US Encryption Ban Would Only Send the Market Overseas (dailydot.com)
Patrick O'Neill writes: As U.S. legislatures posture toward legally mandating backdoored encryption, a new Harvard study suggests that a ban would push the market overseas because most encryption products come from over non-U.S. tech companies. "Cryptography is very much a worldwide academic discipline, as evidenced by the quantity and quality of research papers and academic conferences from countries other than the U.S.," the researchers wrote.
We have pushed many of our industries overseas again and again with heavy government regulations. While OSHA, workers comp, EPA, etc. minimum wage, etc. laws and regulations may have some sense, we have to realize that these same laws also reduce employment and push industries overseas and make many of our overseas competitors more competitive. If we could create a 100% safe society through passing safety and employment laws we may have to satisfy ourselves with 100% unemployment as well.
You would have thought that our government would have learned when they attempted to ban PGP, decades ago.
For those of you who don't remember, the software got classified as a munition; people who sold it could be arrested as arms traffickers. Downloads instantly moved from US servers to those in Finland (and elsewhere) and the end result was a big spectacular nothing.
Calmer heads prevailed, in the long run.
The technology is out there, the knowledge of how to do encryption is impossible to stuff back into the bottle.
Don't take life too seriously; it isn't permanent.
Cryptography is, ultimately, mathematics.
People who want to poke holes in crypto fundamentally don't understand that the math is out there for all to see.
So, flash back .. what, 20 years? When the US treated crypto as munitions and you couldn't export it. Now the US wants to break it, control it, and regulate it. And if people shift to other technologies, the US will be left with nothing but wishful thinking, and crypto they can't do anything with.
Indeed, wait for the marketing glossy to say "now, 100% American spying free!!!"
Oddly enough, if you make yourselves untrustworthy, nobody will trust you.
The people who want to spy on everybody don't understand this fact. You can't keep the benefits of crypto if you've ruined it. And trusting that the spies will be the only ones who have broken into your stuff is utterly moronic.
The heads of these spy agencies are too ill-informed about the technology to understand the stupidity of what they say. All they see is a need for nobody to have any secrets from them -- and to them, a big fuck you.
Lost at C:>. Found at C.
These guys are morons.
We pushed crypto development to South Africa for FreeBSD back in the early 1990s to get around ITAR restrictions: "you can import, but you can't export".
We will happily route around this brain damage, too.
P.S.: The way to get better cryptographers in other countries is to make cryptographers criminals in the U.S.; obviously, it will not do fuck all to actually stop cryptography from happening, it'll just be that our people end up being shit at it compared to their people.
I remember the days of the Clipper Chip, and of the prohibition on exporting strong crypto. I remember getting a package from Checkpoint in Ramat Gan, Israel (over international DHL, I believe it was) that was slathered with warning stickers that said it could not leave the USA...when it originated from Israel.
I remember in 2000, doing an IV&V of a VPN solution that did something really funky with their key generation, such that they were allowed to export strong (based on bit size) encryption without having to do key escrow. They put some of the key generation material in the handshake exchange...which means it went in the clear. I shit you not. Oh, and also, their algorithm had no forward secrecy...which was the whole point. Anyone who had sniffed the session could go to the operator of the VPN with a warrant, and have them re-generate the key that was negotiated between the two endpoints...making it possible to decrypt the session. Of course, this came along with a whole metric shitload of security problems, like the fact that compromising the VPN concentrator and pulling a little data off of it would give you the ability to decrypt any session that included that concentrator (we never got to the point of seeing if we could get the same effect by attacking the client). Basically, the whole thing was just a big pile of bitch cock, just waiting for disaster. (We also found a one-packet DoS, a buffer overflow, and other things...all unauthenticated attacks.)
And the best part? The client for whom it turned out I was doing this IV&V. It was the United States Secret Service...specifically the protective detail for the incoming Bush administration. This pig-fucker of a VPN solution was going to be used to protect the President of the United States. That was fun to find out...at the outset of the engagement, we thought our client was the Treasury Department in general (which was kind of true, in a way). When we had "The Meeting" to tell them what a disaster the solution was, they told us who we were really working for in specific. I really needed a drink after that meeting.
Needless to say, the Secret Service ended up going with a different solution.
And now here we are again...with different people but the same organizations bringing up the same dogshit reasons to try and justify demanding the same dumb-shit idea be implemented...backdoored encryption. I find it so incredibly interesting that, when it came down to it, the US Government wouldn't rely on a solution like that to protect themselves, but they would insist that the rest of us accept it for our own use. It makes me want to spew a litany of every obscene word and phrase I can remember, in alphabetical order.
For your security, this post has been encrypted with ROT-13, twice.
Except the police aren't there to protect you....they are there to protect "the state"
Isn't a ban on encryption a ban on free speech?
It seems to me that encrypted communication is akin to two people having a conversation in Klingon. If a third party, a police officer, were to interrupt the conversation shouting, "Hey! Speak English! You must be understood!", then that would clearly be a violation of first amendment rights. I cannot imagine a judge would allow the police officer to use a defense of, "Well, they could have been planning terrorism." If the conversation is electronic, and the government does not know what is being said, then it still seems absurd to me for that to be illegal.
Banning encrypted communication is akin to banning all foreign languages, made-up languages, and baby talk. Speak English, little baby, you must be understood or the cops will get you! Absurd.
If you want to make software that uses cryptography available worldwide, you're already incentivized to develop it in a foreign country and import it to the US. There's no restriction on using foreign cryptography in the US, but there are legal hurdles you have to jump if you want to export cryptography from the US.
OpenSSL themselves mention exporting as an alternative to costly legal counsel:
"The only other safe course of action would be to pay non-U.S. citizens to develop the cryptographic software overseas and import it into the U.S., as imports are not restricted. Foreigners who benefit financially from this situation refer to the U.S. “export jobs, not crypto” policy." https://www.openssl.org/docs/f... (page 145)