<< | Thread Index | >> ]    [ << | Date Index | >> ]

To: Hans Steegers <steegers,AT,steegers,DOT,nl>, cipe-l,AT,inka,DOT,de
Subject: Re: About P.Gutmann's critique of CIPE - etc. etc.
From: Jake Appelbaum <jacob,AT,appelbaum,DOT,net>
Date: 26 Sep 2003 14:59:11 +0200
In-reply-to: <003901c38425$3fcf1c20$d620a8c0@pcw_hans.hnsasd.priv>
References: <003901c38425$3fcf1c20$d620a8c0@pcw_hans.hnsasd.priv>

On Fri, 2003-09-26 at 13:56, Hans Steegers wrote:
> Some remarks:
> 
> 1. Appelbaum:
> >People depend on software like CIPE and it can cost them dearly if
> >situations like this aren't fixed. It's not always about business
> >either, sometimes lives are at stake. Those people might not stand up
> >and demand something be done, but someone should...
> This is an extreme exaggeration.

So are you going to tell me that there has never been a situation where
this has occurred? I highly doubt it my friend. I know otherwise.

>  If you are using CIPE in situations where
> "lives are at stake", you are a poor security consultant. 

That's right, if I was, I would be.

Thank goodness, I however, do not use CIPE when something is actually
important beyond a simple network tunnel. There isn't any need to come
down on me for your own assumptions.

> You should have
> evaluated CIPE yourself in the first place and you should have found
> yourself it isn't a heavy-weight security protocol: the protocol document is
> quite clear about that. 

It's funny. I have evaluated it myself, I assume you have also. I liked
it for it's ability to tunnel over networks using UDP. I really liked
that. I am however, not a cryptography expert and I didn't take a look
at any of the code. What really bothered me was in my first email to the
list.

> Now a bored immature KIWI-crypto researcher blurbed
> a poorly researched opinion, suddenly the sky comes down.

It really doesn't matter about those negative part of your statement on
his character. Let just focus on his knowledge. He has some really
important things to say and regardless if you dislike his delivery
method, they are not incorrect entirely.

It's great that you dislike it and that you engage in it by the way.
Showing your true colors and all that.

> Parrotting this researcher and _demanding_ "this gets fix" _NOW_ and
> critizing Olaf for not responding immediatly, 

Oh please. Can't you do anything other than insult? It's really just a
waste of bits and bytes.

Should I have been like you? Playing down CIPE's claims? No, I think
that to be irresponsible. CIPE claims to be of the highest industry
standard. You claim that this (Guttmans letter) could be a M$ FUD
campaign. 

I demanded that it gets fixed now because the direction that it had
taken on *this* list was one that was terrible. People thinking it was
secure enough because there wasn't an exploit available right now. I
mean what is all this "theory" crap, right? If I can't code the exploit
myself, then I have no ground to back it up?

I am not the only person that was put off by Olaf not responding. Not
even a response to tell people he knew about this was given for *three
days*.

> and comparing CIPE with "snake
> oil" is maybe not amazing: security experts/consultants often create fear
> with the clueless to sell "fake security"..
>  I have seen too many of them.

Again with these insults directed at me. Am I creating fear? I simply
wanted to get the word out about what was happening.

Why?

The feedback from nearly every single person on this list minus one
person (Eric M. Hopper) really put me off at the time of writing. It
said to me that someone with some serious know-how spoke up (briefly)
and other people tried to down play it.

> Please read the GPL: "provided as is".

Yes. I know this. Industry standard security protocol, as is.

>  If you want it changed, change it and
> submit your patches: that is what O.S. software is about. _Not_ _demanding_.
> In your resume you are bragging of your programming skills. So do some real
> work instead of demanding others to do it for you.

I agree, if I wanted to change it in that way, I would add a patch or
two. Perhaps even help redesign the protocol. But I am not arrogant
enough to pretend that my programming skills are up to claims of
"industry standard" in the cryptography field. I think that I am smart
enough to figure it out, but it's clear to me that it's not good enough
at this moment. The main problem here is that it seems some people can't
make this distinction on their own. I would rather steer clear of the
responsibility that comes with making very strong claims.

If you feel that my statements were unreasonable, that the CIPE main
developer shouldn't have responded ASAP, that it's all unfair and
incorrect, I disagree. That's alright with me, I don't have to get along
with everyone in the world.

>  O.S. developers are not
> the unpaid slaves of profiteers. 

Oh how funny you are, calling me a profiteer!

>  And if you need a heavy-weight security
> protocol go shopping somewhere else, 

Yes, that was what I imagined needed to be said, out loud for everyone
to hear. The claims of being "industry strength" are not true. Thanks
for confirming. 

A statement that if you need something that isn't easily cracked, messed
with or otherwise useful for anything but kids playing in tree houses
with string on cans, go somewhere else.

>instead of playing the fox in a
> henhouse.

I feel like you might be a little bitter, no?

That's really alright with me. I wanted to make a statement of the
events and publish them to people with an interest in that. It served
it's purpose. People that want to know about CIPE being secure can make
their own decision with many of the facts laid out before them, no back
peddling.

-- 
Jake Appelbaum <jacob,AT,appelbaum,DOT,net>

Attachment: signature.asc
Description: This is a digitally signed message part


<< | Thread Index | >> ]    [ << | Date Index | >> ]