Encryption Security Your Rights Online

Still Can't Export Open-Source Crypto 139

The New York Times today reports that the Easing on Software Exports Has Limits. (Free reg. required.) Turns out the administration's recent change of heart on crypto specifically excludes open-source software. "When it comes to source code ... 'nothing has changed.'"
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward
    I hope Theo doesn't move to Sweden. We have the same restrictive crypto regulations as the US has.
  • Damn, I just looked at the list again and it turns out I'm #6294. Weird. One of those small world things I'm always hearing about.
  • >Ok: this make SuSE happy, isn't it?

    Sure. But it does not make me happier - I still think their Yast licence is a BadThing(TM).

    >And for instance makes happier Software companies
    > in Europe: the crypto laws of USA were a godsend

    No, it does not. Closed-source is OK now, so European companies lose anyway. Except maybe for SuSE and similar.

    >But anyway I downloaded ssh from a server in Finland, and I'll continue to download from it.

    Sure, I download it too, but I would prefer to have a better integration with "strong cryptography" in the "core" package.
  • by deno ( 814 )
    But, as far as I know, US companies aren't even allowed to make interfaces to strong-cryptography programs. I suppose that is the main reason why pine support for PGP is so crappy. If the US government wants to be really "anal" about the crypto-law, RH is going to have a lot of difficulties.
  • I haven't programmed in JAVA in ages (and I only did it once to say I did it) so I don't remember the various file handles, so forgive me if I get this wrong (but point it out).

    JAVA is almost it, but I don't think there's exactly a 1 to 1 correspondence between each line of source code and each line in the object file. An old BASIC like on the Commodore 64 is a lot closer. The programs ran exactly as you input them, the interpreter didn't try to exploit any techniques for efficiency.

    If JAVA fits the bill then we're already there. If the .class files are the actual source code and some other extension contains the object code and strips out all identifiers and optimizes code then JAVA isn't it.

  • by pudge ( 3605 )
    Does someone have a link to the text of this "policy"?
  • I am a card-carrying international arms trafficker, and have been for some time. Check out the ITAR Civil Disobedience page at http://online.offshore.com.ai/arms-trafficker/ and discover how easy it is for you, too, to become a felon!

    You can even have a nifty letter sent to the president on your behalf, if you want to make your voice even louder.

    And always remember... writing a real letter to your congresscritters never hurts matters. They're worth more than email.

    I'm number 6293 on the list at http://online.offshore.com.ai/arms-trafficker/known-traffickers, btw.
  • You miss the point. I know that there are plenty of developers outside the US who could write crypto code. However, that doesn't invalidate the contributions that US developers could make. The whole point of this thread is how stupid the US legislation is. Sure, developers in other countries could do it, but that pretty much goes without saying.

    As it happens, it's irrelevant because another responder pointed out that this tactic would still be illegal.


    Cheers,
    Perrin.
  • I wonder if there's any chance that all the politicians in the United States will all simultaneously self-Darwinate.

    "We practice selective annihilation of mayors
    and government officials
    for example to create a vacuum
    Then we fill that vacuum"

    Once all the politicians were gone, then maybe we could replace them with people who actually have clues...?


    Cheers,
    Perrin.
  • I heard an interesting story about 6 months ago in a seminar from a security researcher about an unnamed international company wanting to connect their UK network to the one somewhere in the Middle East. Being security conscious people they encrypted the connection (no idea if it was some 40-bit mickey mouse crypto from some American company or something decent). Everything worked just nicely. However, after a month they got a call from someone claiming to represent the French government asking them to stop encrypting their VPN. The next thing they did was to ask their telco to reroute the connection so it didn't go over anywhere near France ;)
  • What the hell...if the state legislature in Tennessee can decide to make pi = 22/7 by just saying so, what's to stop Congresscritters?

  • I'm a Yank and my clueless government irritates me no end -- around here, only the relatively wealthy and vacuous can withstand the death march of running for election. It's why I've given up on our two-party system and voted Libertarian the last decade or so.

    More to the point, what happens if somebody abroad creates really bitchin' encryption and posts the source code on a non-US site? Does this provide a workaround to the idiotic munitions-export rule? If so, maybe somebody needs to tutor somebody via pseudocode.

  • From the site:
    We're sorry, but we are temporarily experiencing a server error.
    Translation:
    A ton of irate Slashdotters are coming to see just how dumb-assed our government is WRT encryption.

    --
  • There's no real problem for Red Hat. i.e, the Red Hat Europe subsidiary is incorporated outside of the US and they can provide the source code (and binary) rpms on their own servers. The parent US company can provide a URL on their own website without any problems - as long as the code was all developed outside of and remains stored outside of US national borders, they can still make it available to all their customers in the usual manner without actually exporting anything.

    *This depends upon the notion that it doesn't count as an "export" when John Smith in the UK can download a file from an ftp server in Europe by clicking on a link provided by a US web server.

    Consciousness is not what it thinks it is
    Thought exists only as an abstraction
  • Fortunately, Linux/Unix is an inherently modular system. Every program is *expected* to have the ability to exchange data with others via stdin and stdout. So you don't really need special hooks for crypto, you just treat it like any other filter. To prevent that, the US Govt would have to ban all forms of Unix, and all incarnations of pipes and sockets on other systems too because this is all that is required to support arbitrary pipelines.

    It is only closed proprietary systems like Windows which *need* special APIs for software components to interoperate.

    Consciousness is not what it thinks it is
    Thought exists only as an abstraction
  • WHY has this man been moderated down? The point he raises is not flamebait, it is exactly the point at issue here: Americans are losing their freedoms and the Constitution is not protecting them.

    Why? Because:

    (1) The US government is entirely controlled by big business which doesn't give a flying fuck about individual liberties; and

    (2) Individuals - including Slashdot readers - are too comfortable to get off their asses and demonstrate or even to pick up pen and paper and write to their representative.

    Your Constitution is like everything else in the world that is worthwhile and that had to be fought for: USE it... or LOSE it.

    If you're thinking it's none of my goddamned Brit business, think again. The whole "democratic" world still, rightly or wrongly, looks to the US for a lead. And whatever you guys let your government get away with, they are bound to try over here. Finally, if a constitution is as important as you Yanks say it is, then how can we Brits (and other Euros) possibly succeed in keeping our governments in check where you guys have already failed?

    Just like the next in line at the slaughterhouse, we look across the pond at what is happening now and we very much fear for our own fate as a result.

