"a quirk of the U.S. legal system meant that cryptography was, until the late 1990s, placed on the U.S. Munitions List, alongside semi-automatic firearms and tanks."
This was no quirk. The US government made deliberate efforts to limit the availability of encryption software, even adding it to international export control lists where it previously did not exist: http://cryptome.org/jya/wass-suks.htm
We should remember that DJB was a key person in making cryptography fully legal in the US.
«The State Department was unsympathetic to Bernstein's situation and told Bernstein he would need a license to be an arms dealer before he could simply post the text of his encryption program on the Internet. They also told him that they would deny him an export license if he actually applied for one, because his technology was too secure.
The Electronic Frontier Foundation pulled together a top-notch legal team and sued the United States government on behalf of Dan Bernstein. The court ruled, for the first time ever, that written software code is speech protected by the First Amendment. The court further ruled that the export control laws on encryption violated Bernstein's First Amendment rights by prohibiting his constitutionally protected speech. As a result, the government changed its export regulations.» From https://www.eff.org/about/history
I believe (citation needed :-)) there was (is?) a restriction on the maximum length of the private key. This was arrived at based on the computing resources available to the NSA, so that they would be able to break a cypher by brute force.
There's a very interesting passage in the book "The Code Book" towards the end as to how the inventor of PGP was harassed by slapping him with charges under Arms Export Control Act[1].
Zimmermann's law [2] is also very relevant to be mentioned here.
Yeah. I seem to remember the limit being 64-bit at the time, although maybe it was only 56-bit. Netscape used to have different download links for "American" and "International" users and put up a stern warning on the US link saying that international users couldn't grab it.
So, of course, everyone just downloaded the American edition... :)
There was the RSA t-shirt which supposedly could be classified as a munition because the source code on the shirt would provide a high enough level of encryption:
PGP released a really nicely bound version of their source code typeset in an OCR font that they exported because a book would theoretically fall under the First Amendment:
Instructions to produce a nuclear bomb also fall under the First Amendment.
There was a contradiction in the laws. That's hardly novel or unprecedented. The higher courts pretty much spend all day dealing with contradictions in laws.
Cryptography is a defensive weapon. Zero-days on the other hand, are an offensive weapon. There are distinctions between helmets and clubs, you know, and the law should recognize these.
There are also laws against defensive items being owned by civilians as well. I disagree with them, but when I had an officer friend tell me my dragon skin armor I bought and used in Iraq was technically illegal now that I am a "civilian", that was one of the moments when I realized how much damage the national security state has done to the constitution.
I expect incoming comments about the LA bank robbery in 3, 2, 1...
I think danielweber is referring to systems designed to intercept and destroy ballistic missiles, not to ballistic missiles used for defensive purposes
>The kind of cryptography that lets people communicate securely?
I don't know of any other kinds of cryptography...
>Belongs on the same list as physical objects that are intended to pierce walls and flesh?
War has a lot less to do with shooting people and a lot more to do with information than you seem to appreciate.
The public algorithms are public and there is no need or usefulness in export restrictions now on things known worldwide (and the usefulness of such restrictions was gone for a considerable time before they were lifted).
This seems a bit harsh, perhaps. Bletchley Park was still in the minds of many people. It would have been conventional wisdom to keep this stuff away from "bad guys". Recall, GPS was spoofed at this stage as well for civilian purposes. The other issue--although perhaps unsaid--is that ultimately this may have hastened tactics to make HW insecure, and to collect undisclosed/zero-day exploits in widespread SW and other things that could compromise a comms system that was perceived to be secure.
It kind of made sense during the pre-Internet Cold War days when the only people with use for strong cryptography were nations and their militaries. These days it's just silly.
The US makes a lot of money from the government allowing defense contractors to sell the stuff they design for it to its allies as well. The munitions-export provisions exist because, although we aren't too worried about our allies reselling the tents or latrines we send them to our enemies, we really don't like the idea of having the guns we've manufactured pointed back at us.
A secure softphone implementing http://en.wikipedia.org/wiki/NSA_Suite_A_Cryptography is a lot more like a gun than it is like a tent or a latrine, in terms of what an enemy nation that gets their hands on it will do with it.
The "Taliban" were never armed by the US. There were some members who were US allies during the Soviet-Afghan war. Just like there are some members of the Northern Alliance, a US ally during the Afghan campaign, who were allies of the Soviet Union.
