Slashdot Mirror


Symantec Restricts Crypto Export

PhilK writes "Symantec is now refusing to sell LC5 (the Windows password cracking tool, previously from @stake) to anyone outside of the USA and Canada, claiming new Homeland Security laws. Symantec declined to field questions on the rationale for its policy and whether it applies to other products." From the article: "Symantec's restrictions recall the dark days of the crypto wars when users outside the US were not entitled to buy products featuring strong ciphers. These rules, relaxed by the Clinton administration and following a long running campaign by cryptography experts and net activists, are once again rearing their head. Symantec's response to our reader (below) suggests the policy was imposed on it by the US government."

8 of 186 comments

  1. Hasty Generalization by Anonymous Coward · · Score: 2, Informative

    "Back in the day, crypto was classified as munitions under ITAR."

    It still IS controlled (US Department of Commerce) and has been for a while; check your facts.

    "foreign companies are perfectly able to develop their own products"

    That is not the point. The point is that you don't want US companies AIDING foreign companies in creating cryptography systems to which the details are not known. Yes, I know, the strength of crypto lies in the mathematics not how it is done (read source); but having the algorithm details is also important.

  2. Imposed? by HardCase · · Score: 4, Informative

    Although the Reg article claims that Symantec appears to have had the restriction imposed by the government, both Symantec and the Register seem to have things a little bit wrong.

    For starters, section 5A002 of the ECCN covers hardware. Perhaps Symantec meant section 5D002, software. 5D002.c.1 covers their situation. But the list of restricted countries hasn't changed for quite a while - it's the usual gang: Syria, North Korea, Sudan, etc. It seems to me that Symantec is being a little lazy here. Yes, they have to have an export license to sell the software outside of the US, but the restrictions aren't any more onerous than they were in 1999, when the EAR was updated to move cryptographic software from munitions to commerce.

    Oh, and this "news" is almost a month old.

    -h-

    1. Re:Imposed? by mpapet · · Score: 2, Informative

      Mod parent up.

      Having personally gotten a crypto product approved for export, this fellow is right on.

      What's interesting to me is this is most likely a "business decision" more than anything else. A Suit at Symantec put a stop to this potentially evil tool for no other reason than it's too small potatoes for them to deal with the risk of it being used by bad non-Americans versus the sales numbers.

      What this also suggests is there's a bit of a figurative "circling of the wagons" at Symantec. It suggests very hard times coming to Symantec.

      In America, the Americans spy on you!

      --
      http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html

  3. Re:OLD!!! by Barny · · Score: 2, Informative

    There is a way for it to be put on /. without going through the front page?

    --
    ...
    /me sighs

  4. Re:Oh come on... by ncc74656 · · Score: 2, Informative

    "Oh, and by the way, I have a copy of O'Reilly's 'Knoppix Hacks' on my desk somewhere. I think there is a recipe in that book to remove or replace the administrator password of a Windows machine using Knoppix."

    It gets even easier than that. Just grab this, put it on a floppy or CD-R, boot it, and follow the prompts. IIRC, the current version works with everything up to at least WinXP SP2. It'll unlock any account and clear the password; after that, you can boot normally and set whatever password you want.

    --
    20 January 2017: the End of an Error.

  5. Re:Oh come on... by optimus2861 · · Score: 2, Informative

    "I think there is a recipe in that book to remove or replace the administrator password of a Windows machine using Knoppix."

    Shameless karma-whoring, coming right up:

    Emergency Boot CD. Has a Windows password-reset tool on it. Run it, shows you the list of accounts, pick one, reset its password to anything you want.

    So, anyone care to start a pool on how soon the US requests my extradition for posting that?

  6. Re:ITAR Revisited? by Decius6i5 · · Score: 5, Informative

    This isn't news. When encryption software was removed from the ITAR list it was added to the Commerce Control List instead. Encryption export in the US is regulated by BIS. "Dubya and Company" didn't do this. This has been the case since the Clinton years. And, no, the government isn't completely confused about the Internet, and they don't think these regulations are useless.

    Cryptanalytic items are more strictly controlled than encryption items because the regs are immature. Few people actually make and export them, and most cryptanalytic stuff is designed for snooping on people and not protecting computer security. The regs are designed with snooping equipment in mind. I don't think L0phtCrack is the droid BIS is looking for, and I figure Symantec could probably get a license to export it if they tried. Furthermore, I figure that if you had an open source cryptanalytic program you could probably distribute it online with the same sort of TSU notification you have to do when you ship open source cryptography software. However, IANAL, so don't take my word for that...

  7. TSA/Customs? Don't make me laugh... by Noryungi · · Score: 2, Informative

    Here is something really funny for you: I also travel with several CDs (music and/or data) in my luggage. I have never been stopped, not just once, by the US customs.

    I mean, seriously, what's to prevent me from slipping the Symantec CD-ROM in a little Case Logic CD folder, among dozens of other CDs? Do you really think the customs officers are going to check me? Do you think they are going to review each and every CD in my little folder, looking for the illegal-to-export LC5 CD? (short answer: NO).

    What about copying an image of the CD on the hard disk of my laptop? Sure, they check laptops, but only to make sure that this is really a computer and not a disguised bomb.

    Of course, if the NSA (hi, guys, and thanks for reading this!) decides I am an international terrorist, I am in trouble the next time I set foot in the USA. But I think right now, they are too busy spying on US citizens to bother with me... ;-)

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)