Hacker News new | past | comments | ask | show | jobs | submit login
John Gilmore: NSA obstructed development of IPSEC Crypto in Linux Kernel (slashdot.org)
176 points by teamgb on Sept 7, 2013 | hide | past | web | favorite | 28 comments

You could skip the depressive nostalgia-inducing (and not in a good way) Slashdot thread, and link the source:


Although, that had just been submitted by danieldk: https://news.ycombinator.com/item?id=6346531

So maybe you had a reason to make us sift through /. noise.

At the time, the other thread had no comments and no votes so this submission was made to hopefully help raise awareness to what John Gilmore wrote.

Considering your comment is mostly noise about the noise, rather than just the helpful link to the original source, aren't you being just as bad?

Personally I rather like to read Slashdot as at least it has some uplifting comedy which is frowned upon here. HN is like reviewing a technical manual rather than something of interest.

Slashdot was my homepage for many years, and it's still a refuge from Hacker News from time to time.

One of the posters re-posted a comment that this is a fragment of:

"The Internet was built on, and runs on, trust. Every postmaster, every network engineer, every webmaster, every system admin, every hostmaster, everyone crafting standards, everyone writing code, trusts that everyone else -- no matter how vehemently they disagree on a technical point -- is acting in good faith. The NSA, in its enormous arrogance, has single-handedly destroyed much of that trust overnight."

Commerce also runs on trust. The US dollar bill is a promise backed by debt...

In one case, I am seeing more evidence not to trust the US authorities. In the other, I am seeing evidence not to trust the US financial structure.

This current age is getting really strange/disquieting/fragile to me... (I reside in the US) Am I one of only a few? Or many?

It's feeling like that slippery slope when conspiracy theories start being found out as truth...

A conspiracy theory is actually a hypothesis which has not been proven at the end of the day. To label any hypothesis as a conspiracy theory without proper investigation is bad science however ridiculous it sounds.

The problem is not that a hypothesis has been proven but the fact we've been trained to accept that labelling something as a conspiracy theory means that we don't need to test it again and that those who are involved are not credible.

That applies to a lot of things that we think are gospel. We've been fed 'facts' without proper evaluation for a long time.

Even the traditionally crazy things such as AIDS being engineered, holocaust denial and WTC being an inside job are fair cop for scientific investigation. I'll probably get downvoted for being rational on that one which will illustrate my point.

I feel exactly the same way. (US citizen here.)

My country abuses its people and can't be trusted.

At least in the past, people had somewhere to flee to (here). Now, I don't know where to go.

It doesn't seem like it's even worth trying to fight it.

There are several movements afoot to regain locality as a source of power. Here in the US Pacific Northwest, there are a number of groups traveling and speaking about bioregions. I have heard from several eloquent speakers of first nations peoples who have a similar, healthy message to impart.

I am beginning to think something like this may be an alternative that I can put my efforts behind: Minimize my interaction with large US government and instead focus on making my small area as healthy as possible, economically, socially, regionally (eco/land), and living being health-wise (plants, animals, AND humans).

This would seem to be an extension of think globally, act locally.

IPsec is complex, so complex that it doesn't work properly. Go in shop, by 10 different firewalls, and then try to cross connect those using IPsec. I'm sure you're going to have fun time. After you manage to get the SAs connected, you'll find out that those tunnels work unreliably, connecting, disconnecting, state machine & key renegotiation totally broken etc. If it's not crap on paper, at least it is in reality. I've been using IPsec with over 50 different devices and I find it to be real pain point. Some devices do not offer all options in UI, but still have hidden values for those built in, which you don't know and need to figure out by trian and error. Devices like ZyWALL (Zyxel) and WatchGuard, StoneGate (Stonesoft) etc, have constant probelms with IPsec. If you want real challenge, things get much worse if you're using aggressive mode and dynamic IPs with DDNS etc. Then it's total disaster, even many firewalls from same manufacturer won't work properly. I just now have two ZyWALL USG 1000 boxes, that can't maintain reliable IPsec main mode tunnel between those, even if there's no network issues. There's simply something wrong with the software. Old whines: http://www.dslreports.com/forum/r25350958-Zywall-35-vs-USG-1... About null cipher downgrade attacks, simply don't allow "multiple proposals", then what's specified has to be exact match. (Or in some cases, there' list of options, which means that any option like null sipher isn't allowed.)

