Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Privacy Your Rights Online

Crypto Restrictions Are Taking Over the World 370

zeke writes: "An article on SecurityFocus details how forced key escrow and other crypto restrictions have taken root around the world, in countries like France, South Africa, the Netherlands and the UK. Ironically, this leaves the United States -- the birthplace and graveyard of the Clipper Chip -- as one of the few bastions of unregulated encryption."
This discussion has been archived. No new comments can be posted.

Crypto Restrictions Are Taking Over the World

Comments Filter:
  • LK@$#H^LKHLKNSLKJS:FDOIWJO$#IT^JO$#@
    W$LTJLW$#JTK O(G*&SPD(GJLKJ$TLKJELGKJ
    LSDJFLK$JLK$^J%@LK^JL#^@ KHLKSDHFLKGD

    decode that message with the decoder ring you got with your SS#, and get the coorinates for osama.
  • U.S. Encryption (Score:3, Insightful)

    by Anonymous Coward on Wednesday July 17, 2002 @11:23AM (#3902324)
    Sometimes, it's really useful that the U.S. has so many different conflicting (powerful) interests, and a fairly lengthy legislative process, because it keeps things like this away (or atleast delays them a while.) Sure, the export policy was especially bad for a while, but overall, things weren't (and there will still ways around the export rules).

    Besides, we all know the NSA's top top top secret quantum computer can break any encryption quickly...
    • Besides, we all know the NSA's top top top secret quantum computer can break any encryption quickly...

      Top secret quantum computer?

      The one made by Microsoft [slashdot.org]?
      • Top secret quantum computer?
        The one made by Microsoft?

        No, not that one. The one which Microsoft doesn't even know the source code for. They just plugged it in and because it began working, it had solved the problem of its own programming.

        It only works successfully because they haven't tried to fix it, and as soon as they look at the code it will quit working because that is now the predetermined outcome.

  • And Canada (Score:3, Interesting)

    by Newtonian_p ( 412461 ) on Wednesday July 17, 2002 @11:23AM (#3902330) Homepage
    Canada is the only developped country in which there are no laws regulating encryption.

    That's one of the reasons for which Openbsd is developed there.

    • Re:And Canada (Score:3, Interesting)

      by gmack ( 197796 )
      Actually that's not true. I used to think that as well but then somone pointed me to the laws in question.

      We have a specific exemption for open source or free software. Commercial apps still have regulation (although less ornerous than the US)

    • Re:And Canada (Score:2, Insightful)

      by macdaddy357 ( 582412 )
      Anti crypto laws are pointless. Organized crime and terrorists don't use crypto. They hide messages where no one is looking for them, and send plain text using code words that mean nothing to an outsider. A lot of stupid legislators think that if they pass a law against rain, then every day can be sunny. They are idiots.
      • by Peyna ( 14792 )
        Sort of like that town that wrote a law banning Satan from their town. I'm sure he's going to listen and if he doesn't comply, they'll lock him up right away, eh?
      • Re:And Canada (Score:4, Interesting)

        by Anonvmous Coward ( 589068 ) on Wednesday July 17, 2002 @11:57AM (#3902670)
        I think the idea is not to thwart, but to provide punishment for it.

        I'm playing Devil's Advocate here, I'm not saying it's right. I think the mentality might be along the lines of "Yah well it sure sucks that we weren't able to bust Al Capone on anything but IRS dodging."

        It's very possible that they're looking for ways to define 'accomplice'. Let me put it another way: Lots of people were involved in executing 9-11. But besides the hijackers (that died), how can we punish the other people involved? Well, if they used illegal encyrption to communicate, they could be arrested and pulled out of the plan of the next attack.

        Again, I'm playing Devil's Advocate here. I'm explaining what their reasoning probably is, I'm not saying that I support it or that it'd even work. I'm saying that I could see some old powerful fart using reasoning like that.
        • I don't think you need encryption export laws to nail someone on conspiracy charges. I'm sure they have quite the array of laws at their disposal. I seem to recall (correct me if I'm wrong) that they got an accomplice of Timothy McVeigh's for something along the lines of conspiring to commit a terrorist act, or some-such. In any case, there are enough laws to protect the populace as it is. If the only crime you can manage to arrest a terrorist for is using encryption, maybe you need to do more detective work.
          • "If the only crime you can manage to arrest a terrorist for is using encryption, maybe you need to do more detective work."

            In some scenarios yes, in some no. My guess is that with a law like this, it'd be easy to sniff out Osama sympathizers and get them the h377 out of our country.

            Problem is I'm not sure that I'd be willing to give up personal freedoms just so they could do that. Too bad they don't enact laws like a contract. "This law is only good for one year and is up for renewal afterwards."

            Heh.
        • You're right. We could illegalize unlicensed oxygen use. Then we could just throw people in jail whenever we decided they did something wrong.

