US Encryption Ban Would Only Send the Market Overseas (dailydot.com)
Patrick O'Neill writes: As U.S. legislatures posture toward legally mandating backdoored encryption, a new Harvard study suggests that a ban would push the market overseas because most encryption products come from over non-U.S. tech companies. "Cryptography is very much a worldwide academic discipline, as evidenced by the quantity and quality of research papers and academic conferences from countries other than the U.S.," the researchers wrote.
We have pushed many of our industries overseas again and again with heavy government regulations. While OSHA, workers comp, EPA, etc. minimum wage, etc. laws and regulations may have some sense, we have to realize that these same laws also reduce employment and push industries overseas and make many of our overseas competitors more competitive. If we could create a 100% safe society through passing safety and employment laws we may have to satisfy ourselves with 100% unemployment as well.
You would have thought that our government would have learned when they attempted to ban PGP, decades ago.
For those of you who don't remember, the software got classified as a munition, people who sold it could be arrested as arms traffickers. Downloads instantly moved from US servers to those in Finland (and elsewhere) and the end result was a big spectacular nothing.
Calmer heads prevailed, in the long run.
The technology is out there, the knowledge of how to do encryption is impossible to stuff back into the bottle.
Don't take life too seriously; it isn't permanent.
Cryptography is, ultimately, mathematics.
People who want to poke holes in crypto fundamentally don't understand that the math is out there for all to see.
So, flash back .. what, 20 years? When the US treated crypto as munitions and you couldn't export it. Now the US wants to break it, control it, and regulate it. And if people shift to other technologies, the US will be left with nothing but wishful thinking, and crypto they can't do anything with.
Indeed, wait for the marketing glossy to say "now, 100% American spying free!!!"
Oddly enough, if you make yourselves untrustworthy, nobody will trust you.
The people who want to spy on everybody don't understand this fact. You can't keep the benefits of crypto if you've ruined it. And trusting that the spies will be the only ones who have broken into your stuff is utterly moronic.
The heads of these spy agencies are too ill-informed about the technology to understand the stupidity of what they say. All they see is a need for nobody to have any secrets from them -- and to them, a big fuck you.
Lost at C:>. Found at C.
These guys are morons.
We pushed crypto development to South Africa for FreeBSD back in the early 1990's to get around ITAR restrictions: "you can import, but you can't export".
We will happily route around this brain damage, too.
P.S.: The way to get better cryptographers in other countries is to make cryptographers criminals in the U.S.; obviously, it will not do fuck all to actually stop cryptography from happening, it'll just be that our people end up being shit at it compared to their people.
See I remember this shit. My very first exposure to any kind of encryption at all involved finding out about PGP and wanting to try to port it to my system.
Multiple versions of the same library? Why? They didn't DO anything different at all, just one was produced in the US and one outside so nobody had to go to prison for sharing well understood fucking math with people who already knew it.
Politicians are fucking neanderthal pinheads. Let them make their laws, they will do nothing but make laughing stocks of themselves....AGAIN.
"I opened my eyes, and everything went dark again"
What I believe is more effective at convincing them is to point out that even if banning strong encryption genuinely made law enforcement's job easier in absolutely every way they expect it to, if law enforcement can read your confidential data, however benign they might claim to be, then potentially, so could someone else.... someone with less benevolent intentions, and law enforcement would actually be *further* burdened with the task of keeping those who are innocent protected from predatory criminals who would seek to exploit the now weaker security systems that everyone is supposed to use, as mandated by law. The net effect is that the law enforcement has *more* work to do... not less, and the general public's safety is weakened, not improved. The only ones that can possibly come out ahead in the game are those who break the law.
File under 'M' for 'Manic ranting'
I remember the days of the Clipper Chip, and of the prohibition on exporting strong crypto. I remember getting a package from Checkpoint in Ramat Gan, Israel (over international DHL, I believe it was) that was slathered with warning stickers that said it could not leave the USA...when it originated from Israel.
I remember in 2000, doing an IV&V of a VPN solution that did something really funky with their key generation, such that they were allowed to export strong (based on bit size) encryption without having to do key escrow. They put some of the key generation material in the handshake exchange...which means it went in the clear. I shit you not. Oh, and also, their algorithm had no forward secrecy...which was the whole point. Anyone who had sniffed the session could go to the operator of the VPN with a warrant, and have them re-generate the key that was negotiated between the two endpoints...making it possible to decrypt the session. Of course, this came along with a whole metric shitload of security problems, like the fact that compromising the VPN concentrator and pulling a little data off of it would give you the ability to decrypt any session that included that concentrator (we never got to the point of seeing if we could get the same effect by attacking the client). Basically, the whole thing was just a big pile of bitch cock, just waiting for disaster. (We also found a one-packet DoS, a buffer overflow, and other things...all unauthenticated attacks.)
And the best part? The client for whom it turned out I was doing this IV&V. It was the United States Secret Service...specifically the protective detail for the incoming Bush administration. This pig-fucker of a VPN solution was going to be used to protect the President of the United States. That was fun to find out...at the outset of the engagement, we thought our client was the Treasury Department in general (which was kind of true, in a way). When we had "The Meeting" to tell them what a disaster the solution was, they told us who we were really working for in specific. I really needed a drink after that meeting.
Needless to say, the Secret Service ended up going with a different solution.
And now here we are again...with different people but the same organizations bringing up the same dogshit reasons to try and justify demanding the same dumb-shit idea be implemented...backdoored encryption. I find it so incredibly interesting that, when it came down to it, the US Government wouldn't rely on a solution like that to protect themselves, but they would insist that the rest of us accept it for our own use. It makes me want to spew a litany of every obscene word and phrase I can remember, in alphabetical order.
For your security, this post has been encrypted with ROT-13, twice.
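Added example, not part of the comment above and not the reviewed product's actual design (which the post does not detail): a minimal model of why a key derived from a stored long-term secret plus cleartext handshake material can be regenerated later, set beside an ephemeral exchange that has forward secrecy. The derivation functions, the names and the small Diffie-Hellman group are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for illustration only (assumption); real systems
# use a vetted group or curve of adequate size.
P = 2**127 - 1
G = 3


def escrowed_key(device_secret: bytes, client_nonce: bytes, server_nonce: bytes) -> bytes:
    """Hypothetical escrow-style derivation: long-term secret + cleartext nonces."""
    return hmac.new(device_secret, client_nonce + server_nonce, hashlib.sha256).digest()


def ephemeral_key(own_private: int, peer_public: int) -> bytes:
    """Session key from an ephemeral DH exchange; private values are not stored."""
    shared = pow(peer_public, own_private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def compare_designs() -> dict:
    device_secret = secrets.token_bytes(32)  # kept on the concentrator
    # Constructed handshake: both nonces cross the wire unencrypted.
    recorded = (secrets.token_bytes(16), secrets.token_bytes(16))
    live = escrowed_key(device_secret, *recorded)
    # Later: the stored secret plus the recorded handshake give the same key.
    regenerated = escrowed_key(device_secret, *recorded)

    a = secrets.randbelow(P - 2) + 1
    b = secrets.randbelow(P - 2) + 1
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)  # only these are on the wire
    k_client, k_server = ephemeral_key(a, pub_b), ephemeral_key(b, pub_a)
    del a, b  # ephemeral private values are discarded after the session
    # What remains afterwards (stored secret + recording) does not determine
    # the ephemeral key, because the key never depended on the stored secret.
    from_recording = escrowed_key(
        device_secret, pub_a.to_bytes(16, "big"), pub_b.to_bytes(16, "big")
    )
    return {
        "escrow_regenerates_key": regenerated == live,
        "endpoints_agree": k_client == k_server,
        "recording_yields_ephemeral_key": from_recording == k_client,
    }


if __name__ == "__main__":
    print(compare_designs())
```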
I think the headline was missing something:
"US Encryption Ban Would Only Send the Market Overseas".... Again.
They tried this ITAR ban on exporting encryption back in the 1990s and people just moved open source software projects to overseas servers and were careful not to openly contribute encryption code to those projects.
It is complete idiocy and fatally undermines US national security to ban encryption or put restrictions on its use. The US has the most to lose security-wise by making it harder to secure communications in the US. Everything we do and say is trackable online.
For every potentially missed terror cell you might find by trolling through unencrypted communications, there are millions of government employees walking around vulnerable to having their personal (and official) communications hacked by all sorts of state sponsored and non-state sponsored groups all because the government has put pressure on providers not to make communications "too secure".
I don't want terrorists to kill people, but I also don't want to have our national security so vulnerable as collateral damage.
Isn't a ban on encryption a ban on free speech?
It seems to me that encrypted communication is akin to two people having a conversation in Klingon. If a third party, a police officer, were to interrupt the conversation shouting, "Hey! Speak English! You must be understood!", then that would clearly be a violation of first amendment rights. I cannot imagine a judge would allow the police officer to use a defense of, "Well, they could have been planning terrorism." If the conversation is electronic, and the government does not know what is being said, then it still seems absurd to me for that to be illegal.
Banning encrypted communication is akin to banning all foreign languages, made-up languages, and baby talk. Speak English, little baby, you must be understood or the cops will get you! Absurd.
NAFTA etc. are working exactly as designed, inspiring a race to the bottom in terms of quality of living and wages.
This is nonsense. NAFTA has had the opposite effect. America and Canada have kept their environment and safety protections, while Mexico has improved dramatically. Moreover, Mexican labor conditions have improved the most in the Maquiladoras along the US border. They didn't pull us down. We pulled them up.
If you want to make software that uses cryptography available worldwide, you're already incentivized to develop it in a foreign country and import it to the US. There's no restriction on using foreign cryptography in the US, but there are legal hurdles you have to jump if you want to export cryptography from the US.
OpenSSL themselves mention exporting as an alternative to costly legal counsel:
"The only other safe course of action would be to pay non-U.S. citizens to develop the cryptographic software overseas and import it into the U.S., as imports are not restricted. Foreigners who benefit financially from this situation refer to the U.S. “export jobs, not crypto” policy." https://www.openssl.org/docs/f... (page 145)