Symantec Restricts Crypto Export

PhilK writes "Symantec is now refusing to sell LC5 (the Windows password cracking tool, previously from @stake) to anyone outside of the USA and Canada, claiming new Homeland Security laws. Symantec declined to field questions on the rationale for its policy and whether it applies to other products." From the article: "Symantec's restrictions recall the dark days of the crypto wars when users outside the US were not entitled to buy products featuring strong ciphers. These rules, relaxed by the Clinton administration and following a long running campaign by cryptography experts and net activists, are once again rearing their head. Symantec's response to our reader (below) suggests the policy was imposed on it by the US government."

Re:ITAR Revisited?

[Decius6i5]

This isn't news. When encryption software was removed from the ITAR list it was added to the Commerce Control List instead. Encryption export in the US is regulated by BIS "Dubya and Company" didn't do this. This has been the case since the Clinton years. And, no, the government isn't completely confused about the Internet, and they don't think these regulations are useless.

Cryptoanalytic items are more strictly controlled then encryption items because the regs are immature. Few people actually make and export them, and most cryptanalytic stuff is designed for snooping on people and not protecting computer security. The regs are designed with snooping equipment in mind. I don't think Lopht Crack is the droid BIS is looking for, and I figure Symantec could probably get a license to export it if they tried. Furthermore, I figure that if you had an open source cryptanalytic program you could probably distribute it online with the same sort of TSU notification you have to do when you ship open source cryptography software. However, IANAL, so don't take my word for that...