
John Gilmore: NSA obstructed development of IPSEC Crypto in Linux Kernel - teamgb
http://linux.slashdot.org/story/13/09/07/195241/john-gilmore-analyzes-nsa-obstruction-of-crypto-in-ipsec
======
ewoodrich
You could skip the depressive nostalgia-inducing (and not in a good way)
Slashdot thread, and link the source:

[http://www.mail-
archive.com/cryptography@metzdowd.com/msg123...](http://www.mail-
archive.com/cryptography@metzdowd.com/msg12325.html)

Although, that had just been submitted by danieldk:
[https://news.ycombinator.com/item?id=6346531](https://news.ycombinator.com/item?id=6346531)

So maybe you had a reason to make us sift through /. noise.

~~~
contextual
Slashdot was my homepage for many years, and it's still a refuge from Hacker
News from time to time.

------
raintrees
One of the posters re-posted a comment that this is a fragment of:

"The Internet was built on, and runs on, trust. Every postmaster, every
network engineer, every webmaster, every system admin, every hostmaster,
everyone crafting standards, everyone writing code, trusts that everyone else
-- no matter how vehemently they disagree on a technical point -- is acting in
good faith. The NSA, in its enormous arrogance, has single-handedly destroyed
much of that trust overnight."

Commerce also runs on trust. The US dollar bill is a promise backed by debt...

In one case, I am seeing more evidence not to trust the US authorities. In the
other, I am seeing evidence not to trust the US financial structure.

This current age is getting really strange/disquieting/fragile to me... (I
reside in the US) Am I one of only a few? Or many?

It's feeling like that slippery slope when conspiracy theories start being
found out as truth...

~~~
harrytuttle
A conspiracy theory is actually a hypothesis which has not been proven at the
end of the day. To label any hypothesis as a conspiracy theory without proper
investigation is bad science however ridiculous it sounds.

The problem is not that a hypothesis has been proven but the fact we've been
trained to accept that labelling something as a conspiracy theory means that
we don't need to test it again and that those who are involved are not
credible.

That applies to a lot of things that we think are gospel. We've been fed
'facts' without proper evaluation for a long time.

Even the traditionally crazy things such as AIDS being engineered, holocaust
denial and WTC being an inside job are fair cop for scientific investigation.
I'll probably get downvoted for being rational on that one which will
illustrate my point.

------
Sami_Lehtinen
IPsec is complex, so complex that it doesn't work properly. Go in shop, by 10
different firewalls, and then try to cross connect those using IPsec. I'm sure
you're going to have fun time. After you manage to get the SAs connected,
you'll find out that those tunnels work unreliably, connecting, disconnecting,
state machine & key renegotiation totally broken etc. If it's not crap on
paper, at least it is in reality. I've been using IPsec with over 50 different
devices and I find it to be real pain point. Some devices do not offer all
options in UI, but still have hidden values for those built in, which you
don't know and need to figure out by trian and error. Devices like ZyWALL
(Zyxel) and WatchGuard, StoneGate (Stonesoft) etc, have constant probelms with
IPsec. If you want real challenge, things get much worse if you're using
aggressive mode and dynamic IPs with DDNS etc. Then it's total disaster, even
many firewalls from same manufacturer won't work properly. I just now have two
ZyWALL USG 1000 boxes, that can't maintain reliable IPsec main mode tunnel
between those, even if there's no network issues. There's simply something
wrong with the software. Old whines:
[http://www.dslreports.com/forum/r25350958-Zywall-35-vs-
USG-1...](http://www.dslreports.com/forum/r25350958-Zywall-35-vs-
USG-100-IPsec-issues) About null cipher downgrade attacks, simply don't allow
"multiple proposals", then what's specified has to be exact match. (Or in some
cases, there' list of options, which means that any option like null sipher
isn't allowed.)

------
lobo_tuerto
And here is the link to the real content: [http://www.mail-
archive.com/cryptography@metzdowd.com/msg123...](http://www.mail-
archive.com/cryptography@metzdowd.com/msg12325.html)

------
sillysaurus2
Bad headline. Here's what he actually said:

"Our team (FreeS/WAN) built the Linux implementation of IPSEC, but at least
while I was involved in it, the packet processing code never became a default
part of the Linux kernel, because of bullheadedness in the maintainer who
managed that part of the kernel. Instead he built a half-baked implementation
that never worked. I have no idea whether that bullheadedness was natural, or
was enhanced or inspired by NSA or its stooges."

~~~
snogglethorpe
Yeah, while it's unfortunate that it happened the way it happened, his
conclusions/insinuations seem a tad ridiculous.

Similar stories happen _all the time_ for features with zero connection to
security or the NSA. It's simply a sad fact of human nature and society that
people act this way; conspiracy theories are not necessary (and are often
harmful, as they distract from the real, if boring, issues).

"Never attribute to malice that which is adequately explained by stupidity"
and all that.

~~~
marshray
Sometimes the stupidity cannot be adequately explained by stupidity.

~~~
mbreese
If you try to make something idiot-proof, they'll just go and find a bigger
idiot.

Never underestimate the human capacity for stupidity.

~~~
marshray
We're talking about some of the most respected and professional protocol
engineers of the public internet here, not some global "biggest idiot"
contest.

~~~
teeja
_John Gilmore (born 1955)is one of the founders of the Electronic Frontier
Foundation, the Cypherpunks mailing list, and Cygnus Solutions._

I should be such an 'idiot'.

~~~
snogglethorpe
Er, but the "stupidity" being hypothesized in this case is not John Gilmore's
but rather the kernel maintainer he thinks was showing "malice."

There are tons of people out there, yes, even kernel maintainers, who are
technically skilled and smart but for whatever reasons, prove to be bad at
tasks like this and make bad decisions. It's usually not a conspiracy, and
John Gilmore's vague handwaving isn't a very convincing demonstration that it
was in this case either... :]

~~~
marshray
[http://www.mail-
archive.com/cryptography@metzdowd.com/msg123...](http://www.mail-
archive.com/cryptography@metzdowd.com/msg12325.html)

 _Every once in a while, someone not an NSA employee, but who had longstanding
ties to NSA, would make a suggestion that reduced privacy or security, but
which seemed to make sense when viewed by people who didn 't know much about
crypto. For example, using the same IV (initialization vector) throughout a
session, rather than making a new one for each packet. Or, retaining a way to
for this encryption protocol to specify that no encryption is to be applied._

------
eks
I'm really beginning to think that the Snowden leaks came up too late, and the
"intelligence-industrial-complex" might already be too big to dismantle.

~~~
teeja
They're funded through our 'representatives'. And (going by Sensenbrenner's
statements lately) they'll have something to say about that when Congress
rejoins.

~~~
hga
Our representatives (no scare quotes needed) in the House came rather close to
voting for a meat ax curtailment of the NSA the very first post-Snowden chance
they got, and most importantly the vote didn't break on any of the usual lines
like party or region.

I'd say it's _way_ too soon to count out the normal political process, and
there's recent history of the Congress doing the right thing:
[http://en.wikipedia.org/wiki/Church_Committee](http://en.wikipedia.org/wiki/Church_Committee)

------
miga
Why not sue over waste of resources in US economy, and facilitating further
computer crime?

------
bsullivan01
I am thinking that we shouldn't take it personally(other than the fact that
they made systems vulnerable to hackers, Chicom spies etc.)

If their job is to crack codes, our job should be to make unbreakable codes.
Nothing personal, just bidness ;)

------
threeseed
All I see here is a lot of claims with zero evidence. And some of those points
e.g. a non encrypted mode seem entirely reasonable for testing purposes.

And wouldn't end to end encryption be pointless if you are trying to secure a
mobile connection since the NSA has hooks into the provider's core
infrastructure ?

~~~
brokenparser
Of course not, your logic system is inverted. Charlie intercepting
communications is exactly why Alice and Bob should employ end-to-end
encryption.

