Slashdot Mirror


Still Can't Export Open-Source Crypto

The New York Times today reports that the Easing on Software Exports Has Limits. (Free reg. required.) Turns out the administration's recent change of heart on crypto specifically excludes open-source software. "When it comes to source code ... 'nothing has changed.'"

8 of 139 comments

  1. Well... by Anonymous Coward · · Score: 4

    Rather than bitching and complaining about this obvious lame/idiotic law why don't we do something about it? Organize something. Have a civil disobedience day where we upload whatever piece of encryption software we damned well want to foreign servers. Set a date, hype it up like Microsoft hypes up NT, and then execute. It's important that we do this. Courts do recognize mass civil disobedience.

    1. Re:Well... by evilpenguin · · Score: 4

      While I do think civil disobedience is a fine and noble thing, and I wouldn't oppose this idea, have any of you tried writing your congresspersons and senators a letter? A letter writing campaign will have much more effect than an act of civil disobedience. A friend of mine once worked in a congressman's office. I asked him how many letters they had to get on a subject before it would actually be brought to the congressman's direct attention. He said four. Four!!! (Note that there are exceptions, like gun control and abortion which generate mail like crazy, but on some garden variety issue, not on the "radar", it takes four letters).

      I'm sure this varies from issue to issue and from congressperson to congressperson, but I still urge you (and everyone else who cares about this) to write an original letter and put it on paper, sign it, and send it to each member of your delegation.

      It *does* have an effect.

      The "special interests" control the process in no small part because we don't exercise our freedoms. Want freedom of speech? Say so!

      See http://www.senate.gov/senators/index.cfm for a list of senators, follow through to their mailing addresses.

      See http://www.house.gov/zip/ZIP2Rep.html to find out who your House member is. Follow through to their web pages which should offer an address.

      Use your rights and let freedom ring (okay, I know I'm sounding hokey, go rent Mr. Smith Goes to Washington and get all hokey too!)

  2. outlawing math by Hollins · · Score: 4

    It never ceases to amaze me that my government has essentially decided it can regulate math. I cannot specify a sequence of simple mathematical operations and send that sequence to anyone I choose.

    It's like Congress deciding they want to rewrite the Law of Gravity.

  3. Clueless by emmons · · Score: 4

    This really only goes to prove how clueless our leaders appear to be about technology.

    "This happens to suit U.S. government intelligence and law-enforcement agencies, which worry that access to the source code for encryption and security software would enable terrorists, drug dealers and other criminals to devise secure communications networks that agents would not be able to monitor."

    This shows the apparent stupidity and lack of competence in our government agencies. Outlawing crypto doesn't keep it out of the hands of those who want it for covering illegal deeds. If you've got the resources to be running an organized illegal operation like is mentioned here, getting your hands on software that will encrypt your communications will not be difficult no matter how illegal it may be.

    "The problem is that by the government's definitions, OpenBSD is foreign software"

    How, exactly, is this a problem? It is a problem for the US government because they can't stop strong encryption from being made in other countries?

    "The administration, for example, has so far declined to regulate the international movement of source code if it is printed on paper, presumably out of concern that such regulation would violate the First Amendment."

    So does this mean that if we only write the code for strong encryption and print it out on paper then we can export it? Since when is there a distinction of free speech on paper and free speech in .txt files? Is this the same government that insists we must save the trees??

    Is this really a brain dead government honestly trying to keep something from the hands of dangerous criminals? Or does it look more like a government that is trying to make it difficult for companies to develop products for the everyday consumer and more importantly, "petty criminals"?

    --
    Do you even know anything about perl? -- AC Replying to Tom Christiansen post.

  4. True goal: prevent crypto proliferation in the US by AxelBoldt · · Score: 5

    The US government is not stupid. They know very well that the strong crypto algorithms are well known all over the world and free crypto software is widely used and can be downloaded from many non-US servers (and can also be produced by every CS major in a month).

    So why do they insist on export controls? It's plain: to slow down crypto proliferation inside the US. The major email programs still don't include seamless crypto integration.

    The most revealing bit of the puzzle is that source code is not exportable if it only contains hooks to allow easy plugging in of foreign developed crypto code. No US developed free software currently contains hooks like that, since it is impossible to prevent free software from being exported. It's not about stopping the flow of crypto algorithms to foreigners, it's also not about terrorists and organized crime (they can easily invest a bit of work and put the hooks in themselves): it's all about preventing widespread adoption of strong crypto for everyday communications in the US.

    The government currently listens in on telephone conversations and email, and they would like to continue in the future.

  5. Corporate Rights Honored; Business As Usual by Effugas · · Score: 5

    There seems to be some misunderstanding as to the purpose behind the recent administration decision to reduce barriers to the export of encryption software.

    While government is ostensibly concerned with the rights of citizens, its primary goal is self-preservation. (Do you want to lose your job? Neither do they.) The furor over encryption technologies was threatening to move voting blocs and critical endorsements; very well endowed companies and individuals were losing money due to certain governmental policies.

    Something had to be done.

    Meanwhile, those same guys who cruise Silicon Valley harassing company after company, working tirelessly to put an ear in every wall, are skillfully scaremongering those same politicians with the kind of information you just don't get from a Freedom of Information Act request. These guys inspire terror in more than a few Silicon Valley techies; you don't think they know how to play the fear game with a few PR-conscious congresspeople and secretaries?

    Something had to be done for them too.

    So, the general concept was this: Remove the heavy artillery from the open-encryption campaign by placating the highly-funded (and thus dangerous in the PR department) companies seeking to make millions off of encryption sales. Do this by offering a slightly increased acceptable keylength, as well as a "one stop shop" for an intelligence community OK to speed acceptance.

    Meanwhile, do absolutely nothing for open source code, and in fact have Janet Reno talking with Germany about ways of suppressing critical infrastructure tools such as ssh and SSLeay. (No need to worry, there are many businesses that would be happy to sell you a closed source product that's only been peer reviewed by the intelligence community.)

    Everybody's happy, no? Oh, yeah. The public. Those are the guys who a) finance the system and b) think the system is taking care of their finances.

    I'm not so sure.

    The real problem that the government's continual threat-making is exasperating is that tremendous quantities of very private information are travelling in virtual plaintext. Go find out how many large companies make the rather ridiculous assumption that "Phone Company = Private Connection". There's no small amount of irony in the fact that a Virtual Private Network is in fact significantly more secure than Telco-Mediated Point to Point links. VPN design specs accept the fact that they're traveling over insecure lines. Legacy Private Networks presume that there's nobody able to listen in. This is a rather ridiculous assumption, particularly with the recent actions of the US Government against alternative phone service providers who were failing to provide wiretap/geoposition trace capabilities.

    Is there a Telco engineer around who hasn't accidentally (or intentionally) listened in on a circuit to "make sure it's working"? Have we not been paying attention to the recent exposures regarding the Echelon system?

    It is simply undeniable that Telco links, be they voice or Frame Relay, are insecure. The arguably misnamed "Virtual Private Network" is far less virtual than its predecessors, and the government knows it.

    Then again, if the public is having its data tossed around in a forced-sniffable form, so too with the company's data which is being tossed around right alongside it. Maybe Corporate Rights are being trampled on after all.

    Comments?

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

  6. A few points by substrate · · Score: 5

    It's always hard to determine the official verbiage from mainstream media; reporters often get things wrong. I'll give The New York Times the benefit of the doubt though.

    If what the NYT says is true then Open Source software wasn't specifically excluded from the recent relaxed stance on crypto software. No source code may be exported whether it's Open Source or a commercial entity. Please don't embellish stories with information that isn't factual.

    A bigger point is that constraints on the export of source code have been rendered ineffective anyway. I can still publish a book (such as Bruce Schneier's Applied Cryptography) that contains source code though technically I can't publish it in a machine readable format. Just about anybody can get access to a decent OCR program however (is there one available for Linux incidentally?) and can scan in the source code and generate a machine copy.

    A paper book isn't the most efficient way of publishing source code but it is a workaround. If uploading the source to Blowfish to a server in Jakarta, Indonesia is illegal then it is possible for a person located there to purchase the book, OCR it and set up an overseas mirror there.

  7. Another complete waste of time by Noryungi · · Score: 5

    A couple of points...

    1. (minor gripe) How come that OpenBSD is not mentioned in Slashdot's original mention of the article? (end minor gripe). Please note: That's a *minor* gripe, people!

    2. I thought the US Navy was using WinNT exclusively? =)

    Thus, the Navy's project is built with Italian enhancements to a Canadian product that was born in a U.S. university. What is more, it is likely that the software contains pieces of code contributed by programmers in Finland, Germany, Eastern Europe, Russia, Australia, India, Mexico and other countries.

    Open Source Rules OK! Go BSD GO!!! =) This being said, isn't it sad^H^H^Hgood that, because of brain-damaged US policies, good programmers can now work in peace in Canada?

    3. If Canada starts behaving as stupidly as the American administration does, Theo de Raadt will have to move to Finland or Sweden. Same weather, same relaxed crypto policies, same Internet access. Just a big waste of time. I'll be the first to send some $$$$ his way to make his moving easier...

    4. You will have to pry my OpenBSD CDs from my cold finger, Janet Reno! (see below) =)

    If the attorney general succeeds in persuading the Europeans and Canadians to shut off the flow of open-source security software, he said, "I think it would be a tragedy."

    It's not going to be a tragedy, just a complete waste of time -- most Europeans are *fed up* with minor inconveniences such as NSA's Echelon and NSI's policies. They are not going to go back to the "old ways" of doing things. The US administration is behaving in such a heavy-handed manner, there is no way most European governments are going to clamp down on crypto. Even *France* authorized heavy crypto recently for crying out loud! That was a country that used to be lumped with China and Iran as far as crypto used to be concerned!

    5. Dear Janet: please *get* *a* *clue*. The cat is out of the bag, and there is no way you'll ever, *ever* get it back in...

    But in case Reno has her way, the software industry is developing end runs. The administration, for example, has so far declined to regulate the international movement of source code if it is printed on paper, presumably out of concern that such regulation would violate the First Amendment. Thus, several companies are already shipping printouts of their code to Europe where it is scanned into computers.

    So: I can't get the source, but I can get the book, right? How stupid can you get?

    When asked about the policy's impact on the development of Linux, FreeBSD, and other open-source projects that serve the government's own needs, Reinsch, the commerce undersecretary, said: "It's an important question which we need to study a lot more. We don't have all of the answers."

    You probably mean you don't have *any* answer. The crypto part of Linux, *BSD, etc... will simply be programmed out of the US, as they have been for a long time. US crypto policy, just like the walls of Jericho, is built on sand. And it's just as useless.

    If only those people could leave people like Theo alone and free to code... *Sheesh*

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)