Translation of that German reply about LinuxTag

Werner Koch wk at gnupg.org
Wed Jul 18 10:12:54 UTC 2001


On Wed, 18 Jul 2001 10:59:43 +0200, Frank Heckenbach said:

> My opinion is that it might be possible to introduce a back door,
> but it would take quite some resources to hide it so good that
> nobody will detect it in the public sources (like if the NSA was

The advantage of free software is that the reputation of the author or
company would be seriously damaged if a backdoor is found in a FS
program.  And the backdoor will eventually be found; hopefully a
couple of people are looking at the diffs between versions and asking why
there are changes they don't understand.  There is of course no
guarantee that it will happen, but there is a much better chance of
detection than with closed source.

I once thought about adding a harmless backdoor into GnuPG to see how
long it would take to be detected.  But I can't do it because it might
still affect my and the GNU project's reputation.

And no one should be so stupid as to use software from an untrusted
source; that is why I think that it is a good idea to sign tarballs or
to publish md5sums.  Users must get into the habit of checking those
checksums and taking every mismatch seriously.  There are some problems
associated with it, but those can be defeated by using pre-packaged
versions coming from a known distribution (e.g. Debian); the
distribution maintainers will take all needed precautions to check
that a piece of software comes from a trusted source.

> making a version of Linux -- hmm, the NSA *is* making a version of
> Linux ... ;-).

That is a pretty good thing for 2 reasons:  They probably have a couple
of good hackers working on it who will and can detect and fix flaws in
the code.  One can be pretty sure that the community will then do a
thorough analysis of the NSA changes to the code base, which in
itself is a very Good Thing.


-- 
Werner Koch        Omnis enim res, quae dando non deficit, dum habetur
g10 Code GmbH      et non datur, nondum habetur, quomodo habenda est.
Privacy Solutions                                        -- Augustinus
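The habit the message recommends, checking a published md5sums file against the downloaded tarball and treating every mismatch as fatal, as an added example that is not part of the original mail or of GnuPG. The file names and tarball bytes are constructed sample data; the digest for the sample tarball is computed in place only to build the fixture.

```python
import hashlib
import hmac
import re

# Constructed sample data (hypothetical names; not real GnuPG release files).
GOOD_TARBALL = b"pretend this is release tarball content\n"
TAMPERED_TARBALL = GOOD_TARBALL + b"one extra byte"
TARBALL_NAME = "example-1.0.tar.gz"
# What a maintainer publishes beside the tarball, in md5sum(1) format.
# The digest is computed here only to build the sample; in practice it is
# taken from the project's announcement or from a signed file.
PUBLISHED_MD5SUMS = (
    "# md5sums for example 1.0\n"
    f"{hashlib.md5(GOOD_TARBALL).hexdigest()}  {TARBALL_NAME}\n"
    "d41d8cd98f00b204e9800998ecf8427e  CHANGES.empty\n"
)

# One md5sum(1) line: 32 hex digits, whitespace, optional '*' (binary mode), name.
MD5SUM_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(\S.*)$")


def parse_md5sums(text):
    """Parse md5sum(1) output ('<hex>  <name>' per line) into {name: hex}."""
    digests = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = MD5SUM_LINE.match(line)
        if match is None:
            raise ValueError(f"malformed md5sums line {lineno}: {raw!r}")
        digests[match.group(2)] = match.group(1).lower()
    return digests


def verify_file(name, data, digests):
    """Return 'OK', 'FAILED' or 'MISSING' for one downloaded file."""
    expected = digests.get(name)
    if expected is None:
        return "MISSING"  # no published digest: the file is unverified
    actual = hashlib.md5(data).hexdigest()
    return "OK" if hmac.compare_digest(actual, expected) else "FAILED"


def release_is_trustworthy(files, md5sums_text):
    """True only if every downloaded file matches its published digest.

    Any FAILED or MISSING result is fatal: a mismatch is never a warning.
    """
    digests = parse_md5sums(md5sums_text)
    return all(verify_file(n, d, digests) == "OK" for n, d in files.items())
```

A checksum file fetched from the same place as the tarball only catches accidental corruption; the stronger check the mail mentions first is a signature on the tarball (or on the md5sums file itself), verified with a key obtained independently.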
