[Cryptography] RSA is dead.

James A. Donald jamesd at echeque.com
Tue Dec 24 02:03:10 EST 2013


 > On Dec 22, 2013, at 4:59 PM, Bill Cox <waywardgeek at gmail.com> wrote:
 >> Nonsense.  Most other equally capable developers should be able to
 >> discover a backdoor with far less effort to hide it.  Reading other
 >> people's code is a skill that some people never acquire, but it's
 >> generally easier to understand someone else's code entirely than to
 >> have created it from scratch.
 >>
 >> If the code is so obscure that this is not the case, that code
 >> should not be used in crypto.  I'll just point out that gtksu falls
 >> exactly into this category, yet we continue to use it... it really
 >> deserves to be retired.  Open source is *very* helpful, but if the
 >> people with the decision power over what to include are far more
 >> ignorant than the coders... well then just forget security.

On 2013-12-23 08:55, Jerry Leichter wrote:
 > Have a look at some of the entries in the Obfuscated V contest (to
 > write innocent-looking code that actually cheated one of the
 > candidates).  My favorite is
 > http://graphics.stanford.edu/~danielrh/vote/mzalewski.c - just one
 > of many.  Come back and tell me how "capable developers" will easily
 > find malicious code hidden in simple, clean-looking C code.

If this code had been presented to me in a code review, in three
minutes I would have said:
	Huge unnecessary macro.  Remove.  Code
	review over.  Fix it and bring it back.
And given the developer a stern look.

When the code came back I would have said, after about a quarter of an
hour or so, inner variable hiding outer variable.  This is a bug, I
don't need to try to see what effect this bug will have on the code,
it will result in something strange and horrid, and if it does not
result in something strange and horrid now, it will the next time
someone edits your code.

So, though normal code review takes about one hundred lines an hour,
the hidden vote miscounting would have been removed in twenty minutes
of my time.

Not having the developer in front of me to be roasted, took thirty 
minutes of my time.



More information about the cryptography mailing list