Hacker News new | past | comments | ask | show | jobs | submit login

"Never attribute to malice that which is adequately explained by stupidity"

- Hanlon's Razor [1]

[1] https://en.wikipedia.org/wiki/Hanlon%27s_razor




As a corollary to Occam's Razor, this is always a good heuristic to remember. It is also important to keep in mind that heuristics can sometimes be misleading and should not be followed blindly.

Hanlon's Razor, like Occam's Razor, is most useful in cases where we there isn't any other evidence that points to a specific answer.

In the case of internet security, we do have a significant amount of evidence that several national spy agencies have been corrupting security of networking hardware and software. With projects like BULLRUN and the RSA/Dual_EC_DRBG scandal, we even know they went as far as pay businesses to do exactly this kind of weakening of their product's security features. This is especially true for this kind of low-end, discount product; a business with low profit margins is probably easier to bribe.

All else is not equal, so it is reasonable assign a high probability to spy agency involvement. This isn't proof, of course, but neither is Hanlon's Razor.


> All else is not equal, so it is reasonable assign a high probability to spy agency involvement.

This requires determined effort to ignore the level of sophistication on evidence in the same reports of nation-state level attacks which you cite. Everyone who's read them noted a consistently high level of attention paid to making sure that attacks were both targeted and concealed.

Using “super” as both a username/password for a million devices is the kind of thing you'd expect from incompetence; with the NSA I'd expect something like what they actually did with Dual_EC_DRBG, where the device would show every sign of appearing to be secure but someone with knowledge of a particular constant could save significant effort when cracking the crypto. The last thing they want is for you to notice & patch the hole because some random spammer started exploiting it.


The NSA is not the only spy agency in the world.


You might have missed that the examples cited in the post which I assigned were all NSA programs. That said, any serious program is unlikely to make a rookie mistake like this.

The one remotely plausible explanation would be something like this being a way for a mole to spin a backdoor as an innocent mistake. Even that's stretching it a bit because this is so easy to find that it'd have a pretty high risk of exposure – if you're going to invest that kind of time, a more subtle bug is only a minor increase in difficulty.


You can be also try that


But what that really says, is that between malice and stupidity, the odds are most often for stupidity. Garden variety stupidity is much more common than clever malice. There is no reason to rule out clever malice entirely, however.

If you're going to be Bayesian about it, use Hanlon's Razor as your prior, then update that. In other words, you should default to that, unless you have very good reasons.


Fair enough - this is too obvious, a lot more effort would be applied to obfuscate a deliberate backdoor




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: