
The Internet Is Being Protected By Two Guys Named Steve - smacktoward
http://www.buzzfeed.com/chrisstokelwalker/the-internet-is-being-protected-by-two-guys-named-st
======
trevelyan
"a quirk of the U.S. legal system meant that cryptography was, until the late
1990s, placed on the U.S. Munitions List, alongside semi-automatic firearms
and tanks."

This was no quirk. The US government made deliberate efforts to limit the
availability of encryption software, even adding it to international export
control lists where it previously did not exist:

[http://cryptome.org/jya/wass-suks.htm](http://cryptome.org/jya/wass-suks.htm)

~~~
colechristensen
I may be outspoken on this, but I think that it was an appropriate move to
keep cryptography (or some kinds of cryptography) on such munitions lists.

~~~
VMG
The kind of cryptography that lets people communicate securely? Belongs on the
same list as physical objects that intended to pierce walls and flesh?

I'd also like a more in-depth explanation.

~~~
danielweber
Historically secure communication has been a weapon of war.

[http://en.wikipedia.org/wiki/Dual-use_technology](http://en.wikipedia.org/wiki/Dual-use_technology)

~~~
HarryHirsch
Cryptography is a defensive weapon. Zero-days on the other hand, are an
offensive weapon. There are distinctions between helmets and clubs, you know,
and the law should recognize these.

~~~
danielweber
(Assuming it works) is ballistic missile defense not a war technology?

~~~
rplnt
The intended use might be defensive, but a ballistic missile can be used for
offense.

~~~
wlesieutre
I think danielweber is referring to systems designed to intercept and destroy
ballistic missiles, not to ballistic missiles used for defensive purposes.

------
ballard
Does "ultimatum" and "raft of complicated last-minute changes" not raise
anyone else's tinfoil paranoia alarms?

Those commits should get significant scrutiny, because it sounds like the US/CA
govt were given an indirect opportunity to push whatever changes they wanted AND
rushed code isn't necessarily the best either.

(Also I'm glad FIPS mode is dead in LibreSSL.)

~~~
tragic
Hmmm... Never ascribe to conspiracy what can be adequately explained by
bureaucracy. The feds love them some standards.

~~~
SeanDav
Once upon a time I used to believe this. Post Snowden, I tend to believe the
reverse.

------
zhte415
I find it a great shame that literally a handful of independent individuals
take on responsibility compensated at a minuscule fraction of those that
directly benefit from it: ISPs, Certificate Providers (particularly certificate
providers, absolving themselves of accountability for potential loss) and
Hosting Providers.

~~~
QuantumChaos
That's a consequence of being open source. All the main open source licenses
mean that anyone would be able to use OpenSSL without paying a cent to the
creators.

Advocates of open source often claim that creators of open source software can
make money by selling services to users, like consulting services. As this
article (and others) describe, this approach also didn't work that well for
the OpenSSL team.

~~~
zhte415
Open source > indeed, I agree.

My perspective is principally the harmony or conflict of the open source-ness
of OpenSSL, and the Tragedy of the Commons
[https://en.wikipedia.org/wiki/Tragedy_of_the_commons](https://en.wikipedia.org/wiki/Tragedy_of_the_commons)
of all using a resource while few feeling the need to compensate.

It is interesting that open source has often found solutions around this
'tragedy' - ownership (contributing or forking) vs access (using) - but I
feel a shame that those that work hard towards creating a public good
(OpenSSL) only receive recognition when things go wrong, while those that have
criticised (the possibly competing consultancies, perhaps) have themselves not
forked or recreated a better solution, as it seems having the ability,
confidence or willingness to carry the risk to credibility (for a better
solution), or knowingly taken advantage of an exploit, is more profitable than
giving back.

tl;dr I admire these Steves and other contributors very much, and wish they
get what they deserve. I guess the world of Star Trek is still somewhat way
off.

------
NamTaf
You would've thought that after getting bitten by it, the Zucks, Brins, etc.
of the world would've been happy to kick in a few million apiece to ensure
part of the critical underpinning of their services is a bit more bulletproof.

Without having any idea of the numbers otherwise, could this not be a
reasonably cost-effective approach to security? Making sure the OSS projects
you draw on are properly funded so they can shoulder some of the security
responsibility must be easier than employing your own army of security savants
to do the same thing internally? I'd love to hear more info on whether this is
or isn't a good approach.