          Kindof like the shazz that started happening in NYC when they "cracked down" on jaywalking.
          • "You're right. We could illegalize unlicensed oxygen use."

            Im not right about anything. Heh. Who knows what's going on in the minds of the people that propose these things. I'm really curious what their real agenda is.

            " Kindof like the shazz that started happening in NYC when they "cracked down" on jaywalking."

            What shazz was that? I'd go look it up, but I'm curious about your PoV on it.
            • Got no link to a reference, but supposedly some guy that fit a description was walking along the street in NYC. Two cops stopped him, questioned him, searched him. Got nothing. So they let him go. The guy breathes a sigh of relief, and walks away. Across the street in the middle of the block.

              So, the cops arrest him for jaywalking, and bring him to the station, where they discover that he had an outstanding warrant. In this case, it was very fortunate that the cops could arrest him, 'cause he was really a crook. But the idea behind the arrest is kindof messed up. Like 90% of New Yorkers jaywalk every day. Just follow anyone you suspect until they jaywalk and you can arrest them?

              Iduno. Maybe it's not that messed up, but it struck me pretty bad.
      • Re:And Canada (Score:2, Interesting)

        >Organized crime and terrorists don't use crypto

        Who says they`re after organized criminals? I always assumed these `anti terrorist` laws will be used to harass the general public, in the same way that drug laws have been (or the anti-terrorist laws in the UK, come to that, unless you can point me in the direction of some black IRA members).
      • Organized crime and terrorists don't use crypto.
        Yeah, that's why the Feds busted Nicky Scarfo by installing a keylogger on his laptop, so that they could snag his PGP passphrase.

        Criminals use codes and obscurity as well, but they also use encrpytion.

    • Re:And Canada (Score:5, Informative)

      by dark_panda ( 177006 ) on Wednesday July 17, 2002 @11:56AM (#3902659)
      Some links to info on Canadian crypto laws:

      Electronic Frontier Canada's Crypto Page [mcmaster.ca]

      A Notice to Exporters, part of the Canadian Export and Import Permits Act: "Export Controls on Cryptographic Goods" [dfait-maeci.gc.ca]

      A speech by John Manley from 1998, then the Minister of Industry: Canada's Cryptography Policy [ic.gc.ca]

      The Canadian government's cryptography website: Cryptography/Cryptographie [ic.gc.ca]

      I have somewhat of a stake in Canada's crypto laws, as I've been writting and maintaining a strong cryptography extension for PHP which uses the Crypto++ library. Of course, my code itself contains absolutely no cryptographic code, it just links to the aforementioned library, but still...

      J
    • Germany ... (Score:5, Insightful)

      by 216pi ( 461752 ) on Wednesday July 17, 2002 @12:14PM (#3902825) Homepage
      ... supports [google.com] strong encryption for it's fellow citizens and the industry and I count Germany to the developped countries...
    • Re:And Canada (Score:2, Interesting)

      by ultima ( 3696 )
      If I SSH into a machine in Canada, run Emacs, and write cryptographic code, am I exporting anything/breaking any laws, if it would be export-regulated code, in the US (or maybe in another country?)

      • I think it may be, or at least, IIRC openbsd wasn't willing to do that and risk the interpretation- I think they had someone go from Detroit to Canada to a specifically set up workstation to ensure that the code was thought of as being developed in Canada.

        ostiguy
    • by pyat ( 303115 )
      [www.gov.ie]
      The ECommerce Act
      in Ireland approaches it as follows:
      "...the Act provides for a court order to be issued requiring a person to disclose the encrypted evidence in a plain-text form. However, section 27 of the Act specifically provides that nothing in the Act shall have the effect of requiring the disclosure of unique data such as codes, passwords, algorithms, private cryptographic keys..."
      Not perfect, but I have seen worse. There are also expressions that people are entitled to use the strongest available forms of encryption, and should be encouraged to do so
  • by Anonymous Coward
    "www.citizencorps.gov is a site that uses encryption to protect transmitted information. However, Netscape does not recognize the authority who signed its Certificate."
  • by Mr Guy ( 547690 ) on Wednesday July 17, 2002 @11:27AM (#3902367) Journal
    Because last time I checked, we STILL can't export the good stuff to them anyway. Or post the source. Or talk about it too loud.
  • by mesozoic ( 134277 ) on Wednesday July 17, 2002 @11:27AM (#3902368)
    The author makes a very good point: whether we have the freedom to use crypto or not, crypto software itself hasn't come very far in the past few years.

    So what can we do about it? Could Peek-a-Booty or the Six/Four protocol be used as springboards into more user-friendly crypto applications? Are there any other free/OSS projects to bring crypto to the masses? (Because God knows your average user couldn't figure out PGP or GPG if his life depended on it.)
  • Someone correct me if I'm wrong but I haven't seen too many people argueing the other side of the coin. That is the big argument for restricting crypto is that "the terrorists" (tm) will use it to communicate with each other. Are we arguing that the "the terrorists" (tm) could be hacking into communication networks and gaining vital information from everyday conversation? It seems just as plasable. And governments that are so scared of technology might actually buy it. We could see people in power start to advocate the encryption of all communications!

