Changing Religion

Steve Jenkin sjenkin at
Wed Mar 6 12:47:03 EST 2002

The 'self-replicating trojan' is no myth.
Ken Thompson added code to a C compiler that recognised 'login' and
added assembler code so he could always log in [as root?].
He then added code that did the same for the compiler & hid the 'login'
And then removed the hacks from the compiler source - so the insertions
replicate in the executable 'cc', but can't be found by code inspection.
[Nor could you devise a test for the backdoor in the login program.]

His paper (1983) is called 'Reflections on Trusting Trust'.
His conclusion: If you didn't create the whole thing, you can't really
trust it.


Sam Couter <scouter at> wrote:

> Date: Mon, 4 Mar 2002 21:38:28 +1100
> From: 
> To: linux <linux at>
> Subject: Re: Changing Religion
> It doesn't really matter though, I'm not really a fan of Pascal, so I'm
> not likely to use the compiler. I only asked out of interest, and
> because I recommend caution when downloading binaries. The old urban
> myth about Dennis Ritchie's (??) self-replicating trojan in the compiler
> comes to mind. Check the Jargon File for "back door":
> Be careful... One entry leads to another, and before you know it you've
> wasted a whole afternoon reading parts of the Jargon file and wetting
> yourself laughing.
> --
> Sam "Eddie" Couter  |  mailto:scouter at
> Debian Developer    |  mailto:eddie at
>                     |  jabber:sam at
> OpenPGP fingerprint:  A46B 9BB5 3148 7BEA 1F05  5BD5 8530 03AE DE89 C75C

Steve Jenkin, Unix Sys Admin
PO Box 48, Kippax, ACT 2615
0412 786 915
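
A toy model of the mechanism described in the message above, added here as an illustration; it is not code from Thompson's paper or from either poster. "Source" is Python text, a "binary" is the namespace `exec()` produces, and every name and value (`MASTER`, `LOGIN_SRC`, `CC_SRC`, the function names) is constructed for the example.

```python
# Toy model only: all names and values below are constructed assumptions.
MASTER = "constructed-master-pw"

LOGIN_SRC = '''
USERS = {"root": "s3cret"}
def login(user, password):
    return USERS.get(user) == password
'''

CC_SRC = '''
def cc(source):
    namespace = {}
    exec(source, namespace)
    return namespace
'''

def honest_cc(source):
    """Trusted compiler binary: translates exactly what the source says."""
    namespace = {}
    exec(source, namespace)
    return namespace

def tainted_cc(source):
    """Compiler binary carrying both insertions; its published source is CC_SRC."""
    namespace = honest_cc(source)
    if "def login(" in source:          # recognises the login program
        real = namespace["login"]
        namespace["login"] = lambda u, p: p == MASTER or real(u, p)
    if "def cc(" in source:             # recognises the compiler itself
        namespace["cc"] = tainted_cc    # re-inserts itself into the new binary
    return namespace

def rebuild(cc_binary, generations):
    """Recompile the clean compiler source with its own output, repeatedly."""
    for _ in range(generations):
        cc_binary = cc_binary(CC_SRC)["cc"]
    return cc_binary

def source_is_clean():
    """What a code inspection sees: neither source mentions the backdoor."""
    return MASTER not in LOGIN_SRC and MASTER not in CC_SRC

def backdoor_present(cc_binary):
    """Only possible here because the model knows MASTER; an auditor would not."""
    return cc_binary(LOGIN_SRC)["login"]("root", MASTER)

if __name__ == "__main__":
    print("sources clean:", source_is_clean())
    print("honest chain :", backdoor_present(rebuild(honest_cc, 3)))
    print("tainted chain:", backdoor_present(rebuild(tainted_cc, 3)))
```

The sources pass inspection in both chains; only the lineage of the compiler binary used for the first build decides whether the resulting `login` is trustworthy.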
