Slashdot Mirror


US Relaxes Crypto Regulations

Guru Meditation writes "CNN reports in an article that Clinton has decided to relax the export restrictions on crypto products, both hardware and software." The Washington Post also has some good coverage of this. As part of the deal, the FBI will get funds to create a new "code cracker" unit. The Administration, however, did drop the proposal to require backdoor entrance for the government. The new regulations will allow selling to virtually any country, with a few exceptions for nations deemed a national security threat.

69 comments

  1. Is this a bone? by Anonymous Coward · · Score: 0

    OK - what're they trying to pull? Internet censorship? I'm very suspicious of reversals like this. Sorry. Don't trust the pols.

    1. Re:Is this a bone? by MikeFM · · Score: 1

      My main worry on such an about-face is they may have made some sort of breakthrough on cracking the codes, thus making it irrelevant to them if they let us encrypt data. Maybe they are just giving the feds that extra cash to make it look like everything is normal. Arghh, where is Mulder when you need him. :)

      --
      At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
  2. Re:Point of clarification by Anonymous Coward · · Score: 0

    I am not a lawyer, but I believe it's perfectly OK to import any crypto of any sort into the US. However, exporting it, even if it's the same stuff you brought in, is illegal (and will be until the rules change as announced above). So it's fine to go on holiday to the US with SSH on your laptop, just don't take it out again. Theoretically. If you are a known crypto researcher (according to the ones I know, anyway) the Customs people do pay more attention to you than the average person leaving the USA. Fortunately I'm just a sysadmin with lots of software on my laptop.

    Nicolai

  3. Re:Minor nitpick... by Anonymous Coward · · Score: 0

    I don't think the NSA is chartered to do their thing inside the country. Might be a conflict if they worked together.

  4. Re:Minor nitpick... by Anonymous Coward · · Score: 0

    NSA is prohibited by law from operations on US soil directed against US citizens. Any such operation would have to be under control of the FBI. However, I think the REAL reason for the unit is that it is an $80 million sop to the FBI and others within the administration that strenuously opposed the relaxation of the export rules.

  5. Re:Yeah, Right....you're wrong by Anonymous Coward · · Score: 0

    It's not stupidity. It is the realization that crypto has escaped the confines of military and governmental agencies. Like any technology that is able to run free, it simply cannot be reined in. From the crossbow to crypto, history has proved this point time and time again.

    Any encryption can be broken. Yes, the government has the technology to do it; so do you. But they need to know the method used and spend the time to crack it. It's still going to be brute force and known weaknesses, as most cryptographic algorithms have no 'skeleton keys' that would give the government unfettered access to your data.

  6. Re:Probably a trade-off by Anonymous Coward · · Score: 0

    What the hell do you call the $80 million for the FBI over 4 years? They (haha, that's the real "they" this time) finally did it because they get a big chunk of cash!

  7. Can you say e-commerce by Anonymous Coward · · Score: 0

    It is pretty obvious that a lot of commercial interests, ranging from Microsoft to joeblow.com have varying interests in allowing strong crypto. Thus, M$ can sell standard crypto packages with IE and NT, so you can do secure on-line ordering of a set of bag pipes from Scotland or whatever, because everybody has compatible crypto packages. Of course, you may not be able to order that samovar from Iran, so sad.

    Personally, I'm quite cynical about the reasons for all this, but it is still a Good Thing (TM). I.e., next year is an election year, and happy lobbyists make large contributions. The Clinton White House has totally sold out environmental/wilderness protection (and Gore has to share some of the stink from this at least), so what the hell is wrong (in their eyes) with selling out another national interest?

    1. Re:Can you say e-commerce by Noryungi · · Score: 1

      E-Commerce may be the ticket, but this article from HotWired actually has, IMHO, the best and most intelligent explanation for all this hoopla.

      Read it, and go "ah-ha"!

      --
      The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
  8. Re:Janet Reno is not your friend by Anonymous Coward · · Score: 0
    $80M is probably not enough money to start up a new crypto unit and have it be remotely useful. It *is*, however, enough to carve out a chunk of NSA hard-, soft-, and wetware to be "administratively assigned" to the FBI. The FBI has the (dubious) authority to conduct domestic ops...now they can have the (expert) staff assigned to do it. And because of the "secrecy order" clause, they never have to disclose that fact, much less their tricks. Smells very much like NSA.

    Read the text of the bill. It's written as a "shall issue order" based on some flexible criteria. There's also a lot of "trade secret" language in the draft bill. NSA uses trade secret law to shield techniques they think could be independently discovered.

    Far from a victory...rather than "enabling" strong crypto, we've just legitimized domestic NSA ops. Thank you, Janet.

    "Legality? That particular aspect didn't enter into the discussions." (General Allen, NSA director, in testimony to Congress)

    National Security Agency - "Security is our middle name ... because 'National Agency' was just too vague'"

  9. Re:Why use U.S crypto products? by Anonymous Coward · · Score: 0

    Indeed. The best crypto is imported. Alas, the most 'popular' SW with crypto is more commonly used or exported. I believe that the release of GPG was the cause of this surface gesture, and the folly of limiting export is finally sinking in to the average MS-using American computer user, due to increased paranoia about what they have to worry about. Eventually the little things like 10000 PIN numbers for all the 100's of millions of US bank customers, as they tear their little paper receipt up as they heard they should. Nautilus went mostly unheard (Silent running!), but it shall indeed resurface, to sink what's left...

  10. Reality? by Anonymous Coward · · Score: 0

    There appear to be two camps: 1) Bunch of folk who think it means you can export almost anything after jumping through a few hoops. 2) Bunch of folk who think little has changed other than the number of exportable data/comms encryption bits might go up to 64. So what's the correct story?

    1. Re:Reality? by spinkham · · Score: 1

      That's the thing, we don't know...
      All they have said is that they will audit a product once instead of for every sale..
      It really isn't that much of a win for encryption, for they can still deny anything they want to be exported.
      For instance, they can say that only 56-bit keys will be allowed, or only programs with backdoors, or whatever they darn well please. I'm still holding out for some REAL openness for encryption.

      --
      Blessed are the pessimists, for they have made backups.
  11. Re:Point of clarification...isn't it patents? by Anonymous Coward · · Score: 0
    I always thought the restriction on import of encryption software was more related to US patents.

    By the way, doesn't RSA's patent on DES run out this month?

    Rikkers

  12. "..letting US citizens have rights..." by Anonymous Coward · · Score: 0

    No one lets you have rights. You take them.

  13. NOT a complete victory by Anonymous Coward · · Score: 1

    The new regulations are not as good as they seem. True, it will no longer be necessary to get government approval for each instance of an export, but the producer of a product must still register the product with the government. That's OK for Microsoft or RSA, but I don't think it works for open-source software. Note also that the announcement of the new regulations appears to be a move by the administration to head off SAFE. The administration still claims that SAFE would compromise national security and would therefore be vetoed. Write your congressman and tell him to vote for SAFE.

    1. Re:NOT a complete victory by deefer · · Score: 1
      From the CNN article: "And for makers of mass-market software, such as Microsoft Corp. and IBM Corp., the rules forced companies to weaken the security in Web browsers, e-mail programs and other products. "

      The question is, did the Government actually have to get Micro$lop to weaken their security for NT in the first place? :)

      --

      Strong data typing is for those with weak minds.

  14. Why there's no info on free software distribution by Gleef · · Score: 4

    Here is the actual whitehouse briefing. The articles had no info on online or free software distribution, because the press release had no information. Our media has gotten so absurdly lazy, they don't bother to inquire about anything.

    It would be good if someone could find an online copy of the actual Executive Order.

    --
    Open mind, insert foot.
  15. Probably a trade-off by Skyshadow · · Score: 1
    The law enforcement folks probably struck some kind of deal they're not telling us about yet -- something they'll sneak in added to a bill like "The Baby Seal Protection Act" which will allow them to continue treating us like residents in a police state.

    Or maybe I'm just a bit cynical about our government *ever* giving an inch and letting US citizens have rights...

    --
    Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
  16. Re:Minor nitpick... by Skyshadow · · Score: 2
    >..but why create a new unit under the FBI, when the NSA probably has significant numbers of
    >mathematicians and computer scientists, and the clock cycles to help 'em?

    Be afraid.

    The FBI is chartered for domestic surveillance. The NSA is not. This new unit is to spy on you.

    --
    Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
  17. Re:Worst case scenario (Part II) by mce · · Score: 1

    Whether the NSA/FBI/... are now giving in because they have found a new trick is "interesting speculation", but not all that relevant in practice. Even if it is true, nothing changes for users of "exportable" encryption software when dealing with the NSA: the NSA was able to break such crypto before, and it still is. What's more, nothing much should change for users who distrust the NSA and use stronger crypto either: based on their distrust and assumption that the NSA already had a secret trick up their sleeves, they will (should) already have opted for stuff that is a lot harder to break anyway.

    What is relevant in practice, is that one can now export (i.e. use) stronger crypto that (for the time being) only the likes of NSA, but not Joe Random Cracker, would be able to break.

    Notice that I'm not saying "so what". All I'm saying is that the important thing is that it's a move in the right direction, whatever reason made it possible.

    --

  18. We can't relax by phil+reed · · Score: 1

    We still need to keep an eye out, to make sure that some elements of the administration don't try to sneak in some kind of compromise (escrowed keys, for instance).


    ...phil

    --

    ...phil
    "For a list of the ways which technology has failed to improve our quality of life, press 3."
    1. Re:We can't relax by Stonehand · · Score: 2

      According to the Washington Post article,

      * The legislation hasn't been introduced yet; wait 'til December to see if there's a change of heart.

      * The backing for it appears to be tied to some not-yet-introduced "Cyberspace Electronic Security Act of 1999", which includes the FBI code-cracker funding. I'd be curious to see what other provisions are intended.

      * Companies still need to get a (one-time) certification for export, so you're still not home-free.

      * They still oppose the "Security and Freedom through Encryption Act", on the odd grounds that the only people who would be safe "would be spies"...

      --
      Only the dead have seen the end of war.
  19. Re:Point of clarification...isn't it patents? by phil+reed · · Score: 1

    RSA does not hold a patent on DES. DH key exchange, yes.


    ...phil

    --

    ...phil
    "For a list of the ways which technology has failed to improve our quality of life, press 3."
  20. Right to keep and arm bears by Michael+K.+Johnson · · Score: 1
    Yes, it has been OK to import strong encryption. I suppose that if it is a munition, then it falls under our right to keep and bear arms... :-)

    Seriously, this has always been confusing to people. You have been able to import an encryption product into the US from country B, and then not export the exact same encryption product back to country B.

    --
    "Ever wonder why the SAME PEOPLE make up ALL the conspiracy theories?"
  21. Re:Minor nitpick... by substrate · · Score: 4
    For the NSA to get involved in certain actions would be beyond the scope of their charter, it'd be illegal. The purpose of the NSA (pilfered from the NSA web page) is

    > The National Security Agency is the Nation's cryptologic organization. It coordinates, directs, and performs highly specialized activities to protect U.S. information systems and produce foreign intelligence information. A high technology organization, NSA is on the frontiers of communications and data processing. It is also one of the most important centers of foreign language analysis and research within the Government.

    The FBI's charter however is:

    > The Mission of the FBI is to uphold the law through the investigation of violations of federal criminal law; to protect the United States from foreign intelligence and terrorist activities; to provide leadership and law enforcement assistance to federal, state, local, and international agencies; and to perform these responsibilities in a manner that is responsive to the needs of the public and is faithful to the Constitution of the United States.


    The NSA's goal is to provide signal intelligence from foreign sources while the FBI's goal is to uphold federal law and protect the US against foreign threats. They can be a consumer of information from the NSA if it relates to protecting us from foreign threats but not for residents breaking federal law.

    If I'm forced to have an organization trying to spy on my signals I'd rather have the FBI do it; they won't have near the resources of the NSA (the world's leading employer of mathematicians). To reduce the chances of me being spied on I avoid breaking any federal laws.
  22. Not a victory at all! by marnerd · · Score: 2
    Three things to consider: First, this policy still requires a review before cryptogoodies can be exported. It does not specify that every product that is reviewed will pass. They may very well approve web browsers and NT while not approving PGP, encrypted file systems or IPSec implementations.

    Second, the text of the bill indicates that software designed for end-users will be more readily approved. This indicates a bias against products that will protect whole networks and provide a secure infrastructure; ensuring that secure communications will remain the exception rather than the default.

    Third, the timing of this decree is obviously designed to kill the SAFE bill. The SAFE bill not only goes further in liberating crypto exports, but also carries the force of law. Repealing a law is a large affair, requiring a vote of congress and thus allowing the public time to lobby, cuss and complain. This decree does not dismantle the export regs, and they can be tightened to previous standards with a stroke of a pen and no opportunity for public comment.

    Do not let this kill SAFE! Lobby your congresscritter!

    --
    Not so much a sig as a lack of one.
  23. The stated reasons for doing this... by Mawbid · · Score: 3
    are very interesting:
    White House spokeswoman Nanda Chitre said the move, which was announced Thursday, affected software and hardware and was intended to benefit the economy, preserve privacy, serve the national security interest and protect law enforcement capabilities.

    "Serving the national security interest" and "protecting law enforcement capabilities" were apparently not the reasons for restricting export in the first place. We have always been at war with Eurasia.
    --
    Fuck the system? Nah, you might catch something.
  24. What's the real deal? by Sulka · · Score: 1

    None of the articles said what this really means.

    Will they raise the bar by a couple of bits or do we get to 128? Any restrictions on the kinds of software?

    Also, how does this go with the Wassenaar contract? Is it that now that Wassenaar went through, US can happily rely on other countries living with no exporting due to the contract. So, in essence, does this mean the White House is saying the contract doesn't apply to US anymore? Looking at the past where everyone else could export and US companies couldn't, the situation has now been completely reversed. Smart tactics from the US government.

    --
    "Although it is not true that all conservatives are stupid, it is true that most stupid people are conservative."
    1. Re:What's the real deal? by ebenson · · Score: 3

      You can find the full text of the bill itself and an analysis here:

      http://www.epic.org/crypto/legislation/cesa/

      It appears that 64 bit encryption will be allowed, and 128 `may be' allowed if it is designed for `end users' and does not require very much tech support, and is not being exported to the 7 `terrorist' countries.

      I also read in a transcript of a White House briefing that Wassenaar will be modified to reflect this somehow, but it was somewhat vague...

      Something else interesting is this so-called 3rd party key repository in which people can optionally deposit their private keys for `backup' purposes. The Government of course can get access to any key this 3rd party has after getting proper `judicial authorization'. I am sure we will see a lot of Government BS to try and convince people to deposit their keys...

      --He who gives up liberty for security ends up with neither. --Benjamin Franklin

      --
      Ethan
  25. The reason? by Sulka · · Score: 1

    As I speculated in another article, the reason might be the fact that now that the US has all other countries tied up with the Wassenaar contract, they have less competition in the marketplace. Without the restrictions they couldn't have passed the contract. Now with the contract in place, they can free up their own export regulations and let the US companies really grab the market.

    So, it's all just marketing tactics done by politicians. Money talks.

    --
    "Although it is not true that all conservatives are stupid, it is true that most stupid people are conservative."
    1. Re:The reason? by Noryungi · · Score: 2

      That's debatable.

      First of all, I am not sure the Wassenaar agreement has anything to do with crypto. I thought it was more about intellectual property (but I may be wrong).

      Second, don't forget that some extremely good crypto has been issued from Europe and the rest of the world. For instance, IDEA (which is used by PGP) came from Switzerland. Another crypto proposal, which is currently under review as one of the possible US federal standards, issued from a group of researchers in the Netherlands. Some Scandinavian firms, such as DataFellows which is from Finland (I think), already produce some pretty good crypto software, based on Blowfish and IDEA.

      There is a lot of money to be made, that's for sure. Which is certainly one of the reasons for this display of crypto love. But I don't think it's the only one.

      Then again, what do I know? =)

      --
      The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
  26. 3rd party key repositories by Sulka · · Score: 1

    Now that's an interesting idea. :)

    Someone's really given thought on this one and still fails to understand that the misusers haven't and still won't do anything by the regulations nor tell of the use to third parties. The repositories will probably end up with a ton of keys from people who never have anything to say that'd require cryptography in the first place. :)

    --
    "Although it is not true that all conservatives are stupid, it is true that most stupid people are conservative."
  27. else if(SAFE && Internet Tax) by Odinson · · Score: 1

    Warning !!! IANAL

    We seem to have a congress with two bridges to burn... How to tax the internet, and how secure can we allow the Internet to be. The real question for congress (whether they realize it or not) is not how to tax the internet, but how to justify taxing the internet. Perhaps a combo bill would be powerful enough to ram right through lobby roadblocks.

    Some key points of such a bill:

    * No review or restriction of any crypto (up to X number of bits encryption.) Complete restriction after X.

    * Online transactions (when the consumer is physically located in the US) must be made by credit or debit card. Credit card/Debit card companies/banks will be responsible for extracting N% federal sales tax.

    Now congress can justify why American citizens should pay an internet tax. N-Y% (Y will likely go to kissing someone's butt to make this thing pass) of the internet tax can be spent on propping up agencies like the NSA and FBI so they can effectively brute force X-level encryption upon court order.

    This should work if you choose the correct numbers for N, X and Y.

    Whatever you push to the congress critters, remember to keep it fair and simple.

  28. Point of clarification by LizardKing · · Score: 3

    One thing that I never understood about the US crypto laws was this:

    Is it OK for a US citizen to *import* strong encryption?

    If the US laws state only that crypto shouldn't be exported, then the law is becoming a bit of a non-issue. There are plenty of good encryption algorithms and software coming from outside the US, from places like Israel, etc.

    Perhaps this change of heart is to prevent other countries adopting draconian export licenses which would hinder US software houses. Of course, export laws will never hinder covert organisations who will use the best available crypto code regardless of laws ...

    Chris Wareham

  29. Why does the FBI care? by mph · · Score: 2

    Something that just occurred to me upon reading that the FBI is getting concessions, and recalling that Louis Freeh (the FBI director) has been so anti-crypto.

    The US government does not prohibit US citizens from using cryptography, no matter how strong, as far as I know. PGP and so on are just fine for US citizens to use. The government just doesn't allow their export.

    So, the crypto regulations that the US has are, in theory, supposed to prevent foreign interests from getting strong crypto. The regulations don't work, of course, but that's the motivation for them.

    The FBI is a domestic law-enforcement agency. Practically everybody it's supposed to be watching is already allowed to use crypto. The people who would benefit from the export regs (if they actually did anything) would be the CIA and the NSA, which monitor international communication.

    So, why is the FBI in a position to receive concessions when the export regs are relaxed? They shouldn't be in a position to benefit from the regulations in the first place!

  30. Minor nitpick Re:Minor nitpick... by kuro5hin · · Score: 3
    > For the NSA to get involved in certain actions would be beyond the scope of their charter, it'd be illegal.

    The NSA doesn't officially have a charter. Or at least, if it does, you, I, and everyone else are not allowed to see it. The description on the web page is filtered through some rose-colored glasses. NSA does not, and is not legally required to, stick solely to foreign SIGINT. They tend to, because otherwise they piss off other US spy agencies, but they will do, and have done, whatever they feel is necessary, including domestic snooping on many occasions.

    In general, though, your conclusions are sensible. The FBI is not nearly as competent, so I'd much rather have them trying to decode my bomb plans, or laundry list, or whatever. :-)

    ----
    We all take pink lemonade for granted.

    --
    There is no K5 cabal.
    I am not the real rusty.
  31. Re:A few countries deemed .... by BonzoDog · · Score: 1

    From here

    Few = 7

    Countries = Iran, Iraq, Libya, Syria, Sudan, North Korea and Cuba.

  32. Janet Reno is not your friend by Detritus · · Score: 1
    From Wired:

    "The court shall enter such orders and take such other action as may be necessary and appropriate to preserve the confidentiality of the technique used by the governmental entity," Section 2716 of the proposed Cyberspace Electronic Security Act says.

    This would mean that the feds could introduce evidence at a trial and not disclose how they obtained it. I think that is a very bad idea. What would prevent them from fabricating "incriminating evidence" and saying "we can't tell you where it came from, trust us"? We already have the use of anonymous tips from non-existent sources as a basis for obtaining search warrants.

    --
    Mea navis aericumbens anguillis abundat
    1. Re:Janet Reno is not your friend by mavorama · · Score: 2

      Yeah. I read the wired article and had the same reaction you did. I thought I'd post the link since it is a very good article: http://www.wired.com/news/news/politics/story/21810.html

  33. Re:Decrypt this one, big brother. by Greg+W. · · Score: 1

    o yjoml oy jsd dp,yomh yp fp eoyj no;; v;omypmd jrsf nromh dvts,n;rf

    Hey! They're only giving Janet $80 million -- you've just wasted about $3 million of it, so she's only got $77 million left for other codes!

    And you misspelled dp,ryjom -- but that'll probably make it harder for her to decipher. :-)

  34. Re:Why use U.S crypto products? by Tim+Pierce · · Score: 1

    The only people who should ever have been inconvenienced by the export regulations are U.S.-based crypto sellers. U.S. and non-U.S. citizens have access to strong crypto anyway.

    U.S. citizens cannot contribute work to a cryptosystem that is distributed outside of the U.S. That is a good practical reason for objecting to crypto controls.

    But besides that, crypto laws are an area where we clearly need to be concerned about our eroding rights. I don't think there's any doubt that Freeh and Reno would be just as glad to see the use of strong crypto outlawed. For them to head off a law that would have eliminated most export controls, simply by throwing a tiny concession to the computing industry, would be a significant strategic victory. That is why we should be concerned about the effect of this move.

  35. no celebration yet by Tim+Pierce · · Score: 2

    What we know so far:

    Few details have been released. The only official words on the subject seem to be yesterday's White House briefing, which is more like press release cheerleading than hard policy. The briefing was conducted by:

    • Deputy National Security Advisor Jim Steinberg,
    • Attorney General Janet Reno,
    • Deputy Secretary of Defense John Hamre,
    • Undersecretary of Commerce Bill Reinsch,
    • and Chief Counselor for Privacy at OMB Peter Swire.

    Reinsch's role in the briefing was mainly to answer procedural questions about Wassenaar and technical review. Swire spoke very briefly in support of the upcoming Cyberspace Electronic Security Act, and talked about how key escrow will make all our lives better.

    That leaves Steinberg, Reno and Hamre -- noted opponents of private crypto, all three -- to express their support for the Administration's decision to relax export controls.

    I smell a rat.

    As others have noticed, the closest thing to a firm commitment that has been made is that a "license exception" can be made for products that pass a "one-time technical review." The details of the technical review are not forthcoming: Secretary Daley says, "That will be developed over the next number of weeks." Nor do we know under what circumstances a license exception will be granted. This has all the earmarks of being all talk and no action.

    Maybe this is the most telling part of the briefing:

    Q: Would you consider this a relaxing of restrictions on encryption?
    Attorney General Reno: No.

    I am not getting my hopes up. The right thing for us to do is to contact our Congresscritters and make sure they understand that it is still important to pass SAFE -- maybe more than ever.

  36. Re:Not a substantial change by Gid1 · · Score: 1


    Also, this has relaxed the rules enough for big business to sell their stuff *reasonably* easily.

    Thus, there's a lot less incentive for big business to continue lobbying for total freedom.

    Now that big business is happy, what's the chance of this trend continuing any further?

  37. A few countries deemed .... by Basje · · Score: 1

    Define few...
    Define national security threat...

    I don't believe this relaxation. You either restrict it, or you don't.

    --
    the pun is mightier than the sword
  38. How do I contact my representative??? by Slimbob · · Score: 3

    Slightly offtopic to the article, but relevant:

    One of the great things about electronic communication is that it gives the common man instant lobbying power.

    One of the greatest things Slashdot:YRO could do is to post a tool, or a permanent link to a tool, that lets you quickly and easily determine who represents you. I have occasionally seen posts with links to sites like Project Vote Smart that provide this ability. More frequently I have seen posts where people have formatted excellent letters to send to your congressional representatives that address various issues (UCITA, Microsoft trial, etc.), but I still have to do a lot of rooting around to find out who my current representatives are.

    This process could all be streamlined right here on YRO, if there was some kind of simple tool (enter your ZIP, up pop the email addresses of everyone who represents you).

    There are a lot of intelligent opinions on Slashdot. We need to make them visible in the political arena.

  39. Wow, these guys work fast... by sheck · · Score: 1

    No sooner is Microsoft's Freedom to Innovate Network founded than they get the government to relax the crypto export regulations.

    I just wish I had joined FIN so I could claim to be part of the group that made it happen [or at least claim to have made it happen].

    Can't wait until FIN finds a way to protect me from the internet boogey man.

  40. Big fscking deal by coyote-san · · Score: 3
    As I understand the proposed changes,

    Microsoft will find it far easier to export W2K (which includes e&e Kerberos)

    My company *might* be able to get an export license for a Kerberized Linux distribution. Or it might not, since my company is still at the "one person in the garage" stage. Red Hat wouldn't have this problem, but if the export license prohibited export of source code they're still dead in the water due to the GPL.

    Debian wouldn't have a snowball's chance in Redmond of being able to carry my (US) Kerberos packages on their pages.

    To me, this proposal is proof that "social engineering" isn't limited to crackers. This proposal will get industry lobbyists off the administration's back, and it gives them the perceived moral high ground on the Sunday morning talk shows. ("We've removed all but token obstacles to American businesses competing in the world market. Only drug running child pornography terrorists will be impacted, and We Don't Want To Help THEM, Do We?!")

    WE know that it also hurts us, but we also know that we're all a bunch of pinko communists. Just look at the "exposes" that appear on a regular basis.

    Finally, as others have pointed out, Executive Orders can be rescinded, often with no basis in reality. E.g., I'm still showing my passport to board domestic flights because TERRORISTS BLEW UP TWA 800. That theory has been discredited for years, but the EO that grew from it is still in effect. I would not be surprised if this EO blocked passage of SAFE, then in 6 months some crisis is manufactured which justifies slamming the door again. Naturally products with licenses (e.g., W2K) will be grandfathered.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken

  41. How does this effect free software? by Hobbex · · Score: 2

    Can anyone with better insight into this whole soap opera answer the question that is notably missing from the press coverage, namely what this means for open development and online publishing?

    I understand that it means companies like AOL, NA and co. can now get one license to export crypto products that would cover all shipments of the product, but it doesn't say anywhere that the regime will actually grant that license, or anything about the terms required. And while a company might be able to negotiate the terms with the American regime, that is completely out of the question for an open source effort, right? (I mean, they would still need to have it re-evaluated with every version).

    What about the professor who posted his crypto routines on his webpage? As I understand the new law, he might actually be able to do it, but only after applying for a license and being granted one. Wow, that is sooo much better.

    It seems to me that this is a bit out of touch with reality. It makes it clear how to export shrink wrapped crypto software, but how many of you bought your crypto software in a shrinkwrap anyways? The real issue is online, I couldn't care less if I will now start seeing american crypto products in stores here.

    Good for Microsoft though... (they can dump the whole key thing and include the crypto modules in NT's installation now - just in time when the PR damage has been done, how sweet :-) )

    -
    /. is like a steer's horns, a point here, a point there and a lot of bull in between.

  42. Fall Out by dkm · · Score: 1

    Well, the opponents of relaxing imports have gotten their PR machines rolling. This BBC article doesn't say much other than reiterate the old terrorist and criminals argument. Same old BS.

  43. Yeah, Right.... by detritus. · · Score: 1

    Heh - in other words, the government either has the technology or the keys to encryption algorithms - I don't think they would be that stupid.

  44. Not a substantial change by anticypher · · Score: 3

    I think the Clinton administration is just throwing the dog a bone on this one. They have eased up only slightly on large companies with existing export agreements on crypto previously approved for export. In the future, a company will have to go through an export review only once before being allowed to ship crypto inside of another product. There is clearly no mention of freeware or OSS products in these press releases.

    What this bill does not cover includes sales to any foreign government, military, or ISP. Those will still require a case-by-case review. Only products that meet the requirements for law-enforcement intercept will get this one time approval, so key-escrow and door-bell systems will quickly get the green light, others will have to slog through a years long process. They will still criminalize exports to "terrorist" countries, such as Cuba, but allow it to friendly nations like Colombia.

    Nobody gets to see the wording of this new policy until December, so it is hard to tell why Hamre and Reno are smiling at this announcement. I have a feeling there is nothing new here except a minor improvement for big companies in return for a drop-in-the-bucket US$80million for a dedicated cryptanalysis team for the FBI. It's just a PR move.

    For another slightly pessimistic view, go read this San Jose Merc article. Given the track record of the administration, I really don't think they've suddenly given up the fight and want strong crypto everywhere.

    the AC

    --
    Hemos is like...sci-fi fans; he thinks technology is cool, but he hasn't bothered to understand the science it's based on

  45. "The only person who'd be safe if the SAFE bill we by spinkham · · Score: 1

    "The only person who'd be safe if the SAFE bill were to pass," Hamre said, "would be spies."
    WTF?
    Isn't that like saying, "If gun ownership is legal, only criminals will use guns"? What a bunch of crap...
    If the SAFE bill were to pass, the citizens would be another step closer to running the country, not the bloated, increasingly self-centered government. OK, I hope I'm not quite as paranoid as I sound, but it does appear the government doesn't care about the citizens any more, but rather focuses on giving itself more power.

    --
    Blessed are the pessimists, for they have made backups.

  46. Re:Decrypt this one, big brother. by mochaone · · Score: 1

    Uh, which one are you referring to? Based on past actions I think there is room for debate.

    --
    Hates people who have stupid little sigs

  47. Re:BXA has updated its encryption page by hbo · · Score: 1

    I meant to add that the Bernstein case may blow this approach out of the water.

    Howard Owen hbo@egbok.com Everything's Gonna Be OK Consulting

    --

    "Even if you are on the right track, you'll get run over if you just sit there" - Will Rogers

  48. BXA has updated its encryption page by hbo · · Score: 2

    The Bureau of Export Administration (BXA) has updated its encryption web site to include information on the new policy. In the question and answer page appears the following :


    8. Is source code allowed to be exported under a license exception or does this policy only authorize the export of encryption object code?

    Source code will continue to be reviewed under a case-by-case basis. This update will allow the global export of object code encryption software under a license exception.


    This confirms the fears of many posting here that OSS crypto is NOT covered under the new policy.
    They also had an item this morning that seemed to imply that they were still hoping for some sort of key escrow for law enforcement, but it has since been pulled.
    It should be interesting to see how continued restrictions on the export of crypto source code are rationalized. The stated reason source (and object) code was treated differently from printed matter in the past was that such code represented an encryption "device". Clearly this continued restriction on source code export is designed to hobble freely available packages such as SSH, PGP and GnuPG. Why? So that export of crypto can be confined to business entities that can be pressured to play ball with the Government. Paranoid rant? I don't think so.
    Howard Owen hbo@egbok.com Everything's Gonna Be OK Consulting

    --

    "Even if you are on the right track, you'll get run over if you just sit there" - Will Rogers

  49. Paranoid like me? by LinuxParanoid · · Score: 2

    Besides the "party line", which I'm sure we'll hear plenty about, what's really going on? Why so sudden? Which of the following options have come to pass?

    1) NSA can factor prime numbers?
    2) NSA/FBI finally gave in after the finalists for AES (successor to DES which they can brute-force) were announced since they can crack them all (and PGP, and RSA, and elliptic curve)?
    3) The U.S. military has become so heavily dependent on TCP/IP that they need a secure infrastructure throughout the Internet.
    4) NSA has developed effective nano-mites which effectively render all encryption obsolete via a physical side-channel attack?
    5) Intel's microprocessor dominance is now assured. And the NSA has inserted a microcode hook (can you say, "mask technician?") in all Intel processors (cf Ken Thompson, "A well installed microcode bug will be almost impossible to detect.")

    Reply with your speculative other options. Remember "only the paranoid survive."

    --LinuxParanoid

  50. Worst case scenario (Part II) by Noryungi · · Score: 3

    Rejoice, crypto friends! Strong encryption is now about to be legalized in the US... Or is it?

    Here is a quote that I like (from the Washington Post):

    Pressed to explain the turnabout, Reno and Hamre said their concerns were assuaged by the administration's pending introduction of legislation called the Cyberspace Electronic Security Act of 1999, which would give the FBI $80 million over the next four years to establish the new code-cracking unit.

    That's really interesting. Up until now, the NSA was not allowed by the law to conduct SIGINT (code-cracking) operations against US citizens. Now, this new law gives the FBI a spanking, brand new unit, specialised in... tada! code-cracking! I think this little outfit will be more like a joint-venture between NSA and FBI. It happened before -- but now it's going to be legit.

    Think about it for a second: who is the ultimate authority in code-cracking? NSA. Who has been playing the little game of crypto for the past 20+ years? NSA. Who has the brain- and CPU power to do some serious code-cracking? NSA. I can't believe, for more than 10 seconds, that this agency is going to just stand there and let the FBI have it its own way, especially since these people have been very cosy for a number of years now. Expect some interesting stories to surface in the near-future... I really expect the NSA to start spying on US citizens. Maybe not on a scale on a par with the "Echelon" project, but certainly a lot more often than what was the case previously.

    Another important question is: WHY NOW? Why accept a law these people have been fighting tooth and nail for the past 5 years?

    Is it because there really isn't any choice and crypto's Pandora box is open? It's possible. The rest of the world has been doing a great job creating strong crypto, despite (or because of) the silly US ban on export.

    Is it because NSA scientists would like to get fat stock options from new Silicon Valley start-ups? That's possible too. Some of these people are incredibly smart, and it must hurt to see so much bad code out there, while they are the cream of the crop, but can't talk because of the security involved. Expect plenty of little, unknown crypto companies to appear overnight if that's the case.

    Is it because the NSA has found a new way to factor prime numbers? That could also be the case... Imagine 2048 bit crypto cracked in 15 seconds flat and 4096 bit in half an hour, due to some ultra-secret mathematical breakthrough. Why keep on playing the export control game? Just let crypto go free. NSA can read your e-mail anyway. Oh, and your SSL transactions as well. Of course, it's not going to publicize that fact.

    Yeah, I know. I *am* getting paranoid... =)

    But you have to admit this last scenario makes sense, all of a sudden. It certainly explains the change of heart of this ultra-secretive organization. And the fact that it makes Al "I invented the Internet" Gore look good doesn't hurt, either.

    Just my $0.02...

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)

  51. Minor nitpick... by Stonehand · · Score: 1

    ...but why create a new unit under the FBI, when the NSA probably has significant numbers of mathematicians and computer scientists, and the clock cycles to help 'em? Sounds like duplication of effort...

    --
    Only the dead have seen the end of war.

  52. What gummint gives, gummint takes away by liberty! · · Score: 1

    Ah, the joys of rule by decree. They can always change the decree whenever they wish. Note that this is not a change in law but rather a change in regulation. Oh, joy...

    I see no lasting good news here!

    --
    Free the mallocs!

  53. Media is Cryptic (pun not intended) by Ludd+Kilken · · Score: 1

    I think we need someone to read the regulation and report how it affects free software and open source software.
    If I write a crypto program I don't intend on selling it. How weak must it be to export? Is the approval free?
    It's an act of good for Netscape, I suppose.

    At least it's a start. :)

    --

    fou aje oym asoyf ueyf jaffaq afset su!6j!/\ op 'ua>|7!>| ppn7

  54. Why use U.S crypto products? by Twinkle · · Score: 1

    I find this whole subject moot. There's no need to use U.S. encryption. Several of the candidates for A.E.S. were invented outside of America anyway.

    People outside of the U.S. should use non-U.S. strong cryptography; it's freely available (and generally free - PGP International and GNUPG are two examples) and at least as strong as the U.S. variants.

    The only people who should ever have been inconvenienced by the export regulations are U.S.-based crypto sellers. U.S. and non-U.S. citizens have access to strong crypto anyway.

    Does anyone really believe that a halfway intelligent criminal would not have downloaded PGP by now?

  55. Yesterday by Hermetic · · Score: 1

    I think the consensus yesterday on /. was that this new "relaxation" is simply a concession on the part of the government. They know that our silly little laws aren't stopping anything from going anywhere, and are finally bowing to the pressure from all sides of the American computer industry.

    When I was in Japan a few years ago, I ordered a cheesy reseller system (because they would mail it to me and they financed over the phone). They would not send me MS Office 97 Home Edition because of the encryption in MONEY! The stupid thing is, I could go buy an American version (the one they wouldn't send me) from various places throughout Asia, and not only from pirate shops.

    With the advent of incredibly secure encryption schemes that are so easy to download (PGP, et al.), American export laws are silly at best.

    --
    Computers can only simulate determinism. ~Hermetic.

  56. Re:Point of clarification...isn't it patents? by ford42 · · Score: 1

    Close, but not quite.

    The patent on the RSA algorithm runs out precisely one year from today -- Sept 17, 2000.

    366 days and counting...

  57. Backdoor Entrance - by punkrawk_freak · · Score: 0

    I'll shove something up their backdoor, that's for sure. (This is not Flamebait)

    --
    -=>>=-

  58. Of Course, Microsoft is unaffected by the move... by punkrawk_freak · · Score: 1

    ...because people have never been able to make any sense of their products anyway...

    --
    -=>>=-

  59. Re:Decrypt this one, big brother. by punkrawk_freak · · Score: 1

    Well done! The misspelling was there as a reference point to identify true decipherers. As for the $3million - just doing my little bit to help... (and it was $4.3million actually.) movr pmr@

    --
    -=>>=-

  60. Decrypt this one, big brother. by punkrawk_freak · · Score: 2

    o yjoml oy jsd dp,yomh yp fp eoyj no;; v;omypmd jrsf nromh dvts,n;rf

    --
    -=>>=-

  61. fine print of new US crypto export regs by Savage+Henry+Matisse · · Score: 1

    One aspect of these relaxed regs, highlighted by Wired News but ignored pretty much everywhere else, is that investigators will no longer need to reveal their methods for arriving at a plaintext from a cryptotext for which they had no key. There are some scary implications to this. Specifically, if investigators cannot be compelled to reveal how they decoded encrypted info, they could take an encrypted doc which they could positively attach to the defendant, and then present in court ANY plaintext as being its source. They could make up the foulest, nastiest, most incriminating thing in the world and claim it is the plaintext. With a decent algorithm (i.e. ANY strong algo) there is NO WAY to verify that a plaintext and cryptotext match up without the key (that's the point of encryption, for god's sake.)

    As the investigators cannot be made to reveal HOW they got plain from cipher, the only defense the defendant could make would be to decrypt the doc in question before the court herself, and that would require her to expose to the court her cryptosystem and key. I.E., in the end, she would be giving up the one thing that protected her.

    An even worse scenario: another clause in these regs permits courts to subpoena private keys (previously considered unconstitutional, as it forces a person to incriminate herself.) If the defendant refused to do so, claiming to have forgotten the key, and the prosecution later played its dummied-plaintext trump card, she would be put in the position of either 1) going to prison for heinous crimes she never even considered committing or 2) admitting to perjury. This is a very-much bad situation that we, as citizens, are being put into. The NSA, again, has designed a brilliant protocol.

    --
    Much Love,
    "S"HM
    *****
    (I refuse to spellcheck out of contempt for your belief system)
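The post's point that a ciphertext by itself cannot be checked against a claimed plaintext is exact for a one-time pad. This added example (not from the original post or any project) encrypts a constructed message, then derives a second key under which the very same ciphertext "decrypts" to a different constructed message of the same length; all messages and keys are made up here.

```python
"""Added example: a ciphertext alone does not pin down its plaintext.

With a one-time pad (XOR against a random key as long as the message),
every plaintext of the same length is equally consistent with a given
ciphertext, and anyone holding the ciphertext can derive a key that
'proves' whichever plaintext they choose. All data below is constructed.
"""
import secrets


def otp_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """One-time pad: ciphertext = plaintext XOR key (key at least as long)."""
    if len(key) < len(plaintext):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


# XOR is its own inverse, so decryption is the same operation as encryption.
otp_decrypt = otp_encrypt


def key_for_claimed_plaintext(ciphertext: bytes, claimed: bytes) -> bytes:
    """Return the key under which `ciphertext` decrypts to `claimed`.

    This is the heart of the post's concern: nothing in the ciphertext
    refutes a claimed plaintext, because a key exists for every candidate
    of the right length and it is trivial to compute.
    """
    if len(claimed) != len(ciphertext):
        raise ValueError("claimed plaintext must have the ciphertext's length")
    return bytes(c ^ p for c, p in zip(ciphertext, claimed))


def demo() -> dict:
    """Encrypt an innocent message, then 'show' a different one was sent."""
    real_plaintext = b"meet me for lunch at noon"        # constructed sample
    real_key = secrets.token_bytes(len(real_plaintext))  # genuine random pad
    ciphertext = otp_encrypt(real_key, real_plaintext)

    # A party who never saw real_key asserts the ciphertext says this instead
    # (constructed, deliberately the same length as the real message).
    claimed = b"ship the crates on friday"
    forged_key = key_for_claimed_plaintext(ciphertext, claimed)

    return {
        "real_roundtrip": otp_decrypt(real_key, ciphertext),
        "forged_roundtrip": otp_decrypt(forged_key, ciphertext),
        "keys_differ": forged_key != real_key,
    }


if __name__ == "__main__":
    print(demo())
```

With a keyed block cipher the same conclusion holds for anyone who lacks the key, even though an arbitrary plaintext cannot be fitted to a multi-block ciphertext this cheaply; an authentication tag binds ciphertext to plaintext only for a holder of the key.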