[rc5] Several Issues...

Stephen Langasek vorlon at dodds.net
Sat Aug 2 23:25:31 EDT 1997


On Sat, 2 Aug 1997, David Chow wrote:

> How can I know there aren't any backdoors to your compiled binaries?  What
> if NSA offered to secretly buy this organization over?  And some ideas
> for future projects.

> Firstly - trust you guys at Bovine enough to run these clients on almost
> every computer here.  But how can I know there isn't a backdoor to all my 
> systems - without relying on blind faith?  I know unless you give me the
> source and let me examine and compile it - I will never know.  I was just
> wondering if anyone else has brought up this issue.  Several thousand
> people are banking on a few honest people.  I bet there are many out there
> who decline to donate CPU cycles because of the lack of concrete confidence
> in your binaries. (ie lack of source)

Eeeh, well, you can either 1) probe the systems yourself to make sure it
isn't doing anything it isn't supposed to, or 2) trust those of us who
claim to have done so, observing no aberrant behavior in the process. :)
There are a lot of machines that have put in a lot of hours with this
client, and no one has yet reported the clients doing anything malevolent.
This is, of course, not proof positive, but if there's something
unpleasant hidden in the binary, it hasn't reared its head yet.  And if
you're really paranoid (and your machine's OS isn't a walking, talking
security hole), you can always run the program as a user that can't do any
damage if it goes wild...

> Also, (another unanswerable question) how do we know whether the NSA has
> secretly bought this org over and is using us to crack some keys?  Or whether
> you guys would accept such an offer? (say for a couple of million)  You'd
> definitely get more than $1000 - that is if we crack through.  I know what
> your answer will be as this is (as you may put it) completely out of the 
> question.  I'm mentioning this mainly because of all of us donating time -
> how can we know for sure?  I guess we can't.

Because quite frankly, the NSA doesn't *need* our help to do their
cracking.  They're doing plenty of it already, much faster than we are,
they just won't admit to it.  As wonderfully large (prohibitively so, our
opponents like to point out) as this effort seems, it's a drop in the
bucket compared to the processor power that a corporation (or, say, the US
government) could put together.

                             -Steve Langasek
-doink-