In the end one war ended and groups broke up. Then the next war came and alliances had changed.
The names may have changed but the people didn't. We funded Gulbuddin Hekmatyar, and provided numerous FIM-92 Stingers, which after the war was over turned into the buyback fiasco, where many of these Stingers were never recovered.
Not to mention the third-party plausible deniability effect, through which arms may not have passed directly to the "Muj" or Taliban, but were supplied by the US.
So to say the "Taliban" were never armed is completely factually incorrect, both in relevance to the Soviet war and the current one.
If you want to learn more about the US involvement as the number one arms dealer in the world, the revised Shadow Factory book is out and worth the long read.
> So to say the "Taliban" were never armed is completely factually incorrect
By this logic the US has armed every one of its enemies. I said the US never armed the Taliban. You are saying that through enough backchannels and shifting alliances the US did arm the Taliban. Now who is being obtuse?
The US funnelled hundreds of millions of $ through Pakistan to help fund the Mujahideen in Afghanistan. The CIA also provided direct support, in training and weapons, etc.
Here's an Afghan with a Stinger missile (and there are lots of similar photos), which was not sold on the open market then and could realistically only have been acquired in bulk with US government assistance:
So, would that also cover citizens? As in, if I made my own encryption method and then supplied that to some friends overseas, would that be violating munitions exporting if crypto was still covered?
Essentially, yes. A well educated person with the motivation and no cooperation from existing tech is very much capable of making the state department rather unhappy by exporting their own creation.
Few things are more valuable in war than the secrecy of long distance communications. Though we haven't been at a conflict which posed any credible threat for the better part of a century, holding on to technological advantages when they're fresh is in our best interest and in the best interest of the American Peace we have going.
It's fairly unfortunate that a majority of computer technology is imported from foreign manufacturers for many reasons, but export control isn't really one of them.
Supercomputers, yes ... general components... not particularly.
In a lot of ways 'modern' computer technology isn't all that essential. It certainly isn't present in a whole lot of our military hardware because of realities of acquiring and maintaining such hardware _and_ the lack of an exponential increase of computing needs to match capabilities.
In fewer words, computer technology is valuable, but not extremely so. Restricting the flow of anything remotely related to consumer computer tech wouldn't have much benefit, even if it were possible considering most of it is made in Asia.
Then just focus on basic computer technology. Restricting the export of semiconductors in the early 60s could have created a significant advantage for the US, but it would be absurd to support a decision like that.
Military benefit alone is not enough to justify an export restriction, one has to consider the cost on society as a whole. The cost of restricting the export of cryptography is too large to justify.
The processors and basic hardware have been mostly commodity since the mid 90s, the interconnects and related technology have mostly been specialized hardware though you could always do grid computing with Ethernet and the like.
True. Things like the Crays have their own specialized interconnects and OS (on work nodes). A lot of things that aren't trying to be in the top can use Fibre Channel for similar results, though.
Does "ultimatum" and "raft of complicated last-minute changes" not raise anyone else's tinfoil paranoia alarms?
Those commits should get significant scrutiny, because it sounds like US/CA govt were given an indirect opportunity to push whatever changes it wanted AND rushed code isn't necessarily the best either.
I read that part as the approval process required X changes that the OpenSSL team had to implement themselves. I don't believe the approving party was asking the OpenSSL team to commit code they were supplying.
I find it a great shame that literally a handful of independent individuals take on responsibility compensated at a minuscule fraction of what those that directly benefit from it receive: ISPs, Certificate Providers (particularly certificate providers, absolving themselves of accountability for potential loss) and Hosting Providers.
I find no shame in people choosing to give something away without asking for compensation.
I find no shame in an economy which contains a significant amount of resources given gratis by choice.
I do find shame in the insistence that everyone who gets a whiff of usefulness of some creation owes the creator (or the descendants of the owner of the creation) a toll.
Yes, but GP wasn't advocating some sort of Disneyesque intellectual property regime. On the contrary, GP is pointing out that a lot of big, rich companies and their investors have been freeloading off the volunteer work of these 2 guys. So it's a "shame" in the sense of being an unfortunate situation. It's not illegal. Maybe it's not even unethical. But it is a damn shame.
That's a consequence of being open source. All the main open source licenses mean that anyone would be able to use OpenSSL without paying a cent to the creators.
Advocates of open source often claim that creators of open source software can make money by selling services to users, like consulting services. As this article (and others) describe, this approach also didn't work that well for the OpenSSL team.
