Slashdot Mirror
Still Can't Export Open-Source Crypto
The New York Times today reports that the
Easing on Software Exports Has Limits.
(Free reg. required.)
Turns out the administration's recent change of heart on crypto specifically excludes open-source software. "When it comes to source code ... 'nothing has changed.'"
You still don't seem to understand that source code available is NOT equivalent to Open Source. For example, Sun's new source code license allows people to view the source. It is not an Open Source (or Free Software) license, however, as it does not allow redistribution of modifications.
These restrictions apply equally to Open Source licenses and non-Open Source licenses. All source code is restricted in an identical fashion, regardless of its licensing. Therefore, it is indeed incorrect to say that Open Source software is specifically targeted.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Well, if they ban textual publishing this would render the US as a source of cryptography useless. Not that the government would have the foresight to see this of course.
There is a workaround even at this point, but it requires a bit of effort. Create a virtual machine. The characteristics of this virtual machine are that it runs an interpreted tokenized format (which probably isn't human readable) but performs no optimizations. Information on subroutine names and so on must be stored in the tokenized version (even if they aren't directly readable by humans)
The virtual machine doesn't have to run the code efficiently. In fact because of the constraints I've mentioned it wouldn't. But the goal of the virtual machine isn't running cryptographic algorithms anyway. It's job is to enable a program to be transferred 'without source code' across international boundaries. The tokens distributed aren't source code, they're kind of an intermediate machine code, but because of the design of the machine each token can be translated back into a function call or construct such as a for loop or multiplication or a named user defined subroutine.
This would probably be fairly difficult for the government to legislate away without totally disallowing the export of encryption. I wouldn't want to be in the court that tried to define the distinction between source code, object code and compiled code.
If I ssh into a machine that's outside the US and write crypto code, does that count as exporting it? Am I exporting a weapon one character at a time? If not, I guess that is a possible work-around, though one that would probably be pretty annoying for US developers.
Cheers,
Perrin.
-Perrin.
Now I want you to go in that bag and find my lightsaber. It's the one that says bad mother-fscker on it.
This is splitting hairs in my opinion, because the nature of cryptography demands peer review and the most popular cryptography packages are open-source.
I suppose one could say that the government has also restricted the export of commercial crypto packages which make their source code available only under NDA for a price. Are there even any companies which are silly enough to offer such a product?
Apart from that hypothetical, the effect of prohibiting the export of source code is essentially identical to prohibiting the export of open-source software. In essense, the government is turning the GPL or any other open-source license into an anchor which forces the package to remain within U.S. borders. Closed-source software is not so restricted.
Quite true!
Jamie McCarthy
Jamie McCarthy
jamie.mccarthy.vg
Hmm...correct me if I'm wrong, but I thought it was said(maybe a year or so ago) it was LEGAL to export encryption source code in non-electronic form (ie, on paper). Guess that means whenever you download an open source encryption product, to get the source you have to have it printed out and sent to you. Hope you have good OCR software for your scanner!
It would be hard to shut down GnuPG with US export controls, as it was made completely outside of the US.
It was compiled with debug symbols? (And not stripped.)
Is that exporting the source code, or the binary?
God does not play dice - Einstein
Not only does God play dice, he sometimes throws them where they
Please tell me... HOW many CDs, DATs, zip cartridges, and floppys get shipped out of the US every day, either as part of a commercial shipment or carried in someone's luggage?
Crypto source, like any information, doesn't need to be continually exported. It just needs to make it out *once*. After that, there's no need to risk smuggling anything again, when you can make a million electronic copies if you'd like.
Given the number of highly guarded, classified, ultra-top-secret US government documents that routinely turn up in places like Russia, China, Great Britain, Israel, Iran... I think it's fairly safe to assume that whatever Janet Reno thinks is worth guarding, is already gone.
"Great men are not always wise: neither do the aged understand judgement." Job 32:9
> It's like Congress deciding they want to rewrite the Law of Gravity.
