

I found that the company I work for is putting backdoor into mobile phones - vgnet
http://security.stackexchange.com/q/15076/1061

======
edandersen
Delete the backdoor code, with a commit message saying you have removed a
security vulnerability. Watch them try to defend leaving the backdoor in the
system (favorite excuse I've heard is 'we need it for troubleshooting!') -
they can roll back the commit if they really want the backdoor in. Send out
resume.

~~~
eli
That seems kinda passive aggressive. Either complain through the proper
channels... Or don't. But being sneaky doesn't help your cause.

~~~
wpietri
That's not being sneaky at all; it's in the commit logs and he can announce
it. It's just shifting the burden of action back to the people who want the
vulnerability. In theory, the same. Practically, very different.

~~~
eli
It's obviously not just a regular commit and everyone involved would know
that. The commit log is not a proper place for a thinly veiled ethics
complaint.

If you think something is wrong, have the courage to say so directly, don't
hide behind a commit message.

~~~
wpietri
As both employee and employer, it's my view that all employees should do what
they see as the right thing by default.

Personally, I think the poster should make the change and _then_ announce it.
I'm not saying he should be cowardly. If anything, I think the cowardly choice
is to futz around trying to get an elusive consensus around doing the
responsible thing.

------
gouranga
Doesn't surprise me. In that circumstance, I'd quit via a letter to the
shareholders.

That's what I did when I worked for a large nefarious killing machine provider
when I had a Tony Stark moment, grew some balls and worked out what they were
doing was utterly wrong.

I informed them that I was bound by British law as well, which supersedes any
corporate rules and contracts.

------
nicholasreed
<http://news.ycombinator.com/item?id=3989800>

~~~
DigitalSea
Haha, I was about to point out that I submitted this a day ago as opposed to
this guy submitting it 6 hours ago...

------
JoachimSchipper
Devil's advocate: assuming the company already quietly installs updates, and
the backdoor is not secured worse than the auto-update mechanism, this does
not really give them additional capabilities. (Also, the phone likely already
has more serious vulnerabilities.)

Of course, this exchange does suggest bad things about the company's ethics
and competence.

~~~
lolcraft
The backdoor being called "backdoor" by this engineer already implies that it
is not nearly as secure as the auto-update mechanism: the content is not
signed by the company, it can't be disabled by the user, etc. I see no reason
not to trust OP's judgement.
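
The distinction the two comments above are drawing (an activation channel with no signature and no user opt-in, versus an update channel the vendor signs) can be shown concretely. The following is an added example, not code from the original post or from the company discussed; the message fields, the `WeakActivate`/`SafeActivate` handlers and the device model are all assumptions. It contrasts a handler that activates the assistant on any "activate" message with one that requires user consent, a valid vendor Ed25519 signature, a fresh timestamp and an unused nonce:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// ActivationRequest is a constructed model of a "remote assistant activate"
// message. The field names are assumptions for this example.
type ActivationRequest struct {
	DeviceID  string
	Action    string // "activate"
	IssuedAt  int64  // unix seconds
	Nonce     uint64
	Signature []byte // ed25519 over canonical(); the weak design ignores it
}

// Device models the phone-side state that matters for the check.
type Device struct {
	ID          string
	UserOptedIn bool              // user has enabled remote assistance
	VendorKey   ed25519.PublicKey // the only key the phone trusts
	seenNonces  map[uint64]bool
}

func NewDevice(id string, optedIn bool, vendorKey ed25519.PublicKey) *Device {
	return &Device{ID: id, UserOptedIn: optedIn, VendorKey: vendorKey, seenNonces: map[uint64]bool{}}
}

// canonical returns the exact bytes that are signed and verified.
func canonical(r ActivationRequest) []byte {
	var u [8]byte
	b := append([]byte(r.DeviceID), 0)
	b = append(b, []byte(r.Action)...)
	b = append(b, 0)
	binary.BigEndian.PutUint64(u[:], uint64(r.IssuedAt))
	b = append(b, u[:]...)
	binary.BigEndian.PutUint64(u[:], r.Nonce)
	return append(b, u[:]...)
}

// SignRequest is the vendor side: sign with the private key the phone never holds.
func SignRequest(priv ed25519.PrivateKey, r ActivationRequest) ActivationRequest {
	r.Signature = ed25519.Sign(priv, canonical(r))
	return r
}

// WeakActivate is the shape of the behaviour under discussion: any message that
// says "activate" turns the assistant on, with no consent check and no proof of
// who sent it.
func WeakActivate(d *Device, r ActivationRequest) bool {
	return r.Action == "activate"
}

var errUnauthorized = errors.New("unauthorized activation request")

// SafeActivate activates only when the user opted in, the request names this
// device, it carries a valid vendor signature, it is fresh, and its nonce is new.
func SafeActivate(d *Device, r ActivationRequest, now time.Time) error {
	if !d.UserOptedIn {
		return errors.New("user has not enabled remote assistance")
	}
	if r.Action != "activate" || r.DeviceID != d.ID {
		return errUnauthorized
	}
	if !ed25519.Verify(d.VendorKey, canonical(r), r.Signature) {
		return errUnauthorized
	}
	if age := now.Unix() - r.IssuedAt; age < -60 || age > 300 {
		return errors.New("stale or future-dated request")
	}
	if d.seenNonces[r.Nonce] {
		return errors.New("replayed request")
	}
	d.seenNonces[r.Nonce] = true
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	phone := NewDevice("phone-1", true, pub)
	req := ActivationRequest{DeviceID: "phone-1", Action: "activate", IssuedAt: now.Unix(), Nonce: 1}

	fmt.Println("weak handler, unsigned request:", WeakActivate(phone, req))
	fmt.Println("safe handler, unsigned request:", SafeActivate(phone, req, now))
	fmt.Println("safe handler, signed request:  ", SafeActivate(phone, SignRequest(priv, req), now))
	fmt.Println("safe handler, replayed request:", SafeActivate(phone, SignRequest(priv, req), now))
}
```

The consent flag is checked before anything cryptographic, so a correctly signed vendor request still does nothing on a phone whose owner never turned the feature on; the signature then settles who sent it, and the timestamp and nonce stop a captured request from being replayed later.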

------
goblin89
> I have found out recently that the remote assistant software that we put in
> smartphones we sell can be activated by us without user approval.

Maybe I'm missing something, but it says nothing about what might possibly
happen in case their remote assistant is remotely activated. Also it's unclear
how large their user base is. Everyone kind of assumes serious implications,
though.

IMO if this whole thing is true, it indicates that the company probably
doesn't have good QA and development process in place. Otherwise either such a
bug would not exist (most likely it was left for debugging purposes), or it
would really be a product of an evil intent (and hidden from uninitiated
developers).

------
facorreia
Seriously, is there any significant piece of hardware in stores nowadays that
doesn't have multiple backdoors from application level down to the very
microchips? Like [1].

[1] http://articles.businessinsider.com/2011-06-27/news/30048253_1_microchips-missiles-foreign-chip-makers

~~~
trafficlight
What's your point? That it's status quo so don't worry about it?

~~~
facorreia
My point is that this is outrageous.

There are so many instances of this, it seems each week we hear of another
backdoor like this[1].

[1] http://it.slashdot.org/story/12/04/26/1411229/backdoor-found-in-arcadyan-based-wi-fi-routers

------
ben1040
I wonder if it's this Verizon Remote Diagnostics tool that started getting
loaded onto a few phone models a couple months ago.

http://www.engadget.com/2012/03/20/verizon-updates-revolution-with-remote-diagnostics-htc-turns-to/

------
NonEUCitizen
contact EFF ? quit your job ?

------
naner
_We are not using this option, and it is probably there by mistake._

Aww, sweet innocence.

------
exim
Ask for partnership for not publicizing it :)

------
voxx
Please speak up. You should go to anybody and everybody you can and make your
concerns known. It's possible that the people above you don't even know, but
in the event they do, you should probably inform local news or someone.

I'm not saying that you should try to lose your job, but you should make your
disagreement known.

------
moron
I would disclose to a security firm that I felt was trustworthy and let things
go from there.

~~~
gouranga
I'd suggest pastebin rather than a security firm. Security firms will shop you
in 2 minutes if they feel it's profitable.

------
f45s8g2
Can't think of a catchy name for it, but maybe the StackExch team needs to
start a "Programmer Confessions" forum.

~~~
rmATinnovafy
A Codefessional?

I have one of those...

~~~
suborbital
Yeah, it's called #defocus

------
f45s8g2
Can we assume this company is not Huawei/ZTE?

~~~
drcube
He said it was remote desktop software.

~~~
dustywusty
No, he said it was "remote assistant" software in "mobile phones."

