[Cryptography] how reliably do audits spot backdoors? (was: Re: RSA is dead.)

Bill Cox waywardgeek at gmail.com
Mon Dec 23 01:06:59 EST 2013


Well, first, it's David Wagner.  Had we set up this test with me inserting
the bugs and David Wagner finding them, I think the results would have been
different.

However, IMO, David Wagner's bugs would not have survived a year of open
source review, given that it was confined to 100 lines of code.  That code
might be a serious mess, but people can usually grok that kind of
complexity.

With that said, God only knows what back doors exist in gksu.  Crypto code
should be as simple as possible.  Why does gksu need multiple threads that
all violate the GTK rule that only the main thread can muck with UI
widgets?  It's only a simple dialog with two buttons!  Why does it even
need multiple threads?  If I do say so myself, I am awesome at reading and
grokking code, and gksu is one of the only Linux projects I've had to read
that I could not understand.  Code like that in the crypto system makes me
want to set my hair on fire.