Comment by hnlmorg

12 hours ago

Yes, and my point is that hasn’t been the case in my experience.

It's because you (like me) aren't quite as paranoid as security people are. Personally I couldn't sleep at night if I was security people.

It's really a matter of context. Security people tend to only be involved when things are already nefarious where as boring old normal people like us see get to see the mundane everyday mistakes so not just the nefarious bits.

  • > It's because you (like me) aren't quite as paranoid as security people are.

    I work heavily with security-conscious clients where vulnerabilities would be catastrophic. And we are talking high profile clients that are juicy target for attacks.

    My experience is still that the vast majority of vulnerabilities are accidental rather than due to malice.

    And when I say “vast”, I mean the so heavily slanted in favour of “unintended” that it’s not even comparable.

    > It's really a matter of context. Security people tend to only be involved when things are already nefarious

    I’m guessing you’ve not worked with many “security people”?

    You’d be surprised how much of their day-to-day is mundane.

    • Oh i've worked with plenty. Maybe they knew more than they let on but they were (and are) convinced that every little belch is a full on attack.

      I know their day to day is just as mundane as the rest of ours it's their "Step 1" approach that i've seen to be entirely different. I assume it's probably a software bug, they assume it's an exploit.

      1 reply →

  • I'm a security people. I can say with confidence that a tiny, tiny, tiny, tiny fraction of these security issues are deliberate. Almost all of them are just dumb mistakes because making good software is really hard and really, really expensive and there is no market incentive to make good software. You don't need to get hired at the safe factory to build an elaborate back door into the production line if safes are actually just cardboard boxes, you know?

    It's possible the backdoor is deliberate, I have no idea in this particular case, but the more likely situation, absent more information, is that someone who is earning a middling wage just added the "feature" and didn't think about the security implications because no one cares about computer security.