Why not? They change the time of day with impunity twice a year.
--
It's October 6th. Where's W2K? Over the horizon again, eh?
Sheesh, evil *and* a jerk. -- Jade
Thank you.
I could have figured this one out myself I guess. I was busy scratching my head trying to figure out why the justice department was advocating a policy which could be so demonstrably easily defeated by anyone, and which merely has had the effect of moving the centers of development of security critical software offshore. In the long term, the inevitable deskilling US programmers this will lead to can't be in the national interest.
This policy only makes sense if the administration thinks it has important political symbolism.
In that case, it may be not so much that they are clueless, but out of touch. I mean, as a political message, "no export of strong encryption" isn't exactly "remember the alamo". "No export of source code for strong encryption algorithms except in printed form" is even more obscure. Anybody who cares at all about this issue has to think the policy is simply stupid.
I don't buy that this is a plot to advance Microsoft, or to sneak back doors into strong encryption. It is simply too trivially easy to defeat this policy for it to have kind any effect whatsoever, except to bar US programmers from working on open source cryptography.
I wonder if this could be challenged on constitutional grounds, on the basis that source code is an expression of ideas (just as it would be in paper form), as opposed to being an apparatus, which a binary product would arguably be.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
If a program is licensed under the GPL and a distribution with that program on it ships overseas, if a person purchases the distribution but wants the source code to the encryption program, but can't download it because it's hosted in the US
It's quite simple. According to the GPL, if you can't distribute the source according to the GPL, then you can't distribute the program at all
From the GPL (section 7)
If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the
Program at all
So, in the case you laid out, if you are allowed by export laws to export crypto binarys (and not source) then, if that binary is covered by the GPL, then the GPL forbids any export distribution.
In short, under the GPL, if you can't distribute the source and binary, you can't distribute either.
Anyone case to therorise what would happen if someone ex-USA got a copy of a GPL crypto binary, and asked for the source? If they say yes, they are breaking export laws, if they say no, they are breeching the GPL. Quite a dilemma.
--
Exigo spamos et dona ferentes
Bernstein will save us.
-russ
Don't piss off The Angry Economist
It sounds to me like it will not allow GPL'd strong crypto to be exported at all and still comply with both the GPL and this export restriction.
This is great for Microsoft. This is terrible for Red Hat. While it doesn't actually add any new restrictions to RH, it allows MS to compete more effectively with RH Linux. Maybe it will also be a boon for offshore distributions such as SuSE and TurboLinux.
Geeky modern art T-shirts
Basically, its an issue of understanding technology. Most people, to include some very bright minds, just can't seem to get a good understanding of what the various forms of technology are. Thus, its hard to see electronic documents containing source code as free speach. Meanwhile, any fool can understand the printed word must be protected.
Take email vs. snail mail as an example. Traditional paper note-in-an-envelope mail has a fair amount of legal protection. It didn't have to have it - but early American planners made sure of it. Meanwhile, recent rulings have given email none of the protections that traditional mail has. I think those who work within a technology environment see little difference between the legal privacy of a piece of paper vs. electronic file. Its obviously not so apparent to outsiders.
So going back to source code... those who are a part of the techology see restriction of source code as a freedom of speach/press issue. However, outsiders may not understand this. It may take some considerable work to connect the two. In a court of law, this doesn't always happen. Thus, officials who want to go after published source code will have an easier time at restricting electronic distribution than dead-tree distributions.
Civil disobedience means putting your ass on the line against the power of the state. By doing so, you hope to shame the state into behaving better; or, failing that, let it know that there are people willing to put themselves at risk to oppose it - and let them figure out that said opposition may not be restricted to nonviolent means.
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
Several /. posters have raised the issue that printed source code may one day be considered machine readable and therefore illegal to export. This of course stretches the bounds of constitutionality, but is a grey enough area to be held up in a court system populalated by the pseudo-socialist ninnies currently running it.
