Lunduke
News • Science & Tech
The creator of UNIX built a Trojan Horse which let him log in to any UNIX machine.
And nobody knew about it for years.
May 05, 2024
post photo preview

Back in 1984, the Association for Computing Machinery presented Ken Thompson with a “Turing Award” for his many contributions to the world of computing.

And for good reason.

Ken worked on Multics, co-created UNIX, created multiple programming languages (Bon and B — which directly led to C), co-created the Plan 9 operating system, UTF-8, and on and on.  If anyone deserves an award for advancing computing... it's Ken Thompson.

But we’re not here today to talk about those extraordinary contributions to computing.

No, sir.

We’re here to talk… about his acceptance speech.

Because that speech revealed a truly fascinatin computer virus that Thompson had created years earlier… for the C compiler.  One which gave him a backdoor into UNIX itself.

The Speech

He titled his speech “Reflections on Trusting Trust”, and the basic premise is this:

“To what extent should one trust a statement that a program is free of Trojan horses? Perhaps it is more important to trust the people who wrote the software.”

To prove his point, Ken told the tale of how he had — years earlier — created what was, essentially, a computer virus that infected the C compiler (cc) and the UNIX login program.

Seriously.

This is real.

Ken could gain control of most UNIX systems

It worked, essentially, like this:

Ken modified cc (the C compiler on UNIX systems) so that — only when it was compiling UNIX’s “login” program — it would inject a small “backdoor” (into “login”) that would allow him to log in as any user on the system if he used a predefined “password”.

Which is, obviously, a pretty big security hole.

However…

That sort of "universall password" code would be likely to be found during even a rudimentary code review of the C compiler. Or, heck, even by any casual programmer who happened upon that section of the code.

What Ken did next was… devious.

Hiding his UNIX backdoor

He needed to make sure that, should anyone find his nefarious code in “cc”… that his backdoor would live on.

So he then added functionality to “cc” so that it would detect if it was compiling itself (because the C compiler was compiled… in the C compiler)… and insert code into the compiler that would add… itself.

Which means…

Even if the source code is removed from “cc” project… the code (for adding both the login backdoor and the “keep adding this to the C compiler” bits) would get “invisibly” injected into “cc” every time it got compiled by an already infected build of the compiler.

So… as long as there was an unbroken chain of using the C compiler from that point onward, the UNIX login backdoor was unlikely to be effectively removed.

Brutal.

According to Thompson:

“The actual bug I planted in the compiler would match code in the UNIX "login" command. The replacement code would miscompile the login command so that it would accept either the intended encrypted password or a particular known password. Thus if this code were installed in binary and the binary were used to compile the login command, I could log into that system as any user.”

The Moral of the story

As Ken Thompson put it…

“The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect.”

Did this make it out into the wild?

I know what you're thinking.  "Is this code still out there?  How many systems were impacted by this?"

What we know: This bit of naughty code was released to at least one machine (used by a UNIX support group). This has been confirmed by Ken, himself.

However, it is believed that the code went no further than that machine.

But... do we know for sure?

Do we actually have a high level of confidence that the modified “cc” and “login” went no further than that support group UNIX box?

No. No, we do not.

In fact, according to Eric S. Raymond

“[I have] heard two separate reports that suggest that the crocked login did make it out of Bell Labs, notably to BBN, and that it enabled at least one late-night login across the network by someone using the login name “kt”.”

BBN.  That's Raytheon.  A critical DARPA researcher -- one which was instrumental in the early days of ARPANET.  A huge amount of software came out of BBN.  Heck, even the first Text Adventure game came from there.

If UNIX machines at Raytheon BBN were infected... the possibility of infected versions of those files making it to other sites is incredibly high.

Truly wild

Which leads to a (rather amusing, and mildly terrifying) bit of historical trivia:

Ken Thompson — one of the co-creators of UNIX — intentionally created a trojan horse that infected both the C compiler and the “login” program of UNIX systems.

