[geekcrypt] Re: Back door competition

  • From: Stephen R Guglielmo <srguglielmo@xxxxxxxxx>
  • To: geekcrypt@xxxxxxxxxxxxx
  • Date: Fri, 6 Jun 2014 09:06:39 -0400

On Fri, Jun 6, 2014 at 12:36 AM, Bill Cox <waywardgeek@xxxxxxxxx> wrote:
> I think it might be a lot of fun to see which of us can succeed in inserting
> a back door without the others noticing.  Every week each developer (core
> developer?) would publish a warrant canary containing an encrypted code
> snippet, as well as the key to the prior week's code snippet.  The code
> snippets would either say "No back doors were inserted this week", or show
> exactly where the back door is with an explanation.

I spent the morning thinking about this a bit. The reasoning behind it
is a fantastic idea. However, I think it would have some practical
issues. For future auditing purposes (even if it's just some user
looking at our commit history), we should keep our git repo as "clean"
as possible. If this backdoor-checking project happens, it would need
to be in a separate repo (not just a branch...). I don't think we
should intentionally introduce vulnerabilities into our code either. A
malicious user could use that code (from our git repo) and compile and
distribute or install on unsuspecting users' computers, then use the
backdoor. It would (probably) never happen on a mass scale, but if it
compromises a single person, that's one too many (for an intentional
backdoor). Know what I mean?

I do love the idea of using this to learn, especially for the more
inexperienced programmers such as myself. Maybe this project can go
forward using private git repos?
