Lunduke
News • Science & Tech
The creator of UNIX built a Trojan Horse which let him log in to any UNIX machine.
And nobody knew about it for years.
May 05, 2024
post photo preview

Back in 1984, the Association for Computing Machinery presented Ken Thompson with a “Turing Award” for his many contributions to the world of computing.

And for good reason.

Ken worked on Multics, co-created UNIX, created multiple programming languages (Bon and B — which directly led to C), co-created the Plan 9 operating system, UTF-8, and on and on.  If anyone deserves an award for advancing computing... it's Ken Thompson.

But we’re not here today to talk about those extraordinary contributions to computing.

No, sir.

We’re here to talk… about his acceptance speech.

Because that speech revealed a truly fascinatin computer virus that Thompson had created years earlier… for the C compiler.  One which gave him a backdoor into UNIX itself.

The Speech

He titled his speech “Reflections on Trusting Trust”, and the basic premise is this:

“To what extent should one trust a statement that a program is free of Trojan horses? Perhaps it is more important to trust the people who wrote the software.”

To prove his point, Ken told the tale of how he had — years earlier — created what was, essentially, a computer virus that infected the C compiler (cc) and the UNIX login program.

Seriously.

This is real.

Ken could gain control of most UNIX systems

It worked, essentially, like this:

Ken modified cc (the C compiler on UNIX systems) so that — only when it was compiling UNIX’s “login” program — it would inject a small “backdoor” (into “login”) that would allow him to log in as any user on the system if he used a predefined “password”.

Which is, obviously, a pretty big security hole.

However…

That sort of "universall password" code would be likely to be found during even a rudimentary code review of the C compiler. Or, heck, even by any casual programmer who happened upon that section of the code.

What Ken did next was… devious.

Hiding his UNIX backdoor

He needed to make sure that, should anyone find his nefarious code in “cc”… that his backdoor would live on.

So he then added functionality to “cc” so that it would detect if it was compiling itself (because the C compiler was compiled… in the C compiler)… and insert code into the compiler that would add… itself.

Which means…

Even if the source code is removed from “cc” project… the code (for adding both the login backdoor and the “keep adding this to the C compiler” bits) would get “invisibly” injected into “cc” every time it got compiled by an already infected build of the compiler.

So… as long as there was an unbroken chain of using the C compiler from that point onward, the UNIX login backdoor was unlikely to be effectively removed.

Brutal.

According to Thompson:

“The actual bug I planted in the compiler would match code in the UNIX "login" command. The replacement code would miscompile the login command so that it would accept either the intended encrypted password or a particular known password. Thus if this code were installed in binary and the binary were used to compile the login command, I could log into that system as any user.”

The Moral of the story

As Ken Thompson put it…

“The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect.”

Did this make it out into the wild?

I know what you're thinking.  "Is this code still out there?  How many systems were impacted by this?"

What we know: This bit of naughty code was released to at least one machine (used by a UNIX support group). This has been confirmed by Ken, himself.

However, it is believed that the code went no further than that machine.

But... do we know for sure?

Do we actually have a high level of confidence that the modified “cc” and “login” went no further than that support group UNIX box?

No. No, we do not.

In fact, according to Eric S. Raymond

“[I have] heard two separate reports that suggest that the crocked login did make it out of Bell Labs, notably to BBN, and that it enabled at least one late-night login across the network by someone using the login name “kt”.”

BBN.  That's Raytheon.  A critical DARPA researcher -- one which was instrumental in the early days of ARPANET.  A huge amount of software came out of BBN.  Heck, even the first Text Adventure game came from there.

If UNIX machines at Raytheon BBN were infected... the possibility of infected versions of those files making it to other sites is incredibly high.

Truly wild

Which leads to a (rather amusing, and mildly terrifying) bit of historical trivia:

Ken Thompson — one of the co-creators of UNIX — intentionally created a trojan horse that infected both the C compiler and the “login” program of UNIX systems.