~~~
mattmanser
That happened already, like 4 days ago:

[http://arstechnica.com/information-technology/2014/04/tech-g...](http://arstechnica.com/information-technology/2014/04/tech-giants-chastened-by-heartbleed-finally-agree-to-fund-openssl/)

~~~
ilaksh
Right, but the amount, 3.9 million to support not only OpenSSL but multiple
other projects, is so minuscule relatively speaking it is astounding. This
"civilization"'s priorities are so ludicrous. 3.9 million is probably a tiny
fraction of the amount Google earned through ads selling blowjob videos last
year.

------
vezzy-fnord
Damn. Never thought I'd see a BuzzFeed article here. About as low as the web
gets.

This is surprisingly good from them, however.

~~~
dang
Buzzfeed seem to be partly rebranding themselves with high-quality long
articles. I thought this was excellent:
[http://www.buzzfeed.com/bensmith/tom-lehrer](http://www.buzzfeed.com/bensmith/tom-lehrer)
(and posted it to HN to no avail). So yes, we've upgraded Buzzfeed from banned
(stories get auto-killed) to lightweight (stories get a penalty, which
moderators can override). A moderator saw the OP and marked it as solid.

Lightweight sites are an uncanny valley for HN. We can't un-penalize them
without the site being overrun with fluff. But we don't want to miss any solid
articles, either. It requires human intervention to tell the two apart, and we
neither see everything nor necessarily see things in time.

I have some ideas for writing software to help with this conundrum, but won't
be able to get to that (or the dozens of other things on our list) until my
ongoing moderation-comment blitz subsides.

~~~
dredmorbius
Buzzfeed have done themselves very considerable harm with their earlier
tactics. Enough that I look on the URL with extreme prejudice.

I've got a custom CSS I apply to the site (I refer to it as "unbuzzed") which
strips all the viral crap from it. And checking quickly w/o my CSS applied, I
see that while _some_ of the site's content may be quality, much of it still
matches my recollection of it.

Given that, I feel that supporting the site in any way condones a behavior
which is, IMO, very highly toxic.

I'd prefer "banned unless moderator overrides" be in place, and I think
actually, keeping the ban in place would be even better. It's weaponized
clickbait.

More:
[http://www.reddit.com/r/dredmorbius/comments/23twec/weaponiz...](http://www.reddit.com/r/dredmorbius/comments/23twec/weaponized_clickbaits_days_numbered_dont_tease_us/)

As for lightweight stories: they're, net net, toxic.

If there's lightweight coverage of a topic, there's almost certainly a
heavyweight coverage somewhere. Almost always upstream (source study, report,
release, comments), occasionally in a detailed analysis commentary.

My focus for much of the past year and some has been "big issues": population,
resources, sustainability. Of which a significant component is energy. The
good news is that there's huge amount of research going into advanced energy
technology: new methods of capturing, converting, storing, or using it. And
virtually _ALL_ of it is absolute, total, complete, 2000% bullshit in terms of
actual informational value.

In one case (the Habanero enhanced geothermal well project in Australia), I
found that reading the company in question's own financial filings with the
Australian securities regulator was far more informative than the ...
whitewashed is putting too pretty a face on it ... completely useless press
"progress" report. If attaining 2% of your initial generation goal in 5x the
time and 10x the budget is "success", well, I don't know what to say.

The problem is when the crap reporting of useless bullshit makes it difficult
to see through crap reporting of the _good_ stuff out there. The US Navy
Research Lab's recently (past month) publicized research on
electricity-to-fuel synthesis from seawater was _abysmal_. But the underlying
technology and story are actually among the better prospects out there in terms
of not only providing moderate-scale liquid fuel sources for the future, but
very large (national or global) potential, with high-but-tractable costs, and
with applications to utilizing surplus intermittent generating capacity for
fuel synthesis and long-term storage (diesel fuel stores well). But the 1)
profusion of crap elsewhere and 2) abysmal quality of the reporting on this
technology made this almost impossible to see.

I still think my own write-up (which could use some improving) is among the
best there is on the topic:

[http://www.reddit.com/r/dredmorbius/comments/22k71x/us_navy_...](http://www.reddit.com/r/dredmorbius/comments/22k71x/us_navy_electricitytofuel_synthesis_papers_and/)

So: my war on Buzzfeed remains.

~~~
pbhjpbhj
> _Enough that I look on the URL with extreme prejudice._ //

Which is fair enough, but do you think HN should be pandering to your
prejudices? Isn't it better to ignore all prejudices and judge the story on
the text, information, presentation it carries?

You can flag stories, you can link a better source within the thread, but
ultimately you have to trust the community to regulate itself or seek a
differently structured community.

