> All else is not equal, so it is reasonable assign a high probability to spy agency involvement.
This requires determined effort to ignore the level of sophistication on evidence in the same reports of nation-state level attacks which you cite. Everyone who's read them noted a consistently high level of attention paid to making sure that attacks were both targeted and concealed.
Using “super” as both a username/password for a million devices is the kind of thing you'd expect from incompetence; with the NSA I'd expect something like what they actually did with Dual_EC_DRBG, where the device would show every sign of appearing to be secure but someone with knowledge of a particular constant could save significant effort when cracking the crypto. The last thing they want is for you to notice & patch the hole because some random spammer started exploiting it.
You might have missed that the examples cited in the post which I assigned were all NSA programs. That said, any serious program is unlikely to make a rookie mistake like this.
The one remotely plausible explanation would be something like this being a way for a mole to spin a backdoor as an innocent mistake. Even that's stretching it a bit because this is so easy to find that it'd have a pretty high risk of exposure – if you're going to invest that kind of time, a more subtle bug is only a minor increase in difficulty.
This requires determined effort to ignore the level of sophistication on evidence in the same reports of nation-state level attacks which you cite. Everyone who's read them noted a consistently high level of attention paid to making sure that attacks were both targeted and concealed.
Using “super” as both a username/password for a million devices is the kind of thing you'd expect from incompetence; with the NSA I'd expect something like what they actually did with Dual_EC_DRBG, where the device would show every sign of appearing to be secure but someone with knowledge of a particular constant could save significant effort when cracking the crypto. The last thing they want is for you to notice & patch the hole because some random spammer started exploiting it.