What’s more… it went undetected for years.  We wouldn't even have known about it, if he hadn't told us he created it.

And we truly have no clue how widespread that trojan became.

community logo
Join the Lunduke Community
To read more articles like this, sign up and join my community today
22
What else you may like…
Videos
Podcasts
Posts
Articles
Adobe Scaling Back DEI, Dropping Diversity Quotas

The Photoshop maker appears to be dramatically reducing their focus on Diversity, Equity, & Inclusion - which is making some Adobe employees very grumpy.

00:17:09
The Gov Defunded the CVE! And Then it Didn't! (It Gets Weirder.)

This story of how the Common Vulnerabilities & Exposures Database almost (supposedly) went offline is truly bizarre. Leaked Board Emails. A Billion Dollar Defense "Charity" and more.

00:21:53
Godot Game Engine Discord Adds Mandatory "Consent to Being Recorded" for Audio Chats

Remember when the Godot Game Engine mass banned Conservatives from their project? We'll they're back at it, now imposing potentially illegal audio recording "for moderation".

00:08:54
November 22, 2023
The futility of Ad-Blockers

Ads are filling the entirety of the Web -- websites, podcasts, YouTube videos, etc. -- at an increasing rate. Prices for those ad placements are plummeting. Consumers are desperate to use ad-blockers to make the web palatable. Google (and others) are desperate to break and block ad-blockers. All of which results in... more ads and lower pay for creators.

It's a fascinatingly annoying cycle. And there's only one viable way out of it.

Looking for the Podcast RSS feed or other links? Check here:
https://lunduke.locals.com/post/4619051/lunduke-journal-link-central-tm

Give the gift of The Lunduke Journal:
https://lunduke.locals.com/post/4898317/give-the-gift-of-the-lunduke-journal

The futility of Ad-Blockers
November 21, 2023
openSUSE says "No Lunduke allowed!"

Those in power with openSUSE make it clear they will not allow me anywhere near anything related to the openSUSE project. Ever. For any reason.

Well, that settles that, then! Guess I won't be contributing to openSUSE! 🤣

Looking for the Podcast RSS feed or other links?
https://lunduke.locals.com/post/4619051/lunduke-journal-link-central-tm

Give the gift of The Lunduke Journal:
https://lunduke.locals.com/post/4898317/give-the-gift-of-the-lunduke-journal

openSUSE says "No Lunduke allowed!"
September 13, 2023
"Andreas Kling creator of Serenity OS & Ladybird Web Browser" - Lunduke’s Big Tech Show - September 13th, 2023 - Ep 044

This episode is free for all to enjoy and share.

Be sure to subscribe here at Lunduke.Locals.com to get all shows & articles (including interviews with other amazing nerds).

"Andreas Kling creator of Serenity OS & Ladybird Web Browser" - Lunduke’s Big Tech Show - September 13th, 2023 - Ep 044

Which do you like better for the look of The Lunduke Journal?

The whole video in color... or Lunduke in Black & White (with the rest of the video in color)... or everything in Black & White.

Take a look at the samples, then vote.

I've found my next fun retro project! It's an idea I've been kicking around for ages, and with all this talk about people "getting pwned" and even friends and family getting hacked recently... I just want to be off-line more. More than that, I would like to use software that I actually know what it's doing. Software that doesn't require gigs of dependencies. Software that's simple, yet practical. Now on DOS, I use Vim... and it kinda stinks. The Backspace key doesn't work like on other systems, I don't see an easy replacement for th ".vimrc" file on Linux (and Windows), and seriously that infuriating BEEEEEP every time you do something it doesn't like. But the alternatives are Edit (which is awesome but has no word wrap), or a word processor like Word 5.5 or WordStar (which are also awesome but can't really do plain-text files). So... what the puck? Why not? I've kicked the idea around so much you'd think it was my punching bag. Time to actually play with coding it!