    Probably just wishful thinking but I'd love to see it tried.
    • by Ubi_UK ( 451829 ) on Wednesday July 17, 2002 @11:34AM (#3902448)
      You are completely missing the point

      'The terrorists' are the guys that have the finance to develop and use illegal-level encryption (it's not really the biggest crime they'll commit). Same goes for other big time criminals. They have more to lose with low encryption (which the police can read) than high encryption (which wiull just give them a $20 fine)

      Only small-time criminals with no resources and normal citicens will be forced to downgrade their encryption, making it easy for big brother to read their email....
      • I really don't think most law makers are interested in spying on people (call me naive, whatever, no one has given a really good answer why they would want to at least in a Democracy). I think law makers are interested in money and votes, and if the public is crying "Save us from the evil hacker terrorists" the law makers are going to at least try to appear to be giving the public what they want. In this case in many governments its regulation of encryption.

        The lawmakers don't understand the technology so if someone gives them a case where restricting encryption actually benefits the "evil hacker terrorists" by being able to spy on us because we all have weak encryption. (and yes regulation or not the terrorist's encryption will be just fine)

        Its a case of playing the same game the lawmakers do, it doesn't really have to do with what the terrorists can get their hands on.
    • > Someone correct me if I'm wrong but I haven't seen too many people argueing the other side of the coin. That is the big argument for restricting crypto is that "the terrorists" (tm) will use it to communicate with each other.

      Fair enough, and yeah, they could be.

      > Are we arguing that the "the terrorists" (tm) could be hacking into communication networks and gaining vital information from everyday conversation? It seems just as plasable.

      I'm not sure if anyone's argued that. Personally, I'd find that argument pretty far-fetched.

      We're talking about guys who use the Journal of Irreproducible Results (a source of "science geek humor") as a source for their nuclear weapons plans.

      We're talking about guys who can't seem to figure out that soggy fuses in shoes won't light reliably. (Thankfully.)

      We're talking about guys whose only successful operation above the level of truck-bombing was to steal a piece of 20th-century technology (jet aircraft turned into flying bomb) using 11th-century technology (knives and physical intimidation) and the knowledge that up to September 10, 2001, passengers had been trained to cooperate with hijackers in the hope of eventual release.

      So no, I don't think Al-Queda is capable of intercepting useful communications from US citizens.

      And furthermore, given NSA's public statements on their difficulty in dealing with the deluge of data they intercept -- it's pretty obvious that "the terrorists" (or even terrorist states) lack the technology to use such information, even if they had a live stream of every byte passing through MAE-East.

      While it's never wise to underestimate one's enemy, and while securing government, military, or corporate communication systems (whether you suspect terrorist monitoring thereof or not!) is a Good Thing, it seems pretty obvious to me that our enemies simply aren't capable of intercepting much .gov, .mil, or .com traffic, let alone Joe and Jane Sixpack or Slashdotter's. Encrypting your emails doesn't secure 'em against the terrorists, because the terrorists aren't intercepting your unencrypted mails.

      A high-tech war in which everyone needs secure comms could be kinda fun. But it's not the kind of war we're fighting today. (Maybe in 50+ years when nanotech takes off, and microscopic self-replicating listening devices become ubiquitous, and maybe against a nation with enough nanotech designers to make it interesting. But not today, and not against this enemy.)

  • This [bbc.co.uk] about sums it up for the UK.

    We`re all doomed!!! doomed i tells ya!!
  • Irony? (Score:3, Insightful)

    by w.p.richardson ( 218394 ) on Wednesday July 17, 2002 @11:28AM (#3902387) Homepage
    What is the irony of encryption being allowed in the US? After all, the US is a free country.

    It may not be free beer (no EU-style social safety net), but you have all the opportunity that you can make for yourself.

    • After all, the US is a free country.
      That depends on your definition. Some people might say that the opposite of being free is being in prison. The US has the highest incarceration rate [sentencingproject.org] in the world. Here are some of the numbers (all per 100.000 inhabitants)
      USA: 699
      Russia: 644
      UK: 125
      Germany: 95
      Japan: 40

      Do you believe in death after life?

  • by jc42 ( 318812 ) on Wednesday July 17, 2002 @11:31AM (#3902415) Homepage Journal
    The main way that most people use encryption is when they order something from a web site, and the traffic is encrypted to protect credit-card numbers. I've been wondering how well the various restrictive governments police this.

    Consider that most users aren't even really aware that they are encrypting their internet traffic. It's done by behind-the-scene transactions between their browser and the remote web site. The user never invokes any encryption software, and never sees the keys.

