How easy is it to find a backdoor in software?

2    20 Jan 2016 17:37 by u/revofire

Take the new Brave browser or a Linux distribution for example. That should effectively be their full source code. So how likely is it for an NSA backdoor to be found if there was one?

I know the NSA prefers hardware tapping because that's more effective in general. However, if they needed to do large-scale spying on short notice, couldn't they just pay off a company and have the backdoor added? Then what? Is it possible for us to find it, or how would they hide it?

Because at compile time they could add in the backdoor and never include it in the source, but devs working with the source will notice extra pics after it's compiled, or not? The DLLs can be encrypted for all of the information so no one will ever know even if you were comparing final builds with the official one. You'd see a difference but you wouldn't know what it is.

8 comments

1

The Brave browser is luckily or unluckily using npm for everything in it. They aren't just copy pasting some crypto code that could be altered with no one likely seeing it. I would say that it's not easy. Often it involves subtle errors in the random number generator that compresses the number of private keys it can produce. You take that with some data produced as output to the encryption and you can find the key. It involves some level of semi-brute force and very complicated math so the likelihood any of us would be able to use it is pretty small. You would have to have a lot to gain like if you were part of a criminal outfit or if you were the NSA.

I'm really excited about Brave. I got some errors trying to run it so I haven't seen it yet. Did you get a successful build?
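An added example, not part of the thread and not code from any project named in it: a black-box audit for the kind of flaw the comment above describes, a generator whose keys look random one at a time but come from a small set. `weak_keygen`, `strong_keygen`, `audit_keyspace` and the 15-bit seed size are all constructed for illustration.

```python
import hashlib
import secrets

SEED_BITS = 15  # assumed seed size of the constructed flawed generator


def weak_keygen() -> bytes:
    """Constructed flaw: 256-bit keys, but only 2**15 distinct seeds feed them."""
    seed = secrets.randbelow(2 ** SEED_BITS)
    return hashlib.sha256(seed.to_bytes(4, "big")).digest()


def strong_keygen() -> bytes:
    """Baseline: 256 bits taken directly from the OS CSPRNG."""
    return secrets.token_bytes(32)


def audit_keyspace(keygen, samples: int = 2000) -> dict:
    """Draw `samples` keys and estimate the keyspace size from repeated keys.

    Birthday estimate: n draws from a space of size S give about
    n*(n-1)/(2*S) colliding pairs, so S is roughly n*(n-1)/(2*pairs).
    """
    counts = {}
    for _ in range(samples):
        key = keygen()
        counts[key] = counts.get(key, 0) + 1
    # A key seen c times contributes c*(c-1)/2 colliding pairs.
    pairs = sum(c * (c - 1) // 2 for c in counts.values())
    estimate = samples * (samples - 1) / (2 * pairs) if pairs else None
    return {
        "samples": samples,
        "colliding_pairs": pairs,
        "estimated_keyspace": estimate,  # None means no repeats were observed
    }


if __name__ == "__main__":
    for name, gen in (("weak", weak_keygen), ("strong", strong_keygen)):
        result = audit_keyspace(gen)
        print(name, result)
```

A reduced space of 2**40 keys would need on the order of a million samples before the first repeat shows up, so a clean result from a small sample is not proof of a sound generator.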

0

if you were part of a criminal outfit or if you were like the NSA.

FTFY

1

I signed up for the beta. I for one do think the NSA can do it. It's their job. Their employees literally do this for a job, so it's going to take someone doing this with equal determination to expose them, it would seem.

1

It's probably way easier to put one into software than it is to find one. The old needle in a haystack proverb.

0

True true. Just throw the needle in, you don't have to find it but they do. Lol