Europe Sets Encryption free, USA Protests
Jor writes "This (English) article on Telepolis (German site) says that the European ministers of Foreign Affairs are expected to decide next Monday (27th) to drop all export regulations regarding encryption software to countries outside the European Union. The article also points out that the USA are pretty pissed off by this decision."
Then the shaped charge was invented. Anti-armor tech caught up with armor tech.
Until we come up with better technology to crack encryption (IANACF - I am not a crypto freak), people are SOL trying to poke through modern crypto schemes.
But the answer isn't to try and keep people from designing the armor. The answer is to develop a better method of defeating the armor. To try and stop the progression of crypto technology is stupid and, at best, a delaying action. The only benefit the efforts of the US Government will have are on the economics of non-US crypto companies.
what can be explained by stupidity.
In any case, it's always been easy to get strong encryption in the US, so your argument makes no sense whatever.
On the flip side, it's always been easy to get encryption out of the US too. The so-called export restrictions have always been a ridiculously porous barrier -- not only because of the easy but illegal transfer of encryption programs, but because the restricted algorithms themselves have been protected under the first amendment -- if exported in printed form.
I think you miss two important alternative explanations.
(1) Politics.
Politicians are by and large not stupid. They just do stupid things for smart reasons. Export restrictions are symbolic not practical.
Politics is about appearances. If there is an item on the news that grabs everyone's attention, you can expect a congressional hearing pretty soon. That's why we get things like "crime bills". On the theory it's better to be ineffectual than indifferent, do something and if you're lucky and people aren't watching too closely, they may not even notice you are being ineffectual.
On the flip side, it's bad to have the appearance of coddling criminals, welfare mothers or terrorists, so it makes perfect sense (from a political sense) not to be the one caught pulling the plug. Do you think the Republicans would praise Clinton for dropping export restrictions? As a Democrat, I'm very sure that my party wouldn't have kind words for a Republican president who did so.
(2) Inertia
The very ineffectualness of the restrictions is what keeps them going. Nobody in the defense or intelligence establishment who really understands these issues is going to care much, except for the people whose job it is to enforce the restrictions. Given the political exposure of "weakening" a defense, even if it is obsolete or as in this case merely symbolic, it's much easier to go along and not make waves.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
'But the European Union does not make their policies dependent on the opinion of the United States.'
First up, the opinion of the United States and the opinion of the United States Federal Government tend to differ, I would imagine. With regard to privacy issues, the government has a long history of going against public opinion.
While I like this from a crypto standpoint, I can't help but wonder why the sudden change in policy. It most likely was not due to any kind of public support of crypto, since by and large, the public does not care about this issue.
I'm guessing that corporations have been pushing for this and exerting power to make this happen. While I'm glad they did, it is another example of money buying policy (and for once, not in the US). What happens when these companies exert their influence for the purpose of making the DMCA an international law?
Granted, this is all conjecture on my part. This story doesn't go into enough detail for me to support these guesses. But given recent events, I still find this pretty scary.
Finkployd
EU Good, US Bad
Shall I Say anymore?
-- Note: These Comments are Generated by ME! Not You! ME!
I'm just pulling your leg a bit about your literary criticism.
The conspiracy theory about encryption doesn't make any sense, because it can't target the people who need to be targeted -- the ornery free-thinkers with IQs higher than room temperature. The political theory does make sense because it fits with the pattern of behavior you can see every day if you look at any successful politician of any particular ideological stripe.
Conspiracies do happen; after all Nixon did try to cover up Watergate and he did use the IRS to force George Wallace to give up his third party. The KISS applies to conspiracies as well as anything else. The Wallace thing was simple, old fashioned blackmail, and worked perfectly. The Watergate thing started simple, but got too complicated to be managed, as it drew in too many of the executive branch. Of course, once he started down that road, he was stuck. The story had more legs than he had expected, and he was stuck with a ballooning conspiracy that toppled his presidency.
