For decades the dominant paradigm in crypto and security research has been:
- to claim that security vulnerabilities occur accidentally, ignoring major questions such as why there are so many of them and why the “bad scenarios” repeat so many times,
- to concentrate security research on topics of secondary importance, or those which have no importance whatsoever, sometimes making serious topics an absolute taboo,
- propaganda of the type: open source is secure, insecure is secure (good example), etc., and a lot of other unbelievably stupid statements with which one is not allowed to disagree.
In general, my nearly 20 years of experience in this sector have been appalling, and I deplore the low level of ethics in this research community, the toxic concentration of power and money, and all the forms of scientific bias caused by that.
This is now changing after the Snowden revelations.
A major paper on the topic of subversion of random number generators has been published. RNGs are really THE place where cryptographic protections could be and were subverted, a lot more easily than elsewhere. In contrast it is very hard to subvert a symmetric cipher or a hash function.
Some citations:
“The study of subversion of cryptographic systems — how to undetectably and securely subvert them, and how to defend against subversion — is a central one”.
This paper devotes a lot of attention to the question of immunization: how a backdoored RNG can be used securely or rendered inoffensive, for example through post-processing or by having an auxiliary input.
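To make the idea of post-processing with an auxiliary input concrete, here is an added sketch (not taken from the paper or from this post): a constructed toy generator whose raw output reveals its future output, wrapped so that only HMAC-SHA256 of the raw output under an auxiliary key is ever released. The class and function names are hypothetical, and the sketch assumes the auxiliary key comes from a source independent of the suspect RNG and unknown to whoever designed it.

```python
import hashlib
import hmac


class SuspectRNG:
    """Constructed toy stand-in for an untrusted RNG: each 32-byte output is
    also the next internal state, so one raw output reveals all later ones."""

    def __init__(self, seed: bytes):
        self._state = hashlib.sha256(seed).digest()

    def read(self) -> bytes:
        self._state = hashlib.sha256(self._state).digest()
        return self._state


def predict_next(observed: bytes) -> bytes:
    """What an observer of one raw output can compute without the seed."""
    return hashlib.sha256(observed).digest()


class ImmunizedRNG:
    """Post-processing wrapper: raw output is never exposed; callers get
    HMAC-SHA256(aux_key, counter || raw) instead."""

    def __init__(self, source: SuspectRNG, aux_key: bytes):
        # Assumption: aux_key was generated independently of `source`.
        if len(aux_key) < 32:
            raise ValueError("auxiliary key must be at least 32 bytes")
        self._source, self._key, self._counter = source, aux_key, 0

    def read(self) -> bytes:
        raw = self._source.read()
        self._counter += 1  # the counter keeps outputs distinct if raw repeats
        msg = self._counter.to_bytes(8, "big") + raw
        return hmac.new(self._key, msg, hashlib.sha256).digest()


def demo(seed: bytes, aux_key: bytes) -> dict:
    raw = SuspectRNG(seed)
    first, second = raw.read(), raw.read()
    safe = ImmunizedRNG(SuspectRNG(seed), aux_key)
    out1, out2 = safe.read(), safe.read()
    return {
        "raw_predictable": predict_next(first) == second,
        "immunized_predictable": predict_next(out1) == out2,
        "raw_leaked": out1 == first,
    }
```

The protection rests entirely on the auxiliary key: if that key is drawn from the same suspect generator, or is known to its designer, the wrapper adds nothing.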