Still Can't Export Open-Source Crypto
The New York Times today reports that the Easing on Software Exports Has Limits. (Free reg. required.)
Turns out the administration's recent change of heart on crypto specifically excludes open-source software. "When it comes to source code ... 'nothing has changed.'"
Now, name at least two well-known US-based companies which will continue to suffer from these restrictions!
Right! Redhat and Caldera (especially RedHat, since they really want to keep their distribution "free") still have the same problems, because their "products" are open-sourced. Cute.
Ok, I can export binaries, but not "machine readable source code". Simple fix, write your code, wrap it up in an encrypted binary, do a ./lameusgovtextrastep (or whatever) and there ya go... I wouldn't be distributing source, I'd be distributing a binary that generated source.
It need not be said that this whole thing is incredibly stupid, and I'm ashamed of my government, I mean really -- "We don't trust our people" is essentially what they're saying. It doesn't need to be this way, we (at this point still) have voices and an organized effort would probably be enough to sway some influential congressbots into behaving reasonably. Maybe I ask too much.
--J(K) DOS is like Unix in exactly the same way that a pinto is like an aircraft carrier.
The government's announcement was a way to make it look like they were opening up while really trying to keep things under control. After all what did they say? "Approved code" would be allowed to be exported at any strength. Who does the approval? They do! And what else was in their announcement? Lots of verbiage about how important it is for law enforcement to be able to break encryption.
Can you say "secret key escrow" just like Clipper?
I knew you could!
So, of course, no open source software can possibly meet the guidelines. After all with open software anyone can see the back door and that would never do, would it?
:-(
Ben
My usual seat in the cluetrain is at http://pub4.ezboard.com/biwethey.ht
Problem: paper copy is only a workaround until the folks that be decide that a book IS a machine-readable form (courtesy of OCR), at which point we're really screwed, yeah?
Let's hope they get round to changing the somewhat broken law in the first place, before they realise that much...
~Tim
--
Rushing on down to the circle of the turn
This point keeps coming up, so I'll answer it globally instead of in several responses.
The current US position is that source code in electronic form is communications between the programmer and the compiler and hence under no Constitutional protection. Source code in printed form, since a computer can't read it, must be communications between two programmers and *is* Constitutionally protected.
Of course the government knows that OCR software exists and people who are serious about exporting software use special OCR fonts. (As an aside, where can I find those fonts?!) But they know that if they take an OCR-scanning programmer to court they may lose not only that case, but the larger issue of paper vs. disk vs. net distribution. The appeals courts in the Bernstein case make this seem likely.
As for motivations, I think a lot of the policy makers are driven by old-time military security policies and don't understand that they don't apply here. Leaking *any* information about most military hardware allows the enemy to work on ways to disrupt yours and improve their own, but mathematics and basic physical properties are things that can be done by anyone with the motivation and time. With them, all we can do is continuously remind them that *all* public source cryptology can be understood by a motivated college maths major, and even some HS students.
At the same time, I'm sure that "industry" lobbyists are talking to their old colleagues and pointing out that the exposure is limited when a company exports its binary packages. Have you ever tried to disassemble a megabyte-sized "hello, world" windows program? The fact that this makes it easier for MS to export its Kerberos-enhanced W2K, but I can't export my Kerberos-enhanced Debian packages, isn't mentioned. Besides, MS has 90% of the market, and my distribution has 0%. (Because of the export laws, it's an on-again/off-again project and still in early beta.)
As a final comment, I know I could distribute my packages as source code, but that's completely unmanageable. The Kerberos source tarball is around 5 MB, and while many of the other packages (e.g., lprng, postgres, coda, cvs) can be rebuilt with a one-line change in the 'debian/rules' file you need a fully loaded development platform to recompile everything. Few people would use a distribution where you have to scan in a book (literally), then spend two days compiling everything.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Maybe, if we live so long. The appeals court seems to be in no hurry.
The re-hearing before the Ninth Circuit Court of Appeals has been scheduled for Dec. 16, 1999. The first time the 9th Circuit heard the case was in December of 1997, and they took a year and a half, until May 1999 to decide. Based on this we can "extrapolate" (using Arthur C. Clarke's term) the following timeline:
12/1997: 9th Circuit appeal hearing
5/1999: 9th Circuit decides
12/1999: 9th Circuit en banc re-hearing
5/2001: 9th Circuit decides again
10/2001: Supreme Court takes case
5/2002: Supreme Court decides case (they take pride in making prompt decisions)
Of course, the 9th Circuit may be faster or slower this time around, and the Supreme Court may not take the case, but this is as good a guess as any. The real problem is that no one knows what legal tricks (new regulations, new legislation) the government may pull to delay this even longer. It's already taken most of this decade.
What will the closed-source vendors do if you spot them a 2.5-year head start from now?
No, in the Commonwealth, we are a Commonwealth of the US. Civil disobedience is the best way to get this law overturned I would say. Have everyone on /. and a few other places export a single line of code with the number of the line in the subject header to be rebuilt by a script outside the country. Or just have everyone here export the code with a cc to president@whitehouse.gov. There is already a website somewhere (it's several years old) that allows you to do that... http://online.offshore.com.ai/arms-trafficker/.
Or anyone who's out there in the development of such software should simply leave the US and develop outside. I don't think anything would scare the US government more than a brain drain.
OFTC: By the community, for the community
Things like Perl and Tcl, for instance. If someone were to make a "shrink-wrapped" software package featuring strong cryptography via Perl, what would the department's policy be?
Only the dead have seen the end of war.
Washington is simply under public pressure to do something about exporting national secrets (as if any open source code could be considered a national secret) considering recent debacles related to Chinese espionage and the subsequent attempted coverup.
They're just flailing out at a segment of the software industry that can't defend itself, collecting the brownie points back home, and forgetting about it by morning.
Rather than bitching and complaining about this obvious lame/idiotic law why don't we do something about it? Organize something. Have a civil disobedience day where we upload whatever piece of encryption software we damned well want to foreign servers. Set a date, hype it up like Microsoft hypes up NT, and then execute. It's important that we do this. Courts do recognize mass civil disobedience.
It never ceases to amaze me that my government has essentially decided it can regulate math. I cannot specify a sequence of simple mathematical operations and send that sequence to anyone I choose.
It's like Congress deciding they want to rewrite the Law of Gravity.
This really only goes to prove how clueless our leaders appear to be about technology.
.txt files? Is this the same government that insists we must save the trees??
"This happens to suit U.S. government intelligence and law-enforcement agencies, which worry that access to the source code for encryption and security software would enable terrorists, drug dealers and other criminals to devise secure communications networks that agents would not be able to monitor."
This shows the apparent stupidity and lack of competence in our government agencies. Outlawing crypto doesn't keep it out of the hands of those who want it for covering illegal deeds. If you've got the resources to be running an organized illegal operation like is mentioned here, getting your hands on software that will encrypt your communications will not be difficult no matter how illegal it may be.
"The problem is that by the government's definitions, OpenBSD is foreign software"
How, exactly, is this a problem? It is a problem for the US government because they can't stop strong encryption from being made in other countries?
"The administration, for example, has so far declined to regulate the international movement of source code if it is printed on paper, presumably out of concern that such regulation would violate the First Amendment."
So does this mean that if we only write the code for strong encryption and print it out on paper then we can export it? Since when is there a distinction of free speech on paper and free speech in
Is this really a brain dead government honestly trying to keep something from the hands of dangerous criminals? Or does it look more like a government that is trying to make it difficult for companies to develop products for the everyday consumer and more importantly, "petty criminals"?
-----
Do you even know anything about perl? -- AC Replying to Tom Christiansen post.
So why do they insist on export controls? It's plain: to slow down crypto proliferation inside the US. The major email programs still don't include seamless crypto integration.
The most revealing bit of the puzzle is that source code is not exportable if it only contains hooks to allow easy plugging in of foreign-developed crypto code. No US-developed free software currently contains hooks like that, since it is impossible to prevent free software from being exported. It's not about stopping the flow of crypto algorithms to foreigners, it's also not about terrorists and organized crime (they can easily invest a bit of work and put the hooks in themselves): it's all about preventing widespread adoption of strong crypto for everyday communications in the US.
The major email programs still don't include seamless crypto integration.
The government currently listens in on telephone conversations and email, and they would like to continue in the future.
--
There seems to be some misunderstanding as to the purpose behind the recent administration decision to reduce barriers to the export of encryption software.
While government is ostensibly concerned with the rights of citizens, its primary goal is self-preservation. (Do you want to lose your job? Neither do they.) The furor over encryption technologies was threatening to move voting blocs and critical endorsements; very well endowed companies and individuals were losing money due to certain governmental policies.
Something had to be done.
Meanwhile, those same guys who cruise Silicon Valley harassing company after company, working tirelessly to put an ear in every wall, are skillfully scaremongering those same politicians with the kind of information you just don't get from a Freedom of Information Act request. These guys inspire terror in more than a few silicon valley techies; you don't think they know how to play the fear game with a few PR-conscious congresspeople and secretaries?
Something had to be done for them too.
So, the general concept was this: Remove the heavy artillery from the open-encryption campaign by placating the highly-funded (and thus dangerous in the PR department) companies seeking to make millions off of encryption sales. Do this by offering a slightly increased acceptable keylength, as well as a "one stop shop" for an intelligence community OK to speed acceptance.
Meanwhile, do absolutely nothing for open source code, and in fact have Janet Reno talking with Germany about ways of suppressing critical infrastructure tools such as ssh and SSLeay. (No need to worry, there are many businesses that would be happy to sell you a closed source product that's only been peer reviewed by the intelligence community.)
Everybody's happy, no? Oh, yeah. The public. Those are the guys who a) finance the system and b) think the system is taking care of their finances.
I'm not so sure.
The real problem that the government's continual threat-making is exacerbating is that tremendous quantities of very private information are travelling in virtual plaintext. Go find out how many large companies make the rather ridiculous assumption that "Phone Company = Private Connection". There's no small amount of irony in the fact that a Virtual Private Network is in fact significantly more secure than Telco-Mediated Point to Point links. VPN design specs accept the fact that they're traveling over insecure lines. Legacy Private Networks presume that there's nobody able to listen in. This is a rather ridiculous assumption, particularly with the recent actions of the US Government against alternative phone service providers who were failing to provide wiretap/geoposition trace capabilities.
Is there a Telco engineer around who hasn't accidentally (or intentionally) listened in on a circuit to "make sure it's working"? Have we not been paying attention to the recent exposures regarding the Echelon system?
It is simply undeniable that Telco links, be they voice or Frame Relay, are insecure. The arguably misnamed "Virtual Private Network" is far less virtual than its predecessors, and the government knows it.
Then again, if the public is having its data tossed around in a forced-sniffable form, so too with the company's data which is being tossed around right alongside it. Maybe Corporate Rights are being trampled on after all.
Comments?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
It's always hard to determine the official verbiage from mainstream media; reporters often get things wrong. I'll give The New York Times the benefit of the doubt though.
If what the NYT says is true then Open Source software wasn't specifically excluded from the recent relaxed stance on crypto software. No source code may be exported whether it's Open Source or a commercial entity. Please don't embellish stories with information that isn't factual.
A bigger point is that constraints on the export of source code have been rendered ineffective anyway. I can still publish a book (such as Bruce Schneier's Applied Cryptography) that contains source code though technically I can't publish it in a machine-readable format. Just about anybody can get access to a decent OCR program however (is there one available for Linux incidentally?) and can scan in the source code and generate a machine copy.
A paper book isn't the most efficient way of publishing source code but it is a workaround. If uploading the source to Blowfish to a server in Jakarta, Indonesia is illegal then it is possible for a person located there to purchase the book, OCR it and set up an overseas mirror there.
A couple of points...
1. (minor gripe) How come OpenBSD is not mentioned in Slashdot's original mention of the article? (end minor gripe). Please note: That's a *minor* gripe, people!
2. I thought the US Navy was using WinNT exclusively? =)
Thus, the Navy's project is built with Italian enhancements to a Canadian product that was born in a U.S. university. What is more, it is likely that the software contains pieces of code contributed by programmers in Finland, Germany, Eastern Europe, Russia, Australia, India, Mexico and other countries.
Open Source Rules OK! Go BSD GO!!! =) This being said, isn't it sad^H^H^Hgood that, because of brain-damaged US policies, good programmers can now work in peace in Canada?
3. If Canada starts behaving as stupidly as the American administration does, Theo de Raadt will have to move to Finland or Sweden. Same weather, same relaxed crypto policies, same Internet access. Just a big waste of time. I'll be the first to send some $$$$ his way to make his moving easier...
4. You will have to pry my OpenBSD CDs from my cold finger, Janet Reno! (see below) =)
If the attorney general succeeds in persuading the Europeans and Canadians to shut off the flow of open-source security software, he said, "I think it would be a tragedy."
It's not going to be a tragedy, just a complete waste of time -- most Europeans are *fed up* with minor inconveniences such as NSA's Echelon and NSI's policies. They are not going to go back to the "old ways" of doing things. The US administration is behaving in such a heavy-handed manner, there is no way most European governments are going to clamp down on crypto. Even *France* authorized heavy crypto recently for crying out loud! That was a country that used to be lumped with China and Iran as far as crypto was concerned!
5. Dear Janet: please *get* *a* *clue*. The cat is out of the bag, and there is no way you'll ever, *ever* get it back in...
But in case Reno has her way, the software industry is developing end runs. The administration, for example, has so far declined to regulate the international movement of source code if it is printed on paper, presumably out of concern that such regulation would violate the First Amendment. Thus, several companies are already shipping printouts of their code to Europe where it is scanned into computers.
So: I can't get the source, but I can get the book, right? How stupid can you get?
When asked about the policy's impact on the development of Linux, FreeBSD, and other open-source projects that serve the government's own needs, Reinsch, the commerce undersecretary, said: "It's an important question which we need to study a lot more. We don't have all of the answers."
You probably mean you don't have *any* answer. The crypto part of Linux, *BSD, etc... will simply be programmed outside the US, as it has been for a long time. US crypto policy, just like the walls of Jericho, is built on sand. And it's just as useless.
If only those people could leave people like Theo alone and free to code... *Sheesh*
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)