why we need source code (was Re: RC5 crack)

Adam Back aba at dcs.ex.ac.uk
Sun Jun 22 01:20:22 PDT 1997




Fabrice Planchon <fabrice at math.Princeton.EDU> writes:
> As Adam Back (aba at dcs.ex.ac.uk) said:
> >
> > Also, no source code.
> >
>
> there have been some discussions about that on the list, they seem
> to fear bogus data sent to the servers. Kind of makes sense, but
> they could at least release the core source without the
> communication protocol...

Yes, and it's inconvenient for a number of reasons:

- those running the rc5 crack don't sign their binaries (presumably
  because they don't use PGP, or don't know what it is or something),
  who knows what you're downloading, virus, disk formatter, whatever.
  If you had source code, you could verify it yourself at least, even
  if there is no signature.

- This problem with taking too few keys, if you had the source, and they
  can't be bothered to write instructions, or even brief usage notes,
  you could at least figure out how to use it from the source

- Having source allows more people to verify its correctness (saving
  burning keys on subtly flawed code), spot bugs, etc.  Also allows
  others to find speedups.

- The point about stopping bogus keys being submitted, some validity,
  however.

- Another reason I suspect they won't give source is that they want to
  conceal the key from you because they have other ideas about where the
  money should go than perhaps you do.  (They want $1000 for themselves,
  and will give $8000 to Project Gutenberg (boring)).

- When I see people worrying about concealing protocols, I get this
  urge to insert a tap between the client and server, and post the
  protocol, to remove that worry for them.

Adam
-- 
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`