My perspective is principally the harmony or conflict of the open source -ness of OpenSSL, and the Tragedy of the Commons https://en.wikipedia.org/wiki/Tragedy_of_the_commons of all using a resource while few feeling the need to compensate.
It is interesting that open source has often found solutions around this 'tragedy' - ownership (contributing or forking) vs access (using) - but I feel a shame that those that work hard towards creating a public good (OpenSSL) only receive recognition when things go wrong, while those that have criticised (the possibly competing consultancies, perhaps) have themselves not forked or recreated a better solution, as it seems having the ability, confidence or willingness to carry the risk to credibility (for a better solution), or knowingly taken advantage of an exploit, is more profitable than giving back.
tl;dr I admire these Steves and other contributors very much, and wish they get what they deserve. I guess the world of Star Trek is still somewhat way off.
Another possibility is that CommercialSSL becomes a product that takes a page from the Oracle playbook and panders to selling to these large enterprises, with little care for the needs of smaller businesses.
As a creator and a consumer, I think one has to not resent giving away something. Don't expect compensation, but ask for it if it's necessary to accomplish something as a stretch goal up from free. Also, there is value derived from street cred and it's better than a résumé.
You would've thought that after getting bitten by it, the Zucks, Brins, etc. of the world would've been happy to kick in a few million apiece to ensure part of the critical underpinning of their services is a bit more bulletproof.
Without having any idea of the numbers otherwise, could this not be a reasonably cost-effective approach to security? Making sure the OSS projects you draw on are properly funded so they can shoulder some of the security responsibility must be easier than employing your own army of security savants to do the same thing internally? I'd love to hear more info on whether this is or isn't a good approach.
I suspect that most corporates use FOSS not because of any philosophical support for it but simply because it's cheap and available.
If it's going to start costing them money then it would raise the question why not spend that money internally where they have complete control of the direction of the project and where only they (rather than their competitors) will get the benefit from it.
That's not to say that what you say isn't workable, just that it's not aligned with much default corporate thinking which makes it somewhat less likely.
Right, but the amount, 3.9 million, to support not only OpenSSL but multiple other projects is so minuscule, relatively speaking, that it is astounding. This "civilization"'s priorities are so ludicrous. 3.9 million is probably a tiny fraction of the amount Google earned through ads selling blowjob videos last year.
Buzzfeed seem to be partly rebranding themselves with high-quality long articles. I thought this was excellent: http://www.buzzfeed.com/bensmith/tom-lehrer (and posted it to HN to no avail). So yes, we've upgraded Buzzfeed from banned (stories get auto-killed) to lightweight (stories get a penalty, which moderators can override). A moderator saw the OP and marked it as solid.
Lightweight sites are an uncanny valley for HN. We can't un-penalize them without the site being overrun with fluff. But we don't want to miss any solid articles, either. It requires human intervention to tell the two apart, and we neither see everything nor necessarily see things in time.
I have some ideas for writing software to help with this conundrum, but won't be able to get to that (or the dozens of other things on our list) until my ongoing moderation-comment blitz subsides.
Serious question: Does the HN moderating staff have any ethical concerns about supporting Buzzfeed, regardless of article quality? Not even delving into their business model (which can be politely defined as "parasitic"), I'd guess at least half of all their content is blatantly plagiarized... at best "lightly" ripped from others. Last time I checked they also continued to use copyrighted and restricted licensed content without permission or payment.
That, unfortunately, is true of many of the most commonly posted sites to HN. Our policy is to keep the rip-offs off the front page, and whenever possible replace them with links to original sources. That's harder than it sounds. Banning all of these sites, though, wouldn't be good for HN, assuming they also produce substantive work.
Buzzfeed have done themselves very considerable harm with their earlier tactics. Enough that I look on the URL with extreme prejudice.
I've got a custom CSS I apply to the site (I refer to it as "unbuzzed") which strips all the viral crap from it. And checking quickly w/o my CSS applied, I see that while some of the site's content may be quality, much of it still matches my recollection of it.
Given that, I feel that supporting the site in any way condones a behavior which is, IMO, very highly toxic.
I'd prefer "banned unless moderator overrides" be in place, and I think actually, keeping the ban in place would be even better. It's weaponized clickbait.
As for lightweight stories: they're, net net, toxic.