And here is the link to the real content: http://www.mail-archive.com/cryptography@metzdowd.com/msg123...

Bad headline. Here's what he actually said:

"Our team (FreeS/WAN) built the Linux implementation of IPSEC, but at least while I was involved in it, the packet processing code never became a default part of the Linux kernel, because of bullheadedness in the maintainer who managed that part of the kernel. Instead he built a half-baked implementation that never worked. I have no idea whether that bullheadedness was natural, or was enhanced or inspired by NSA or its stooges."

Oh really,

What I read, among other tidbits, is:"Every once in a while, someone not an NSA employee, but who had longstanding ties to NSA, would make a suggestion that reduced privacy or security" and there are a lot of similar tidbits. The headline seems justified.

Edit: per the link in the other thread. http://www.mail-archive.com/cryptography@metzdowd.com/msg123...

Edit2: I'm just saying that the article really does seem to show John Gilmore speculating that the NSA seemed to interfere with IPSEC design and implementation process. I know no more than that.

Yeah, while it's unfortunate that it happened the way it happened, his conclusions/insinuations seem a tad ridiculous.

Similar stories happen all the time for features with zero connection to security or the NSA. It's simply a sad fact of human nature and society that people act this way; conspiracy theories are not necessary (and are often harmful, as they distract from the real, if boring, issues).

"Never attribute to malice that which is adequately explained by stupidity" and all that.

Sometimes the stupidity cannot be adequately explained by stupidity.

If you try to make something idiot-proof, they'll just go and find a bigger idiot.

Never underestimate the human capacity for stupidity.

We're talking about some of the most respected and professional protocol engineers of the public internet here, not some global "biggest idiot" contest.

John Gilmore (born 1955)is one of the founders of the Electronic Frontier Foundation, the Cypherpunks mailing list, and Cygnus Solutions.

I should be such an 'idiot'.

Er, but the "stupidity" being hypothesized in this case is not John Gilmore's but rather the kernel maintainer he thinks was showing "malice."

There are tons of people out there, yes, even kernel maintainers, who are technically skilled and smart but for whatever reasons, prove to be bad at tasks like this and make bad decisions. It's usually not a conspiracy, and John Gilmore's vague handwaving isn't a very convincing demonstration that it was in this case either... :]


Every once in a while, someone not an NSA employee, but who had longstanding ties to NSA, would make a suggestion that reduced privacy or security, but which seemed to make sense when viewed by people who didn't know much about crypto. For example, using the same IV (initialization vector) throughout a session, rather than making a new one for each packet. Or, retaining a way to for this encryption protocol to specify that no encryption is to be applied.

For what it's worth, I wasn't talking about anyone... just commenting on the parent's assertion about stupidity in general.

I'm really beginning to think that the Snowden leaks came up too late, and the "intelligence-industrial-complex" might already be too big to dismantle.

They're funded through our 'representatives'. And (going by Sensenbrenner's statements lately) they'll have something to say about that when Congress rejoins.

Our representatives (no scare quotes needed) in the House came rather close to voting for a meat ax curtailment of the NSA the very first post-Snowden chance they got, and most importantly the vote didn't break on any of the usual lines like party or region.

I'd say it's way too soon to count out the normal political process, and there's recent history of the Congress doing the right thing: http://en.wikipedia.org/wiki/Church_Committee

Why not sue over waste of resources in US economy, and facilitating further computer crime?

I am thinking that we shouldn't take it personally(other than the fact that they made systems vulnerable to hackers, Chicom spies etc.)

If their job is to crack codes, our job should be to make unbreakable codes. Nothing personal, just bidness ;)

All I see here is a lot of claims with zero evidence. And some of those points e.g. a non encrypted mode seem entirely reasonable for testing purposes.

And wouldn't end to end encryption be pointless if you are trying to secure a mobile connection since the NSA has hooks into the provider's core infrastructure ?

Of course not, your logic system is inverted. Charlie intercepting communications is exactly why Alice and Bob should employ end-to-end encryption.

The whole point of end-to-end encryption is to defeat such hooks.

Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact