 03:19

  4. Glad I could help. I’d appreciate it if you’d share your experiences with me as you try things out.

    Comment by apotheon — 3 July 2007 @ 04:48

  5. […] If they won’t trust you with their code, maybe you shouldn’t trust them with your money. […]

    Pingback by Chipping the web - Sterling -- Chip’s Quips — 4 July 2007 @ 03:46


All original content Copyright Chad Perrin: Distributed under the terms of the Open Works License