    Like it or not, the entire free world is today depending on the common American man and woman to rein in their government before these antidemocratic horrors multiply any further.

    DAMN the Wassenaar agreement!


    Consciousness is not what it thinks it is
    Thought exists only as an abstraction
  • Have you ever studied what happened, and what all those civil rights battles were about?

    Well, let's start off with Black Rights movement, because that is one that everyone is familiar with (don't get me wrong here, I think this movement was great, and I fully believe in Civil Disobedience and activism; I also believe that we do need to get these encryption/free speech/freedom of privacy issues resolved).

    Rosa Parks was arrested over a seat on a city bus.

    The sit-ins in the lunch bars and restaurants were over being able to eat at this or that restaurant.
    There are many more examples like this in other movements. Gandhi's first actions for civil rights were down in South Africa. He burned little sheets of paper, and was beaten for it. This is what civil disobedience is about. We want to disseminate text files freely across the net, and we want to protect our personal data, incriminating or no. I also want to be able to have people know that I am indeed sending email as me. I want to know that the email I have just received is from my Girlfriend, or Casey, or anyone else that would send me mail.

    The first step to all of this is getting rid of the export laws. There are bigger issues at hand, but what needs to be fought are all the little steps along the way. The first step is to oust the export restrictions. You see, the laws always are complex. What the people want to do is invariably simple but restricted.

    Jeff

  • Anyway, the problem with paper is that every time something changes, you have to print a whole new book. This could become a little time consuming and resource (monetary) intensive.

    Well, you could always use paper copies of diffs. Still annoying, but it would work.

  • Will someone PLEASE post a mirror of the story so those behind cookie-disabling proxies can read it? (The ultimate solution is to NOT use cookie-required stories! How come /. hasn't caught on to that yet?)
  • Who cares? Quite frankly, I do.

    The US citizens who WANT to (legally) contribute to OSS crypto projects are the ones who suffer here.

  • The problem is: US citizens can't (legally) contribute to OSS crypto projects. Why is this so hard for people to comprehend? Can't at all, period, even one character, by definition.
  • What about distributing the binaries as usual, but including a pointer to a non-US site where the source could be downloaded legally. Would this fulfill the GPL's provision of a written offer to provide the source on request?
    This site can either get the source directly if development is not US, or through printed copies if necessary.
    I'm not sure what the legal status of a US company maintaining a non-US site for the distribution of crypto would be. I suspect that isn't allowed. But could funding be given to a third party?
    I'm also not sure what the GPL allows for third-party source distribution. Does the binary distributor have to be the one actually handling the source distribution, or is it sufficient for the source to be freely available?
    thejeff
  • Your assumption of the government's cluelessness is based on an acceptance that the motive behind their action is the one that they have informed you of.

    In actuality, the government is a collection of individuals, and all of them are grinding their own axe. This results in an apparent collective goal of the government that doesn't match the stated goals. (Only some of the folk in government have those goals).

    There is no central control, but there are many attempting to be the central controller, or at least to act as if they were one within an area. This is the inevitable result of allowing the executive arm to use delegated agents. Eventually, unless other matters intervene, one of these groups will destabilize the government, and then we'll need to build a new one. Pray, pray hard, that it doesn't happen soon.
  • That's no problem. Just keep the code in Europe. Have the UK site be the main site for the UK users. Have the UK link point directly to the European code-home. All security related work is done outside the US. Folk in the US can download the code and only bug-reports flow the other direction.
  • Do I smell a conspiracy afoot? :P
  • Could it be that the US government is still attached to closed-source software and this may be an attempt to shut down GnuPG or open-source crypto in general? Perhaps not, but if you don't have the source code you cannot release software because you can't compile it without the code, even if it's being released to the public.
  • Is that a bad hyperlink or has the server been slashdotted?
  • by GC ( 19160 )
    Yeah, I know what you mean. Here in the UK I sometimes get the feeling that we're a province of the US...
  • Even if your method works, a lot of people outside the US can write code; a country like India can provide similar quality at lower cost, so they don't need US developers to ssh into a foreign machine.


  • The US government is not stupid. They know very well that the strong crypto algorithms are well known all over the world and free crypto software is widely used and can be downloaded from many non-US servers (and can also be produced by every CS major in a month).

    So why do they insist on export controls? It's plain: to slow down crypto proliferation inside the US. The major email programs still don't include seamless crypto integration.

    Even with non-open-source software, I found that certain programs with so-called strong crypto can be downloaded from countries like China and Russia.

    The current policy of the US government affects mostly large-scale companies like MS. So they want to strike a balance, by having a new hand to open-source.

  • Just went through a long export control law briefing at work. There is an exception for public domain information. Someone should publish a book and get it into a bunch of libraries. It should be ok to export then. Watch out though, talking about crypto (or any controlled technology) with or letting yourself be overheard by a foreigner can be considered exporting... Damn export laws are more annoying than actual security laws.
  • This isn't all that different to ordinary java .class files, is it?
    I mean, that's an intermediary tokenised format, you don't have to use a JIT compiler on it... and you can mangle the symbol names (maybe not removing the idea of symbol names entirely, but as good as)...

    If there's one thing it *would* achieve, it'd possibly help introducing the government to the concept of "brain" - they really need to stop talking bureaucratic crap and to produce laws that actually talk about the technology in the correct terminology, for starters. Half the problem at the moment is that legalese is not slashdot-speak, I think.
  • I've not hacked java particularly, but from such as I know...:
    The object file doesn't have 'lines'... it's tokenised, binary.

    It's a two-stage thing: you write in java, which obviously looks similar to C++ source, to the not-well-trained eye. At least it's plain text at this stage.
    Then you compile it into some messy looking .class format. This contains all the same symbol names as the real source, but the whole file is complete garbage to even attempt to understand.
    The machine (JVM) itself reads this binary stuff and interprets it - binary encoding of token by binary encoding of token. So there's a fairly simple mapping between the instructions you gave and the things the interpreter phase of it does.

    So .java is source to us, .class we regard as object. From the JVM's PoV, .class is source, actions are the results.

    Is that good enough? :)
  • Really interesting idea: what about shipping it out as java .class files? They're not hard to convert back into .java source, for starters :)

    Actually there are differences. Unless you have a linker's .map file, you can't really convert back into logical variable / symbol names. There's at least one thing out there that mangles java class & variable names, too, so you can generate .class files that work and decompile with, eg Mocha, but aren't really legible.

    Maybe it comes from the other end: if someone's written it, then it *is* source code. The choice of language doesn't really define source or not? :)
  • Well, I think all the Scandinavian countries that are members of the European Union have signed the Wassenaar agreement, which classifies strong crypto as heavy arms (though I think each country makes its own laws on this. In DK strong crypto in source form is legal at least). Though I expect that all the fuss about Echelon and NSA is going to push crypto very much forward in all of Europe (and the rest of the world for that matter).
    The Danish government is on the brink of throwing out their newly acquired NT system because the NSA has 16bits of the 56bits they use for encrypting emails, making it *very* easy to decrypt sensitive internal mail. This is a serious threat to national security.
    Therefore the .DK government is likely to fund development of Danish crypto tools (not worked out yet).

    If I were a crypto company or Theo De Raadt, I'd move to Finland or Switzerland which, I believe, are the two most independent and unencumbered countries in Europe. Neither are members of the EU or NATO (not 100% sure about .ch and NATO).
  • If you export via email, it's personal correspondence; if you post it to your web site it's an export.
  • The GPL allows for distribution of the source in printed media, does it not?
    So what's the problem?
    Customer downloads binaries, desires source, contacts distributor and purchases printed copy of source. No problem... GPL allows for charging media is distribution costs.
  • Books have their own sacredness in the eyes of the American people. You can't get away with banning/burning/etc.. books in America as a whole (though, yes, you will occasionally see local incidents.) This is the only reason crypto books are given special consideration.

    I don't believe the govt will go after books any time soon. They are already running scared on the crypto issue, because they can see the defeat of restrictions entirely.

    I don't think we'll ever see any attempt at controlling export of books.

    Unless, of course, it's child porn. :) I don't think the govt can make a case that crypto code is child porn.
  • So, what we could do is add a really crappy router (well not really a router, just a machine that you send crypto source to and it puts it through, maybe on a web page or FTP server) at the border between us and Canada or us and Mexico. Instead of doing the standard data-through-wires thing, it would actually print out a copy of the data, which would actually be fed over the border, then OCR'd on the other side. Problem solved.
  • Can somebody moderate this one up please. It's actually a useful idea.
  • I'm number 6293 on the list at http://online.offshore.com.ai/arms-trafficker/known-traffickers, btw.

    642, myself.

    You should see the looks I get when I tell people I'm a registered arms dealer. That alone makes it all worthwhile. Three years, and I still haven't been arrested. Darn.

    But the more, the merrier. Anyone got some spare Stinger missiles?

    James - I really should get the t-shirt

  • You think you've got it bad... try figuring out what the hell we Canucks are allowed to do.
  • While this is true, others have realized this and are working where it counts. Where does it count? One important area is SSH. Due to the US's restrictions, RH and others can't have sites that contain the package, since international users could download it. However, Debian, Suse, and others can as they are not US-based. Thus, you don't find SSH (perhaps though SSH2) with the distribution of US based Linux vendors.

    A few weeks ago when OpenBSD announced its method of solving this problem, as best they could, some users on my LUG began talking about (if I understood correctly) emulating OpenBSD's approach [openbsd.org] (except non-US citizens must do it). Thank Daily Daemon News [daemonnews.org] for covering that tidbit.

  • An interesting question is whether there are any parties out there with the cojones to act on Bernstein and "Publish and be damned!"

    The decision matrix on this is interesting. Will the USgovt wait until years have passed and the USSC has ruled, and then bring charges? How many juries will convict given the Defense pointing out that the Defendant was acting in accord with the law as decided both in Court and on appeal?

    On the other hand, the USgovt could move for an injunction. That would take a lot of confidence to go before a judge and try to explain that irreparable harm would be done by exporting a copy of source code that originated on a non-US server and will continue to be on that server no matter the Court's decision. The whole proceeding would be a Heaven-sent opportunity to lampoon all of the nonsense arguments in front of someone whose very job description requires filtering through BS.

    [earthworm jim]
    Better than pro wrestling!
    [/earthworm jim]
  • I believe that there was a case that specifically decided that electronic communications over the 'net were just as protected by the first amendment as dead tree communications.

    therefore, I would think, renaming your .c source files to .txt is just as legal as printing it out and mailing it.

  • Then would "compiling perl to C" and distributing that be allowed?

  • Perhaps Red Hat could "import" their crypto from Red Hat Europe :-)

    Jeroen Nijhof
  • Really, this is getting thought-police-like. Really, source code is just an imprint of an idea. Can't one just print out the source and send it out? If you actually CAN do that (and I can't see why you shouldn't), then this is just really bogus. WAKE UP government, the cat is already out of the bag...everybody has encryption, you're just making it a pain in the butt.
  • GNUpg is available. Everybody, anywhere, has access to crypto algorithms and source code. Do they believe only high security US people know how to code an RSA encoder/decoder? In my (French) engineering school crypto and RSA are part of the cursus, and coding them is part of the projects given to students. Heck, even if you are too lazy to code it yourself and need a sourcecode that is in the US just click and 3s later you got the source code on your drive.

    Like the US had some kind of monopoly on crypto research... this is not sad, this is ridiculous and stupid. But that keeps US crypto industries off our markets :-)
  • Would cards with holes be legal? Then it could be useful to save those card readers on those old big Cobol programmed mainframes ;)
  • This has already been done. See GPG.
  • >Yeah, I know what you mean. Here in the UK I sometimes get the feeling that we're a province of the US...



    You should be so lucky; if you were a province of the United States, you'd have enumerated (constitutional) rights. As it is, you don't.
  • I might argue that the creation of a novel cryptosystem is in fact a rather difficult task. Alternatives to the one time pad have been proposed for centuries - many of which were "unbreakable", but turn out to be surprisingly easy to subvert. You might consider reading something on the subject of cryptanalysis before you assert that good cryptosystems are easily understood.
  • Well, you don't have to publish the whole source
    again. You can publish the output from diff.

  • It's ironic that software can't ship strong crypto *out* of the US, but if it's developed outside of the US it can be shipped *in*.

    There are several projects that have developed strong crypto without contravening the US laws (to the extent that Opera has 128bit encryption).

    There is an Australian project that reproduced the strong crypto without reference to the US and that, I believe, was open source.

    What makes things really bad though, is that the US developers are scared off from using this in case they are sued for selling strong crypto.

    Mozilla took this decision for a number of reasons, even though they knew there was a 128bit engine that was non-US based.