    Will we eventually see cases where a poor baffled user is arrested and charged with illegal encryption, when what they really did was order a pair of socks from llbean.com?

    • Will we eventually see cases where a poor baffled user is arrested and charged with illegal encryption, when what they really did was order a pair of socks from llbean.com?

      I seriously doubt it, because that form of encryption is mostly illusory. The government can read/MitM that traffic anyway, so why bother arresting anyone over it?

      Web crypto's transparency is the very weakness that keeps it from being a threat to the government. The user doesn't do anything to verify public keys. At best, they might know whether it has been signed by some "certificate authority" who happens to be some faceless corporation whose integrity (or lack thereof) is a complete mystery. And most users don't even know that much, or what all the built-in assumptions in the system are.

      Web crypto is a joke. There's no reason to arrest someone for using it. I kind of doubt that any sort of transparent crypto that doesn't need at least some user attention, will be worth worrying about, because it'll be too easy to MitM.

      Zimmerman had the right attitude (paranoia) about MitM attacks, and that's why PGP/GPG is so cool. Now there's something for government to worry about.

    • Will we eventually see cases where a poor baffled user is arrested and charged with illegal encryption, when what they really did was order a pair of socks from llbean.com?

      Probably, but it'll because they want the user for something else.

      People always get the local governments they deserve.
      E.E. "Doc" Smith

      What does this kind of crypto law say about the residents of the EU?

    • Since the major use of cryptography is to prevent crimes, mabye they're afraid of the competition.

      I know that sounds like a troll, but think about it this way;
      It's usually the job of the police, to investigate crimes, not prevent them.
      Cryptography makes the job of investigating more difficult.
      So the police are constantly hampered by encryption.
      Cryptography also makes theft of information more difficult, but how do you measure that?
      You don't call the FBI every time someone doesn't steal your credit card, and say "good job, thanks".

      If there was a government body charged with protecting the public from criminals,
      instead of catching and punishing criminals, then cryptography would be as mainstream as locks.

      -- this is not a .sig
  • by perlyking ( 198166 ) on Wednesday July 17, 2002 @11:31AM (#3902419) Homepage
    ....when you are being detained as part of the "war on terror" without trial and denied legal counsel.

    But yeah there are bad encryption laws in other places like here in the UK. Its worrying.
  • When you outlaw encryption, only the outlaws will have encryption...
    • Again, I point out that the government would make everyone outlaws if they could. This gives them the power to do things that they otherwise couldn't. They watch you and if you are dangerous they can FIND something to pin you for.
  • by jaymzter ( 452402 )
    I know the general Slashdot response is going to be how we are being oppressed, and that's my first reaction also. There is another side however. What these supposedly democratic countries are facing is the ugly truth about all such governments: they play by a set of rules while the other side is completely unfettered. With Western Europe's recent history of terrorist groups such as Action Direct and the Red Brigade, I think it's clear that they have serious obstacles to face when dealing with the current technologically adept terrorists. The fact is, since they are hindered by the "rights" that they do let us keep, we have to expect them to try something to protect us. We can be outraged, but do we have another method they can use? Creating a repository of keys is to me a desperate act, not just a simple power grab. The real question is how far behind the curve are these intelligence types when dealing with Internet enabled terrorists? All I'm saying is that I think this sucks, but it isn't necessarily a power grab to create a society based on "1984".
    • by gmack ( 197796 ) <[gmack] [at] [innerfire.net]> on Wednesday July 17, 2002 @11:44AM (#3902551) Homepage Journal
      Lets think about that logically for a second...

      What exactly makes you think criminals and terrorists are going to hand over thier keys for escrow?

      I don't think this is an invasion of privacy so much as a complete waste of money and a source of unneeded complexity.

    • Yeah and suppose when crypto restrictions get imposed the terrorists will stop using crypto because it is now illegal.

      This is an argument most governments do or will try to use in order to spy on their citizens and it is completely bogus.
    • All I'm saying is that I think this sucks, but it isn't necessarily a power grab to create a society based on "1984".

      I suggest getting up to speed on current events. The goal of the terrorists with respect to what they want our societies to look like has a lot in common with the goals of our "democratically" elected officials.

      America already has imprisonment without trial, the reason why our crypto is still unregulated enough to be useful is that even our boneheads have figured out that without encryption, e-commerce is impossible, and that could cost a lot of their campaign contributors a lot of money.

      I can see a day coming very soon where I won't be making statements like this publically because of a reasonable fear of "disappearing".

      We can be outraged, but do we have another method they can use?

      We don't have to in order to demostrate that the authorities want to take our civil liberties in exchange for even more insecurity than we had to begin with.

      The only use a central repository of database keys for a government is to give the government a tool with which its honest citizens can be attacked and another charge to hang on a suspected terrorist, as if conspiracy to commit murder, etc. isn't enough.

