<div dir="ltr"><div>I need your guys opinion on the following idea. I think it would enhance security to have a back-door competition to keep our core developers security auditing skills sharp. However, there is some strong opposition to the idea. What do you guys think?<br>
<br></div>This is my slightly spelling corrected email sent to the list yesterday:<br><div><br><div><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Bill Cox</b> <span dir="ltr"><<a href="mailto:waywardgeek@gmail.com">waywardgeek@gmail.com</a>></span><br>
Date: Fri, Jun 6, 2014 at 12:36 AM<br>Subject: Back door competition<br>To: <a href="mailto:geekcrypt@freelists.org">geekcrypt@freelists.org</a><br><br><br><div dir="ltr"><div><div><div>I really am paranoid. As another poster said, "My paranoia goes to 11." We may already have an NSA plant on this list. How can we succeed while working with an NSA plant? If he's good, he may create really difficult to detect back doors, and even if we find them, they will look like innocent mistakes. Is there any defense? The only way I can think of is diligent code review. How can we tell if we're doing a good job?<br>
</div><br></div>I think it might be a lot of fun to see which of us can succeed in inserting a back door without the others noticing. Every week each developer (core developer?) would publish a warrant canary containing an encrypted code snippet, as well as the key to the prior week's code snippet. The code snippets would either say "No back doors were inserted this week", or show exactly where the back door is with an explanation.<br>
<br></div><div>Any time one of us finds a back door, we should raise the alarm. The person responsible for the back door should then reveal the decryption key, proving to us that he had planned to reveal it next week anyway.<br>
<br></div><div>Whenever one of us gets away with an undetected back door, the next week everyone would know about it (and obviously remove it). We could call that "winning", and having our back door detected "losing", and even keep tallies of wins and losses.<br>
<br></div><div>Anyway, it's just a though. It's a sort of a QA for cryto.<span class="HOEnZb"><font color="#888888"><br><br></font></span></div><span class="HOEnZb"><font color="#888888"><div>Bill<br></div></font></span></div>
</div><br></div></div></div>