Complicated conspiracies are simply prone to failure. To posit conspiracies that are complicated and doomed to failure from the outset is to assume stupidity on the part of the conspirators. I have news for you -- these guys are rich and powerful and get a lot more action than the average geek.
So, you wanted a sound bite? Here it is: The difference between a politician and a geek is that a politician is willing to act stupidly to achieve his ends, whereas a geek is not.
Of course you can never disprove the existence of a conspiracy, especially to someone willing to introduce new propositions to support the conspiracy theory because he likes conspiracy theories. However, Occam's razor favors the straightforward political explanation.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
I don't think the FBI, NSA, or any arm of the government can stop US citizens from using encryption precisely because the US government has labeled it a munition. Thus it is an arm and because of the 2nd amendment we have a constitutional right to use encryption. Also by this argument the government can not ask us to give them the keys either as that would be the same as taking our guns from us which is against the 2nd amendment.
Never underestimate the dark side of the Source
bzzt.
A munition is much heavier than the arms that the 2nd amendment allows. Munitions include shells for heavy artillery and bombs, both of which you most definitely are not allowed to own.
A quick glance at the constitution reveals no such restriction....
I'd say you need to re-read it. At the moment the government regulation of nuclear missiles and rocket launchers is a violation of our second amendment rights, BUT it's one that the citizens of the US have chosen to endure in the interest of not having weapons of mass destruction available quite that easily. But make no mistake, it IS a violation of the rights set down in the constitution.
Kintanon
Check out JoshJitsu.info for Brazilian Ji
Besides, all of the major encryption standards were developed in the US, so the EU's decision will not really affect distribution of the well-known algorithms
All of the 'standards' (OpenPGP, SSL/TLS, S/MIME) have been published in RFCs. And documents describing almost every algorithm known are available online, either in RFCs, or the conference proceedings where they were first presented. Only code is restricted from export - textual descriptions are fine. And of course reference code for algorithms invented in Europe, Canada and other non-restrictive areas is available too.
in the business sector. .) and general bitching and moaning on the part of industry lobbyists to Congress. Eventually, Congress will have to make amends or risk continuing flack and re-election problems from companies who feel that their interests are being hurt by the current crypto laws. The recent reforms in the crypto laws in the US were a nice, if ambiguous start, but this development may be the flashpoint for a nice, unambiguous movement of encryption technology out of the sphere of 'restricted munitions', and back into the hands of people who would like to prevent everyone in the world from reading everything they own.
This is exactly the sort of development that is needed in order to push the US into dropping restrictions on the use of strong crypto. The US govt. has limited concern for the demands of lone privacy advocates and crypto-lovers, but it has a hard time ignoring the concerns of big business, particularly now with the spotlight being on the ones and zeros industry. From the look of the article, a lot of the motivation behind the EU changing these restrictions was economic; companies that have to wait 6-8 months every time they want to sell products containing encryption to someone in another telephone exchange are less competitive than those that don't. So this change makes European cryptography exporters (which could include a very wide range of products nowadays, not just PGP style personal crypto managers, but also products with embedded protection) more competitive. US businesses don't like being less competitive than their overseas counterparts. It leads to the creation of "buy American" commercials (in this case, "Encrypt Americans". .
For the short term, I'm not very hopeful. In the longer term, it is inevitable now. Our current policy made no sense even before this. Now, it will be much more difficult for the politicians and bureaucrats to pretend it still makes sense. But, rest assured, they will stupidly resist for as long as they can.
Geeky modern art T-shirts
"Higher-level encryption products, notably PGP, are available free to everybody over the Internet provided that they *say* they are from the US. "
You don't have to `say` you're from anywhere...
www.pgpi.com
has version 6.5.1i (i = international)
a wholly legal, inside and out of the states, version of pgp.
a.