    This sort of thing will hinder the US development projects.
  • That is still illegal according to the laws/regulations of the US Government. There was an Ask Slashdot that covered this a while back: Using SSH on non-US sites for Crypto Development [slashdot.org].
  • Haven't looked at many .src.rpm's on
    US Red Hat mirrors lately, have you?
  • Really? Sweden has the same crypto policy as the US?

    That sounds surprising -- I thought most Scandinavian countries were pretty liberal when it came to personal data privacy and crypto.

    Care to elaborate?

  • Actually, I am not sure the Wassenaar Agreement will be respected at all. I am going to check if I can find some more information on this. I doubt it will be applied, even if signed by different countries, since most European countries realize e-commerce is going to be big -- and they don't want to surrender their financial and communication independence to the US.

    As far as I know, Finland is a member of the European Union (EU), but not of NATO, since it is supposed to be a "neutral" country. Switzerland is not a member of EU or of NATO, since these guys take their neutrality more seriously than anybody else.

    Moving to Switzerland may not be such a good idea for Theo & the OpenBSD project: it's very hard to obtain residency and work permits in Switzerland. On the other hand, if a Swiss computer firm was to hire him, getting the necessary authorization & paperwork in order would be much easier (think Linus Torvalds & Transmeta). In any case, this is nothing more than an empty discussion, since Canada has been very friendly so far.

    In my opinion, most European countries will end up saying "we don't care" to Janet Reno and adopt strong crypto -- unless the US government just drops the whole crypto regulation idea in the dustbin, where it belongs.

    Just my US$ 0.02...
  • I agree wholeheartedly, but there is one major problem. If this were to backfire, there would be a lot of people facing felony charges for participating. While the chances of them actually prosecuting and convicting everyone involved is quite slim, the possibility is still there. I don't know about you, but that's not something I would much enjoy. This isn't exactly the type of civil disobedience that you associate with civil rights movements and such. There are some seriously powerful people who have a vested interest in seeing that the law remains as is - the NSA and FBI being just a couple of them. The fear factor from this alone would be enough to keep people from participating, thereby increasing the chances that those who do participate will be prosecuted. That's how government works anymore - it uses the fear of a felony conviction to keep its subjects^H^H^H^H^H^H^H^Hcitizens in compliance with tyrannical legislation.

    I agree that the government's policy on encryption export is wrong and unconstitutional, and I agree that something seriously needs to be done about it, but what you are proposing is dangerous to anyone who gets involved. I think that we should instead look to forming some sort of grass roots lobbying effort to try and get Congress to repeal these laws (is there such an entity already in existence?). /. has a large enough reader base that we should be able to pool a fair amount of $$ to start something like this - and there are always those businesses who would profit from a repeal of encryption laws. Does anyone think that such a thing would be possible? Or am I just dreaming?
  • Yes, I realize that. But look at what we are fighting for, compared to what they were. We want to be able to export encryption, they were fighting for the most basic human rights. Big difference. Would you be as willing to spend the rest of your life in jail for the right to send crypto overseas as you would for the right to be treated as a human being? I sure wouldn't. Civil disobedience is not the answer to everything. You must look at the risk vs the potential profit. My original post was saying that it isn't worth it in this case, and I still stand by what I said.
  • So....um......if they downloaded it from us, would it be illegal (supposing we had a disclaimer saying that nobody outside the US can download this (kinda like the mp3 disclaimers))?

    Anyway, the problem with paper is that every time something changes, you have to print a whole new book. This could become a little time consuming and resource (monetary) intensive.

    Though I agree that they shouldn't embellish stories, let's face it, there's nothing to gain for a CSS company giving it to people overseas.

    That's my $(2^4*3+1/7%3*2/100)
  • If a program is licensed under the GPL and a distribution with that program on it ships overseas, if a person purchases the distribution but wants the source code to the encryption program, but can't download it because it's hosted in the US, what are the legal ramifications in regard to the GPL?
    Did that make sense? I'll clarify if not.
  • Actually - it was the state of Indiana. When legendary Chicago columnist Mike Royko lampooned them in his column they quietly repealed the law..
  • You're wrong here. It's still against the law. If you have a product and you include crypto - even crypto written by your third-country programmers - and include THEIR code in your app; it's against the law to export it.

    The only way it's illegal would be for you to design your app where the customer can install the crypto routines AFTER they install your app.

    You have to design your app to allow this; it may be less efficient; and the three-letter-agencies (who are behind this gov't policy) are counting on the fact that many if not most of your customers either will be too lazy or ignorant to actually do this.

  • You still don't seem to understand that source code available is NOT equivalent to Open Source. For example, Sun's new source code license allows people to view the source. It is not an Open Source (or Free Software) license, however, as it does not allow redistribution of modifications.

    These restrictions apply equally to Open Source licenses and non-Open Source licenses. All source code is restricted in an identical fashion, regardless of its licensing. Therefore, it is indeed incorrect to say that Open Source software is specifically targeted.

  • Problem: paper copy is only a workaround until the folks that be decide that a book IS a machine-readable form (courtesy of OCR), at which point we're really screwed, yeah? Let's hope they get round to changing the somewhat broken law in the first place, before they realise that much...


    Well, if they ban textual publishing this would render the US as a source of cryptography useless. Not that the government would have the foresight to see this of course.

    There is a workaround even at this point, but it requires a bit of effort. Create a virtual machine. The characteristics of this virtual machine are that it runs an interpreted tokenized format (which probably isn't human readable) but performs no optimizations. Information on subroutine names and so on must be stored in the tokenized version (even if they aren't directly readable by humans).

    The virtual machine doesn't have to run the code efficiently. In fact because of the constraints I've mentioned it wouldn't. But the goal of the virtual machine isn't running cryptographic algorithms anyway. Its job is to enable a program to be transferred 'without source code' across international boundaries. The tokens distributed aren't source code, they're kind of an intermediate machine code, but because of the design of the machine each token can be translated back into a function call or construct such as a for loop or multiplication or a named user defined subroutine.

    This would probably be fairly difficult for the government to legislate away without totally disallowing the export of encryption. I wouldn't want to be in the court that tried to define the distinction between source code, object code and compiled code.
  • If I ssh into a machine that's outside the US and write crypto code, does that count as exporting it? Am I exporting a weapon one character at a time? If not, I guess that is a possible work-around, though one that would probably be pretty annoying for US developers.


    Cheers,
    Perrin.
  • If what the NYT says is true then Open Source software wasn't specifically excluded from the recent relaxed stance on crypto software. No source code may be exported whether it's Open Source or a commercial entity. Please don't embellish stories with information that isn't factual.