Should printed (crypto) source code be restricted, I say we up the stakes yet another level; fire up your Mac (or whatever machine/OS gets your jumbly stiff) and have the machine *SPEAK* the source code. Simply record the output and mail a copy to whoever you please or play it over the phone. Although the recording might make for some boring listening, it would be spoken word and therefore any attempts to restrict it would be very clear-cut violation of the constitution. Should some old decomposing pile of bones masquerading as a congressman raise the point that a machine made the recording, simply enlist a few intrepid souls to read and record the code; what will the gov't do then, decree that spoken work is machine readable and therefore subject to their control? Can you say "Violation of my constitutional rights"? I knew you could!
With a bit of tweaking, I'm sure one could get ViaVoice to transcribe the recording. Voila! Stupid law circumvented once again!
I believe that every effort the gov't makes to restrict crypto (and ANY free speech) should be challenged and every loophole exploited. The effect of this is they must address the holes and tighten their grasp on us. Once this happens, the issue will become a pure free speech issue and will be forced to a head.
"The more you tighten your grip, Tarkin, the more star systems
will slip through your fingers".
--Princess Leia
~Any apparent grammatical or typographic errors are caused by defects in your display device.
I think it is far too early to give up on getting the government to see the light with regard to crypto, so I agree with you that *right now* it may not be worth the risk.
However, please do not dismiss the importance of a challenge, even a small one, to free speech. Should free speech fall or simply become ineffective you'll have a *very* tough time organizing demonstrations for *anything*.
This specific issue, encryption, is very important itself to effective free speech and the right of free assembly. Organized civil disobedience can make use of encryption just as any illegal group like criminals or terrorists can. It's just far less obvious we want to prevent it.
This is just getting silly. The US government doesn't want to allow exportation of source code for strong crypto and thinks this is gonna make a damned difference!? Do they honestly think they can prevent the Chinese or the Indians or the drug cartels from developing their own (also raises the "who cares anyway?" questions...)? Its not like the concepts behind this stuff are poorly understood!
Also it seems kinda rude in terms of foreign policy to declare to someone you're trying to build a trade relationship with that you're not going to give them access to something that would give them privacy; by doing this the US is openly admitting the fact that they're spying on everyone. Now granted we already could've guessed, but for them to stand up and yell it on a street corner is just stoopid.
-gaffney, who wishes to hell he were old enough to vote.
"Violence never settled anything." -Ghengis Khan
Now, name at least two well-known US-based companies which will continue to suffer from these restrictions!
Right! Redhat and Caldera (especially RedHat, since they really want to keep their distribution "free") still have the same problems, because their "products" are open-sourced. Cute.
Ok, I can export binaries, but not "machine readable source code". Simple fix, write your code, wrap it up in an encrypted binary, do a ./lameusgovtextrastep (or whatever) and there ya go... I wouldn't be distributing source, I'd be distributing a binary that generated source.
It need not be said that this whole thing is incredibly stupid, and I'm ashamed of my government, I mean really -- "We don't trust our people" is essentially what they're saying. It doesn't need to be this way, we (at this point still) have voices and an organized effort would probably be enough to sway some influential congressbots into behaving reasonably. Maybe I ask too much.
--J(K) DOS is like Unix in exactly the same way that a pinto is like an aircraft carrier.
The government's announcement was a way to make it look like they were opening up while really trying to keep things under control. After all what did they say? "Approved code" would be allowed to be exported at any strength. Who does the approval? They do! And what else was in their announcement? Lots of verbiage about how important it is for law enforcement to be able to break encryption.
Can you say "secret key escrow" just like Clipper?
I knew you could!
So, of course, no open source software can possibly meet the guidelines. After all with open software anyone can see the back door and that would never do, would it?
:-(
Ben
My usual seat in the cluetrain is at A HREF="http://pub4.ezboard.com/biwethey.ht
Problem: paper copy is only a workaround until the folks that be decide that a book IS a machine-readable form (courtesy of OCR), at which point we're really screwed, yeah?
