If an adversary gives you a machine learning model and secretly plants a malicious backdoor in it, what are the chances that you can discover it?