[geekcrypt] Back door competition

  • From: Bill Cox <waywardgeek@xxxxxxxxx>
  • To: geekcrypt@xxxxxxxxxxxxx
  • Date: Fri, 6 Jun 2014 00:36:47 -0400

I really am paranoid.  As another poster said, "My paranoia goes to 11."
We may already have an NSA plant on this list.  How can we succeed while
working with an NSA plant?  If he's good, he may create really difficult to
detect back doors, and even if we find them, they will look like an
innocent mistakes.  Is there any defense?  The only way I can think of is
diligent code review.  How can we tell if we're doing a good job?

I think it might be a lot of fun to see which of us can succeed in
inserting a back door without the others noticing.  Every week each
developer (core developer?) would publish a warrant canary containing an
encrypted code snippet, as well as the key to the prior week's code
snippet.  The code snippets would either say "No back doors were inserted
this week", or show exactly where the back door is with an explanation.

Any time one of us finds a back door, we should raise the alarm.  The
person responsible for the back door should then reveal the decryption key,
proving to us that he had planned to reveal it next week anyway.

Whenever one of us gets away with an undetected back door, the next week
everyone would know about it (and obviously remove it).  We could call that
"wining", and having our back door detected "losing", and even keep tallies
of wins and losses.

Anyway, it's just a though.  It's a sort of a QA for cryto.


Other related posts: