Hi Bill,

I agree that we need a review process by the team before any code is merged into the mainline. I don't have experience with this kind of back door competition. Do you know any other project performing a kind of back door competition, and could we re-use their process or tools?

Kind regards,
frehberg

On 06.06.2014 06:36, Bill Cox wrote:
> I really am paranoid. As another poster said, "My paranoia goes to 11." We
> may already have an NSA plant on this list. How can we succeed while working
> with an NSA plant? If he's good, he may create really difficult to detect back
> doors, and even if we find them, they will look like innocent mistakes. Is
> there any defense? The only way I can think of is diligent code review. How
> can we tell if we're doing a good job?
>
> I think it might be a lot of fun to see which of us can succeed in inserting a
> back door without the others noticing. Every week each developer (core
> developer?) would publish a warrant canary containing an encrypted code
> snippet, as well as the key to the prior week's code snippet. The code
> snippets would either say "No back doors were inserted this week", or show
> exactly where the back door is with an explanation.
>
> Any time one of us finds a back door, we should raise the alarm. The person
> responsible for the back door should then reveal the decryption key, proving
> to us that he had planned to reveal it next week anyway.
>
> Whenever one of us gets away with an undetected back door, the next week
> everyone would know about it (and obviously remove it). We could call that
> "winning", and having our back door detected "losing", and even keep tallies
> of wins and losses.
>
> Anyway, it's just a thought. It's a sort of QA for crypto.
>
> Bill
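The weekly scheme Bill sketches is a commit-and-reveal protocol: the sealed note binds the developer to "no back door" or "here it is" before anyone looks, and releasing last week's key in this week's canary (or on demand when someone raises the alarm) lets the rest of the list check the claim. The following is an added example written for this page; it is not code from the thread or from any project discussed on the list. It assumes a per-week random key, an encrypt-then-MAC construction built only from the Python standard library (HMAC-SHA256 in counter mode as the keystream, HMAC-SHA256 as the tag; a real deployment would use an AEAD such as AES-GCM or simply a PGP-encrypted note), and constructed sample notes. The `Developer`, `Canary`, `verify_history` and `tally` names are illustrative choices, not anything from the thread.

```python
"""Added example: a commit-and-reveal "back door canary" as described in the thread.

Each week a developer publishes a note sealed under a fresh key, plus the key
for the previous week's note. Anyone can later decrypt and check the history;
a reviewer who catches a back door early can demand the key immediately, and
the already-published ciphertext shows the note predates the catch.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

NO_BACKDOOR = b"No back doors were inserted this week"


def _subkey(master: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one 32-byte weekly secret.
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 over (nonce || counter) as a PRF keystream; stdlib only.
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, note: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(note))
    ct = bytes(a ^ b for a, b in zip(note, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag first, then decrypt. Raises ValueError on wrong key or tampering."""
    if len(blob) < 16 + 32:
        raise ValueError("sealed note too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: wrong key or tampered canary")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


@dataclass
class Canary:
    week: int
    sealed_note: bytes          # this week's encrypted snippet
    prior_key: Optional[bytes]  # key for last week's snippet; None in week 1


class Developer:
    def __init__(self) -> None:
        self._keys: Dict[int, bytes] = {}

    def publish(self, week: int, note: bytes) -> Canary:
        key = os.urandom(32)
        self._keys[week] = key
        return Canary(week, seal(key, note), self._keys.get(week - 1))

    def reveal(self, week: int) -> bytes:
        # Someone raised the alarm: hand over this week's key now, not next week.
        return self._keys[week]


def verify_history(canaries: List[Canary]) -> List[Tuple[int, bytes]]:
    """Decrypt every week whose key was published in the following week's canary."""
    by_week = {c.week: c for c in canaries}
    revealed = []
    for c in canaries:
        nxt = by_week.get(c.week + 1)
        if nxt is None or nxt.prior_key is None:
            continue
        revealed.append((c.week, unseal(nxt.prior_key, c.sealed_note)))
    return revealed


def tally(revealed: List[Tuple[int, bytes]], detected_weeks: Set[int]) -> Tuple[int, int]:
    """(wins, losses): an undetected planted back door wins, a detected one loses."""
    wins = losses = 0
    for week, note in revealed:
        if note == NO_BACKDOOR:
            continue
        if week in detected_weeks:
            losses += 1
        else:
            wins += 1
    return wins, losses


def wrong_key_rejected(note: bytes) -> bool:
    """True if a sealed note cannot be opened with a different key."""
    blob = seal(os.urandom(32), note)
    try:
        unseal(os.urandom(32), blob)
    except ValueError:
        return True
    return False


def demo():
    # Constructed three-week history; the week-2 note is a sample, not a real finding.
    dev = Developer()
    c1 = dev.publish(1, NO_BACKDOOR)
    c2 = dev.publish(2, b"Back door: see the week-2 commit (constructed sample note)")
    c3 = dev.publish(3, NO_BACKDOOR)
    early = unseal(dev.reveal(2), c2.sealed_note)   # alarm raised during week 2
    revealed = verify_history([c1, c2, c3])         # weeks 1 and 2 now checkable
    return early, revealed, tally(revealed, {2})
```

The tag is checked before any decryption, and keys for encryption and authentication are derived separately, so a forged or re-keyed canary fails closed. Week 3 stays sealed until week 4's canary arrives, which is the point: nobody can read the current week's claim until the developer chooses to release it or is challenged.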