Some Background on Crypto in Early U.S. History
Encryption is the process of coding and decoding information to ensure its privacy. The encryption of computer data may well be the most powerful tool peaceful individuals have to protect themselves against Big Brother. Predictably, Big Brother is eager to control it. The rationale, as expressed in A Report to the President of the United States (Sept. 16, 1999): "American history has been punctuated by periods in which the National government had to respond to sweeping social, economic and technological developments." Speaking of cyberspace as a "new tool", the government claims that technology raises new issues to which it must respond in new ways.
Buncombe. The issues are the same as they have always been. In 1785, a resolution authorized the secretary of the Department of Foreign Affairs to open and inspect any mail that related to the safety and interests of the United States. The ensuing 'inspections' caused prominent men, like George Washington, to complain of mail tampering. According to various historians, it led James Madison, Thomas Jefferson and James Monroe to write to each other in code - that is, they encrypted their letters - in order to preserve the privacy of their political discussion.
The U.S. Founding Fathers used encryption to avoid government monitoring. Today, the U.S. government has relaxed much of its crypto export restrictions, but after reading the above article I can see we need to be a lot more vigilant about insuring free, unrestricted communications for everyone. The police-state policies of the NSA and FBI need to stop.
--
He lives in a world where those who do not run the client software of the omnipresent meme are unacceptable.
Do you also recommend that all cars be built like tanks, able to withstand a 60 mph crash?
The point is that while it's a worthy goal to encrypt everything for the heck of it, it is not cost effective. Just like it is not cost effective to install two-inch armor plating and internal gel padding on cars, even though it would cut automotive fatality rates by 90%.
As a security expert, you know that encryption is EXPENSIVE. The only way to bring down the cost of custom encryption devices is commoditization. Just like awesome 3-D graphics has fallen within the reach of the masses due to commoditization (anybody remember the $15K+ Elsa & E&H cards that rendered 50K triangles/sec? It wasn't that long back). You basically want a DES (or, more likely, AES) encryption chip on each motherboard.
For this to happen, we need the following:
1) A publicly accepted AES standard. All AES standards require hardware implementations, and I believe all the final proposed candidates have efficient hardware implementations.
2) A cheap chip (or, even better, build it into the mobo chipset).
3) A well-defined API to this device. I assume 2 and 3 will go hand-in-hand.
4) Intel or VIA (through Asus, Abit & others) to buy into this and start building it on their chipset. Alternatively, Once one manufacturer does it, all the others will, too. It's just too big a competitive advantage.
-- Before you moderate: Do you really believe somebody called 31337 d00d has anything useful to say?
I'd like to see Slashdot, for example, have the option of being served up on 128-bit SSL. I mean all the pages on the site. It would probably be best for the slashdot folks if this were done with hardware encryption support.
For one thing, encrypting all one's casual traffic helps to provide cover for people who really do have something to hide.
I recommend using a web hosting service which provides secure shell login access. One such web hosting service is Seagull Networks. Here is how I retrieve my POP mail through SSH port forwarding. The tip entry gives BeOS specific instructions but the basic idea should work on any platform for which SSH is available.
And yes I know my email is sent to seagull in the clear, but what this does is generate encrypted traffic (generally a good thing) and also prevents my ISP from snooping on me unless they hack into my hosting service.
If you work in a company and are concerned that your employer may be snooping on your personal email (you're not mailing out your resume are you? Know how an ethernet sniffer works?) then you should definitely use SSH for your mail.
Also on my laptop I use PGPDisk to encrypt my Quicken Checkbook and source code on NT, and the Linux Encrypting Kernel to encrypt source code on Linux. If someone steals my laptop, my clients won't have all their trade secrets stolen too.
Mike
-- Could you use my software consulting serv
The funny thing is that the other slashdot article doesn't appear on the mainpage of slashdot, even though it's new enough that it really should.
Perhaps this is a bug in slashdot? That would explain why the other article has only four posts in it....
