← Back to context

Comment by Asraelite

8 hours ago

Backdoors are often (almost always?) designed to look like incompetence so that there's plausible deniability.

That sounds like a fun thing to wonder about, but how could anyone possibly know that for sure?

It's refreshing to see someone around here addressing the compulsively overlooked elephant in the room; plausible deniability. I am not implying it applies directly here, but notice the trend -- it's taboo to even speculate on and often gets rebuke for even hinting at it. The social convention around it is perfect cover. And I am not the only one that knows this. If we were to wake suddenly and realize the scale of relevance here, we'd probably all go full luddite. Call me paranoid though.

  • If this wasn’t Tenda maybe I would be more inclined to agree with you. We are talking about an extremely shitty bargain basement vendor. The three stars on Amazon kind of router company.

    I think sufficiently explained by incompetence over malice applies here. Some nefarious three letter agency having a backdoor like this is pretty pointless anyway.

    Unless you’ve enabled remote management you can’t even get to this backdoor from a physical network perspective.

    And then you change some router settings which really aren’t a magical access point into your devices in your home. My PC isn’t just going to magically allow you to browse the file system just because a malicious actor got on my local network. They can’t intercept anything moving over TLS.

    Not saying it’s good to have that kind of access, but I think at the scale of “typical home network of consumer devices” the utility and blast radius is pretty limited. Go ahead and launch a DDOS attack on my printer and use up my ink cartridges, I guess.

    • Well, as mentioned (but perhaps not with sufficient emphasis), I wasn’t implying that this case is necessarily some 3-letter agency op. However, things eg(*) CopyFail, XZ Utils / Jia Tan, Intel ME/IME, Heartbleed, Dirty COW, CVE‑2021‑3156, third‑party contractors, supply chains, and the myriad opportunities all around, are but a few examples that leave me cynical. I don’t claim detailed, expert understanding for any of these; however, I’m convinced the majority of such things remain unknown, and a that our perceived malice:incompetence ratio is off.

      I think we could stop reflexively defaulting to “incompetence” when the end result just as easily resembles a deliberate exploit. Plausible deniability is an extremely effective cover when it’s smartly applied.

      I’m not disputing any of your specific technical points; my cynicism is thematic. Even when I try to muzzle it, it tends to get through. The parent comment, though short, is dense with implications about cheap gear, opaque firmware, exposure surfaces I think deserve more sustained attention.

      * A quick, generic, maybe sub-ideal list to harden my point.