And ...

post photo preview

Yay SSL and TLS certs will have their validity reduced by 2029 to 47 days, or 10 days if you use DCV's!

Someone is going to be renewing SSL certs for their entire job by then I'm certain of it.

Grrrr 😠😠😠

https://www.theregister.com/2025/04/14/ssl_tls_certificates/

Support The Lunduke Journal (with Bitcoin matching through Friday!)

April has been an absolutely wild month so far — filled with leaks from Adobe, Red Hat, IBM, & Microsoft. Huge DEI-related Big Tech news. The works.

Many stories that not one other Tech News outlet has the cajones to cover honestly — Tech news stories which, without The Lunduke Journal, would never get told at all.

(And April is only half way over. Crazy!)

All of this is possible because of support from you. The Lunduke Journal never takes a dime from Big Tech. This allows The Lunduke Journal to cover any topic (and any Big Tech company) honestly… without fear of getting cancelled.

In order to pull off this feat (which is fairly unique in the world of Tech News), every month or so we run a two day pledge drive. Nothing crazy. Just a few discounts on subscriptions, send out a “hey, you should subscribe” email or two, and — boom — we remain independently funded and can afford to keep every single show 100% free from advertisements.

Pretty good deal, eh?

Well, this month we’ve got something extra cool.

Matched Bitcoin Donations

A very well known, and very awesome, nerd is offering to match all Bitcoin donations (and Bitcoin subscriptions) made over the next 48 hours. Up to a total of 1 BTC.

No strings attached. Other than, and I quote, “Just keep pissing them off.” (I’m also not allowed to breathe a word of his identity to anyone… which, if you knew who he was, you’d probably say, “Yeah, that’s a good idea.”)

Seriously.

If The Lunduke Journal brings in 1 BTC between now and 12:01am on this coming Saturday? He’s going to match that with another 1 BTC. Heck. Even if we only bring in a small fraction of a Bitcoin, it’s still a fantastic opportunity for The Lunduke Journal to get ahead on future funding.

So scroll down. Pick a way to contribute (if you haven’t already). Any option is fantastic (there’s a few discounts in there).

Of course, if you’ve got some Bitcoin burning a hole in your pocket, consider either making a one time BTC donation (or pick up a Lifetime Subscription with BTC). Because it gets doubled. And that is amazing.

Make a One Time Donation

Want to toss in a one-time donation to The Lunduke Journal? There’s a few great options!

Via BitCoin:

Send any amount of BTC to the following address:

bc1qyjakve8fywm8pz2v99v57yhjj0vzr2vjze6fcq

  • Email "bryan at lunduke.com" with to let us know it was you! You can choose to keep your donation anonymous if you prefer. (Either way, all BTC donations get included in the matching deal.)

Via Locals:

  1. Go to Lunduke.Locals.com/support.

  2. Click “GIVE ONCE”.

  3. Enter any amount you like.

Looking for a subscription? Scroll down for options!

50% Off Yearly Subscription:

50% off a Yearly subscription to The Lunduke Journal via both Locals and Substack. (This includes full access to the community Forum.)

That’s $2.25 per month. Pocket change.

The Famous Lifetime Subscription:

The "World Famous Lunduke Journal Lifetime Subscription" is exactly what it sounds like. Pay once and get full access to The Lunduke Journal. For life. A great way to support Big-Tech-Free Journalism.

(This includes full access to the community Forum.)

New Lifetime Subscriptions are available, for $200, from now through Friday, April 18th.

The Lifetime Subscription can be obtained via Locals, Substack, or using Bitcoin. All three options work great and are super easy.

How to get a Lifetime Subscription with Bitcoin:

You can obtain a Lifetime Subscription via Bitcoin. Save a few bucks with this option, as Bitcoin processing has fewer fees associated with it. (Plus this gets effectively doubled for the next two days.)

bc1qyjakve8fywm8pz2v99v57yhjj0vzr2vjze6fcq

  • Email "bryan at lunduke.com" with the following information: What time you made the transaction, how much was sent (in Bitcoin), and the email address you use (or plan to use) on Locals.com or Substack.com.

