[cryptography] Question About Best Practices for Personal File Encryption

ianG iang at iang.org
Sun Aug 17 15:44:46 EDT 2014


On 17/08/2014 19:39 pm, Ryan Carboni wrote:
> Or in the case of OpenSSL, no one notices the backdoor as it is
> indistinguishable from an obscure programming error.


The difference between a corporate backdoor and an open source backdoor
is likely that when it is finally discovered, the corporate
embarrassment is still easy enough to suppress:  NDAs are a weapon.

Sunlight is your friend.  The many eyeballs thing doesn't really find
any more bugs, it seems, but it certainly guarantees a scandal.  The
agencies don't go where the sunlight is brightest.


> On Sun, Aug 17, 2014 at 5:01 AM, ianG <iang at iang.org> wrote:
> 
>     On 17/08/2014 05:09 am, Jeffrey Goldberg wrote:
>     > On 2014-08-16, at 4:51 PM, David I. Emery <die at dieconsulting.com> wrote:
> 
>     > I do think, however, that if there are such backdoors, it would have
>     > to be known to only a very small number of people. Too many of the people
>     > who work on Apple security would blow the whistle. So it would have to
>     > be introduced in such a way that most of the people who actually develop
>     > these tools are unaware of the backdoors. It’s certainly possible, but
>     > it does shift the balance of plausibility.
> 
>     Right.  As I understand it, the standard way that this is done is to
>     create a special features group in another closely-allied country.  That
>     group secures permission from HQ to do some rework for their "special
>     national needs."
> 
>     That group then inserts in the backdoor, then ships the entire patch off
>     to HQ.  Unless the center is reviewing for obfuscated tricks from a
>     trusted partner, the backdoor slides in, and nobody knows it is there.