Personally I'm finding the more I learn about the editorial policies of HN the
more worried I am - I thought it was meritocratic, without grudges and
prejudices but instead I find that there are secret editorial policies and
over-bearing moderations.

Fine, if HN is to be curated then let that be clear, post a list of banned
sites for example; don't pretend it's user moderated when the postings are
being heavily censored. [I'm not saying curation is wrong, just that it makes
it a different beast and that secretly moderating the content and having ban
lists and such is wrong IMO].

~~~
tptacek
The site has _always_ been curated, from day one. What's changed is not that
there are new secret policies, but that the moderators are now sharing them
with you; HN is more transparent today than it has ever been.

If you want a pure user-generated user-moderated experience, that's fine and
totally reasonable. Go to Reddit. That's what they're about. HN is not Reddit.

~~~
pbhjpbhj
Which is the point, it's never been explicit IMO that shadowbanning and URL
blacklists are part of the site. Finding out that's the case is unnerving;
what other manipulations are going on under the hood that normal users aren't
aware of? That's why I say IMO, to be forthright, one should make these things
publicly known - there should be a page giving the list of moderators, what
powers they have, what URLs are banned, what procedures (like shadowbanning)
are used, ...

The FAQ says there are editors, and indeed it tells us now that there are 30
of them. It says they can edit, ban users; but it doesn't say that they block
entire sites or anything of that sort. It doesn't mention
hellbanning/shadowbanning and such.

The little inklings of the secret undercurrents strongly suggest that there
would be, for example, manipulation of story rankings and such. I'm not saying
that happens but with such an opaque system it seems most likely. The feeling
starts rising then that one is in a "Disney for adults" where you're being
manipulated to the extreme but you're not really conscious of it.

~~~
dang
"Little inklings of secret undercurrents" strikes me as pretty silly (though
delightfully written!) since I've done nothing for the last month but plaster
the site with transparency and feedback. I have a list of dozens of things we
can do to make HN better, and haven't been able to get to any of them since
becoming public as moderator—I've been doing nothing but answering questions,
explaining things, and worrying about answering questions and explaining
things.

If, after massive effort, some people still accuse us of every insidious
practice in the book, I'm doubtful that the lesson to draw is "try harder". It
might be, if (a) there were a hope of convincing everybody, (b) it weren't
very costly, and (c) it didn't prevent us from doing other important things.
But (b) and (c) are definitely not true, and it's looking sadly like (a) isn't
either.

~~~
pbhjpbhj
Yes, since you joined you've been vocal and overt in your editing practices so
far as I've noticed, and that's appreciated.

I'm reacting - I thought this site centred around values where merit rose
above appearance. The implementation of a block list for certain domains seems
to move sharply against that. Perhaps I missed the memo where it was mentioned
that certain sites are banned from submission to HN. If a domain is getting
spammed to the submission page then I can understand it being blocked but
interesting stories/commentaries can centre around rubbish and abusive
domains; I thought we [HN] rode above all that, that's all.

Blocking low quality domains is a good thing to some extent, it's just not
being aware that's how the site runs that makes it surprising/unnerving.
Steering the site to maintain focus requires controlling the submissions
accepted, of course; just I thought this was being done using flagging and
upvotes [alone] in the open. Ergo, my reaction. Maybe like finding your
straight-laced lawyer has nipple-rings.

~~~
dang
All the stuff you're talking about has been the case not only for years, but
since the beginning of HN. I'll venture, also, that what you'd actually get if
HN worked the way you imagined it did is a much, much lower-quality site.
Indeed, HN would never have been HN. You're free not to believe that, of
course.

There certainly are some drawbacks to transparency!

------
dang
We changed the title to be less linkbaity. If anyone can suggest a better one,
please do.

~~~
jackalope
IMHO, the original title reflects the tone and content of the article. I
didn't feel cheated when I clicked on it, so I don't really consider it
linkbait.

~~~
smacktoward
I actually liked the original title better, as it communicated the main point
of the article -- that a ton of critical infrastructure is riding on the
shoulders of a very small number of people -- better. Changing it to "Steve
Marquess and Stephen Henson of OpenSSL" doesn't really get that point across,
since it doesn't make clear that Marquess and Henson essentially _are_
OpenSSL.

EDIT: It is definitely refreshing to see editorial decisions like this being
explained clearly, though, and the community being asked to provide feedback.
So my thanks to dang for that, even if we disagree about the title :-D

~~~
dang
Ok, I changed it back. Cheers.