What’s more… it went undetected for years.  We wouldn't even have known about it, if he hadn't told us he created it.

And we truly have no clue how widespread that trojan became.

community logo
Join the Lunduke Community
To read more articles like this, sign up and join my community today
22
What else you may like…
Videos
Podcasts
Posts
Articles
FreeBSD Dealing With Profane Anti-Jewish Contributor

Edward Tomasz, a FreeBSD contributor for over 18 years, advocates for the "hunting" of Jews and used the FreeBSD Wiki to spread hate. The FreeBSD Core Team has responded.

00:28:05
Canonical Responds to Sex Offender Employee Defacing GitHub Wiki

"We regret the remarks made by [our employee]", says Canonical (parent company of Ubuntu Linux). Regarding his assaults of children: "At the time of hire, [he] had served his sentence."

00:24:25
Is Linux a "Pedo Bar"?

Does the world of Linux and Open Source welcome and protect rapists, pedophiles, and general degenerates?

00:20:56
November 22, 2023
The futility of Ad-Blockers

Ads are filling the entirety of the Web -- websites, podcasts, YouTube videos, etc. -- at an increasing rate. Prices for those ad placements are plummeting. Consumers are desperate to use ad-blockers to make the web palatable. Google (and others) are desperate to break and block ad-blockers. All of which results in... more ads and lower pay for creators.

It's a fascinatingly annoying cycle. And there's only one viable way out of it.

Looking for the Podcast RSS feed or other links? Check here:
https://lunduke.locals.com/post/4619051/lunduke-journal-link-central-tm

Give the gift of The Lunduke Journal:
https://lunduke.locals.com/post/4898317/give-the-gift-of-the-lunduke-journal

The futility of Ad-Blockers
November 21, 2023
openSUSE says "No Lunduke allowed!"

Those in power with openSUSE make it clear they will not allow me anywhere near anything related to the openSUSE project. Ever. For any reason.

Well, that settles that, then! Guess I won't be contributing to openSUSE! 🤣

Looking for the Podcast RSS feed or other links?
https://lunduke.locals.com/post/4619051/lunduke-journal-link-central-tm

Give the gift of The Lunduke Journal:
https://lunduke.locals.com/post/4898317/give-the-gift-of-the-lunduke-journal

openSUSE says "No Lunduke allowed!"
September 13, 2023
"Andreas Kling creator of Serenity OS & Ladybird Web Browser" - Lunduke’s Big Tech Show - September 13th, 2023 - Ep 044

This episode is free for all to enjoy and share.

Be sure to subscribe here at Lunduke.Locals.com to get all shows & articles (including interviews with other amazing nerds).

"Andreas Kling creator of Serenity OS & Ladybird Web Browser" - Lunduke’s Big Tech Show - September 13th, 2023 - Ep 044
July 11, 2025

YouTube is targeting low effort and AI content for scrutiny. They will likely not be monetizable.

Good. Low effort reaction channels who steal content and AI mills should get nothing.

https://timesofindia.indiatimes.com/etimes/trending/youtubes-new-monetization-rules-what-changes-and-what-doesnt/articleshow/122348994.cms

16 hours ago

HiFi Moved Me to Tears

I have experienced HiFi for the first time in my life and it moved me to tears - literally. I have long read and watched reviews of HiFi equipment and listened to the descriptions and wondered - what am I missing? I have liked all my pedestrian gear and don’t have budget for much better - but is there anything actually going on with HiFi? Yes, yes there is. At least, and at last, I have experienced the minimal of HiFi with my new Hifiman Edition XS planar magnetic headphones. They debuted 4 years ago at $500ish and now go for $269. I bought my pair on Prime Day sale for $239. No $200 headphone sounds as good as a $1000 pair - but time marches on. These sound like what you needed to pay $1000 for five years ago.

