The main reason I assumed you didn't is because you linked to Hanlon's Razor and explained it in a way that made it seem like you didn't think the other person knew.
I think it's true to some extent that a lot of the backdoors really are just stupidity, like debugging tools put into prod for convenience. Rather than suggesting that it is genuine malice, maybe the right thing to say is that for security, it doesn't matter whether or not it is malice for most purposes. If it did, it would give more incentive to do as much as possible to disguise malicious backdoors as mistakes.
It's because you (like me) aren't quite as paranoid as security people are. Personally I couldn't sleep at night if I was security people.
It's really a matter of context. Security people tend to only be involved when things are already nefarious where as boring old normal people like us see get to see the mundane everyday mistakes so not just the nefarious bits.
> It's because you (like me) aren't quite as paranoid as security people are.
I work heavily with security-conscious clients where vulnerabilities would be catastrophic. And we are talking high profile clients that are juicy target for attacks.
My experience is still that the vast majority of vulnerabilities are accidental rather than due to malice.
And when I say “vast”, I mean the so heavily slanted in favour of “unintended” that it’s not even comparable.
> It's really a matter of context. Security people tend to only be involved when things are already nefarious
I’m guessing you’ve not worked with many “security people”?
You’d be surprised how much of their day-to-day is mundane.
I'm a security people. I can say with confidence that a tiny, tiny, tiny, tiny fraction of these security issues are deliberate. Almost all of them are just dumb mistakes because making good software is really hard and really, really expensive and there is no market incentive to make good software. You don't need to get hired at the safe factory to build an elaborate back door into the production line if safes are actually just cardboard boxes, you know?
It's possible the backdoor is deliberate, I have no idea in this particular case, but the more likely situation, absent more information, is that someone who is earning a middling wage just added the "feature" and didn't think about the security implications because no one cares about computer security.
Maybe it's time to take a closer look at reality and correct this meme, which might casually blur the issue and deflect responsibility?
Looking at the IT security landscape we see every layer, every product category if not every product itself riddled with issues at one point or another. At the same time the incentives to put those security issues in are huge, and we know attackers work systematic, creative and persistent to introduce those weak points.
Security is hard and many bugs certainly happen due to mistakes, but I wouldn't assume that all of those security mishaps stem from an endless series of blunders from "stupid" programmers.
So I would go with “Never attribute to ignorance that which is adequately explained by malice.”
The main reason I assumed you didn't is because you linked to Hanlon's Razor and explained it in a way that made it seem like you didn't think the other person knew.
I think it's true to some extent that a lot of the backdoors really are just stupidity, like debugging tools put into prod for convenience. Rather than suggesting that it is genuine malice, maybe the right thing to say is that for security, it doesn't matter whether or not it is malice for most purposes. If it did, it would give more incentive to do as much as possible to disguise malicious backdoors as mistakes.
His point is that in security, the opposite applies. The supposed "incompetence" is just plausible deniability for a malicious act.
Yes, and my point is that hasn’t been the case in my experience.
It's because you (like me) aren't quite as paranoid as security people are. Personally I couldn't sleep at night if I was security people.
It's really a matter of context. Security people tend to only be involved when things are already nefarious where as boring old normal people like us see get to see the mundane everyday mistakes so not just the nefarious bits.
> It's because you (like me) aren't quite as paranoid as security people are.
I work heavily with security-conscious clients where vulnerabilities would be catastrophic. And we are talking high profile clients that are juicy target for attacks.
My experience is still that the vast majority of vulnerabilities are accidental rather than due to malice.
And when I say “vast”, I mean the so heavily slanted in favour of “unintended” that it’s not even comparable.
> It's really a matter of context. Security people tend to only be involved when things are already nefarious
I’m guessing you’ve not worked with many “security people”?
You’d be surprised how much of their day-to-day is mundane.
I'm a security people. I can say with confidence that a tiny, tiny, tiny, tiny fraction of these security issues are deliberate. Almost all of them are just dumb mistakes because making good software is really hard and really, really expensive and there is no market incentive to make good software. You don't need to get hired at the safe factory to build an elaborate back door into the production line if safes are actually just cardboard boxes, you know?
It's possible the backdoor is deliberate, I have no idea in this particular case, but the more likely situation, absent more information, is that someone who is earning a middling wage just added the "feature" and didn't think about the security implications because no one cares about computer security.
Maybe it's time to take a closer look at reality and correct this meme, which might casually blur the issue and deflect responsibility?
Looking at the IT security landscape we see every layer, every product category if not every product itself riddled with issues at one point or another. At the same time the incentives to put those security issues in are huge, and we know attackers work systematic, creative and persistent to introduce those weak points.
Security is hard and many bugs certainly happen due to mistakes, but I wouldn't assume that all of those security mishaps stem from an endless series of blunders from "stupid" programmers.
So I would go with “Never attribute to ignorance that which is adequately explained by malice.”
> I wouldn't assume that all of those security mishaps stem from an endless series of blunders from "stupid" programmers.
The saying doesn’t mean that all vulnerabilities are blunders. It means we shouldn’t automatically assume vulnerabilities are nefarious.
If closer inspection proves beyond reasonable doubt that it was placed there deliberately and maliciously then that’s different.
But the point is most vulnerabilities are blunders so it’s better to assume that until proven otherwise.