  • by MemRaven ( 39601 ) <kirk@noSPam.kirkwylie.com> on Wednesday July 17, 2002 @11:40AM (#3902508)
    Something that I think people should bear in mind in the article is that the tradition of Freedom allowed in countries which are currently making moves to restrict cryptographic freedoms is much lower than in the US, either with the consent of the governed or without. For example, while the author points to places like Burma and Russia as Bad Places that have serious cryptography restrictions, it also points out that places like France, the UK, the Netherlands, and South Africa also are looking at them, and after all, they don't seem like they have horrible military regimes, so what gives?

    Well, those countries don't have a history of providing their citizens with the almost absurd levels that the US does. In Britain, you don't have nearly the same rights that you do in the US, and while the Netherlands is a socially permissive country in many respects, it's also very tough on law and order for those things that it deems are social problems (just because in Amsterdam you can buy pot and sex doesn't mean you can kill someone in Utrecht). And South Africa has hardly had any history whatsoever of having solid personal freedoms. So while you can look at the problem pragmatically ("the US looked at the issues and realized that they're unworkable"), you can't just look at it from a US-civil-liberties perspective ("no one should be willing to give a government that much power").

    The problem, as the author correctly identifies, is that anything along the lines of key recovery is completely unworkable in practice at all. While it might look nice sitting in a piece of legislation, it's impossible to enforce. Cryptography isn't something like a gun, that's physically manufactured, it's a bunch of mathematical equations (remember the whole RSA on a T-Shirt campaign?). You can't stop the providers of something based on mathematics, and you can't force everybody in teh world to start keeping track of other people's keys, or else they'll just start using "illegal" encryption.

    And that's the real kicker: regardless of whether you want your citizens to have the power to encrypt things such that you can't have acccess to them, you can't stop them in any way. All you do by attempting is instantly incriminating a pretty significant portion of your population to access information that you can still get elsewhere (like keystroke loggers that the FBI uses to get passwords, or search warrants for hardware encryption devices, which are both pretty effective IMHO for key recovery purposes). You can't outlaw mathematics (the whole US issue highlighted that), so you really shouldn't try.

    • Well that all depends on your point of view.
      The UK has far more employment rights than the US has.
      also the right to medical treatment.

      the right to life (no death penality).

      The right to get arrested without being put in handcufs.
      Hell I can even crack a joke with the police if they get stopped, and give them a bit of hastle e.g. Have you got any ID? so long as i don't break any serious law or take the piss to much.

      I can buy tin foil, baking soda, spoons, bongs etc.... without feer of being arrested.

      I can have a open bottle in the car.

      I can cross the road.

      When I was younger I had even more rights, maybe the UK is just trying to catch up with the poor human rights policy in the US.

      • Huh? You need to do a little more reading, I think. Employment rights better? Can a woman be fired for getting pregnant in the UK? Sure. Are you garaunteed medical treatment in the US? You betcha! You can crack a joke with the cops? Whoah! What an amazing "right". You can have an open beer in your car? What another amazing right! Can you be arrested if in a crowd of more than three, just 'cos someone feels "threatened" by you? Of course - that got plowed through years ago. Can the police throw you in jail if you don't give up your crypto key? Even if you don't have it? You bet! Can you buy your beloved beer between 11:30PM and Noon the next day? Generally no. Can you shop for groceries on a sunday? Only if you're lucky. Can you return a VCR to the store for a full refund, just 'cos you think you picked the wrong one. Hey - I'd be glad to hear a factual rebuttal other than turd-headed tripe such as "I can cross the road".
      • Yeah, I don't think I made my point on that particularly well. I think what I was meaning to say is that in terms of freedom from government intrusion in your privacy, the US has it pretty paranoid-leaning. Partially it's a historical thing in the US, partly it's a cultural thing, but we have the most paranoid culture about government intruding on your privacy without your consent that I can imagine. That's what I was really trying to get at.

        Although, I would point out that any nation without an actual constitution or any viable or realistic checks on its Prime Minister can hardly be considered to be a place where you can be guaranteed your rights (as anti-terrorism legistlation passed to try to deal with teh Northern Ireland conflict can attest to).

      • "The UK has far more employment rights than the US has.
        also the right to medical treatment."

        Forcing someone to hire you or keep you employed is not a "right". It's a violation of another persons right not to employ you if they don't want to. Forcing someone to pay for your medical care is not a "right", it's a violation of another persons right not to pay for your medical care.

        The failure to understand that there is no such thing as a "right" to force another person to perform an action that is advantagous to yourself is the reason real rights are being erroded on both sides of the Atlantic.

  • I guess Osama will have no choice but to throw out his OpenBSD CD's now, what with crypto becoming more and more restricted!

    Someone should also let him know that flying planes into building is also a big no-no, so that he will stop doing that too.