Let's hope they get round to changing the somewhat broken law in the first place, before they realise that much...
~Tim
--
Rushing on down to the circle of the turn
This point keeps coming up, so I'll answer it globally instead of in several responses.
The current US position is that source code in electronic form is communications between the programmer and the compiler and hence under no Constitutional protection. Source code in printed form, since a computer can't read it, must be communications between two programmers and *is* Constitutionally protected.
Of course the government knows that OCR software exists and people who are serious about exporting software use special OCR fonts. (As an aside, where I can find those fonts?!) But they know that if they take OCR scanning programmer to court they may lose not only that case, but the larger issue of paper vs. disk vs. net distribution. The appeals courts in the Bernstein case make this seem likely.
As for motivations, I think a lot of the policy makers are driven by old-time military security policies and don't understand that they don't apply here. Leaking *any* information about most military hardware allows the enemy to work on ways to disrupt yours and improve their own, but mathematics and basic physical properties are things that can be done by anyone with the motivation and time. With them, all we can do is continously remind them that *all* public source cryptology can be understood by a motivated college maths major, and even some HS students.
At the same time, I'm sure that "industry" lobbyists are talking to their old colleagues and pointing out that the exposure is limited when a company exports its binary packages. Have you ever tried to disassemble a megabyte-sized "hello, world" windows program? The fact that this makes it easier for MS to export its Kerberos-enhanced W2K, but I can't export my Kerberos-enhanced Debian packages, isn't mentioned. Besides, MS has 90% of the market, and my distribution has 0%. (Because of the export laws, it's an on-again/off-again project and still in early beta.)
As a final comment, I know I could distribute my packages as source code, but that's completely unmanageable. The Kerberos source tarball is around 5 MB, and while many of the other packages (e.g., lprng, postgres, coda, cvs) can be rebuilt with a one-line change in the 'debian/rules' file you need a fully loaded development platform to recompile everything. Few people would use a distribution where you have to scan in a book (literally), then spend two days compiling everything.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
No, in the Commonwealth, we are a Commonwealth of the US. Civil disobedience is the best way to get this law overturned I would say. Have everyone on /. and a few other places export a single line of code with the number of the line in the subject header to be rebuilt by a script outside the country. Or just have everyone here export the code with a cc to president@whitehouse.gov. There is already a website somewhere (its several years old) that allows you to do that...http://online.offshore.com.ai/arms-t rafficker/.
Or anyone whose out there in the development of such software should simply leave the US and develop outside. I don't think anything would scare the US government more then a brain drain.
OFTC: By the community, for the community
Things like Perl and Tcl, for instance. If someone were to make a "shrink-wrapped" software package featuring strong cryptography via Perl, what would the department's policy be?
Only the dead have seen the end of war.
Washington is simply under public pressure to do something about exporting national secrets (as if any open source code could be considered a national secret) considering recent debacles related to Chinese espionage and the subsequent attempted coverup.
They're just flailing out at a segment of the software industry that can't defend itself, collecting the brownie points back home, and forgetting about it by morning.
Rather than bitching and complaining about this obvious lame/idiotic law why don't we do something about it? Organize something. Have a civil disobedience day where we upload whatever piece of encrytion software we damned well want to foreign servers. Set a date, hype it up like Microsoft hypes up NT, and then execute. It's important that we do this. Courts do recognize mass civil disobedience.
It never ceases to amaze me that my government has essentially decided it can regulate math. I cannot specify a sequence of simple mathematical operations and send that sequence to anyone I choose.
It's like Congress deciding they want to rewrite the Law of Gravity.
This really only goes to prove how clueless our leaders appear to be about technology.
.txt files? Is this the same government that insists we must save the trees??
"This happens to suit U.S. government intelligence and law-enforcement agencies, which worry that access to the source code for encryption and security software would enable terrorists, drug dealers and other criminals to devise secure communications networks that agents would not be able to monitor."
This shows the apparant stupidity and lack of competence in our government agencies. Outlawing crypto doesn't keep it out of the hands of those who want it for covering illegal deeds. If you've got the rescources to be running an organized illegal operation like is mentioned here, getting your hands on software that will encrypt your communications will not be difficult no matter how illegal it may be.
"The problem is that by the government's definitions, OpenBSD is foreign software"
How, exactly, is this a problem? It is a problem for the US government because they can't stop strong encryption from being made in other countries?
"The administration, for example, has so far declined to regulate the international movement of source code if it is printed on paper, presumably out of concern that such regulation would violate the First Amendment."
So does this mean that if we only write the code for strong encryption and print it out on paper then we can export it? Since when is there a distinction of free speech on paper and free speech in
Is this really a brain dead government honestly trying to keep something from the hands of dangerous criminals? Or does it look more like a government that is trying to make it difficult for companies to develop products for the everyday consumer and more importantly, "petty criminals"?
-----
Do you even know anything about perl? -- AC Replying to Tom Christiansen post.
So why do they insist on export controls? It's plain: to slow down crypto proliferation inside the US. The major email programs still don't include seamless crypto integration.
The most revealing bit of the puzzle is that source code is not exportable if it only contains hooks to allow easy plugging in of foreign developed crypto code. No US developed free software currently contains hooks like that, since it is impossible to prevent free software from being exported. It's not about stopping the flow of crypto algorithms to foreigners, it's also not about terrorists and organized crime (they can easily invest a bit of work and put the hooks in themselves): it's all about preventing wide spread adoption of strong crypto for every day communications in the US.
The major email programs still don't include seamless crypto integration.
The government currently listens in on telephone conversations and email, and they would like to continue in the future.
--
There seems to be some misunderstanding as to the purpose behind the recent administration decision to reduce barriers to the export of encryption software.
While government is ostensibly concerned with the rights of citizens, its primary goal is self-preservation. (Do you want to lose your job? Neither do they.) The furor over encryption technologies was threatening to move voting blocs and critical endorsements; very well endowed companies and individuals were losing money due to certain governmental policies.
Something had to be done.
Meanwhile, those same guys who cruise Silicon Valley harassing company after company, working tirelessly to put an ear in every wall, are skillfully scaremongering those same politicians with the kind of information you just don't get from a Freedom of Information Act request. These guys inspire terror in more than a few silicon valley techies; you don't think they know how to play the fear game with a few PR-conscious congresspeople and secretaries?
Something had to be done for them too.
So, the general concept was this: Remove the heavy artillery from the open-encryption campaign by placating the highly-funded(and thus dangerous in the PR department) companies seeking to make millions off of encryption sales. Do this by offering a slightly increased acceptable keylength, as well as a "one stop shop" for an intelligence community OK to speed acceptance.
Meanwhile, do absolutely nothing for open source code, and in fact have Janet Reno talking with Germany about ways of suppressing critical infrastructure tools such as ssh and SSLeay. (No need to worry, there are many businesses that would be happy to sell you a closed source product that's only been peer reviewed by the intelligence community.)
Everybody's happy, no? Oh, yeah. The public. Those are the guys who a) finance the system and b) think the system is taking care of their finances.
I'm not so sure.
The real problem that the government's continual threat-making is exasperating is that tremendous quantities of very private information is travelling in virtual plaintext. Go find out how many large companies make the rather ridiculous assumption that "Phone Company = Private Connection". There's no small amount of irony in the fact that a Virtual Private Network is in fact significantly more secure than Telco-Mediated Point to Point links. VPN design specs accept the fact that they're traveling over insecure lines. Legacy Private Networks presume that there's nobody able to listen in. This is a rather ridiculous assumption, particularly with the recent actions of the US Government against alternative phone service providers who were failing to provide wiretap/geoposition trace capabilities.