The difference between these and any gear I’ve had before is both subtle and a leap. My Airpods Max have very nice sound as do my wired Phillips Fidelio X2HR’s. The latter being open back and optimized for great music listening experience, the former ...

post photo preview
July 10, 2025

Was That Amazing Video in Your Feed Real or AI? Tech Platforms Are Struggling to Let You Know
https://archive.ph/Y2jhE

"...
Kalshi, the prediction-market startup that lets people bet on current events and pop culture, ran an ad on YouTube TV during last month’s NBA Finals that was generated entirely with Veo 3, according to a Kalshi spokesman.

The ad, which depicts a series of gamblers enthusing about their bets, cost $2,000 to make and has accumulated 19 million views, the spokesman said.

By the time discerning viewers see an alien chugging beer at a college party, they may realize that nothing in the Kalshi ad is real. But it wasn’t labeled as AI.
...
Google says it automatically attaches small visual watermarks to nearly all content created with its Gemini app, which includes Veo; this content also includes digital metadata identifiers that can be used to automatically label it as AI. The ads from Kalshi and Coign appear to have run without any visual marks, however, and videos created with ...

50% off The Lunduke Journal (including Lifetime Subscriptions) for one more day!

To all of you amazing nerds who have signed up for a new Lunduke Journal subscription today, thank you! You make The Lunduke Journal possible!

If you haven’t snagged yours yet, the “50% off everything, even the Lifetime Subscriptions” deal is available today and tomorrow (through Saturday, May 31st).

  • 50% off Monthly — Now $3 / Month (was $6 / Month)

  • 50% off Yearly — Now $27 / Year (was $54 / Year)

  • 50% off Yearly MP4 Downloads — Now $27 / Year (was $54 / Year)

  • 50% off Lifetime Subscriptions — Now $100 (was $200)

All the details on how to grab each type of subscription is right here. There’s also an audio podcast and video of me rambling about it.

Once again, thank you for all of the support. It truly does make a difference.

-Lunduke

Read full Article
50% off The Lunduke Journal (including Lifetime Subscriptions) through Saturday!

About 3 weeks back we had a deal where every new subscription to The Lunduke Journal was 50% off. Monthly, Yearly, Lifetime… all of it.

And — holy cow! — was that a success. Broke the record for most new subscribers to The Lunduke Journal in a single day. By a mile. Two days in a row.

Never seen anything like it. The amount of support all of you showed for truly independent Tech Journalism was off the charts.

You know what? Let’s try that again. Now through the end of May (which is Saturday, May 31st — the day after tomorrow):

  • 50% off Monthly — Now $3 / Month (was $6 / Month)

  • 50% off Yearly — Now $27 / Year (was $54 / Year)

  • 50% off Yearly MP4 Downloads — Now $27 / Year (was $54 / Year)

  • 50% off Lifetime Subscriptions — Now $100 (was $200)

Choose whichever option feels right for you. All the details and links are below.

Every one — big or small — directly funds the work of The Lunduke Journal (with zero overhead). Every option includes full access to the community Forum. And, of course, every type of subscription keeps The Lunduke Journal ad-free and Big Tech free.

Remember: 50% off is only through Saturday, May 31st. The next day (Sunday, June 1st) the prices all go back to normal.

50% Off Yearly or Monthly Subscription:

50% off a Yearly or Monthly subscription to The Lunduke Journal are available via both Locals and Substack. (This includes full access to the community Forum.)

That means $3 / Month. Or $27 / Year (which works out to $2.25 / Month).

Via Lunduke.Locals.com:

Via Lunduke.Substack.com:

The Famous Lifetime Subscription:

The "World Famous Lunduke Journal Lifetime Subscription" is exactly what it sounds like. Pay once and get full access to The Lunduke Journal. For life.

Now, through Saturday, May 31st… you can snag one at a crazy discount. Normally these are $200… but you can grab one for $100. (You can also pay more if you’d like to donate a little extra.)

The Lifetime Subscription can be obtained via Locals, Substack, or using Bitcoin. All three options work great and are super easy. Scroll down and choose your option.

