On Fri, 6 Jun 2014 00:36:47 -0400 Bill Cox <waywardgeek@xxxxxxxxx> wrote:

> I really am paranoid. As another poster said, "My paranoia goes to 11."
> We may already have an NSA plant on this list. How can we succeed while
> working with an NSA plant? If he's good, he may create really difficult to
> detect back doors, and even if we find them, they will look like
> innocent mistakes. Is there any defense? The only way I can think of is
> diligent code review. How can we tell if we're doing a good job?
>
> I think it might be a lot of fun to see which of us can succeed in
> inserting a back door without the others noticing. Every week each
> developer (core developer?) would publish a warrant canary containing an
> encrypted code snippet, as well as the key to the prior week's code
> snippet. The code snippets would either say "No back doors were inserted
> this week", or show exactly where the back door is with an explanation.
>
> Any time one of us finds a back door, we should raise the alarm. The
> person responsible for the back door should then reveal the decryption key,
> proving to us that he had planned to reveal it next week anyway.
>
> Whenever one of us gets away with an undetected back door, the next week
> everyone would know about it (and obviously remove it). We could call that
> "winning", and having our back door detected "losing", and even keep tallies
> of wins and losses.
>
> Anyway, it's just a thought. It's a sort of a QA for crypto.
>
> Bill

I am completely in love with that "thought" of yours! It'll keep everybody
on the run, while also offering good learning opportunities for the
rookies / non-core developers. Let's do it.

Maybe once every week would be a little short. Maybe every two weeks? What
do the others think?

Niklas

--
Niklas Lemcke - 林樂寬

At the time of writing, no warrants have ever been served to me, Niklas Lemcke, nor am I under any personal legal compulsion concerning the CipherShed project.
I do not know of any searches or seizures of my assets.
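
The weekly commit-then-reveal round proposed in the quoted message, as an added example that is not part of the original thread or of CipherShed's code. It swaps the encrypted snippet for a SHA-256 hash commitment, since a cipher does not by itself guarantee that a ciphertext opens to only one note; the developer names and the note text are constructed.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

NO_BACKDOOR = "No back doors were inserted this week"  # wording from the proposal

def commit(note: str) -> tuple[str, bytes]:
    """Return (commitment to publish now, nonce to keep secret until the reveal)."""
    nonce = secrets.token_bytes(32)  # fixed length keeps nonce||note unambiguous
    digest = hashlib.sha256(nonce + note.encode("utf-8")).hexdigest()
    return digest, nonce

def verify(commitment: str, nonce: bytes, note: str) -> bool:
    """Check a revealed (nonce, note) pair against the published commitment."""
    if len(nonce) != 32:
        return False
    digest = hashlib.sha256(nonce + note.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, commitment)

def audit(published: dict[str, str],
          reveals: dict[str, tuple[bytes, str]]) -> dict[str, str]:
    """Classify each developer's reveal for one round."""
    result = {}
    for dev, commitment in published.items():
        if dev not in reveals:
            result[dev] = "missing reveal"  # silence is itself a signal
            continue
        nonce, note = reveals[dev]
        if not verify(commitment, nonce, note):
            result[dev] = "reveal does not match commitment"
        elif note == NO_BACKDOOR:
            result[dev] = "clean"
        else:
            result[dev] = "planted back door disclosed"
    return result

def demo() -> dict[str, str]:
    # Constructed round with three hypothetical developers.
    planted = "Back door: constructed note pointing at the planted change"
    c_a, n_a = commit(NO_BACKDOOR)
    c_b, n_b = commit(planted)
    c_c, n_c = commit(planted)
    published = {"alice": c_a, "bob": c_b, "carol": c_c}
    # carol tries to swap her note after the fact; her commitment will not open.
    reveals = {"alice": (n_a, NO_BACKDOOR), "bob": (n_b, planted),
               "carol": (n_c, NO_BACKDOOR)}
    return audit(published, reveals)

if __name__ == "__main__":
    for dev, status in demo().items():
        print(dev, status)
```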