[Cryptography] how reliably do audits spot backdoors?

ianG iang at iang.org
Thu Dec 26 02:35:40 EST 2013


On 25/12/13 20:09 PM, Phillip Hallam-Baker wrote:

> But that type of code review is only possible for closed source where
> someone is being paid or in an exceptionally highly motivated open
> source project.
>
> I can't slap the authors of OpenSSL and tell them to document their
> stuff, let alone force a rewrite


Which is the problem.  People *talk about open source being safer* but 
they have no mechanism to really make it safer, other than (windmill) 
"you can make it safer if you just contribute..."

Bug bounties have been tried, but they seem to be inherently blunt tools.

We need some sort of flow of value that rewards the hard slow effort of 
code review.  Something like a bitcoin mining algorithm, where the proof 
of work is the review.  Bugcoin?

iang