If there's lightweight coverage of a topic, there's almost certainly a heavyweight coverage somewhere. Almost always upstream (source study, report, release, comments), occasionally in a detailed analysis commentary.
My focus for much of the past year and some has been "big issues": population, resources, sustainability. Of which a significant component is energy. The good news is that there's huge amount of research going into advanced energy technology: new methods of capturing, converting, storing, or using it. And virtually ALL of it is absolute, total, complete, 2000% bullshit in terms of actual informational value.
In one case (the Habanero enhanced geothermal well project in Australia), I found that reading the company in question's own financial filings with the Australian securities regulator was far more informative than the ... whitewashed is putting too pretty a face on it ... completely useless press "progress" report. If attaining 2% of your initial generation goal in 5x the time and 10x the budget is "success", well, I don't know what to say.
The problem is when the crap reporting of useless bullshit makes it difficult to see through crap reporting of the good stuff out there. The US Navy Research Lab's recently (past month) publicized research on electricity-to-fuel synthesis from seawater was abysmal. But the underlying technology and story are actually among the better prospects out there in terms of not only providing moderate-scale liquid fuel sources for the future, but very large (national or global) potential, with high-but-tractable costs, and with applications to utilizing surplus intermittent generating capacity for fuel synthesis and long-term storage (diesel fuel stores well). But the 1) profusion of crap elsewhere and 2) abysmal quality of the reporting on this technology made this almost impossible to see.
I still think my own write-up (which could use some improving) is among the best there is on the topic:
>Enough that I look on the URL with extreme prejudice. //
Which is fair enough, but do you think HN should be pandering to your prejudices? Isn't it better to ignore all prejudices and judge the story on the text, information, presentation it carries?
You can flag stories, you can link a better source within the thread, but ultimately you have to trust the community to regulate itself or seek a differently structured community.
Personally I'm finding the more I learn about the editorial policies of HN the more worried I am - I thought it was meritocratic, without grudges and prejudices but instead I find that there are secret editorial policies and over-bearing moderations.
Fine, if HN is to be curated then let that be clear; post a list of banned sites, for example. Don't pretend it's user moderated when the postings are being heavily censored. [I'm not saying curation is wrong, just that it makes it a different beast and that secretly moderating the content and having ban-lists and such is wrong IMO].
The site has always been curated, from day one. What's changed is not that there are new secret policies, but that the moderators are now sharing them with you; HN is more transparent today than it has ever been.
If you want a pure user-generated user-moderated experience, that's fine and totally reasonable. Go to Reddit. That's what they're about. HN is not Reddit.
Which is the point, it's never been explicit IMO that shadowbanning and URL black lists are part of the site. Finding out that's the case is unnerving, what other manipulations are going on under the hood that normal users aren't aware of. That's why I say IMO, to be forthright, one should make these things publicly known - there should be a page giving the list of moderators, what powers they have, what URLs are banned, what procedures (like shadowbanning) are used, ...
The FAQ says there are editors, and indeed it tells us now that there are 30 of them. It says they can edit, ban users; but it doesn't say that they block entire sites or anything of that sort. It doesn't mention hellbanning/shadowbanning and such.
The little inklings of the secret undercurrents strongly suggest that there would be, for example, manipulation of story rankings and such. I'm not saying that happens but with such an opaque system it seems most likely. The feeling starts rising then that one is in a "Disney for adults" where you're being manipulated to the extreme but you're not really conscious of it.
"Little inklings of secret undercurrents" strikes me as pretty silly (though delightfully written!) since I've done nothing for the last month but plaster the site with transparency and feedback. I have a list of dozens of things we can do to make HN better, and haven't been able to get to any of them since becoming public as moderator—I've been doing nothing but answering questions, explaining things, and worrying about answering questions and explaining things.
If, after massive effort, some people still accuse us of every insidious practice in the book, I'm doubtful that the lesson to draw is "try harder". It might be, if (a) there were a hope of convincing everybody, (b) it weren't very costly, and (c) it didn't prevent us from doing other important things. But (b) and (c) are definitely not true, and it's looking sadly like (a) isn't either.
As I just wrote above: I'm more than happy with the methods of shadowbanning / hellbanning and of URL blacklists.
Noting these more prominently in the HN FAQ, or simply noting that this is a managed site, wouldn't be a bad thing IMO. The black hats have already figured it out, the driven-snow innocents will have their bubbles gently burst, and those of us who've been around the block a few times will just nod sagely.
