Slashdot Mirror

← Back to Stories (view on slashdot.org)

John Gilmore Analyzes NSA Obstruction of Crypto In IPSEC

Posted by timothy on from the many-fingers-many-pots dept.

New submitter anwyn writes "In a recent article posted on the cryptography mailing list, long time civil libertarian and free software entrepreneur John Gilmore has analyzed possible NSA obstruction of cryptography in IPSEC. He suggests that packet processing in the Linux kernel had been obstructed by one kernel developer. Gilmore suggests that the NSA has been plotting against strong cryptography on mobile phones."

6 of 362 comments (clear)

  1. I don't feel insane anymore by X.25 · · Score: 5, Informative

    For many years, I just felt that something was wrong, and would do "silly things" (I was an admin, whoops) like setup VPN tunnel, then require everyone to use SSL and client certs to access a service. So people would laugh at usage of VPN + SSL (and then certs on top of it) and ridicule it.

    Spent more than a decade trying to explain to *technical* people why self-signed certs are much more secure than 'commercial' certs, and I could never understand why people couldn't understand what I am saying. Well now I know, they simply couldn't beleive any government would do things we're seeing done.

    Been laughed at quite few times, but I can tell you that noone is laughing right now.

    And now I finally know that I am not a fucking lunatic.

    Thank you Edward Snowden.

    1. Re:I don't feel insane anymore by ledow · · Score: 4, Informative

      I always just assumed such things were good sense.

      For years people fretted over WEP and then WPA being cracked. At no time was I affected. Sure, I bumped up my wireless to use the new systems, but all the time I was using OpenVPN and other software over the link anyway.

      That thing broadcasts through the air - no way I'm trusting a single protocol, and once WEP was dead (and so badly), I certainly never trusted WPA that much either. When that was weakened, WPA2 looked shaky too. But I always had a second layer, and my usage of systems was never affected - there is basically zero overhead on a modern machine of having something like OpenVPN connect automatically over your wireless, even for gaming.

      My servers run SSH2, sure, but the same again. I don't expose the ports and only certain things get access anyway. When you can get to an SSH port, you're looking at key-based authentication with passphrases (not made on the target machine). Bam, saved myself from a ton of port spam, plus all the Debian weak-key shite, plus the problem of my remote server being compromised someone and compromising keys that were generated on it.

      It's a little paranoid, I have to admit, but when that slight paranoia - borne mainly of a desire to understand how these things work and then, when you have a working system, carrying it on throughout your use of that system - was justified, it becomes a reinforced habit.

      And when you have things like VPN daemons running at lower privilege and the only escalation to root being through SSH2 keys over that VPN (and not any other way), then you have a double-protection against things.

      Compromise of any one only gets you so far - a limited user account which can only SSH which a key you don't have, or authentication access to something which you can't VPN to anyway. It's not invincibility, but I assumed most of the Slashdot crowd would be doing similar things, just out of the same basic principle - experimentation, self-teaching, applying the same principles that we should to our work, and distrust (not of people like the NSA, but just that a protocol would eventually have a flaw discovered in it, and getting yourself twice the lifetime out of such systems).

      It's also the reason I've never touched PPTP or IPSEC. Nothing to do with the NSA or GCHQ. I just never trusted their messes as one is now completely compromised and the other was always balancing on a knife-edge anyway.

      Do people honestly NOT have this sort of double-layer protection? I mean, it won't stop GCHQ taking an interest in me, or asking my server host to butt in, but it stops things like simple compromises from ANY source walking straight into systems that they detect are running vulnerable software.

  2. Re:From Yesterday. by bmo · · Score: 3, Informative

    Just navigate to Arrogant-Bastard's profile.

    http://slashdot.org/comments.pl?sid=4173525&cid=44773249

    --
    BMO

  3. Re:History of DES by CRCulver · · Score: 3, Informative

    Just because the NSA toughened some standards in the 1970s doesn't mean they are good guys now. After all, many familiar with the inner workings of the agency have said that the mood there changed greatly after 9/11 to "privacy be damned", and the Snowden documents leaked the other day admit right now that the NSA has inserted backdoors into cryptosystems used by the general public.

  4. Re:History of DES by amorsen · · Score: 5, Informative

    It took the academic community two decades to figure out that the NSA "tweaks" actually improved the security of DES.

    The S-box tweak made DES resistant (well, more resistant) to differential attacks. The shortened key length did not improve security, it reduced security.

    --
    Finally! A year of moderation! Ready for 2019?
  5. Re:Sounds like John Gilmore has called it accurate by EnergyScholar · · Score: 1, Informative

    Parent post was also modded down [by NSA sockpuppets]. It went up to a 5, then down, then up again. Then it was stable at a 5 for while. Just now, about an hour after the story was first posted (when traffic to this thread is dropping, and a forum slide has been initiated on the front page) it was quietly modded back down. Who besides NSA sockpuppets would do that? Here's an exercise: how much would it cost to station paid sockpuppet moderators at every popular online watering hole? Is this number more or less than the available budget?