Cryptographic Software in Debian's Main Archive

Cine writes: "James Troup and Sam Hartman recently sent a note to all debian mirror maintainers, to inform them about the current situation and future plans. Sometime after March 8th, crypto software like OpenSSH, SSL support, and many other enhancements will be integrated into the debian main archive. This is in accordance to legal advice the Debian project received."

Crypto

[Ashcrow]

Crypto helps aid in privacy, and privacy should be available to everyone no matter who they are or where they live.

Hope it works out

[Mr_Person]

The Debian team has been working on this for a long time. Hopefully it will make installations and upgrades quicker as the servers can now be on the same continent :-).

One thing that was interesting is that under section 740.13(e) of the US EAR, the software can be exported as long as the people that are exporting it file for export notification. Apparently one thing that they were worried about was whether or not the individual mirrors had to each file or if Debian could just file for the main archives and all the mirrors. According to their legal advice that should be okay. Let's just hope that they don't have any legal problems with it in the future.

Re:Hi. Here is Crypto

[Mr_Person]

It's as though they just walked up and handed security to those who don't know how to use it.

It's not like having extra security without knowing exactly what it does is a bad thing. The Crypto section doesn't just contain things like PGP, but important server utilities like SSH, SSL and other things. It's my opinion that SSH should be installed by default (in place of telnet) on every server as it is much more secure. The people you're talking about probably didn't understand exactly how telnet worked and they probably won't understand exactly how SSH works, but they'll still get the benefits of the extra security as will anyone who depends on the servers that they run.

glad to see

[Partisan01]

I'm really glad to see this finally being included into the main archive. I'm also glad to see that they consulted legal sources before charging into any of this. Hopefully they will keep integrating cryptography into the distro more as time goes on. Keep up the good work guys.

And to think...

[ghack]

...most projects are un-aware of the fact that open source is exempt. I suppose projects such as openbsd, based in other countries, still have the advantage though - defining when software is sold for a fee is difficult. is a fee only for media, or for a compilation, etc, still under this open source clause?

Re:And to think...

[Ben+Hutchings]

The advice they received was that reasonable charges can be made for distribution and support (but not for licensing) without affecting the export status of the software.

no real effect

Unless I am missing something, this won't have any real effect on end users. When I request a package to install it, I request it by name and have no idea what subdirectory it is kept in, apt keeps track of this information for me.

Re:no real effect

[Xtifr]

Very nearly true. The main end-user effect will be on the bandwidth-challenged, who will find ssh and SSL-enabled versions of mozilla, galeon, mutt, evolution, and ghod knows what else on their CDs in the future. These people will end up saving a lot of download time (and possibly money if they pay by the minute for being online).

The flip-side of this is that CD vendors in the US might be slightly more reluctant to jump through the hoops necessary to distribute Debian on CD. However, the same hoops are going to be required for any other distros that include non-crippled SSL-enabled apps and the like, so I don't imagine this is going to be a major problem.

Re:no real effect

[Ray+Dassen]

Unless I am missing something, this won't have any real effect on end users.

It will have benefits for end users, though probably not highly visible ones.

Cryptographic software packaged for Debian is available (and has been for a long time already) through non-us.debian.org , but crypto-in-main will make further integration of crypto possible. A number of packages in main will get enhanced functionality once crypto is in main. E.g. CVS can start supporting Kerberos for authentication.

The functionality enhancements made possible by crypto-in-main are not limited to the direct benefits of crypto, as I can illustrate with the Gnumeric package. The Gnumeric spreadsheet can be built to be able to fetch data from databases using GDA, the GNU Data Access library. Currently the Debian package is not built with GDA support. The reason for this is that Debian's GDA packages are on non-US (because their source package requires the PostgreSQL development package; PostgreSQL is on non-US as it is built with SSL support). Once we have crypto-in-main, I can build Gnumeric packages that have GDA support (probably in a separate plugin package).

Re:no real effect

[Dwonis]

Not quite. Because there is crypto software in main, Debian developers now have the option of integrating crypto into the rest of the operating system.

Re:no real effect

[Sentry21]

The flip-side of this is that CD vendors in the US might be slightly more reluctant to jump through the hoops necessary to distribute Debian on CD.

Nonsense, it'll make things easier. They don't have to burn non-US CDs, which makes images easier to find, and as long as they don't ship to the export-restricted countries (which is easier to filter via mail than download), then they're fine.