------
socrates1998
Honestly, I don't get why super talented people work for free.

I haven't worked on any open source projects, so maybe that's why I don't get
it, but it just seems that developers often devalue themselves too much.

You see it all the time. Business "idea" types come in and supply the "idea",
while developers do all the work and don't get paid enough.

I just wish as an industry, developers would stand up for themselves more. I
see good, smart and talented people getting walked over too much.

~~~
cmyr
There are a lot of really interesting problems and projects in the world that
nobody is interested in paying for. If you want to do these interesting
things, you have to do it outside of the marketplace.

Alternatively, there is a trade-off in selling your labour in the marketplace:
you are no longer in a position to dictate the terms of your labour, and you
potentially lose control over the product of your labour.

------
pronoiac
> In fact, a quirk of the U.S. legal system meant that cryptography was, until
> the late 1990s, placed on the U.S. Munitions List, alongside semi-automatic
> firearms and tanks.

Should this be in the past tense? I thought crypto exports from the US were
still restricted.

~~~
alternize
it's still restricted, but not on the munitions list anymore:

> Legal challenges by Peter Junger and other civil libertarians and privacy
> advocates, the widespread availability of encryption software outside the
> U.S., and the perception by many companies that adverse publicity about weak
> encryption was limiting their sales and the growth of e-commerce, led to a
> series of relaxations in US export controls, culminating in 1996 in President
> Bill Clinton signing the Executive order 13026 transferring the commercial
> encryption from the Munition List to the Commerce Control List. Furthermore,
> the order stated that, "the software shall not be considered or treated as
> 'technology'" in the sense of Export Administration Regulations. This order
> permitted the United States Department of Commerce to implement rules that
> greatly simplified the export of commercial and open source software
> containing cryptography, which they did in 2000.

[http://en.wikipedia.org/wiki/Export_of_cryptography_from_the...](http://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States#PC_era)

~~~
pronoiac
It looks like most of the OpenSSL team[1] is outside the US, except Marquess,
the businessman. It looks like OpenBSD is developed and released from
Canada.[2]

I tried reading the Wikipedia article you linked, and something from the
Bureau of Industry and Security[3], and my eyes glazed over. I _think_ the
upshot is developing an open source crypto library in the US just won't work.

[1] [https://www.openssl.org/about/](https://www.openssl.org/about/)

[2] [http://www.openbsd.org/goals.html](http://www.openbsd.org/goals.html)

[3] [http://www.bis.doc.gov/index.php/policy-guidance/encryption/...](http://www.bis.doc.gov/index.php/policy-guidance/encryption/encryption-faqs)

~~~
wbl
It is possible: open-source code can be exported freely. See
[http://www.bis.doc.gov/index.php/forms-documents/doc_view/32...](http://www.bis.doc.gov/index.php/forms-documents/doc_view/328-flowchart-2)
for details. You just need to tell them where it is.

------
hackuser
Have you ever tried inventorying the free software you use and paying a fair
price for it?

I looked into it for a small IT business. For one thing, the list was very
long, longer than I expected; just consider browser extensions. For another,
inventorying the free software and especially making all those small payments
is very time-consuming. Finally, the costs add up. Given the money and
especially time involved in paying, I wouldn't be using a lot of these
programs (again, think of browser extensions).

I know micro-transactions aren't a new idea, but our payment system is a
debilitating bottleneck; transactions are far too slow for the speed at which
I can obtain new products. What happened to micro-transactions?

------
pmorici
"Marquess, a consultant for the Department of Defense"

Maybe I haven't been following this close enough but has anyone questioned
whether or not it is perhaps a conflict of interest to be a consultant for the
"Department of Defense" while also being a principal contributor to a project
like OpenSSL?

~~~
exelius
I think it's about the only way to do so. Navigating a complex bureaucracy
like the DoD requires an insider's knowledge. Not everyone who works for
complex bureaucracies is evil; many are trying to help them be better (or at
least direct its energies at things that are productive to the public).

The bigger problem that seemed to surface through this article is the sense of
the "ubercoder" who singlehandedly runs a major project because they can't
work with anyone else. I don't know if it was sensationalized by the author of
the article, but it does strike me as a major problem in a lot of open source
software. IMO, something like OpenSSL is important enough that it should be
run by a non-profit.

------
celebril
No mention of Steve Jobs?

Disappointed.

Everybody knows that Apple's OS X is the most advanced and secure OS.

If Steve Jobs isn't one of the people who are responsible for protecting the
Internet I don't know who else is.

