[mar77i]

> Imagine a software engineer who has been asked to place a backdoor in some software.

I imagine such an engineer just gets a development plan and doesn't get to see the bigger picture, implying the backdoor. It might only get enabled on integration into a larger codebase, and nobody out of the loop will be able to extrapolate its existence from what they get to know for sure.

Hence I completely agree with the argument of shifting responsibility to the developers. Seems like MS is selling more of that eyewash again.

[Leherenn]

I disagree. I only have one point of data from past experience (not a backdoor, but working on a potentially unethical system), but I would say most developers know exactly what they are doing, or they know deep down but don't try to clarify in order to absolve themselves.

If we go back to backdoors, yes, sometimes, in the simplest cases (e.g. a "root" account), it might get in prod through trickery. But anything more complex and you need to know what you are trying to achieve.