Slashdot Mirror


Ask Slashdot: Using SSH on non-US Sites for Crypto Development?

cesarb dropped this interesting question in my inbox, that I would like to share with you all: "I would like to know if a developer in the U.S. could use telnet or SSH to a box outside the U.S. and help developing a code that uses crypto. If he types a whole file of source code for a crypto algorithm, this of course is export; however, if he just fixes some bugs (like fixing a typo or changing the name of a function), I think this would not be considered export, since the only things you exported were the cursor movement and character deletion keystrokes and the actual text you typed (like the new name for the function), and what appears on your screen was just imported but never exported back. This would allow things like the kernel, Mozilla or anything else to be developed with crypto outside the U.S. but by people inside the U.S., and so would stop the last piece of usefulness in those silly U.S. crypto export restrictions." Would something like this work? Are there any other solutions for U.S. citizens developing strong cryptography to share their work with others abroad?

302 comments

  1. Re:(offtopic)food in Europe by Anonymous Coward · · Score: 0

    They have hamburgers in europe? I had to look for hours to find a restaurant in Britain that served burgers... (And the one they served (with "real" meat) tasted much worse than any vegetable fake I've ever forced myself to eat...). ;-)

    (sarcasm) PSSST - It's the genetics that make it taste good.

  2. suggestion: shut up by Anonymous Coward · · Score: 0

    and hypocrites like you make me want to yell "You don't have to read damn article"

  3. moot by Anonymous Coward · · Score: 0

    If you were to use an encrypted means for editing code overseas, and the encryption employed is indeed strong, then the whole point is moot. Who's to know you were modifying crypto code? This could create a chicken-and-egg problem, except that there is already strong enough crypto overseas, because not everything technological has to originate in the US...

  4. Slaves not allowed to make changes by Anonymous Coward · · Score: 0

    ...is what a truly free project in that field replies to every single line of code posted to them from americans, I think the project was SWAN (anybody to confirm or correct this?). They also seem to have come to the conclusion that the wonderful american government seems to consider their citizens brains as state property even when they are abroad - but who am I to make nasty remarks, over here in europe the situation will probably get as worse as in the U.S. of A. in some years, just as it did in other fields where we were all too quick to follow our transatlantic brethren, and I'm not only talking about McDonalds here...

    1. Re:Slaves not allowed to make changes by jcr · · Score: 1

      The project is called free S/WAN (for Secure Wide Area Networking). Hugh Daniel is running the project, and he is scrupulously careful not to edit any of the code himself, or to accept any code written in the USA or by US citizens. When the Bernstein case has been successfully concluded, then we'll be able to tell the JBT's to FUCK OFF and let us write whatever the hell we want to write. -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
    2. Re:Slaves not allowed to make changes by GlowStars · · Score: 1

      Yep, that was SWAN.

  5. Re:another way to do it by Anonymous Coward · · Score: 0

    yes, but now I'm larger than you and have six nipples ;)

  6. intellectual property / technology transfer by Anonymous Coward · · Score: 0

    The method of transfer is immaterial. Be it a file, a fax, a telephone call, a letter. It doesn't matter. If you are a US citizen in possession of intellectual property dealing with encryption, you are under the jurisdiction of the US justice system. You may also be under US jurisdiction if you are not a US citizen. Consult your local embassy for details.

    Any transfer of intellectual property and technology by US citizens to a foreign party is subject to the laws of the US. No break.


    1. Re:intellectual property / technology transfer by Anonymous Coward · · Score: 0

      Printed, human readable material (such as source code, even if it's in a font well suited for OCR, and with checksums ;), is considered speech, and protected by the first amendment.

    2. Re:intellectual property / technology transfer by MassacrE · · Score: 1

      What about the book publication of PGP? They printed out VOLUMES of PGP code, sent it overseas, and started scanning it in like mad. Hence, international PGP.

  7. silly laws by Anonymous Coward · · Score: 0

    just describing these scenarios makes you realize how silly these laws are...

  8. Why not diff? by Anonymous Coward · · Score: 0

    I don't see why this is any easier or more legal than just sending a diff. You're only sending corrections, not the actual code. If one is legal, the other is, and diff is easier. Any reason telnet would be better? And now you can use your own editor of choice without wasting all the bandwidth (minor for vi or text-emacs; serious for X)

    1. Re:Why not diff? by Anonymous Coward · · Score: 0

      Would be pretty hard to draw the line. What if the original file had a single comment line in it. Just '/* This is the crypto module */'. The diff would be the entire meat. In between this and a single changed character, where do you draw the line?!? I bet the US law isn't about code, it's about knowledge. If you export the single char that will make it work, you export the knowledge. By the way, I'm not a US citizen and think this law is st*pid. My vote would be for the rest of the world to develop a better crypto, and make sure it's so good it becomes the de facto standard. A nice pun would be to license it to the world, but explicitly forbid import into the USA...

  9. Nice try, no luck by Anonymous Coward · · Score: 0

    Sorry, but it's also illegal for a U.S. citizen to work on crypto outside the U.S. Nice try, though.

    1. Re:Nice try, no luck by Anonymous Coward · · Score: 0
      Not to sound too skeptical, but this is the first I've heard of U.S. Citizens not being allowed to work on encryption overseas. Any references for this?

      Methinks this would be a BIG sovereignty issue; as a general rule, you are bound by the laws of the country you are in.

    2. Re:Nice try, no luck by Anonymous Coward · · Score: 0

      Just a thought. How about a U.S. citizen working in a foreign country that does not extradite American criminals back to the U.S.? Of course, this would mean that the American could not return to America (or a country that does extradite U.S. criminals) until the statute of limitations expired, but by then hopefully the law would have changed.

    3. Re:Nice try, no luck by Anonymous Coward · · Score: 0

      An American citizen can't work on crypto even if outside the US?!?! That seems absurd. If you're outside the jurisdiction of the US, how can the US enforce its laws on an individual. I'm aware I must report all income even if outside the US, but what I do with my time, on the soil of a foreign, sovereign power should clearly fall under the jurisdiction of said foreign, sovereign power and *not* the US. I would not have "exported" anything but myself. If such silliness were actually true, then something is rotten in which begs the question, "What is the real agenda of the US and why are they so scared of cryptography?" One unsolicited theory would be that if you have truly industrial strength crypto in the hands of individuals world-wide there is no papertrail. Without a trail to follow, you could send money and information anywhere you wanted without fear of intrusion or meddling and no one would be the wiser. So you just got $10000 for some work you did but it was sent secure to an account somewhere on the web, digicash or something similar. No one knows so why report it to the IRS. Why even keep a bank account anymore for that matter, strong crypto could make them obsolete. Suddenly, the IRS is reporting huge losses in revenue after each tax season. The banks are losing customers, or worse, all customers demand their cash at the same time so that it can be moved to a secure, anonymous cash-system and the banks will go belly-up on the spot (those who know know that any bank on the planet would go under if the majority of its customers closed their accounts on the same day). With crypto and without a papertrail, governments and financial institutions would crumble(period.) Munch on that one...

    4. Re:Nice try, no luck by Eric+Green · · Score: 2

      Check DejaNews, the appropriate portion of the regulation is posted to sci.crypt and crossposted later (by me) to talk.politics.crypt. U.S. citizens are prohibited from exporting cryptography, and are prohibited from providing technical assistance, and if overseas are prohibited from working on products that would require an export permit within the U.S.

      Regarding sovereignty the United States Government holds that if you are a U.S. citizen, you must obey U.S. law no matter where in the world you are. The USG has been known to kidnap U.S. citizens in foreign countries in order to bring them to trial here in the U.S. if they peeved the USG enough. Heck, they don't even have to be U.S. citizens -- anybody remember Manuel Noriega, who was (quite illegally) kidnapped and brought to trial in Miami for crimes that did not violate Panama law and that were committed within the borders of Panama?

      -E

      --
      Send mail here if you want to reach me.
    5. Re:Nice try, no luck by acb · · Score: 1

      I seem to recall that one of those cypherpunks who runs some kind of crypto company in Anguilla or somewhere renounced his US citizenship a few years ago to be able to legally work on exportable crypto.

      Even if you don't have a high enough Noriega factor to justify kidnapping, if you're a US citizen and export crypto from the US or work on crypto overseas, you'd best be wary about catching any flights that stop over in US territory.

    6. Re:Nice try, no luck by loudici · · Score: 1

      well i did not know that..but i guess the SSH/telnet/whatever does not work either..

      i am not a lawyer, but using telnet to write crypto programs on an european computer seems to qualify as 'working on crypto outside the US'

      laurent

      --
      Dev elpizw tipota, dev phoboumai tipota eimai lephteros http://euclidian.org
    7. Re:Nice try, no luck by UnknownSoldier · · Score: 1

      I think you meant:

      It is illegal for a U.S. citizen to work outside the U.S. (land), because the U.S. citizen is still under the jurisdiction of the United States (the legal entity)

      The question is, WHERE is the jurisdiction of the U.S. defined?

      From the Constitution, Article 1, Section 8:
      ... To exercise exclusive Legislation in all Cases whatsoever, over such District (not exceeding ten Miles square) as may, by Cession of particular States, become the Seat of the Government of the United States, and to exercise like Authority over all Places purchased by the Consent of the Legislature of the State in which the Same shall be, for the Erection of Forts, ...

      The above shows that the jurisdiction of the United States (legal entity) is ONLY 10 miles from inside Washington, DC.

      Please look up ex-patriate in Black's Law Dictionary, and look at the 14th amendment in the Bill of Rights for a solution.

  10. Re:crypto import is legal, right? by Anonymous Coward · · Score: 0

    And more importantly, who cares if Linus looks at it... he's not going to be exporting back out of the country, so it doesn't really matter...

  11. Re:Thoughts. by Anonymous Coward · · Score: 0
    But he is using his knowledge of cryptography and/or programming combined with what he personally knows to aid the development of cryptography in another nation.
    You are mistaken here... Developing cryptography is nowhere near illegal. It is perfectly fine for a US citizen to send a piece of paper via Air Mail or whatever to someone else in another country describing a piece of cryptography. The point is that you cannot export the software (currently). So you completely missed the point: Do letters and cursor movements amount to software? They in and of themselves are not, but when applied to a file residing in France, they modify and help develop cryptography software.
  12. Has anyone ever tried . . . by Anonymous Coward · · Score: 0

    shipping a nuclear bomb overseas, one tiny little piece at a time? I don't think the feds would let that one slip through the cracks. :-)

    Mossmann (who is too lazy to login and thinks all IP export laws are incredibly stupid)

  13. Re: Reexport is also illegal by Anonymous Coward · · Score: 0

    but, in this case, as I understood, you aren't DLing and editing the file, you are editing the file remotely (eg. vi while telnetted in) which means you export the keystrokes NOT the code... Still, it sounds like risky ground, I'd just move if it was that important for me to code this...

  14. Common misunderstanding by Anonymous Coward · · Score: 0
    One misunderstanding I am reading here in these comments is whether US law applies to a US citizen on foreign soil or if it only applies to a US citizen in the US. Fortunately, for many reasons, US law applies to any US citizen anywhere in the world so long as that person retains his or her citizenship. This means that if I go to Canada and code strong crypto, I will still not be allowed to export this in an electronic form. I attended an excellent talk at Waterloo University where we were lectured at about the ridiculousness of US export restrictions. The point about the restrictions placed on US citizens regardless of their locations was one of the more emphasized notes.

    On the issue of whether contributing keystrokes is considered export, I would imagine so. Although you can claim that typing the first '#' in
    #!/usr/local/bin/perl -s-- -export-a-crypto-system-sig -RSA-in-3-lines-PERL
    ($k,$n)=@ARGV;$m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2%
    Sa2/d0<X+d*La1=z\U$n%0]SX$k"[$m*]\EszlXx++p|dc`,s/ ^.|\W//g,print pack('H*'
    ,$_)while read(STDIN,$m,($w=2*$d-1+length($n||die"$0 [-d] k n\n")&~1)/2)
    should not be considered export, a reasonable person would conclude that the 300 people who got together to type this in a letter at a time conspired to create strong cryptography software, which would be illegal to export.
    1. Re:Common misunderstanding by cananian · · Score: 1



      I assume you're planning on claiming the above perl is speech, not code?

      --
      [ /. is too noisy already -- who needs a .sig? ]
  15. RSA has if i remember correctly by Anonymous Coward · · Score: 0

    if memory serves, a few years back RSA funded a company in Japan to reverse engineer its technologies. No Americans involved, just Japanese researchers. No patents violated, as RSA owns them. Now they are making hardware with RSA technologies in it and selling it to governments and corporations all over the world. Personally, I think if we simply ignore the stupid American laws regarding crypto and get crypto out there in the rest of the world, being developed mostly by foreigners, Americans will EVENTUALLY wake up to the only thing stronger than their domestic security paranoia: GREED. Every tech advance/dollar that is made outside the States by people working on crypto will further the fact to the Americans that they are only holding themselves back from reaping profit, not protecting themselves.

  16. Telnet in, telnet out? by Anonymous Coward · · Score: 0

    For that matter, what if (for instance) a Canadian in Canada telnets into the US, telnets from there to (for instance) the Bahamas, and then commences coding? Does the US have any say in the matter? Does it change the nature of the original question to take this scenario into account?

    -Nater

    1. Re:Telnet in, telnet out? by Anonymous Coward · · Score: 0

      Yes, the US Government/Law would be involved. You, the Canadian, have exported technology to the United States (to the owner of the American system) and then caused it to be re-exported to the Bahamas.

      That's by-the-book. It's unlikely that the US Gov't would charge anyone in this case, since the person they'd really want is the Canadian (and Canada likely would tell the US what to go do with themselves).

      Remember, you as the operator of your computer, are to some extent, responsible for what people do with it (you created the account for the Canadian, right?)... same with spam as with crypto.

      What if you exported marijuana and your American friend just took the box (not opening it or anything... in fact, totally oblivious to what was in it) and mailed it to the Bahamas? Same sort of thing.

      -Derek

  17. how much do they really care about this law? by Anonymous Coward · · Score: 0

    These laws are so stupid. It seems that those who wrote/enforce them are under an illusion that only US citizens are capable of creating military grade encryption! Who invented encryption in the first place? Many could consider the enigma machine (patented London early 19something), and later improved upon by the Germans in WW2 as the first example of "strong" encryption.
    Whenever i have wanted to circumvent expo restrictions from websites that attempt to enforce them, i simply use the US navy web proxy. (Guess what, i am not american!). The laws are merely there so some stuck up government types can sit there and feel superior to other countries, just like keeping the right to bear arms in the constitution, so some crazed 14 year olds can go around killing their fellow school children. Get over it is what i say.
    p.s. i think the law probably doesn't specifically cover the export of source code, but more likely the export of the algorithm.
    Sometimes the road is long, and then you realise you are on a roundabout

  18. Re:Even more questions... by Anonymous Coward · · Score: 0

    As I understand it, Microsoft's Crypto API implementations are exportable under ITAR because the exported implementations allow only crippled (40 or 56 bit key length) crypto to work.

  19. Re:draconian law has no limits by Anonymous Coward · · Score: 0

    There are no gray areas with draconian laws. This law did not originate from impartial sources. It was not intended to be debated or questioned in any manner. This thing was pushed on us for *one* reason. It's the thin edge of the wedge. Start off with some non-sensical, export laws and then follow through until crypto is *poof* gone! The govt wants to, and will kill crypto. That's all there is to it. Look at ECHELON..where the fuck did ECHELON come from?? I don't remember voting for that goddamn thing! All this shit is going on behind our backs, so as voters we have no control over it.

  20. Re:Hmmmm... by Anonymous Coward · · Score: 0

    Random people? I think not. 12 people who could not figure out how to get out of jury duty. So that usually means retirees (who won't 'Get' the remote access thing), unemployed people and such.

    Randall Schwartz's 3 felony convictions were for copying a file from one Intel machine to another. That's:
    1) 'theft' (the from machine)
    2) altering (the to machine)
    3) altering (the log file that noted it).

    Never mind that the data never left Intel, the farmers and retirees and gov't workers didn't "get" computers and he'll never vote in a national election or get a gun permit or get work at places that worry that a 3count felon is applying.

    So you are sitting IN the US doing work that's put OUT of the country. Is that export happening as you type?

    Try this: Take a trip to canada and do it. Better, go to the Caymans and learn to SCUBA dive during the breaks; you'll be much more relaxed for it.

    Better, hire someone from a free country. Make it obvious: "we'd love to give all this work to local folks, but the law forces us to pay foreign workers."

  21. Kiddie porn? by Anonymous Coward · · Score: 0

    kinda like kiddie porn? It's illegal to look at and (obviously) to take part of in any way. Or is it like sticking your hands over the border into a different country and working on something - hey no laws are being broken. But in this case, your input and display device are both on US ground, so US laws apply...

  22. Not Quite Moot by Anonymous Coward · · Score: 0

    Of course, that assumes that your cryptographic system is as secure as you believe it is. A significantly advanced organization wouldn't have a problem cracking such cryptography. Unless you happen to be Ron Rivest, I'd be inclined not to trust your mechanisms (unless you want to make some close friends for the next 10-20)...

    1. Re:Not Quite Moot by DJerman · · Score: 1
      A significantly advanced organization wouldn't have a problem cracking such cryptography.

      Ah, but to persecute ... er... prosecute you they have to admit they can break it, thus spurring the rest of us to use an actually-secured system. Much better to let a hacker do something that's going to get done anyway than to lose the ability to eavesdrop on all the naughty emails and whatnot they're really after.

  23. Re:It depends. Oh yeah? by Anonymous Coward · · Score: 0

    Well, then, we must do what we must - fight the powers that be.


    yeah, boooyyyy.....

  24. Hi there! by Anonymous Coward · · Score: 0

    Um, am I the only one who makes a conscious effort not to give a flying monkey f*ck if there are export laws on crypto? Who honestly in their right mind would be careful enough to make sure only to tidy up code by changing a comment here or there or, bravely, altering a function declaration. Careful enough or, stupid enough. I can't seem to make my mind up on that one. Toodles kids.

  25. Re:if they want to nail you, they will by Anonymous Coward · · Score: 0

    You're right, not that I didn't already know that, but yeah, if they want to get you, they will, but I heard somewhere that Reno wants to give the FBI the power to break into anybody's house who they suspect using encryption and steal their hard drive, and place a permanent bugging device, I think I saw it on www.lucianne.com

  26. Non export export by Anonymous Coward · · Score: 0

    What if a new protocol was made where a connection would be attempted of every letter +3 for shift, ctrl and alt and you connect if pressed and don't if not. No packets are sent to the other computer, just the opening and closing of a port. It would be very slow but may be in the law because nothing is leaving.

  27. Re:Crypto export regs by Anonymous Coward · · Score: 0

    Okay. So any work on crypto in the U.S. simply gets exported on paper. Isn't PGP doing this? Put it in an easily scannable font, with a checkdigit on each line. A little slower, but you can do all your development in the U.S., send it in a book to someplace with no restrictions, and they can scan it and post it on a website, as sourcecode and/or compiled. What's the problem?

  28. Re:Thoughts. by Anonymous Coward · · Score: 0

    Remember it is only the electronic export of crypto that is the problem. PUNCH CARDS??????? Holes in paper are not very electronic. I would like to see the expert witness for the state saying "Yes, the stack of paper you handed me is indeed electronic paper."

  29. Bleah by Anonymous Coward · · Score: 0

    You start off so on track and then totally lose touch with reality. I don't want to start a flame war, but you do give some reason to think that you are an intelligent being, so I will try to briefly explain why you are wrong. Your statements regarding cryptography are right on, but then you feel the need to throw in this: "The laws are merely there so some stuck up government types can sit there and feel superior to other countries, just like keeping the right to bear arms in the constitution, so some crazed 14 year olds can go around killing their fellow school children. " Please. The politicos that want to prohibit us from using (let alone exporting) decent crypto are... guess what? the same ones that are working overtime to take away our right to bear arms. And for the same reason. Because they thrive on dependance, and control, and crypto, like small arms, frustrate their desire to control us and make us dependent. The media reports instances of children being shot with fervour - even though such instances are far less common than those of children being beaten to death or run over with cars. Shortly before that idiot shot up the daycare (wounding 5 if memory serves) a man in neighboring area killed more children in a very similar incident which I would bet you didn't hear about. That's because he didn't use a gun, he used a car, and the self-appointed "elite" don't want to take away our cars. The shoot-em-ups also cluster in a few areas you might notice, if you would study them a little - those are areas where law-abiding citizens don't carry arms. The empire state building shooter traveled all the way from florida to new york before he started firing, and this was no accident - in florida there would have been a decent chance of his victims shooting back, but in new york that was not a worry. A high school kid a few months back tried to shoot up his high school in mississippi - but his assistant principle had a pistol of his own and the incident ended quickly without the kind of damage that was done in littleton - I guess you probably didn't hear about that either? Where I live every household contains what anti-gunners would doubtless describe as an "arsenal" - generally a shotgun or two, 3-4 rifles, and a handfull of pistols, along with sufficient ammo for each. Crime is extremely rare here. It is the areas where citizens are forbidden from possessing the means to defend themselves where the predators congregate and flourish. 50 years ago there was nothing uncommon about a child taking his rifle to school with him, and the sort of violence on the news here now was not even imaginable. In the US today we have a lot of violent people, and a lot of violence, and this is a problem, but it is exacerbated, not helped, by "gun control" (the politically correct term for victim disarmament.) The real reasons are numerous, and need to be addressed, but it is not the availability of weapons, nor does restricting that availability have any positive affect. I gather (perhaps incorrectly) that you are european? You might want to look into the availability of weapons and the crime rate in switzerland. Regards,

  30. Bleah (oops, in readable form this time) by Anonymous Coward · · Score: 0

    You start off so on track and then totally lose touch with reality. I don't want to start a flame war, but you do give some reason to think that you are an intelligent being, so I will try to briefly explain why you are wrong.

    Your statements regarding cryptography are right on, but then you feel the need to throw in this: "The laws are merely there so some stuck up government types can sit there and feel superior to other countries, just like keeping the right to bear arms in the constitution, so some crazed 14 year olds can go around killing their fellow school children. "

    Please.

    The politicos that want to prohibit us from using (let alone exporting) decent crypto are... guess what? the same ones that are working overtime to take away our right to bear arms. And for the same reason. Because they thrive on dependance, and control, and crypto, like small arms, frustrate their desire to control us and make us dependent. The media reports instances of children being shot with fervour - even though such instances are far less common than those of children being beaten to death or run over with cars. Shortly before that idiot shot up the daycare (wounding 5 if memory serves) a man in neighboring area killed more children in a very similar incident which I would bet you didn't hear about. That's because he didn't use a gun, he used a car, and the self-appointed "elite" don't want to take away our cars.

    The shoot-em-ups also cluster in a few areas you might notice, if you would study them a little - those are areas where law-abiding citizens don't carry arms. The empire state building shooter traveled all the way from florida to new york before he started firing, and this was no accident - in florida there would have been a decent chance of his victims shooting back, but in new york that was not a worry. A high school kid a few months back tried to shoot up his high school in mississippi - but his assistant principle had a pistol of his own and the incident ended quickly without the kind of damage that was done in littleton - I guess you probably didn't hear about that either?

    Where I live every household contains what anti-gunners would doubtless describe as an "arsenal" - generally a shotgun or two, 3-4 rifles, and a handfull of pistols, along with sufficient ammo for each. Crime is extremely rare here. It is the areas where citizens are forbidden from possessing the means to defend themselves where the predators congregate and flourish. 50 years ago there was nothing uncommon about a child taking his rifle to school with him, and the sort of violence on the news here now was not even imaginable.

    In the US today we have a lot of violent people, and a lot of violence, and this is a problem, but it is exacerbated, not helped, by "gun control" (the politically correct term for victim disarmament.) The real reasons are numerous, and need to be addressed, but it is not the availability of weapons, nor does restricting that availability have any positive affect.

    I gather (perhaps incorrectly) that you are european? You might want to look into the availability of weapons and the crime rate in switzerland.

    Regards,

    1. Re:Bleah (oops, in readable form this time) by Anonymous Coward · · Score: 0

      you might want to look at the UK, where hand guns were made illegal after a guy shot up a school UK : Several children die - ban handguns US : Several children die - post 10 commandments Well its an interesting difference... Q: how many teenage parties in UK feature shootings. How many in US? How many more people have to die?

    2. Re:Bleah (oops, in readable form this time) by Anonymous Coward · · Score: 0

      You're referring to the Dunblane incident.

    3. Re:Bleah (oops, in readable form this time) by Anonymous Coward · · Score: 0

      How many in Switzerland? Answer--none. Way more guns than U.S.

    4. Re:Bleah (oops, in readable form this time) by Anonymous Coward · · Score: 0

      In fact, I believe that all adult males not convicted of a serious crime or insane are required to have an assault rifle and ammo in their house at all times. Officers get a pistol as well. The government used to subsidize ammo costs to encourage people to practice shooting. The guns issues are complicated, but several things are clear:

      It is a cultural issue. Number and distributions of guns are not relevant in cross-cultural comparisons.

      In the US, the more guns, especially concealed handguns, the less crime.

  31. Re:Who gives a shit? by Anonymous Coward · · Score: 0

    Talk to Kevin Mitnick. If and when the government decides to make an example of you, you are f-ed. These laws work not because of enforcement, but because of the threat of enforcement. If you want to spend 4 or 5 years in jail, without bail, while your lawyers argue about how these laws are "wrong" or unenforcable, go ahead.

  32. Re:first posts.... by Anonymous Coward · · Score: 0

    First reply to your First Post message!

  33. Re:Change the laws, don't circumvent by Anonymous Coward · · Score: 0

    Who cares. If what I'm doing doesn't harm others in the process, then to hell with it. Fuck the government, they are hypocritical, anti-freedom assholes with far too much power.

  34. Re:Beefed up or crazy? by Anonymous Coward · · Score: 0
    hello there, a question: are you confident that the US gov would have the balls to destroy entire year-classes and entire herds of livestock in the event that bovine scrapie got started over here in the US? I'm not.

    bgh in burgers aside I think there's already enough to worry about from e.coli contamination at meat processing factories. Don't laugh so loud friend, you've got nothing to brag about.

  35. Re:Change the laws, don't circumvent by Anonymous Coward · · Score: 0

    |___|
    |

  36. Re:Linus is from Finland.... by Anonymous Coward · · Score: 0

    But he lives in California

  37. Question? by Anonymous Coward · · Score: 0
    If I am not an American citizen and I enter the United States with my notebook computer with the latest zillion bit encryption program, can I take the same computer back out?

    In my case, since I am a Canadian, living in Canada, I can in fact take my computer back and forth since it is legal to export strong encryption to Canadian citizens in Canada. But what if I am from Europe? What happens when I try to go home?

    Curious in Toronto

  38. the feds by Anonymous Coward · · Score: 0

    You know more and more rage is mounting against the government and it's minions (FBI, CIA, NSA, etc), which of course is only good. They are monsters. To be brutally honest it brings a smile to my face when I here that some of them have been killed. Personally I think that the "Branch Davidians" should have fought to the death rather than just burning up. I don't advocate the murder of people, but to me these federal agents don't even qualify as people anymore. If only they would back the fuck off and show a little respect, since respect is indeed a two way street, then there wouldn't be nearly the number of problems today. I could live in peace knowing that what is legal today will still be tomorrow rather than wondering what kind of new oppressive shit they are cooking up for us in the bullshit names of "anti-terrorism" and "the children." Come on, even "the children" hate the feds. Don't believe me? Ask them. I remember all throughout high school students saying that they don't pay attention to politics when asked by a teacher because "I hate the government." The only protection the children need is protection from the monsters in Brainwashington, DC which is located in the United Police States of America. Pissing off people is not good public policy. Freedom with resposibility is the only way to make for a peaceful society. If they showed me respect by not trying to cram oppressive legislation (such as cryptography export BS) down my throat then I would feel much better about this country and the authorites. Seeing as this doesn't happen I am quickly losing respect for the government. Actually it's already gone. No you shouldn't be exporting nuclear weapons and such but cryptography? Come on. Some say the next major war will be fought on US soil, I can only hope they are correct.

    1. Re:the feds by Anonymous Coward · · Score: 0

      fuck you

  39. Re:Just automate the OCR process.. by Anonymous Coward · · Score: 0
    What if you photo-reduce your code page by page into microdots and artistically arrange these in a jpeg of Samantha Fox blowing a donkey. Wouldn't it be a violation of your 1st amendment rights if they said you cannot tranfer that file to requesters in foreign domains? Wouldn't the Aclu come to your side? wouldn't PETA?

    I think if thousands and thousands of cypherpunks export crypto at the same time, those whose surnames begin with the letter A will just be eligible for parole by the time Zeb Zimbalist is entering the penalty phase of his trial.

    If ppl wanna work on crypto so dang badly---

    .....EMIGRATE

    It's the only logical alternative --and i haven't seen mentioned once. If you folk really believe your gov has betrayed its promise to preserve your liberty, you're cowards to live in its shadow.

  40. criptyr stuff i made!!!! by Anonymous Coward · · Score: 0

    hay i think this cryptigrafy stuff is so cool man!!!!! i just made a crypter thing!!!! its cool!!!!! now i can crytograf my nuking messages so no one knoes what they say@!!!!! im trying to hack into a site right now with ws-ftp!!!!!!! when i get in i will put it on the site wif some of my punters!!!!!! it will be cool!!!!! z3r0kewl453@aol.com mail me!!!!!!

  41. can't other countries make their own crypto? by Anonymous Coward · · Score: 0

    Can't other countries make their own crypto? Why should they have to rely on the United States for their crypto purposes? And is the U.S. authorized to bully other countries into not developing crypto?

    P.S. I am a slashdot user, my nick is miahrogers, but I can't log in because my dns server still hasn't upgraded yet, so deal with another anonymous post

  42. Re:Thoughts. by Anonymous Coward · · Score: 0

    Well, I can see that someone working on a nuclear weapon would be considered a traitor, but the point here is whether or not encryption should be considered as important to state security. I mean, someone helping to develop a kid's toy, even during a war, for an opponent probably won't be convicted as a traitor.

    Remco

  43. What do you think? by Anonymous Coward · · Score: 0

    You will spend the rest of your life wearing an orange jumpsuit shackled up in a small cell with some big faggot in their with you who will brutally rape your ass and pump your anal cavity full of cum.

  44. Re:another way to do it by Anonymous Coward · · Score: 0
    Good lord, there may be hormones in there but at least we know how to cook it. I had more crappy steaks and hamburgers in europe in the nine months I was there than I care to remember. I'm sure I was just too poor to get the good stuff but everywhere I went it was either bleeding or burnt to a crisp.

    Fries though, they know how to make fries. Now if I could just find some decent mayo I'd gain those 10 pounds back.

  45. Re:Who owns who? by Anonymous Coward · · Score: 0

    >And how fscking arrogant can the US be?! Does the NSA, CIA, whatever-A think that no one who lives
    >outside the US is SMART enough to make better cryptography software than the US?!

    If they're that SMART, they don't need your
    help. The govt doesn't interfere with them,
    it just doesn't want its own flunkies helping
    them.

  46. Re:Even more questions... by Anonymous Coward · · Score: 0

    "The main question I keep comming back to is, what defines the crypto?"

    If you look at the export regulations, the BXA allows export of sufficiently weak crypto (56bit DES, IDEA, 512bit RSA) of certain types. Before you can export even this weak crypto, you have to obtain what they call a 'License Exception ENC' -- part of the procedure involves obtaining a validation string from the NIST and verifying that your software encrypts this string correctly; I believe that the purpose of this is to ensure that your software implements the specified weak crypto algorithm correctly, so that it's easy for the govt. to crack it if necessary. You also have to make your software such that it cannot be extended to perform stronger encryption (such as through double encryption) or contain hooks ... this is a real pain to implement. So what you describe above may be out.




  47. bastard by Anonymous Coward · · Score: 0

    you know what? fuck you. encription is wrong and you must obay patents for your own good. the gov needs to listen in to make sure ur not selling drugs or being a terrorist. so fuck you, i like being safe and secure and i dont mind losing dumb freedom. as long as i can watch mtv and eat at mcdonalds then i dont care about freedom its a lame concept. freedom, fuck it and FUCK YOU

    1. Re:bastard by JonK · · Score: 1

      Shame this was posted by AC: it'd have been worth at least +3 mod. points for outright satirical brilliance...
      --
      Cheers

      Jon

  48. Source? by Anonymous Coward · · Score: 0

    "Irregardless of "export," it's a felony for an American to provide "technical assistance" to foreigners about crypto."

    What's your source for this? As I understand it, it's perfectly legal for an American citizen to say, take part in a Cryptography conference abroad and present papers etc. An analogy: guns are weapons and are export controlled, but that doesn't mean an American can't go abroad and help build a gun.

    The NSA doesn't like it, but they can't do anything about it; there was a case described in Bruce Schneier's 'Applied Cryptography' where (I'm not sure whether I've the details perfectly straight) the NSA tried to stop a researcher from presenting RSA for the first time at a conference abroad, but NSA backed down in the end.

  49. its to help you by Anonymous Coward · · Score: 0

    laws are there to help you. it is for you to be safe from terrerists and child pornogafers. they need to get rid of free speach so they can outlaw all cripto. free speach is old and noone needs it anymore since we are got away from britan. plz remember laws help you not hurt you unless ur a bad person!

  50. Resources by Anonymous Coward · · Score: 0

    How much money do drug lords have? As much as M$? More than RSA? Can they hire enough mathematicians and programmers anywhere in the world to make their own strong encryption system? Sometimes (OK, a lot of times) government looks plainly stupid.

  51. Re:another way to do it by Anonymous Coward · · Score: 0

    Unless, of course, you actually grow your own food...
    I'd probably be too lazy to do it myself, but
    my parents' ever expanding vegetable garden is a
    beautiful thing.

  52. Re:Bullshit by Anonymous Coward · · Score: 0

    I believe you can also export encryption code in non printed forms via rocket. Otherwise NASA would have a rather hard time of it ;-)

    Mission control to apollo, please start typing in volumes 1 - 3 of the crypto code ;-)

  53. It's "illegal" by Anonymous Coward · · Score: 0
    (By the way, this is Ungrounded Lightning Rod posting. The new server seems confused about me and will neither let me log in or recreate the account.)

    It doesn't matter if you export it all at once or one character at a time. It's still exporting. It's even exporting if you go outside the country and type it there. (You "exported" this "munition" carried in your head.)

    Sounds crazy? Yes! But no more crazy than calling an algorithm a "munition". (Or calling it a "process" in order to get around the prohibition on patenting a mathematical algorithm.)

  54. It's a fake debate! by Anonymous Coward · · Score: 0

    Just don't ask. As a UNIX admin contractor and user here in Europe I can tell ya we got all the stuff mentioned, use SSH and the lot. Funny how you can find "things" that are suddenly becoming restricted on a mirror site or an old university ftp server somewhere else in the world. As far as we are concerned, it does us no harm. Especially in France and other places. In fact, most places (employers) don't even check what we implement. Besides, you can grab GOST or other similar Russian re-inforced DES, Israeli or anything else (some good stuff around). Working recently with people in the Space industry also exposed me to stories where let's say our American counterpart was acting "paranoiac" just because we know and develop similar technologies (VSAT, transponders, burst transmission) already which we thought were "basic harmless stuff". Even better, you know GSM had a degree of imprecision artificially induced in its civilian version. Well the Russians used GSM in their tanks and produced reliable military type receivers. They've just cracked the system and exploited it. You could buy them! The world is just way too big to worry about those things. If you are a politician and you wanna go back to the middle ages, well tough luck, just try to unplug the net, you'll see what MCI, AT&T, BT and others will tell ya and the pressure they'll apply politically, cause that is who really runs the net now.

    1. Re:It's a fake debate! by Anonymous Coward · · Score: 0

      I presume you mean GPS, rather than GSM - although to add to the confusion, GSM basestations can use GPS for network synch timing. Also, GSM supports the use of A5 encryption - which is anything but strong.

  55. Civil Disobedience by Anonymous Coward · · Score: 0

    Tell Rosa Parks she should've just changed the law herself..
    Bullshit~ You've got a moral obligation to ignore unjust laws...THEN work to change them!!

    1. Re:Civil Disobedience by unicorn · · Score: 1

      What I said, is that you should move to change them. Rosa Parks did that. In her case, making a statement, by standing up to them, was how she worked to change them.

      You guys are willing to make a stand just like hers. Only you're too chickenshit to even identify yourselves by name on a forum like Slashdot. I assume you'd never consider putting yourself in harm's way, the way Rosa Parks did.

      I don't have a problem with actively opposing laws, but don't hide in the shadows, and try and sneak around the laws. If you think they need to be changed, stand up. Oppose the laws openly. And then fight for your right to do what you feel needs to be done.

      --
      "Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
    2. Re:Civil Disobedience by Chandon Seldon · · Score: 1

      I know of no move that I personally could possibly make to change US federal anti-crypto-export laws.

      I do know that if I was connected to a non-us box through a well-encrypted connection, the fact that exporting crypto is illegal would become irrelevant.

      Trying to change a law is nice, but the USA has 260+ *million* residents, the most I can do is try to suggest civil disobedience when it makes sense, and suggest lobbying government groups when that makes sense.

      Resistance takes time and effort. When you just want to get work done, ignoring useless laws works better. If you ever get started organizing a group of people for the purpose of actively protesting that set of laws, e-mail me, I'll probably want to join in -- but myself alone trying civil disobedience would be pretty much stupid (can you say getting tagged as a malicious "Hacker" and getting my PC taken away?). Attempting to lobby against the laws myself would be like banging my head against a stone wall, (Painful, time consuming, and not worth doing)

      --
      -- The act of censorship is always worse than whatever is being censored. Always.
  56. What makes you think this hasn't already happened? by Anonymous Coward · · Score: 0

    Duh!

  57. Exporting ideas is NOT illegal! by Anonymous Coward · · Score: 0

    Where do you think the fundamental public-key algorithms came from?

    They were originally published in peer-reviewed math journals, which can be found in any library in- or outside the United States! As yet, mathematicians don't require a prior authorization of NSA to publish their results in math journals, so are you saying that publishing a math paper in an internationally accessible peer-reviewed journal should be classified as "aiding foreign nations to develop technology"? I don't think so, and I hope you don't either.

    So what is it - the ideas ARE exportable but the actual code is not? Why is the US government trying to enforce the unenforceable, while at the same time allowing US mathematicians to publish their papers in international journals? It doesn't take a genius to code something that's described in great detail in a math paper.

  58. Re:Technical assistance by Anonymous Coward · · Score: 0

    Yes, but US citizens already HAVE helped foreign individuals with crypto code by inventing the algorithm and publishing it in a math journal in the first place!

    If there's nothing wrong with inventing a new crypto algorithm and publishing it in an internationally-accessible math journal, then what's wrong with helping foreigners code it? Or does the US government think that all foreigners are stupid and cannot write a program by themselves unless helped by people from the US?

  59. We are as civilized as you!! by Anonymous Coward · · Score: 0

    Europe is full of McDonalds, Burger Kings, KFC's, Pizza Hut's etc! We are not savages! The Hamburger was named after a German city. So were the Frankfurter, the Wiener etc.

  60. There may be another way.. by Anonymous Coward · · Score: 0

    Most European countries won't extradite someone to a country where he might receive the death penalty, so you could combine the cryptography work with something really outrageous, like smoking pot, showing a picture of an exposed boob to children, or teach evolution in Kansas

  61. Re:if they want to nail you, they will by Anonymous Coward · · Score: 0

    What's that line in your national anthem again? "Land of the free" I think it goes....

  62. BSE (way off topic) by Anonymous Coward · · Score: 0

    It's not a virus in the modern sense of the word. Creutzfeldt-Jakob disease (and BSE, its bovine form) is caused by a single infectious protein (prion). The protein is identical (or in the case of a cross-species infection: very similar) to a normal protein that is present in nerve cells, but organised in a different (wrong) shape. In that wrong shape it catalyses the transformation of the normal protein to the infectious one. Furthermore, the protein in the infectious form does not fit into the enzyme intended for degrading the protein, so the infectious protein accumulates inside the nerve cell, until it dies, spreading more infectious protein.

  63. Belgian fries + mayo by Anonymous Coward · · Score: 0

    Sure we've had all that mad cow and dioxin chicken scandals... But Belgium still makes the best so-called "French" fries in the world (they were invented in Belgium anyway, ask the French they'll tell you), and we only serve them with mayo.

    1. Re:Belgian fries + mayo by avdp · · Score: 1

      Only with mayo?
      Hell no! As a Belgian I am proud to say that most "fritterie" have a very wide variety of sauces one can put on "french" fries... Including a sauce called "american" which I have never seen in the states....

  64. Exporting crypto software - another way? by Anonymous Coward · · Score: 0

    You may recall that pgp was exported in book form: the source code was printed on paper, which was scanned and OCR'ed outside the US. Therefore, no electronic export of the software.

    I understand it took some time to proof-read all that OCR'ed code, presumably because OCR software isn't 100% perfect. I thought of a way to make it easier, and I want to ask what you think.

    Express each byte of the source file in hex. Surely it must be easier to scan the characters 0 to 9, and A to F, rather than the whole ASCII character set, with all that punctuation etc.

    At the end of each line, you could put a checksum digit. Then, if the OCR fails on that line, it can be flagged for checking by the human operator.

    The result should be source code which compiles first time (maybe!). What do you think?

    David Nelson, dave@nutters.org

  65. Re:Thoughts. by Anonymous Coward · · Score: 0


    You are of course, dead wrong.
    This is *exactly* what RSA did to get their algorithm exported out of the US.

  66. Re:if they want to nail you, they will by Anonymous Coward · · Score: 0

    in the real world, you don't think, you know. besides, in high schools, they don't even teach the Declaration of Independence, or the Constitution, except the basic gist of both. ppl of the land of the free will never be free. i vote that we change all our clocks back to 1984

  67. Re:Wouldn't count on nitpicky details by Anonymous Coward · · Score: 0

    True. The bastards will come after you if they want to. Right or wrong, it's gonna be hard to fight the US's single biggest organization (gov't, that is) and if they make something up to nail you on, like they have Microsoft, there's no one to save you by calling their accusation foul. (No, MS ain't innocent, but they could have found something *real* to nail 'em on for chrissakes. Redhat bundles software, Caldera does, Corel does, AOL bundles, Apple bundles...etc etc etc, but MS cannot?)

    "A state without criminals has no one to exercise control over, but legislation can always create as many criminals as you want." ---Christopher Hallaxs

  68. Re:Just automate the OCR process.. by Anonymous Coward · · Score: 0

    Why not just stick a CD in the post? Nobody would be able to trace the person sending it, and provided whoever you send it to isn't a US citizen, they wouldn't be breaking the law.

  69. It's already been done..... by Anonymous Coward · · Score: 0

    PGPi 6.0 'originates' outside of the US (legally/technically/loopholely speaking) and incorporates strong encryption.

  70. Pssst ! Hamburgers were "invented" in Europe ... by Anonymous Coward · · Score: 0

    & named after a German city: Hamburg ... ;) and well, the genetics don't make the food taste better but make em better to produce. Aromatics additives create the taste ... (or did you believe industrial potatoes or flesh would taste of something pure ?) I don't know in which part of Britain you were, but in Germany we have a McDonald's in every city above 14000 inhabitants... burgerking & pizza hut & multistore same way. Some even speak of an American invasion ;). Asian fastfood is rare (but there are a lot of non-fastfood Asian restaurants), for Hispanic restaurants you have to go to a bigger city. Instead, we have masses of Italian & Turkish food, as well as some Indian restaurants and of course, German ones...

  71. Re:The key here is "aid to foreign nationals" by Anonymous Coward · · Score: 0
    Well, gee,

    I know it is foolish to go where I intend, but here goes:

    gcc and other compilers "aid foreign nationals" in developing strong crypto - lock those developers up.

    IDE's, etc. "aid foreign nationals" in developing strong crypto - lock those developers up.

    computers, etc. "aid foreign nationals" in developing strong crypto - lock those developers up.

    information on logic and mathematics (if posted in the net) "aid foreign nationals" in developing strong crypto - lock those developers up.

    giving help with the generation of electricity "aids foreign nationals" in developing strong crypto - lock those developers up.

    providing healthy food and clean water "aids foreign nationals" in developing strong crypto - lock up the peace corps and all of those other un-american volunteers and businessmen (can't give it away, sell it, or teach its production.)

    while we are at it, promoting a clean environment "aids foreign nationals" in developing strong crypto - after all, if we poison the place so bad that they all die, then they wouldn't be able to develop strong crypto, so anything we do that slows down our ruining of the world for mankind's use is aiding those nasty foreign nationals.

    I woke up today with my head in a daze.

  72. Write Your Local Congressperson by Anonymous Coward · · Score: 0

    Make sure that you all write your local congressperson supporting all bills allowing more exports of encryption and threaten to vote against your congressperson if they vote for a bill which limits cryptography or suggests key escrow. Even emailing your congressperson is effective.

    Charles Leeds Libertarian

  73. NOPE CAN'T DO IT LEGALLY by Anonymous Coward · · Score: 0

    The government considers that the export of ideas relating to cryptology. This is also against the law. American citizens are basically only able to develop cryptographic algorithms for national use without government consent. The exporting of ideas, services, or products relating to cryptology is severely illegal in this country without prior government consent.

    Thx,
    Some Guy in a FED building

  74. Who cares? by Anonymous Coward · · Score: 0

    Who is going to know, or care for that matter? Is the ATF going to burn down your house with smoke grenades? Oh wait, thanks to the GPL and shit you probably include your name. HAHAH. j00 r scr00ed

  75. Re:Even more questions... by Anonymous Coward · · Score: 0

    56-bit DES is exportable. Triple DES just means encrypt with DES, encrypt result with another key, encrypt that result with a third key. This is equivalent to 112-bit encryption. All you need is standard DES, and put it in a batch file. MD5 and other secure hashes are exportable, being just one-way functions. However they can easily be used for reversible encryption if applied correctly--see Schneier. Digital signatures such as DSA are exportable. But they can be used effectively as strong encryption using Rivest's chaff and winnow protocol. The government is fighting a losing battle. Technology will outpace regulation.
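
Rivest's chaffing and winnowing, mentioned in the comment above, written out as an added example (not code from the poster or from Rivest's paper). It assumes a shared-key HMAC-SHA256 as the authenticator and one message bit per packet; the function names and the sample message are hypothetical.

```python
import hashlib
import hmac
import secrets

TAG_LEN = hashlib.sha256().digest_size  # 32-byte authenticator per packet


def _tag(key: bytes, serial: int, bit: int) -> bytes:
    """Authenticate one (serial, bit) pair with the shared key."""
    return hmac.new(key, serial.to_bytes(4, "big") + bytes([bit]),
                    hashlib.sha256).digest()


def add_chaff(key: bytes, message: bytes) -> list[tuple[int, int, bytes]]:
    """Sender: emit one genuine and one bogus packet for every message bit.

    Nothing is encrypted. Each packet carries a serial number, a bit in the
    clear and a tag. The "wheat" packet has a valid tag; the "chaff" packet
    carries the opposite bit and a random tag.
    """
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    packets = []
    for serial, bit in enumerate(bits):
        pair = [(serial, bit, _tag(key, serial, bit)),
                (serial, bit ^ 1, secrets.token_bytes(TAG_LEN))]
        if secrets.randbits(1):      # hide which packet of the pair is wheat
            pair.reverse()
        packets.extend(pair)
    return packets


def winnow(key: bytes, packets) -> bytes:
    """Receiver: keep only packets whose tag verifies, then rebuild bytes.

    Raises ValueError if the surviving serial numbers are not a complete
    run of whole bytes, or if two valid packets disagree on a bit.
    """
    bits = {}
    for serial, bit, tag in packets:
        if not hmac.compare_digest(tag, _tag(key, serial, bit)):
            continue                 # chaff, or a packet altered in transit
        if bits.setdefault(serial, bit) != bit:
            raise ValueError(f"conflicting valid packets for serial {serial}")
    if sorted(bits) != list(range(len(bits))) or len(bits) % 8:
        raise ValueError("missing or extra authenticated packets")
    out = bytearray()
    for start in range(0, len(bits), 8):
        value = 0
        for offset in range(8):
            value = (value << 1) | bits[start + offset]
        out.append(value)
    return bytes(out)


if __name__ == "__main__":
    shared_key = secrets.token_bytes(32)
    stream = add_chaff(shared_key, b"Hi")          # constructed sample message
    print(len(stream), "packets on the wire")
    print("receiver recovers:", winnow(shared_key, stream))
    print("wrong key recovers:", winnow(secrets.token_bytes(32), stream))
```

Every serial number appears on the wire with both a 0 and a 1, so confidentiality rests entirely on the observer being unable to tell a valid tag from a random one without the key.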

  76. Asking those who have experience in that stuff by Anonymous Coward · · Score: 0

    Would someone simply mind asking any OpenBSD developer how they tackle with that everyday issue? (in their perspective, it just gotta been dealt with before)

  77. Er, correction here gang. by Anonymous Coward · · Score: 0
    Switzerland has fewer guns per capita (and obviously total) than the US. The US is first, Switzerland is second.

    I'm not sure exactly what your point was, but it's true that there's not a correlation between firearm density and death toll.

    To me, the obvious answer is that it's not the number of guns that's a problem, it's the stupidity of the people. The solution would be not to let the stupid people have guns.

    Unfortunately that would mean banning guns in the US. Cursed cyclical reasoning.

  78. A question that I have often pondered myself, but: by Anonymous Coward · · Score: 0

    As a question that I have often wondered myself, I have spent some (granted, not a lot) of time thinking about this. My conclusion: it would not violate the letter of the law.

    Nevertheless, as stated earlier, if you intend to test this you will be spending a lot of time/resources in court, and a victory is certainly not guaranteed to be easy.

    The first obstacle would be trying to describe exactly what you're doing to the court - these are the most technically literate people all of the time. Second would be in conflict with the spirit of the law. Finally, look at our friend Kevin.

  79. Re:import& Export? by Anonymous Coward · · Score: 0

    Take your laptop to Canada, or Mexico for the weekend and work on it. Or plan a vacation to another country where you can do that. Another method could be to take a boat ride into international waters...(100 miles from US shores or so) and then use a satellite link to update the code ?

  80. export the diffs as a printout... by Anonymous Coward · · Score: 0

    You can work on the software in the US, and then print it out and export the printouts of the diffs. then simply scan the diffs in the other end..tedious but completely legal. note that PGP is exported that way.

  81. Re:draconian law has no limits by Anonymous Coward · · Score: 0

    If you are naive enough to think that the USofA is a "free" country, man, you've got a cruel lesson coming, (Waco, Kennedy, Crypto, Gun control, Etc.) It's leading up to Kristallnacht.

  82. libcrypt? by Anonymous Coward · · Score: 0

    (Really by *gnp* [gregor@focusresearch.com], but when I tried to log in it seemed broken). So, how much of the support code for creating things such as RC5, RC6, TWOFISH, etc. can be legally exported? How about creating a library and a "glue" language that can be leveraged to put together good crypto easily? So, anyone anywhere can hack, import, and export the lib, and a small amount of redundant work needs to be done within each paranoia domain to have a locally-sourced implementation of each algo. Any takers?

  83. Even worse? by Anonymous Coward · · Score: 0

    What if you are a US citizen, in the US, talking to a computer in the US (on US soil, embassy, or otherwise American), but at least some of your data is routed through a foreign computer?

  84. Wrong Issue : illegal to write plugins? by Anonymous Coward · · Score: 0

    1) Strong encryption is out the bottle so I don't care. So is it now a point that strong click and point encryption does not get out the bottle.

    2) MS has/is making it hard to add crypto addins/ dropin replacements, and US folks are encouraged to play ball.

    3) Is it a crime to document how to add a plugin, that bypasses any MS magic frontends? After all, writing a program to see whether it's allowed to run is stupid - that's what ACLs are for. That's where the money is, and the present stance is hurting. I'm sure Norway will fill the gap - too bad they don't play ball...

  85. Re:Pssst ! Hamburgers were "invented" in Europe .. by Anonymous Coward · · Score: 0

    >burgerking & pizza hut & multistore same way. Some even speak of an American invasion

    Is Burger King not British?

  86. Missing the "point" by Anonymous Coward · · Score: 1
    The purpose of ITAR is clearly to make it as difficult as possible for an "enemy" to make use of "military grade" encryption. If you export a change of function names such that the new exported function name makes it easier for said "enemy" to figure out how to accomplish military grade encryption then you are working against the purpose of the ITAR controls on encryption. Regardless of if it is right or wrong/legal or illegal, there are members of U.S. government that are dedicated to enforcing the *purpose* of crypto export laws. These people are not interested in "loop-holes" and are ready to make your life hell for "missing the point."

    Please please please read the US crypto policy FAQ from the EFF archives.

  87. OpenBSD solution by Anonymous Coward · · Score: 1

    Since we are the guys who have the definitive collection of crypto source in tree, what we do is literally fly/bus people over the border for a concentrated time of working on crypto stuff.

    No problem with any interpretation of "export regulations."

  88. Export in printed form - they did this! by Anonymous Coward · · Score: 1

    > import is legal
    > Export in Electronic form is illegal
    > Export in non-electronic form is legal
    > Print the diffs!!!

    Didn't they once send out the printed source for PGP 5 or something with checksums written by each line to make it easy for a computer with a scanner to read it and check it? Very clever. Aren't there plenty of competent people in Europe to develop this for import into the US afterwards?

    1. Re:Export in printed form - they did this! by dorjelorand · · Score: 1

      The EFF did this with Deep Crack (the machine that broke the DES record a while back). They published a book with complete specs, in a machine-readable font, with checksums on each line, and on the cover it says, "Scan this book!"

      I saw John Gilmore's talk at the RSA conference in January. He said the loophole is that they can ban software exports as munitions, but banning a book would be censorship.

      So yeah, print the diffs, but use a good OCR font and give each line a checksum.

      Dave

      --
      -- "You're not fooling me, young man - it's turtles all the way down!"
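
The hex-plus-checksum page format proposed in comment 64 and echoed in the reply above ("give each line a checksum"), written out as an added example (not code from any poster, nor the format used in the PGP or EFF books). The function names, the 16-bytes-per-line layout and the 4-digit CRC-16 in place of a single checksum digit are assumptions, and the sample input is constructed; it goes slightly beyond the comments by folding the line number into the checksum so that dropped or reordered lines are flagged too.

```python
import binascii

BYTES_PER_LINE = 16  # assumed layout: 32 hex digits, a space, 4 check digits

# Glyphs outside the hex alphabet that OCR tends to emit in place of hex
# digits. Because they are not valid hex they can be mapped back safely.
# Confusions between two valid digits (8 vs B, 0 vs D) cannot be mapped
# and are left for the checksum to catch.
OCR_FIXUPS = str.maketrans({"O": "0", "o": "0", "I": "1", "l": "1",
                            "S": "5", "Z": "2"})


def line_checksum(index: int, chunk: bytes) -> str:
    """CRC-16/CCITT over the zero-based line index and the line's bytes."""
    crc = binascii.crc_hqx(index.to_bytes(4, "big") + chunk, 0)
    return format(crc, "04X")


def encode_for_print(data: bytes) -> list[str]:
    """Turn arbitrary bytes into printable lines of hex plus a checksum."""
    lines = []
    for offset in range(0, len(data), BYTES_PER_LINE):
        chunk = data[offset:offset + BYTES_PER_LINE]
        index = offset // BYTES_PER_LINE
        lines.append(f"{chunk.hex().upper()} {line_checksum(index, chunk)}")
    return lines


def decode_scanned(lines) -> tuple[bytes, list[int]]:
    """Rebuild the bytes from OCR output.

    Returns (recovered_bytes, suspect_line_numbers). Suspect lines are
    1-based and contribute no bytes, so the result is only complete when
    the suspect list is empty; otherwise a human rechecks those lines.
    """
    recovered = bytearray()
    suspect = []
    for index, raw in enumerate(lines):
        # Apply the glyph fix-ups first, then normalise case and spacing.
        compact = "".join(raw.translate(OCR_FIXUPS).upper().split())
        payload, check = compact[:-4], compact[-4:]
        try:
            chunk = bytes.fromhex(payload)
        except ValueError:           # odd length or a non-hex character
            chunk = b""
        if not chunk or check != line_checksum(index, chunk):
            suspect.append(index + 1)
            continue
        recovered += chunk
    return bytes(recovered), suspect


if __name__ == "__main__":
    sample = b"int main(void) { return 0; }\n"   # constructed sample source
    page = encode_for_print(sample)
    print("\n".join(page))
    # Simulate two OCR slips: a harmless O-for-0 and a damaging B-for-8.
    scanned = [page[0].replace("0", "O", 1).replace("28", "2B", 1), page[1]]
    data, bad = decode_scanned(scanned)
    print("lines needing a human check:", bad)
```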
  89. "Technical Assistance" is a felony by Anonymous Coward · · Score: 2

    Irregardless of "export," it's a felony for an American to provide "technical assistance" to foreigners about crypto.

    Companies and organizations like mozilla.org have to keep their noses clean, so they can't even provide minor help like bugfixes to free-world crypto efforts. A single person could probably get away with it, though, especially if you were careful (e.g., anonymous encrypted mail with the bugfix, etc.) (Not that I would ever publicly encourage someone to commit a felony, of course!)

    However, most of the major free-world crypto development efforts will not accept help from Americans, because under American law that then "taints" their effort as an American product, confusing the issue further. This is not just a technical worry; the US assumes its laws apply in all countries.

  90. I say do it by Micah · · Score: 1

    SCREW stupid laws. Just don't get caught. :-)

    (No, I'm not doing it, I'm not a crypto guy. So if you're the feds and are chasing me, you're just wasting your time.)

  91. D'Oh! I stand corrected! by Micah · · Score: 1

    Wow, that was convincing. PLEASE guys, quit programming cryptography! The only people who should have cryptography are the US Government(TM) and Microsoft! If anyone else has it, he might be tempted to become a terrorist or a child abuser!


  92. This is caught by US Export Controls!!! by dbandel · · Score: 1

    I am a US citizen and wanted to do exactly the same thing. According to Julie Lever, an analyst at the DOC in the crypto export division, you need a license to do this (I'm in the process of obtaining one). I have servers in Panama I access via SSH. Even building SSH on them (d/l directly from Finland) is a grey area. What she says is that _I_ doing the work constitutes exporting encryption technology because I am a US citizen. I cannot even do the work if I live in Panama as long as I'm a US citizen.

  93. Re:Embassies? by Alex+Belits · · Score: 1

    Seriously, what you are suggesting is tantamount to hand delivering technology from the US to another nation.

    Not everyone who lives in the US is a US citizen, and a lot of programmers are not (me, for example), so formally the "technology" or "expertise" doesn't belong to the US in the first place.

    --
    Contrary to the popular belief, there indeed is no God.
  94. Breaking law even to contribute by Eric+Green · · Score: 2

    You're breaking the law even to contribute technical assistance. However, the USG has a "gentleman's agreement" not to prosecute where it feels that they'd lose on First Amendment grounds. But where is the border line? Do YOU want to be the test case who spends the next five years in jail waiting for trial?

    -E

    --
    Send mail here if you want to reach me.
  95. Doesn't matter, law covers you if overseas by Eric+Green · · Score: 2

    The regulation says that if you're an American citizen overseas and working on a product that would require export permission here in the 'States, you're breaking the law. For that matter, an American citizen re-keying the code into a system upon arrival overseas would be breaking the law (since he would be providing technical assistance).

    For that matter, even printed on paper it's technically against the regulation, except that the regulation allows "academic discourse" and if you print a few academic notes to go with the code it slips through that loophole in the regulation. But don't think you can add a few academic notes and post the source to the USENET, the requirement is that it be printed on paper in order to qualify as "academic discourse", though the Bernstein case is trying to qualify source code in electronic form distributed as part of a book as "academic discourse" too (and he has a good case, but the USG will drag this out forever).

    Anyhow, it's all a blatant violation of the First Amendment, but the U.S. government doesn't believe in the Constitution anyhow (see the RICO statutes, which violate the 5th Amendment, for another example), so it doesn't matter.

    -E

    --
    Send mail here if you want to reach me.
  96. Re:It depends. Oh yeah? by Eric+Green · · Score: 2

    Flee the USA if you wish, but expect that if you peeve the USG enough, they'll go out and kidnap you in order to bring you back to trial. Heck, Noriega was president of his whole damned country and you saw how well he fared when the USG decided to kidnap him in order to bring him to trial in Miami (for acts legal in Panama, that occurred within the borders of Panama). What makes you think that a little pipsqueak like you or me stands a chance if they get peeved?

    -E

    --
    Send mail here if you want to reach me.
  97. Authentication, yes, encryption, no by Eric+Green · · Score: 2

    The problem is that most strong authentication mechanisms depend upon public key encryption, which IS export controlled. So, for example, let's say you want to only run binaries which are signed by Red Hat Software or by your Corporate Information Center. They would "sign" the binary by encrypting the MD5 of the binary using their private key, then before you run the binary you check the binary to make sure its MD5 matches the MD5 decrypted using their public key. Thus you can ensure that you got a trusted binary and not some barfled one.

    The problem is that even though this would receive an export license if you applied for one (because it is an authentication scheme, not an encryption scheme), you cannot include source code, because the source code would be capable of being "misappropriated for non-authorized uses". The GPL means that thus this capability won't go into the kernel.

    In other words, the US Government is propping up Microsoft here, since Microsoft can include this capability in their OS. (If they gave a damn, which they apparently don't). But that figures, the US Government is also giving Microsoft huge export subsidies too, at the same time that they're suing Microsoft for monopolistic acts. Quite a government we have, eh?

    -E

    --
    Send mail here if you want to reach me.
    1. Re:Authentication, yes, encryption, no by Tim+Dierks · · Score: 1

      Actually, most signature schemes aren't just encryption in reverse. It's true that this is a rough analogue to how RSA signatures work, but DSA doesn't work this way at all, and since it's patent free, that's what would be used in such a scheme for Linux, most likely.
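
The hash-then-sign check described in comment 97, as an added example that is not part of the thread or of any vendor's tooling: it follows the RSA-style "private-key operation on the digest" picture, which, as the reply notes, is not how DSA works. Assumptions: SHA-256 replaces the MD5 mentioned in the comment, the key is a constructed toy built from two Mersenne primes, there is no padding, and all function names are hypothetical.

```python
import hashlib

# Constructed toy key: both primes are Mersenne primes, so the modulus is
# trivially factorable. It exists only to make the arithmetic visible; real
# deployments use generated keys and a padded scheme such as RSASSA-PSS.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537                   # public key: modulus and exponent
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent, held only by the signer


def digest(binary: bytes) -> int:
    """SHA-256 of the binary as an integer (smaller than N by construction)."""
    return int.from_bytes(hashlib.sha256(binary).digest(), "big")


def sign(binary: bytes) -> int:
    """Signer side: apply the private exponent to the digest."""
    return pow(digest(binary), D, N)


def signature_ok(binary: bytes, signature: int) -> bool:
    """Verifier side: recover the signed digest with the public key and compare."""
    return 0 <= signature < N and pow(signature, E, N) == digest(binary)


def checksum_ok(binary: bytes, published_hex: str) -> bool:
    """Unsigned check: compare against a digest shipped next to the binary."""
    return hashlib.sha256(binary).hexdigest() == published_hex


def tamper_demo():
    """Compare both checks when the binary and its shipped checksum are replaced."""
    original = b"\x7fELF constructed sample binary v1.0"
    shipped_sig = sign(original)

    # Whoever controls the download location can swap the file and recompute
    # the checksum beside it, because a plain hash needs no secret.
    replaced = original.replace(b"v1.0", b"v1.0 + extra code")
    replaced_sum = hashlib.sha256(replaced).hexdigest()

    return {
        "original_signature": signature_ok(original, shipped_sig),
        "replaced_checksum": checksum_ok(replaced, replaced_sum),
        "replaced_signature": signature_ok(replaced, shipped_sig),
    }


if __name__ == "__main__":
    for check, passed in tamper_demo().items():
        print(f"{check}: {'accepted' if passed else 'rejected'}")
```

The replaced file passes the bare checksum but fails the signature check, which is the difference between integrity and authentication that the comment relies on.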

  98. Bernstein Case by Eric+Green · · Score: 2

    This is the Bernstein case, and was about posting the source code that went with an academic paper. See the EFF home page (http://www.eff.org) for more info.

    As far as I know it's still tied up in court. I'll just note that the regulations allow academic discourse but unless it takes place on paper and ink the USG doesn't believe it's academic discourse. Bernstein is trying to pry a hole in the rule to say that academic discourse can take place over the Internet too. That still won't help Red Hat export a product that incorporates encryption. (SuSE, on the other hand, has no such problem, since they are not an American company -- in other words, the USG is putting American companies at a disadvantage).

    -E

    --
    Send mail here if you want to reach me.
  99. Re:The Bottom Line by Eric+Green · · Score: 2

    Not exactly. Source code AS ACADEMIC DISCOURSE is free speech -- in one particular circuit court, and the decision is being appealed. Source code outside of academic discourse is another story altogether. See http://www.eff.org for more info on the Bernstein case.

    -E

    --
    Send mail here if you want to reach me.
  100. Re:What "Exactly" are the laws on US Crypto... by Eric+Green · · Score: 2
    The U.S. Code of Federal Regulations is online at:

    http://www.access.gpo.gov/nara/cfr/index.html

    -E

    --
    Send mail here if you want to reach me.
  101. They do, that's the problem. by Eric+Green · · Score: 2

    Other countries do have their own crypto. That's the problem. American companies are at a disadvantage because they cannot put strong crypto into their products, while foreign companies can.

    The most beloved product by all Unix system administrators is 'ssh', which does encrypted rsh/telnet connections instead of sending passwords in plain text. It was done in (guess what!) Europe, and in fact is illegal to use in the United States unless you buy it from a licensed vendor (because it incorporates the RSA algorithm, which is patented, though only in the United States).

    Of the candidates for the AES data encryption standard, a 128-and-256-bit-key encryption standard which will be required to be used by all government agencies and contractors as the replacement for 56-bit DES, three of the five finalists were coded entirely outside of the United States. We may soon be using foreign encryption code to run the U.S. Government!

    --E

    --
    Send mail here if you want to reach me.
  102. I don't, but my employer does. by Eric+Green · · Score: 2

    I don't personally care. If the Federal Government wants to prosecute me because I've been fuddling around on sci.crypt and posted some thoughts about Diffie-Hellman in a place where foreigners could see it, screw them.

    But dozens of people rely on my employer for their living, and he's not going to jeopardize his company by saying "screw you!" to the government. So he's not going to export a product containing strong encryption in violation of the regulations, because they could fine him millions of dollars and throw the whole executive staff in jail, in which case the company is kaput and everybody who's not in jail is out of a job. So he cannot compete with European companies who CAN sell products with strong encryption.

    So the final status is that we will have two products: A US/Canada product with strong encryption, and an overseas product which does not have encryption (because the export regulations also require that we track where each copy is sold to make sure it's not re-exported to a company on the "forbidden" list -- hell, we ship these things en-masse to distributors, how'n'hell do we know where they've been sold to?!). So we will be at a disadvantage compared to European competitors. Pisses me off, personally, I think I have great code in one utility that I'd love to release as Open Source, but nobody will ever be able to see it because of those @#$% export restrictions :-(.

    -- Eric (EST's crypto expert "because somebody had to do it").

    --
    Send mail here if you want to reach me.
  103. The fiction is "academic discourse" by Eric+Green · · Score: 2

    The fiction is that publishing papers is "academic discourse" and thus is protected by the First Amendment, while source code in electronic form is a "mechanism" and thus covered by the commerce clause. Actually, even publishing papers internationally would technically be against the law that prohibits "technical assistance" to foreign nationals, if I'm reading the draconian CFR correctly, except that the Justice Department has issued a directive that they won't prosecute cases that clearly are First Amendment cases.

    See the EFF site for the Bernstein case, which is trying to get source code classified as academic discourse too.

    -E

    --
    Send mail here if you want to reach me.
  104. Academic discourses vs. technology export by Eric+Green · · Score: 2

    Academic discourse is protected under the First Amendment, according to the DOJ, and thus will not be prosecuted under the regulations even if foreign nationals can see it. Bernstein is trying to get source code classified as academic discourse (see the EFF home page).

    Atomic bombs are export-controlled, but as a U.S. citizen you cannot go to Pakistan and help them with their atomic bomb project. The notion is that this is like yelling "Fire!" in a crowded theatre -- i.e., that the purpose of the speech counts, you can yell Fire! all you want to in the privacy of your own home or in a cow pasture, but not where it can harm others.

    The RSA incident may be from "The Codebreakers", I don't remember it in Schneier (though I have not memorized Schneier -- yet -- so it may be in there).

    -E

    --
    Send mail here if you want to reach me.
  105. Re-coding okay, using US source code isn't :-(. by Eric+Green · · Score: 2

    Keypunching or scanning the code in off of a printed research paper (note that a printed "book" with a few lines describing the algorithm and the rest being the algorithm qualifies as a "research paper" as far as the US DOJ is concerned) is okay, and the USA cannot put you in jail for doing so since you are not a US citizen. You can in fact put your code up for grabs on the Internet. See http://www.replay.com for an example.

    On the other hand, while you will not be prosecuted for using false pretenses to gain access to U.S. code and then putting U.S. code on international servers, the authors of that code may very well be prosecuted. Phil Zimmermann (PGP) spent years with the hounds of the US Government on his tail. In addition, many countries do have reciprocal agreements with the US that they will not re-export US code in exchange for various special favors. Canada is an example, that is why only a version of Kerberos 4 re-coded from the "bones" by foreign nationals is part of OpenBSD, even though Kerberos 5 is available from the worldwide crypto archives (via the same print-out-then-scan-back-in mechanism). The difference is that Kerberos 5 was not re-coded from the "bones" and thus qualifies as U.S. code as far as Canada is concerned.

    -E

    --
    Send mail here if you want to reach me.
  106. Re:Pandora's box was opened *way* back guys by Eric+Green · · Score: 2

    Err, block ciphers of 128 bits or greater are safe for the time being. The output of known good block ciphers, such as the five AES candidates, is statistically indistinguishable from random noise. The only real attack that can be made is differential attacks, and that appears to be a problem only for DES, which is why the NIST is retiring DES in favor of a new American government encryption standard (the AES candidates). If you use Bruce Schneier's "TwoFish", a derivative of "Blowfish" and the best known of the AES candidates, you can pretty much be assured that you're safe -- all of the five AES candidates have been extensively cryptanalysed (especially by their competitors, all of whom are looking for a weakness in the others' algorithms!).

    RSA public key encryption, on the other hand, could be susceptible to new solutions to the underlying "factoring problem". (Public key encryption uses the product of two large strong primes and relies on the difficulty of factoring very large numbers to provide its strength). There are varieties of public key encryption which use exponential equations distributed over a field (ElGamal) or elliptic curves (see http://www.certicom.com/ for info there) as the underlying "hard problem" rather than the factoring problem, but they have not been as widely cryptanalysed. Actually, elliptic curve cryptography is just now getting to the point where I think it's been analysed enough to be safe, but any public key encryption algorithm implicitly has a relationship between the public and private keys, so public key encryption is always susceptible to new revelations in mathematics, and the NSA has some of the best.

    Which won't help them crack a message encoded with 256-bit TwoFish! But I would say that 512-bit RSA is toast, and 1024 bit probably would take the NSA spooks only a few days at most on their big specialized RSA cracker machines. (But note that someone "inside" has stated that the NSA doesn't even need to crack RSA for the most part, because people's computer security is so bad that usually they can walk right in and intercept the cleartext BEFORE they're encrypted).

    _E

    --
    Send mail here if you want to reach me.
  107. The law covers technical assistance too. by Eric+Green · · Score: 3

    According to the regulation as recently posted to sci.crypt, even helping someone outside of the country with their cryptographic product is illegal. And you can't even move to Mexico (which has no encryption restrictions) and get away from the long arm of American law -- the regulation says that if you're outside of the U.S. and either develop or help someone make a product that would be export-controlled within the U.S., you can be prosecuted. Before you say "so what, I'm in Mexico!", the U.S. government has been known to *KIDNAP* American citizens overseas in order to prosecute them here... hell, they don't even have to be American citizens, they kidnapped Manuel Noriega and prosecuted him here too, quite illegally I might add, the man was a scumbag but that doesn't excuse it.

    -E

    --
    Send mail here if you want to reach me.
  108. Re:Thoughts. by MassacrE · · Score: 1

    The difference is that while both Encryption and Nuclear Technology can be used productively (privacy, energy), only Nuclear Power can actually be used as a weapon. Encryption's categorization as munition is completely bogus, it is only considered that to prevent it from being exported, because government likes the ability to find out what people are saying. In the end it just hurts business, because privacy is a NEED in international markets. You send contract negotiations in plain text, your competitor is going to win.

  109. Re:sources, please? by Frank+Hecker · · Score: 1
    Is it illegal for a US citizen to develop and freely distribute a Tcl/TK front-end to a non-US-developed command-line crypto package? I don't think so. If you know otherwise, please refer to the legal source.

    I guess you're referring to the "crypto-specific API" case, where your application invokes encryption functions through some sort of "crypto-specific" interface, and thus may be considered export-controlled even though it contains no crypto code. The restrictions on this are really enforced on a case by case basis, as the regulations don't really cover every question about what is a crypto-specific interface and what is not. However for my best guesses on the matter see question 5 of the Mozilla Crypto FAQ. I include references to the relevant sections of the Export Administration Regulations, but unfortunately the links in the FAQ are no longer working; check the GPO's online version of the EAR.

  110. Lawyer: I'm not even going to touch this by hawk · · Score: 3

    What you need is legal advice from a seasoned criminal lawyer who is also well grounded in D.C. politics. And even then, you won't know for sure until the first case reaches the Supreme Court.

    This is playing with fire. Even if it's legal, expect to spend years and millions in court.

    1. Re:Lawyer: I'm not even going to touch this by aqua · · Score: 1

      Speculation is perfectly fine. It's just hazardous to act on those speculations. Significant distinction.

    2. Re:Lawyer: I'm not even going to touch this by the_tsi · · Score: 1

      I second what hawk says. I think everyone should avoid any kind of speculation on this unless you have a significant law background.

      -Chris

    3. Re:Lawyer: I'm not even going to touch this by Cyno · · Score: 1

      What kind of country do we live in where you have to have a degree in law and politics to be able to write code?!?!?! We need to do something 'bout those old politicians who think they can invade our privacy, put backdoors in mainstream OSs, or police the internet. Next they'll be policing the intranet with some sort of blackbox ethernet spy to let them know what you've been browsing just like Australia.

  111. Don't bother going there... by Matthew+Kirkwood · · Score: 1
    Follow anything like this to conclusion, and you will just convince yourself even further that the crypto export/import/usage laws are thoroughly ridiculous.

    I always thought that law was somewhat like a mathematical proof, where legislators attempted to capture their intention elegantly, and without holes.

    It seems that reductio ad absurdum doesn't really apply in this case, though.

    Matthew.

    1. Re:Don't bother going there... by aqua · · Score: 1

      Those who make laws in the US are very often former attorneys, or in some cases law enforcement officials or ex-military officers. Granted lawyers are intelligent people, but those who hold legislative office are generally subject to no deep understandings of anything other than bureaucratic and other governmental process. So to put it mildly, they don't seem content with a canonical cover of a set of laws.

      But, looked at another way, most legislators have placed their entire faith in their own laws, and have never learned to deal with defiance. Like Aman Hannesy (sp) said to a judge whilst being prosecuted, "Aw judge, your damn laws... the good people don't need 'em and the bad people don't obey em, so what good are they anyway." Theorize: what would happen if everyone, simultaneously, ceased obeying crypto export laws?

    2. Re:Don't bother going there... by CmdrPinkTaco · · Score: 1

      I think that it would be a great idea if everyone just all at once said "Screw crypto laws," but the reality is - Kevin Mitnick. The gov't would take in some oddball schmuck so that the "hacker" (cringe) community would take notice. We would have another martyr on our hands and still no resolution. The government is the only authority in this country with a monopoly on power, if the people try to take away that power, they will essentially hold a public execution. They made the laws, so who better to go above them. This is why our country is crap - we have laws made by people who know little to nothing about the necessity of good security and the importance of cryptography. If people start disobeying the laws, then an example must be set. The gov't uses its power to set this example.

      (warning, shameless Microsoft slandering ahead) Of course if crypto did get thrown out, then M$ would develop yet another program to overthrow MP3....I think that would be a good crack for distributed.net :)
      --------------------------------------------

      --
      Please give your mod points to others, Im at the cap. They will appreciate it more
    3. Re:Don't bother going there... by Eponymous,+Showered · · Score: 1

      That Utah Phillips/Ani DiFranco story/song is one of my faves. Their new one is excellent, too.

    4. Re:Don't bother going there... by eddeye · · Score: 1

      Actually I see legislation as the complete opposite of mathematics. It's more like a student trying to bullshit his way into partial credit on an exam by purposefully being vague so he doesn't expose his ignorance. Revising a bill so enough people will vote for it requires watering down specifics with vague and general language as each faction compromises with the others. This fact is demonstrated by the amount of legal squabbling that occurs in courts, since its often left to the judiciary to decide exactly how to interpret the wording of a law. It's also why two different judges can interpret the same law in very different ways: legal language is purposefully ambiguous.

      --
      Democracy is two wolves and a sheep voting on lunch.
  112. Re:Oh dear.. now I'm scared. by nstrug · · Score: 1
    US dual nationals are liable for US federal tax wherever they reside. If you've never paid US federal tax you are liable for back tax (and applicable fines for non-payment). The IRS and State Department announced about two months ago a joint effort to trace US ex-pats who have not paid tax. Better get down to Grosvenor Square and ask for the citizenship-renouncement form...

    Nick

    --
    -- "It's a sad day for American capitalism when a man can't fly a midget on a kite over Central Park" - Jim Moran
  113. Re:Even more questions... by copito · · Score: 1

    You are not allowed to export encryption technologies, even if they are developed outside the US. In fact the statute is broad enough to proscribe you from doing a private security audit of foreign code and sending them the results.
    --

    --
    "L'IT c'est moi!"
  114. Re:Even more questions... by copito · · Score: 1

    Hit submit button too soon...

    You can however link to a site hosted outside the US where non-exportable material is kept. The EFF (I think) fought and won a court battle on this matter.
    --

    --
    "L'IT c'est moi!"
  115. Re:Thoughts. by EAVY · · Score: 1

    Well, I can see that someone working on a nuclear weapon would be considered a traitor, but the point here is whether or not encryption should be considered as important to state security. I mean, someone helping to develop a kid's toy, even during a war, for an opponent probably won't be convicted as a traitor.

    If you have proper crypto, it's almost impossible to find out that you do work on nuclear weapons or do other things considered treason. Or just trade kiddie porn. Authorities wouldn't be able to find out so they are afraid of strong crypto that's routinely employed by most people.

    Of course, there's a pitfall here, since the smart criminals already have that crypto and use it regularly. The only people who don't have it yet are ordinary people. The terrorist threat won't change because of crypto, but if everybody uses it, authorities will lose their tight control. They don't like that, so they fight it, but ultimately they can't win. They would ruin their economy and people that way.

    The next powers that be might well be corporations - but I digress...

    --
    -- Eavy (: Linux Is Not UniX :)
  116. am I exporting or telecommuting? by xeno · · Score: 1

    But IIRC, there is no provision in US code concerning export that prohibits me from leaving US territory and working as a consultant, even if the project I work on is crypto software that I could not export if I'd worked on it locally. Obviously there are other legal beartraps one could step on (working as a consultant developing nuclear missile targeting systems for China would probably result in an NSA-funded body cavity search as foreplay). However, outside of such obviously foolish and provocative activities (i.e. anything that could justify a treason charge), I don't believe there's any restriction on the export of cryptographic expertise contained in one's brain. If a US citizen travels to Brazil and works for a company producing a 1024-bit pgp-based email client, there's no US law broken. But there are two issues here: the items being transferred, and the transferring itself. I think there's a way to be safe from both perspectives.

    If it is clear that the codebase resides outside of the US, and the US citizen contributes, then in principle the expertise is the only export from the country. Remember, it's not illegal for a US citizen to print out the code to a crypto program, take the resulting ream of paper on an airplane to Australia, and rekey it into a system upon arrival. Only exporting code in compilable or executable format is a violation of silly US law. By the same token (big disclaimer -- IANAL) a US citizen should be able to contribute to a foreign-based project legally by making sure the only tangible thing transferred internationally is knowhow. I.e. using ssh, the non-US-exportable item being developed never originates in the US.

    Just to be sure that you've covered the transfer aspect as well, the work relationship also needs to be structured such that there never is an "export" event. One needs to make sure that the contribution takes the form of legal telecommuting to another country to perform work legally in that country. Even if you receive no other compensation than inclusion of one's name in a list of contributors.

    IANAL. IANA export specialist. IAN even sure I know who I am.

    --
    I think not...(*poof*)
    1. Re:am I exporting or telecommuting? by xeno · · Score: 1

      Not to beat a dead horse, but doesn't this point bring it full circle -- Isn't this requirement for public disclosure and open contribution what the GPL is all about? While I think there's a good argument to be made linking the very nature of free/open/GPL software development to the academic/open research publication exceptions in the silly US export laws, I hasten to add that I wouldn't want to be the test case.

      --
      I think not...(*poof*)
    2. Re:am I exporting or telecommuting? by Tim+Dierks · · Score: 2

      But IIRC, there is no provision in US code concerning export that prohibits me from leaving US territory and working as a consultant, even if the project I work on is crypto software that I could not export if I'd worked on it locally.
      ...
      However, outside of such obviously foolish and provocative activities (i.e. anything that could justify a treason charge), I don't believe there's any restriction on the export of cryptographic expertise contained in one's brain. If a US citizen travels to Brazil and works for a company producing a 1024-bit pgp-based email client, there's no US law broken.
      ...
      If it is clear that the codebase resides outside of the US, and the US citizen contributes, then in principle the expertise is the only export from the country. Remember, it's not illegal for a US citizen to print out the code to a crypto program, take the resulting ream of paper on an airplane to Australia, and rekey it into a system upon arrival. Only exporting code in compilable or executable format is a violation of silly US law.


      Like it or not, sensible or not, what you describe is illegal technical assistance. The only exportable information is that which is clearly public: it has to be printed and it has to be publicly available. Also acceptable is public technical discussion at conferences, etc. Furthermore, some of the other commenters are right: in this area, following what you believe to be the letter of the law in hopes of finding loopholes is not a good idea. Big parts of the law are generally enough written to end with the situation that they mean what their enforcers want them to mean.

  117. sources, please? by xeno · · Score: 1

    Sources, please. Is it illegal for a US citizen to develop and freely distribute a Tcl/TK front-end to a non-US-developed command-line crypto package? I don't think so. If you know otherwise, please refer to the legal source. As other posters have noted, there is a distinction between working on something that would be export-restricted from the US (chip design, hemp farming, certain software development, etc, which are not illegal), and working on something where the activity constitutes treason, which most certainly is illegal.

    --
    I think not...(*poof*)
  118. Stateless by acb · · Score: 1

    You could move to Fernando Poo or Stateless. Or one of those heavily-armed floating anarcho-objectivist colonies on the high seas. (Heavily armed to fend off pirates and because foreign governments would be only too pleased if they met with misfortune.)

  119. MS Crypto API by acb · · Score: 1

    Microsoft's Crypto API allows modules of any strength -- as long as they're signed by Microsoft. The compliance part involves MS not signing any strong modules destined for export.

    I think HP or someone made a crypto chip that uses a similar mechanism, requiring an authentication code from a central authority to enable features. Thus it can do full-strength crypto in the US, 40-bit cereal-box-decoder-ring crypto outside of the US, and nothing at all in France.

  120. Re:It depends. by dattaway · · Score: 3

    All laws are subject to interpretation. I say it's time to get the lawyers involved and perhaps do some digging to see what kind of corruption we really have in the US government behind the "dangers" of encryption.

    When I say all laws are subject to interpretation by the courts, let me relate my experience with a personal bad habit a several years back. You see, I liked to drive fast. A lot. From speeding tickets to OJ getting away with murder, I'm sure the principle behind encryption is much more honorable and should be pursued.

    My experience with taking things to court suggests anything can be pursued given enough energy for much less than you think. I accumulated *five* speeding tickets in Kansas City. My lawyer told me the law only allowed one instance of getting a ticket reduced to, say, a "parking violation." I got two tickets that week, a 90 in a 55 and a 69 in a 55. I may have interested him with my comment I would like to fight these (perhaps unwisely) to the supreme court. He was intrigued and to make a long story short and a few courtroom visits later, I had no points on my license due to him getting the worst violations dismissed for technical wording. I added up the legal costs out of my pocket was $1055. After that I got rid of my radar detector and haven't gotten a ticket since.

    Anyhow, I'm sure this encryption debate is not a boring issue with some powerful, yet isolated government officials. Its time to turn up the heat and see how they react. It has nothing to do with terrorism or child molestors, but may have much to do with government officials stealing secrets from industry and their sideline consulting businesses. I think denying citizens the right to privacy is treason and I'm sure there is real evidence of corruption involved.

  121. This sounds pretty good by John+Zero · · Score: 2

    I think this could work...
    As mentioned, the screen seen while editing is obviously "import", and code never does get exported, as it is abroad all-the-time.

    The article's title is a bit misleading, SSH is only a detail in the method, ssl-telnet or any other encryption program could be used.

    1. Re:This sounds pretty good by hpj · · Score: 1

      If the screen is imported, aren't the keystrokes exported then? If they are involved in developing crypto (which they obviously are), wouldn't that mean export of crypto technology?

      IMHO

  122. Same as a patch by cout · · Score: 1

    Your solution for the crypto stuff is the equivalent of uploading a patch. This is, from my understanding, legal, as there are patches to SSH to let it run under Win32, which can be exported, though the binaries themselves that result from applying the patch cannot be exported. Instead they must be compiled and distributed completely outside the US.

    I'm not a lawyer, and I don't claim to be (so you might want to double-check with an expert!), but that's my take, fwiw.

  123. Re:Beefed up or crazy? by RevDigger · · Score: 1
    PBS actually had a cool special on this recently. There were a couple hundred brit cows shipped over here before the US banned their export. Apparently the FDA (or whoever's lame job this is) has been tracking them down, buying them up, and incinerating them. No BSE positive cows have turned up yet tho.

    The other cool thing I learned is that BSE isn't a virus, it's a funky self-replicating protein. Yes, self replication without DNA. Totally unlike any other communicable disease...

    Here's the link. It's worth your time.

    Click me

    moo.

    - Digger

  124. Wouldn't count on nitpicky details by Eric+Smith · · Score: 1
    As a US citizen, I wouldn't count on nitpicky details like that to protect me. If the government wanted to bust someone for crypto export, they won't be deterred by this kind of thing. Someone might eventually be acquitted, but only after a lot of legal hassle. Better not to subject oneself to that kind of trouble.

    Unless, that is, you want to star in a test case.

  125. Re:Not that simple by Eric+Smith · · Score: 1
    MS seems to always insist that the only reason they are in court is that they bundled Explorer with Windows.
    And given that MS executives have expounded on how this is not anti-competitive until they're blue in the face, I've got to wonder whether those same executives aren't kicking themselves now. They now can't make a credible claim that Sun giving away StarOffice is anticompetitive.
  126. not likely by Bishop · · Score: 1

    My guess is no. The US crypto export rules go beyond the simple: "you can't export real crypto." For example if an American wishes to move to Canada to work on cryptography they have to: renounce American citizenship, and WAIT 10 YEARS. This is probably true for Americans moving to other countries as well. This assumes that the American will want to some day return to the US. There is not much the US law can do to you, if the country you are in won't extradite you (Canada will extradite).

    1. Re:not likely by Keju · · Score: 1

      The same rules on exporting crypto don't apply to Canada. An American can move to Canada and work on cryptography if he wishes, so long as it isn't with the intent to distribute it outside of US/Canada.

  127. Re:another way to do it by Crass+Spektakel · · Score: 1

    > it takes more time than SSH but you get to have
    > some real food instead of american genetically
    > engineered hormone
    > grown hamburgers..

    And catch Captain Tripps or other funny one-time-diseases while eating british beef?

    Uhm, no thanx :-)

    --
    "Life is short and in most cases it ends with death." Sir Sinclair
  128. import? by Al+Wold · · Score: 1

    Wouldn't that be import when he/she loads up the file and has it sent to the screen? And aren't there policies about that too?

    1. Re:import? by poink · · Score: 1

      Import is allowed




      5th post!

    2. Re:import? by arivanov · · Score: 1

      Import is legal
      Export in Electronic form is illegal
      Export in non-electronic form is legal
      Print the diffs!!!

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
  129. Re:It depends. by dath · · Score: 1

    I think denying citizens the right to privacy is treason and I'm sure there is real evidence of corruption involved.

    I was so moved that I had to post this short message and say that I agree 100%.

    Wow. I was just thinking this myself before I read your reply. It is sad when we as a supposedly "free" country don't even have the right to privacy or the simple right to exchange algorithms or ideas with people in other countries. Write your congressperson! These laws need to be stricken from our books. The Constitution was intended to preserve our freedom of speech, not to take it away!

  130. Methinks it's still export by Ares · · Score: 1

    After all, I believe there were issues with software which invoked PGP (such as mailer plug-ins), which only used the interface. I believe patches are a similar situation. Of course, take this as a grain of salt as IANAL.

  131. Re:What "Exactly" are the laws on US Crypto... by Ares · · Score: 1

    Find the original ITAR regulations somewhere on Thomas. Recently, the controls were transferred to Commerce by the Export Arms Regulations. Strong cryptographic software has been placed on this list of unexportable munitions by the President. In a nutshell, anyone can write any cryptographic software they want. However, if the strength of said software exceeds 56 bits, I believe, it cannot be exported from the US without an export license from the Commerce Department. US citizens may not acquire said software, take it to Canada, and re-export it from there, however, I'm not so sure Canadian citizens are banned from doing any such thing.

    As for where the list of munitions is, I'm not sure.

    Why can PGPI.com export the code? At the moment, any printed material is considered to be speech, and may be exported under the First Amendment to the US Constitution. The current manufacturers of PGP simply printed the source code in an easy-to-OCR format, PGPi bought copies of it, and distributed them to Europeans who proceeded to scan and proofread them.

  132. Re:What "Exactly" are the laws on US Crypto... by Ares · · Score: 1

    Doh. Should've checked my copy.

  133. Re:It depends. Oh yeah? by Darchmare · · Score: 1

    Well, then, we must do what we must - fight the powers that be.

    "a"

    The preceding letter is an excerpt of a piece of a very strong encryption algorithm, posted to Slashdot where my fine European and Asian compatriots may get ahold of it.

    Although I don't support the use of the letter 'a' (there, I did it again) in harming the United States of America, I must support strong crypto.

    If the government comes after me for this, I will be forced to purchase a dozen PowerMac G4s and flee the country.

    - Darchmare
    - Axis Mutatis, http://www.axismutatis.net

    --

    - Jeff
  134. Re:It depends. Oh yeah? by Darchmare · · Score: 1

    Maybe, but if I'm lucky they'll let me keep my G4s.

    - Darchmare
    - Axis Mutatis, http://www.axismutatis.net

    --

    - Jeff
  135. Uh, no. by MenTaLguY · · Score: 2

    shipping a nuclear bomb overseas, one tiny little piece at a time? I don't think the feds would let that one slip through the cracks. :-)

    Certainly not, if they ever found out, which is the point of this whole discussion in the first place.


    Berlin-- http://www.berlin-consortium.org
    --

    DNA just wants to be free...
  136. Nope, sorry. by MenTaLguY · · Score: 2

    It would be very slow but may be in the law because nothing is leaving.

    Nope, the data is still being sent -- it's just encoded in the ACK sequences then. In fact, modulating ACKs is one popular way to quietly get data out of non-airwalled "secure" networks, hence we use fun devices like NLS pumps to prevent that.

    [ n.b. if you actually care about something, don't ever put it on a machine even remotely near an open network, firewalls, NLS pumps or no. Airwalls are the only way. (and even then they're not totally secure due to human factors) ]


    Berlin-- http://www.berlin-consortium.org
    --

    DNA just wants to be free...
  137. Checksums are already used by MenTaLguY · · Score: 2

    At the end of each line, you could put a checksum digit. Then, if the OCR fails on that line, it can be flagged for checking by the human operator.

    This was done for the PGP book and others.


    Berlin-- http://www.berlin-consortium.org
    --

    DNA just wants to be free...
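
The per-line checksum idea from the comment above, as an added example (not code from the thread or from the PGP book; the CRC-32 tag format, the `#page` trailer and all function names are this example's assumptions). It goes one step beyond the comment by adding a page trailer, because per-line tags alone cannot notice a line the OCR dropped entirely.

```python
import re
import zlib

# Tag format assumed for this example: 8 lowercase hex digits, one space, text.
TAG_RE = re.compile(r"^([0-9a-f]{8}) ?(.*)$")
TRAILER_RE = re.compile(r"^#page ([0-9a-f]{8}) (\d+)$")

# Constructed sample input, not taken from any real cipher implementation.
SAMPLE_SOURCE = """\
static int rounds = 10;
for (i = 0; i < rounds; i++) {
    state[i] ^= key[i & 0x0f];
}
"""


def crc_hex(text: str) -> str:
    """CRC-32 of the text, rendered as 8 hex digits."""
    return format(zlib.crc32(text.encode("utf-8")), "08x")


def encode_page(source: str) -> list[str]:
    """Prepare a page for printing: tag every line, then add a page trailer.

    Trailing whitespace is dropped because it is invisible on paper.
    Leading whitespace is covered by the tag, so a real print layout
    would have to make indentation visible to the scanner.
    """
    lines = [line.rstrip() for line in source.splitlines()]
    out = [f"{crc_hex(line)} {line}".rstrip() for line in lines]
    out.append(f"#page {crc_hex(chr(10).join(lines))} {len(lines)}")
    return out


def verify_page(scanned: list[str]):
    """Check OCR output against its tags.

    Returns (text_lines, flagged_line_numbers, page_ok). A line is flagged
    when its tag is unreadable or does not match its text; page_ok is False
    when any line is flagged or the trailer's line count or page CRC
    disagrees, which is how dropped or duplicated lines are caught.
    """
    if not scanned:
        return [], [], False
    *body, trailer = scanned
    text, flagged = [], []
    for number, raw in enumerate(body, start=1):
        match = TAG_RE.match(raw.rstrip())
        if match is None:
            # The tag itself was misread; keep the raw line for the operator.
            flagged.append(number)
            text.append(raw)
            continue
        tag, content = match.groups()
        if crc_hex(content) != tag:
            flagged.append(number)
        text.append(content)
    t = TRAILER_RE.match(trailer.strip())
    page_ok = (
        t is not None
        and not flagged
        and int(t.group(2)) == len(text)
        and crc_hex("\n".join(text)) == t.group(1)
    )
    return text, flagged, page_ok


def simulate_substitution(printed: list[str]) -> list[str]:
    """Constructed OCR error: digit 1 misread as letter l on line 1."""
    scanned = list(printed)
    scanned[0] = scanned[0].replace("= 10", "= l0")
    return scanned


def simulate_dropped_line(printed: list[str]) -> list[str]:
    """Constructed OCR error: line 3 is skipped by the scanner."""
    return printed[:2] + printed[3:]


if __name__ == "__main__":
    page = encode_page(SAMPLE_SOURCE)
    for label, scan in (
        ("clean", page),
        ("substitution", simulate_substitution(page)),
        ("dropped line", simulate_dropped_line(page)),
    ):
        _, flagged, ok = verify_page(scan)
        print(f"{label}: flagged lines {flagged}, page ok: {ok}")
```
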
  138. Hamburgers were "invented" in New Haven, CT by piggy · · Score: 1
    Now, I don't vouch for the veracity of their claim, but there is a restaurant named Louis Lunch in New Haven, CT which claims to have invented the hamburger. They do not allow ketchup in the building -- in fact, the only toppings they allow are freshly sliced tomatoes and onions, and cheese. They serve it on toasted bread, not a bun. No fries.

    While their claim is farfetched, they have been open for over a hundred years.

    Then again, there is a pizza ("apizza") place -- Pepe's Pizza -- in New Haven which claims to have invented the pizza pie. I have it on great authority from another pizza place that it was invented in Brooklyn, perhaps at John's Pizzeria. And of course any Italian you meet will have their own deluded notion that pizza refers to the dough used, and it was invented in Italy. Oh well.

    The moral of the story is: when in New Haven, eat your burgers at Louis Lunch and your pizza (white clam is the best!) at Pepe's.

    Beware of anyone who claims to have invented anything culinary.

    Russell Ahrens

  139. Nope. You can't do anything. by The+Mayor · · Score: 1

    Working on strong cryptography is not covered by export laws. It is covered by munitions laws. In the same way that an American citizen cannot work on a nuclear bomb project for Iraq, an American cannot work on cryptography for a foreign company or for a foreign open-source movement.

    Basically, American citizens are not allowed to directly transfer intellectual property, whether it be code or simply ideas, concerning strong crypto to foreigners. Of course, Americans can simply write a book with these ideas and/or code. The First Amendment to the US Constitution is still stronger than the munitions laws. This is, in fact, exactly what Phil Zimmermann (he is the guy that wrote PGP, right? my memory is getting weaker these days...) did... he published the source code to PGP in the form of a book.

    --
    --Be human.
  140. Telnet == illegal Web gambling ?? by Darlock · · Score: 1

    If I get this correctly, telnetting into an offshore box and contributing "data" would be the equivalent of doing gambling over the net.

    In both cases you would be contributing something that is illegal in your own country to another country. Data for crypto and money for gambling.

    Someone had mentioned that if you were helping a country with crypto and they were using it for nuclear weapon technology, you would be counted as a traitor if there was a war. What if the offshore illegal site you were gambling on was using its profits to buy nuclear weapons. In both cases you would be contributing to your country's enemy.

    Darlock (from Canada)
    ---------------------------------------

    A child is walking along the beach at low tide.
    The beach is covered with thousands of star fish stuck up on the sand as the tide moved out.
    The child walks along, picking up one star fish at a time and tossing it out into the ocean.
    An old man comes along and says. "What are you doing, you can't possibly save them all.
    You are wasting your time. What you are doing doesn't matter".
    The child with joy in his face picks up another star fish, throws it into the ocean and says, "It matters to that one."

  141. Laws prevent exporting "expertise", as well. by Falsch+Freiheit · · Score: 1

    If you go and find the stupid crypto export regulations, you'll also discover that they technically make it illegal for a US citizen with crypto expertise to travel outside of the US and sell (or give away) their crypto expertise there.

    The loophole you think you've found just isn't there.

    US Law forbids its citizens from exporting crypto expertise (or crypto work) as well as actual crypto binaries. If you're currently a US citizen and you want to export some crypto expertise, I think the only way you can do it is by leaving the US, becoming a citizen of another country and renouncing your US citizenship. Otherwise you'd be breaking US law and extradition might be possible.

  142. Change the laws, don't circumvent by unicorn · · Score: 1

    That is a bad attitude to have. If everyone decides to only follow the laws, that they agree make sense, you will have anarchy.

    If you don't approve of the rules, work to change them. Don't just pick and choose which ones to obey.

    --
    "Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
  143. Pretty sure it's phenomenally illegal by unicorn · · Score: 1

    About a month ago, Forbes had an article about Protegrity, a Swedish company that does crypto related work.

    One of the paragraphs in the article:

    "Unlike Protegrity, American encryption companies have to engage in some fancy footwork to stay legal. "It's like defusing mines--one wrong turn and the mine could explode," says Stewart Baker, a partner in the law firm Steptoe & Johnson in Washington, D.C. For instance, if only two of a firm's engineers, one in the U.S. and one abroad, were to exchange insights about an encryption algorithm, the U.S. government could shut the company down, fine it $1 million and jail its employees."

    Seems pretty cut and dried. If just talking about it theoretically is enough to get a company in deep, I think that coding, even over a terminal connection, would be just as bad.

    --
    "Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
  144. Protest has to start somewhere. by unicorn · · Score: 1

    A single person, can provide the genesis of a movement.

    If you expect things to change, at some point, someone is gonna have to make a move to get things changed. It's very rare, for laws to spontaneously disappear.

    --
    "Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
    1. Re:Protest has to start somewhere. by unicorn · · Score: 1

      I'd start a movement around it, if I was that worried about it.

      I do think the laws are flawed. But I don't think that just ignoring laws that are flawed, is a solution to problems. Anarchy is not a favorite of mine.

      I was mostly just incensed, at an anonymous coward comparing poor downtrodden programmers, to Rosa Parks. I never realized before, what a mistreated underclass computer professionals are.

      --
      "Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
    2. Re:Protest has to start somewhere. by unicorn · · Score: 1

      "Dude, even anarchy would be better than the current system in the USA."

      Are you insane? You'd rather have no protection from anyone/thing than what we currently have?

      I freely admit that some of what the Gov't does, is pretty dumb. But I much prefer what we have now, to total anarchy.

      --
      "Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
    3. Re:Protest has to start somewhere. by Chandon+Seldon · · Score: 1

      Both true.

      But, that single person must be willing to expend an awful lot of effort on fighting the law, if you just want to get work done, you want to expend effort on work, not fighting.

      Why don't you start a movement to fight stupid crypto laws?

      --
      -- The act of censorship is always worse than whatever is being censored. Always.
    4. Re:Protest has to start somewhere. by Chandon+Seldon · · Score: 1

      Dude, even anarchy would be better than the current system in the USA.

      -- Insert big rant here about how the Legal system sucks because a normal citizen has no chance to understand the laws because there are too many of them and they're in legalese and that the only solution is to simplify the entire legal system to the smallest possible system --

      Really though, it's easier to just ignore a lame law than to try to deal with it.

      --
      -- The act of censorship is always worse than whatever is being censored. Always.
  145. Simple, move to Canada by Plasmoid · · Score: 1

    Just move to Canada, you can still pass crypto across the border to the US with next to no restrictions and still export it. Plus free healthcare will be able to deal with your stress of paying taxes.

    --
    You don't exist. Go away. --SysVinit Halt
  146. Re:Eat Our Meat!!! by EJB · · Score: 1

    So you're actually having a problem with a big political power acting self-righteously just so they can feel important?

    And you're a US citizen?

    Can't be, right? ;-)

  147. Back to the books! by Cid+Highwind · · Score: 1

    >To exercise exclusive Legislation in all Cases
    >whatsoever, over such District (not exceeding
    >ten Miles square)
    (Italics mine)
    What you missed is that the congress also exercises joint jurisdiction over the rest of the United States (granted in the "necessary and proper" clause of the Constitution).

    Please look up "Dual Sovereignty" in your law dictionary.

    IMHO, IANAL, and all other disclaimers apply.

    --
    0 1 - just my two bits
    1. Re:Back to the books! by Repton · · Score: 1
      • IANAL: I Am Not A Lawyer
      • IMHO: In My Humble Opinion.

      HTH. HAND.
      --
      Repton.

      --
      Repton.
      They say that only an experienced wizard can do the tengu shuffle.
    2. Re:Back to the books! by UnknownSoldier · · Score: 1

      Cool, had never heard of "Dual Sovereignty" before. Hey, thx for the opportunity to learn something.

      You wouldn't happen to be a sovereign?
      If you are, or are in the process of learning about sovereignty, feel free to email me at mpohores@sfu.ca as it sounds like we might want to exchange some info.

    3. Re:Back to the books! by supz · · Score: 1

      IMHO, IANAL

      I'm a little behind on my abbreviations. What do these mean?

  148. Re:Thoughts. by vr · · Score: 1

    But then again, I could very well be wrong and there is nothing wrong with communicating with foreign groups to help with the development of crypto and/or nuclear technology. I mean.. it's a free world, right?

    Free world or not; developing nuclear technology should be wrong if it's for your own nation or a foreign one.

  149. Re:Canada? by Dast · · Score: 1

    "Articles like this make me want to yell, 'we're not all freakin american!!'"

    Which is why the poster said "a developer in the U.S." This doesn't apply to you.

    If you don't like the article, don't post a comment to it.

    --

    This sig is false.

  150. Re:Thoughts. by sachmet · · Score: 1

    It's sort of ironic you chose nuclear secrets for this sort of discussion, because this ties into national news as well. (National news? The big blue room? Aieee!)

    There was an incident at Los Alamos labs where a person had access to nuclear secrets in an encrypted channel, and then copied them to an unencrypted channel and sent them to China. When you look at it, it's what you're talking about - "secrets" that should not be exported from the US (crypto or nuke) being sent to another country for development of a "program" there. That's what this boils down to. And in the case of nukes, people have resigned and others may be indicted and convicted of espionage.

    On the other hand, I can't help but wonder if anyone working on SSH or the like is in the United States, and if that violates any laws...

  151. Re:Ummm, this won't work... by WonkoTSane · · Score: 1

    Thank you. I was wondering how long it would take someone to realize that when you type in your changes, you are EXPORTING that code. You type here, and your code TRAVELS down the wire to Iraq. Surely the government needs to know about subversive activities, and I for one am glad that there are humble, concerned people like the FBI, CIA, and J. Edgar Hoover watching over my e-mails to my friends and family. I am sure they wouldn't ruin your professional reputation to protect their privilege. I am sure that they wouldn't trump up espionage charges, and lock you up for the rest of your life. Have a nice day!

    --
    Who throws his shoe anyway...I mean really.
  152. The Bottom Line by Ex+Machina · · Score: 1

    Didn't someone decide that source code is free speech and therefore protected...? So wouldn't this be a non question?
    xm@GeekMafia.dynip.com [http://GeekMafia.dynip.com/]

  153. Re:crypto import is legal, right? by dammitjim · · Score: 1

    Why would Linus have to look at it? He deals with kernel additions mostly, right?

  154. crypto import is legal, right? by dammitjim · · Score: 2

    There's no restriction on importing strong crypto INTO the US, is there? If not, why doesn't the Linux community just agree to restrict all strong crypto development to people who aren't going to get in trouble for it and have US-based developers focus on other projects? We all get to benefit from the proceeds, so what's the difference?

    1. Re:crypto import is legal, right? by dammitjim · · Score: 2

      The point is, we all want good crypto available to everyone. So why try so hard to circumvent an obviously dumb law?

      The irony is, of course, that by not allowing US developers to export their code, the US government is discouraging US crypto development when they THINK they're protecting US assets. That means that non-US technology has a better chance for success.

      If developers don't bother to develop the software within the US, nobody gets in trouble, the NSA's greatest fears are realized (which is fun), and we all get better crypto protection.

    2. Re:crypto import is legal, right? by rde · · Score: 3

      Do you want to be the one to tell Linus he can't look at the crypto code?

    3. Re:crypto import is legal, right? by cananian · · Score: 1

      We've brought this up many times on linux-devel, and in fact there *is* a maintained set of 'crypto' patches for the kernel which are maintained overseas. Linus doesn't want to incorporate it into the main code base because of the huge hassle it would cause every single person who mirrors the kernel. And, of course, the main distribution site has been in the US for quite some time (kernel.org and its predecessors) which complicates things quite a bit.

      --
      [ /. is too noisy already -- who needs a .sig? ]
  155. Re:Embassies? by FireReaper · · Score: 1

    Right. And when you return from your hard day's work at the foreign embassy and return home, you will most likely find several darkly clothed individuals who represent the US government wanting to have a pleasant "chat" with you.

    Seriously, what you are suggesting is tantamount to hand delivering technology from the US to another nation. Whether it is by travelling several hundred miles or just across the street, you are basically giving technology to another foreign power. Embassies only provide protection if that country decides to accept you. But since you will be willingly leaving the building everyday, that just means there will be people waiting for your return to dole out your punishment, if you have violated the law(s) through your activities.

    One thing I don't get is why no one here admits Crypto is munition when everyone here admits that it should be used as such. Is it just denial?


    - Wing
    - Reap the fires of the soul.
    - Harvest the passion of life.
    --
    - Wing
    - Reap the fires of the soul.
    - Harvest the passion of life.
  156. Crypto as Munition. by FireReaper · · Score: 2

    One of the main reasons there is such a stint over crypto is that it is considered a munition. So exporting it is tantamount to exporting live rounds, according to the law.

    Here's something interesting: Quite a few posters here would suggest that such an association of crypto with munitions is silly. That crypto isn't like live rounds or armour. But if that is the case, then why is it that crypto is referred to as a technology to "protect" us from the government's eyes and ears? Why the mention of ssh for "protected" and "secured" channels of communication. Obviously cryptography is being used as a tool, one which proves to be as effective as a gun, flak jacket, armoured tank, or missile silo.

    With cryptography, you can potentially run an underground operation without being detected. Your paper trail would take decades to decode or decipher, during which time, the statute of limitations would expire. With cryptography, the order to assassinate would never be heard by anyone other than the person the message was intended. It is the cloak which pairs with the dagger. The stealth camouflage.

    Yet there are still some people who argue that the idea of crypto being a munition is silly. Fine. Whatever.

    The law is there not because the government thinks US citizens are the brightest folk on the planet. It is to offer a means to punish those who would think to leak the secrets, weapons, technology, secret keys, etc to other nations either out of sheer ignorance or for personal gain.

    Powerful encryption is just as important as the latest technological advancement in military technology. It is useful if you have an understanding of how to use it which is on par or better than others who are using it. It is EXTREMELY beneficial if you are the only nation which holds control over it.

    The laws cover US citizens no matter where they go. Or at least tries to. Some people praise it for saving their asses when they get into trouble in other countries. Those same people scream their head off when those same laws follow them when they want to do something illegal outside of the jurisdiction of the states.

    If you ran a company and needed to keep clientele secrets for a living. What would happen if your employees had a habit of going home with a headful of those secrets and tells them to a friend when off duty and off company grounds? Just because they aren't working, does that mean the rules and regulations won't apply until they check in again? Does THAT make sense? No. The rules would apply even after work hours and off company grounds. It is the nature of the situation which creates the necessities for these laws. Due to one viewpoint or another.

    The ironic thing, of course, is that these laws were probably created by the very same type of people who are now seeking their removal. And in time, these new people will bring about laws which will become targets of yet another generation with different viewpoints.

    Basically, if you don't like it, talk to your representatives. Send letters. Send emails. Change the law. It IS your right. Better that than sneaking around hoping to not get caught because you think the law is evil.


    - Wing
    - Reap the fires of the soul.
    - Harvest the passion of life.
    --
    - Wing
    - Reap the fires of the soul.
    - Harvest the passion of life.
  157. Thoughts. by FireReaper · · Score: 3

    So, what you are saying is that someone, in this case, a US citizen, is participating in the development of cryptography, yes?

    And while that isn't a big deal, we add into the stew the note that this person is physically in the states. But the databases and code he is working with are outside of the states.

    This has some ramifications. Namely, the person in question is developing cryptography. But not only that, he is helping a foreign organization develop it outside of the states. But he is using his knowledge of cryptography and/or programming combined with what he personally knows to aid the development of cryptography in another nation.

    If the problem is somewhat hard to see, let's use another example. Nuclear weaponry and technology.

    Let's say our friend is a US citizen and through an encrypted channel, is helping an organization in another nation work on nuclear weaponry. Sure, he doesn't have any documents on this side of the border and sure, all the work he is doing is stored remotely. But what do his actions amount to?

    I'm not sure in our current state of "peace", but if it were during a war, this person would be considered a traitor and if caught, would be held for treason.

    I'm not saying it is right or it is wrong. But the aiding of foreign nations to develop technology which could in turn be used against the states isn't exactly smiled upon.

    But then again, I could very well be wrong and there is nothing wrong with communicating with foreign groups to help with the development of crypto and/or nuclear technology. I mean.. it's a free world, right?

    On a side note, a knife painted like a banana is sort of silly, but it is still a knife and by that token, still dangerous and something to be respected. Even if the wielder is nothing more than a clown.

    ;)
    - Wing
    - Reap the fires of the soul.
    - Harvest the passion of life.
    --
    - Wing
    - Reap the fires of the soul.
    - Harvest the passion of life.
    1. Re:Thoughts. by lalartu · · Score: 1
      Seeing as sending the keystrokes could be viewed as export, I don't think you could do it.

      As for being a US citizen and coding outside the US it appears to have been done relating to at least one ssh product. TTSSH is a free SSH client for Windows. It is implemented as an extension DLL for Teraterm Pro by Robert O'Callahan roc+tt@cs.cmu.edu

      Although the last update was Dec 98 so it is possible that he is now in jail.

      excerpt:
      "November 3, 1998: A lot of people have been asking me when TTSSH will support SSH 2.x. Unfortunately SSH 2.x is a very big, complex protocol and looks a lot of work to implement from scratch. Also, it looks like it will be hard to integrate all its features into Teraterm without significantly modifying the design of the main Teraterm application. There's no way I'll have enough time overseas in the foreseeable future to undertake this project, sorry. I hope there are other people with more time and freedom... "

      That seems to indicate that the work was done outside the US.

      As for other forms of export, I would guess that you could always do what was done by the EFF or with PGP.
      Remember it is only the electronic export of crypto that is the problem.

    2. Re:Thoughts. by meridian · · Score: 1

      I believe ttssh was developed in Australia. What parts of ssh are actually developed and therefore non-exportable from USA.. is it the RSA authentication routines?

      --
      meridian at tha.net
    3. Re:Thoughts. by MindStalker · · Score: 1

      Not true, any form of crypto export is illegal. I could print a book with crypto source code and it would be illegal (except in certain jurisdictions of the second court of appeals, (have to wait till server is completely back up to look that up again))

    4. Re:Thoughts. by KevF · · Score: 1

      Not quite true - there's a book called Cracking DES that was written by the EFF in the USA, and then sold all over the world. It contains the source code to the DES algorithm and plans on how to construct a chip to crack it, all of which can be scanned in anywhere in the world and OCR'd and compiled.

      --
      -- Do You Drive A Ford, Or Want To ? All Ford, All The Time - FordTalk
  158. Hmmmm... by BJH · · Score: 1


    You would be following the letter of the law rather than the spirit. If the US Government did happen to take an interest in you, they'll drag you into court anyway - and they just might win (try explaining your reasoning to a group of twelve random people and see how many of them get it.)

    Interesting idea, though...

  159. if they want to nail you, they will by mr_burns · · Score: 1

    There are some pretty vague and broad laws regarding computers and crime on the books in the US. If I remember my "Hacker Crackdown" (Sterling) correctly, title 18 of the United States Code has sections for this. One states that it is illegal to own or know how to own/operate a device which can be used to gain unauthorized access to a US gov interest computer. So, technically, since the government has computers on the web, it is illegal to own a computer which can connect to the internet. It is also illegal to KNOW how to use the internet.

    It doesn't matter if what you're doing on the net is legal or not. The US Government can arrest you simply for knowing how to connect. Similar logic follows for the phone system. Since the government uses the public phone network, then the phone switches are government interest computers, and owning or knowing how to use a telephone is therefore illegal in the US.

    I've never seen this enforced, but the law's on the books (section 1029, title 18 USC if I remember correctly). Code crypto all you want. If you are caught talking on a public phone, you can still be arrested.

    --
    "Let him go, Ralph. He knows what he's doing." --Otto Mann (simpsons)
  160. Re:Thoughts. (misleading attribution) by lalartu · · Score: 1

    rather, Robert O'Callahan wrote TTSSH the extension of TeraTerm Pro, sorry if that was misleading.

  161. This guy got tatooed for nothing? by sammy+baby · · Score: 1

    Boy. I bet this guy must have been pissed when he realized he could leave the country after all.

  162. BXA by vrazhumin · · Score: 1

    I had the "pleasure" of attending a BXA (Bureau of Export Administration) conference on the subject of encryption export, though it has been a year or more ago, and the information presented may be a bit dated. The fun part was that there was a representative of the NSA at the conference.

    Basically, the NSA wants to keep the "knowledge and capability to produce strong encryption technologies" out of the hands of other nations. Of course, according to the BXA, that "other nations" thing is actually broken down into several categories of other nations. Canada, UK, Australia and such are better than Libya, North Korea and the like. You can do different things with the different categories of countries.

    What it boils down to is that, regardless of your physical location, transferring encryption knowledge or capability to another country is a Bad Thing, regardless of how it is done. Working in the US and doing stuff for another country is uncool in their eyes. For those of us with international WANs, we also must be careful what the other nations can see on our domestic networks - if they can get to any encryption software, that constitutes export. FYI - they also cover foreign nationals working in the US, and Joe Blow taking his laptop with PGP installed abroad.

    If you want to know what you can and can't do, contact the BXA. They mentioned this several times in their presentation - they are there to help you understand the laws, and they claim to be very happy to help you with your questions (though I have never personally had the experience.) As rapidly as things change, if you're not involved heavily with encryption export, you are likely to not have the correct information. Even the folks at BXA are on their toes, but they know who to contact for the latest dirt (the NSA, I presume...)

    Hope this helps some.

  163. Re:first posts.... by Bombcar · · Score: 1

    Why not make it so that Anonymous Cowards can't post (only reply to other comments) until the first ten or so are in?
    http://www.bombcar.com It's where it is at.

  164. Re:Eat Our Meat!!! by RJ11 · · Score: 1

    Very very true. Main point being that Americans are constantly eating whereas in France there are simply 3 meals. I'm just pissed about not being able to get good non-pasteurized cheese here in the states! Stupid FDA...

  165. It depends. by rde · · Score: 2

    if he just fixes some bugs (like fixing a typo or changing the name of a function), I think this would not be considered export, since the only things you exported were the cursor movement and character deletion keystrokes
    In this you'd be safe, imho, only because any anti-crypto prosecutions would be laughed out of court. If you were busted and were forced to use the 'only a few key-strokes' argument, however, you'd be skating on thin ice. After all, all programs could be considered the sum of their key-strokes, and it doesn't matter whether they were written by one person or ten; if you willingly contribute code in a foreign land you're breaking the law.

    1. Re:It depends. by supz · · Score: 1

      I think denying citizens the right to privacy is treason and I'm sure there is real evidence of corruption involved.

      I was so moved that I had to post this short message and say that I agree 100%.

  166. Crypto fine points by The+Cheese · · Score: 4

    The company I work for (which shall remain nameless) has a strict policy on this sort of thing; our hot'n'juicy lawyers have made sure that the policy strictly conforms to US and international law. ANY work done by a US national that is implemented in a project outside of the borders of the US is considered export work. This includes bug fixes, and even commenting on work done by foreign nationals outside the US. In fact, even commenting on software produced by foreign nationals WHILE IN THE US is considered exporting those resources. Consequently, our encryption division looks like a typical shaker community; you shake it, and nothing but white guys fall out.

    1. Re:Crypto fine points by supz · · Score: 1

      What do you have against us white folk? We're good people.

  167. Recursive Encryption... by Sehnsucht · · Score: 1

    How about this? set up a program on port X,
    which when sent data will output the data encrypted with a given key using 56bit encryption.
    repeat as many times as you want.

    since the program does only 56bit, and something else has to rerun it through the program, would this work? after all the program itself is weak - and you'd have a hard time convincing anyone with a brain (hrm that's the crux of the matter tho.. none of the people making laws have em) that the software making use of this service is necessarily using strong crypto - it doesn't have to do it multiple times. and the data output might not be encrypted - you could have a dummy encrypter that spits out the same data, or maybe just gives it a date/time stamp. that way it's just a general use port - not a crypto-specific port. then we can have another port and program that feeds the given data x times through the crypto port and returns the results. this isn't crypto-software, since the port could also be used to say, calculate CRCs or MD5 checksums or the like.

    The usual disclaimers apply.. IANAL, etc :)

  168. Eat Our Meat!!! by FatSean · · Score: 1

    You must! Or no more cheese-buying! Funny how they object on the hormones in the beef being 'bad for you' when I'm sure all that cheese is a heart attack on a cracker. At least the French will die of a heart attack brought about by foodstuffs created by an ancient technology rather than a new one. If you're not French, oh well sorry. This just sounds like the Euros making noise so they feel important...like how the Russians moved first and without direction during the UN 'occupation' of Kosovo...hee hee


    --
    Blar.
    1. Re:Eat Our Meat!!! by debrain · · Score: 1
      Actually, you will likely find lower heart attack statistics in France than anywhere in the world. Red wine being cheaper than the water it's fermented in, and all, they should have plumbing innards like ducts in a nuclear power plant.

      (can we say off topic?)

  169. Crypto export regs by gbroiles · · Score: 1

    With regard to crypto software, US export control laws regulate three broad classes of behavior, which US persons (US citizens or green card holders) may not engage in -

    1. the export of code which performs crypto for hiding information (crypto for authentication is treated differently), or code which has been specially designed or modified to work with crypto code

    2. the transfer of technical data (plans, blueprints, documentation, test specs or results, etc) to a foreign person who will use them to create crypto code

    3. providing technical assistance to a foreign person who will use them to create crypto code.

    The regs do not restrict the publication and distribution of books on paper (like Applied Cryptography or the PGP source books) but they do restrict publication and distribution in electronic format (like web pages, or Applied Cryptography example programs on disk, or the PGP executables).*

    Note that it's not important where the US person is located, nor how they communicate with the foreign person (other than the published printed material exception).

    That's what the law prohibits.

    It's important to not confuse techniques or strategies which make the likelihood of capture and conviction less likely (like using SSH to hide evidence of an illegal export) with techniques or strategies which comply with the letter of the law while frustrating its intent - e.g., doing work in the US and publishing it on paper, or developing crypto outside the US with non-US persons (Canada and Anguilla are two popular locations) to avoid the US' regulatory reach.

    I'm an attorney who has worked on crypto export control issues, but the above isn't nearly complete enough to be legal advice, it's just a very short summary of current law and interpretation. If people need more information, email me and I can give you names of people who do this for a living. (not me, any more.)

    * I went to a seminar on crypto export control put on by the BXA, the agency which enforces the regs, and another attorney asked one of the agency personnel to agree that loaning a foreign person a book about crypto did not constitute technical assistance or the provision of technical data, and the BXA person refused to provide an answer one way or the other. I think the First Amendment should protect that behavior, but the USDOJ and BXA have been fighting against the First Amendment in the Bernstein case for 4+ years now, so that may not be worth much.

  170. Re:What "Exactly" are the laws on US Crypto... by gbroiles · · Score: 1

    There's a somewhat out-of-date version available online for free at ; they charge $20/month for access to their electronic searchable full-text version.

    The non-military crypto export control regs are at 15 CFR 740 (and subsequent subparts) if you're near a library which subscribes to the US' Code of Federal Regulations.

  171. Re:another way to do it by Terao · · Score: 1

    Well we are just as good at puttin' hormones and stuff in our meat here in Europe.
    And genetic engineering? Look at 'em Belgium Blue cows!

  172. Re:Beefed up or crazy? by MindStalker · · Score: 2

    Call me stupid, but I thought mad-cow virus lived in brain tissue. Is there a waiting time or something? 'Cause I can't imagine mad cow staying in your blood stream past a certain amount of time. (Though you'd probably be dead by then I guess but that's not the point.)

  173. The key here is "aid to foreign nationals" by jon_eaves · · Score: 1
    I am not a lawyer, nor do I play one on TV, the internet or as a book character. This is my opinion and worth exactly what you paid me for it


    As somebody who has developed Crypto software outside the USA, I can say that in my opinion if you tried that game, you'd get to have a very close association with Bubba, who'd want to make you his own personal friend.

    There is a key part in the US laws regarding "giving aid to foreign nationals" which doesn't necessarily mean that it's actually doing the work, but merely assisting in that work being performed.

    Remember, these fall under the jurisdiction of munitions, and if I tell you how to make a nuke, even if I'm not physically present, then helping them make the nuke is (according to the laws) bad.

    I was involved in the development of one of the JCE's that are now available outside the USA, to do this, we had to reverse engineer how the code must work, by looking at the interfaces provided by Sun. There's not even any crypto algorithm code in the JCE.

    There's a document on Sun's web site relating to the implementation of a cryptographic provider (which is where all the crypto algorithms actually exist) and how it interacts with the JCE. If you are outside the USA, you aren't allowed to download this document because it will assist you in developing cryptography (read munitions).

    In summary: I wouldn't do this if you value being able to walk around outside wherever you want, whenever you want.

  174. Oh dear.. now I'm scared. by Gid1 · · Score: 1

    I'm a dual-national (UK/USA), but I haven't been over there since about 1985. I wasn't even born there.

    Does anyone know what restrictions/advantages I have as opposed to a normal everyday UK citizen, w.r.t this sovereignty issue?

  175. Re:first posts.... by JEL · · Score: 1

    You guys are really ill in your brain ...

    What does it matter if its the 20th post ???

  176. cant do it. by flatrbbt · · Score: 1

    As noted previously on Slashdot.
    /home is where /house is.

    --
    Ex Libris Veritas
  177. developed by an american by delmoi · · Score: 1

    I believe that the laws apply to anything made *by* an American, in America. I mean, the question of the location of a box is practically retarded. What difference does it make where the actual box you're telnetting to exists?

    You might be on better legal standing if you physically moved the computer, but I seriously doubt that any judge (at least one who didn't question the constitutional merits of the 'law'...) would laugh you out of court if you tried to say that because you were telnetting to another country, you were not exporting anything. You still did your *thinking* here.

    You are still allowed to work on crypto, even download foreign source and play with it. you just can export the results(so if it was GPL, you probably couldn't distribute the results. not with the BSD license though, I think)

    I would talk to a lawyer before trying to physically transport yourself for coding. But it's not really that important for Americans to be able to do this (for the world, I mean. I realize it is important to Americans themselves). There are many intelligent people in the world working on these problems, they might want our help, but they don't need it.
    "Subtle mind control? Why do all these HTML buttons say 'Submit' ?"

    --

    ReadThe ReflectionEngine, a cyberpunk style n
  178. Export by hard copy by The+Big+D · · Score: 1
    OK, so if export by hard copy is permitted (as per these books that have been mentioned - and a couple of T-shirts I've seen), then what is to stop me (living in England) from copytyping the code, compiling, and making available to mirrors around Europe? I'm a non-US citizen, it is not illegal to produce crypto software in Britain.
    Alternatively, what if people were to publish, on the web on US servers, parts of the code to SSH. I could then cut-and-paste (hooray!) and create a whole program. No one would have exported any useful code and I would not have imported any useful code.
    Maybe the latter would be about as useful in court as "I don't understand the problem. These were only the detonators" though.
    thoughts/feedback?

    1. Re:Export by hard copy by PigleT · · Score: 1

      I thought that was how PGP was developed, wasn't it?
      I certainly remember seeing things on the pgp website about books of code having arrived and being OCRd in and stuff...

      Why do these have to have such stupid export restrictions? Can't they just dump the lot and get a life like the rest of the world?

      ~Tim
      --

      .|` Clouds cross the black moonlight,
      Rushing on down to the circle of the turn
  179. another way to do it by loudici · · Score: 2

    another way to do it would be to spend some time in europe and fiddle with us bearded european math wizzes.

    it takes more time than SSH but you get to have some real food instead of american genetically engineered hormone grown hamburgers..

    laurent

    --
    Dev elpizw tipota, dev phoboumai tipota eimai lephteros http://euclidian.org
    1. Re:another way to do it by tlhIngan · · Score: 1

      I don't see the relation between organically grown fruits/vegetables and truck-ripening. There may be an indirect relation (i.e., farmer grows organically fruit/vegetables, and customer comes to farmer to buy), but that's limited if you avoid all the big stores and go direct to the farm.

      Of course, "organically farmed" (I hate the marketing of "organic" - practically everything living on this rock *is* organic...) means to me that all natural products were used (no chemical based fertilizers, no chemical pesticides, etc. thus, natural fertilizers and using bugs to beat bugs are OK).

      Most stuff is "truck-ripened" (including organically grown foodstuffs) because it takes 2-3 weeks just to ship goods everywhere.

    2. Re:another way to do it by Malcontent · · Score: 1

      The fruits and vegetables in the US are engineered and bred for only one trait. Ability to withstand shipment from vast distances. They are picked green and ripen in a dark and cold truck. Compared with the fresh ripened on the vine vegetables one is able to get in the rest of world they taste like cardboard and probably have the same nutritional value. Almost all the meats are injected with some awful thing or another and they too taste like recycled rubber more often then not. I try and buy organic whenever I can, thank god for the organic farmers.

      Personally nothing beats Middle eastern countries for freshest best tasting food in the world. Long live the falafel!.

      --

      War is necrophilia.

    3. Re:another way to do it by Malcontent · · Score: 1

      "Most stuff is "truck-ripened" (including organically grown foodstuffs) because it takes 2-3 weeks just to ship goods everywhere."

      Actually since organic farms tend to be smaller they also tend to be more "local". In my area most of the organic food sold comes from farmers just outside the town and almost all of it comes from in-state. Most of the non-organic vegetables come from california, florida, mexico etc.

      --

      War is necrophilia.

    4. Re:another way to do it by Rhys+Dyfrgi · · Score: 1

      So basically, anyone with some math and knowledge of even Basic can never leave the country. That's a good plan, fedgov, real good plan.
      ---

      --
      END OF LINE
    5. Re:another way to do it by ruff · · Score: 1

      Well, you would actually have to learn the cryptography concepts overseas before doing any coding, since the crypto export laws state that a collection of synapses in the brain that are oriented in such a way as to provide the potential for the creation of encryption code is strictly a munition and cannot be exported.

  180. Re:Let's kill all US distributions and mirrors als by Tim+Dierks · · Score: 1

    Also, Linus *is* involved since this policy prohibits the introduction of strong encryption routines into the kernel itself. That means we all lose:

    - strong filesystem encryption (at the kernel level)

    - strong filesystem authentication (e.g., having a file system which checks the checksums of files before allowing 'execute' access)


    Actually, strong authentication is fully exportable, so there wouldn't be anything to keep strong execute authentication from being rolled into the kernel.

  181. Technical assistance by kRutOn · · Score: 1

    It's illegal to help foreign individuals with crypto code if you're a US citizen. You can't put in hooks in your programs that are for the purpose of adding in a crypto package even if you don't distribute the crypto code with your package.

  182. Not likely. by Matt2000 · · Score: 1

    You are all splitting technical hairs here. If the person in the US logs on to a server and changes some function names, then they are not developing cryptography, they are changing function names, so no problem. If they log on and write significant portions of any type of cryptography routine then restricted knowledge is leaving the US through whatever channel, and yes you are probably going to be in trouble. Remember, cryptography is categorized as a munition, so its export is controlled as such. In past cases, just because someone has leaked nuclear secrets over the phone and not actually shipped out any nuclear material does not nullify the export requirements.

    --

  183. Re:Pandora's box was opened *way* back guys by jonathanclark · · Score: 1

    heh. so much misinformation, so little time.

  184. Re:Canada is still "domestic" by halbritt · · Score: 1

    OpenBSD is developed in Canada and incorporates strong encryption right into the kernel. The OpenBSD folks state, and this is essentially hearsay mind you, that encryption technology may be freely exported from Canada provided that the technology itself is free, or for academic purposes. It is in this sense that they claim to be able to allow OpenBSD to be exported to any country.

  185. Re:Canada by jfunk · · Score: 1

    I'm Canadian, so you can't call me ignorant :-)*

    What possessed you to post this comment? I'm serious. I don't understand the logic. The US has ignorant crypto regulations hurting important secure projects. This is an idea that might (IANAL, nor am I familiar with the exact wording of the laws) be a loophole around the problem.

    To the 'mericun's defense, they didn't post "We're not all freakin Canadian!!" posts on the Canet3 story.

    You're doing to Canada what all those flame-happy Linux zealots are doing to Linux. Stop it. Please.

    Aren't we Canadians supposed to be polite? :-)*

  186. Not that simple by yadda+yoda+yadda · · Score: 1

    MS seems to always insist that the only reason they are in court is that they bundled Explorer with Windows. As is often pointed out bundling _is_ a good thing (usually by MS supporters). Technically MS may have been in violation simply because of their consent decree. However Netscape _agreed_ that MS should be allowed to bundle Explorer with Windows. Note that:

    - Microsoft refuses to let Windows be bundled with Netscape. Since bundling is good this is bad. Allowing bundling with one browser but not the other clearly does not result in a level playing field. This is unlike e.g. Red Hat, where you can re-arrange the distro any way you feel like.

    - Other companies (e.g. Apple) allow bundled software to be uninstalled. I think this played a part in the DoJ's decision, but it sure ups the aggravation value.

    - Who cares what Apple does anyway? They probably would have been sued by now if anyone could be bothered. Anyway maybe if anybody cared enough about it to sue Apple, then Apple may have just decided to give in and give their customers more choice.

    -

    --
    We use GNU/SunOS. :)
  187. What "Exactly" are the laws on US Crypto... by Cain_ · · Score: 1

    If the answer to the question I'm about to pose is an obvious one, I apologize in advance, please forgive my ignorance on this subject, as I am Canadian. It's obvious from the articles and postings that the US has some stupid rules on who can use cryptography and how they can use it, but a lot of these postings are inconsistent with each other. Some say a US citizen can write cryptographic code, but not inside the US borders. Others say that a US citizen can't write cryptographic code at all. Also, what about foreigners that are currently in the US? Could a Canadian visiting relatives in the States write crypto code on his laptop while there? I guess I should just ask if anyone could provide a link to a site where the official law is written so I could read the fine print myself. Thanks in advance.

    --
    "There's nary an animal alive who can outrun a greased Scotsman !"
    1. Re:What "Exactly" are the laws on US Crypto... by cananian · · Score: 1

      Bruce Schneier's "Applied Cryptography" book contains both the regs and the munitions list.

      --
      [ /. is too noisy already -- who needs a .sig? ]
  188. Should work by Adam+Knapp · · Score: 1

    I don't remember the specifics but wasn't there a professor somewhere in the US who published an encryption scheme on his web site complete with source code who got charged with violating the export restrictions? After a fairly long trial he won on 1st amendment/scientific discourse grounds. I think the first person to try this would get charged but would win their case, especially since the code would never have even existed in the US (in full anyway).

  189. Re:Canada by coyote-san · · Score: 1

    It's irrelevant anyway since the US and Canada have treaties which make Canada "domestic" for US export laws, and which prohibit Canadians from re-exporting software they picked up from the US.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  190. Re: Reexport is also illegal by coyote-san · · Score: 2

    Under the current US interpretation, it's illegal to do a logical no-op like downloading a file and immediately reuploading the identical file.

    Editing a file remotely, instead of downloading it, editing locally, then uploading the changed file might not be considered a legally significant difference since the end results are identical - software exists outside of the US and Canada which didn't exist there prior to your acts.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  191. Bullshit by coyote-san · · Score: 2

    Those comments are completely uninformed. It is completely legal to publish the complete source code to PGP, DES, Kerberos, etc. (either in bound book form, or even source listings), and transport them out of the country.

    Not only "can" this be done, O'Reilly has published several books using special fonts designed to reduce OCR records. "Cracking DES" is one well-known example, and AFAIK it has been exported without problems.

    The *only* thing that's illegal is to export the exact same material in electronic format. So you can ship a pallet full of boxes containing source code, but not a CD-ROM containing the identical material. You can even carry the OCR software out on a disk, since it's not export restricted.

    This is why many of us are so frustrated with current US policy. It doesn't stop anyone from exporting cryptographic software, it just makes it such a pain that few people bother. (BTW, when Phil Zimmermann was being investigated for exporting PGP the focus was always on a specific FTP transfer that occurred almost immediately after he released his code.)

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  192. Let's kill all US distributions and mirrors also! by coyote-san · · Score: 2

    The problem with this reasoning is that you can't re-export cryptographic software, so you can't have US mirrors of these packages. Ditto US-based distributions, for the same reason.

    Also, Linus *is* involved since this policy prohibits the introduction of strong encryption routines into the kernel itself. That means we all lose:

    - strong filesystem encryption (at the kernel level)

    - strong filesystem authentication (e.g., having a file system which checks the checksums of files before allowing 'execute' access)

    plus numerous other applications which are currently in userland since the kernel lacks encryption. (SecureRPC, VPN, etc.)

    The results of this policy are very much like the driver who slams on the brakes to avoid harming the cute little squirrel running across the street... but causes several injuries to her passengers and the people in the following cars, to say nothing of $50,000 in damage. It's a damn good trade-off, as long as you never take your eyes off the furry little drug-running child pornography terrorists which only you can see.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  193. Canada is still "domestic" by coyote-san · · Score: 3

    Nope, Canada is still considered a "domestic" site for the purposes of ITAR. US law allows export to Canada, but *Canadian* law bans reexport.

    What you're describing is crypto developed in Canada alone, which is a grey area. I think the treaties ban it also, but last I heard the current Canadian government didn't have its head as severely dislocated into its digestive tract as the US government.

    BTW, before someone else marks this "offtopic" or "flamebait" I believe these treaties date back to the creation of NORAD and the associated consolidated US/Canadian military commands. It made sense in that context, but nothing about treating unclassified software as a "military munition" makes any sense.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  194. Linus is from Finland.... by chazR · · Score: 1

    ... and Finland is in Europe. And he's welcome back anytime.

  195. Not only Canada by chazR · · Score: 1

    Is the US the only nation to prohibit export of crypto technology? Here in UK we have a number of tools that are slightly stronger than 56bit. I hope that the US departments responsible for the export restrictions realise that it is possible to do mathematics outside their borders. Until they successfully ban 'foreigners' from doing maths in their own nations, the export ban will continue to be ineffective.

  196. Beefed up or crazy? by hawkestein · · Score: 1

    I'll take my nice sane, bovine-growth-hormone burgers over those mad cow burgers over in Europe... :)

    Seriously though, in Canada, you can't donate blood if you've spent a certain amount of time in England for the past while. They're especially paranoid about that here in Quebec.

    --
    -- Will quantum computers run imaginary-time operating systems?
  197. What about OpenBSD? by hawkestein · · Score: 1

    I was under the impression that OpenBSD was based in Canada so it could avoid the draconian American encryption laws, which would imply that Canadian encryption export law is different from American.

    Although I'm a Canadian, I don't really know the details of the law. However, I don't think we have any export restrictions.

    --
    -- Will quantum computers run imaginary-time operating systems?
    1. Re:What about OpenBSD? by vyesue · · Score: 1

      I was under the impression that OpenBSD was based in Canada because that's where Theo lives.

  198. Re:But why? by Hobbex · · Score: 2


    Crypto algorithms are short and sweet (well not always) but Crypto modes and protocols are often complicated and cumbersome, especially if you want the program to be useful.

    -
    /. is like a steer's horns, a point here, a point there and a lot of bull in between.

  199. Hmm... Not quite. by Chandon+Seldon · · Score: 0

    #!/usr/bin/perl

    $post_number = 7;

    if($post_number != 1) {
      print "You are a fragging moron!\n";
    }

    --
    -- The act of censorship is always worse than whatever is being censored. Always.
  200. Hmm... Not quite. by Chandon+Seldon · · Score: 0

    #!/usr/bin/perl

    $post_number = 7;

    if($post_number != 1) {
    print "You are a fragging moron!\n";
    }

    --
    -- The act of censorship is always worse than whatever is being censored. Always.
  201. Re:Even more questions... by Chandon+Seldon · · Score: 1

    The ITAR prohibits the export of 'crypto-enabled' software.

    I don't get this. Is EMACS illegal to export? (It sure as heck has "hooks" to plug strong crypto into). What about Microsoft Word? (I wouldn't want to code an implementation of IDEA or something in VB for Apps scripty things, but...). Maybe you see my point... but if those are allowed, then any crypto hook would have to be allowed as long as the interface was sufficiently general.

    --
    -- The act of censorship is always worse than whatever is being censored. Always.
  202. Heck, screw legality by Chandon+Seldon · · Score: 1

    If you're working on a Free Software project, just do it, and if you think you'd have legal problems just deny that you contributed code to that project. Stupid laws aren't worth obeying!

    --
    -- The act of censorship is always worse than whatever is being censored. Always.
  203. Re: Reexport is also illegal by rrogers · · Score: 1

    Ok, this brings up another question which is probably still just as illegal, but what if you imported a file, created a diff and sent that out? What if your changes didn't have anything to do directly with the crypto (like working on the front end of something that hooks into a crypto package)?

  204. "Technical Assistance" is considered a type... by Winged · · Score: 1
    Providing technical assistance, AFAIK, is considered a type of export. Since this law deals with "ideas" as a valuable commodity (hmmm, if this is the case, why can't you copyright or patent ideas, only implementations?), you can't even provide technical assistance to anyone outside the USA or Canada in getting crypto working.

    On the flip side, if you're using SSH, about the only practical way* for anyone to know if you're doing anything illegal is to search you out for TEMPEST emissions while you're doing it. <tongue-in-cheek>Hence the concept "It's only illegal if you get caught" :-)</t-i-c>

    *: This statement is based on the security of the crypto algorithms used in SSH.

  205. Just automate the OCR process.. by Weezul · · Score: 1

    What if I produce jpgs of my diffs or source and put the images up for DL? along with some OCR software and a make file? The question is if it's a machine readable format, but the non-mechanicalness of a picture may make it more clear to the judge that they are violating our first amendment rights.

    If that won't work what if I buy a fancy printer that can put a stamp on it and mail it to a mirror site in a free country? Or do I need to mail it to lots of people for it to be ``publishing.''

    Jeff

    --
    The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
  206. Embassies? by XenonOfArcticus · · Score: 1

    So, if a foreign embassy allowed you to work on crypto code on their sovereign soil, wouldn't that be like commuting across the border each day to Canada (or, more awkwardly, Switzerland) to work on code, and returning home for dinner?

    Is that legal?

    If it is, I could see multi-story embassies becoming data havens for crypto work. Except that nobody would really do it -- political pressures being what they are.

    Interesting thought experiment. If you can use it to prove how ridiculous the current laws are, maybe it will encourage their reform.

    Hey, I like free strong crypto. But I bet if I had the weight of our government's responsibilities on my shoulders, I'd probably be pretty terrified of free strong crypto too.

    --
    -- There is no truth. There is only Perception. To Perceive is to Exist.
  207. Yes, it is still an export. by robl · · Score: 1

    The problem with your argument is that when you think about it, anything transmitted over the internet is really just a series of bytes. The courts have made clear distinctions that what counts is not the fact that you're sending bytes over a T1 line, but what the context and content of those bytes are. The context of those keystrokes he's typing in is, in fact, cryptographic software. And that makes it illegal.

    Let's say a developer in the US sends an email with a code fragment including crypto software outside the U.S. According to the courts, this counts as an export violation. However, it is not a violation if he writes his email using plain English to describe the changes without using any code fragments.

    The other question you seem to be asking is, "Can you export crypto software imported from other countries?" Still, the answer is no, you can't. Technically, the US sees cryptographic software as a munition, and it is listed with the other munitions restricted for export. So, ask yourself this question: "Would it be illegal for me to export a hand-grenade that I imported from Europe without seeking US approval?" No.

  208. The real question is quantum labor by jovlinger · · Score: 2

    The real question here is of course "Where are you on the internet". The answer is obviously "A student came to Moon and asked...". To be hypothetically concrete:

    If I am physically in the US (say on an extended vacation) but telecommute to Sweden to program for a firm that has hired me, pays me, and bills its customers in Sweden, where am I working?

    Arguably, I am using up more Swedish resources (administration of postal services, social security, and what not) than US (a couple of KB internet bandwidth that I pay for explicitly anyway).

    The above case would probably be judged that I was working in Sweden because I am employed by a company that is clearly in Sweden. Now change the gedanken experiment to have me not employed but rather contracting... oooh! now I'd probably be working in the US.

    The problem is that old labour laws (IANAL) are to new labor situations like Newtonian physics are to quantum. The old way works fine as long as we don't look at the limiting cases, like one person working at a distance. (I couldn't resist a non-locality pun).

    I've looked at some laws and they're full of things like preponderance of evidence, and other vagaries that make no sense when applied to an individual.

    The short of it is basically that location is a null issue on the internet, and until governments recognize this, we're going to see one absurdity after another.

  209. Ummm, this won't work... by Robert+Hayden · · Score: 1
    If you think about it, you are exporting the code. Granted, it's one keystroke at a time, but it's still going.

    Any good prosecutor will nail you to the wall.

  210. good idea. by prodeje · · Score: 1

    or why not just lie and say that you developed the crypto in an embassy?
    ...

    --

    Bitchslapped? Give Rob a bitchslap from bitchslapped.com.

  211. Same results, different method by Slur · · Score: 1

    What if you programmed a laser beam in Thailand to shoot somebody, but you didn't actually go pull the trigger yourself. Could that be considered indirect enough to be legal?

    Piling on levels of indirection will not save you from an out of bounds exception!

    Yeah, I'm a Mac programmer. You got a problem with that?

    --
    -- thinkyhead software and media
  212. Re:Umm Kansas? by CaptSwifty · · Score: 1

    How would you teach evolution in Kansas if you were in some European country? You would have to teach it inside Kansas and then catch a flight to a European country. Well, there is long distance learning...

  213. Who owns who? by runswithd6s · · Score: 1
    This whole topic really ticks me off. Isn't the US supposed to be all about free enterprise, commercialism, and independent thought? Yet, the government creates and enforces laws that are reminiscent of the Great Cold War (wasn't really that great anyway). These laws are outdated, behind the times, lagging behind the swift advance of technology.

    And how fscking arrogant can the US be?! Does the NSA, CIA, whatever-A think that no one who lives outside the US is SMART enough to make better cryptography software than the US?! If that's the case, I'm embarrassed to call myself a US citizen! Oh, but if cryptography (better) is imported, well then, let's have a party!

    And HOW can the government interpret work that I might do as having export restrictions? They can dictate WHO I can and cannot release my knowledge to or give my time to simply based off where I park my rear-end?

    And here I thought that Australia had some pretty stupid policies. This just tops the cake. I don't work for the government. Who are they to dictate what I do with my time and knowledge? Yeah, yeah. They're the government.

    --
    assert(expired(knowledge)); /* core dump */
  214. Re:Who gives a shit? by Cebert · · Score: 1

    > Use it. What's going to happen? The crypto
    >police are going to break down your door and
    >beat you to death?

    Agreed. What REALLY disturbs the hell out of me is, the number of people who are actually fearful of breaking this particular set of laws. There comes times when a given law is unfair, or totally out of touch, and people HAVE to fight it, instead of this "we'll just have to live with it until it gets changed" nonsense. Who's supposed to be running this country? The people! And every day that they let the government trample on our rights is one day closer to the time when we're totally without 'em.

    --
    -- www.bteg.com | bleh.n3.net | hac47.dhs.org
  215. Re:Even more questions... by Capt+Dan · · Score: 1

    I agree that this stuff gets way too complex much too quickly. That's why I'm trying to get some clarification here...


    So I write my code using a Plugin Crypto API, which I then publish. That's legal.

    To my understanding I can then write an encryption module within the confines of the crypto-export rules for distribution with the software.


    But then after the code is released, someone else in Uganda writes a crypto plugin that exceeds the crypto laws. Now, I can import that module for my own use. But is it covered by the export laws in any way?


    i.e. could I store this new module on my web site, and link it from the download page for other people to use?

    --
    Sig:
    Barbeque is a noun. Not a verb.
  216. Even more questions... by Capt+Dan · · Score: 2

    I've been thinking about this type of thing myself lately. (#$%*@ Cryptonomicon)


    The main question I keep coming back to is, what defines the crypto?


    Say I and a buddy are developing an editor that encrypts the files when they are written/read from the disk. If he lives in Timbuktu and writes the crypto module, and I in the USA write functions that operate solely on the cleartext, can it be exported? Or is the whole project covered by the crypto laws by default?

    --
    Sig:
    Barbeque is a noun. Not a verb.
    1. Re:Even more questions... by cananian · · Score: 1

      The ITAR prohibits the export of 'crypto-enabled' software. So even writing code with hooks is disallowed. There's been a lot of discussion about doing away with this particular bit of draconia, but I believe it's still on the books.

      --
      [ /. is too noisy already -- who needs a .sig? ]
    2. Re:Even more questions... by cananian · · Score: 1

      The hooks have to be specifically for cryptography in order to be illegal. People get around this by providing general "module" interfaces which can be used for lots of things.... including crypto. Making it crypto specific is a no-no, as far as I know.

      Having said this, there are some well-known exceptions: microsoft's crypto apis and sun's java library apis, for example. I don't know if they got a specific license from the gov't, or if the law was loosened. I rather suspect they got a license.

      --
      [ /. is too noisy already -- who needs a .sig? ]
    3. Re:Even more questions... by cananian · · Score: 1

      Ah. The recent /. story on Microsoft's CryptoAPI and the NSA explains. Yes, Microsoft did have to get a license to export the *API*. The price they paid to get the license was installing an NSA back door. So, no, in general exporting APIs is *not* legal.

      --
      [ /. is too noisy already -- who needs a .sig? ]
    4. Re:Even more questions... by cananian · · Score: 2
      The relevant section from the Defence Trade Regulations states:
      Part 121 - The United States Munitions List.
      Category XIII--Auxiliary Military Equipment
      (b)Speech scramblers, privacy devices, cryptographic devices and software (encoding and decoding), and components specifically designed to be modified therefore, ancillary equipment, and protective apparatus specifically designed or modified for such devices, components, and equipment.

      So if your software is "specifically designed to be modified" into a "cryptographic device" for "encoding and decoding" then export is prohibited. And the definition of export includes:

      Section 120.10 Export---permanent and temporary.
      Export means:
      (4) Disclosing or transferring technical data to a foreign person, whether in the United States or abroad.
      (5) Performing a defense service on behalf of, or for the benefit of, a foreign person, whether in the United States or abroad.
      --
      [ /. is too noisy already -- who needs a .sig? ]
  217. Canada is not domestic. by Inoshiro · · Score: 1

    Canada can export locally developed encryption ad nauseam...

    OpenBSD is authored here, and it uses strong crypto. Hell, Theo's in my home of Cow Town :-)

    --
    --
    Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
  218. It's the technology not the code by dfuess · · Score: 1

    The export controls are placed on the technology, not the code. If you export changes in any form which causes the technology to be exported, then I believe you are in jeopardy.

  219. Export restrictions MADE CLEAR by cananian · · Score: 1

    This is really simple. The US views cryptographic software as a munition, just like a gun or a bomb.

    If someone has bomb plans on the web, and you fixed them or sent them changes showing how to make the bomb into a better bomb, then you are obviously exporting bomb technology and subject to prosecution. It doesn't matter if you're changing the placement of a single bolt or gutting the chemical explosives and drawing in uranium spheres; you're aiding a foreign national to construct a munition, which is prohibited.

    You're allowed to talk about *bomb technology* at technical conferences (although the wording of the export regs would much prefer that said technology *already* be in the "public domain"), but you're not allowed to build any real bombs outside the US or with non-Americans. Them's the laws. Simple, right?

    Also makes perfect sense---if you think that crypto is anything like a bomb or a gun.

    --
    [ /. is too noisy already -- who needs a .sig? ]
  220. Phew! by anatoli · · Score: 1

    This should explain a lot.
    --

    --
    Industrial space for lease in Flatlandia.
  221. technical assistance by BDW · · Score: 1

    I believe that the export of technical assistance (in this case, fixing bugs) with crypto is also prohibited. The corporate world (RSA, etc.) would have set up this sort of thing long ago otherwise.

  222. US Person by SecGuy · · Score: 1

    The export laws are quite explicit in regulating the activities of a "US Person", regardless of where that person is located (inside or outside of the US.) A US person includes individuals who are US citizens as well as US companies. So, if a US Person is in Canada, or Australia, or Egypt or wherever, if they work on crypto it counts as an export. The whole issue of it being done over the net is a distraction.

  223. Pandora's box was opened *way* back guys by shockwaverider · · Score: 1

    It's irrelevant. The US is trying to hold onto a situation that was lost as soon as Zimmermann posted his code. All the export laws do is legislate against the citizens of a "free" country. BTW - Has anybody heard that the US now has the technology to break practically any block crypto techniques? Of course, the result of anybody drawing attention to this fact would be that nobody would continue to use block cyphers. Wonder if that would piss anybody off in the CIA? Don't worry tho guys. PGP [international version] is not based on block cyphers and you can continue to use it safely!

    --
    Remember kids! Guns don't kill people - Americans kill people.
  224. T-Shirt by DreamerFi · · Score: 1

    You're probably safe if you print the patches you wrote on a t-shirt that you wear on vacation :-) -DreamerFi

  225. Unfortunately correct - "Technical Assistance" by billstewart · · Score: 1
    This kind of topic has been extensively discussed on the cypherpunks, cryptography, cyberia-l, and other mailing lists.

    Unfortunately, Anonymous Coward is correct that, if an American citizen does this, it counts as technical assistance and is therefore as illegal as any other means of providing unlicensed crypto to foreigners (assuming the work is made available for access by foreigners, as opposed to fixing the crypto software at a foreign office of a US company, or fixing a product that was legally exported to a foreign bank or Friend Of The US Military-Industrial Complex).

    The validity of US export laws is debatable (at least if you don't take the First Amendment seriously, which the government doesn't, but until it gets totally thrown out we're stuck dealing with it.) Some people are challenging it, and some people take the First Amendment as their defense and ignore it. However, if you're a company that's subject to other regulations, as all corporations and many non-incorporated businesses are, you have to take a conservative approach to avoid being either shut down directly or bankrupted by the cost of a legal defense.

    Some companies or private individuals, like C2.Net software and John Gilmore's FreeS/WAN Linux IPSec project, take the approach of hiring non-US-citizens to develop the product outside the US - it's legal to import the crypto into the US, and the people providing the money aren't providing technical assistance to foreigners, they're customers getting technical assistance from foreigners. FreeS/WAN has taken an especially careful approach with this, because they want their product to be unquestionably legal for anybody to use, whether inside or outside the US.

    Whether the export is detectable or not is a separate issue -
    Not Getting Caught is a different problem than Not Violating Bogus Rules :-)

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  226. Embassy? by oburi · · Score: 1

    Why not go to a local foreign embassy and do all the coding on foreign soil. Now that's a plan.

    How can the gov. tell us we can't work on crypto. and then buy crypto. code from foreign companies?


    --

    What do you mean 'Linux in a nut shell', it don't fit.
  227. US legislative range by JonK · · Score: 1

    I thought the whole point about MAI, which the Yanks (and, sadly, our toadying mob in Whitehall too) were vigorously supporting was that the US's laws would soon apply in all countries, whether they liked it or not... particularly when it came to the right of a corporate entity to rape'n'pillage for profit (see BGH, GM soya, Ethyl Corporation in Canada etc)

    Hurrah for the French who told the rest of the OECD where to stick it (temporarily, at least).
    --
    Cheers

    Jon

    --
    Cheers

    Jon
  228. mmmmmmmm, love that mad cow by Hollins · · Score: 1

    mmmmmmmm, love that mad cow

  229. Re: Reexport is also illegal by Noer · · Score: 1

    But how is this different from your buddy in Iraq calling you up and saying "hey, I'm trying to finish this killer encryption program but I can't remember how to do something simple, does this source code (spoken verbally, and just some little piece of class-definition code) sound right to you?"

    Is it illegal to provide programming advice? What if you didn't know it was encryption code? What if it's just a load/store module for encryption code? What if it's just an FFT routine for encryption code?

    --
    -- "Those who cast the votes decide nothing. Those who count the votes decide everything." -Joseph Stalin
  230. Who gives a damn? by poing · · Score: 1

    For things like 128 bit browsers and PGP, why do people bother with these complex schemes for legally bypassing the restrictions (e.g. OCR'ing the sources from paper)? I don't understand why the original files aren't made more widely available on servers outside the US - It's not like you're breaking any laws that apply to you if you host a copy of a 128 bit SSL browser or similar on a site that's located outside the US.
    I'd like to see more places like ftp.replay.com (located in Holland, serving the US versions of all the browsers etc). If it's about US companies trying to sell their software abroad, ideas such as developing on a foreign server might be worth considering, but I think there's way too much fuss about getting hold of US versions of software - only one person needs to break the law by exporting (you're hardly gonna get caught for an ftp transfer), once it's outside export restrictions don't apply anymore.

  231. Only if you Delete, not add by JDizzy · · Score: 1

    I'm sure the US government would be happy for you to telnet in and destroy as much data as possible from the source tree. Adding, or auditing the code would be silly. Considering the US has them internet listening stations all around I wouldn't want to risk it. Then again, with them listening stations I'm sure they would actually consider you a patriot for letting them listen to you log in. There's no telling how useful that kind of info is. Especially since you made your intentions public on Slashdot.

    --
    It isn't a lie if you believe it.
  232. But why? by Vortex · · Score: 1

    If all you are doing is bug fixes, there wouldn't be a problem, but why couldn't the person at the other end fix the bugs? Most crypto algorithms I've seen tend to be short and sweet, and if anyone is capable of devising and coding one, they can certainly fix their own bugs. Now if you were actually writing a small bit of the code which reflected crypto code in the country, the Feds would probably get you.

    I personally think the regulations are silly. If it's possible to smuggle a bomb onto an airplane or through the mail, one could certainly smuggle a floppy disk. We're not preventing anyone who seriously wants our crypto algorithms from getting them. You want relatively unknown crypto, go work for the spooks.

  233. A Crypto-Digital Revolution by Ephron · · Score: 1

    In an Eutopian society, Politics and Government don't mix, neither do Academics and State Secrets. We are not, by any means, living in such a society. All this aside....

    Ideas spawned in public institutions or in the minds of academics, novelists (who have inspired many a usable invention through fiction) or anyone else for that matter are not normally censured in this way.

    It seems irrational that everyone is so dependent on US sources for "technical support" on crypto routines, but to achieve a common PGP style interface for all, it is logical to expect everyone to have the same encoding / decoding to be able to use the "envelope". And as many of the common operating systems development (besides OpenBSD, BEOS etc) reside in the US it would imply that the technology would have to be "imported" to be integrated into the OS before it could be "exported" again...SAME PROBLEM....

    The crunch being, in a society where something is oppressed by law (like my homeland used to be) it takes a revolution / a few casualties / a few martyrs / and years in jail to finally overcome such restrictive legislation.

    After reading a good number of the postings, it is clear that the only way to open this up would be for someone to actually break the law....The law itself seems to be so open to interpretation that there would be no way for a US citizen to offer assistance, technical or otherwise.

    So what do you do...Wear a T-Shirt with a PGP Algorithm printed on it???? You all know where that gets you.......