Still Can't Export Open-Source Crypto
The New York Times today reports that the Easing on Software Exports Has Limits. (Free reg. required.)
Turns out the administration's recent change of heart on crypto specifically excludes open-source software. "When it comes to source code ... 'nothing has changed.'"
Would it be legal to create a program that, when run, creates the source file for the crypto?
I agree with an earlier poster; we should have 'Upload Strong Encryption Source Day'. THAT might get some attention. The bastards.
and then scan the paper and presto
For starters, it's illegal for a US-based Linux distribution, for instance, to include ssh without a license. And licenses are not cheap.
I predict that this will be short lived. Eventually the rules will change and you won't be allowed to export without the source code. This will represent a change, based on enhanced security, and people will complain about it too. For now, just make money doing what comes naturally.
There was, if I recall correctly, a proposal where prosecutors would not have to disclose in court how law enforcement obtained information from encrypted files. Quite apart from the potential for abuse ("You mean to say you're NOT a subversive pedophile? This binary file on your disk indicates you are. Maybe you should decrypt it so we can see what it really says."), the above proposal hints strongly that approved crypto codes will have back doors built into them. I can see some outfit fnordMicrosoftfnord having its product held up for months then getting a hint from the NSA that an "optimisation" might get their release approved within a week. Open source crypto would reveal exactly what was going on, which is why the spooks can't allow it out the door.
That would be cool...
cypherpunks/cypherpunks doesn't seem to work anymore, nor does cypherpunk/cypherpunk or any of the other common public logins.
Did they wise up to it?
But anyone can buy a book such as Applied Cryptography and implement RSA or Blowfish based on what they read there. They really don't need to fully understand the principles behind encryption to use it. While a lot of security software has been reviewed by expert cryptographers, a lot of it wasn't written by them.
What's the Constitution? Didn't that disappear years ago?
It sounds like the gov't hopes that the large majority of crypto users will use canned MS software without the benefit of open-source community oversight. Thus, the US gov't is attempting to slow down the adoption of an open-source large key space crypto application.
Like that idea :)
/.ers
Keep up the brainstorm
-kabloie
It's not very productive to talk about the injustices of crypto export laws. While they're a pain in the ass, they're going to be around for a little while longer, at least.
One of the proposals here on Slashdot was to organize a civil disobedience day-- a day in which geeks would FTP GPG, PGP, and other export-controlled stuff, and re-export it. Sounds like a real way to say, "Fuck you!" to congress, but not very useful.
Another *very* interesting idea was to create a Virtual Machine such that any binaries for the machine can be easily, readily, and quickly converted back into a source code format. A nice idea, but what about comments? Would *those* be part of the executable? A quick check shows that GnuPG is a megabyte in size when tarred and gzipped. That translates to one *big* program when you get through with it all.
Lobbying seems to have done well enough. Now, instead of Clinton's clueless crypto policy, we have Clinton's bullshit crypto policy (why can't you create a *reasonable* policy, Mr. President?). Besides, not enough senators (with a few exceptions) even *care* about the crypto policy issue to make a difference. So lobbying is getting there, inch by inch, but we need to speed it up.
So what are we supposed to do about it, folks? I'm not a person for sitting around my thumb up my ass. And I really think this issue is something that we need to stand up for.
My proposal? Raise some fuckin' awareness. Tell people that their constitutional rights are being infringed (at least, according to the 9th Circuit Court). Get more people registered as international arms smugglers. Hold demonstrations in your town square, if you want. But let people know.
Just my $0.02
Why is it so important to export crypto technology? I mean, I'm pleading ignorance here. I want to know why it's "Your Rights Online" that are being compromised by not being allowed to export crypto source code.
Thanks,
ichthus
It's quite clear to even the most dim-witted government flunky that there is high-quality strong encryption available to the masses of the world. The fight here is to convince the cattle that there is not strong encryption or that using it is wrong. Everyone should encrypt everything. Most email is in plaintext because people think that encryption should only be used for "important" things. If everyone encrypted everything then the government would have to decrypt everything. Maybe the NSA can crack your Twofish key but can they crack 6 billion Twofish keys?
How many times does the current U.S. federal government have to spell it out to the programming community or anyone else? Does it have to engrave the message into a monument? Please, they would like to keep their impotence tacit. Here's the point, just do not push them on it:
"We, the U.S. federal government would be irrelevant if we where not so powerful. Innovators, take your business, your creativity, and your selves to a different country. We want the sun to set quickly on the American era, and we do not want you drawing out the process with your prosperity. To that end, we, the Dead Hand Of Government, will stifle all that is creative and meaningful."
Until we move, what most of us will do is sidestep the government through its own loopholes and incompetence, but the long-term strategy is looking remarkably clear. The U.S. public has proved itself incapable of electing qualified politicians and, equally important, reining in the power of arrogant, un-elected bureaucrats. For now, use open source encryption, open source software, keep a gun, join the NRA, know your friends, get a passport, do not trust the corporate news media, vote in all elections, and avoid fluoride. Most importantly, using probability analysis, find a balance between pollyannaism and paranoia. Let the brain drain begin.
(Regarding fluoride, start by looking up why the FDA will not approve its use.)
To be specific, they now have the resources to bribe US senators and congressmen. This is how legislation in the US gets written... sad but true.
http://www.bxa.doc.gov/Encryption/q&a99
This has been up since the policy change was announced.
My opinions on this are here
-hbo (my password is packed in storage)
Umm. They never said they own the world. They simply passed laws telling their people how to behave. The US GOVT said 'You will not export crypto without permission.' to its citizens. If they have a problem with that, then it's up to them to change it, not the rest of us. We can certainly let them *know* that the rest of the world doesn't behave this way.
You see what's really going on? There is a whole generation of people out there now (You guys) Who don't give a hoot about race or politics. You (me too) say 'why will our respective governments not allow us to trade information with each other... I don't think it's my government's place to tell me what to say to people...' And we probably realize a whole lot of other silly things that are going on too....
How do we change it?
Uhh.. obviously, if it wasn't created in the US, or by US citizens, and isn't being exported from the US.. then they don't give a hoot.
If the software is on a non-US site, then it's not being EXPORTED. They aren't trying to claim any sort of control over this.
They just change what their clocks say. They don't move the sun (though you gotta love the "Earth Orientation Department"), and AFAIK there's no law saying "Thou Shalt Own a Clock Accurately Set to Daylight Savings Time During the Summer."
Bug reports could be considered as exporting technical assistance, a no-no almost as severe as exporting crypto itself.
Why would a hacker waste time snooping their subnet instead of writing code? Use your own machine already!
The land of the free. Definitely.
I hope Theo doesn't move to Sweden. We got the same restrictive crypto regulations as the US have.
Damn, I just looked at the list again and it turns out I'm #6294. Weird. One of those small world things I'm always hearing about.
>Ok: this makes SuSE happy, doesn't it?
Sure. But it does not make me happier - I still think their Yast licence is a BadThing(TM).
>And for instance makes happier Software companies
> in Europe: the crypto laws of USA were a godsend
No, it does not. Closed-source is OK now, so European companies lose anyway. Except maybe for SuSE and similar.
>But anyway I downloaded ssh from a server in >Finland, and I'll continue to download from it.
Sure, I download it too, but I would prefer to have better integration with "strong cryptography" in the "core" package.
But, as far as I know, US companies aren't even allowed to make interfaces to strong-cryptography programs. I suppose that is the main reason why pine support for PGP is so crappy. If the US government wants to be really "anal" about the crypto law, RH is going to have a lot of difficulties.
I haven't programmed in JAVA in ages (and I only did it once to say I did it) so I don't remember the various file handles, so forgive me if I get this wrong (but point it out).
If JAVA fits the bill then we're already there. If the .class files are the actual source code and some other extension contains the object code and strips out all identifiers and optimizes code then JAVA isn't it.
JAVA is almost it, but I don't think there's exactly a 1 to 1 correspondence between each line of source code and each line in the object file. An old BASIC like on the Commodore 64 is a lot closer. The programs ran exactly as you input them, the interpreter didn't try to exploit any techniques for efficiency.
Does someone have a link to the text of this "policy"?
I am a card-carrying international arms trafficker, and have been for some time. Check out the ITAR Civil Disobedience page at http://online.offshore.com.ai/arms-trafficker/ and discover how easy it is for you, too, to become a felon!
w n-traffickers, btw.
You can even have a nifty letter sent to the president on your behalf, if you want to make your voice even louder.
And always remember... writing a real letter to your congresscritters never hurts matters. They're worth more than email.
I'm number 6293 on the list at http://online.offshore.com.ai/arms-trafficker/kno
You miss the point. I know that there are plenty of developers outside the US who could write crypto code. However, that doesn't invalidate the contributions that US developers could make. The whole point of this thread is how stupid the US legislation is. Sure, developers in other countries could do it, but that pretty much goes without saying.
As it happens, it's irrelevant because another responder pointed out that this tactic would still be illegal.
Cheers,
Perrin.
-Perrin.
Now I want you to go in that bag and find my lightsaber. It's the one that says bad mother-fscker on it.
I wonder if there's any chance that all the politicians in the United States will all simultaneously self-Darwinate.
"We practice selective annihilation of mayors
and government officials
for example to create a vacuum
Then we fill that vacuum"
Once all the politicians were gone, then maybe we could replace them with people who actually have clues...?
Cheers,
Perrin.
-Perrin.
Now I want you to go in that bag and find my lightsaber. It's the one that says bad mother-fscker on it.
I heard an interesting story about 6 months ago in a seminar from a security researcher about an unnamed international company wanting to connect their UK network to the one somewhere in the Middle East. Being security conscious people they encrypted the connection (no idea if it was some 40-bit Mickey Mouse crypto from some American company or something decent). Everything worked just nicely. However, after a month they got a call from someone claiming to represent the French government asking them to stop encrypting their VPN. The next thing they did was to ask their telco to reroute the connection so it didn't go anywhere near France ;)
What the hell...if the state legislature in Tennessee can decide to make pi = 22/7 by just saying so, what's to stop Congresscritters?
"How many light bulbs does it take to change a person?" --BMcC-->
I'm a Yank and my clueless government irritates me no end -- around here, only the relatively wealthy and vacuous can withstand the death march of running for election. It's why I've given up on our two-party system and voted Libertarian the last decade or so.
More to the point, what happens if somebody abroad creates really bitchin' encryption and posts the source code on a non-US site? Does this provide a workaround to the idiotic munitions-export rule? If so, maybe somebody needs to tutor somebody via pseudocode.
"How many light bulbs does it take to change a person?" --BMcC-->
--
There's no real problem for Red Hat. i.e, the Red Hat Europe subsidiary is incorporated outside of the US and they can provide the source code (and binary) rpms on their own servers. The parent US company can provide a URL on their own website without any problems - as long as the code was all developed outside of and remains stored outside of US national borders, they can still make it available to all their customers in the usual manner without actually exporting anything.
*This depends upon the notion that it doesn't count as an "export" when John Smith in the UK can download a file from an ftp server in Europe by clicking on a link provided by a US web server.
Consciousness is not what it thinks it is
Thought exists only as an abstraction
WHY has this man been moderated down? The point he raises is not flamebait, it is exactly the point at issue here: Americans are losing their freedoms and the Constitution is not protecting them.
Why? Because:
(1) The US government is entirely controlled by big business which doesn't give a flying fuck about individual liberties; and
(2) Individuals - including Slashdot readers - are too comfortable to get off their asses and demonstrate or even to pick up pen and paper and write to their representative.
Your Constitution is like everything else in the world that is worthwhile and that had to be fought for: USE it... or LOSE it.
If you're thinking it's none of my goddamned Brit business, think again. The whole "democratic" world still, rightly or wrongly, looks to the US for a lead. And whatever you guys let your government get away with, they are bound to try over here. Finally, if a constitution is as important as you Yanks say it is, then how can we Brits (and other Euros) possibly succeed in keeping our governments in check where you guys have already failed?
Just like the next in line at the slaughterhouse, we look across the pond at what is happening now and we very much fear for our own fate as a result.
Like it or not, the entire free world is today depending on the common American man and woman to rein in their government before these antidemocratic horrors multiply any further.
DAMN the Wassenaar agreement!
Consciousness is not what it thinks it is
Thought exists only as an abstraction
Well, let's start off with Black Rights movement, because that is one that everyone is familiar with (don't get me wrong here, I think this movement was great, and I fully believe in Civil Disobedience and activism; I also believe that we do need to get these encryption/free speech/freedom of privacy issues resolved).
Rosa Parks was arrested over a seat on a city bus.
The sit-ins in the lunch bars and restaurants were over being able to eat at this or that restaurant.
There are many more examples like this in other movements. Gandhi's first actions for civil rights were down in South Africa. He burned little sheets of paper, and was beaten for it. This is what civil disobedience is about. We want to disseminate text files freely across the net, and we want to protect our personal data, incriminating or no. I also want to be able to have people know that I am indeed sending email as me. I want to know that the email I have just received is from my girlfriend, or Casey, or anyone else that would send me mail.
The first step to all of this is getting rid of the export laws. There are bigger issues at hand, but what needs to be fought are all the little steps along the way. The first step is to oust the export restrictions. You see, the laws are always complex. What the people want to do is invariably simple but restricted.
Jeff
Well, you could alway use paper copies of diffs. Still annoying, but it would work.
Preventive War is like committing suicide for fear of death. - Otto Von Bismarck
Will someone PLEASE post a mirror of the story so those behind cookie-disabling proxies can read it? (The ultimate solution is to NOT use cookie-required stories! How come /. hasn't caught on to that yet?)
Who cares? Quite frankly, I do.
The US citizens who WANT to (legally) contribute to OSS crypto projects are the ones who suffer here.
The problem is: US citizens can't (legally) contribute to OSS crypto projects. Why is this so hard for people to comprehend? Can't at all, period, even one character, by definition.
What about distributing the binaries as usual, but including a pointer to a non-US site where the source could be downloaded legally. Would this fulfill the GPL's provision of a written offer to provide the source on request?
This site can either get the source directly if development is not US, or through printed copies if necessary.
I'm not sure what the legal status of a US company maintaining a non-US site for the distribution of crypto would be. I suspect that isn't allowed. But could funding be given to a third party?
I'm also not sure what the GPL allows for third-party source distribution. Does the binary distributor have to be the one actually handling the source distribution, or is it sufficient for the source to be freely available?
thejeff
Your assumption of the government's cluelessness is based on an acceptance that the motives behind their actions are the ones that they have informed you of.
In actuality, the government is a collection of individuals, and all of them are grinding their own axe. This results in an apparent collective goal of the government that doesn't match the stated goals. (Only some of the folk in government have those goals).
There is no central control, but there are many attempting to be the central controller, or at least to act as if they were one within an area. This is the inevitable result of allowing the executive arm to use delegated agents. Eventually, unless other matters intervene, one of these groups will destabilize the government, and then we'll need to build a new one. Pray, pray hard, that it doesn't happen soon.
I think we've pushed this "anyone can grow up to be president" thing too far.
That's no problem. Just keep the code in Europe. Have the UK site be the main site for the UK users. Have the UK link point directly to the European code-home. All security related work is done outside the US. Folk in the US can download the code and only bug-reports flow the other direction.
I think we've pushed this "anyone can grow up to be president" thing too far.
Do I smell a conspiracy afoot? :P
-- Veni, vidi, dormivi
Could it be that the US government is still attached to closed-source software and this may be an attempt to shut down GnuPG or open-source crypto in general? Perhaps not, but if you don't have the source code you cannot release software because you can't compile it without the code, even if it's being released to the public.
Is that a bad hyperlink of has the server been slashdotted?
Yeah, I know what you mean. Here in the UK I sometimes get the feeling that we're a province of the US...
Even if your method works, a lot of people outside the US can write code; countries like India can provide similar quality at lower cost, so they don't need US developers to ssh into a foreign machine.
So why do they insist on export controls? It's plain: to slow down crypto proliferation inside the US. The major email programs still don't include seamless crypto integration.
Even for non-open-source software, I found that some of it with so-called strong crypto can be downloaded from countries like China and Russia.
The current policy of the US government affects mostly large-scale companies like MS. So they want to strike a balance, by having a new hand to open source.
Just went through a long export control law briefing at work. There is an exception for public domain information. Someone should publish a book and get it into a bunch of libraries. It should be OK to export then. Watch out though, talking about crypto (or any controlled technology) with or letting yourself be overheard by a foreigner can be considered exporting... Damn export laws are more annoying than actual security laws.
This isn't all that different to ordinary java .class files, is it?
I mean, that's an intermediary tokenised format, you don't have to use a JIT compiler on it... and you can mangle the symbol names (maybe not removing the idea of symbol names entirely, but as good as)...
If there's one thing it *would* achieve, it'd possibly help introduce the government to the concept of "brain" - they really need to stop talking bureaucratic crap and produce laws that actually talk about the technology in the correct terminology, for starters. Half the problem at the moment is that legalese is not slashdot-speak, I think.
~Tim
--
Rushing on down to the circle of the turn
I've not hacked java particularly, but from such as I know...:
The object file doesn't have 'lines'... it's tokenised, binary.
It's a two-stage thing: you write in java, which obviously looks similar to C++ source, to the not-well-trained eye. At least it's plain text at this stage.
Then you compile it into some messy looking .class format. This contains all the same symbol names as the real source, but the whole file is complete garbage to even attempt to understand.
The machine (JVM) itself reads this binary stuff and interprets it - binary encoding of token by binary encoding of token. So there's a fairly simple mapping between the instructions you gave and the things the interpreter phase of it does.
So .java is source to us, .class we regard as object. From the JVM's PoV, .class is source, actions are the results.
:)
Is that good enough?
~Tim
--
Rushing on down to the circle of the turn
Really interesting idea: what about shipping it out as java .class files? They're not hard to convert back into .java source, for starters :)
Actually there are differences. Unless you have a linker's .map file, you can't really convert back into logical variable / symbol names. There's at least one thing out there that mangles java class & variable names, too, so you can generate .class files that work and decompile with, eg Mocha, but aren't really legible.
:)
Maybe it comes from the other end: if someone's written it, then it *is* source code. The choice of language doesn't really define source or not?
~Tim
--
Rushing on down to the circle of the turn
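The .class subthread above, and the earlier suggestion of a virtual machine whose binaries convert straight back into source, both rest on one fact about the JVM class file: the compiled file still carries every class, field and method name and every type descriptor in its constant pool, which is why a decompiler such as Mocha has names to hang code on unless an obfuscator has mangled them first. The following is an added example, not code from the original thread or from any JVM tool: a Python parser for the class file header and constant pool, run over a constructed sample (the `Cipher`, `secretKey` and `encryptBlock` names and the pool layout are assumptions made for the example, not the output of a real compiler). It parses only the constant pool and the `this_class`/`super_class` indices; the fields, methods and attributes that follow them in a real file are not handled.

```python
import struct

# Constant pool tags from the JVM class file format (JVMS chapter 4).
CONSTANT_Utf8, CONSTANT_Integer, CONSTANT_Float = 1, 3, 4
CONSTANT_Long, CONSTANT_Double, CONSTANT_Class, CONSTANT_String = 5, 6, 7, 8
CONSTANT_Fieldref, CONSTANT_Methodref, CONSTANT_InterfaceMethodref = 9, 10, 11
CONSTANT_NameAndType = 12
MEMBER_REFS = (CONSTANT_Fieldref, CONSTANT_Methodref, CONSTANT_InterfaceMethodref)


def parse_constant_pool(data: bytes):
    """Parse the class file header and constant pool.

    Returns (major_version, pool, offset_of_access_flags), where pool maps a
    constant pool index to (tag, value)."""
    magic, _minor, major = struct.unpack_from(">IHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    (count,) = struct.unpack_from(">H", data, 8)
    off, pool, idx = 10, {}, 1
    while idx < count:                       # valid indices are 1 .. count-1
        tag = data[off]
        off += 1
        if tag == CONSTANT_Utf8:
            (length,) = struct.unpack_from(">H", data, off)
            off += 2
            # Real class files use "modified UTF-8"; plain decoding suffices for ASCII names.
            pool[idx] = (tag, data[off:off + length].decode("utf-8", "replace"))
            off += length
        elif tag in (CONSTANT_Class, CONSTANT_String):      # one u2 index
            pool[idx] = (tag, struct.unpack_from(">H", data, off)[0])
            off += 2
        elif tag in MEMBER_REFS + (CONSTANT_NameAndType,):  # two u2 indices
            pool[idx] = (tag, struct.unpack_from(">HH", data, off))
            off += 4
        elif tag in (CONSTANT_Integer, CONSTANT_Float):
            pool[idx] = (tag, data[off:off + 4])
            off += 4
        elif tag in (CONSTANT_Long, CONSTANT_Double):
            pool[idx] = (tag, data[off:off + 8])
            off += 8
            idx += 1                         # 8-byte constants occupy two slots
        else:
            raise ValueError(f"unknown constant pool tag {tag} at index {idx}")
        idx += 1
    return major, pool, off


def symbol_report(data: bytes) -> dict:
    """Recover the human-readable names a compiled class still carries."""
    major, pool, off = parse_constant_pool(data)
    _flags, this_idx, super_idx = struct.unpack_from(">HHH", data, off)

    def utf(i):                  # Utf8 entry -> str
        return pool[i][1]

    def cls(i):                  # Class entry -> its Utf8 name
        return utf(pool[i][1])

    refs = []
    for tag, val in pool.values():
        if tag in MEMBER_REFS:
            class_idx, nat_idx = val
            name_idx, desc_idx = pool[nat_idx][1]
            refs.append(f"{cls(class_idx)}.{utf(name_idx)}{utf(desc_idx)}")
    return {
        "major_version": major,
        "this_class": cls(this_idx),
        "super_class": cls(super_idx),
        "member_refs": refs,
        "utf8_strings": [v for t, v in pool.values() if t == CONSTANT_Utf8],
    }


def build_sample_class() -> bytes:
    """Constructed sample input, not compiler output: a header and constant
    pool shaped like what javac emits for a small class named Cipher."""
    def utf8(s):
        b = s.encode("utf-8")
        return struct.pack(">BH", CONSTANT_Utf8, len(b)) + b
    pool = [
        utf8("Cipher"),                                    # 1
        struct.pack(">BH", CONSTANT_Class, 1),             # 2  this_class
        utf8("java/lang/Object"),                          # 3
        struct.pack(">BH", CONSTANT_Class, 3),             # 4  super_class
        utf8("secretKey"),                                 # 5  field name
        utf8("[B"),                                        # 6  field descriptor
        utf8("encryptBlock"),                              # 7  method name
        utf8("([B[B)[B"),                                  # 8  method descriptor
        struct.pack(">BHH", CONSTANT_NameAndType, 7, 8),   # 9
        struct.pack(">BHH", CONSTANT_Methodref, 2, 9),     # 10 Cipher.encryptBlock
        struct.pack(">Bi", CONSTANT_Integer, 16),          # 11 e.g. a round count
    ]
    header = struct.pack(">IHH", 0xCAFEBABE, 0, 46)        # magic, minor, major
    cp_count = struct.pack(">H", len(pool) + 1)            # count = entries + 1
    trailer = struct.pack(">HHH", 0x0021, 2, 4)            # access_flags, this, super
    return header + cp_count + b"".join(pool) + trailer


if __name__ == "__main__":
    for key, value in symbol_report(build_sample_class()).items():
        print(f"{key}: {value}")
```

Running it lists the class and superclass names, the resolved `Cipher.encryptBlock([B[B)[B` reference and every Utf8 string, including `secretKey`; that is the material a decompiler rebuilds readable source from. An obfuscator that mangles names only rewrites those Utf8 entries (to `a`, `b`, and so on); the bytecode and its structure survive, which is why mangled classes still run and still decompile, just illegibly, as the post above says.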
Well, I think all the Scandinavian countries that are members of the European Union have signed the Wassenaar agreement, which classifies strong crypto as heavy arms (though I think each country makes its own laws on this. In DK strong crypto in source form is legal at least). Though I expect that all the fuss about Echelon and NSA is going to push crypto very much forward in all of Europe (and the rest of the world for that matter).
The Danish government is on the brink of throwing out their newly acquired NT system because the NSA has 16 bits of the 56 bits they use for encrypting emails, making it *very* easy to decrypt sensitive internal mail. This is a serious threat to national security.
Therefore the .DK government is likely to fund development of Danish crypto tools (not worked out yet).
If I were a crypto company or Theo De Raadt, I'd move to Finland or Switzerland which, I believe, are the two most independent and unencumbered countries in Europe. Neither are members of the EU or NATO (not 100% sure about .ch and NATO).
if you export via email, its personal correspondence, if you post it to your web site its an export.
Opinionated Law Student Strikes Again!
The GPL allows for distribution of the source in printed media, does it not?
So what's the problem?
Customer downloads binaries, desires source, contacts distributor and purchases printed copy of source. No problem... GPL allows for charging media and distribution costs.
Starman97@Gmail.com (bring it on spammers)
Books have their own sacredness in the eyes of the American people. You can't get away with banning/burning/etc.. books in America as a whole (though, yes, you will occasionally see local incidents.) This is the only reason crypto books are given special consideration.
:) I don't think the govt can make a case that crypto code is child porn.
I don't believe the govt will go after books any time soon. They are already running scared on the crypto issue, because they can see the defeat of restrictions entirely.
I don't think we'll ever see any attempt at controlling export of books.
Unless, of course, it's child porn.
So, what we could do is add a really crappy router (well not really a router, just a machine that you send crypto source to and it puts it through, maybe on a web page or FTP server) at the border between us and Canada or us and Mexico. Instead of doing the standard data-through-wires thing, it would actually print out a copy of the data, which would actually be fed over the border, then OCR'd on the other side. Problem solved.
Calmacil
I can't seem to face up to the facts, I'm tense and nervous and I can't relax... --Talking Heads
Can somebody moderate this one up please. It's actually a useful idea.
I don't want knowledge. I want certainty. - Law, David Bowie
You think you've got it bad... try figuring out what the hell we Canucks are allowed to do.
A few weeks ago when OpenBSD announced its method of solving this problem, as best they could, some users on my LUG began talking about (if I understood correctly) emulating OpenBSD's approach (except non-US citizens must do it). Thank Daily Daemon News for covering that tidbit.
"Open Source?" - Press any key to continue
An interesting question is whether there are any parties out there with the cojones to act on Bernstein and "Publish and be damned!"
The decision matrix on this is interesting. Will the USgovt wait until years have passed and the USSC has ruled, and then bring charges? How many juries will convict given the Defense pointing out that the Defendent was acting in accord with the law as decided both in Court and on appeal?
On the other hand, the USgovt could move for an injunction. That would take a lot of confidence to go before a judge and try to explain that irreparable harm would be done by exporting a copy of source code that originated on a non-US server and will continue to be on that server no matter the Court's decision. The whole proceeding would be a Heaven-sent opportunity to lampoon all of the nonsense arguments in front of someone whose very job description requires filtering through BS.
[earthworm jim]
Better than pro wrestling!
[/earthworm jim]
Lacking <sarcasm> tags,
I believe that there was a case that specifically decided that electronic communications over the 'net were just as protected by the first amendment as dead tree communications.
therefore, I would think, renaming your .c source files to .txt is just as legal as printing it out and mailing it.
-- The act of censorship is always worse than whatever is being censored. Always.
Then would "compiling perl to C" and distributing that be allowed?
-- The act of censorship is always worse than whatever is being censored. Always.
Perhaps Red Hat could "import" their crypto from Red Hat Europe :-)
Jeroen Nijhof
Really, this is getting thought-police-like. Really, source code is just an imprint of an idea. Can't one just print out the source and send it out? If you actually CAN do that (and I can't see why you shouldn't), then this is just really bogus. WAKE UP government, the cat is already out of the bag...everybody has encryption, you're just making it a pain in the butt.
It's 10 PM. Do you know if you're un-American?
GNUpg is available. Everybody, anywhere, has access to crypto algorithms and source code. Do they believe only high security US people know how to code an RSA encoder/decoder? In my (French) engineering school crypto and RSA are part of the curriculum, and coding them is part of the projects given to students. Heck, even if you are too lazy to code it yourself and need source code that is in the US, just click and 3 s later you've got the source code on your drive.
:-)
Like the US had some kind of monopoly on crypto research... this is not sad, this is ridiculous and stupid. But that keeps US crypto industries off our markets
Would cards with holes be legal? Then it could be useful to save those card readers on those old big COBOL-programmed mainframes ;)
This has already been done. See GPG.
>Yeah, I know what you mean. Here in the UK I sometimes get the feeling that we're a province of the >US...
You should be so lucky; if you were a province of the United States, you'd have enumerated (constitutional) rights. As it is, you don't.
~Any apparent grammatical or typographic errors are caused by defects in your display device.
I might argue that the creation of a novel cryptosystem is in fact a rather difficult task. Alternatives to the one time pad have been proposed for centuries - many of which were "unbreakable", but turn out to be surprisingly easy to subvert. You might consider reading something on the subject of cryptanalysis before you assert that good cryptosystems are easily understood.
"I believe the children are our future: nasty, brutish and short."
Well, you don't have to publish the whole source
again. You can publish the output from diff.
If the code and the comments disagree, then both are probably wrong. - Schryer
It's ironic that software can't ship strong crypto *out* of the US, but if it's developed outside of the US it can be shipped *in*.
There are several projects that have developed strong crypto without contravening the US laws (to the extent that Opera has 128-bit encryption).
There is an Australian project that reproduced the strong crypto without reference to the US and that, I believe, was open source.
What makes things really bad though, is that the US developers are scared off from using this in case they are sued for selling strong crypto.
Mozilla took this decision for a number of reasons, even though they knew there was a 128-bit engine that was non-US based.
This sort of thing will hinder the US development projects.
That is still illegal according to the laws/regulations of the US Government. There was an Ask Slashdot that covered this a while back: Using SSH on non-US sites for Crypto Development.
Haven't looked at many .src.rpm's on
US Red Hat mirrors lately, have you?
Criminalize spam and telemarketing!
Really? Sweden has the same crypto policy as the US?
That sounds surprising -- I thought most scandinavian countries were pretty liberal when it came to personal data privacy and crypto.
Care to elaborate?
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
Actually, I am not sure the Wassenaar Agreement will be respected at all. I am going to check if I can find some more information on this. I doubt it will be applied, even if signed by different countries, since most European countries realize e-commerce is going to be big -- and they don't want to surrender their financial and communication independence to the US.
As far as I know, Finland is a member of the European Union (EU), but not of NATO, since it is supposed to be a "neutral" country. Switzerland is not a member of EU or of NATO, since these guys take their neutrality more seriously than anybody else.
Moving to Switzerland may not be such a good idea for Theo & the OpenBSD project: it's very hard to obtain residency and work permits in Switzerland. On the other hand, if a Swiss computer firm were to hire him, getting the necessary authorization & paperwork in order would be much easier (think Linus Torvalds & Transmeta). In any case, this is nothing more than an empty discussion, since Canada has been very friendly so far.
In my opinion, most European countries will end up saying "we don't care" to Janet Reno and adopt strong crypto -- unless the US government just drops the whole crypto regulation idea in the dustbin, where it belongs.
Just my US$ 0.02...
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
I agree wholeheartedly, but there is one major problem. If this were to backfire, there would be a lot of people facing felony charges for participating. While the chances of them actually prosecuting and convicting everyone involved are quite slim, the possibility is still there. I don't know about you, but that's not something I would much enjoy. This isn't exactly the type of civil disobedience that you associate with civil rights movements and such. There are some seriously powerful people who have a vested interest in seeing that the law remains as is - the NSA and FBI being just a couple of them. The fear factor from this alone would be enough to keep people from participating, thereby increasing the chances that those who do participate will be prosecuted. That's how government works anymore - it uses the fear of a felony conviction to keep its subjects^H^H^H^H^H^H^H^Hcitizens in compliance with tyrannical legislation.
/. has a large enough reader base that we should be able to pool a fair amount of $$ to start something like this - and there are always those businesses who would profit from a repeal of encryption laws. Does anyone think that such a thing would be possible? Or am I just dreaming?
I agree that the government's policy on encryption export is wrong and unconstitutional, and I agree that something seriously needs to be done about it, but what you are proposing is dangerous to anyone who gets involved. I think that we should instead look to forming some sort of grass-roots lobbying effort to try and get Congress to repeal these laws (is there such an entity already in existence?).
Roses are red, violets are blue. I'm a schizophrenic, and so am I.
Yes, I realize that. But look at what we are fighting for, compared to what they were. We want to be able to export encryption, they were fighting for the most basic human rights. Big difference. Would you be as willing to spend the rest of your life in jail for the right to send crypto overseas as you would for the right to be treated as a human being? I sure wouldn't. Civil disobedience is not the answer to everything. You must look at the risk vs the potential profit. My original post was saying that it isn't worth it in this case, and I still stand by what I said.
Roses are red, violets are blue. I'm a schizophrenic, and so am I.
So....um......if they downloaded it from us, would it be illegal (supposing we had a disclaimer saying that nobody outside the US can download this (kinda like the mp3 disclaimers))?
Anyway, the problem with paper is that every time something changes, you have to print a whole new book. This could become a little time consuming and resource (monetary) intensive.
Though I agree that they shouldn't embellish stories, let's face it, there's nothing to gain for a CSS company giving it to people overseas.
That's my $(2^4*3+1/7%3*2/100)
--Justin Mitchell
"2nd Place is a fancy word for losing" --Bender (Futurama)
If a program is licensed under the GPL and a distribution with that program on it ships overseas, if a person purchases the distribution but wants the source code to the encryption program, but can't download it because it's hosted in the US, what are the legal ramifications in regard to the GPL?
Did that make sense? I'll clarify if not.
Actually - it was the state of Indiana. When legendary Chicago columnist Mike Royko lampooned them in his column they quietly repealed the law..
You're wrong here. It's still against the law. If you have a product and you include crypto - even crypto written by your third-country programmers - and include THEIR code in your app; it's against the law to export it.
The only way it's illegal would be for you to design your app where the customer can install the crypto routines AFTER they install your app.
You have to design your app to allow this; it may be less efficient; and the three-letter-agencies (who are behind this gov't policy) are counting on the fact that many if not most of your customers either will be too lazy or ignorant to actually do this.
My plan exactly. Walk. The US is trying to protect its monopoly on a.) the dollar supreme and b.) a hairball tax code, revenue stream. Are less violent trading routes imaginable?
:)
Bit trading brains-r-us are close to implementing alternative mediums of exchange (see saxas), other possibilities for paying the piper (see taxes) and disciplines that might increase the velocity and value (and reduce the ecological cost) of "money".
Encryption is how currency "borders" are enforced on the Net, thus cryptography is the only way any trading system can protect its turf. Personally, I'd like to see 7 or 8 billion traders exercise that right, using an abundance of free space quantum cryptography.
Once I get my mail server back in place (RSN, hope hope) I'm going to start bouncing unencrypted messages with a reply that if you REALLY have something important to say to me, you'll encrypt it with PGP or GPG and resend, along with a lecture on why this is important. May as well start doing my part to ensure that crypto usage spreads. The fact that this will have the added benefit of completely eliminating the spam I get now is not lost on me, either.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Give us the grail or we will take your castle by force!
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I think it is ironic that this stance has been taken by the administration in the middle of a large legal battle by the EFF and others over just this issue. The courts have come down on the side of freedom of speech and that source code is speech several times already in this case. In fact the US 9th circuit court of appeals had previously ruled that regulations on encryption source code were unconstitutional under both the 1st and the 4th amendments and that they would have to be significantly reworked. The case the EFF is using is Bernstein vs USDOJ at this address http://www.eff.org/bernstein/ The courts have agreed to re-hear this case but I think it will probably make it up to the supreme court in a year or two. That's when we should finally get a clear answer on this issue and hopefully not have to worry about it any more.
Couldn't get the link to work properly, but I'll extrapolate and comment anyway...
Are they saying that you can export strong crypto, but you can't export source code to strong crypto? Because if so, then it just doesn't make any sense. Where do you distinguish between source code and not source code? Human-readability? If so, then that means you couldn't ship a strong crypto implementation in any sort of scripting language or other interpreted form (e.g. Perl). And what about assembly - would you be allowed to ship an ASM source file? If not, then can someone explain the conceptual difference between an ASM source file and the output of a disassembler?
Once again, governments fail to understand technology...
Being as the method is hidden, how is it to be validated as to prove it was not made up by the offense?
Someone set us up the bomb, so shine we are!
The recent change in export laws was to allow crypto-enabled applications to be exported from the US. Now they're saying that it's only for "shrink wrapped" applications, not the source code. So you can't ship the code with the app. So? Put the non-crypto parts of the source with the app, and ship it out -- no violation of the law (assuming you've met whatever regulations still govern shipping compiled apps). Then put the crypto parts of the source code on a web server in a country that doesn't give a crap about paranoid levels of control like the US does. You've got your app, you can ship it anywhere, all the source is available to anyone. Open source isn't about the source code being on the same physical CD, it's about it being available, period. It's inconvenient to do it this way, yes, but it's a whole lot more effective, IMO, than lobbying a government that doesn't give a crap what people want.
I don't see what the problem is. So you can't export open-source crypto. Big deal -- import it instead. Pick a country (or countries) that isn't interested in trying to control this stuff, and find some programmers there willing to open-source their crypto software. Even if they screw it up at first, just email them bug fixes (a couple of lines at a time, if need be, to conform to whatever silly laws your country has at the time), and eventually you'll have damn strong crypto.
Laws like this are like flaws in an OS. You can waste your time wailing about the fact that the flaw is there; you can waste your time begging for the flaw to be repaired; or you can code around it, and make the flaw irrelevant.
Why the HELL does the US govt always act like it owns the world? DAMN that makes me mad.
N.B. I said the US govt, not the US ppl; them I like very much.
---
Killroy Woz Here
> Right! Redhat and Caldera (especially RedHat,
> since they really want to keep their
> distribution "free") still have the same
> problems, because their "products" are open
> sourced. Cute.
OK: this makes SuSE happy, doesn't it?
And for instance it makes software companies in Europe happier: the crypto laws of the USA were a godsend for European software houses.
But anyway I downloaded ssh from a server in Finland, and I'll continue to download from it.
If crypto is allowed (fullscale) then it would not be so good to be a hacker. We hackers would lose the technique of sniffing passwords right off telnet shells.
Then the politicians have to think: less cracking => less need for cops => more unemployment => worse election.
So come on stop this crazy proposal of allowing free crypto.
What if e.g. RH was printed in Europe, with strong crypto, and exported to the US! Would that be legal?
The Autonomous Cow. Moo.
If natural language (English or whatever you happen to speak) is "free speech", then translate C to that language, and export away.
Perhaps use the c2txt2c translator (GPL'd open source) at http://personal.sip.fi/~lm/c2txt2c/ or http://www.nettaxi.com/citizens/lma/
Of course c2txt2c does make it pretty obvious that the output text contains a program. But it would not be very difficult to write a translator that *hides* the program in a normal piece of literature. (along the lines of steganography)
So maybe the government will get another un-clue and say that *any* chunk of text that is computer-readable and could be translated to source for a restricted kind of program is not "free speech".
Digital messages (signatures) are already being encoded into .GIFs, .JPGs and the like -- why not encode a program or program fragment instead.
What if the text of this message actually contains part of the source for PGP? (appropriately encoded, of course) It might.
The end result is that as long as geeks are smarter than politicians (that's for(;;); in C) there will be ways for private citizens to communicate privately. And as long as the general populace continues to elect clueless politicians, silly rules will continue to be enacted and shoved down our throats.
The Autonomous Cow. Moo.
You still don't seem to understand that source code available is NOT equivalent to Open Source. For example, Sun's new source code license allows people to view the source. It is not an Open Source (or Free Software) license, however, as it does not allow redistribution of modifications.
These restrictions apply equally to Open Source licenses and non-Open Source licenses. All source code is restricted in an identical fashion, regardless of its licensing. Therefore, it is indeed incorrect to say that Open Source software is specifically targeted.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Well, if they ban textual publishing this would render the US as a source of cryptography useless. Not that the government would have the foresight to see this of course.
There is a workaround even at this point, but it requires a bit of effort. Create a virtual machine. The characteristics of this virtual machine are that it runs an interpreted tokenized format (which probably isn't human readable) but performs no optimizations. Information on subroutine names and so on must be stored in the tokenized version (even if they aren't directly readable by humans).
The virtual machine doesn't have to run the code efficiently. In fact, because of the constraints I've mentioned, it wouldn't. But the goal of the virtual machine isn't running cryptographic algorithms anyway. Its job is to enable a program to be transferred 'without source code' across international boundaries. The tokens distributed aren't source code, they're kind of an intermediate machine code, but because of the design of the machine each token can be translated back into a function call or construct such as a for loop or multiplication or a named user-defined subroutine.
This would probably be fairly difficult for the government to legislate away without totally disallowing the export of encryption. I wouldn't want to be in the court that tried to define the distinction between source code, object code and compiled code.
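The tokenized-VM idea in the post above, as an added example that is not part of the original thread: a tiny reversible tokenizer for a made-up mini-language (assignments, `for` loops, calls). The language, the byte layout and the sample program are all constructed for this example. It shows the property the poster describes: when the token stream keeps identifiers and structure, the "binary" form and the source are the same information, and either can be regenerated from the other.

```python
import re
import struct

# Toy language lexer: keywords, identifiers, integers, operators/punctuation.
# Whitespace is discarded, so a round trip normalizes spacing but preserves
# every name and construct (the property the post requires of its VM).
KEYWORDS = ["for", "while", "if", "return", "def"]
PUNCT = ["==", "!=", "<=", ">=", "-", "+", "*", "/", "%", "<", ">",
         "=", "(", ")", "{", "}", ";", ","]
TOKEN_RE = re.compile(r"\s*(?:(\d+)|([A-Za-z_]\w*)|(==|!=|<=|>=|[-+*/%<>=(){};,]))")

# Token kinds used in the tokenized (byte) form; constructed for this example.
K_KEYWORD, K_IDENT, K_INT, K_PUNCT = 1, 2, 3, 4


def lex(src):
    """Turn source text into a list of (kind, value) tuples."""
    tokens, pos = [], 0
    while pos < len(src):
        m = TOKEN_RE.match(src, pos)
        if m is None:
            if src[pos:].strip() == "":
                break  # only trailing whitespace left
            raise ValueError(f"bad token at {pos}: {src[pos:pos + 10]!r}")
        pos = m.end()
        num, ident, punct = m.groups()
        if num is not None:
            tokens.append((K_INT, int(num)))
        elif ident is not None:
            tokens.append((K_KEYWORD if ident in KEYWORDS else K_IDENT, ident))
        else:
            tokens.append((K_PUNCT, punct))
    return tokens


def encode(tokens):
    """Pack tokens into the VM's byte form.

    Layout (constructed): u16 identifier count, each identifier as u8 length +
    UTF-8 bytes, then one record per token: u8 kind followed by a u16 table
    index (keyword/identifier/punct) or an i32 value (integer literal).
    Keywords and punctuation become indexes, so the blob is not readable text,
    yet nothing is lost: names live in the table, structure in the records.
    """
    idents = []
    for kind, val in tokens:
        if kind == K_IDENT and val not in idents:
            idents.append(val)
    out = bytearray(struct.pack(">H", len(idents)))
    for name in idents:
        b = name.encode("utf-8")
        out += struct.pack(">B", len(b)) + b
    for kind, val in tokens:
        if kind == K_KEYWORD:
            out += struct.pack(">BH", kind, KEYWORDS.index(val))
        elif kind == K_IDENT:
            out += struct.pack(">BH", kind, idents.index(val))
        elif kind == K_INT:
            out += struct.pack(">Bi", kind, val)  # raises on values outside i32
        else:
            out += struct.pack(">BH", kind, PUNCT.index(val))
    return bytes(out)


def decode(blob):
    """Unpack the byte form back into the identical (kind, value) token list."""
    (n,) = struct.unpack_from(">H", blob, 0)
    off, idents = 2, []
    for _ in range(n):
        (ln,) = struct.unpack_from(">B", blob, off)
        off += 1
        idents.append(blob[off:off + ln].decode("utf-8"))
        off += ln
    tables = {K_KEYWORD: KEYWORDS, K_IDENT: idents, K_PUNCT: PUNCT}
    tokens = []
    while off < len(blob):
        (kind,) = struct.unpack_from(">B", blob, off)
        off += 1
        if kind == K_INT:
            (val,) = struct.unpack_from(">i", blob, off)
            off += 4
            tokens.append((kind, val))
        else:
            (idx,) = struct.unpack_from(">H", blob, off)
            off += 2
            tokens.append((kind, tables[kind][idx]))
    return tokens


def to_source(tokens):
    """Print tokens as source text; spacing is canonical, content is exact."""
    text = " ".join(str(val) for _, val in tokens)
    for p in ("; ", "{ ", "} "):
        text = text.replace(p, p.strip() + "\n")
    return text


# Constructed sample program in the toy language (not a real cipher).
SAMPLE = """
def mix(key, n) {
    acc = 0;
    for (i = 0; i < n; i = i + 1) {
        acc = (acc * 31 + key) % 65521;
    }
    return acc;
}
"""


def roundtrip(src):
    """Lex, encode, decode; returns (blob, regenerated_source, lossless_flag)."""
    toks = lex(src)
    back = decode(encode(toks))
    return encode(toks), to_source(back), back == toks


if __name__ == "__main__":
    blob, text, ok = roundtrip(SAMPLE)
    print(f"{len(blob)} bytes of tokens, lossless={ok}")
    print(text)
```

The design choice worth noting is that the only thing the byte form drops is whitespace; a disassembler for this VM is the `decode` plus `to_source` pair, which is exactly why the poster expects a court to struggle with the source/object distinction.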
If I ssh into a machine that's outside the US and write crypto code, does that count as exporting it? Am I exporting a weapon one character at a time? If not, I guess that is a possible work-around, though one that would probably be pretty annoying for US developers.
Cheers,
Perrin.
-Perrin.
Now I want you to go in that bag and find my lightsaber. It's the one that says bad mother-fscker on it.
This is splitting hairs in my opinion, because the nature of cryptography demands peer review and the most popular cryptography packages are open-source.
I suppose one could say that the government has also restricted the export of commercial crypto packages which make their source code available only under NDA for a price. Are there even any companies which are silly enough to offer such a product?
Apart from that hypothetical, the effect of prohibiting the export of source code is essentially identical to prohibiting the export of open-source software. In essence, the government is turning the GPL or any other open-source license into an anchor which forces the package to remain within U.S. borders. Closed-source software is not so restricted.
Quite true!
Jamie McCarthy
jamie.mccarthy.vg
Hmm... correct me if I'm wrong, but I thought it was said (maybe a year or so ago) it was LEGAL to export encryption source code in non-electronic form (i.e., on paper). Guess that means whenever you download an open source encryption product, to get the source you have to have it printed out and sent to you. Hope you have good OCR software for your scanner!
It was compiled with debug symbols? (And not stripped.)
Is that exporting the source code, or the binary?
God does not play dice - Einstein
Not only does God play dice, he sometimes throws them where they
Please tell me... HOW many CDs, DATs, zip cartridges, and floppys get shipped out of the US every day, either as part of a commercial shipment or carried in someone's luggage?
Crypto source, like any information, doesn't need to be continually exported. It just needs to make it out *once*. After that, there's no need to risk smuggling anything again, when you can make a million electronic copies if you'd like.
Given the number of highly guarded, classified, ultra-top-secret US government documents that routinely turn up in places like Russia, China, Great Britain, Israel, Iran... I think it's fairly safe to assume that whatever Janet Reno thinks is worth guarding, is already gone.
"Great men are not always wise: neither do the aged understand judgement." Job 32:9
> It's like Congress deciding they want to rewrite the Law of Gravity.
Why not? They change the time of day with impunity twice a year.
--
It's October 6th. Where's W2K? Over the horizon again, eh?
Sheesh, evil *and* a jerk. -- Jade
Thank you.
I could have figured this one out myself I guess. I was busy scratching my head trying to figure out why the justice department was advocating a policy which could be so demonstrably easily defeated by anyone, and which merely has had the effect of moving the centers of development of security critical software offshore. In the long term, the inevitable deskilling of US programmers this will lead to can't be in the national interest.
This policy only makes sense if the administration thinks it has important political symbolism.
In that case, it may be not so much that they are clueless, but out of touch. I mean, as a political message, "no export of strong encryption" isn't exactly "remember the alamo". "No export of source code for strong encryption algorithms except in printed form" is even more obscure. Anybody who cares at all about this issue has to think the policy is simply stupid.
I don't buy that this is a plot to advance Microsoft, or to sneak back doors into strong encryption. It is simply too trivially easy to defeat this policy for it to have any kind of effect whatsoever, except to bar US programmers from working on open source cryptography.
I wonder if this could be challenged on constitutional grounds, on the basis that source code is an expression of ideas (just as it would be in paper form), as opposed to being an apparatus, which a binary product would arguably be.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Bernstein will save us.
-russ
Don't piss off The Angry Economist
Basically, it's an issue of understanding technology. Most people, including some very bright minds, just can't seem to get a good understanding of what the various forms of technology are. Thus, it's hard to see electronic documents containing source code as free speech. Meanwhile, any fool can understand the printed word must be protected.
Take email vs. snail mail as an example. Traditional paper note-in-an-envelope mail has a fair amount of legal protection. It didn't have to have it - but early American planners made sure of it. Meanwhile, recent rulings have given email none of the protections that traditional mail has. I think those who work within a technology environment see little difference between the legal privacy of a piece of paper vs. an electronic file. It's obviously not so apparent to outsiders.
So going back to source code... those who are a part of the technology see restriction of source code as a freedom of speech/press issue. However, outsiders may not understand this. It may take some considerable work to connect the two. In a court of law, this doesn't always happen. Thus, officials who want to go after published source code will have an easier time at restricting electronic distribution than dead-tree distributions.
Civil disobedience means putting your ass on the line against the power of the state. By doing so, you hope to shame the state into behaving better; or, failing that, let it know that there are people willing to put themselves at risk to oppose it - and let them figure out that said opposition may not be restricted to nonviolent means.
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
Several /. posters have raised the issue that printed source code may one day be considered machine readable and therefore illegal to export. This of course stretches the bounds of constitutionality, but is a grey enough area to be held up in a court system populated by the pseudo-socialist ninnies currently running it.
Should printed (crypto) source code be restricted, I say we up the stakes yet another level; fire up your Mac (or whatever machine/OS gets your jumbly stiff) and have the machine *SPEAK* the source code. Simply record the output and mail a copy to whoever you please or play it over the phone. Although the recording might make for some boring listening, it would be spoken word and therefore any attempt to restrict it would be a very clear-cut violation of the constitution. Should some old decomposing pile of bones masquerading as a congressman raise the point that a machine made the recording, simply enlist a few intrepid souls to read and record the code; what will the gov't do then, decree that the spoken word is machine readable and therefore subject to their control? Can you say "Violation of my constitutional rights"? I knew you could!
With a bit of tweaking, I'm sure one could get ViaVoice to transcribe the recording. Voila! Stupid law circumvented once again!
I believe that every effort the gov't makes to restrict crypto (and ANY free speech) should be challenged and every loophole exploited. The effect of this is they must address the holes and tighten their grasp on us. Once this happens, the issue will become a pure free speech issue and will be forced to a head.
"The more you tighten your grip, Tarkin, the more star systems
will slip through your fingers".
--Princess Leia
~Any apparent grammatical or typographic errors are caused by defects in your display device.
I think it is far too early to give up on getting the government to see the light with regard to crypto, so I agree with you that *right now* it may not be worth the risk.
However, please do not dismiss the importance of a challenge, even a small one, to free speech. Should free speech fall or simply become ineffective you'll have a *very* tough time organizing demonstrations for *anything*.
This specific issue, encryption, is very important itself to effective free speech and the right of free assembly. Organized civil disobedience can make use of encryption just as any illegal group like criminals or terrorists can. It's just far less obvious we want to prevent it.
This is just getting silly. The US government doesn't want to allow exportation of source code for strong crypto and thinks this is gonna make a damned difference!? Do they honestly think they can prevent the Chinese or the Indians or the drug cartels from developing their own (also raises the "who cares anyway?" questions...)? It's not like the concepts behind this stuff are poorly understood!
Also it seems kinda rude in terms of foreign policy to declare to someone you're trying to build a trade relationship with that you're not going to give them access to something that would give them privacy; by doing this the US is openly admitting the fact that they're spying on everyone. Now granted we already could've guessed, but for them to stand up and yell it on a street corner is just stoopid.
-gaffney, who wishes to hell he were old enough to vote.
"Violence never settled anything." -Genghis Khan
Now, name at least two well-known US-based companies which will continue to suffer from these restrictions!
Right! Redhat and Caldera (especially RedHat, since they really want to keep their distribution "free") still have the same problems, because their "products" are open-sourced. Cute.
Ok, I can export binaries, but not "machine readable source code". Simple fix, write your code, wrap it up in an encrypted binary, do a ./lameusgovtextrastep (or whatever) and there ya go... I wouldn't be distributing source, I'd be distributing a binary that generated source.
It need not be said that this whole thing is incredibly stupid, and I'm ashamed of my government, I mean really -- "We don't trust our people" is essentially what they're saying. It doesn't need to be this way, we (at this point still) have voices and an organized effort would probably be enough to sway some influential congressbots into behaving reasonably. Maybe I ask too much.
--J(K) DOS is like Unix in exactly the same way that a pinto is like an aircraft carrier.
The government's announcement was a way to make it look like they were opening up while really trying to keep things under control. After all what did they say? "Approved code" would be allowed to be exported at any strength. Who does the approval? They do! And what else was in their announcement? Lots of verbiage about how important it is for law enforcement to be able to break encryption.
Can you say "secret key escrow" just like Clipper?
I knew you could!
So, of course, no open source software can possibly meet the guidelines. After all with open software anyone can see the back door and that would never do, would it?
:-(
Ben
My usual seat in the cluetrain is at http://pub4.ezboard.com/biwethey.ht
Problem: paper copy is only a workaround until the folks that be decide that a book IS a machine-readable form (courtesy of OCR), at which point we're really screwed, yeah?
Let's hope they get round to changing the somewhat broken law in the first place, before they realise that much...
~Tim
--
Rushing on down to the circle of the turn
This point keeps coming up, so I'll answer it globally instead of in several responses.
The current US position is that source code in electronic form is communications between the programmer and the compiler and hence under no Constitutional protection. Source code in printed form, since a computer can't read it, must be communications between two programmers and *is* Constitutionally protected.
Of course the government knows that OCR software exists and people who are serious about exporting software use special OCR fonts. (As an aside, where can I find those fonts?!) But they know that if they take an OCR-scanning programmer to court they may lose not only that case, but the larger issue of paper vs. disk vs. net distribution. The appeals courts in the Bernstein case make this seem likely.
As for motivations, I think a lot of the policy makers are driven by old-time military security policies and don't understand that they don't apply here. Leaking *any* information about most military hardware allows the enemy to work on ways to disrupt yours and improve their own, but mathematics and basic physical properties are things that can be done by anyone with the motivation and time. With them, all we can do is continuously remind them that *all* public source cryptology can be understood by a motivated college maths major, and even some HS students.
At the same time, I'm sure that "industry" lobbyists are talking to their old colleagues and pointing out that the exposure is limited when a company exports its binary packages. Have you ever tried to disassemble a megabyte-sized "hello, world" windows program? The fact that this makes it easier for MS to export its Kerberos-enhanced W2K, but I can't export my Kerberos-enhanced Debian packages, isn't mentioned. Besides, MS has 90% of the market, and my distribution has 0%. (Because of the export laws, it's an on-again/off-again project and still in early beta.)
As a final comment, I know I could distribute my packages as source code, but that's completely unmanageable. The Kerberos source tarball is around 5 MB, and while many of the other packages (e.g., lprng, postgres, coda, cvs) can be rebuilt with a one-line change in the 'debian/rules' file you need a fully loaded development platform to recompile everything. Few people would use a distribution where you have to scan in a book (literally), then spend two days compiling everything.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Things like Perl and Tcl, for instance. If someone were to make a "shrink-wrapped" software package featuring strong cryptography via Perl, what would the department's policy be?
Only the dead have seen the end of war.
Washington is simply under public pressure to do something about exporting national secrets (as if any open source code could be considered a national secret) considering recent debacles related to Chinese espionage and the subsequent attempted coverup.
They're just flailing out at a segment of the software industry that can't defend itself, collecting the brownie points back home, and forgetting about it by morning.
Rather than bitching and complaining about this obviously lame/idiotic law, why don't we do something about it? Organize something. Have a civil disobedience day where we upload whatever piece of encryption software we damned well want to foreign servers. Set a date, hype it up like Microsoft hypes up NT, and then execute. It's important that we do this. Courts do recognize mass civil disobedience.
It never ceases to amaze me that my government has essentially decided it can regulate math. I cannot specify a sequence of simple mathematical operations and send that sequence to anyone I choose.
It's like Congress deciding they want to rewrite the Law of Gravity.
This really only goes to prove how clueless our leaders appear to be about technology.
.txt files? Is this the same government that insists we must save the trees??
"This happens to suit U.S. government intelligence and law-enforcement agencies, which worry that access to the source code for encryption and security software would enable terrorists, drug dealers and other criminals to devise secure communications networks that agents would not be able to monitor."
This shows the apparent stupidity and lack of competence in our government agencies. Outlawing crypto doesn't keep it out of the hands of those who want it for covering illegal deeds. If you've got the resources to be running an organized illegal operation like is mentioned here, getting your hands on software that will encrypt your communications will not be difficult no matter how illegal it may be.
"The problem is that by the government's definitions, OpenBSD is foreign software"
How, exactly, is this a problem? It is a problem for the US government because they can't stop strong encryption from being made in other countries?
"The administration, for example, has so far declined to regulate the international movement of source code if it is printed on paper, presumably out of concern that such regulation would violate the First Amendment."
So does this mean that if we only write the code for strong encryption and print it out on paper then we can export it? Since when is there a distinction of free speech on paper and free speech in
Is this really a brain dead government honestly trying to keep something from the hands of dangerous criminals? Or does it look more like a government that is trying to make it difficult for companies to develop products for the everyday consumer and more importantly, "petty criminals"?
-----
Do you even know anything about perl? -- AC Replying to Tom Christiansen post.
So why do they insist on export controls? It's plain: to slow down crypto proliferation inside the US. The major email programs still don't include seamless crypto integration.
The most revealing bit of the puzzle is that source code is not exportable if it only contains hooks to allow easy plugging in of foreign developed crypto code. No US developed free software currently contains hooks like that, since it is impossible to prevent free software from being exported. It's not about stopping the flow of crypto algorithms to foreigners, it's also not about terrorists and organized crime (they can easily invest a bit of work and put the hooks in themselves): it's all about preventing wide spread adoption of strong crypto for every day communications in the US.
The government currently listens in on telephone conversations and email, and they would like to continue in the future.
--
There seems to be some misunderstanding as to the purpose behind the recent administration decision to reduce barriers to the export of encryption software.
While government is ostensibly concerned with the rights of citizens, its primary goal is self-preservation. (Do you want to lose your job? Neither do they.) The furor over encryption technologies was threatening to move voting blocs and critical endorsements; very well-endowed companies and individuals were losing money due to certain governmental policies.
Something had to be done.
Meanwhile, those same guys who cruise Silicon Valley harassing company after company, working tirelessly to put an ear in every wall, are skillfully scaremongering those same politicians with the kind of information you just don't get from a Freedom of Information Act request. These guys inspire terror in more than a few Silicon Valley techies; you don't think they know how to play the fear game with a few PR-conscious congresspeople and secretaries?
Something had to be done for them too.
So, the general concept was this: Remove the heavy artillery from the open-encryption campaign by placating the highly-funded (and thus dangerous in the PR department) companies seeking to make millions off of encryption sales. Do this by offering a slightly increased acceptable key length, as well as a "one stop shop" for an intelligence community OK to speed acceptance.
Meanwhile, do absolutely nothing for open source code, and in fact have Janet Reno talking with Germany about ways of suppressing critical infrastructure tools such as ssh and SSLeay. (No need to worry, there are many businesses that would be happy to sell you a closed source product that's only been peer reviewed by the intelligence community.)
Everybody's happy, no? Oh, yeah. The public. Those are the guys who a) finance the system and b) think the system is taking care of their finances.
I'm not so sure.
The real problem that the government's continual threat-making is exacerbating is that tremendous quantities of very private information are travelling in virtual plaintext. Go find out how many large companies make the rather ridiculous assumption that "Phone Company = Private Connection". There's no small amount of irony in the fact that a Virtual Private Network is in fact significantly more secure than Telco-Mediated Point to Point links. VPN design specs accept the fact that they're traveling over insecure lines. Legacy Private Networks presume that there's nobody able to listen in. This is a rather ridiculous assumption, particularly with the recent actions of the US Government against alternative phone service providers who were failing to provide wiretap/geoposition trace capabilities.
Is there a Telco engineer around who hasn't accidentally (or intentionally) listened in on a circuit to "make sure it's working"? Have we not been paying attention to the recent exposures regarding the Echelon system?
It is simply undeniable that Telco links, be they voice or Frame Relay, are insecure. The arguably misnamed "Virtual Private Network" is far less virtual than its predecessors, and the government knows it.
Then again, if the public is having its data tossed around in a forced-sniffable form, so too with the company's data which is being tossed around right alongside it. Maybe Corporate Rights are being trampled on after all.
Comments?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
It's always hard to determine the official verbiage from mainstream media; reporters often get things wrong. I'll give The New York Times the benefit of the doubt though.
If what the NYT says is true then Open Source software wasn't specifically excluded from the recent relaxed stance on crypto software. No source code may be exported, whether it's Open Source or from a commercial entity. Please don't embellish stories with information that isn't factual.
A bigger point is that constraints on the export of source code have been rendered ineffective anyway. I can still publish a book (such as Bruce Schneier's Applied Cryptography) that contains source code, though technically I can't publish it in a machine-readable format. Just about anybody can get access to a decent OCR program however (is there one available for Linux, incidentally?) and can scan in the source code and generate a machine copy.
A paper book isn't the most efficient way of publishing source code, but it is a workaround. If uploading the source to Blowfish to a server in Jakarta, Indonesia is illegal, then it is possible for a person located there to purchase the book, OCR it and set up an overseas mirror there.
A couple of points...
1. (minor gripe) How come OpenBSD is not mentioned in Slashdot's original mention of the article? (end minor gripe). Please note: That's a *minor* gripe, people!
2. I thought the US Navy was using WinNT exclusively? =)
Thus, the Navy's project is built with Italian enhancements to a Canadian product that was born in a U.S. university. What is more, it is likely that the software contains pieces of code contributed by programmers in Finland, Germany, Eastern Europe, Russia, Australia, India, Mexico and other countries.
Open Source Rules OK! Go BSD GO!!! =) This being said, isn't it sad^H^H^Hgood that, because of brain-damaged US policies, good programmers can now work in peace in Canada?
3. If Canada starts behaving as stupidly as the American administration does, Theo de Raadt will have to move to Finland or Sweden. Same weather, same relaxed crypto policies, same Internet access. Just a big waste of time. I'll be the first to send some $$$$ his way to make his moving easier...
4. You will have to pry my OpenBSD CDs from my cold finger, Janet Reno! (see below) =)
If the attorney general succeeds in persuading the Europeans and Canadians to shut off the flow of open-source security software, he said, "I think it would be a tragedy."
It's not going to be a tragedy, just a complete waste of time -- most Europeans are *fed up* with minor inconveniences such as NSA's Echelon and NSI's policies. They are not going to go back to the "old ways" of doing things. The US administration is behaving in such a heavy-handed manner, there is no way most European governments are going to clamp down on crypto. Even *France* authorized heavy crypto recently, for crying out loud! That was a country that used to be lumped with China and Iran as far as crypto was concerned!
5. Dear Janet: please *get* *a* *clue*. The cat is out of the bag, and there is no way you'll ever, *ever* get it back in...
But in case Reno has her way, the software industry is developing end runs. The administration, for example, has so far declined to regulate the international movement of source code if it is printed on paper, presumably out of concern that such regulation would violate the First Amendment. Thus, several companies are already shipping printouts of their code to Europe where it is scanned into computers.
So: I can't get the source, but I can get the book, right? How stupid can you get?
When asked about the policy's impact on the development of Linux, FreeBSD, and other open-source projects that serve the government's own needs, Reinsch, the commerce undersecretary, said: "It's an important question which we need to study a lot more. We don't have all of the answers."
You probably mean you don't have *any* answer. The crypto part of Linux, *BSD, etc... will simply be programmed outside the US, as it has been for a long time. US crypto policy, just like the walls of Jericho, is built on sand. And it's just as useless.
If only those people could leave people like Theo alone and free to code... *Sheesh*
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)