--Dan

[OT?] Debconf 2002 announced

[illusion_2K]

Perhaps this is a bit offtopic, but Debconf 2002 was also announced today. Will holding it in Canada make a difference crypto-wise? Probably not, but it should be a rockin' good time for participants anyway.

It's also been conveniently scheduled to coincide nicely with the Ottawa Linux Symposium. Other than that, more info will be forthcoming within the next couple of weeks.

IP address based restrictions

[cabbey]

From the lawyer's response:

Simply posting cryptographic software on a server that may be accessible from an embargoed country does not constitute ``knowledge'' that the software has been exported there. Therefore, criminal liability would not apply to the act of posting. We recommend that you perform IP checking and deny downloads to known embargoed countries. This due diligence also would provide a defense to a claim of civil liability. If you find out that your software has been downloaded to a prohibited destination, then I recommend that you block future downloads to that specific site unless and until you obtain a license from BXA.

This is the second time I've seen this "recomendation" come out of a legal organization, in almost exactly the same wording no less. I've got to believe therefore that they are pulling it from some other source, such as an official regulation or other document.

Does anyone have such a list though? Can anyone provide a copy of it? Is it even technically possible to generate? In real time, or even close? I mean sure, it's technically trivial to implement this blocking, just a few iptables/ipchains commands, or some entries in the firewall's firmware... but I think getting that list to begin with is nearly impossible. How do you know where the other end of the phone line that is dialed into some modem bank on the other side of the net is?

In the last instance that I saw this (an external server at work) corporate legal was threatening to pull the plug if the admins didn't provide proof they were doing this. After much head scratching and searching the net my sugested response was that they would be happy to implement this just as soon as the legal department provided them with such a list.

I'm told they never heard back from legal on that topic.

Re:IP address based restrictions

[Mr_Person]

Does anyone have such a list though? Can anyone provide a copy of it? Is it even technically possible to generate? In real time, or even close?

Well, the Debian announcement says this:

BXA regulations require that you not knowingly export to embargoed countries, as a show of good faith you may wish to consider implementing a reverse IP lookup that identifies the computer requesting the download, and that blocks downloads of the cryptographic archive to countries embargoed by the United States: Cuba (.cu), Iran (.ir), Iraq (.iq), Libya (.ly), North Korea (.kp), Syria (.sy), Sudan (.sd) and Taliban Occupied Afghanistan.

I know it's not an IP list, but it would be fairly simple to impliment - just block those TLD's. I suppose it would slow your server down some, having to reverse resolve every IP that connects to it. As far as updating the list, that shouldn't be too hard - all you have to do is have your lawyer give you a call every time a country is added or removed from the list (how often does that happen?) and just add their ccTLD to the block list. Or, just did a quick Google search and you can get a list from the U.S. Department of State.

Re:IP address based restrictions

[cabbey]

The list of contries is easy to get sure, but as you said: the reverse lookups (1) will kill your server and (2) will open you up to more DOS attacks . Just imagine a dns server that doesn't properly close connections, forcing them to time out, now imagine two or three of them configured into a delegation round robin... a few incoming requests and your machine grinds itself into dust trying to resolve the reverse IP... get enough of those and you'll tie up enough socket resources to choke the machine. Also a reverse DNS entry isn't a requirement, many networks don't provide them. Working from domain names just doesn't seem technically feasible... pulling netblocks from iana maybe more doable, but still isn't even close to 100% accurate.

Re:IP address based restrictions

[Waffle+Iron]

I sleep better at night knowing that through the tireless diligence of webmasters all over the world, running millions of reverse IP lookups every day, there is probably not a single copy of ssh available in any of those countries. Kudos to all those who participate in this grand, impenetrable virtual fortress.

This achievement is a real testament to the vision and wisdom of our leaders.

Re:IP address based restrictions

[fferreres]

No reverse lookups needed. There are publicly available IP mappings databases. If the IP has been assigned to a banned country, then it IS in the list.

I suggest the debian maintainers should check at LEAST this site.

http://caida.org

If you want to testdrive the acuracy of the mappings, why not check if it works fine for your connection. Just inset your IP number and go!:

http://netgeo.caida.org/perl/netgeo.cgi?target=& me thod=getCountry&nonblocking=true";

Re:This advice is bogus.

