Forwarded message:

Subject: how to release code if the programmer is a target for coercion Date: Wed, 14 Jan 1998 08:41:16 EST From: Ryan Lackey <rdl@mit.edu>

Tim May brought this issue up recently -- if someone develops a greatest- thing-since-sliced-bread Eternity package, then releases it. it's pretty likely that they will eventually be approached by (mi6/mossad/CIA/KCIA/etc.).

What's likely to happen?

Certainly they could kill you. They could make it look like random street crime, or an accident, or kill you with #16 000 in your pocket just to make it clear what their reasons were (Gerald Bull, Mossad, London, .32acp).

Actualy they killed Bull before he could complete his Super-Gun design and get it built. There is no point to be had in killing the designer after the fact except to advertise their accomplishment except to prevent future work by that person.

More likely, they'd try to coerce you. This could include threats of death, which are best responded to by ignoring them, since they don't gain anything if they kill you. Or torture, which is equally ineffective if they kill you. Or slander/etc. to try to discredit you. (unlikely to work at least among cypherpunks, in the absence of technical attacks as well).

This seems to have worked with several of the programmers at The L0pht (l0pht.com) because of their legal problems. Seems they now do work for the DoJ and other groups in return the various charges that were pending against them were dropped (or at least put on hold).

Most likely, they would try to buy you. This could be by outright offering money for back doors, which would be great if it worked, but is unlikely to happen in the first place.

L0phtCrack is one of the major NT cracking/testing tools currently used by folks. And no, I am not implying it has been compromised only pointing out that because of the relationship of some of the programmers to law enforcement it could have been. I am not aware of the exact timing of the agreement, development, and release of the software.

If offered a bribe, you could go public with that fact (preferably after taking the money :),

Then everyone would want proof and if you couldn't produce it they would simply label you a nutcase. You probably would have mysterious accident after that sort of behaviour. Besides, even if you were to prove it - could you trust the witness protection process?

I was looking around for a solution to this -- Lenny Foner at the MIT Media lab has something for his agents project which might be a solution. A system by which sections of source code are verified by individuals, signed, other sections are verified by others, etc. Then, during

If the agents could infiltrate the development team what keeps them from mounting a mitm attack on the people doing the signing? ____________________________________________________________________ | | | Those who make peaceful revolution impossible will make | | violent revolution inevitable. | | | | John F. Kennedy | | | | | | _____ The Armadillo Group | | ,::////;::-. Austin, Tx. USA | | /:'///// ``::>/|/ http://www.ssz.com/ | | .', |||| `/( e\ | | -====~~mm-'`-```-mm --'- Jim Choate | | ravage@ssz.com | | 512-451-7087 | |____________________________________________________________________|