Is there a Telco engineer around who hasn't accidentally(or intentionally) listened in on a circuit to "make sure it's working"? Have we not been paying attention to the recent exposures regarding the Echelon system?
It is simply undeniable that Telco links, be they voice or Frame Relay, are insecure. The arguably misnamed "Virtual Private Network" is far less virtual than its predecessors, and the government knows it.
Then again, if the public is having its data tossed around in a forced-sniffable form, so too with the company's data which is being tossing around right along side it. Maybe Corporate Rights are being trampled on after all.
Comments?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
It's always hard to determine the official verbage from mainstream media, reporters often get things wrong. I'll give The New York Times the benefit of the doubt though.
If what the NYT says is true then Open Source software wasn't specifically excluded from the recent relaxed stance on crypto software. No source code may be exported whether its Open Source or a commercial entity. Please don't embellish stories with information that isn't factual.
A bigger point is that constraints on the export of source code has been rendered ineffective anyway. I can still publish a book (such as Bruce Schneir's Applied Cryptography) that contains source code though technically I can't publish it in a machine readable format. Just about anybody can get access to a decent OCR program however (is there one available for Linux incidently?) and can scan in the source code and generate a machine copy.
A paper book isn't the most efficient way of publishing source code but it is a work around. If uploading the source to Blowfish to a server in Jakarta, Indonesia is illegal than it is possible for a person located their to purchase the book, OCR it and set up an overseas mirror there.
A couple of points...
1. (minor gripe) How come that OpenBSD is not mentioned in Slashdot's original mention of the aticle? (end minor gripe). Please note: That's a *minor* gripe, people!
2. I thought the US Navy was using WinNT exclusively? =)
Thus, the Navy's project is built with Italian enhancements to a Canadian product that was born in a U.S. university. What is more, it is likely that the software contains pieces of code contributed by programmers in Finland, Germany, Eastern Europe, Russia, Australia, India, Mexico and other countries.
Open Source Rules OK! Go BSD GO!!! =) This being said, isn't it sad^H^H^Hgood that, because of brain-damaged US policies, good programmers can now work in peace in Canada?
3. If Canada starts behaving as stupidly as the American administration does, Theo de Raadt will have to move to Finland or Sweden. Same weather, same relaxed crypto policies, same Internet access. Just a big waste of time. I'll be the first to send some $$$$ his way to make his moving easier...
4. You will have to pry my OpenBSD CDs from my cold finger, Janet Reno! (see below) =)
If the attorney general succeeds in persuading the Europeans and Canadians to shut off the flow of open-source security software, he said, "I think it would be a tragedy."
It's not going to be a tragedy, just a complete waste of time -- most europeans are *fed up* with minor inconveniences such as NSA's Echelon and NSI's policies. They are not going to go back to the "old ways" of doing things. The US administration is behaving is such a heavy-handed manner, there is no way most European governement are going to clamp down on crypto. Even *France* authorized heavy crypto recently for crying out loud! That was a country that used to be lumped with China and Iran as far as crypto used to concerned!
5. Dear Janet: please *get* *a* *clue*. The cat is out of the bag, and there is no way you'll ever, *ever* get it back in...
But in case Reno has her way, the software industry is developing end runs. The administration, for example, has so far declined to regulate the international movement of source code if it is printed on paper, presumably out of concern that such regulation would violate the First Amendment. Thus, several companies are already shipping printouts of their code to Europe where it is scanned into computers.
So: I can't get the source, but I can get the book, right? How stupid can you get?
When asked about the policy's impact on the development of Linux, FreeBSD, and other open-source projects that serve the government's own needs, Reinsch, the commerce undersecretary, said: "It's an important question which we need to study a lot more. We don't have all of the answers."
You probably mean you don't have *any* answer. The crypto part of Linux, *BSD, etc... will simply be programmed out of the US, as they have been for a long time. US crypto policy, just like the walls of Jericho, are built on sand. And it's just as useless.
If only those people could leave people like Theo alone and free to code... *Sheesh*
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)