That sounds like the sort of BS I expect from traditional media, and it's exactly the sort of thing Slashdot is ordinarily good for - working around journalists who spin and release stories to suit the needs of businesses instead of their readers, or because they want to emphasize the special access they've got with publishers that ordinary people don't have. Can you imagine holding back on a story because Microsoft PR or AOL PR people suggested it would be better for them if you just sat on it for a few hours or a few days or a few weeks?
OpenBSD is a wonderful thing, but I'd hate to see Slashdot endorse a double standard for treating some software vendors with kid gloves and others with skepticism. If you keep that sort of thing up, we'll just end up with a new version of slashdot, and you guys can just do some sort of cross-license with the other lapdog media. ZD-dot, anyone?
It's unfortunate that Cailliau is apparently unable to distinguish between actual crimes (possession/distribution of child pornography) and activity which is stupid or rude or insensitive but legal (racist speech). The government's got no business tracking the second activity - and imposing a scheme by which the government approves (or disapproves) of people's access to the internet just to slow down the spread of child porn makes about as much sense as requiring a "photographer's license" or an "artist's license" before one is allowed to purchase film or pencils - those, too, might be used to create child porn. (In the US, "child porn" includes manufactured/artistic depictions of child sexuality, not just images of actual children.)
Some contributors to this thread appear to assume that a micropayment scheme implies trackable transactions, which isn't true - micropayments may use one of the "digital cash" schemes, which allow counterparties to exchange economic value irrevocably (as with cash), which means that they don't need to know each other's identities - knowing the other's identity is only important if you later plan to track that person down (or ask the state to do it) and punish them for engaging in a bad transaction. If you're certain their money is good, you can skip all of the verification and recordkeeping overhead.
I noticed something new from the NY Times today - they usually try to set two cookies, and I let them, but now they've got a third which is especially interesting in light of the anti-doubleclick techniques discussed here.
The third cookie they tried to give me today's name and value were -
RMPP-.doubleclick.net-id=A
.. the cookie itself was sent/requested from privacyproxy.nytimes.com, whatever that is.
I don't know what those are used for; they're not discussed nor disclosed in the NYTimes' online privacy policy, which does disclose/explain the other two cookies they serve.
It seems to be attached to the "House Passes Cybersquatting Bill" story, but not to some of the others, if you'd like to take a look for yourself.
First, don't forget (if you ever knew) that Netscape (now AOL) holds a patent on SSL itself. In the past, Netscape's policy was to freely license the patent to anyone who agreed not to dispute its validity, but I don't know if that's AOL's current policy, or if they'll change that in the future. There are also 14 patents which reference the SSL patent.
With respect to RSA (the company)'s control over RSA (the algorithm) it will, indeed, end on 9/20/2000 - but that means one thing to open source developers, and something else to developers who are using BSAFE or one of RSA's other toolkits.
For several years now, RSA has been very, very reluctant to issue a bare patent license for the RSA algorithm. What they will cheerfully do is give you a license to use the patent, so long as you also use their (licensed) object libraries which implement the code. This leads to continued control over the market after 9/20/2000 in two ways: by forcing licensees to recompile using other crypto libraries, since the libraries themselves are still covered by copyright even after the patent expires; and by limiting the number of competitive libraries and programmers with experience writing/using those libraries, since it hasn't been legal (in the US) to create them.
Consequently, developers who have been using RSA-licensed proprietary object code thus far will likely continue to use it (and to pay royalties to RSA) even after the patent expires. Developers who have been using open source libraries like SSLeay and OpenSSL will be well-positioned to take advantage of the expiry. The two lead programmers on the SSLeay project, Tim Hudson and Eric Young, have been RSA employees for about a year now, so updates to the package won't come from them. (See http://www.cryptsoft.com/~eeay/ for more on that.)
There's a somewhat out-of-date version available online for free at ; they charge $20/month for access to their electronic searchable full-text version.
The non-military crypto export control regs are at 15 CFR 740 (and subsequent subparts) if you're near a library which subscribes to the US' Code of Federal Regulations.
With regard to crypto software, US export control laws regulate three broad classes of behavior, which US persons (US citizens or green card holders) may not engage in -
1. the export of code which performs crypto for hiding information (crypto for authentication is treated differently), or code which has been specially designed or modified to work with crypto code
2. the transfer of technical data (plans, blueprints, documentation, test specs or results, etc) to a foreign person who will use them to create crypto code
3. providing technical assistance to a foreign person who will use them to create crypto code.
The regs do not restrict the publication and distribution of books on paper (like Applied Cryptography or the PGP source books) but they do restrict publication and distribution in electronic format (like web pages, or Applied Cryptography example programs on disk, or the PGP executables).*
Note that it's not important where the US person is located, nor how they communicate with the foreign person (other than the published printed material exception).
That's what the law prohibits.
It's important to not confuse techniques or strategies which make the likelihood of capture and conviction less likely (like using SSH to hide evidence of an illegal export) with techniques or strategies which comply with the letter of the law while frustrating its intent - e.g., doing work in the US and publishing it on paper, or developing crypto outside the US with non-US persons (Canada and Anguilla are two popular locations) to avoid the US' regulatory reach.
I'm an attorney who has worked on crypto export control issues, but the above isn't nearly complete enough to be legal advice, it's just a very short summary of current law and interpretation. If people need more information, email me and I can give you names of people who do this for a living. (not me, any more.)
* I went to a seminar on crypto export control put on by the BXA, the agency which enforces the regs, and another attorney asked one of the agency personnel to agree that loaning a foreign person a book about crypto did not constitute technical assistance or the provision of technical data, and the BXA person refused to provide an answer one way or the other. I think the First Amendment should protect that behavior, but the USDOJ and BXA have been fighting against the First Amendment in the Bernstein case for 4+ years now, so that may not be worth much.
I ordered the Firecracker kit, and it never arrived, but they sent me almost daily spams for more "great deals". Ugh. Have most other people received their Firecrackers yet? They're way beyond the FTC's 30-day limit for mail order sales, but I don't have the energy to kick them around about it at the moment. I'm sure not ordering anything else from them until they get my first order correct, no matter how cool the new stuff sounds.