[geekcrypt] Re: Back door competition

  • From: Pid Zero <p1dz3r0@xxxxxxxxx>
  • To: "geekcrypt@xxxxxxxxxxxxx" <geekcrypt@xxxxxxxxxxxxx>
  • Date: Fri, 6 Jun 2014 07:46:03 +0100

I'm a little dubious about actively trying to weaken the code for fun. What
if we forget a backdoor? I'm just as concerned about initial TLA
involvement, but other than have every other dev check each other's work or
write the same code in parallel I can't see how you'd get around it.
Decentralising so that as few devs as possible have access to accept
commits and sign the binaries (I.e. Segregation of duties & least
privilege) are good practices to adopt to mitigate any mole impact.

In either event rebuilding trust is going to be difficult within the
established community without the potential for the scandal that would
arise if one of us were found to have knowingly inserted a backdoor which
we forgot about and was later exploited by a TLA like the NSA!

On Friday, June 6, 2014, Bill Cox <waywardgeek@xxxxxxxxx> wrote:

> On Fri, Jun 6, 2014 at 12:46 AM, Niklas Lemcke - 林樂寬 <
> compul@xxxxxxxxxxxxxx
> <javascript:_e(%7B%7D,'cvml','compul@xxxxxxxxxxxxxx');>> wrote:
>> I am completely in love with that "thought" of yours! It'll keep
>> everybody on the run, while also offering good learning opportunities
>> for the rookies / non-core developers.
>> Let's do it. Maybe once every week would be a little short. Maybe every
>> two weeks?
>> What do the others think?
>> Niklas
> Two weeks works for me.  Also, it would be fun to track how many back
> doors we each find.  We could begin to get a sense for who is good at
> creating back doors, and who is good at finding them.  I'm guessing they
> will be different people :-)  This might also provide a useful metric for
> developer performance.  The #1 value a core developer brings to the team,
> IMO, is trust in the code, and this could help us understand who is most
> able to create that trust.  That could help a lot when it's time to promote
> a developer to core-developer.
> Bill

Other related posts: