Open Source's Role in Lowering Export Restrictions

Bozo points to this article (PDF) "from the latest issue of the Notices of the American Mathematical Society by Whitfield Diffie and Susan Landau. It mentions the role of Open Source software in the U.S. government's backing off on export restrictions on cryptography. Here is a quote from the article: 'Open-source software has taken its place as a major element in the software marketplace. The consequence is a general decrease in the controllability of software and,in particular,a serious threat to effectiveness of the government efforts to stop the export of software containing strong cryptography.'"

Government needs a time machine

[software_non_olet]

"a serious threat to effectiveness of the government efforts..." - are the medieval Machiavellian ideas of the government itself.

The Open Source development was only proof, that the lag between reality and government is 10 years at least - and growing.

you can't stop us, we're online

[BroadbandBradley]

here

there

everywhere!!!

Long Live GNU/Linux/Freedom!!!

Hell yeah

[extrasolar]

Free software *has* decreased the ability to control software. Slowly, its becomming less taken-for-granted that users have no rights with the software they use. I think that people--hackers and power users for now--are realizing that when developers keep control of the software they sell...they are indirectly controlling the people they sell too. Free software means more freedom. It means you have complete control over the software you use.

But...but...I'm sorry. We're talking about the Open Source Movement? Oh...then all we're in it for is free labor and less bugs right?

Sorry for my confusion.

Its more sinister than that

[Lord Hugh Toppingham]

The reason the govt does not care about strong crypto is that it almost certainly has figured out how to crack it. Either they have a quantum computer somewhere or more likely an enormous beowulf cluster of E10K Suns that can brute force almost anything. Or maybe they have finally figured out how to factor large prime numbers like Bill Gates predicted.

Re:Its more sinister than that

[ecrips]

Or maybe they realised that the people whose encryption they really want to crack (ie terriosts) isn't going to be the standard encryption which comes with your OS/browser. If you really cared about security you'd download the illegal encryption software which didn't meet the export restrictions - you wouldn't care about breaking the law.

Really its stupid asking people to submit their keys or use weak encryption - because the people you really care about are always going to be using the strongest encryption they can get their hands on - and it doesn't matter whether its legal for them to have it or not.

Re:Its more sinister than that

[jcast]

Nah, that's assuming their common sense exceeds their power lust. I wouldn't bet on it.

Perhaps not that significant

[Chope]

Having just finished Crypto by Stephen Levy over spring break, it was a pleasant surprise to see Whit Diffie's name in the news. I wouldn't make too much of the statement however.

There were a lot of different pressure points that finally caused the government to relax crypto export controls. Open source software played a part to be sure, even if it had to be printed on paper and then scanned back in again to get around the arcane export restrictions. (I don't recall if it was Stanford or MIT that actually did just that - printed source code in a font intended to be easily scanned, so it could be sent out of the country. Judges understood the First Amendment applies to paper...)

But don't forget there were a lot of others with a dog in this fight. Microsoft was not the least of them, as its foreign customers wanted strong crypto. Lotus worked very hard to get crypto into early versions of Notes and needed the export market to make the product viable. Overseas development companies were starting to provide the strong crypto that U.S. companies couldn't, and both the crypto developers like RSA and the big Microsoft gorilla's didn't like that they were grounded by Big Brother.

Phil Zimmermann did his part, to be sure. The question is, was his great contribution the fact that PGP was open source, or was it that it was uploaded onto servers where there were no "safeguards" to prevent downloading to non-US locations? The open nature of the code my have made the program attractive from the standpoint of allowing independent verification that there were no back doors, but I'm not convinced that alone was PGP's greatest contribution.

And before we all break an arm patting ourselves on the back, are we overstating the importance of strong crypto in general? Of the "billions and billions" of bytes flowing around the Internet, let alone corporate networks, how much is encrypted? With the exception of e-commerce transactions, precious little. In a society where one can be a voyeur in any fast food outlet listening to cell phone conversations conducted in the open with no semblance of security, it shouldn't be too surprising.

Yes, I'm glad we have strong crypto, but it will be a long time before any significant portion of the population will be using it with regularity.

Re:Perhaps not that significant

[mystran]

One nice thing is that most people are reading their mail unencrypted even if they used ssh for shell logins. Still one can often ask for passwords and user rights by email. Also one can easily sniff the passwords (in case of POP3 you don't even need to know anything about the protocol, never checked IMAP closely enough) and often use the same password for an ssh connection.

The best part however is sending mail. How many email users believe it's not possible to fake email address when sending mail ? How many believe it's hard ? And how many are actually authenticating with something when sending mail ? Most are using their ISP's SMTP server, sending plain text mail, no digital signatures, with a address field that can be filled with almost anything, are not aware of the extra headers that would give some pointers for were the mail actually came from, and are reading their mail using unencrypted POP3.

But hey, you understand why if you're ever tried using PGP (or GPG) with Outlook or Hotmail :)

Needs a geek to use it.