  • by 4of12 ( 97621 ) on Wednesday July 17, 2002 @11:47AM (#3902569) Homepage Journal

    It seems to me that more widespread use of encryption enables a lot more benefits than it does drawbacks.

    AFAICT, the big problem is that every control freak organization in the world, be it government or corporate, wants to be the one owning the Certifying Authority for public keys used in private transactions.

    My default install of Mozilla (doesn't practically everyone in the world use default installations, especially for things like IE?) shows a list of Certifying Authorities with names like the names of companies that meter my credit card usage.

    It would be nice if there were an easy way to build up miniature webs of trust and local CA's for individuals and small groups to establish private communication. "A click of a button" easy is what's needed...

    And yes, the same technology that can be used for selling pedophiles kiddie porn and allowing Osama to give remote orders (heh, like he fires up his laptop and satellite uplink in his goatpen!) is also the same technology that would allow dissidents in China to openly discuss and criticize their government.

    • I agree.

      Isn't the whole point of "free speech" nations that you can speak your mind without hinderence. This is what encryption allows but on a global scale. I can say what I want to who I want.

      Now, empower some Certifying Authority and suddenly they control my power of free speech.

    • Well, that doesn't really give you all that much. All a CA is doing is setting up a trust relationship, which is different from a privacy relationship. As an example, imagine we were using public key cryptosystems with no CAs at all, and no PGP-style web of trust.

      In that environment, I can give you my self-signed certificate along with some digital signature over a nonce, and you'll have my public key. As of that point in time, you can be assured that your communications with whoever gave you that certificate will be private, and only the people with the private key corresponding to that certificate will be able to read them. So you have great privacy at that point. The problem is that you can't trust that I am who I said I am when I gave you that certificate. (note that I'm intentionally ignoring MITM attacks here, because those are also trust attacks, not privacy attacks....in a MITM attack, you are privately communicating with someone, just not the person you thought you were).

      All a CA does is say that "we believe that John Smith is the only person in the world that has access to the private key corresponding to the public key in this certificate." They don't have the private key for that person, they don't have any ability to intercept messages, etc.

      The real problem with proliferating CA roots is because certificate chains are all-or-nothing: if Verisign is willing to sign the John Smith CA, then anybody that trusts Verisign will trust ANYTHING that the John Smith CA issues in the future, so Verisign had better be pretty damn sure that the John Smith CA is doing exactly what Verisign would in that case. It's binary, and it lasts for what amounts to forever. So because of that, nobody's willing to allow there to be the One True CA, because that CA wouldn't trust anybody else in the world.

      In my experience, both Microsoft and Mozilla make it right easy to allow certificates from CAs that it hasn't seen before, and make it pretty easy for an administrator to add a CA to your corporate setup, or for a suitably skilled person to do so. But since it's a Big Decision, I'm glad it isn't "click of a button." My mom has NO business trusting a third-party CA for now. She doesn't even know what PKI is.

  • You know, I'm kind of glad encryption hasn't made many inroads for regular communications of casual users. I find it really hard to be on the pro-crypto side of almost anything. (And then there's that USA Today Report [usatoday.com] on using Ebay for posted embedding messages in images...)

    Then again, I've always had an underdeveloped sense of privacy. It's really never been a big concern of mine, security through obscurity (or maybe apathy...if someone wants to know enough to bother to ask I'll probably tell them)
    • My 2 most common uses of encryption:

      SSL: so my credit card info can't be seen by a third party.

      SSH: so my root passwords can't be seen by a third party.

      How can you possibly argue against encryption?

  • by Hornsby ( 63501 ) on Wednesday July 17, 2002 @12:03PM (#3902719) Homepage
    Why should I need crypto when I have palladium to ensure the security of my PC anyway?
  • I encrypt things so that nobody can have access to my ideas without my permission. It is basically the equivalent of having a disk drive put into my brain. The government cannot pry things out of my head, what makes them think that they should have the right to know what I MEAN when I put something down on paper? They have no right to know. The best they can do is convince me to cooperate.
  • by johnlcallaway ( 165670 ) on Wednesday July 17, 2002 @12:18PM (#3902865)
    Am I the only one who really read this, or did I not read it right.

    I saw places where it said "..and the police can order you to hand over your keys" or '..such and such a company has to register with the officials', but nowhere did it say '...you can't use encryption'. (I do agree that the key escrow stuff is very bad though.)

    Just like a gun, ecnryption can be used for good things (hiding my p0rn from my girlfriend), or bad (emailing terrorism plots to agents.) In this country (USA), if the police have enough evidence, they can go to a judge and get a very specific search warrant. So, if they accuse me of having illegal p0rn (instead of just the good stuff), they can search my computer till the cows come home. But if they find a terrorism plot, they can't use that information.

