[cryptography] Tahoe-LAFS developers' statement on backdoors

Marsh Ray marsh at extendedsubset.com
Thu Oct 7 01:39:35 EDT 2010


On 10/06/2010 06:42 PM, silky wrote:
>>
>> The core Tahoe developers promise never to change Tahoe-LAFS to
>> facilitate government access to data stored or transmitted by it. Even
>> if it were desirable to facilitate such access—which it is not—we
>> believe it would not be technically feasible to do so without severely
>> compromising Tahoe-LAFS' security against other attackers. [...]

You guys are my heroes.

> How will you stand by this if it becomes illegal not to comply though?

As an American software developer myself, I guess I need to consider 
this too. I could imagine a US open source developer might choose to:

1. Quit developing security software and take up a new line of work, 
say, selling 0-days to the Russian Business Network. This is probably 
what much of the US data security industry will be reduced to, since 
obviously no one will want to buy backdoored data security products and 
services from US companies anymore (well, except outsourcers audited for 
conformance to US government procurement standards).

E.g. MIT Kerberos and Heimdal:
http://en.wikipedia.org/wiki/Kerberos_%28protocol%29#History_and_development

The term "non-US" will once again be the universally recognized mark of 
effective cryptography. It's really a win-win for the former Eastern 
Block, as they'll gain a huge market as US purchasers begin obtaining 
their critical data security products from them.

Remember when the best stuff always seemed to come from ftp.cs.hut.fi?

2. Comply by forking the codebase to a new "Backdoored-Tahoe-LAFS", 
(which of course nobody would ever use). Commit code to that repository 
and the free world could pull your patches out of it, if they want to. 
Of course, as a developer your source code management overhead would be 
twice as difficult as everyone else's. So you'd probably be doing the 
small, menial tasks and end up marginalized as the direction of new 
development gets set overseas.

3. Emigrate to England where they apparently have other methods of 
cryptanalysis.

4. Adopt a cool hacker alias (e.g. "Bobby Tables") for all your 
development work. Dress like someone from The Matrix, and add the 
glasses-nose-mustache disguise for good measure. Send all your email 
through spam relays, and originate all your network traffic from 
sympathetic human rights activist offices in China. Be sure to obtain 
all your development software from warez sites too.

5. Protest the law, loudly and publicly. Become too well-known to 
prosecute for offenses of questionable constitutionality, grab headlines 
whenever possible. Get yourself accused of criminally deviant behavior 
by multiple Swedish women simultaneously, then un-suspected, then 
arrested in absentia, then re-suspected, and so on.

6. Quietly continue developing secure software and services and be 
subject to selective prosecution according to how the political winds 
blow in the future.

Welcome back to the bad-old-days.

Except this time, it's cloud-based services, too.

- Marsh



More information about the cryptography mailing list