The reason that the FBI wants to keep crypto out of the hands of the citizens is indirectly our own fault.  We clamor that we want security and safety and we bitch and moan when our law enforcement (part of our government) doesn't provide it for us.  The war on drugs, the crackdown on guns are simply responses to people's fear and insecurity.  Crypto does make law enforcement's job tougher and that is a fact that everybody should just accept. 
Personally, I'll take the freedom to use crypto in any way that I see fit and I'll argue that even those that wish to use crypto in a way that is counter to my beliefs should be allowed to do so.  The benefits far outweigh the problems that it brings.
"When you trade freedom for security you get neither" - Thomas Jefferson
From: WhiteHouse
To: Joe Public
The Whitehouse, on behalf of the United States Government would like to clear up a few rumors that have been causing an uproar with the citizens of this Great Country.
There have been some accusations and rumors going around that the White House and the United States Government are not fully happy with the state of the union. To clear this up, and to fully put out our official statement on this, on behalf of the United States Government we would like to state for the record "We are really fucking pissed".
I know this may come as a surprise to most of the citizens of this Great Country, but ever since the CIA and Roswell conspiracies, the Government and the White House of this Great Nation of ours, have not really been getting any, and this makes us really pissed off. We (the United States Government) watch our citizens going day in and day out getting laid by great looking women, and on behalf of the United States Government I would like to say "Where is my booty, why don't I get any hoes?" and also like to add "And the United States Government is pissed about this"
Thank you for taking the time to read this press release and hope this clears up any details the American public might not be aware about.
"`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
Many rulings in Europe do come about because of big company pressure, but this almost smacks of something else.
Prediction: It means that the European crypto stuff will become the world standard.
Thus all that US investment and current export regime which hurts the consumer in Europe as well as companies can be ignored as a free to export crypto will be more attractive to both US and European countries.
IMO this is an excellent move for Europeans, both in business and the consumers.
So maybe the EU did it _knowing_ it would piss the US off, and with the _express_ intention of reducing the US' control of crypto.
An Eye for an Eye will make the whole world blind - Gandhi
Before that they started opening mail - that's why people would put those elaborate wax seals on their mail .... and before there was an organised mail delivery system intercepting mail was hard ....
My point is that there's been an ongoing technological battle between those who want their privacy and those who want to breach their privacy .... it's been going on for centuries .... maybe the spooks will give up when we're all using quantum entanglement to communicate .... or maybe they'll just get a lot more spooky :-)
> For example in the UK it is actually illegal to do encryption in hardware
You mean like the nCipher device which performs RSA and DH operations in hardware? Produced in Cambridge (not the one in MA)? A little more care required before you post inaccurate stuff like that. It is not illegal to perform encryption in hardware, software or via two packs of playing cards in the UK. Much to the security services' annoyance.
The US (in particular the FBI and probably the CIA/NSA) wants to keep encryption out of the hands of USians. (The reason doesn't matter for the purposes of this post). The best way to do this is to keep there from being any "encryption infrastructure" and the best way to THAT goal is to keep from having any standards.
And if you disallow exports, you can't create a world-wide standard. But whoops, the EU allows exports now, so we can standardize on that.
So the US is pissed for two reasons:
1) The EU will be the encryption (and thus privacy, etc) standards-bearer for the 21st century. This causes loss of money and face for the US.
2) The US can't keep EU encryption out of the hands of USians unless it also bans encryption imports. And since that action isn't compatible with the nominal "munitions" argument, it would tip their hand too much.
--
Have Exchange users? Want to run Linux? Can't afford OpenMail?
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
Ok, so first, the EU enacts privacy laws that do a good job of protecting the privacy of citizens. Then, it sets crypto free, which also helps with the first goal, making sure that information that is transferred is secure.
Meanwhile, the US goes on with its laissez faire "privacy" laws (feel free to collect anything you want, and to cross-correlate to your heart's content). Furthermore, we have these lame crypto export restrictions, making secure interoperability on the Internet difficult.
Can anyone call the United States the "Land of the Free" without a touch of sarcasm?