    This is splitting hairs in my opinion, because the nature of cryptography demands peer review and the most popular cryptography packages are open-source.

    I suppose one could say that the government has also restricted the export of commercial crypto packages which make their source code available only under NDA for a price. Are there even any companies which are silly enough to offer such a product?

    Apart from that hypothetical, the effect of prohibiting the export of source code is essentially identical to prohibiting the export of open-source software. In essence, the government is turning the GPL or any other open-source license into an anchor which forces the package to remain within U.S. borders. Closed-source software is not so restricted.

    A bigger point is that constraints on the export of source code have been rendered ineffective anyway.

    Quite true!

    Jamie McCarthy

  • Hmm...correct me if I'm wrong, but I thought it was said (maybe a year or so ago) it was LEGAL to export encryption source code in non-electronic form (ie, on paper). Guess that means whenever you download an open source encryption product, to get the source you have to have it printed out and sent to you. Hope you have good OCR software for your scanner!
  • It would be hard to shut down GnuPG with US export controls, as it was made completely outside of the US.
  • It was compiled with debug symbols? (And not stripped.)
    Is that exporting the source code, or the binary?
  • Please tell me... HOW many CDs, DATs, zip cartridges, and floppies get shipped out of the US every day, either as part of a commercial shipment or carried in someone's luggage?

    Crypto source, like any information, doesn't need to be continually exported. It just needs to make it out *once*. After that, there's no need to risk smuggling anything again, when you can make a million electronic copies if you'd like.

    Given the number of highly guarded, classified, ultra-top-secret US government documents that routinely turn up in places like Russia, China, Great Britain, Israel, Iran... I think it's fairly safe to assume that whatever Janet Reno thinks is worth guarding, is already gone.
  • > It's like Congress deciding they want to rewrite the Law of Gravity.

    Why not? They change the time of day with impunity twice a year.


    --
    It's October 6th. Where's W2K? Over the horizon again, eh?
  • Thank you.

    I could have figured this one out myself I guess. I was busy scratching my head trying to figure out why the justice department was advocating a policy which could be so demonstrably easily defeated by anyone, and which merely has had the effect of moving the centers of development of security critical software offshore. In the long term, the inevitable deskilling of US programmers this will lead to can't be in the national interest.

    This policy only makes sense if the administration thinks it has important political symbolism.

    In that case, it may be not so much that they are clueless, but out of touch. I mean, as a political message, "no export of strong encryption" isn't exactly "remember the alamo". "No export of source code for strong encryption algorithms except in printed form" is even more obscure. Anybody who cares at all about this issue has to think the policy is simply stupid.

    I don't buy that this is a plot to advance Microsoft, or to sneak back doors into strong encryption. It is simply too trivially easy to defeat this policy for it to have any kind of effect whatsoever, except to bar US programmers from working on open source cryptography.

    I wonder if this could be challenged on constitutional grounds, on the basis that source code is an expression of ideas (just as it would be in paper form), as opposed to being an apparatus, which a binary product would arguably be.
  • If a program is licensed under the GPL and a distribution with that program on it ships overseas, if a person purchases the distribution but wants the source code to the encryption program, but can't download it because it's hosted in the US

    It's quite simple. According to the GPL, if you can't distribute the source according to the GPL, then you can't distribute the program at all.

    From the GPL [gnu.org] (section 7):
    If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all.


    So, in the case you laid out, if you are allowed by export laws to export crypto binaries (and not source) then, if that binary is covered by the GPL, then the GPL forbids any export distribution.

    In short, under the GPL, if you can't distribute the source and binary, you can't distribute either.

    Anyone care to theorise what would happen if someone ex-USA got a copy of a GPL crypto binary, and asked for the source? If they say yes, they are breaking export laws, if they say no, they are breaching the GPL. Quite a dilemma.
  • Bernstein [slashdot.org] will save us.
    -russ
  • It sounds to me like it will not allow GPL'd strong crypto to be exported at all and still comply with both the GPL and this export restriction.

    This is great for Microsoft. This is terrible for Red Hat. While it doesn't actually add any new restrictions to RH, it allows MS to compete more effectively with RH Linux. Maybe it will also be a boon for offshore distributions such as SuSE and TurboLinux.
  • Problem: paper copy is only a workaround until the folks that be decide that a book IS a machine-readable form (courtesy of OCR), at which point we're really screwed, yeah?
    As the article mentioned, officials are hesitant to go after printed material. Printed documents are a sacred cow (ie: Freedom of the Press). It would be easy to prove any such restrictions unconstitutional.

    Basically, it's an issue of understanding technology. Most people, to include some very bright minds, just can't seem to get a good understanding of what the various forms of technology are. Thus, it's hard to see electronic documents containing source code as free speech. Meanwhile, any fool can understand the printed word must be protected.

    Take email vs. snail mail as an example. Traditional paper note-in-an-envelope mail has a fair amount of legal protection. It didn't have to have it - but early American planners made sure of it. Meanwhile, recent rulings have given email none of the protections that traditional mail has. I think those who work within a technology environment see little difference between the legal privacy of a piece of paper vs. electronic file. It's obviously not so apparent to outsiders.

    So going back to source code... those who are a part of the technology see restriction of source code as a freedom of speech/press issue. However, outsiders may not understand this. It may take some considerable work to connect the two. In a court of law, this doesn't always happen. Thus, officials who want to go after published source code will have an easier time at restricting electronic distribution than dead-tree distributions.

  • This isn't exactly the type of civil disobedience that you associate with civil rights movements and such. There are some seriously powerful people who have a vested interest in seeing that the law remains as is - the NSA and FBI being just a couple of them.
    That's the way civil disobedience works, my friend. The USAmerican civil rights marchers in the 60's weren't out for a lovely day in the fresh air; they were risking beatings, imprisonment, and assassination.

    Civil disobedience means putting your ass on the line against the power of the state. By doing so, you hope to shame the state into behaving better; or, failing that, let it know that there are people willing to put themselves at risk to oppose it - and let them figure out that said opposition may not be restricted to nonviolent means.

  • Several /. posters have raised the issue that printed source code may one day be considered machine readable and therefore illegal to export. This of course stretches the bounds of constitutionality, but is a grey enough area to be held up in a court system populated by the pseudo-socialist ninnies currently running it.

