Backdoors and Security Flaws are ways to circumnavigate normal digital security or access permissions to get access to data that you shouldn’t have direct access to. The difference is backdoors are intentionally created or left there at the request of a government or other authority so that the “good guys” will always have a way in if they need to get someones information. This is very obviously not great as it is very hard to prevent backdoors from getting leaked or abused like the reports of NSA agents caught with people’s nude photos from iCloud and other cloud storage platforms.

As to where they come from, security flaws are generally oversights in the software design just like locking all the doors to your house but leaving a window unlocked.

As far as an example, as to what a flaw “really” is, as always there’s a [relevant XKCD](https://xkcd.com/1354/) about the HeartBleed vunerability.

A backdoor isn’t so much as a security flaw, as it is an act of criminal intent, or criminal negligence. As for security flaws, the simple answer is, “Programmers are not always thorough”. Most security flaws are the result of developers ignoring well-documented best-practices. It’s the very rare flaw which is discovered in compliant, peer-reviewed code.

Before you come away with the impression that I’m just shitting on programmers, the usual reason this happens is not because developers are lazy, but rather that most shops do not devote enough time and resources to security. The industry average is ~10%, and it’s been climbing year over year, but in my opinion, even 10% is woefully inadequate. In my opinion, fully half of your team’s time and resources should be devoted to ensuring your code is secure, because an insecure feature is worse than useless.

A backdoor is an intentional security flaw built into a system by a programmer with the intention of being used to allow them access to the system while bypassing regular security.

Hence the term, they are entering through the back door instead of the front door.

This is either done for troubleshooting purposes, or it’s malicious to allow them unauthorized access to the system.

An example would be building in a master password hidden in a program that always works even if the account doesn’t exist.

Generally speaking a backdoor in a program is a bad idea no matter how well intention. Because sooner or later someone else will find it and abuse it.

Where does the ability for someone to walk in to your house through the front door when you forget to lock it come from? Ultimately it boils down to mistakes made by people who are trying to protect something private.

Computer systems are very complicated, but the computers that run those systems take things literally. Clever people take advantage of those complicated systems to make the computers do what they’re asking and not always what the program writers intended.

My favorite example of a flaw or “hack” comes from the early 2000s and doesn’t involve computer systems at all. It used to be that with a cell phone, you could sign-up for a plan where the nights and weekends were free but you paid by the minute during the day. Someone in the US on the west coast figured out that if they registered with an east coast address, their nights and weekends would start three hours earlier at 2:00 PM instead of at the intended 5:00 pm because of the differences in time zones. The employees that came up with or “wrote” the nights and weekends plan did not expect someone would lie about where they lived, and thus a hack was born.

Computer systems behave just like this, and they take things like dates, times, and locations exceptionally literally. Someone skilled in the art can understand where likely flaws are, and then press on different defects (sometimes combining multiple flaws together) to get the result they want.

Most of the security flaws in computer programs come from developers using unsafe programming languages where it’s very easy to make a mistake working with the computer memory.

There are safe languages, but they’re very resource-hungry, as in they consume a lot of RAM and the processing power. So, either safe but inefficient, or unsafe and fast.

Programming languages are evolving though and getting better at being both safe and efficient, but adoption of new languages is slow. Microsoft, for example, has been working on Windows for at least 25 years, and migrating to a new programming language with such huge product is very expensive.

The rest of security flaws are design errors, as another comment already stated.

Another angle to this is, software developers are usually not security engineers. They are not thinking like security engineers. And designing good security mechanisms makes their work very painful. So usually they create a product and then fix security flaws when the users find them, by which point it’s a little too late, but better than never.

backdoors are intentionally built in, usually for development and diagnostic purposes. and sometimes unintentionally forgot to be removed for release.

security flaws from…hackers discovering new and inventive ways to attack systems. whether it be sending in special data, sending multiple data sets at once, or coordinated attacks.

boss tells you “i need you to program a feature that when the input is is a formula expression X, the output will be the value of the expression” i.e. when X is “2+5*2” then output will be “12”

ok that sounds simple. rather than try to run thru a whole algorithm of parsing the expression, i’m going to be quick about it so i can do other projects. I’ll just run this function that’s built into the programming language called evaluate(). it’ll take the thing and just run up the math for me. done.

yea…except evaluate() also runs more than just math expression. it runs programming commands. allows you to read data, send data.

Both come from programmers. Backdoors are intentionally put in and are a form of security flaw. Other security flaws are unintentional and usually exist because of carelessness.

The fundamental security flaw with all computer systems is people. That’s the weak link, according to Jenny Radcliff, UK-based social engineering consultant. She refers to the security threats that people pose as the three Ms: mistakes, mischief and malice. You’d be hard pressed to find a recent attack that didn’t have at its core one of the three Ms.

What we know from research is that 91% of cyberattacks start with a phishing email, which means 91% of cyberattacks start with someone mistakenly clicking on a malicious email link. I don’t think many people intentionally click on a phishing link, although if they did, it would still be one of the three Ms: either mischief or malice.

Since we know the fundamental flaw behind computer security is people, perhaps the more important question is, what can we do about it? First, you have to give up the idea that any computer system can ever be 100% safe. A determined insider with the right access, who’s intent on malice, is extremely difficult to stop.

What can be done to minimize the chance of a hack is something called defense in depth. The idea behind the defense in depth is very simple. Put up a bunch of different types of barriers instead of just relying on one. This way, no matter what attack vector the enemy chooses, you’re covered.

So, for instance, should you conduct employee security awareness training? Yes. Should you enforce policies like least privilege? Yes. Should you deploy phishing prevention technology? Yes. By themselves, they’re good. Together they’re better, but not perfect.

The fundamental flaw behind computer security is people. And unfortunately, that’s the most challenging threat vector there is.

ELI5:

Backdoor: You have a lock on your house. The previous owner (or government) have kept a key, just in case…

Security flaw: You have a lock on your house. It looks good, but it’s actually a crappy lock you can open with a bent paperclip if you know how.