How to get a Lifetime Subscription via Locals:

  1. Go to Lunduke.Locals.com/support.

  2. Select "Give Once".

  3. Enter "200" into the amount field.

  4. After checking out, Lunduke will toss you an email once your account is set to full lifetime status. (This usually happens within a few hours.)

How to get a Lifetime Subscription via Substack:

  1. Go to Lunduke.Substack.com/subscribe.

  2. Select the “Lifetime Subscription” option.

  3. After checking out, Lunduke will toss you an email once your account is set to full lifetime status. (This usually happens within a few hours.)

If you would also like full, Lifetime access to Lunduke.Locals.com (which is included):

  1. Make a free account on Lunduke.Locals.com.

  2. Email “bryan at lunduke.com” with the email address you use on both Substack and Locals (can be different email addresses).

  3. Lunduke will toss you an email once your account is set to full lifetime status on Locals.

50% Off DRM-Free, MP4 Downloads:

Want to be able to download every show The Lunduke Journal releases (and watch them on whatever device you like)? Yeah. You can do that. For 50% off.

Note: This DRM-Free download option does not include access to the Forum. This option is strictly for downloading the episodes.

Once again:

The Lunduke Journal would not be possible without your support. Every subscriber, of every type, makes a massive difference in bringing Big-Tech-Free Tech Journalism to the world.

Thank you.

-Lunduke

Read full Article
Help The Lunduke Journal fight against the Tech Goliaths

The corrupt Tech Foundations of the world — WikiMedia, The Linux Foundation, Mozilla, and the rest — have received hundreds of Millions of dollars in donations. The Big Tech giants bring in Billions and Billions ever year.

And there is only one Tech News outlet that is pushing back against these woke, dirty organizations… The Lunduke Journal.

One nerdy David. Against an army of well-funded, woke Tech Goliaths.

Without your support, The Lunduke Journal would not exist.

And, without The Lunduke Journal, many Tech News stories simply would never be told.

From now, through Friday, March 28th, we are running The Lunduke Journal pledge drive.

Make a one time donation (with multiple options, including Bitcoin) — and help keep The Lunduke Journal publishing commercial free, Big-Tech-Free news.

Or grab a discounted subscription and get a few fun perks:

  • Access to the exclusive Forum.

  • Access to exclusive shows (such as Q & A’s).

  • Warm Fuzzy Feelings (tm) that you’re supporting truly independent Tech Journalism.

Scroll down to find the option that works bet for you. Give only what you are able. Together we will tell the Tech News stories that no other Tech News outlet has the guts cover — together we will hold these Tech Goliaths accountable.

Make a One Time Donation

Want to toss in a one-time donation to The Lunduke Journal? There’s a few great options!

Via BitCoin:

Send any amount of BTC to the following address:

bc1qyjakve8fywm8pz2v99v57yhjj0vzr2vjze6fcq

  • Email "bryan at lunduke.com" with to let us know it was you! You can choose to keep your donation anonymous if you prefer.

Via Locals:

  1. Go to Lunduke.Locals.com/support.

  2. Click “GIVE ONCE”.

  3. Enter any amount you like.

Looking for a subscription? Scroll down for options!

50% Off Yearly Subscription:

50% off a Yearly subscription to The Lunduke Journal via both Locals and Substack. (This includes full access to the community Forum.)

That’s $2.25 per month. Pocket change.

The Famous Lifetime Subscription:

The "World Famous Lunduke Journal Lifetime Subscription" is exactly what it sounds like. Pay once and get full access to The Lunduke Journal. For life. A great way to support Big-Tech-Free Journalism.

(This includes full access to the community Forum.)

New Lifetime Subscriptions are available, for $200, from now through Friday, March 28th.

The Lifetime Subscription can be obtained via Locals, Substack, or using Bitcoin. All three options work great and are super easy.