How to get a Lifetime Subscription via Locals:

  1. Go to Lunduke.Locals.com/support.

  2. Select "Give Once".

  3. Enter "100" (or more) into the amount field.

  4. After checking out, Lunduke will toss you an email once your account is set to full lifetime status. (This usually happens within a few hours.)

How to get a Lifetime Subscription via Substack:

  1. Go to Lunduke.Substack.com/subscribe.

  2. Select the “Lifetime Subscription” option.

  3. After checking out, Lunduke will toss you an email once your account is set to full lifetime status. (This usually happens within a few hours.)

If you would also like full, Lifetime access to Lunduke.Locals.com (which is included):

  1. Make a free account on Lunduke.Locals.com.

  2. Email “bryan at lunduke.com” with the email address you use on both Substack and Locals (can be different email addresses).

  3. Lunduke will toss you an email once your account is set to full lifetime status on Locals.

How to get a Lifetime Subscription with Bitcoin:

You can also obtain a Lifetime Subscription via Bitcoin.

bc1qyjakve8fywm8pz2v99v57yhjj0vzr2vjze6fcq

  • Email "bryan at lunduke.com" with the following information: What time you made the transaction, how much was sent (in Bitcoin), and the email address you use (or plan to use) on Locals.com or Substack.com (or both).

50% Off DRM-Free, MP4 Downloads:

Want to be able to download every show The Lunduke Journal releases (and watch them on whatever device you like)? Yeah. You can do that. For 50% off.

Note: This DRM-Free download option does not include access to the Forum. This option is strictly for downloading the episodes.

Make a One Time Donation

Subscription not enough (or not your thing)? Want to toss in a one-time donation to The Lunduke Journal? There’s a few great options!

Via BitCoin:

Send any amount of BTC to the following address:

bc1qyjakve8fywm8pz2v99v57yhjj0vzr2vjze6fcq

  • Email "bryan at lunduke.com" with to let us know it was you! You can choose to keep your donation anonymous if you prefer. (Either way, all BTC donations get included in the matching deal.)

Via Locals:

  1. Go to Lunduke.Locals.com/support.

  2. Click “GIVE ONCE”.

  3. Enter any amount you like.

You Make This Possible

A huge thank you to all of the subscribers who have made The Lunduke Journal possible. Because of you, we have been able to do true Tech Journalism — to tell the stories that no other Tech News outlet has the cajones to touch.

And to all of you new Lunduke Journal subscribers (which, wow, there’s a lot of you): Welcome to the last bastion of truly independent, Big-Tech-Free, ad-free, non-Woke Tech Journalism.

-Lunduke

Read full Article
50% off Monthly, Yearly Subscriptions! Lifetime Subs for $100! Let's get everyone subscribing to The Lunduke Journal!

The number of free subscribers to The Lunduke Journal has absolutely exploded — across a bunch of platforms — which is truly amazing. The real Tech News is spreading farther than ever.

In fact, the free subscriber growth is so utterly massive, that if even a tiny fraction of you became a paying subscriber… The Lunduke Journal would become comfortably financially set for a very long time. Able to continue reporting on Big Tech — and corrupt Tech Foundations — well into the future.

All without taking a penny from Big Tech.

With that in mind, let’s do something awesome… something that will make Big Tech really grumpy.

Let’s get as many people subscribing to The Lunduke Journal as possible. Right now. This week. Let’s make this Big-Tech-Free, Non-Woke Tech News publication financially set for a good, long time.

To give everyone a kick-in-the-butt to help make that happen, I’m going to discount absolutely every type of subscription in a crazy way — through Friday, May 9th.

  • %50 off Monthly — Now $3 / Month (was $6 / Month)

  • %50 off Yearly — Now $27 / Year (was $54 / Year)

  • %50 off Yearly MP4 Downloads — Now $27 / Year (was $54 / Year)

  • %50 off Lifetime Subscriptions — Now $100 (was $200)

That Lifetime Subscription one is crazy.

Seriously. Make a one-time donation of $100, and be subscribed to The Lunduke Journal… for life. (This includes full access to the community Forum.)

If even 1% of the new free subscribers who have joined in the last month take advantage of this… The Lunduke Journal will be fully funded through the end of this year. And then some.

Let’s make it happen. Scroll down. Pick which ever subscription type works best for you. Then high-five yourself for making Big Tech grumpy.

Just be sure to do it by the end of the day on Friday, May 9th. The prices all go back to normal after that.

50% Off Yearly or Monthly Subscription:

50% off a Yearly or Monthly subscription to The Lunduke Journal are available via both Locals and Substack. (This includes full access to the community Forum.)

That means $3 / Month. Or $27 / Year (which works out to $2.25 / Month).

Via Lunduke.Locals.com:

Via Lunduke.Substack.com:

The Famous Lifetime Subscription:

The "World Famous Lunduke Journal Lifetime Subscription" is exactly what it sounds like. Pay once and get full access to The Lunduke Journal. For life.

And now, through Friday, May 9th… you can snag one at a crazy discount. Normally these are $200… but you can grab one for $100. (You can also pay more if you’d like to donate a little extra.)

The Lifetime Subscription can be obtained via Locals, Substack, or using Bitcoin. All three options work great and are super easy. Scroll down and choose your option.

How to get a Lifetime Subscription via Locals:

  1. Go to Lunduke.Locals.com/support.

  2. Select "Give Once".

  3. Enter "100" (or more) into the amount field.

  4. After checking out, Lunduke will toss you an email once your account is set to full lifetime status. (This usually happens within a few hours.)

How to get a Lifetime Subscription via Substack:

  1. Go to Lunduke.Substack.com/subscribe.

  2. Select the “Lifetime Subscription” option.

  3. After checking out, Lunduke will toss you an email once your account is set to full lifetime status. (This usually happens within a few hours.)

If you would also like full, Lifetime access to Lunduke.Locals.com (which is included):

  1. Make a free account on Lunduke.Locals.com.

  2. Email “bryan at lunduke.com” with the email address you use on both Substack and Locals (can be different email addresses).

  3. Lunduke will toss you an email once your account is set to full lifetime status on Locals.

How to get a Lifetime Subscription with Bitcoin:

You can also obtain a Lifetime Subscription via Bitcoin.

bc1qyjakve8fywm8pz2v99v57yhjj0vzr2vjze6fcq

  • Email "bryan at lunduke.com" with the following information: What time you made the transaction, how much was sent (in Bitcoin), and the email address you use (or plan to use) on Locals.com or Substack.com.

50% Off DRM-Free, MP4 Downloads:

Want to be able to download every show The Lunduke Journal releases (and watch them on whatever device you like)? Yeah. You can do that. For 50% off.

Note: This DRM-Free download option does not include access to the Forum. This option is strictly for downloading the episodes.

Make a One Time Donation

Subscription not enough (or not your thing)? Want to toss in a one-time donation to The Lunduke Journal? There’s a few great options!

Via BitCoin:

Send any amount of BTC to the following address:

bc1qyjakve8fywm8pz2v99v57yhjj0vzr2vjze6fcq

  • Email "bryan at lunduke.com" with to let us know it was you! You can choose to keep your donation anonymous if you prefer. (Either way, all BTC donations get included in the matching deal.)

Via Locals:

  1. Go to Lunduke.Locals.com/support.

  2. Click “GIVE ONCE”.

  3. Enter any amount you like.

You Make This Possible

A huge thank you to all of the subscribers who have made The Lunduke Journal possible. Because of you, we have been able to do true Tech Journalism — to tell the stories that no other Tech News outlet has the cajones to touch.

And to all of you new Lunduke Journal subscribers: Welcome to the last bastion of truly independent, Big-Tech-Free, ad-free, non-Woke Tech Journalism.

-Lunduke

Read full Article
See More
Available on mobile and TV devices
google store google store app store app store
google store google store app tv store app tv store amazon store amazon store roku store roku store
Powered by Locals