[Cryptography] Back door competition for TrueCrypt fork?

Bill Cox waywardgeek at gmail.com
Fri Jun 6 08:46:21 EDT 2014


I need you guys' opinion on the following idea.  I think it would enhance
security to have a back-door competition to keep our core developers'
security auditing skills sharp.  However, there is some strong opposition
to the idea.  What do you guys think?

This is my slightly spelling-corrected email sent to the list yesterday:

---------- Forwarded message ----------
From: Bill Cox <waywardgeek at gmail.com>
Date: Fri, Jun 6, 2014 at 12:36 AM
Subject: Back door competition
To: geekcrypt at freelists.org


I really am paranoid.  As another poster said, "My paranoia goes to 11."
We may already have an NSA plant on this list.  How can we succeed while
working with an NSA plant?  If he's good, he may create really
difficult-to-detect back doors, and even if we find them, they will look like innocent
mistakes.  Is there any defense?  The only way I can think of is diligent
code review.  How can we tell if we're doing a good job?

I think it might be a lot of fun to see which of us can succeed in
inserting a back door without the others noticing.  Every week each
developer (core developer?) would publish a warrant canary containing an
encrypted code snippet, as well as the key to the prior week's code
snippet.  The code snippets would either say "No back doors were inserted
this week", or show exactly where the back door is with an explanation.

Any time one of us finds a back door, we should raise the alarm.  The
person responsible for the back door should then reveal the decryption key,
proving to us that he had planned to reveal it next week anyway.

Whenever one of us gets away with an undetected back door, the next week
everyone would know about it (and obviously remove it).  We could call that
"winning", and having our back door detected "losing", and even keep
tallies of wins and losses.

Anyway, it's just a thought.  It's a sort of QA for crypto.

Bill
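
The weekly commit-then-reveal exchange described in the message, as an added example that is not part of the original post. It swaps the encrypted snippet for an HMAC-SHA256 hash commitment, because the property the scheme relies on is that a developer cannot change the note after publishing it; the `Ledger` class, the function names and the sample notes are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

CLEAN = b"No back doors were inserted this week"
KEY_LEN = 32  # fixed key length keeps the commitment binding under SHA-256 collision resistance

def commit(note: bytes) -> tuple[bytes, bytes]:
    """Return (key, commitment). Publish the commitment now; keep key and note private."""
    key = secrets.token_bytes(KEY_LEN)  # fresh per week, so a short note cannot be guessed
    return key, hmac.new(key, note, hashlib.sha256).digest()

def verify_opening(commitment: bytes, key: bytes, note: bytes) -> bool:
    """Check that a revealed (key, note) pair opens an earlier commitment."""
    if len(key) != KEY_LEN:
        return False
    expected = hmac.new(key, note, hashlib.sha256).digest()
    return hmac.compare_digest(expected, commitment)

class Ledger:
    """Public, append-only record of (week, developer) -> commitment."""
    def __init__(self):
        self.published = {}

    def publish(self, week: int, dev: str, commitment: bytes) -> None:
        if (week, dev) in self.published:
            raise ValueError("commitment already published; it cannot be replaced")
        self.published[(week, dev)] = commitment

    def check_reveal(self, week: int, dev: str, key: bytes, note: bytes) -> str:
        """Classify a reveal, whether it comes next week or early after an alarm."""
        c = self.published.get((week, dev))
        if c is None:
            return "no-commitment"      # nothing was committed before the code went in
        if not verify_opening(c, key, note):
            return "invalid-opening"    # the note was changed after the fact
        return "clean" if note == CLEAN else "declared-backdoor"

if __name__ == "__main__":
    ledger = Ledger()
    note = b"Declared test back door: see my commit this week"  # constructed sample note
    key, c = commit(note)
    ledger.publish(23, "dev-a", c)
    print(ledger.check_reveal(23, "dev-a", key, note))   # honest reveal
    print(ledger.check_reveal(23, "dev-a", key, CLEAN))  # denial after the fact
    print(ledger.check_reveal(23, "dev-b", key, note))   # never committed
```

A reveal only supports the "I planned to disclose this" claim when the commitment was on the public record before the alarm was raised, which is why `publish` refuses to overwrite an entry.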