[geekcrypt] Re: Back door competition

  • From: Niklas Lemcke - 林樂寬 <compul@xxxxxxxxxxxxxx>
  • To: geekcrypt@xxxxxxxxxxxxx
  • Date: Fri, 6 Jun 2014 12:46:06 +0800

On Fri, 6 Jun 2014 00:36:47 -0400
Bill Cox <waywardgeek@xxxxxxxxx> wrote:

> I really am paranoid.  As another poster said, "My paranoia goes to 11."
> We may already have an NSA plant on this list.  How can we succeed while
> working with an NSA plant?  If he's good, he may create really difficult to
> detect back doors, and even if we find them, they will look like an
> innocent mistakes.  Is there any defense?  The only way I can think of is
> diligent code review.  How can we tell if we're doing a good job?
> I think it might be a lot of fun to see which of us can succeed in
> inserting a back door without the others noticing.  Every week each
> developer (core developer?) would publish a warrant canary containing an
> encrypted code snippet, as well as the key to the prior week's code
> snippet.  The code snippets would either say "No back doors were inserted
> this week", or show exactly where the back door is with an explanation.
> Any time one of us finds a back door, we should raise the alarm.  The
> person responsible for the back door should then reveal the decryption key,
> proving to us that he had planned to reveal it next week anyway.
> Whenever one of us gets away with an undetected back door, the next week
> everyone would know about it (and obviously remove it).  We could call that
> "wining", and having our back door detected "losing", and even keep tallies
> of wins and losses.
> Anyway, it's just a though.  It's a sort of a QA for cryto.
> Bill

I am completely in love with that "thought" of yours! It'll keep
everybody on the run, while also offering good learning opportunities
for the rookies / non-core developers.

Let's do it. Maybe once every week would be a little short. Maybe every
two weeks? 

What do the others think?


Niklas Lemcke - 林樂寬

At the time of writing, no warrants have ever been served to me, Niklas
Lemcke, nor am I under any personal legal compulsion concerning the
CipherShed project. I do not know of any searches or seizures of my

Attachment: signature.asc
Description: PGP signature

Other related posts: