23

This is a followup to the comments in this question. Thanks to Oddthinking for bringing up the issue.

Ken Thompson gave a famous speech upon receiving an award titled "Reflections on Trusting Trust". In the speech, he described inserting an almost impossible to detect trojan horse in the C compiler and the login command.

Although the paper is written as if the whole thing was a gedanken experiment, there is little doubt (I think) that Ken really implemented the artifact. In his own words in that paper: "I would like to present to you the cutest program I ever wrote".

Moreover, there are a lot of sources and folklore in the Internet suggesting that the thing was not only written, but also distributed. Is there any statement made by the author explicitly denying (or accepting!) that?

Dr. belisarius
  • The [Jargon File](http://www.catb.org/jargon/html/B/back-door.html) (not peer-reviewed and with no references) claims "Ken Thompson has since confirmed that this hack was implemented and that the Trojan Horse code did appear in the login binary of a Unix Support group machine. Ken says the crocked compiler was never distributed. Your editor has heard two separate reports that suggest that the crocked login did make it out of Bell Labs, notably to BBN, and that it enabled at least one late-night login across the network by someone using the login name “kt”." – Oddthinking Sep 28 '11 at 15:44
  • I should add: I am not yet convinced, but I am at least open to being convinced. – Oddthinking Sep 28 '11 at 15:55
  • @Odd I've read that article before, but I thought it was a joke ... – Dr. belisarius Sep 28 '11 at 15:59
  • @Odd Regarding your mind-openness: That is the way to go, of course! – Dr. belisarius Sep 28 '11 at 16:01
  • I don't know there is any way to be sure that the login hack was the Ken Thompson Code rather than someone who created something that duplicated the effects. While effectively the same thing the implications would be far worse if it were the KTC that was released. – Chad Sep 28 '11 at 17:32
  • @Chad That is why I asked if KT made a statement about that, and not if the (eventually released) trojan was his. – Dr. belisarius Sep 28 '11 at 17:42

1 Answer

31

According to Ken Thompson, he built the compiler that did this, and never distributed it.

From: Ken Thompson <ken@google.com>
Date: Wed, Sep 28, 2011 at 6:27 PM
Subject: Re: Was compiler from "Reflections" ever built or distributed?
To: Ezra Lalonde <ezra@usefuliftrue.com>


build and not distributed.

On Wed, Sep 28, 2011 at 11:35 AM, Ezra Lalonde <ezra@usefuliftrue.com> wrote:
> Hi Ken,
>
> I've seen various sources on the internet claiming that the "trojan horse"
> compiler you mentioned in your talk "Reflections on Trusting Trust" was
> actually built, and some further claiming that it was distributed.
>
> I'd like to know if these claims are valid.
>
> Thanks for your time.
>
> Cheers,
> Ezra Lalonde
Ezra
  • I think this is an absolute and definitive answer. Congratulations for your initiative (going up to the real source) – Dr. belisarius Sep 29 '11 at 22:47
  • Wow, I happily concede I was totally wrong. I love it when I am proved wrong! – Oddthinking Sep 30 '11 at 01:23
  • @ezra - If it was distributed and being exploited do you think that he would tell you? That was the whole point of his lecture. – Chad Sep 30 '11 at 17:08
  • @Chad As with any event without known consequences, you could only speculate. That was the reason of the detailed question writing: `Is there any statement made by the author explicitly denying (or accepting!) that?` – Dr. belisarius Sep 30 '11 at 18:37
  • It would be fairly trivial to implement such a thing, even if he did not write one. – forest Jan 17 '21 at 05:42