    Should printed (crypto) source code be restricted, I say we up the stakes yet another level; fire up your Mac (or whatever machine/OS gets your jumbly stiff) and have the machine *SPEAK* the source code. Simply record the output and mail a copy to whoever you please or play it over the phone. Although the recording might make for some boring listening, it would be spoken word and therefore any attempts to restrict it would be a very clear-cut violation of the constitution. Should some old decomposing pile of bones masquerading as a congressman raise the point that a machine made the recording, simply enlist a few intrepid souls to read and record the code; what will the gov't do then, decree that spoken word is machine readable and therefore subject to their control? Can you say "Violation of my constitutional rights"? I knew you could!

    With a bit of tweaking, I'm sure one could get ViaVoice to transcribe the recording. Voila! Stupid law circumvented once again!

    I believe that every effort the gov't makes to restrict crypto (and ANY free speech) should be challenged and every loophole exploited. The effect of this is they must address the holes and tighten their grasp on us. Once this happens, the issue will become a pure free speech issue and will be forced to a head.

    "The more you tighten your grip, Tarkin, the more star systems will slip through your fingers".

    --Princess Leia
  • I think it is far too early to give up on getting the government to see the light with regard to crypto, so I agree with you that *right now* it may not be worth the risk.

    However, please do not dismiss the importance of a challenge, even a small one, to free speech. Should free speech fall or simply become ineffective you'll have a *very* tough time organizing demonstrations for *anything*.

    This specific issue, encryption, is very important itself to effective free speech and the right of free assembly. Organized civil disobedience can make use of encryption just as any illegal group like criminals or terrorists can. It's just far less obvious we want to prevent it.
  • This is just getting silly. The US government doesn't want to allow exportation of source code for strong crypto and thinks this is gonna make a damned difference!? Do they honestly think they can prevent the Chinese or the Indians or the drug cartels from developing their own (also raises the "who cares anyway?" questions...)? It's not like the concepts behind this stuff are poorly understood!
    Also it seems kinda rude in terms of foreign policy to declare to someone you're trying to build a trade relationship with that you're not going to give them access to something that would give them privacy; by doing this the US is openly admitting the fact that they're spying on everyone. Now granted we already could've guessed, but for them to stand up and yell it on a street corner is just stoopid.

    -gaffney, who wishes to hell he were old enough to vote.
  • by deno ( 814 ) on Monday October 11, 1999 @04:50AM (#1623948) Homepage
    So, the US government has finally realized that Microsoft, IBM, SUN & co. will be in trouble if they cannot export cryptographic software.
    Now, name at least two well-known US-based companies which will continue to suffer from these restrictions!

    Right! Redhat and Caldera (especially RedHat, since they really want to keep their distribution "free") still have the same problems, because their "products" are open-sourced. Cute.

  • by KodaK ( 5477 ) <`sakodak' `at' `gmail.com'> on Monday October 11, 1999 @06:29AM (#1623949) Homepage
    Ok, I can export binaries, but not "machine readable source code". Simple fix, write your code, wrap it up in an encrypted binary, do a ./lameusgovtextrastep (or whatever) and there ya go... I wouldn't be distributing source, I'd be distributing a binary that generated source.

    It need not be said that this whole thing is incredibly stupid, and I'm ashamed of my government, I mean really -- "We don't trust our people" is essentially what they're saying. It doesn't need to be this way, we (at this point still) have voices and an organized effort would probably be enough to sway some influential congressbots into behaving reasonably. Maybe I ask too much.
  • by tilly ( 7530 ) on Monday October 11, 1999 @05:40AM (#1623950)
    The government's announcement was a way to make it look like they were opening up while really trying to keep things under control. After all what did they say? "Approved code" would be allowed to be exported at any strength. Who does the approval? They do! And what else was in their announcement? Lots of verbiage about how important it is for law enforcement to be able to break encryption.

    Can you say "secret key escrow" just like Clipper?

    I knew you could!

    So, of course, no open source software can possibly meet the guidelines. After all with open software anyone can see the back door and that would never do, would it?

    :-(

    Ben
  • by PigleT ( 28894 ) on Monday October 11, 1999 @05:01AM (#1623951) Homepage
    Problem: paper copy is only a workaround until the folks that be decide that a book IS a machine-readable form (courtesy of OCR), at which point we're really screwed, yeah?
    Let's hope they get round to changing the somewhat broken law in the first place, before they realise that much...
  • by coyote-san ( 38515 ) on Monday October 11, 1999 @07:19AM (#1623952)
    This point keeps coming up, so I'll answer it globally instead of in several responses.

    The current US position is that source code in electronic form is communications between the programmer and the compiler and hence under no Constitutional protection. Source code in printed form, since a computer can't read it, must be communications between two programmers and *is* Constitutionally protected.

    Of course the government knows that OCR software exists and people who are serious about exporting software use special OCR fonts. (As an aside, where can I find those fonts?!) But they know that if they take an OCR-scanning programmer to court they may lose not only that case, but the larger issue of paper vs. disk vs. net distribution. The appeals courts in the Bernstein case make this seem likely.

    As for motivations, I think a lot of the policy makers are driven by old-time military security policies and don't understand that they don't apply here. Leaking *any* information about most military hardware allows the enemy to work on ways to disrupt yours and improve their own, but mathematics and basic physical properties are things that can be done by anyone with the motivation and time. With them, all we can do is continuously remind them that *all* public source cryptology can be understood by a motivated college maths major, and even some HS students.

    At the same time, I'm sure that "industry" lobbyists are talking to their old colleagues and pointing out that the exposure is limited when a company exports its binary packages. Have you ever tried to disassemble a megabyte-sized "hello, world" windows program? The fact that this makes it easier for MS to export its Kerberos-enhanced W2K, but I can't export my Kerberos-enhanced Debian packages, isn't mentioned. Besides, MS has 90% of the market, and my distribution has 0%. (Because of the export laws, it's an on-again/off-again project and still in early beta.)

    As a final comment, I know I could distribute my packages as source code, but that's completely unmanageable. The Kerberos source tarball is around 5 MB, and while many of the other packages (e.g., lprng, postgres, coda, cvs) can be rebuilt with a one-line change in the 'debian/rules' file you need a fully loaded development platform to recompile everything. Few people would use a distribution where you have to scan in a book (literally), then spend two days compiling everything.
  • by jjo ( 62046 ) on Monday October 11, 1999 @05:29AM (#1623953) Homepage
    Maybe, if we live so long. The appeals court seems to be in no hurry.

