I wish Cryptome would not redistribute my Zfone software. This morning I had to upload a new version due to a last minute mistake we made before the release, and Cryptome probably got the uncorrected version. This is beta software in flux, rapidly changing with new updates likely, especially shortly after it hits when we discover early problems. Further, I've just added critical warnings to my web site about how to do the installation for Windows, and if someone grabs the software and posts it somewhere e
Although the US has ended most of their export controls for crypto software, there are still some reasonable export controls in place, namely, to prevent the software from being exported to a few embargoed nations, such as North Korea, Iran, Libya, Syria, and Sudan. And for commercial encryption software that you actually pay for (not this free public beta), there are now requirements to check customers against government watch lists as well, which is something that companies such as PGP comply with these days. PGP Corp volunteered to host the public beta software on their server, with all the appropriate checks in place. That's why you have to register, to make sure you are not in an embargoed country, to keep me in compliance with U.S. export laws. Been there, done that. -Philip Zimmermann
> And for commercial encryption software that you actually pay for (not this free public beta), there are now requirements to check customers against government watch lists as well, which is something that companies such as PGP comply with these days.
How do you go about that? Suppose I were to set up a small business reselling GPG or something similar. Does the government simply hand me a copy of the watch list and let me do the checking myself? Or must I pass along the names of all my customers to them for
Of course some of the entries are obviously from gathered intelligence. I recall having to block anyone called "The Chess Player" from signing up. Unfortunately most websites don't gather date of birth, and when you do name-only matching you catch a lot of innocent people - who are usually mightily pissed off about having to call EVERY SINGLE SITE that they try to sign up for.
The other big caveat is what you're supposed to do when you find a match - it's virtually impossible to stop them just changing their details and signing up again.
The OFAC list is seriously fscked as it is orientated purely around Latin representations of names. From many languages (i.e., Arabic, Cyrillic) there are multiple Latin transliterations. The data is usually of dubious provenance and there may be discrepancies between the same entity listed in two different places.
Our legal department insisted that we remove embargoed countries from the dropdown on the sign-up form. So you couldn't possibly choose Iraq, Iran, Afghanistan (at the time) etc...
As a result, when Osama signs up for an account, he'd have to lie about the country he was in which would make it even harder to find him.
We have to capture the country even if it is sanctioned because I'm in banking and we keep everything for a period of time whether or not we enter into a relationship.
I've often wondered about those click-wraps for downloads. The first time I remember seeing them was when downloading Cisco images. While I don't have any contact with folks from those nations it seems to me that a simple click-to-download wrapper would do exactly nothing to stop them from getting the crypto. Anyone know if there are other things in play (watermarking, etc.) that hold people to this requirement? Is it still all just a magic dream that these nations don't have the same access to security
Theoretically this provides information to law abiding foreigners that they would be breaking the law if they get that crypto. Because legally they would then have to commit fraud to download it from the site (falsify info). I guess in theory this would give the gov't a bigger stick. Nothing like filling the internet with opportunities for self incrimination. Despotic governments like making laws that make it virtually impossible for the average citizen to live out their day without breaking some law.
Mr. Zimmermann, the registration page that is being referred to only asks for your email address, thus your argument is invalid in this case.
http://www.philzimmermann.com/EN/zfone/index-registration.html
So why do you require registration?
> Mr. Zimmermann, the registration page that is being referred to only asks for your email
> address, thus your argument is invalid in this case. So why do you require registration?
I told you why already. The wording of your posting implies you don't believe me. If you need more convincing, go to my Zfone FAQ page (http://philzimmermann.com/EN/zfone/index-faq.html) where I address this particular question in great detail. If you still don't believe me after reading that, you are welcome to not use t
> If you need more convincing, go to my Zfone FAQ page (http://philzimmermann.com/EN/zfone/index-faq.html) where I address this particular question in great detail.
From TFL:
The Zfone registration page checks your IP address against the list of embargoed countries, then emails you a link that you must click on to start your download, and checks your IP address again when you follow that link, which presumably means you did not receive your email in an embargoed country, and that the download itself did not go to an embargoed country. It shows we made our best efforts to comply with U.S. export laws.
You're going to a lot of trouble for just about no gain at all. This system can and probably does not in any substantive way impede anyone from a blacklisted nation from downloading the software. It only alienates people who are casually interested, i.e. your main user base.
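The two-step flow the FAQ excerpt describes (country check at registration, a link sent by email, the same check again when the link is followed) can be sketched in a few dozen lines. The code below is an added illustration written for this page, not Zfone's or PGP Corp's code; the CIDR-to-country table is a constructed stand-in for a real geolocation database, and the signed-token format and 24-hour validity window are assumptions, not anything the FAQ states.

```python
import hashlib
import hmac
import ipaddress
import secrets
import time

# Constructed sample geolocation table (CIDR -> ISO country code). Not real data:
# a production system would query a maintained IP geolocation database here.
GEO_TABLE = {
    "198.51.100.0/24": "US",
    "203.0.113.0/24": "DE",
    "192.0.2.0/24": "KP",   # constructed: stands in for an embargoed country's range
}

# The embargoed countries named in the thread: North Korea, Iran, Libya, Syria, Sudan.
EMBARGOED = {"KP", "IR", "LY", "SY", "SD"}

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret (assumed, not from the FAQ)
TOKEN_TTL = 24 * 3600                  # assumed link lifetime in seconds


def country_for_ip(ip):
    """Map an address to a country code via the sample table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    for cidr, cc in GEO_TABLE.items():
        if addr in ipaddress.ip_network(cidr):
            return cc
    return None


def ip_allowed(ip):
    """An address passes only if it resolves to a country that is not embargoed.
    Unknown addresses fail closed: 'best effort' means not serving what you
    cannot place."""
    cc = country_for_ip(ip)
    return cc is not None and cc not in EMBARGOED


def make_token(email, now=None):
    """Build the emailed link token: email|timestamp|HMAC-SHA256 over both."""
    now = int(now if now is not None else time.time())
    msg = f"{email}|{now}".encode()
    mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{email}|{now}|{mac}"


def verify_token(token, now=None):
    """Return the email bound to a valid, unexpired token, else None."""
    try:
        email, ts, mac = token.rsplit("|", 2)
        ts = int(ts)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, f"{email}|{ts}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    now = int(now if now is not None else time.time())
    if now - ts > TOKEN_TTL:
        return None
    return email


def register(email, client_ip, now=None):
    """Step 1: the registration form. First IP check; returns the token that
    would be embedded in the emailed link, or None if the request is refused."""
    if not ip_allowed(client_ip):
        return None
    return make_token(email, now)


def download(token, client_ip, now=None):
    """Step 2: the link is followed. Second IP check before the file is served;
    returns a descriptor for the download or None."""
    email = verify_token(token, now)
    if email is None or not ip_allowed(client_ip):
        return None
    return f"zfone-beta.bin for {email}"


if __name__ == "__main__":
    link = register("user@example.com", "198.51.100.7")
    print("registration:", "link issued" if link else "refused")
    print("download:", download(link, "198.51.100.7"))
    print("download from embargoed range:", download(link, "192.0.2.5"))
```

The second check is what gives the scheme whatever force it has: a link forwarded to an address in an embargoed range is refused even though registration succeeded. Signing the token rather than storing it lets the download server verify a link without a database, but it also means a token cannot be revoked before it expires; a system that needs revocation (or that must not carry the email address in the URL) would issue an opaque random identifier and keep the binding server-side. None of this does more than the thread's critics say it does: a proxy or VPN in a permitted country passes both checks, so the value of the design is demonstrable best-effort compliance rather than actual prevention.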
I can understand your situation. You're in a country where it is effectively illegal to publish online any piece of software that contains even the most basic of encryption algorithms. The situation is of course ludicrous, as such algorithms have long been in the public domain, at least as far as knowledge is concerned.
The purpose of the law of course, is not to prevent the export of encryption to foreign countries. They already have these algorithms. Nor is it to prevent access to the terrorist bogeyman. They either don't use it, or can easily get access to encryption.
No. The purpose of the law is to hang the sword of Damocles over the head of anyone who wants to bring safe and secure communication to the masses. The government doesn't want the masses to encrypt their traffic, and they use this law to impede the distribution of your software and others like it.
I think you need to give up the ghost here. If your government wants to shut you down, they will; regardless of how much you try to comply with export restrictions it will never be good enough. I think you need to stop playing by rules where you can't possibly win and simply go all out in an effort to get as many people using Zfone as possible. All out. Unrestricted downloads, ease of use, ad campaign, browser plugins, whatever. Just do anything to get as many people using encrypted VOIP as you possibly can, because until then, your software will remain on the fringe where it's easier to shut down.
If everyone and the Senator's daughter is using secure VOIP, it's only then that people will realise they have something to lose, and you'll have a better defense. Before that everyone who uses SVOIP is "aiding terrorism", not protecting people's privacy. Until Aunt Tillie is using your software, this angle can and will be played. You should do everything to get her onside ASAP.
To get this done you need to get Skype to use encryption. I have no idea if they do (so spare me the ranting about that), but if Skype would implement encryption then everyone will follow. The average Joes don't care if their VOIP or regular phone is encrypted or not... they don't even know that this can be done... for them, all they know about tapping is from movies...
Just wanted to say thank you for the reply Phil. I knew in no small part due to your efforts, the U.S. lifted export restrictions on cryptographic tools. I had forgotten that certain countries remain on the watchlist, though. That said, I think with the current administration, many U.S. citizens feel uneasy about giving out their personal info for this sort of software. As the government becomes more aggressive in its surveillance of the public, lists like these will become suspect and possibly get added
You may want to do a little history check concerning the original release of PGP by Philip Zimmermann, and the charge the NSA made of "arms dealing". I think you will understand this precaution.
After thinking about this some more... Given that you can download any number of free software programs that contain encryption technology from U.S. servers, without registration, Phil's rationale is itself somewhat paranoid.
For a good example: Firefox links against libssl. Firefox would have been illegal to export in the early 90s when PGP was just starting to become available. Now it (mostly) isn't.
According to Phil, it is illegal to export it to Iran & friends. If that's the case, why doesn't Firef
Cryptome (Score:2, Informative)
http://cryptome.org/zfone-agree.htm
Re:Cryptome (Score:5, Informative)
Re:Cryptome (Score:5, Insightful)
For better or worse, people interested in this type of technology also have a vested interest in anonymity.
Re:Cryptome (Score:2)
I did what I do for almost *every* site that requires registration:
- used fake user data
- used a one time throw-away email account
- moved on
Maybe I don't see the problem because this is just SOP for me...
Re:Cryptome (Score:5, Informative)
Interesting... how does that work? (Score:3, Interesting)
They give you the list (Score:4, Informative)
http://www.treas.gov/offices/enforcement/ofac/sdn
Re:They give you the list (Score:3, Insightful)
Another glaring ommission (Score:2)
Re:Another glaring ommission (Score:2)
Re:Cryptome (Score:2)
Re:Cryptome (Score:3, Interesting)
Re:Cryptome (Score:3, Informative)
Misplaced paranoia (Score:2, Informative)
Re:Misplaced paranoia (Score:2)
Re:Misplaced paranoia (Score:4, Insightful)
Re:Misplaced paranoia (Score:1)
Re:Cryptome (Score:1)
Re:Cryptome (Score:1, Informative)
Re:Cryptome (Score:1)