Ask Slashdot: Using SSH on non-US Sites for Crypto Development?

cesarb droppped this interesting question in my inbox, that I would like to share with you all: "I would like to know if a developer in the U.S. could use telnet or SSH to a box outside the U.S. and help developing a code that uses crypto. If he types a whole file of source code for a crypto algorythm, this of course is export; however, if he just fixes some bugs (like fixing a typo or changing the name of a function), I think this would not be considered export, since the only things you exported were the cursor movement and character deletion keystrokes and the actual text you typed (like the new name for the function), and what appears on your screen was just imported but never exported back. This would allow things like the kernel, Mozilla or anything else to be developed with crypto outside the U.S. but by people inside the U.S., and so would stop the last piece of usefulness in those silly U.S. crypto export restrictions." Would something like this work? Are there any other solutions for U.S. citizens developing strong cryptography to share there work with others abroad?

The law covers technical assistance too.

[Eric+Green]

According to the regulation as recently posted to sci.crypt, even helping someone outside of the country with their crytographic product is illegal. And you can't even move to Mexico (which has no encryption restrictions) and get away from the long arm of American law -- the regulation says that if you're outside of the U.S. and either develop or help someone make a product that would be export-controlled within the U.S., you can be prosecuted. Before you say "so what, I'm in Mexico!", the U.S. government has been known to *KIDNAP* American citizens overseas in order to prosecute them here... hell, they don't even have to be American citizens, they kidnapped Manuel Noriega and prosecuted him here too, quite illegally I might add, the man was a scumbag but that doesn't excuse it.

-E

Lawyer: I'm not even going to touch this

[hawk]

What you need is legal advice from a seasoned criminal lawyer who is also well grounded in D.C. politics. And even then, you won't know for sure until the first cases reaches the Supreme Court.

This is playing with fire. Even if it's legal, expect to spend years and millions in court.

Re:It depends.

[dattaway]

All laws are subject to interpretation. I say its time to get the lawyers involved and perhaps do some digging to see what kind of corruption we really have in the US government behind the "dangers" of encryption.

When I say all laws are subject to interpretation by the courts, let me relate my experience with a personal bad habit a several years back. You see, I liked to drive fast. A lot. From speeding tickets to OJ getting away with murder, I'm sure the principle behind encryption is much more honorable and should be pursued.

My experience with taking things to court suggest anything can be pursued given enough energy for much less than you think. I accumulated *five* speeding tickets in Kansas City. My lawyer told me the law only allowed one instance of getting a ticket reduced to, say, a "parking violation." I got two tickets that week, a 90 in a 55 and a 69 in a 55. I may have interested him with my comment I would like to fight these (perhaps unwisely) to the supreme court. He was intrigued and to make a long story short and a few courtroom visits later, I had no points on my license due to him getting the worst violations dismissed for technical wording. I added up the legal costs out of my pocket was $1055. After that I got rid of my radar detector and haven't gotten a ticket since.

Anyhow, I'm sure this encryption debate is not a boring issue with some powerful, yet isolated government officials. Its time to turn up the heat and see how they react. It has nothing to do with terrorism or child molestors, but may have much to do with government officials stealing secrets from industry and their sideline consulting businesses. I think denying citizens the right to privacy is treason and I'm sure there is real evidence of corruption involved.

Thoughts.

[FireReaper]

So, what you are saying is that someone, in this case, a US citizen, is participating in the development of cryptography, yes?

And while that isn't a big deal, we add into the stew the note that this person is physically in the states.But the databases and code he is working with are outside of the states.

This has some ramifications. Namely, the person in question is developing cryptography. But not only that, he is helping a foreign organization develop it outside of the states. But he is using his knowledge of cryptography and/or programming combined with what he personally knows to aid the development of crpytography in another nation.

If the problem is somewhat hard to see, let's use another example. Nuclear weaponry and technology.

Let's say our friend is a US citizen and through an encrypted channel, is helping an organization in another nation work on nuclear weaponry. Sure, he doesn't have any documents on this side of the border and sure, all the work he is doing is stored remotely. But what do his actions amount to?

I'm not sure in our current state of "peace", but if it were during a war, this person would be considered a traitor and if caught, would be held for treason.

I'm not saying it is right or it is wrong. But the aiding of foreign nations to develope technology which could in turn be used against the states isn't exactly smiled upon.

But then again, I could very well be wrong and there is nothing wrong with communicating with foreign groups to help with the development of crypto and/or nuclear technology. I mean.. it's a free world, right?

On a side note, a knife painted like a banana is sort of silly, but it is still a knife and by that token, still dangerous and something to be respected. Even if the wielder is nothing more than a clown.

;)
- Wing
- Reap the fires of the soul.
- Harvest the passion of life.

Re:crypto import is legal, right?

[rde]

Do you want to be the one to tell Linus he can't look at the crypto code?

Crypto fine points

[The+Cheese]

The company I work for (which shall remain nameless) has a strict policy on this sort of thing; our hot'n'juicy lawyers have made sure that the policy strictly conforms to US and international law. ANY work done by a US national that is implemented in a project outside of the borders of the US is considered export work. This includes bug fixes, and even commenting on work done by foreign nationals outside the US. In fact, even commenting on software produced by foreign nationals WHILE IN THE US is considered exporting those resources. Consequently, our encryption division looks like a typical shaker community; you shake it, and nothing but white guys fall out.

Canada is still "domestic"

[coyote-san]

Nope, Canada is still considered a "domestic" site for the purposes of ITAR. US law allows export to Canada, but *Canadian* law bans reexport.

What you're describing is crypto developed in Canada alone, which is a grey area. I think the treaties ban it also, but last I heard the current Canadian government didn't have it's head as severely dislocated into its digestive track as the US government.

BTW, before someone else marks this "offtopic" or "flamebait" I believe these treaties date back to the creation of NORAD and the associated consolidated US/Canadian military commands. It made sense in that context, but nothing about treating unclassified software as a "military munition" makes any sense.