    To follow that point, what is wrong with issuing a search warrant and demanding that I decrypt the data?? I may not like it, especially if I'm guilty or don't want to share my p0rn, but I don't see where that is any different than letting the police go through a drug dealers house looking for drugs. Ok...there is that fifth amendment thing, so maybe a law like that couldn't even be enacted in the US.

    And so what if company X has to register with the government. They probably had to get a business permit anyway, and if they do anything novel they probably have patents. Not too many companies survive by being secret about their existance.

    So...tell me what is all the hub, bub.....
    • If the cops get a search warrant for, say, pot plants in your house, they'll be able to tell pretty easily whether you're growing or not. Step 1: find all the plants; step 2: see if they're pot plants.

      But say they want to look for incriminating digital evidence that you're growing or dealing pot. You can't just decrypt the stuff you want them to see and say, "This is not the encrypted data you're looking for. I can go on my way."

      No, they're going to decrypt everything. This means that while they might not find evidence of pot, they might find something else. And sure, it may not stand up in a court of law ... 3 years, 4 appeals, and 1 bankruptcy later.
    • Okay, so take your statement one step further, that it's okay to register with the government. You're assuming that the government has to permit anyone to register that wants to register. When have you ever known THAT to be the case? Or that if in fact they do have to allow anyone to register, that your paperwork won't get lost for 25 years? The assumption that registration is okay ignores the possibility that it's actually an explicit (or implicit) approval of your ability to provide crypto. Because I can very easily see a scenario where if you're not willing to provide special Clipper Chips with Key Escrow, your registration will be disallowed or take forever to process.

      But then again, what about the open source projects? Who's providing the crypto? Where are they? Does downloading a program hosted on a server in the US from a computer in South Africa make the server provider a company which had to register? What happens if they haven't? What if I'm just distributing source code? You see, even if you say "okay, well, we'll just screw over RSA but we'll all be fine in our Stallman Warm Fuzzy Blankets," you're ignoring the issues involved in registration laws.

  • We all talk about how Osama bin Laden uses 128-bit encyrption, but in actuality, the laptops captured in Afganistan were using the default Windows encryption - lousy 40-bit encryption. Another terrorist used the default encryption on his palmtop, which was quickly enough cracked by the French government. It seem that most terrorists don't know enough to use serious encryption. Now, nothing is going to take serious encyrption out of the hands of geeks, but the default encryption is what matters for most people, and that's what needs to be cracked most the time. Silently turning on strong encryption does not help law and order.
  • by Anonymous Coward
    Does anyone see a quandary with Palladium, encryption and government in general?

    If Palladium is implemented, as everyone expects it will, and encryption becomes standard to the operating system does this not mean that the data on the hard drive is therefore protected from intrusion by outside sources? Would this not be a boon for those looking protect their nefarious purposes from prying eyes? This creates a problem for Microsoft and computer manufacturers in general; How to provide "trustworthy computing" to the general public while resassuring the government that data can be retrieved from hard drives when needed.

    If Microsoft or the Palladium hardware manufacturers build in a "backdoor" for just this purpose, then the idea of trustworthy computing is lost. Who would trust their sensitive data to a compromised system? Hence the quandary.
  • by Anonymous Coward
    Since there are "no crypto restrictions in the US" my MCS professor can teach cryptography again? Last i checked [cr.yp.to] such was not the case.
  • Regulating encryption will do nothing to stop criminals from using it. There is a TON of information on the internet about strong encryption. Anyone with basic programming skills and an understanding of mathematics should be able to implement any of the most popular encryption algorithms.

    Even if you make transmitting encrypted communication illegal, it's not going to stop criminals. Hiding cyphertext is just too easy. For example, take a 16-bit wave file and use the least significant bit of each sample for your cyphertext. Assuming your cyphertext doesn't have any header data, it will be virtually undetectable. The only thing someone might notice is some very low level white noise in the background that could be attributed to anything.

    Similar things can be done with jpegs, mpegs, and a host of other file formats. If government officials had a better understanding of the technology, they wouldn't waste our time with laws that only hurt law abiding citizens and do nothing to curtail crime.

  • Slashdot meetups [meetup.com] are coming up, and they would be a good opportunity for exchanging PGP/GPG keys with some other nerds in your area. And, conversely, a keysigning party is a reasonably good pretense for meeting people.

    If you live near Albuquerque NM USA, please visit my journal.

  • I hope this doesn't descend into a US freedoms versus someone elses freedoms because there is no universal set of freedoms humans need (other than things like food, shelter, air, etc).

    Most everyone understands that there are limitations to freedom. Hell, even a perfect omniscient judiciary couldn't make a totally free society exist (e.g. how to choose between two parties' gripes when both are contradictory? Someone is going to have to lose).

    So governments chose which freedoms are best limited and those that need to be preserved. In the end I think it is all arbitrary. You just have to have some system that allows for a decision to be made. Firearms are legal or they aren't. Nazi Memorabilia is legal or it isn't. The same with encryption.

