Comment by hnlmorg
12 hours ago
You’ve got the saying backwards:
“Never attribute to malice that which is adequately explained by stupidity.”
12 hours ago
You’ve got the saying backwards:
“Never attribute to malice that which is adequately explained by stupidity.”
Pretty sure the point was to invert it. :)
Yes, I got their point. My point is that’s the opposite of reality.
The main reason I assumed you didn't is because you linked to Hanlon's Razor and explained it in a way that made it seem like you didn't think the other person knew.
I think it's true to some extent that a lot of the backdoors really are just stupidity, like debugging tools put into prod for convenience. Rather than suggesting that it is genuine malice, maybe the right thing to say is that for security, it doesn't matter whether or not it is malice for most purposes. If it did, it would give more incentive to do as much as possible to disguise malicious backdoors as mistakes.
His point is that in security, the opposite applies. The supposed "incompetence" is just plausible deniability for a malicious act.
5 replies →
Maybe it's time to take a closer look at reality and correct this meme, which might casually blur the issue and deflect responsibility?
Looking at the IT security landscape we see every layer, every product category if not every product itself riddled with issues at one point or another. At the same time the incentives to put those security issues in are huge, and we know attackers work systematic, creative and persistent to introduce those weak points.
Security is hard and many bugs certainly happen due to mistakes, but I wouldn't assume that all of those security mishaps stem from an endless series of blunders from "stupid" programmers.
So I would go with “Never attribute to ignorance that which is adequately explained by malice.”
1 reply →
Looks like this time you interpreted the message in a malicious way.
How? Neither their comment nor mine have anything malicious in their tone nor content.
Unfortunately, explaining a joke won’t make it funny afterward I guess.
1 reply →