    The re-hearing before the Ninth Circuit Court of Appeals has been scheduled for Dec. 16, 1999. The first time the 9th Circuit heard the case was in December of 1997, and they took a year and a half, until May 1999 to decide. Based on this we can "extrapolate" (using Arthur C. Clarke's term) the following timeline:

    12/1997: 9th Circuit appeal hearing
    5/1999: 9th Circuit decides
    12/1999: 9th Circuit en banc re-hearing
    5/2001: 9th Circuit decides again
    10/2001: Supreme Court takes case
    5/2002: Supreme Court decides case (they take pride in making prompt decisions)

    Of course, the 9th Circuit may be faster or slower this time around, and the Supreme Court may not take the case, but this is as good a guess as any. The real problem is that no one knows what legal tricks (new regulations, new legislation) the government may pull to delay this even longer. It's already taken most of this decade.

    What will the closed-source vendors do if you spot them a 2.5-year head start from now?

  • by cdlu ( 65838 ) on Monday October 11, 1999 @05:05AM (#1623954) Homepage
    No, in the Commonwealth, we are a Commonwealth of the US. Civil disobedience is the best way to get this law overturned I would say. Have everyone on /. and a few other places export a single line of code with the number of the line in the subject header to be rebuilt by a script outside the country. Or just have everyone here export the code with a cc to president@whitehouse.gov. There is already a website somewhere (it's several years old) that allows you to do that... http://online.offshore.com.ai/arms-trafficker/ [offshore.com.ai].

    Or anyone who's out there in the development of such software should simply leave the US and develop outside. I don't think anything would scare the US government more than a brain drain.
  • by Stonehand ( 71085 ) on Monday October 11, 1999 @05:55AM (#1623955) Homepage
    Things like Perl and Tcl, for instance. If someone were to make a "shrink-wrapped" software package featuring strong cryptography via Perl, what would the department's policy be?
  • by morzeke ( 100541 ) on Monday October 11, 1999 @05:11AM (#1623956) Homepage

    Washington is simply under public pressure to do something about exporting national secrets (as if any open source code could be considered a national secret) considering recent debacles related to Chinese espionage and the subsequent attempted coverup.

    They're just flailing out at a segment of the software industry that can't defend itself, collecting the brownie points back home, and forgetting about it by morning.

  • by Anonymous Coward on Monday October 11, 1999 @05:11AM (#1623957)
    Rather than bitching and complaining about this obvious lame/idiotic law why don't we do something about it? Organize something. Have a civil disobedience day where we upload whatever piece of encryption software we damned well want to foreign servers. Set a date, hype it up like Microsoft hypes up NT, and then execute. It's important that we do this. Courts do recognize mass civil disobedience.
  • by evilpenguin ( 18720 ) on Monday October 11, 1999 @09:23AM (#1623958)
    While I do think civil disobedience is a fine and noble thing, and I wouldn't oppose this idea, have any of you tried writing your congresspersons and senators a letter? A letter writing campaign will have much more effect than an act of civil disobedience. A friend of mine once worked in a congressman's office. I asked him how many letters they had to get on a subject before it would actually be brought to the congressman's direct attention. He said four. Four!!! (Note that there are exceptions, like gun control and abortion which generate mail like crazy, but on some garden variety issue, not on the "radar", it takes four letters).

    I'm sure this varies from issue to issue and from congressperson to congressperson, but I still urge you (and everyone else who cares about this) to write an original letter and put it on paper, sign it, and send it to each member of your delegation.

    It *does* have an effect.

    The "special interests" control the process in no small part because we don't exercise our freedoms. Want freedom of speech? Say so!

    See http://www.senate.gov/senators/index.cfm for a list of senators, follow through to their mailing addresses. [senate.gov]

    See http://www.house.gov/zip/ZIP2Rep.html [house.gov] to find out who your House member is. Follow through to their web pages which should offer an address.

    Use your rights and let freedom ring (okay, I know I'm sounding hokey, go rent Mr. Smith Goes to Washington and get all hokey too!)
  • by Hollins ( 83264 ) on Monday October 11, 1999 @05:17AM (#1623959) Homepage
    It never ceases to amaze me that my government has essentially decided it can regulate math. I cannot specify a sequence of simple mathematical operations and send that sequence to anyone I choose.

    It's like Congress deciding they want to rewrite the Law of Gravity.
  • by emmons ( 94632 ) on Monday October 11, 1999 @05:13AM (#1623960) Homepage
    This really only goes to prove how clueless our leaders appear to be about technology.

    "This happens to suit U.S. government intelligence and law-enforcement agencies, which worry that access to the source code for encryption and security software would enable terrorists, drug dealers and other criminals to devise secure communications networks that agents would not be able to monitor."

    This shows the apparent stupidity and lack of competence in our government agencies. Outlawing crypto doesn't keep it out of the hands of those who want it for covering illegal deeds. If you've got the resources to be running an organized illegal operation like is mentioned here, getting your hands on software that will encrypt your communications will not be difficult no matter how illegal it may be.

    "The problem is that by the government's definitions, OpenBSD is foreign software"

    How, exactly, is this a problem? It is a problem for the US government because they can't stop strong encryption from being made in other countries?

    "The administration, for example, has so far declined to regulate the international movement of source code if it is printed on paper, presumably out of concern that such regulation would violate the First Amendment."

    So does this mean that if we only write the code for strong encryption and print it out on paper then we can export it? Since when is there a distinction of free speech on paper and free speech in .txt files? Is this the same government that insists we must save the trees??

    Is this really a brain dead government honestly trying to keep something from the hands of dangerous criminals? Or does it look more like a government that is trying to make it difficult for companies to develop products for the everyday consumer and more importantly, "petty criminals"?

  • The US government is not stupid. They know very well that the strong crypto algorithms are well known all over the world and free crypto software is widely used and can be downloaded from many non-US servers (and can also be produced by every CS major in a month).

    So why do they insist on export controls? It's plain: to slow down crypto proliferation inside the US. The major email programs still don't include seamless crypto integration.

    The most revealing bit of the puzzle is that source code is not exportable if it only contains hooks to allow easy plugging in of foreign developed crypto code. No US developed free software currently contains hooks like that, since it is impossible to prevent free software from being exported. It's not about stopping the flow of crypto algorithms to foreigners, it's also not about terrorists and organized crime (they can easily invest a bit of work and put the hooks in themselves): it's all about preventing widespread adoption of strong crypto for everyday communications in the US.

    The government currently listens in on telephone conversations and email, and they would like to continue in the future.