    Basically you can limit anything people can do without forever. But that goes against what freedom stands for. In the end countries have to make choices. And I doubt that any one (say France's versus the US versus Japan) are better than any other.

    In the end I think it comes down to economic interest. What jobs/corporations/industries does a company need to have strategic overlay in order to survive. Saudi Arabia is concerned about its oil interest and the people who own and work for it, not the nature of the shoe industry in Malasyia. From that point outward the society's policy is formed.
  • This article is just plain wrong. True, a few years ago, France was one of the few country in the world where encryption was illegal, along with Iran, Irak and North Corea. I think that even today you're legally limited to 128-bit encryption, but nobody gives a shit. I think that most legislators never heard about such a thing as encryption, let alone key escrow. Basically no legislator gives a shit about computer security because there are other more important problems, like getting reelected through FUD. France's policy on computer security is simply one long string of oddities, mainly composed of long forgotten fags nobody cares about anymore. It's quite nice actually! No DMCA, multizones DVD players everywhere...

  • Well. Digital Crypto , is for the most part 90% a waste of time for particularly sensitive data.

    Its like the old MasterLock commercials, "Sure you can shoot it with a 308 in the middle and itll hold" but take a $5 pair of bolt cutters to it and its dust. Crypto is the same way, the client computers are the weak link, and as goverments spend more time and effort on Electronic Cypto, assuming it is the preffered route.

    Well quite frankly it makes it EASIER to disseminate information in the plain REAL world, How hard is it to get a warrant to sniff email, In the US you dont even NEED one !!!!.

    BUT let the FEDS TRY to get a warrant to open your snail mail, its damm near impossible.

    Paper and Pen , these are going to be the Crypto tools of the next century.
  • This is yet another point demonstrating the superiority of OSS & FS.

    Closed-sourced-software (CSS) can easily be regulated, because it often has immobile targets of regulation. Companies can't afford to dick around with defying government regulation.

    However, try to regulate OSS / FS. Its not possible. Few things go into OSS / FS that users don't want, and if things go in there that users really don't want, they will eventually be purged (either by a fork, or by users individually who simply delete the offending lines of source code).

    Part of the reason OSS / FS is not regulable is because you can't control what users do with it once they get it. A user gets OSS / FS software, and it can include all the DRM and spyware in the world -- doesn't matter if the user doesn't want it; the user can simply delete the offending lines of code, do a little bit of work, and recompile, or (s)he can hire someone else do to do that. It only takes one person to do this and then offer the modifications to the public -- possibly anonymously -- for the offending code to be removed from nearly every install. [it should be noted that this has even occured for CSS (refer to Kazaa, which includes virus', spyware, and adware, all of which were removed in KazaaLite)].

    The other reason why OSS / FS can't be regulated is because of its very nature. How do you regulate something for which no one makes any profits, no one need reveal their identity to contribute to, and which is free as in freedom (and usually free as in beer)? You can't. Not effectively anyways. Sure, the government can drag its heels, but there is no effective way to regulate OSS / FS -- not even for an authoritarian state like China. Every move that is made attempting to regulate OSS / FS can easily be countered and alluded by OSS / FS devlopers.

    Demand that no one release crytpo software w/o a gov't backdoor, the penalty being multi-million dollar fines and long jail time? Works great on all CSS and businesses. They'll be scared shitless; their execs and programmers too. Doesn't work at all on OSS / FS developers. They simply start developing and posting anonymously, possibly post from a server in another country, possibly move to another country, or publish the code from a public terminal.

    This is not to say the government can't be an inconvenience. Taking special steps to post anonymously or posting from a public terminal is a nuisance, as would be (obviously) hosting software on a server outside one's own nation or moving to another nation. Obviously, we should work to make OSS / FS as unregulatable as possible. The CBGTA should not be allowed to in any way touch OSS / FS.

    Obviously, one major key to making sure government regulations don't hinder OSS / FS is anonymosity. The government cannot regulate what it can't see. Regulation relies on having a target to be regulated -- i.e., the poster of the code. If one can't see that target, one can't effectively regulate. Another key is distribution. Even if the government can't regulate the developers themselves, it can target the servers they use to post their code to the world, taking it down. The way to deal with this is obviously mirrors, as well as working on distribution through P2P.
  • Yeah, the laws have softened in the U.S. yet no Linux distribution (other than ones originating from outside the country) will ship with an IPsec implementation pre-installed.

    There is still alot of fear that this softening of restictions will eventually rebound.

    SUPPORTING INFORMATION
    ----------------------
    Here is a list of some distributions that do include IPsec and their country of origin:
    SuSE Linux (Germany)
    Conectiva (Brazil)
    Mandrake (France)
    Best Linux (Finland)
    Polish(ed) Linux Distribution (Poland)

An adequate bootstrap is a contradiction in terms.

Working...