NB: not to say that some hellbans / shadowbans don't seem to be perhaps misapplied. One thing I've encountered on many systems is that while blocks and bans are features, they don't leave a trace (or much of one) as to when the block/ban was instituted, or why. Google+'s "block" feature (and management of it) are among the worst I've encountered. Reddit's moderation log isn't a complete solution but at least provides a complete registry of what admin actions have been undertaken, by whom, and when.
I'm also a big fan of time-outs, both automated and manually applied. Minutes, hours, days, weeks, months, years/forever.
Yes, since you joined you've been vocal and overt in your editing practices so far as I've noticed, and that's appreciated.
I'm reacting - I thought this site centred around values where merit rose above appearance. The implementation of a block list for certain domains seems to move sharply against that. Perhaps I missed the memo where it was mentioned that certain sites are banned from submission to HN. If a domain is getting spammed to the submission page then I can understand it being blocked but interesting stories/commentaries can centre around rubbish and abusive domains; I thought we [HN] rode above all that, that's all.
Blocking low quality domains is a good thing to some extent, it's just not being aware that's how the site runs that makes it surprising/unnerving. Steering the site to maintain focus requires controlling the submissions accepted, of course; just I thought this was being done using flagging and upvotes [alone] in the open. Ergo, my reaction. Maybe like finding your straight-laced lawyer has nipple-rings.
All the stuff you're talking about has been the case not only for years, but since the beginning of HN. I'll venture, also, that what you'd actually get if HN worked the way you imagined it did is a much, much lower-quality site. Indeed, HN would never have been HN. You're free not to believe that, of course.
There certainly are some drawbacks to transparency!
The shadowbans and blacklists are sort of an open secret (though this wasn't always the case). I'd prefer a bit more transparency on this.
Truth is, though, that it's virtually impossible to run any user-contribution-based forum without such controls. Turns out that most people aren't assholes, but there's just enough that things go pear-shaped without controls.
It's something I've long pondered, turns out, reading up on Geoffrey West and his scaling effects that both positive and negative scale effects follow pretty much the same growth laws, they just have different constants. For cities, both economic activity and crime will rise with size, at about the same rate. Which means that though there's a greater economic benefit to larger cities, you'll also have to increase police spending.
My point is that Buzzfeed, still, commits the crimes for which I first indicted it (if only in my own mind). Which for numerous and profound reasons I see as a Very Bad Thing.
Tossing the occasional sacrificial treat to those who prefer real meat, while continuing to attach their weaponized clickbait to their site's pages, does nothing to redeem them.
I'm aware that dang is a mod here, but I thought I'd share my PoV. He's welcome to consider it or not. But I flagged this item and will continue to do so for other Buzzfeed, or similarly weaponized-clickbait-laden, sites.
As for banning sites -- HN has apparently been doing that without significant notice to date. If you've got an issue with that, take it up with dang.
I feel that a mix of user-selection and site editorial voice is one of the few ways that a site or channel can maintain its focus -- see the degradation of numerous reddits (e.g., /r/dataisbeautiful is rather much more "data is interesting". I've not seen a truly innovative graphical presentation of data there for quite a while, and numerous craptacular infographic presentations (prohibited by subreddit guidelines) where the primary focus seems to be that the underlying data, or more usually, the subject of the underlying data, is intriguing. While that's fine and good, it's not the focus of the subreddit).
Others I can think of do markedly worse.
A good curation system will balance what's happening in the outside world, reader interests, and editorial voice. There's no surefire method, there's an art to it. I actually really like several of the posts dang's submitted (which I'll note go through the same moderation queue everything else does), even the ones which don't hit the front page.
Buzzfeed, AFAIK, was blacklisted from HN for awhile, but it looks like the new mod regime has taken off the blanket ban...and that's a good thing. The majority of Buzzfeed is still linkbait but they do have sections written by real reporters, with some of the best writing and research I've seen from online outlets. My personal favorite was this in-depth exoneration of MSG: http://www.buzzfeed.com/johnmahoney/the-notorious-msgs-unlik...
disclosure: one of my former colleagues is a Buzzfeed editor (http://www.usatoday.com/story/money/columnist/rieder/2014/02...), and he's been in charge of hiring an investigations team. He's a Pulitzer winner himself and just hired one of this year's Pulitzer winners, as well as a Pulitzer finalist (HN user jsvine)...the late Michael Hastings was doing investigative reporting for Buzzfeed before his untimely death. So the investment they're putting into non-listicle-journalism is non-trivial.
