"Jake Appelbaum" <jacob,AT,appelbaum,DOT,net>, cipe-l,AT,inka,DOT,de
Re: About P.Gutmann's critique of CIPE - etc. etc.
Fri, 26 Sep 2003 11:39:43 -0300 (BRT)
List, Hans, Jake:
I agree with Jake's point of view entirely.
If the Open community as a block one day begins to agree to the Hans
theory of "wants_best_do_it_yourself and maney_or_nothing", Linux as OS -
for example - could be at the very first line of code, hopefully we have
people like Linus - himself, Alan Cox, Marcelo Tosatti and many others and
we all were using Redmond Perl's...
If Olaf gets out from the devel team, I start right now to migrate to
FreeS/WAN or OpenVPN: I don't believe in the integrity of a creature that
is abandoned by its creators in the middle of the journey. Either the
project is perceived to arrive "where we dream" or we better go fishing.
Nothing is more disappointing than using or contributing to something in which we do
not have faith or trust, even for free.
> On Fri, 2003-09-26 at 13:56, Hans Steegers wrote:
>> Some remarks:
>> 1. Appelbaum:
>> >People depend on software like CIPE and it can cost them dearly if
>> >situations like this aren't fixed. It's not always about business
>> >either, sometimes lives are at stake. Those people might not stand up
>> >and demand something be done, but someone should...
>> This is an extreme exaggeration.
> So are you going to tell me that there has never been a situation where
> this has occurred? I highly doubt it my friend. I know otherwise.
>> If you are using CIPE in situations where
>> "lives are at stake", you are a poor security consultant.
> That's right, if I was, I would be.
> Thank goodness, I however, do not use CIPE when something is actually
> important beyond a simple network tunnel. There isn't any need to come
> down on me for your own assumptions.
>> You should have
>> evaluated CIPE yourself in the first place and you should have found
>> yourself it isn't a heavy-weight security protocol: the protocol
>> document is
>> quite clear about that.
> It's funny. I have evaluated it myself, I assume you have also. I liked
> it for its ability to tunnel over networks using UDP. I really liked
> that. I am however, not a cryptography expert and I didn't take a look
> at any of the code. What really bothered me was in my first email to the
>> Now a bored immature KIWI-crypto researcher blurbed
>> a poorly researched opinion, suddenly the sky comes down.
> It really doesn't matter about that negative part of your statement on
> his character. Let's just focus on his knowledge. He has some really
> important things to say and regardless if you dislike his delivery
> method, they are not incorrect entirely.
> It's great that you dislike it and that you engage in it by the way.
> Showing your true colors and all that.
>> Parroting this researcher and _demanding_ "this gets fixed" _NOW_ and
>> criticizing Olaf for not responding immediately,
> Oh please. Can't you do anything other than insult? It's really just a
> waste of bits and bytes.
> Should I have been like you? Playing down CIPE's claims? No, I think
> that to be irresponsible. CIPE claims to be of the highest industry
> standard. You claim that this (Gutmann's letter) could be a M$ FUD
> I demanded that it gets fixed now because the direction that it had
> taken on *this* list was one that was terrible. People thinking it was
> secure enough because there wasn't an exploit available right now. I
> mean what is all this "theory" crap, right? If I can't code the exploit
> myself, then I have no ground to back it up?
> I am not the only person that was put off by Olaf not responding. Not
> even a response to tell people he knew about this was given for *three
>> and comparing CIPE with "snake
>> oil" is maybe not amazing: security experts/consultants often create
>> with the clueless to sell "fake security"..
>> I have seen too many of them.
> Again with these insults directed at me. Am I creating fear? I simply
> wanted to get the word out about what was happening.
> The feedback from nearly every single person on this list minus one
> person (Eric M. Hopper) really put me off at the time of writing. It
> said to me that someone with some serious know-how spoke up (briefly)
> and other people tried to down play it.
>> Please read the GPL: "provided as is".
> Yes. I know this. Industry standard security protocol, as is.
>> If you want it changed, change it and
>> submit your patches: that is what O.S. software is about. _Not_
>> In your resume you are bragging of your programming skills. So do some
>> work instead of demanding others to do it for you.
> I agree, if I wanted to change it in that way, I would add a patch or
> two. Perhaps even help redesign the protocol. But I am not arrogant
> enough to pretend that my programming skills are up to claims of
> "industry standard" in the cryptography field. I think that I am smart
> enough to figure it out, but it's clear to me that it's not good enough
> at this moment. The main problem here is that it seems some people can't
> make this distinction on their own. I would rather steer clear of the
> responsibility that comes with making very strong claims.
> If you feel that my statements were unreasonable, that the CIPE main
> developer shouldn't have responded ASAP, that it's all unfair and
> incorrect, I disagree. That's alright with me, I don't have to get along
> with everyone in the world.
>> O.S. developers are not
>> the unpaid slaves of profiteers.
> Oh how funny you are, calling me a profiteer!
>> And if you need a heavy-weight security
>> protocol go shopping somewhere else,
> Yes, that was what I imagined needed to be said, out loud for everyone
> to hear. The claims of being "industry strength" are not true. Thanks
> for confirming.
> A statement that if you need something that isn't easily cracked, messed
> with or otherwise useful for anything but kids playing in tree houses
> with string on cans, go somewhere else.
>> instead of playing the fox in a
> I feel like you might be a little bitter, no?
> That's really alright with me. I wanted to make a statement of the
> events and publish them to people with an interest in that. It served
> its purpose. People that want to know about CIPE being secure can make
> their own decision with many of the facts laid out before them, no back
> Jake Appelbaum <jacob,AT,appelbaum,DOT,net>