How to get a Lifetime Subscription via Locals:

  1. Go to Lunduke.Locals.com/support.

  2. Select "Give Once".

  3. Enter "200" into the amount field.

  4. After checking out, Lunduke will toss you an email once your account is set to full lifetime status. (This usually happens within a few hours.)

How to get a Lifetime Subscription via Substack:

  1. Go to Lunduke.Substack.com/subscribe.

  2. Select the “Lifetime Subscription” option.

  3. After checking out, Lunduke will toss you an email once your account is set to full lifetime status. (This usually happens within a few hours.)

If you would also like full, Lifetime access to Lunduke.Locals.com (which is included):

  1. Make a free account on Lunduke.Locals.com.

  2. Email “bryan at lunduke.com” with the email address you use on both Substack and Locals (can be different email addresses).

  3. Lunduke will toss you an email once your account is set to full lifetime status on Locals.

How to get a Lifetime Subscription with Bitcoin:

And, finally, you can obtain a Lifetime Subscription via Bitcoin. Save a few bucks with this option, as Bitcoin processing has fewer fees associated with it.

bc1qyjakve8fywm8pz2v99v57yhjj0vzr2vjze6fcq

  • Email "bryan at lunduke.com" with the following information: What time you made the transaction, how much was sent (in Bitcoin), and the email address you use (or plan to use) on Locals.com or Substack.com.

50% Off DRM-Free, MP4 Downloads:

Want to be able to download every show The Lunduke Journal releases (and watch them on whatever device you like)? Yeah. You can do that. For 50% off.

Note: This DRM-Free download option does not include access to the Forum. This option is strictly for downloading the episodes.

The Lunduke Journal would not be possible without your support. Every subscriber, of every type, makes a massive difference in bringing Big-Tech-Free Tech Journalism to the world.

This truly is the last bastion of independent Tech Journalism.

Thank you.

-Lunduke

Read full Article
February 24, 2025
post photo preview
12% of Tech Workers Believe macOS is Based on Linux
Over 70% believe in at least one common Myth of Computer History.

The following data was derived from the 2025 Tech Industry Demographic Survey, which included over 12,000 respondents -- from across companies and organizations throughout the Tech Industry -- surveyed during February of 2025.

 

Ready to have your mind blown?

According to those surveyed:

  • Nearly 12% believe that macOS is based on Linux.
  • Over 70% believe in at least one common Myth of Computer History.
  • The most commonly believed myth (at 52%) is the myth that "the first computer bug was a real bug (a moth)".

 

Those who took the survey were presented with 6 common (but debunked) computer history myths... and were asked to select the myths which they believed to be true and factual historical statements.

Here is the breakdown of how many believed in each myth.

 

 

One rather fascinating piece of data: Those percentages held steady for nearly every demographic group within the survey.

For example:

Roughly 12% of respondents who prefer Linux, believe macOS is based on Linux.  The same was true of Windows users, C / C++ programmers, and those who perfer the Firefox Web Browser... no matter what sub-group was looked at... that number stayed roughly steady (around 12%).

The one outlier appeared when I looked at how many myths a person says they believe in... grouped by generic political leanings (Left, Centrist, or Right Leaning).

 

Notice that the percentage of respondents who "Believe at least one myth" or "Believes 4+ myths" stays roughly consistent (with only mild variances) across all three political groupings.

But, if you look at the "Believes 3+ myths" data, there is an 8% spike among those who identify as "Left Leaning".

While all surveyed were likely to believe at least one myth, "Left Leaning" respondents were slightly more likely to believe up to 3 myths (of the 6 presented).

 

The Myths of Computer History

 

For those curious, here are the 6 myths included in the survey (with links to debunk each of them).  

 

Read full Article
See More
Available on mobile and TV devices
google store google store app store app store
google store google store app tv store app tv store amazon store amazon store roku store roku store
Powered by Locals