undefined | Better HN

0 pointsSquareWheel7y ago0 comments

A backdoor to me suggests an intentional loophole through a level of security. A bug that does the same is severe, but isn't intentional.

At least that's my reading.

0 comments

4 comments · 2 top-level

p1necone7y ago· 2 in thread

But any competently inserted intentional backdoor is going to be indistinguishable from a mistake.

If Cisco had some SecretFBIChinaBackdoor() function somewhere the backlash would be way way worse (or at least an unknown). Whereas at this point it's abundantly clear that serious "non intentional" security vulnerabilities in networking hardware basically go ignored by the market.

SquareWheelOP7y ago

>But any competently inserted intentional backdoor is going to be indistinguishable from a mistake.

Maybe, but without proof it's still just speculation. Real bugs do occur often, and sometimes in sensitive areas.

I understand wanting to be vigilant. In both assuming malice and assuming human error though, you're still forced to make an assumption.

p1necone7y ago

You're not forced to make an assumption, you can just be honest and say you don't know. There's too many comments in this thread effectively saying "it looks unintentional, so it's unintentional".

1 more reply

floatingatoll7y ago

Yes, that is the most commonly used to describe an “undocumented” access credential, regardless of why. This has been used for credentials that were added and forgotten, credentials that were added to permit unauthorized access later, and credentials that were added to permit authorized repairs more readily. These credentials were included in an “undocumented” (or “unpublished” might be more precise) manner and can be used to bypass security, so “backdoor” is correct.

This of course says nothing about whether its inclusion was due to intent, incompetence, and/or malice. (If the private key includes “Comment: hack the planet” then yeah it’s malice :)

j / k navigate · click thread line to collapse