It's really too bad that they're mixing the in-depth coverage and the crap on the same domain. It indelibly taints their better articles with the stink of their low-quality drivel. On the whole, the site is a worthless spam farm that steals content from reddit and other sources. The existence of a handful of good stories isn't enough to overcome that reputation.
Buzzfeed has some great longform articles too. Their piece on the history of the AUMF is great (especially for those who weren't paying attention/were too young to care at the time).
IMHO, the original title reflects the tone and content of the article. I didn't feel cheated when I clicked on it, so I don't really consider it linkbait.
I actually liked the original title better, as it communicated the main point of the article -- that a ton of critical infrastructure is riding on the shoulders of a very small number of people -- better. Changing it to "Steve Marquess and Stephen Henson of OpenSSL" doesn't really get that point across, since it doesn't make clear that Marquess and Henson essentially are OpenSSL.
EDIT: It is definitely refreshing to see editorial decisions like this being explained clearly, though, and the community being asked to provide feedback. So my thanks to dang for that, even if we disagree about the title :-D
There are a lot of really interesting problems and projects in the world that nobody is interested in paying for. If you want to do these interesting things, you have to do it outside of the marketplace.
Alternatively, there is a trade-off in selling your labour in the marketplace: you are no longer in a position to dictate the terms of your labour, and you potentially lose control over the product of your labour.
> Honestly, I don't get why super talented people work for free.
In some cases it's a better way of accomplishing what you want than doing it for money. If you want to give people more security, for example, you'll probably get a wider audience and more impact with FOSS software.
Should Tim Berners-Lee have charged for his new idea? You might not be reading this in a web browser if he did.
I think being genuinely talented at something usually comes with an inability to sell oneself. The super talented types enjoy solving problems and learning complex things much more than they care about making money, and probably doubt their own ability.
> In fact, a quirk of the U.S. legal system meant that cryptography was, until the late 1990s, placed on the U.S. Munitions List, alongside semi-automatic firearms and tanks.
Should this be in the past tense? I thought crypto exports from the US were still restricted.
It's still restricted, but not on the munitions list anymore:
Legal challenges by Peter Junger and other civil libertarians and privacy advocates, the widespread availability of encryption software outside the U.S., and the perception by many companies that adverse publicity about weak encryption was limiting their sales and the growth of e-commerce, led to a series of relaxations in US export controls, culminating in 1996 in President Bill Clinton signing the Executive order 13026 transferring the commercial encryption from the Munition List to the Commerce Control List. Furthermore, the order stated that, "the software shall not be considered or treated as 'technology'" in the sense of Export Administration Regulations. This order permitted the United States Department of Commerce to implement rules that greatly simplified the export of commercial and open source software containing cryptography, which they did in 2000.
It looks like most of the OpenSSL team[1] is outside the US, except Marquess, the businessman. It looks like OpenBSD is developed and released from Canada.[2]
I tried reading the Wikipedia article you linked, and something from the Bureau of Industry and Security[3], and my eyes glazed over. I think the upshot is developing an open source crypto library in the US just won't work.
Have you ever tried inventorying the free software you use and paying a fair price for it?
I looked into it for a small IT business. For one thing, the list was very long, longer than I expected; just consider browser extensions. For another, inventorying the free software and especially making all those small payments is very time-consuming. Finally, the costs add up. Given the money and especially time involved in paying, I wouldn't be using a lot of these programs (again, think of browser extensions).
I know micro-transactions aren't a new idea, but our payment system is a debilitating bottleneck; transactions are far too slow for the speed at which I can obtain new products. What happened to micro-transactions?
"Marquess, a consultant for the Department of Defense"
Maybe I haven't been following this close enough but has anyone questioned whether or not it is perhaps a conflict of interest to be a consultant for the "Department of Defense" while also being a principal contributor to a project like OpenSSL?
I think it's about the only way to do so. Navigating a complex bureaucracy like the DoD requires an insider's knowledge. Not everyone who works for complex bureaucracies is evil; many are trying to help them be better (or at least direct its energies at things that are productive to the public).
The bigger problem that seemed to surface through this article is the sense of the "ubercoder" who singlehandedly runs a major project because they can't work with anyone else. I don't know if it was sensationalized by the author of the article, but it does strike me as a major problem in a lot of open source software. IMO, something like OpenSSL is important enough that it should be run by a non-profit.