[tftp]

1. The distributors don't necessarily need to export the product.
2. The distributors are not required to put the crypto components on the CD.
3. There is no GPL violation in not distributing the software in question :-)

Re:This advice is bogus.

[Xtifr]

This restricts people from selling debian.

Yes, but it's the US gummit doing the restricting. Nor is this issue specific to Debian: any distro which includes crypto-enabled software (mozilla, galeon, even mutt) is going to have the same issues. If you want to sell a modern, non-crippled Linux distro of any type from the US, you're either going to have to:

a) sell only to US citizens, or
b) do the paperwork.

Which makes life hard for CD distributors

Apparently, the US gummint doesn't care. If I were a US-based CD vendor, I'd definitely complain to my gummint, but I'm not.

and is in contradiction with the GPL.

No, the GPL has nothing to do with it. The GPL addresses copyright issues. Other legal issues, like patents and other gummint regulations, are outside the scope of the GPL.

Money is spent on being sneaky...

[Futurepower(tm)]

It amazes me that the U.S. government has done as much as it can to try to outlaw privacy. To me, it seems that things are out of control in some parts of the U.S. government. The U.S. spends more on surveillance of everyone everywhere than any country ever has in the history of the world. Money is spent on being sneaky, rather than on making good relationships.

It is futile to try to avoid the export of software, particularly when having it is legal in other countries. Yet taxpayer money is spent on this. The U.S. government, in my opinion, should not try to control the entire world.

More on the extremes of U.S. government policy: What should be the Response to Violence?

This is just a bad idea.

[njdj]

For the Debian end user, getting stuff like OpenSSH has been very easy, contrary to what some posters have said. There is little or no benefit for most end users in this change; and a huge increase in trouble and inconvenience for some end users, who happen to be citizens or residents of a country like Cuba that the Bush regime doesn't currently like.

US crypto regulations are not only a nuisance, they're also volatile. "Things are getting better", we hear. Bullshit. Things are changing unpredictably. Few people (and certainly no software developers) have any idea what US policy will be next year.

The only sensible policy is to keep the crypto archive in a country that has never had export regulations for crypto software (there are many).

better yet, it is and has been!

[twitter]

The good news is that crypto is available everywhere. The bad news is it does not work the way it should.

As US residents who did not know how to program crypto know, crypto is available in outher countries. A few years ago, the easiest way to get secure shell was to get OpenBSD from Canada, or buy something expensive. Programers with access to crypto knowledge could make what they wanted.

One of the main goals of public key encryption thechnology was to aid people in countries likely to be on US blacklists. Giving those people the ability to communicate privatly is much worse for oppressive governments than any improvement in that government's software library. Governments can usually afford programers and have what they want where they want it.

Most countries have proved that crypto is a doubtful tool of subversion. Oppresive countries have made cryptography illegal (yes, I'm refering to past US laws and current UK laws). Those that use it only set themselves up for investigation. Indeed, we can be sure that owning a computer at all in some places will earn you a beating.

I'm happy to see the US going in the right direction for a change. I have and love Debian. One of the best things about it is secure shell. It's great to be able to use and administer my home machines from work or anywhere else in the world without worrying about someone breaking in. "ssh user@mahine -X" run on my lan makes all of my machies transparently usable at once through a single monitor and keyboard. Having this wonderful tool even easier to get is a great step forward. Hopefully the US will consider this one of the weapons to freely distribute from the "Arsenal of Democracy". Go get it!

Yay!

[Mike+Hicks]

Yay! Now I should be able to get this stuff from the nearby and really fast mirror on campus. Ahh..

Now, I just wonder if the FreeS/WAN folks will ever get their code integrated with the standard Linux kernel..

Tremendous effect

[coyote-san]

This will have a huge effect in the long run, since crypto isn't just used for encryption. It's also used for authentication, and is critical in token-based authentication (e.g., smartcards). With tokens, you have strong authentication ("something you have" (token) and "something you know" (passphrase), lacking only "something you are" (e.g., fingerprint)).

This allows you to do some really nice things. You want temporary root access? Sure - put your card in the reader and type in your passphrase. Once you remove the card, root access goes away.

Or you need access to a database containing confidential information? Put in the your card and you gain access to database... but it will be dropped when you remove your card.