Slashdot Mirror

← Back to Stories (view on slashdot.org)

Linux Crypto Packages Demolished

Posted by simoniker on from the security-is-all-relative dept.

SiliconEntity writes "Cryptographer and security expert Peter Gutmann has demolished several Linux security software packages in a recent posting to the cryptography mailing list. He says, 'It's possible to create insecure 'security' products just as readily with open-source as with closed-source software. CIPE and vtun must be the OSS community's answer to Microsoft's PPTP implementation. What's even worse is that some of the flaws were pointed out nearly two years ago, but despite the hype about open-source products being quicker with security fixes, some of the protocols still haven't been fixed.'"

6 of 404 comments (clear)

  1. CIPE by dnoyeb · · Score: 5, Informative

    When I investigated CIPE for the first time two days ago, I read somewhere on the site that it didn't work yet, or that it provided no security. How can you critize a package for being insecure when they tell you it is?

    Did I miss something?

    1. Re:CIPE by cmowire · · Score: 5, Informative

      The CIPE FAQ claims that CIPE is "Industry Strength".

      --
      Gentoo Sucks
  2. Re:What a great Quote by stinkfoot · · Score: 5, Informative
    it's a reference to an episode of "The Brass Eye" by Chris Morris, brilliant comedian and media hacker. here's a transcript:

    http://www.glgarden.org/foreverman/brasseye.html

    (if you're impatient, click "page 2" and search for "sound wave".)

  3. Debian to the rescue! (Re:GPG is also a disas...) by Anonymous Coward · · Score: 5, Informative

    Package: libgpgme11
    Description: GPGME - GnuPG Made Easy
    GPGME is a wrapper library which provides a C API to access some of the GnuPG functions, such as encrypt, decrypt, sign, verify, ...

    Can I hump your skull now?

  4. I think I see why these haven't been fixed. by RealAlaskan · · Score: 5, Informative
    From Freshmeat: CIPE
    Rating: 8.35/10.00 (Rank N/A)
    Vitality: 0.01% (Rank 4941)
    Popularity: 2.72% (Rank 1001)

    VTUN
    Rating: 8.55/10.00 (Rank N/A)
    Vitality: 0.02% (Rank 2787)
    Popularity: 2.69% (Rank 1017)

    Neither of these projects are dead, quite, but neither is terribly active, either. Sourceforge shows one developer for CIPE, for example.

    As an earlier post said, crypto demands skills which aren't generally available, in an unusual combination. Many competent eyes make bugs shallow. Many competent coders make bugfixes quick. It looks as if those packages haven't drawn the competent eyes and coders yet.

    Maybe Mr. Gutman's post will draw some good folks who are able to do the work to these projects. Or maybe it will inspire the maintainers to simply let them fade away. Either way, we're better off for his efforts.

    A third possibility is that folks will just not care. Gutman tells us:

    - These programs have been around for years (CIPE goes back to 1996 and vtun to 1998) and (apparently) have quite sizeable user communities without anyone having noticed (or caring, after flaws were pointed out) that they have security problems.
    This kind of thing needs to be fixed or abandoned; bad security is worse than no security
    --
    See what I've been reading.
  5. False by malaba · · Score: 5, Informative

    VTun has been updated
    in 2002 and 2003.
    Check their homepage:

    http://vtun.sourceforge.net/

    Maybe only small update.