Still Can't Export Open-Source Crypto
The New York Times today reports that the Easing on Software Exports Has Limits. (Free reg. required.)
Turns out the administration's recent change of heart on crypto specifically excludes open-source software. "When it comes to source code ... 'nothing has changed.'"
Re:Another complete waste of time (Score:1)
I'm 6294 (Score:1)
Re:Use SuSE instead... (Score:1)
Sure. But it does not make me happier - I still think their Yast licence is a BadThing(TM).
>And for instance makes happier Software companies
> in Europe: the crypto laws of USA were a godsend
No, it does not. Closed-source is OK now, so European companies lose anyway. Except maybe for SuSE and similar.
>But anyway I downloaded ssh from a server in Finland, and I'll continue to download from it.
Sure, I download it too, but I would prefer to have a better integration with "strong cryptography" in the "core" package.
IANAL (Score:1)
Re:A few points (Score:1)
JAVA is almost it, but I don't think there's exactly a 1 to 1 correspondence between each line of source code and each line in the object file. An old BASIC like on the Commodore 64 is a lot closer. The programs ran exactly as you input them, the interpreter didn't try to exploit any techniques for efficiency.
If JAVA fits the bill then we're already there. If the
Link? (Score:1)
It's already possible (Score:1)
You can even have a nifty letter sent to the president on your behalf, if you want to make your voice even louder.
And always remember... writing a real letter to your congresscritters never hurts matters. They're worth more than email.
I'm number 6293 on the list at http://online.offshore.com.ai/arms-trafficker/kno
Re:Question: (Score:1)
As it happens, it's irrelevant because another responder pointed out that this tactic would still be illegal.
Cheers,
Perrin.
Politicians (Score:1)
"We practice selective annihilation of mayors
and government officials
for example to create a vacuum
Then we fill that vacuum"
Once all the politicians were gone, then maybe we could replace them with people who actually have clues...?
Cheers,
Perrin.
Legacy private networks safe? (Score:1)
Re:outlawing math (Score:1)
What the hell...if the state legislature in Tennessee can decide to make pi = 22/7 by just saying so, what's to stop Congresscritters?
Re:Why (Score:1)
I'm a Yank and my clueless government irritates me no end -- around here, only the relatively wealthy and vacuous can withstand the death march of running for election. It's why I've given up on our two-party system and voted Libertarian the last decade or so.
More to the point, what happens if somebody abroad creates really bitchin' encryption and posts the source code on a non-US site? Does this provide a workaround to the idiotic munitions-export rule? If so, maybe somebody needs to tutor somebody via pseudocode.
Re:Can't get to link (Score:1)
--
Re:Something new (Score:1)
*This depends upon the notion that it doesn't count as an "export" when John Smith in the UK can download a file from an ftp server in Europe by clicking on a link provided by a US web server.
Consciousness is not what it thinks it is
Thought exists only as an abstraction
Re:IANAL (Score:1)
It is only closed proprietary systems like Windows which *need* special APIs for software components to interoperate.
Consciousness is not what it thinks it is
Thought exists only as an abstraction
Re:Why (Score:1)
Why? Because:
(1) The US government is entirely controlled by big business which doesn't give a flying fuck about individual liberties; and
(2) Individuals - including Slashdot readers - are too comfortable to get off their asses and demonstrate or even to pick up pen and paper and write to their representative.
Your Constitution is like everything else in the world that is worthwhile and that had to be fought for: USE it... or LOSE it.
If you're thinking it's none of my goddamned Brit business, think again. The whole "democratic" world still, rightly or wrongly, looks to the US for a lead. And whatever you guys let your government get away with, they are bound to try over here. Finally, if a constitution is as important as you Yanks say it is, then how can we Brits (and other Euros) possibly succeed in keeping our governments in check where you guys have already failed?
Just like the next in line at the slaughterhouse, we look across the pond at what is happening now and we very much fear for our own fate as a result.
Like it or not, the entire free world is today depending on the common American man and woman to rein in their government before these antidemocratic horrors multiply any further.
DAMN the Wassenaar agreement!
Consciousness is not what it thinks it is
Thought exists only as an abstraction
Re:Well... (Score:1)
Well, let's start off with Black Rights movement, because that is one that everyone is familiar with (don't get me wrong here, I think this movement was great, and I fully believe in Civil Disobedience and activism; I also believe that we do need to get these encryption/free speech/freedom of privacy issues resolved).
Rosa Parks was arrested over a seat on a city bus.
The sit-ins in the lunch bars and restaurants were over being able to eat at this or that restaurant.
There are many more examples like this in other movements. Gandhi's first actions for civil rights were down in South Africa. He burned little sheets of paper, and was beaten for it. This is what civil disobedience is about. We want to disseminate text files freely across the net, and we want to protect our personal data, incriminating or no. I also want to be able to have people know that I am indeed sending email as me. I want to know that the email I have just received is from my Girlfriend, or Casey, or anyone else that would send me mail.
The first step to all of this is getting rid of the export laws. There are bigger issues at hand, but what needs to be fought are all the little steps along the way. The first step is to oust the export restrictions. You see, the laws always are complex. What the people want to do is invariably simple but restricted.
Jeff
Re:A few points (Score:1)
Well, you could always use paper copies of diffs. Still annoying, but it would work.
Grumble! Damn NYT again! (Score:1)
Re:Who cares ? (Score:1)
Who cares? Quite frankly, I do.
The US citizens who WANT to (legally) contribute to OSS crypto projects are the ones who suffer here.
Re:So what? (Score:1)
Re:Would this comply with the GPL? (Score:1)
This site can either get the source directly if development is not US, or through printed copies if necessary.
I'm not sure what the legal status of a US company maintaining a non-US site for the distribution of crypto would be. I suspect that isn't allowed. But could funding be given to a third party?
I'm also not sure what the GPL allows for third-party source distribution. Does the binary distributor have to be the one actually handling the source distribution, or is it sufficient for the source to be freely available?
thejeff
Re:Clueless (Score:1)
In actuality, the government is a collection of individuals, and all of them are grinding their own axe. This results in an apparent collective goal of the government that doesn't match the stated goals. (Only some of the folk in government have those goals).
There is no central control, but there are many attempting to be the central controller, or at least to act as if they were one within an area. This is the inevitable result of allowing the executive arm to use delegated agents. Eventually, unless other matters intervene, one of these groups will destabilize the government, and then we'll need to build a new one. Pray, pray hard, that it doesn't happen soon.
Re:Something new (Score:1)
Huh... (Score:1)
No source = No programs (Score:1)
Can't get to link (Score:1)
Re:Why (Score:1)
Re:Question: (Score:1)
Re:True goal: prevent crypto proliferation in the (Score:1)
So why do they insist on export controls? It's plain: to slow down crypto proliferation inside the US. The major email programs still don't include seamless crypto integration.
Even for non-open-source software, I found that certain packages with so-called strong crypto can be downloaded from countries like China and Russia.
The current policy of the US government affects mostly large-scale companies like MS. So they want to strike a balance by giving a new hand to open source.
Re:A few points (Score:1)
Re:A few points (Score:1)
I mean, that's an intermediary tokenised format, you don't have to use a JIT compiler on it... and you can mangle the symbol names (maybe not removing the idea of symbol names entirely, but as good as)...
If there's one thing it *would* achieve, it'd possibly help introducing the government to the concept of "brain" - they really need to stop talking bureaucratic crap and to produce laws that actually talk about the technology in the correct terminology, for starters. Half the problem at the moment is that legalese is not slashdot-speak, I think.
Re:A few points (Score:1)
The object file doesn't have 'lines'... it's tokenised, binary.
It's a two-stage thing: you write in java, which obviously looks similar to C++ source, to the not-well-trained eye. At least it's plain text at this stage.
Then you compile it into some messy looking
The machine (JVM) itself reads this binary stuff and interprets it - binary encoding of token by binary encoding of token. So there's a fairly simple mapping between the instructions you gave and the things the interpreter phase of it does.
So
Is that good enough?
Re:Source code? (Score:1)
Actually there are differences. Unless you have a linker's
Maybe it comes from the other end: if someone's written it, then it *is* source code. The choice of language doesn't really define source or not?
Re:Another complete waste of time (Score:1)
The Danish government is on the brink of throwing out their newly acquired NT system because the NSA has 16 bits of the 56 bits they use for encrypting emails, making it *very* easy to decrypt sensitive internal mail. This is a serious threat to national security.
Therefore the
If I were a crypto company or Theo De Raadt, I'd move to Finland or Switzerland which, I believe, are the two most independent and unencumbered countries in Europe. Neither are members of the EU or NATO (not 100% sure about
Re:Clueless (Score:1)
Re:Would this comply with the GPL? (Score:1)
So what's the problem?
Customer downloads binaries, desires source, contacts distributor and purchases printed copy of source. No problem... the GPL allows for charging media and distribution costs.
Re:A few points (Score:1)
I don't believe the govt will go after books any time soon. They are already running scared on the crypto issue, because they can see the defeat of restrictions entirely.
I don't think we'll ever see any attempt at controlling export of books.
Unless, of course, it's child porn.
Re:A few points (Score:1)
Re:Well... (Score:1)
Re:It's already possible (Score:1)
642, myself.
You should see the looks I get when I tell people I'm a registered arms dealer. That alone makes it all worthwhile. Three years, and I still haven't been arrested. Darn.
But the more, the merrier. Anyone got some spare Stinger missiles?
James - I really should get the t-shirt
Re:Why (Score:1)
Re:Would this comply with the GPL? (Score:1)
A few weeks ago when OpenBSD announced its method of solving this problem, as best they could, some users on my LUG began talking about (if I understood correctly) emulating OpenBSD's approach [openbsd.org] (except non-US citizens must do it). Thank Daily Daemon News [daemonnews.org] for covering that tidbit.
Re:Bernstein will save us (Score:1)
The decision matrix on this is interesting. Will the USgovt wait until years have passed and the USSC has ruled, and then bring charges? How many juries will convict given the Defense pointing out that the Defendant was acting in accord with the law as decided both in Court and on appeal?
On the other hand, the USgovt could move for an injunction. That would take a lot of confidence to go before a judge and try to explain that irreparable harm would be done by exporting a copy of source code that originated on a non-US server and will continue to be on that server no matter the Court's decision. The whole proceeding would be a Heaven-sent opportunity to lampoon all of the nonsense arguments in front of someone whose very job description requires filtering through BS.
[earthworm jim]
Better than pro wrestling!
[/earthworm jim]
Re:Clueless (Score:1)
I believe that there was a case that specifically decided that electronic communications over the 'net were just as protected by the first amendment as dead tree communications.
Therefore, I would think, renaming your .c source files to .txt is just as legal as printing it out and mailing it.
Re:Source code? (Score:1)
Then would "compiling perl to C" and distributing that be allowed?
Re:Would this comply with the GPL? (Score:1)
Jeroen Nijhof
Dumbness (Score:1)
Who cares ? (Score:1)
Like the US had some kind of monopoly on crypto research... this is not sad, this is ridiculous and stupid. But that keeps US crypto industries off our markets
Re:Question... (Score:1)
Re:Why (Score:1)
Re:Why (Score:1)
You should be so lucky; if you were a province of the United States, you'd have enumerated (constitutional) rights. As it is, you don't.
not so simple (Score:1)
Re:A few points (Score:1)
again. You can publish the output from diff.
Ironic (Score:1)
There are several projects that have developed strong crypto without contravening the US laws (to the extent that Opera has 128-bit encryption).
There is an Australian project that reproduced the strong crypto without reference to the US and that, I believe, was open source.
What makes things really bad though, is that the US developers are scared off from using this in case they are sued for selling strong crypto.
Mozilla took this decision for a number of reasons, even though they knew there was a 128-bit engine that was non-US based.
This sort of thing will hinder the US development projects.
Re:Question: (Score:1)
You haven't looked (Score:1)
US Red Hat mirrors lately, have you?
Re:Another complete waste of time (Score:1)
That sounds surprising -- I thought most Scandinavian countries were pretty liberal when it came to personal data privacy and crypto.
Care to elaborate?
Re:Another complete waste of time (Score:1)
As far as I know, Finland is a member of the European Union (EU), but not of NATO, since it is supposed to be a "neutral" country. Switzerland is not a member of the EU or of NATO, since these guys take their neutrality more seriously than anybody else.
Moving to Switzerland may not be such a good idea for Theo & the OpenBSD project: it's very hard to obtain residency and work permits in Switzerland. On the other hand, if a Swiss computer firm was to hire him, getting the necessary authorization & paperwork in order would be much easier (think Linus Torvalds & Transmeta). In any case, this is nothing more than an empty discussion, since Canada has been very friendly so far.
In my opinion, most European countries will end up saying "we don't care" to Janet Reno and adopt strong crypto -- unless the US government just drops the whole crypto regulation idea in the dustbin, where it belongs.
Just my US$ 0.02...
Re:Well... (Score:1)
I agree that the government's policy on encryption export is wrong and unconstitutional, and I agree that something seriously needs to be done about it, but what you are proposing is dangerous to anyone who gets involved. I think that we should instead look to forming some sort of grass roots lobbying effort to try and get Congress to repeal these laws (is there such an entity already in existence?).
Re:Well... (Score:1)
Re:A few points (Score:1)
Anyway, the problem with paper is that every time something changes, you have to print a whole new book. This could become a little time consuming and resource (monetary) intensive.
Though I agree that they shouldn't embellish stories, let's face it, there's nothing to gain for a CSS company giving it to people overseas.
That's my $(2^4*3+1/7%3*2/100)
Would this comply with the GPL? (Score:1)
Did that make sense? I'll clarify if not.
Re:outlawing math (Score:1)
Re:So what? (Score:1)
The only way it's illegal would be for you to design your app where the customer can install the crypto routines AFTER they install your app.
You have to design your app to allow this; it may be less efficient; and the three-letter-agencies (who are behind this gov't policy) are counting on the fact that many if not most of your customers either will be too lazy or ignorant to actually do this.
Re: A few points (Score:2)
These restrictions apply equally to Open Source licenses and non-Open Source licenses. All source code is restricted in an identical fashion, regardless of its licensing. Therefore, it is indeed incorrect to say that Open Source software is specifically targeted.
Re:A few points (Score:2)
Well, if they ban textual publishing this would render the US as a source of cryptography useless. Not that the government would have the foresight to see this of course.
There is a workaround even at this point, but it requires a bit of effort. Create a virtual machine. The characteristics of this virtual machine are that it runs an interpreted tokenized format (which probably isn't human readable) but performs no optimizations. Information on subroutine names and so on must be stored in the tokenized version (even if they aren't directly readable by humans)
The virtual machine doesn't have to run the code efficiently. In fact because of the constraints I've mentioned it wouldn't. But the goal of the virtual machine isn't running cryptographic algorithms anyway. Its job is to enable a program to be transferred 'without source code' across international boundaries. The tokens distributed aren't source code, they're kind of an intermediate machine code, but because of the design of the machine each token can be translated back into a function call or construct such as a for loop or multiplication or a named user defined subroutine.
This would probably be fairly difficult for the government to legislate away without totally disallowing the export of encryption. I wouldn't want to be in the court that tried to define the distinction between source code, object code and compiled code.
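The reversible token format this comment describes (and the earlier comments comparing Java bytecode and Commodore BASIC make the same point), as an added example that is not from the original thread or from any real VM: a tiny stack language with named subroutines, a tokenizer that emits one opcode per statement and keeps every identifier in a name table, a detokenizer that recovers the source line for line, and a non-optimising interpreter that executes the tokens directly. The opcode table, the function names `tokenize`, `_decode`, `detokenize` and `run`, and the sample program are all constructed for this illustration.

```python
import struct

# Constructed token format (not any real VM): one opcode per statement, no
# optimisation, every identifier kept in a name table at the front of the blob.
OPCODES = {"func": 1, "load": 2, "const": 3, "call": 4, "xor": 5, "ret": 6}
MNEMONICS = {code: name for name, code in OPCODES.items()}

# Constructed sample program: main calls xor_bytes(90, 60).
SAMPLE_SOURCE = """\
func xor_bytes a b
  load a
  load b
  xor
  ret
func main
  const 90
  const 60
  call xor_bytes
  ret
"""

def tokenize(source):
    """Encode source text into the binary token stream (name table + body)."""
    names, body = [], bytearray()

    def name_id(name):
        if name not in names:
            names.append(name)
        return names.index(name)

    for parts in (line.split() for line in source.splitlines() if line.strip()):
        op, args = parts[0], parts[1:]
        body.append(OPCODES[op])
        if op == "func":               # function name, then its parameter names
            body += struct.pack(">HB", name_id(args[0]), len(args) - 1)
            body += b"".join(struct.pack(">H", name_id(p)) for p in args[1:])
        elif op in ("load", "call"):   # single identifier operand
            body += struct.pack(">H", name_id(args[0]))
        elif op == "const":            # single signed 32-bit literal
            body += struct.pack(">i", int(args[0]))
    header = struct.pack(">H", len(names)) + b"".join(
        bytes([len(e)]) + e for e in (n.encode() for n in names))
    return header + bytes(body)

def _decode(blob):
    """Yield (mnemonic, operands) pairs; shared by the detokenizer and the VM."""
    (count,), pos, names = struct.unpack_from(">H", blob), 2, []
    for _ in range(count):
        length = blob[pos]
        names.append(blob[pos + 1:pos + 1 + length].decode())
        pos += 1 + length
    while pos < len(blob):
        op, pos = MNEMONICS[blob[pos]], pos + 1
        if op == "func":
            fid, nparams = struct.unpack_from(">HB", blob, pos)
            ids = struct.unpack_from(">%dH" % nparams, blob, pos + 3)
            pos += 3 + 2 * nparams
            yield op, [names[fid]] + [names[i] for i in ids]
        elif op in ("load", "call"):
            yield op, [names[struct.unpack_from(">H", blob, pos)[0]]]
            pos += 2
        elif op == "const":
            yield op, [str(struct.unpack_from(">i", blob, pos)[0])]
            pos += 4
        else:
            yield op, []

def detokenize(blob):
    """Recover readable source: every token is exactly one statement again."""
    lines = []
    for op, args in _decode(blob):
        indent = "" if op == "func" else "  "
        lines.append(indent + " ".join([op] + args))
    return "\n".join(lines) + "\n"

def run(blob, entry="main"):
    """Interpret the tokens one statement at a time, with no optimisation."""
    funcs, current = {}, None
    for op, args in _decode(blob):
        if op == "func":
            current, funcs[args[0]] = args[0], (args[1:], [])
        else:
            funcs[current][1].append((op, args))

    def execute(name, argv):
        params, body = funcs[name]
        env, stack = dict(zip(params, argv)), []
        for op, args in body:
            if op == "load":
                stack.append(env[args[0]])
            elif op == "const":
                stack.append(int(args[0]))
            elif op == "xor":
                stack.append(stack.pop() ^ stack.pop())
            elif op == "call":         # pop the callee's arguments, push its result
                n = len(funcs[args[0]][0])
                callargs, stack[len(stack) - n:] = stack[len(stack) - n:], []
                stack.append(execute(args[0], callargs))
            elif op == "ret":
                return stack.pop()

    return execute(entry, [])

if __name__ == "__main__":
    blob = tokenize(SAMPLE_SOURCE)
    print(detokenize(blob), run(blob))   # the original text, then 90 ^ 60 == 102
```

The blob that leaves `tokenize` is binary and not human readable, yet `detokenize` rebuilds the source byte for byte because the name table survives and no pass ever merges, reorders or inlines statements. Drop the name table or add an optimising pass and the round trip stops being exact; that is the whole distance between this "object code" and the source it came from, which is why the comment expects a court to have trouble drawing the line.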
Question: (Score:2)
Cheers,
Perrin.
Re: A few points (Score:2)
This is splitting hairs in my opinion, because the nature of cryptography demands peer review and the most popular cryptography packages are open-source.
I suppose one could say that the government has also restricted the export of commercial crypto packages which make their source code available only under NDA for a price. Are there even any companies which are silly enough to offer such a product?
Apart from that hypothetical, the effect of prohibiting the export of source code is essentially identical to prohibiting the export of open-source software. In essence, the government is turning the GPL or any other open-source license into an anchor which forces the package to remain within U.S. borders. Closed-source software is not so restricted.
Quite true!
Jamie McCarthy
Question... (Score:2)
Re:No source = No programs (Score:2)
So what happens if . . . (Score:2)
Is that exporting the source code, or the binary?
Good grief (Score:2)
Crypto source, like any information, doesn't need to be continually exported. It just needs to make it out *once*. After that, there's no need to risk smuggling anything again, when you can make a million electronic copies if you'd like.
Given the number of highly guarded, classified, ultra-top-secret US government documents that routinely turn up in places like Russia, China, Great Britain, Israel, Iran... I think it's fairly safe to assume that whatever Janet Reno thinks is worth guarding, is already gone.
Re:outlawing math (Score:2)
Why not? They change the time of day with impunity twice a year.
--
It's October 6th. Where's W2K? Over the horizon again, eh?
Re:Running Scared (Score:2)
I could have figured this one out myself I guess. I was busy scratching my head trying to figure out why the justice department was advocating a policy which could be so demonstrably easily defeated by anyone, and which merely has had the effect of moving the centers of development of security critical software offshore. In the long term, the inevitable deskilling of US programmers this will lead to can't be in the national interest.
This policy only makes sense if the administration thinks it has important political symbolism.
In that case, it may be not so much that they are clueless, but out of touch. I mean, as a political message, "no export of strong encryption" isn't exactly "Remember the Alamo". "No export of source code for strong encryption algorithms except in printed form" is even more obscure. Anybody who cares at all about this issue has to think the policy is simply stupid.
I don't buy that this is a plot to advance Microsoft, or to sneak back doors into strong encryption. It is simply too trivially easy to defeat this policy for it to have any kind of effect whatsoever, except to bar US programmers from working on open source cryptography.
I wonder if this could be challenged on constitutional grounds, on the basis that source code is an expression of ideas (just as it would be in paper form), as opposed to being an apparatus, which a binary product would arguably be.
Re:Would this comply with the GPL? (Score:2)
It's quite simple. According to the GPL, if you can't distribute the source according to the GPL, then you can't distribute the program at all.
From the GPL [gnu.org] (section 7):
If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all
So, in the case you laid out, if you are allowed by export laws to export crypto binaries (and not source) then, if that binary is covered by the GPL, then the GPL forbids any export distribution.
In short, under the GPL, if you can't distribute the source and binary, you can't distribute either.
Anyone care to theorise what would happen if someone ex-USA got a copy of a GPL crypto binary, and asked for the source? If they say yes, they are breaking export laws, if they say no, they are breaching the GPL. Quite a dilemma.
--
Bernstein will save us (Score:2)
-russ
Re:Would this comply with the GPL? (Score:2)
This is great for Microsoft. This is terrible for Red Hat. While it doesn't actually add any new restrictions to RH, it allows MS to compete more effectively with RH Linux. Maybe it will also be a boon for offshore distributions such as SuSE and TurboLinux.
Connecting Traditional to Technology (Score:2)
Basically, it's an issue of understanding technology. Most people, to include some very bright minds, just can't seem to get a good understanding of what the various forms of technology are. Thus, it's hard to see electronic documents containing source code as free speech. Meanwhile, any fool can understand the printed word must be protected.
Take email vs. snail mail as an example. Traditional paper note-in-an-envelope mail has a fair amount of legal protection. It didn't have to have it - but early American planners made sure of it. Meanwhile, recent rulings have given email none of the protections that traditional mail has. I think those who work within a technology environment see little difference between the legal privacy of a piece of paper vs. electronic file. It's obviously not so apparent to outsiders.
So going back to source code... those who are a part of the technology see restriction of source code as a freedom of speech/press issue. However, outsiders may not understand this. It may take some considerable work to connect the two. In a court of law, this doesn't always happen. Thus, officials who want to go after published source code will have an easier time at restricting electronic distribution than dead-tree distributions.
Re:Well... (Score:2)
Civil disobedience means putting your ass on the line against the power of the state. By doing so, you hope to shame the state into behaving better; or, failing that, let it know that there are people willing to put themselves at risk to oppose it - and let them figure out that said opposition may not be restricted to nonviolent means.
Free speech issues and ways to defeat restrictions (Score:2)
Should printed (crypto) source code be restricted, I say we up the stakes yet another level; fire up your Mac (or whatever machine/OS gets your jumbly stiff) and have the machine *SPEAK* the source code. Simply record the output and mail a copy to whoever you please or play it over the phone. Although the recording might make for some boring listening, it would be spoken word and therefore any attempts to restrict it would be very clear-cut violation of the constitution. Should some old decomposing pile of bones masquerading as a congressman raise the point that a machine made the recording, simply enlist a few intrepid souls to read and record the code; what will the gov't do then, decree that spoken word is machine readable and therefore subject to their control? Can you say "Violation of my constitutional rights"? I knew you could!
With a bit of tweaking, I'm sure one could get ViaVoice to transcribe the recording. Voila! Stupid law circumvented once again!
I believe that every effort the gov't makes to restrict crypto (and ANY free speech) should be challenged and every loophole exploited. The effect of this is they must address the holes and tighten their grasp on us. Once this happens, the issue will become a pure free speech issue and will be forced to a head.
"The more you tighten your grip, Tarkin, the more star systems
will slip through your fingers".
--Princess Leia
Re:Well... (Score:2)
However, please do not dismiss the importance of a challenge, even a small one, to free speech. Should free speech fall or simply become ineffective you'll have a *very* tough time organizing demonstrations for *anything*.
This specific issue, encryption, is very important itself to effective free speech and the right of free assembly. Organized civil disobedience can make use of encryption just as any illegal group like criminals or terrorists can. It's just far less obvious we want to prevent it.
Bah! Stupid Congress! (Score:2)
Also it seems kinda rude in terms of foreign policy to declare to someone you're trying to build a trade relationship with that you're not going to give them access to something that would give them privacy; by doing this the US is openly admitting the fact that they're spying on everyone. Now granted we already could've guessed, but for them to stand up and yell it on a street corner is just stoopid.
-gaffney, who wishes to hell he were old enough to vote.
Something new (Score:3)
Now, name at least two well-known US-based companies which will continue to suffer from these restrictions!
Right! Redhat and Caldera (especially RedHat, since they really want to keep their distribution "free") still have the same problems, because their "products" are open-sourced. Cute.
Source-in-the-bin (Score:3)
It need not be said that this whole thing is incredibly stupid, and I'm ashamed of my government, I mean really -- "We don't trust our people" is essentially what they're saying. It doesn't need to be this way, we (at this point still) have voices and an organized effort would probably be enough to sway some influential congressbots into behaving reasonably. Maybe I ask too much.
This is expected (Score:3)
Can you say "secret key escrow" just like Clipper?
I knew you could!
So, of course, no open source software can possibly meet the guidelines. After all with open software anyone can see the back door and that would never do, would it?
:-(
Ben
Re:A few points (Score:3)
Let's hope they get round to changing the somewhat broken law in the first place, before they realise that much...
Free speech (Score:3)
The current US position is that source code in electronic form is communications between the programmer and the compiler and hence under no Constitutional protection. Source code in printed form, since a computer can't read it, must be communications between two programmers and *is* Constitutionally protected.
Of course the government knows that OCR software exists and people who are serious about exporting software use special OCR fonts. (As an aside, where can I find those fonts?!) But they know that if they take an OCR-scanning programmer to court they may lose not only that case, but the larger issue of paper vs. disk vs. net distribution. The appeals courts in the Bernstein case make this seem likely.
As for motivations, I think a lot of the policy makers are driven by old-time military security policies and don't understand that they don't apply here. Leaking *any* information about most military hardware allows the enemy to work on ways to disrupt yours and improve their own, but mathematics and basic physical properties are things that can be done by anyone with the motivation and time. With them, all we can do is continuously remind them that *all* public source cryptology can be understood by a motivated college maths major, and even some HS students.
At the same time, I'm sure that "industry" lobbyists are talking to their old colleagues and pointing out that the exposure is limited when a company exports its binary packages. Have you ever tried to disassemble a megabyte-sized "hello, world" Windows program? The fact that this makes it easier for MS to export its Kerberos-enhanced W2K, but I can't export my Kerberos-enhanced Debian packages, isn't mentioned. Besides, MS has 90% of the market, and my distribution has 0%. (Because of the export laws, it's an on-again/off-again project and still in early beta.)
As a final comment, I know I could distribute my packages as source code, but that's completely unmanageable. The Kerberos source tarball is around 5 MB, and while many of the other packages (e.g., lprng, postgres, coda, cvs) can be rebuilt with a one-line change in the 'debian/rules' file you need a fully loaded development platform to recompile everything. Few people would use a distribution where you have to scan in a book (literally), then spend two days compiling everything.
Re:Bernstein will save us (Score:3)
The re-hearing before the Ninth Circuit Court of Appeals has been scheduled for Dec. 16, 1999. The first time the 9th Circuit heard the case was in December of 1997, and they took a year and a half, until May 1999 to decide. Based on this we can "extrapolate" (using Arthur C. Clarke's term) the following timeline:
12/1997: 9th Circuit appeal hearing
5/1999: 9th Circuit decides
12/1999: 9th Circuit en banc re-hearing
5/2001: 9th Circuit decides again
10/2001: Supreme Court takes case
5/2002: Supreme Court decides case (they take pride in making prompt decisions)
Of course, the 9th Circuit may be faster or slower this time around, and the Supreme Court may not take the case, but this is as good a guess as any. The real problem is that no one knows what legal tricks (new regulations, new legislation) the government may pull to delay this even longer. It's already taken most of this decade.
What will the closed-source vendors do if you spot them a 2.5-year head start from now?
Re:Why (Score:3)
Or anyone who's out there in the development of such software should simply leave the US and develop outside. I don't think anything would scare the US government more than a brain drain.
Hm. How 'bout interpreted foo? (Score:3)
Running Scared (Score:3)
Washington is simply under public pressure to do something about exporting national secrets (as if any open source code could be considered a national secret) considering recent debacles related to Chinese espionage and the subsequent attempted coverup.
They're just flailing out at a segment of the software industry that can't defend itself, collecting the brownie points back home, and forgetting about it by morning.
Well... (Score:4)
Re:Well... (Score:4)
I'm sure this varies from issue to issue and from congressperson to congressperson, but I still urge you (and everyone else who cares about this) to write an original letter and put it on paper, sign it, and send it to each member of your delegation.
It *does* have an effect.
The "special interests" control the process in no small part because we don't exercise our freedoms. Want freedom of speech? Say so!
See http://www.senate.gov/senators/index.cfm for a list of senators, follow through to their mailing addresses. [senate.gov]
See http://www.house.gov/zip/ZIP2Rep.html [house.gov] to find out who your House member is. Follow through to their web pages which should offer an address.
Use your rights and let freedom ring (okay, I know I'm sounding hokey, go rent Mr. Smith Goes to Washington and get all hokey too!)
outlawing math (Score:4)
It's like Congress deciding they want to rewrite the Law of Gravity.
Clueless (Score:4)
"This happens to suit U.S. government intelligence and law-enforcement agencies, which worry that access to the source code for encryption and security software would enable terrorists, drug dealers and other criminals to devise secure communications networks that agents would not be able to monitor."
This shows the apparent stupidity and lack of competence in our government agencies. Outlawing crypto doesn't keep it out of the hands of those who want it for covering illegal deeds. If you've got the resources to be running an organized illegal operation like the one mentioned here, getting your hands on software that will encrypt your communications will not be difficult, no matter how illegal it may be.
"The problem is that by the government's definitions, OpenBSD is foreign software"
How, exactly, is this a problem? It is a problem for the US government because they can't stop strong encryption from being made in other countries?
"The administration, for example, has so far declined to regulate the international movement of source code if it is printed on paper, presumably out of concern that such regulation would violate the First Amendment."
So does this mean that if we only write the code for strong encryption and print it out on paper then we can export it? Since when is there a distinction of free speech on paper and free speech in
Is this really a brain dead government honestly trying to keep something from the hands of dangerous criminals? Or does it look more like a government that is trying to make it difficult for companies to develop products for the everyday consumer and more importantly, "petty criminals"?
True goal: prevent crypto proliferation in the US (Score:5)
So why do they insist on export controls? It's plain: to slow down crypto proliferation inside the US. The major email programs still don't include seamless crypto integration.
The most revealing bit of the puzzle is that source code is not exportable if it only contains hooks to allow easy plugging in of foreign-developed crypto code. No US-developed free software currently contains hooks like that, since it is impossible to prevent free software from being exported. It's not about stopping the flow of crypto algorithms to foreigners, and it's also not about terrorists and organized crime (they can easily invest a bit of work and put the hooks in themselves): it's all about preventing widespread adoption of strong crypto for everyday communications in the US.
The government currently listens in on telephone conversations and email, and they would like to continue in the future.
Corporate Rights Honored; Business As Usual (Score:5)
While government is ostensibly concerned with the rights of citizens, its primary goal is self-preservation. (Do you want to lose your job? Neither do they.) The furor over encryption technologies was threatening to move voting blocs and critical endorsements; very well-endowed companies and individuals were losing money due to certain governmental policies.
Something had to be done.
Meanwhile, those same guys who cruise Silicon Valley harassing company after company, working tirelessly to put an ear in every wall, are skillfully scaremongering those same politicians with the kind of information you just don't get from a Freedom of Information Act request. These guys inspire terror in more than a few silicon valley techies; you don't think they know how to play the fear game with a few PR-conscious congresspeople and secretaries?
Something had to be done for them too.
So, the general concept was this: Remove the heavy artillery from the open-encryption campaign by placating the highly funded (and thus dangerous in the PR department) companies seeking to make millions off of encryption sales. Do this by offering a slightly increased acceptable key length, as well as a "one stop shop" for an intelligence community OK to speed acceptance.
Meanwhile, do absolutely nothing for open source code, and in fact have Janet Reno talking with Germany about ways of suppressing critical infrastructure tools such as ssh and SSLeay. (No need to worry, there are many businesses that would be happy to sell you a closed source product that's only been peer reviewed by the intelligence community.)
Everybody's happy, no? Oh, yeah. The public. Those are the guys who a) finance the system and b) think the system is taking care of their finances.
I'm not so sure.
The real problem that the government's continual threat-making is exacerbating is that tremendous quantities of very private information are travelling in virtual plaintext. Go find out how many large companies make the rather ridiculous assumption that "Phone Company = Private Connection". There's no small amount of irony in the fact that a Virtual Private Network is in fact significantly more secure than Telco-mediated point-to-point links. VPN design specs accept the fact that they're traveling over insecure lines. Legacy private networks presume that there's nobody able to listen in. This is a rather ridiculous assumption, particularly with the recent actions of the US Government against alternative phone service providers who were failing to provide wiretap/geoposition trace capabilities.
Is there a Telco engineer around who hasn't accidentally (or intentionally) listened in on a circuit to "make sure it's working"? Have we not been paying attention to the recent exposures regarding the Echelon system?
It is simply undeniable that Telco links, be they voice or Frame Relay, are insecure. The arguably misnamed "Virtual Private Network" is far less virtual than its predecessors, and the government knows it.
Then again, if the public is having its data tossed around in a forced-sniffable form, so too with the company's data, which is being tossed around right alongside it. Maybe Corporate Rights are being trampled on after all.
Comments?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
A few points (Score:5)
If what the NYT says is true, then Open Source software wasn't specifically excluded from the recent relaxed stance on crypto software. No source code may be exported, whether it's Open Source or from a commercial entity. Please don't embellish stories with information that isn't factual.
A bigger point is that constraints on the export of source code have been rendered ineffective anyway. I can still publish a book (such as Bruce Schneier's Applied Cryptography) that contains source code, though technically I can't publish it in a machine-readable format. Just about anybody can get access to a decent OCR program, however (is there one available for Linux, incidentally?), and can scan in the source code and generate a machine copy.
A paper book isn't the most efficient way of publishing source code, but it is a workaround. If uploading the source to Blowfish to a server in Jakarta, Indonesia is illegal, then it is possible for a person located there to purchase the book, OCR it and set up an overseas mirror there.
Another complete waste of time (Score:5)
1. (minor gripe) How come OpenBSD is not mentioned in Slashdot's original mention of the article? (end minor gripe). Please note: That's a *minor* gripe, people!
2. I thought the US Navy was using WinNT exclusively? =)
Thus, the Navy's project is built with Italian enhancements to a Canadian product that was born in a U.S. university. What is more, it is likely that the software contains pieces of code contributed by programmers in Finland, Germany, Eastern Europe, Russia, Australia, India, Mexico and other countries.
Open Source Rules OK! Go BSD GO!!! =) This being said, isn't it sad^H^H^Hgood that, because of brain-damaged US policies, good programmers can now work in peace in Canada?
3. If Canada starts behaving as stupidly as the American administration does, Theo de Raadt will have to move to Finland or Sweden. Same weather, same relaxed crypto policies, same Internet access. Just a big waste of time. I'll be the first to send some $$$$ his way to make his moving easier...
4. You will have to pry my OpenBSD CDs from my cold finger, Janet Reno! (see below) =)
If the attorney general succeeds in persuading the Europeans and Canadians to shut off the flow of open-source security software, he said, "I think it would be a tragedy."
It's not going to be a tragedy, just a complete waste of time -- most Europeans are *fed up* with minor inconveniences such as NSA's Echelon and NSI's policies. They are not going to go back to the "old ways" of doing things. The US administration is behaving in such a heavy-handed manner, there is no way most European governments are going to clamp down on crypto. Even *France* authorized heavy crypto recently, for crying out loud! That was a country that used to be lumped with China and Iran as far as crypto was concerned!
5. Dear Janet: please *get* *a* *clue*. The cat is out of the bag, and there is no way you'll ever, *ever* get it back in...
But in case Reno has her way, the software industry is developing end runs. The administration, for example, has so far declined to regulate the international movement of source code if it is printed on paper, presumably out of concern that such regulation would violate the First Amendment. Thus, several companies are already shipping printouts of their code to Europe where it is scanned into computers.
So: I can't get the source, but I can get the book, right? How stupid can you get?
When asked about the policy's impact on the development of Linux, FreeBSD, and other open-source projects that serve the government's own needs, Reinsch, the commerce undersecretary, said: "It's an important question which we need to study a lot more. We don't have all of the answers."
You probably mean you don't have *any* answer. The crypto part of Linux, *BSD, etc. will simply be programmed outside the US, as it has been for a long time. US crypto policy, just like the walls of Jericho, is built on sand. And it's just as useless.
If only those people could leave people like Theo alone and free to code... *Sheesh*