<< | Thread Index | >> ]    [ << | Date Index | >> ]

To: "CIPE-list" <cipe-l,AT,inka,DOT,de>
Subject: Re: About P.Gutmann's critique of CIPE - etc. etc.
From: "Hans Steegers" <hsx,AT,dds,DOT,nl>
Date: Fri, 26 Sep 2003 13:56:40 +0200
Reply-to: "Hans Steegers" <steegers,AT,steegers,DOT,nl>

Some remarks:

1. Appelbaum:
>People depend on software like CIPE and it can cost them dearly if
>situations like this aren't fixed. It's not always about business
>either, sometimes lives are at stake. Those people might not stand up
>and demand something be done, but someone should...
This is an extreme exaggeration. If you are using CIPE in situations where
"lives are at stake", you are a poor security consultant. You should have
evaluated CIPE yourself in the first place and you should have found
yourself it isn't a heavy-weight security protocol: the protocol document is
quite clear about that. Now a bored immature KIWI-crypto researcher blurbed
a poorly researched opinion, suddenly the sky comes down.
Parrotting this researcher and _demanding_ "this gets fix" _NOW_ and
critizing Olaf for not responding immediatly, and comparing CIPE with "snake
oil" is maybe not amazing: security experts/consultants often create fear
with the clueless to sell "fake security".. I have seen too many of them.
Please read the GPL: "provided as is". If you want it changed, change it and
submit your patches: that is what O.S. software is about. _Not_ _demanding_.
In your resume you are bragging of your programming skills. So do some real
work instead of demanding others to do it for you. O.S. developers are not
the unpaid slaves of profiteers.  And if you need a heavy-weight security
protocol go shopping somewhere else, instead of playing the fox in a
henhouse.

2. P. Gutmann's Coda to "Linux's answer to MS-PPTP"
In this second posting P.G. backs down a little and doesn't mention CIPE at
all, but acknowlegdes (talking about OpenVPN):
"Overall, the choice of how to handle this [message insertion or deletion]
is a tradeoff: You can either have protection against message insertion
(strictly speaking, message replay), deletion, and reordering, but the first
occurence of UDP unreliability will be detected as an attack by the security
layer and the connection terminated, or you can have the ability to live
with UDP's unreliability, at the cost of not detecting
insertion/deletion/reordering at the VPN level." Which is also applicable to
CIPE.
If you depend on CIPE for protection against "message insertion or
deletion", you are using the wrong protocol.

3. OpenVPN - James Yonan
Your contribution is very informative and OpenVPN looks like an alternative
in many occasions. Being user-space it can use libraries, which is
impossible or undesirable for a kernel module. OpenVPN is promising, but
young and still has to prove itself. And please don't make it a religion.
Tribalisme should be avoided.

4. Olaf's response
I am happy with his response: to the point with only essentials, and
hopefully brings the discussion back to sane proportions.
He deserves respect for his donations to the community and _not_ the
derogatory and insufficient researched criticism from P. Gutmann and
parrots.
I respect his decision to stop maintaining CIPE.

5. Allan Latham,  Damion Wilson, ...
I agree fully: parrotting and panic-mongering doen't help anybody.
If the protocol needs to be changed: only based on credible and proper
research, and not based on ad-hoc panic created by people who never
contributed to the list and/or only profiteered.

6. CIPE is _NOT_ fundamentally flawed and _BEYOND_REPAIR_, but can and
should be improved and there is _NO_ emergency that needs an immediate fix.
If you think otherwise, don't use CIPE, or submit a patch with your fix to
your problem.

7. Mark Smith
I agree: Now is the time to start a developer's thread.

8. I am not going to waste more time with pointless discussions. I am
willing to invest time to help further develop CIPE with people who also
want to do some real work instead of only talking about it.

9. There must be many clueless people on this list: I am receiving an
increasing lot of Gibe.F infected mail from list members since Sept 19.

** PLEASE NOTE: MICROSOFT DOES NOT SEND PATCHES BY EMAIL **
If you believed this (beautifully) faked email, PLEASE DISINFECT YOUR
COMPUTER FROM the Gibe.F worm NOW!

Best regards,

Hans Steegers


<< | Thread Index | >> ]    [ << | Date Index | >> ]