On 17/08/2014 19:39 pm, Ryan Carboni wrote:
> Or in the case of OpenSSL, no one notices the backdoor as it is
> indistinguishable from an obscure programming error.

The difference between a corporate backdoor and an open source backdoor is likely that when it is finally discovered, the corporate embarrassment is still easy enough to suppress: NDAs are a weapon. Sunlight is your friend. The many eyeballs thing doesn't really find any more bugs, it seems, but it certainly guarantees a scandal. The agencies don't go where the sunlight is brightest.

> On Sun, Aug 17, 2014 at 5:01 AM, ianG <i...@iang.org> wrote:
>
> On 17/08/2014 05:09 am, Jeffrey Goldberg wrote:
> > On 2014-08-16, at 4:51 PM, David I. Emery <d...@dieconsulting.com> wrote:
> >
> > > I do think, however, that if there are such backdoors, it would have
> > > to be known to only a very small number of people. Too many of the
> > > people who work on Apple security would blow the whistle. So it would
> > > have to be introduced in such a way that most of the people who
> > > actually develop these tools are unaware of the backdoors. It's
> > > certainly possible, but it does shift the balance of plausibility.
> >
> > Right.
>
> As I understand it, the standard way that this is done is to create a
> special features group in another closely-allied country. That group
> secures permission from HQ to do some rework for their "special national
> needs."
>
> That group then inserts the backdoor, then ships the entire patch off to
> HQ. Unless the center is reviewing for obfuscated tricks from a trusted
> partner, the backdoor slides in, and nobody knows it is there.

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography