Slashdot Mirror


Details About New Crypto Export Regulations

Codex The Sloth writes "The Industry Standard has a story about industry feedback to the Clinton Administration's new Crypto Regulations, which are being developed behind closed doors. Evidently it requires high security like Hillary Clinton's health care reform plan..." Worth a read. It sounds like we're getting somewhere, although not everywhere.

34 of 72 comments

  1. Looks interesting... by pb · · Score: 2

    but boy was that vague. They want to relax some of the export restrictions? So that whatever you're selling might only constitute 10% munitions? Or maybe only if you're using it wrong, or in the wrong market?

    If this made sense to you, please post and clear it up for us. This doesn't even look like the government is considering giving us more bits for encryption! (They don't allow enough bits, and no kibbles, so write to your Congressman!)
    ---
    pb Reply or e-mail rather than vaguely moderate.
    1. Re:Looks interesting... by SEWilco · · Score: 2
      Notice that this USA Today summary points out there are important phrases which are undefined. So the encryption export proposal is itself in code.

      I like the Fiat example. At what point is a company a government entity and thus different restrictions apply?

  2. A comment on regulating crypto. by GossG · · Score: 2

    I'm told that the DVD standard was hackable partly because of mandatory weakening of exportable products from the US. Will the next generation of players come from Japan or Germany and ignore US limits entirely?

    Now, I like the fact that DVD is now just data stored on a medium. But I suspect Hollywood is wishing that they had bought into a non-USA standard that was allowed to be as strong as the builders wanted it to be.

  3. Here it Is by thales · · Score: 2

    here's a link: http://www.cdt.org/crypto/admin/regs112399.shtml

    --
    Quemadmodum gladius neminem occidit, occidentis telum est (A sword never kills anybody; it is a tool in the killer's hand)
    1. Re:Here it Is by nowan · · Score: 3

      Ok, so:

      Sec.740.13 (e) Non-Commercial Source Code

      (1) Encryption source code controlled under 5D002 which would be considered publicly available under Section 734.3(b)(3) and which is not subject to any proprietary commercial agreement or restriction is released from EI controls and may be exported or re-exported without review under License Exception TSU, provided you have submitted to BXA notification of the export, accompanied by the Internet address (e.g. URL) or copy of the source code by the time of export. Submit the notification to BXA and send a copy to ENC Encryption Request Coordinator (see Section 740.17(g)(5) for mailing addresses).

      (2) Source code released under this provision remains of U.S. origin even when used or commingled with software or products of any origin, and any encryption product developed with source code released under this provision is subject to the EAR (see Section 740.17).

      (3) The source code may be exported or re-exported to all destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria.

      -----

      * So does this mean that if a single line of the code is written in the US it's subject to this business? (see 2)

      * And what's this notification clause (1) mean?

      * I can't figure out what EAR is, but in section 740.17 which it refers to I find:

      (f) Open cryptographic interfaces. License Exception ENC shall not apply to exports or re- exports of encryption commodities and software including components, if the encryption product provides an open cryptographic interface (as defined in part 772).

      And below that in the definition of terms:

      Open Cryptographic Interface. A mechanism which allows a customer or other party to insert cryptography without the intervention, help or assistance of the manufacturer or its agents, e.g., manufacturer's signing of cryptographic code or proprietary interfaces.

      So all in all I'm not too positive on this, though I can't say as I really understand it.

  4. My expected outcome to this by renegade187 · · Score: 4

    Encryption is now limited to rot13 so there's no need for key escrow. Of course all governmental encryption will be increased to tripleDES!

    If I have data needing protection, I RAR it with a password, then put it on CD and hide the CD.

    --
    icq:=22921393;
    1. Re:My expected outcome to this by Anonymous Coward · · Score: 2

      rot13 is for export. Within the US, you'll be allowed to use rot26.

  5. Not Good Enough by Skyshadow · · Score: 2
    Man, it's BS until it's completely unregulated. The current US system is so completely harebrained that it could only have been dreamed up by politicians.

    Someone needs to just open a Strong Encryption company outside the US (Mexico? That's where I'd put the factory anyhow) and start mass-shipping crypto-enabled software and phones to the US.

    Of course, it's all for naught -- quantum encryption means that they'll have to mass deploy cranial implants to be sure of what I'm up to.

    --
    Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
    1. Re:Not Good Enough by Floyd+Turbo · · Score: 3
      Someone needs to just open a Strong Encryption company outside the US (Mexico? That's where I'd put the factory anyhow) and start mass-shipping crypto-enabled software and phones to the US.

      It's called www.kerneli.org. They have a pretty good ftp site, too :)
  6. Government vs Private use ????????!!!?!?! by Dacta · · Score: 2

    Why are there different laws for foreign Governments and foreign private use?

    That has got to be one of the most stupid things I've ever heard of, even compared to the stupidity of the laws at the moment.

    A (non-US) country's citizens are allowed to buy strong crypto, but that government isn't???

    Maybe (and this may be wayyyyy wrong) foreign governments might not like that much?

    If anything, this is going to encourage non-US software companies to enter the crypto market.

    Imagine this: Network Associates spends millions of $'s on a big advertising campaign in Europe, so some government department decides they need strong crypto.

    They head down to the local computer shop with a nice $10 Mil to equip all their offices only to be told "Sorry - you are government, we can't sell this to you, because it's made in the US"

    "Oh no! I've got this $10 Mil for strong crypto software. How can I use it?"

    "Well... there is this local company.. it is crappy bit of software, but we can sell it to you"

    So the government buys CrappySoft Encrypter, and CrappySoft then enters the US market, with a nice claim "We are the official supplier to a million European government workers" - what US company can boast that?

    --Donate food by clicking: www.thehungersite.com

  7. Here's some conjecture.... by Dwarf_Sibling · · Score: 4

    I have some third party knowledge from a DoD official regarding the new regs. The information was current as of Comdex last week. Take this with several grains of salt as it is most definitely hearsay. I'm only offering it up because the included article seemed to raise more questions than it posed answers to.

    According to this individual, they are completely relaxing any bit-length restrictions on encryption technology. When sold through "retail", it is completely free of restriction. However, when sold to government at least, or perhaps major corporations, encryption vendors are required to track the end user. It wasn't specified whether or not this information needed to be expressly given to the government at point-of-purchase or only after a subpoena. If it's the latter, I'll sleep better. If it's the former, I think we just traded relaxation of one regulation for a tightening of another. Btw, countries like Iran, Iraq, Libya, etc. are still on the black list. But we can't even sell them a stick of gum, let alone an encryption device.

    -DS

    --
    "Any sufficiently advanced technology is indistinguishable from magic." - Arthur C. Clarke
  8. What I don't get by True+Dork · · Score: 3

    is why Network Associates is referred to as being able to weigh in with their opinion. I personally think they showed us their opinion when they became members of the Key Recovery Alliance (http://www.kra.org). After I saw they had joined, we promptly banned all Network Associates products in our offices. Does this not bother anyone else?

  9. Re:i wish the usa would lighten up by EngrBohn · · Score: 3

    You realize, of course, that any license which forbids use by residents of the U.S. would not satisfy the Open Source Definition. Of course, neither would one that would forbid use by residents of Cuba, Syria, Iraq, etc.
    Christopher A. Bohn

    --
    cb
    Oooh! What does this button do!?
  10. Unacceptable by bnenning · · Score: 3
    The fact that the regulations are being developed secretly is not a good sign. I seriously doubt the revised laws will offer any improvement in the area of personal freedom. They may make it easier for commercial companies to make money selling their products, but as long as the FBI and NSA are calling the shots don't expect to be able to freely distribute strong crypto.

    I don't believe compromise is possible on this issue. Either I can write open source crypto code and post it publicly without going to jail, or I can't. I see no indication that the FBI and NSA are prepared to allow that. My guess is that they're stalling for time, since they know if this issue ever gets before the Supreme Court all restrictions are likely to be struck down.

    --
    How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
  11. Who needs organized cryptography, neway?? by EL8+DOOD · · Score: 3

    Mainstream cryptography is for wusses! If you use your own proprietary crypto system, then not only will the cracker have to factor to hell, they will also have to figure out what the fsck is going on first. It's too easy to crack these days with everyone using normal DES.

    Anyway, I have a new super crypto algorithm that is freely exportable, I think. Feel free to use it all you want, just give credit where it is due.

    THE NINJA/LINE NOISE ALGORITHM by EL8 DOOD

    Ok, here is the basic idea: Say you have a 2000 word secret message you want to send to someone. You could just substitute letters for new letters, ie a=x, b=d, etc, but that would die to a statistical analysis attack since the most common letter would be e, and so on.

    Now, here is where the line noise comes in: After doing a substitution cypher, you fill a file with a billion random characters! Then you randomly insert the secret message somewhere in the middle of the randomness! There will be so many characters that those in the actual message will not be statistically significant and will thus be undetectable. There is _NO WAY_ to crack this unless you want to go through every possible substitution cypher (26 factorial possibilities) and search a billion bytes for something which resembles English.

    In short, my algorithm is better than des and freely exportable too. Once word gets out on my great achievement, Reno might try to get my algorithm banned overseas, so use it while you can!

    --
    Linux rools and Microsoft drools, so moderate this post up already
    1. Re:Who needs organized cryptography, neway?? by QuMa · · Score: 2

      Actually, a text message should stand out like a sore thumb in a random stream, even if it is substituted. Try reading Applied Cryptography.

    2. Re:Who needs organized cryptography, neway?? by hey! · · Score: 2

      Generate your noise so it has the same statistical properties as your message.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
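    The two replies above make a concrete, testable claim: a monoalphabetic substitution keeps the letter statistics of English, so a message dropped into uniform random letters is located by scanning for the region whose statistics differ, while noise generated with the message's own letter frequencies removes that contrast. The following is an added example written for this page, not code posted by anyone in the thread. It uses the index of coincidence (IC) as the statistic: the probability that two positions of a text hold the same letter, about 0.066 for English and 1/26 for uniform random letters. SAMPLE_MESSAGE is constructed for the demo, and the window and step sizes are arbitrary choices.

```python
# Added example, not from the original thread: a sliding-window index of
# coincidence scan that locates a substitution-ciphered English message
# buried in random letters ("line noise"), and a check of what happens
# when the noise is generated with the message's own letter frequencies.
import random
import string
from collections import Counter

ALPHABET = string.ascii_lowercase

# Constructed sample plaintext; any few hundred letters of English behave alike.
SAMPLE_MESSAGE = (
    "The export regulations argued over in this thread limit the key length of "
    "software shipped abroad but say nothing about how badly a home grown "
    "cipher can fail. A simple substitution cipher preserves the letter "
    "frequencies of the plaintext, so burying the result in random characters "
    "does not hide it. The statistics of the message differ from those of the "
    "noise, and a sliding window scan finds the region where they change. "
    "Use published algorithms that have been reviewed by people who break "
    "ciphers for a living instead of inventing a new one for each project."
)


def index_of_coincidence(text):
    """Probability that two distinct positions of text hold the same letter.
    English prose scores about 0.066; uniform random letters score 1/26."""
    n = len(text)
    if n < 2:
        return 0.0
    counts = Counter(text)
    return sum(c * (c - 1) for c in counts.values()) / (n * (n - 1))


def substitute(plaintext, key):
    """Monoalphabetic substitution. key is a permutation of ALPHABET;
    non-letters are dropped, as the thread's scheme implies."""
    letters = "".join(ch for ch in plaintext.lower() if ch in ALPHABET)
    return letters.translate(str.maketrans(ALPHABET, key))


def embed(ciphertext, noise_len, rng, weights=None):
    """Insert ciphertext at a random offset inside noise_len random letters.
    weights=None gives uniform noise; a 26-entry list gives weighted noise."""
    noise = rng.choices(ALPHABET, weights=weights, k=noise_len)
    offset = rng.randrange(0, noise_len)
    noise[offset:offset] = list(ciphertext)
    return "".join(noise), offset


def scan(stream, window=300, step=50):
    """IC of every window; returns a list of (start, ic)."""
    return [(i, index_of_coincidence(stream[i:i + window]))
            for i in range(0, len(stream) - window + 1, step)]


def locate_message(stream, window=300, step=50):
    """Start and IC of the most English-looking window."""
    return max(scan(stream, window, step), key=lambda t: t[1])


def demo(seed=1999, noise_len=20000, window=300):
    rng = random.Random(seed)
    key = list(ALPHABET)
    rng.shuffle(key)
    ct = substitute(SAMPLE_MESSAGE, "".join(key))

    # Case 1: uniform noise, as proposed. The message region stands out.
    stream, offset = embed(ct, noise_len, rng)
    found, found_ic = locate_message(stream, window)
    noise_only = stream[:offset] + stream[offset + len(ct):]
    overlaps = found < offset + len(ct) and found + window > offset

    # Case 2: noise drawn with the ciphertext's own letter frequencies.
    # First-order statistics no longer separate noise from message.
    counts = Counter(ct)
    weights = [counts[ch] + 1 for ch in ALPHABET]  # +1 so no letter has weight 0
    stream2, offset2 = embed(ct, noise_len, rng, weights)
    noise2_only = stream2[:offset2] + stream2[offset2 + len(ct):]

    return {
        "message_ic": index_of_coincidence(ct),
        "uniform_noise_ic": index_of_coincidence(noise_only),
        "uniform_hit": overlaps,
        "found_ic": found_ic,
        "matched_noise_ic": index_of_coincidence(noise2_only),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

    Once the scan has pinned down the region, the remaining work is ordinary frequency analysis of a substitution cipher, not a search over 26! keys. Matching the noise to the message's single-letter frequencies defeats the IC scan above, but it does not reproduce the digram and trigram structure of English, so a scan on pair frequencies would still separate the two; a padding scheme only hides a message from statistics it was built to imitate.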
  12. Maybe the US / FBI are wising up... by evilj · · Score: 2
    • From their old export policy, one might infer the insular attitude "Our encryption is American, therefore it's the best".
    • The effect of the policy was that other, more effective, forms of encryption were developed outside the United States, and they're now wising up to the fact that if an Iranian terrorist wants to send military grade encrypted attack plans, he can.
    • The insistence of government authorities around the world on key escrow / backdoors is destined to fail, as independent software authors will always be willing to write commercial/military grade encryption products which do not provide key escrow / backdoors.
    • Government authorities worldwide now realise that it is expedient to allow encryption for the growth of e-commerce.
    From these points, it can be concluded that the US restriction on export of encryption products has only harmed US business, as similar/better products are available outside the US.
  13. This part bothers me... by diaphanous · · Score: 3

    "Last night, the government group released a preliminary draft to several companies that manufacture encryption products. The government asked the firms to keep the details secret for the time being" I don't see any reason for the government to restrict the public from reading the report except to minimize nettlesome grass roots opposition to the new regulations. In a democracy the whole public (not just a select few corporations) is supposed to be able to review, discuss, and agitate for or against rules that will affect everyone. Though by and large it seems as if most companies have tried to stand up to the NSA and the Clinton administration when faced with absurd crypto regulations, I worry that they may find a path that optimizes their profits but minimizes our privacy.

  14. New regulations don't help free software by Anonymous Coward · · Score: 3

    The administration says that the regulations were modified to allow noncommercial source code export. But then the draft of the regulations says that it is specifically still illegal to send source code to the Seven (e.g. Cuba). Since that's the case, it could still be illegal to post crypto code on the web, in anonymous CVS, on an anonymous FTP site, or in newsgroups -- just as it is now. Unless the government specifically says that open and unrestricted electronic publication of crypto code is legal, the situation may not change at all -- because FTP site operators and so on could still be threatened with prosecution, because someone in Cuba can still download the code.

    1. Re:New regulations don't help free software by gorilla · · Score: 2
      I happen to know a Canadian consultant who helped get an ISP in Iran onto the net.

      While people in the US are restricted, the rest of the world isn't. There isn't any particular reason to connect directly to the US, and there is plenty of non-US, non-restricted equipment to use.

  15. Basis for understanding all this by Hrunting · · Score: 2

    I generally don't read the crypto articles so excuse me if this question has been asked (and/or answered) before, but what are other countries' crypto regulations like? Is the US the only country with such regulations? If not, how strict are other countries and are any worse than the US? I can read tons and tons of articles about why people think this is so awful, but I personally can't really understand all the venom unless I understand the context.

    1. Re:Basis for understanding all this by elflord · · Score: 2
      It varies. Some countries ( a lot of Europe, Canada, and Australia ) are much better than the US ( ie you can export crypto ) but a few countries are as bad as the US ( eg France )

      Cheers,

  16. I wish... by Greyfox · · Score: 2
    I wish our fucking politicians would get their god damned heads out of their fucking asses so I could get some actual fucking work done.

    You know what should be criminal? It should be criminal that I have to ftp to Finland to get my crypto products because no one will post them here in the states. It should be criminal to say that if I do that and then send the source to my friends in, say, Romania, that I could and probably would be arrested for what amounts to trafficking in arms over international borders. It should be criminal that I can't get a mail program that incorporates strong crypto here in the states because of the government stance on cryptography, including "Crypto enabling APIs." I think it should be criminal that in 10 years my country is going to be a fucking THIRD WORLD COUNTRY because even goddamn ETHIOPIA will have surpassed us in the new world economy. That's what I think should be criminal.

    </flame>

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  17. How about the discordian cypher? 100% unbreakable! by Greyfox · · Score: 2
    Here's how it works:

    Take your message. Say... "Hail Eris"...

    Put all the vowels at the end ("HLRSAIEI")

    Reverse Order ("IEIASRLH")

    Convert letters to numbers: (9-5-9-1-19-18-12-8)

    Put into numerical order (1-5-8-9-9-12-18-19)

    Convert back to letters ("AEHIILRS")

    This cryptographic cypher code is GUARANTEED to be 100% unbreakable.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  18. Scrap them by gargle · · Score: 2

    Encryption regulations are a royal pain, especially for small developers. I had an idea for a program that uses cryptography, so I got together with a friend to write this. After nearly half a year, our software is almost done, but the issues regarding crypto regulations are unresolved.

    In order to comply with the export regulations, we had to cripple our software (56bit DES instead of 3DES), because we plan to offer our software for download over the internet but we don't have the resources to limit our software to people in the US only. Even then, there are still more problems. We have to submit our software for a "one time technical review". After spending hours and hours poring through the regulations and making phone calls to the BXA, we finally figure out what has to be done. There are half a dozen forms to fill out, we have to describe our software in detail, spend time modifying our code so that the encryption strength cannot be easily increased, etc. etc.

    We haven't managed to find the time or energy to do this yet. I'm still studying and my friend holds a full time job. We barely have time to work on the software proper, let alone deal with legal crap like this. Perhaps someone has some advice to offer on how we should go ahead?

  19. The point is... by Greyfox · · Score: 2
    Most US citizens don't bother with crypto either, because they can't get a mail program that integrates strong crypto. So they send all the E-Mail in the clear, allowing Echelon to work much more efficiently and not spend the 15 microseconds it takes the NSA to factor primes, something they've been able to do with ease since the 1960's when they discovered the formula for fast factoring. They've managed to steer every educational institution in the US and many other countries away from the relatively simple math it takes to do that. Any math professor who gets too close gets a little visit from the men in black. In a nutshell, the whole crypto scene is a red herring to distract us from the REAL facts, that they ARE listening to EVERY communication on the planet, and compiling the SINGLE largest database of PORN anywhere on the planet.

    Nukes to Saddam? They couldn't care less.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  20. Re:I can't wait for 128bit encryption on IRC by Harvey · · Score: 2

    You know, there are african-americans on slashdot who go about their business, commenting insightfully on discussions, and trying to help the free flow of information we have here by not using inflammatory racial slurs. I suggest you try to be more like them.

    --
    Harvey

  21. RAR seems like a bad choice. by Paul+Crowley · · Score: 2

    I can't find any description of what encryption algorithm RAR uses on their web pages or anywhere else. That usually means it's a home-grown piece of crap. Furthermore, the password is limited to 10 characters, so it's weak. See On Cryptosystems untrustworthiness or this page on Russian Password Crackers including a couple of RAR crackers to get the picture about how bad the situation is.

    Use PGP, or ScramDisk, or SFS, or similar systems which at least tell you what algorithms they're using.
    --

  22. The regs REALLY DO stop people from using crypto. by Admiral+Burrito · · Score: 2

    I think the main mistake the American Government is making is that they assume they can prevent anyone from using strong encryption. Actually they can't.

    Actually, they can, and have.

    There is a difference between "preventing anyone from using strong encryption" and "preventing everyone...". They can't stop everyone from using crypto but they can stop some people.

    In fact, they've stopped most people from using strong encryption. Most people don't have crypto-aware email software. Most people continue to use "export-grade" web browsers. Less than one percent of internet traffic is strongly encrypted. Cellphones are still using weak crypto or none at all. Landline phone traffic is almost completely unencrypted.

    The mess of government regulations has successfully slowed the spread of strong encryption. Promises about lifting those regulations have been used repeatedly to keep the industry from forming an effective opposition (why actively oppose something which will go away on its own "RSN").

    Don't be fooled into thinking that we've won. That's exactly what they want us to think.

  23. What I don't get: by larien · · Score: 2
    Ok, the FBI/NSA/whatever want to stop criminals/terrorists having data that they can't get access to, so they're crippling stuff exported from the US. I can see the reasons, but there's a major flaw here.

    As it says in the article, there's >800 other crypto products which are freely importable to US, so the terrorists can just use those. If I wanted to hide data from the govt, I'd just download PGP (the war on that one has already been lost) and encrypt my data. I could use ssh with 1024 bit encryption to keep my data secure over the network.

    In short, all the US regulations do is:

    • Put .us firms at a disadvantage in competing against the rest of the world
    • Piss off the non-us-ians who can't get secure versions of eg Netscape (but check out Fortify) or NT or whatever.
    Somebody desperately needs to LART some clues into these people.
    --
  24. I've never understood why... by maroberts · · Score: 2

    ..the US has export bans on strong encryption products. Countries & governments to where export is banned can just simply download whatever they want [sometimes anonymously] via the Internet anyway.

    OTOH, and perhaps paradoxically, I have no problems in the government doing its best to snoop on the conversations of other governments. I don't think we should ever forget that World War II was essentially won by the fact that the US and UK could read German and Japanese messages. The damage at Pearl Harbour could possibly have been limited if certain messages had been decrypted and communicated faster. A lot of damage was caused by the US Government's line of "Gentlemen do not read each other's mail" before each World War.

    --

    Donte Alistair Anderson Roberts - hi son!
    Karma: Chameleon

  25. Draft regulations posted on sci.crypt by armb · · Score: 2

    There is a posting by Bruce Schneier in sci.crypt entitled "New U.S. Crypto Regulations (advance copy: do not distribute)". It hasn't reached DejaNews when I searched just now. It isn't signed (which is consistent with Bruce's usual postings), but it looks like a lot of work for a forgery or spoof.
    "open source code" is mentioned in the introduction, and "non-commercial encryption source-code" in the body.

    "Encryption source code controlled under 5D002 which would be considered publicly available under Section 734.3(b)(3) and which is not subject to any proprietary commercial agreement or restriction is released from EI controls and may be exported or re-exported without review under License Exception TSU, provided you have submitted to BXA notification of the export, accompanied by the Internet address (e.g. URL) or copy of the source code by the time of export."

    --
    rant
  26. Exactly! by Dacta · · Score: 2

    That is exactly what I mean - and if Network Associates can't sell their stuff anyway, that helps even more.

    I'm not from the US, BTW

    --Donate food by clicking: www.thehungersite.com