[Cryptography] RSA is dead.
Jerry Leichter
leichter at lrw.com
Sun Dec 22 17:55:25 EST 2013
On Dec 22, 2013, at 4:59 PM, Bill Cox <waywardgeek at gmail.com> wrote:
> Nonsense. Most other equally capable developers should be able to discover a backdoor with far less effort to hide it. Reading other people's code is a skill that some people never acquire, but it's generally easier to understand someone else's code entirely than to have created it from scratch.
>
> If the code is so obscure that this is not the case, that code should not be used in crypto. I'll just point out that gtksu falls exactly into this category, yet we continue to use it... it really deserves to be retired. Open source is *very* helpful, but if the people with the decision power over what to include are far more ignorant than the coders... well then just forget security.
Have a look at some of the entries in the Obfuscated V contest (to write innocent-looking code that actually cheated one of the candidates). My favorite is http://graphics.stanford.edu/~danielrh/vote/mzalewski.c - just one of many.
Come back and tell me how "capable developers" will easily find malicious code hidden in simple, clean-looking C code.
-- Jerry
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4813 bytes
Desc: not available
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20131222/779d6ef3/attachment.bin>
More information about the cryptography
mailing list