  • by Effugas ( 2378 ) on Monday October 11, 1999 @05:23AM (#1623962) Homepage
    There seems to be some misunderstanding as to the purpose behind the recent administration decision to reduce barriers to the export of encryption software.

    While government is ostensibly concerned with the rights of citizens, its primary goal is self-preservation. (Do you want to lose your job? Neither do they.) The furor over encryption technologies was threatening to move voting blocs and critical endorsements; very well endowed companies and individuals were losing money due to certain governmental policies.

    Something had to be done.

    Meanwhile, those same guys who cruise Silicon Valley harassing company after company, working tirelessly to put an ear in every wall, are skillfully scaremongering those same politicians with the kind of information you just don't get from a Freedom of Information Act request. These guys inspire terror in more than a few silicon valley techies; you don't think they know how to play the fear game with a few PR-conscious congresspeople and secretaries?

    Something had to be done for them too.

    So, the general concept was this: Remove the heavy artillery from the open-encryption campaign by placating the highly-funded (and thus dangerous in the PR department) companies seeking to make millions off of encryption sales. Do this by offering a slightly increased acceptable keylength, as well as a "one stop shop" for an intelligence community OK to speed acceptance.

    Meanwhile, do absolutely nothing for open source code, and in fact have Janet Reno talking with Germany about ways of suppressing critical infrastructure tools such as ssh and SSLeay. (No need to worry, there are many businesses that would be happy to sell you a closed source product that's only been peer reviewed by the intelligence community.)

    Everybody's happy, no? Oh, yeah. The public. Those are the guys who a) finance the system and b) think the system is taking care of their finances.

    I'm not so sure.

    The real problem that the government's continual threat-making is exacerbating is that tremendous quantities of very private information are travelling in virtual plaintext. Go find out how many large companies make the rather ridiculous assumption that "Phone Company = Private Connection". There's no small amount of irony in the fact that a Virtual Private Network is in fact significantly more secure than Telco-Mediated Point to Point links. VPN design specs accept the fact that they're traveling over insecure lines. Legacy Private Networks presume that there's nobody able to listen in. This is a rather ridiculous assumption, particularly with the recent actions of the US Government against alternative phone service providers who were failing to provide wiretap/geoposition trace capabilities.

    Is there a Telco engineer around who hasn't accidentally (or intentionally) listened in on a circuit to "make sure it's working"? Have we not been paying attention to the recent exposures regarding the Echelon system?

    It is simply undeniable that Telco links, be they voice or Frame Relay, are insecure. The arguably misnamed "Virtual Private Network" is far less virtual than its predecessors, and the government knows it.

    Then again, if the public is having its data tossed around in a forced-sniffable form, so too with the company's data which is being tossed around right alongside it. Maybe Corporate Rights are being trampled on after all.

    Comments?

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

  • by substrate ( 2628 ) on Monday October 11, 1999 @04:49AM (#1623963)
    It's always hard to determine the official verbiage from mainstream media, reporters often get things wrong. I'll give The New York Times the benefit of the doubt though.

    If what the NYT says is true then Open Source software wasn't specifically excluded from the recent relaxed stance on crypto software. No source code may be exported whether it's Open Source or a commercial entity. Please don't embellish stories with information that isn't factual.

    A bigger point is that constraints on the export of source code have been rendered ineffective anyway. I can still publish a book (such as Bruce Schneier's Applied Cryptography) that contains source code though technically I can't publish it in a machine readable format. Just about anybody can get access to a decent OCR program however (is there one available for Linux incidentally?) and can scan in the source code and generate a machine copy.

    A paper book isn't the most efficient way of publishing source code but it is a workaround. If uploading the source to Blowfish to a server in Jakarta, Indonesia is illegal then it is possible for a person located there to purchase the book, OCR it and set up an overseas mirror there.
  • by Noryungi ( 70322 ) on Monday October 11, 1999 @05:09AM (#1623964) Homepage Journal
    A couple of points...

    1. (minor gripe) How come that OpenBSD is not mentioned in Slashdot's original mention of the article? (end minor gripe). Please note: That's a *minor* gripe, people!

    2. I thought the US Navy was using WinNT exclusively? =)

    Thus, the Navy's project is built with Italian enhancements to a Canadian product that was born in a U.S. university. What is more, it is likely that the software contains pieces of code contributed by programmers in Finland, Germany, Eastern Europe, Russia, Australia, India, Mexico and other countries.

    Open Source Rules OK! Go BSD GO!!! =) This being said, isn't it sad^H^H^Hgood that, because of brain-damaged US policies, good programmers can now work in peace in Canada?

    3. If Canada starts behaving as stupidly as the American administration does, Theo de Raadt will have to move to Finland or Sweden. Same weather, same relaxed crypto policies, same Internet access. Just a big waste of time. I'll be the first to send some $$$$ his way to make his moving easier...

    4. You will have to pry my OpenBSD CDs from my cold finger, Janet Reno! (see below) =)

    If the attorney general succeeds in persuading the Europeans and Canadians to shut off the flow of open-source security software, he said, "I think it would be a tragedy."

    It's not going to be a tragedy, just a complete waste of time -- most Europeans are *fed up* with minor inconveniences such as NSA's Echelon and NSI's policies. They are not going to go back to the "old ways" of doing things. The US administration is behaving in such a heavy-handed manner, there is no way most European governments are going to clamp down on crypto. Even *France* authorized heavy crypto recently for crying out loud! That was a country that used to be lumped with China and Iran as far as crypto used to be concerned!

    5. Dear Janet: please *get* *a* *clue*. The cat is out of the bag, and there is no way you'll ever, *ever* get it back in...

    But in case Reno has her way, the software industry is developing end runs. The administration, for example, has so far declined to regulate the international movement of source code if it is printed on paper, presumably out of concern that such regulation would violate the First Amendment. Thus, several companies are already shipping printouts of their code to Europe where it is scanned into computers.

    So: I can't get the source, but I can get the book, right? How stupid can you get?

    When asked about the policy's impact on the development of Linux, FreeBSD, and other open-source projects that serve the government's own needs, Reinsch, the commerce undersecretary, said: "It's an important question which we need to study a lot more. We don't have all of the answers."

    You probably mean you don't have *any* answer. The crypto part of Linux, *BSD, etc... will simply be programmed out of the US, as they have been for a long time. US crypto policy, just like the walls of Jericho, is built on sand. And it's just as useless.

    If only those people could leave people like Theo alone and free to code... *Sheesh*

"When the going gets tough, the tough get empirical." -- Jon Carroll
