Symantec Restricts Crypto Export
PhilK writes "Symantec is now refusing to sell LC5 (the Windows password cracking tool, previously from @stake) to anyone outside of the USA and Canada, claiming new Homeland Security laws. Symantec declined to field questions on the rationale for its policy and whether it applies to other products." From the article: "Symantec's restrictions recall the dark days of the crypto wars when users outside the US were not entitled to buy products featuring strong ciphers. These rules, relaxed by the Clinton administration and following a long running campaign by cryptography experts and net activists, are once again rearing their head. Symantec's response to our reader (below) suggests the policy was imposed on it by the US government."
It's unconstitutional, exactly what we have come to expect from the current regime.
"Back in the day, crypto was classified as munitions under ITAR."
It still IS controlled (US Department of Commerce) and has been for a while; check your facts.
"foreign companies are perfectly able to develop their own products"
That is not the point. The point is that you don't want US companies AIDING foreign companies in creating cryptography systems to which the details are not known. Yes, I know, the strength of crypto lies in the mathematics not how it is done (read source); but having the algorithm details is also important.
Although the Reg article claims that Symantec appears to have had the restriction imposed by the government, both Symantec and the Register seem to have things a little bit wrong.
For starters, section 5A002 of the ECCN covers hardware. Perhaps Symantec meant section 5D002, software. 5D002.c.1 covers their situation. But the list of restricted countries hasn't changed for quite a while - it's the usual gang: Syria, North Korea, Sudan, etc. It seems to me that Symantec is being a little lazy here. Yes, they have to have an export license to sell the software outside of the US, but the restrictions aren't any more onerous than they were in 1999, when the EAR was updated to move cryptographic software from munitions to commerce.
Oh, and this "news" is almost a month old.
-h-
There is a way for it to be put on /. without going through the front page?
...
It gets even easier than that. Just grab this, put it on a floppy or CD-R, boot it, and follow the prompts. IIRC, the current version works with everything up to at least WinXP SP2. It'll unlock any account and clear the password; after that, you can boot normally and set whatever password you want.
20 January 2017: the End of an Error.
Shameless karma-whoring, coming right up:
Emergency Boot CD. Has a Windows password-reset tool on it. Run it, shows you the list of accounts, pick one, reset its password to anything you want.
So, anyone care to start a pool on how soon the US requests my extradition for posting that?
Cryptanalytic items are more strictly controlled than encryption items because the regs are immature. Few people actually make and export them, and most cryptanalytic stuff is designed for snooping on people and not protecting computer security. The regs are designed with snooping equipment in mind. I don't think L0phtCrack is the droid BIS is looking for, and I figure Symantec could probably get a license to export it if they tried. Furthermore, I figure that if you had an open source cryptanalytic program you could probably distribute it online with the same sort of TSU notification you have to do when you ship open source cryptography software. However, IANAL, so don't take my word for that...
Here is something really funny for you: I also travel with several CDs (music and/or data) in my luggage. I have never been stopped, not just once, by the US customs.
;-)
I mean, seriously, what's to prevent me from slipping the Symantec CD-ROM in a little Case Logic CD folder, among dozens of other CDs? Do you really think the customs officers are going to check me? Do you think they are going to review each and every CD in my little folder, looking for the illegal-to-export LC5 CD? (short answer: NO).
What about copying an image of the CD on the hard disk of my laptop? Sure, they check laptops, but only to make sure that this is really a computer and not a disguised bomb.
Of course, if the NSA (hi, guys, and thanks for reading this!) decides I am an international terrorist, I am in trouble the next time I set foot in the USA. But I think right now, they are too busy spying on US citizens to bother with me...
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
Dear LC Customer,
The purpose of this letter is to notify you that Symantec Corporation is discontinuing its L0phtCrack (LC) product line and will no longer provide product code updates, enhancements or fixes to this product line.
Key dates in this process are listed below.
Last Date to Order LC5: February 28, 2006
Last Ship Date: March 3, 2006
Customer Help Until Date: December 16, 2006
Symantec will continue to use reasonable commercial efforts to provide available customer support by email to US and Canada based customers who purchased L0phtCrack (LC) products through the dates indicated above. As a courtesy to LC customers, we offer customer help via email regarding product usability inquiries through December 16, 2006.
An FAQ for Licensed Users of L0phtCrack (LC) Products is also attached to help answer commonly asked questions. If you have additional questions about our notification, please contact us by email at Americas-LCcustserv@symantec.com.
Thank you for your support.
Sincerely,
Sales Operations
Symantec Corporation
FAQ for Licensed Users of L0phtCrack (LC) Products
Question: What versions of the L0phtCrack (LC) product line are impacted by this Sunset Plan?
Answer: All versions of LC product line are impacted as described in this notification to customers. Symantec will discontinue its sale of the current and previously available versions of the product as well as its provision of product upgrades, updates and fixes for all versions of the product effective per the dates mentioned above.
Question: Why is the LC product line being discontinued?
Answer: The LC product line no longer fits into Symantec's future product strategy. As a result, Symantec will not be applying any future development resources to this product line and will discontinue all sales.
Question: What form of customer support is available to licensed users/customers of LC products?
Answer: LC Customers did not pay for technical product support as part of their LC license agreements, and Symantec does not offer technical support for this product line. Customers based in the US and Canada can inquire about general product use/usability by email to Americas-LCcustserv@symantec.com through December 16, 2006. Customers who re-install their licensed copy of LC and need an Unlock Code can submit an email request to Americas-LCcustserv@symantec.com with the following information through December 16, 2006:
LC version number (2.5, LC3, LC4 or LC5):
If LC5, please indicate if you've purchased the Professional or Administrator edition:
LC Serial Number:
Company Name:
Complete Company Address (street, city, state/prov, zip/postal code):
Company URL:
Nature of Business:
Commercial or Public Sector (if Public Sector, please specify government, military or police):
Contact Name:
Contact Phone Number:
Question: Can LC licensed users continue to use LC products after this Sunset Plan notification has been sent to Customers?
Answer: Professional and Administrator users have perpetual license to use the LC product they purchased. Consultant users have one year license from date of product receipt to use the LC product they purchased.
Question: Where can the customer get more information about LC5 and the FAQ Documentation about the product?
Answer: LC5 product information is available with the software installation of the product under the Help menu. Licensed LC customers may also submit product inquiries to Americas-LCcustserv@symantec.com with the following information through December 16, 2006:
LC version number (2.5, LC3, LC4 or LC5):
If LC5, please indicate if you've purchased the Professional or Administrator edition:
LC Serial Number:
Company Name:
Complete Company Address (street, city, state/p
The UK Official Secrets Act covers any material that the government claims is "harmful to national security". There is no public interest defense (there was one, but it was removed in 1989). What's more, it's still a crime even if the information is already in the public domain, and journalists who report such information can also be prosecuted.
In the USA, whistleblowers are protected by law. In the UK, they're thrown in the slammer.