
He keeps referring to the video encoding vulnerability in WhatsApp as a "backdoor". That is not supported by the source[1] he cites, which instead refers to it as a run-of-the-mill buffer overflow vulnerability. There is a massive difference here - backdoor implies something that was planted purposefully. Extraordinary claims require extraordinary proof.

I don't think this post is fair in its assessment and seems more like an advertisement for Telegram, which itself has its own security issues (like lacking E2E encryption by default and terrible[2] code quality).

1: https://www.techspot.com/news/82843-hackers-can-use-whatsapp...

2: https://www.reddit.com/r/androiddev/comments/cazz4h/why_tele...



It probably isn't, but I don't think we can know whether it was on purpose or not.

If I had to put a backdoor in something, it'd definitely be a buffer overflow. It gives full remote code execution, it may be hard enough to find to be NOBUS, and it has perfect plausible deniability.


The huge majority of applications with any C++ code have some sort of memory safety vulnerability. Codecs are a classic place where this shows up all the time. Why would this vuln out of the literally gazillions of similar vulns be considered a backdoor?


Never attribute to malice that which can be adequately explained by stupidity. So - yes, possible in theory, but quite unlikely.


"Never" seems a bit much, if you accept the premise that all backdoors would be made to look like accidental security flaws.

But since there are probably a lot more accidental security flaws than backdoors, I agree that erring on the side of stupidity is justified.


The Underhanded C Contest has many examples of malicious code that appear like plausible bugs. An intentional but rare buffer overflow would be a perfect backdoor.


“Extraordinary claims require extraordinary proof”

As an aside, this isn’t true. There are many things right in front of us that we dismiss routinely, and “everyone knows” these things are extraordinary/insane/wrong and so on. Usually, if you spend the time to learn about such things you can discover that they’re very normal and provable, you just have to go against the crowd. That’s different from needing extraordinary evidence.

Primarily this seems to be due to disinformation efforts and plain old human biases.



