
Still Can't Export Open-Source Crypto

jamie posted more than 14 years ago | from the what-the-hell-is-going-on dept.

Encryption 139

The New York Times today reports that the Easing on Software Exports Has Limits. (Free reg. required.) Turns out the administration's recent change of heart on crypto specifically excludes open-source software. "When it comes to source code ... 'nothing has changed.'"


-sigh- (0)

Anonymous Coward | more than 14 years ago | (#1623827)

So, once again, the government sides with profit and screws the little guy. Who's surprised? Anyone?

I agree with an earlier poster; we should have 'Upload Strong Encryption Source Day'. THAT might get some attention. The bastards.

print out the source code and export (0)

Anonymous Coward | more than 14 years ago | (#1623828)

and then scan the paper and presto

Re:So what? (0)

Anonymous Coward | more than 14 years ago | (#1623829)

For starters, it's illegal for a US-based Linux distribution, for instance, to include ssh without a license. And licenses are not cheap.

source code allowed will change (0)

Anonymous Coward | more than 14 years ago | (#1623830)

I predict that this will be short lived. Eventually the rules will change and you won't be allowed to export without the source code. This will represent a change, based on enhanced security, and people will complain about it too. For now, just make money doing what come naturally.

What, like... (0)

Anonymous Coward | more than 14 years ago | (#1623832)

You mean, like having a day where we all download GPG from Finland en masse and post it via anonymously redirected news servers around the world?

That would be cool...

Re:Why (0)

Anonymous Coward | more than 14 years ago | (#1623835)

What's the Constitution? Didn't that disappear years ago.

Plans of action... (0)

Anonymous Coward | more than 14 years ago | (#1623838)

It's not very productive to talk about the injustices of crypto export laws. While they're a pain in the ass, they're going to be around for a little while longer, at least.

One of the proposals here on Slashdot was to organize a civil disobedience day-- a day in which geeks would FTP GPG, PGP, and other export-controlled stuff, and re-export it. Sounds like a real way to say, "Fuck you!" to congress, but not very useful.

Another *very* interesting idea was to create a Virtual Machine such that any binaries for the machine can be easily, readily, and quickly converted back into a source code format. A nice idea, but what about comments? Would *those* be part of the executable? A quick check shows that GnuPG is a megabyte in size when tarred and gzipped. That translates to one *big* program when you get through with it all.

Lobbying seems to have done well enough. Now, instead of Clinton's clueless crypto policy, we have Clinton's bullshit crypto policy (why can't you create a *reasonable* policy, Mr. President?). Besides, not enough senators (with a few exceptions) even *care* about the crypto policy issue to make a difference. So lobbying is getting there, inch by inch, but we need to speed it up.

So what are we supposed to do about it, folks? I'm not a person for sitting around my thumb up my ass. And I really think this issue is something that we need to stand up for.

My proposal? Raise some fuckin' awareness. Tell people that their constitutional rights are being infringed (at least, according to the 9th Circuit Court). Get more people registered as international arms smugglers. Hold demonstrations in your town square, if you want. But let people know.

Just my $0.02

RedHat's money will help... (0)

Anonymous Coward | more than 14 years ago | (#1623842)

To be specific, they now have the resources to bribe US senators and congressmen. This is how legislation in the US gets written... sad but true.

The free America (0)

tao (10867) | more than 14 years ago | (#1623849)

The land of the free. Definitely.

Re:Another complete waste of time (1)

Anonymous Coward | more than 14 years ago | (#1623850)

I hope Theo doesn't move to Sweden. We got the same restrictive crypto regulations as the US have.

Re:Use SuSE instead... (1)

deno (814) | more than 14 years ago | (#1623852)

>Ok: this make SuSE happy, isn't it?

Sure. But it does not make me happier - I still think their Yast licence is a BadThing(TM).

>And for instance makes happier Software companies
> in Europe: the crypto laws of USA were a godsend

No, it does not. Closed-source is OK now, so European companies lose anyway. Except maybe for SuSE and similar.

>But anyway I downloaded ssh from a server in >Finland, and I'll continue to download from it.

Sure, I download it too, but I would prefer to have better integration with "strong cryptography" in the "core" package.


deno (814) | more than 14 years ago | (#1623853)

But, as far as I know, US companies aren't even allowed to make interfaces to strong-cryptography programs. I suppose that is the main reason why pine support for PGP is so crappy. If the US government wants to be really "anal" about the crypto law, RH is going to have a lot of difficulties.

Re:A few points (1)

substrate (2628) | more than 14 years ago | (#1623854)

I haven't programmed in JAVA in ages (and I only did it once to say I did it) so I don't remember the various file handles, so forgive me if I get this wrong (but point it out).

JAVA is almost it, but I don't think there's exactly a 1 to 1 correspondence between each line of source code and each line in the object file. An old BASIC like on the Commodore 64 is a lot closer. The programs ran exactly as you input them, the interpreter didn't try to exploit any techniques for efficiency.

If JAVA fits the bill then we're already there. If the .class files are the actual source code and some other extension contains the object code and strips out all identifiers and optimizes code then JAVA isn't it.

Link? (1)

pudge (3605) | more than 14 years ago | (#1623855)

Does someone have a link to the text of this "policy"?

Politicians (1)

Perrin-GoldenEyes (4296) | more than 14 years ago | (#1623858)

I wonder if there's any chance that all the politicians in the United States will all simultaneously self-Darwinate.

"We practice selective annihilation of mayors
and government officials
for example to create a vacuum
Then we fill that vacuum"

Once all the politicians were gone, then maybe we could replace them with people who actually have clues...?


Legacy private networks safe? (1)

pp (4753) | more than 14 years ago | (#1623859)

I heard an interesting story about 6 months ago in a seminar from a security researcher about an unnamed international company wanting to connect their UK network to the one somewhere in the Middle East. Being security conscious people they encrypted the connection (no idea if it was some 40-bit mickey mouse crypto from some American company or something decent). Everything worked just nicely. However, after a month they got a call from someone claiming to represent the French government asking them to stop encrypting their VPN. The next thing they did was to ask their telco to reroute the connection so it didn't go anywhere near France ;)

Re:outlawing math (1)

alumshubby (5517) | more than 14 years ago | (#1623860)

What the hell...if the state legislature in Tennessee can decide to make pi = 22/7 by just saying so, what's to stop Congresscritters?

Re:Why (1)

alumshubby (5517) | more than 14 years ago | (#1623861)

I'm a Yank and my clueless government irritates me no end -- around here, only the relatively wealthy and vacuous can withstand the death march of running for election. It's why I've given up on our two-party system and voted Libertarian the last decade or so.

More to the point, what happens if somebody abroad creates really bitchin' encryption and posts the source code on a non-US site? Does this provide a workaround to the idiotic munitions-export rule? If so, maybe somebody needs to tutor somebody via pseudocode.

Re:Can't get to link (1)

larien (5608) | more than 14 years ago | (#1623862)

From the site:
We're sorry, but we are temporarily experiencing a server error.
A ton of irate Slashdotters are coming to see just how dumb-assed our government is WRT encryption.


Re:Something new (1)

ralphclark (11346) | more than 14 years ago | (#1623863)

There's no real problem for Red Hat. i.e, the Red Hat Europe subsidiary is incorporated outside of the US and they can provide the source code (and binary) rpms on their own servers. The parent US company can provide a URL on their own website without any problems - as long as the code was all developed outside of and remains stored outside of US national borders, they can still make it available to all their customers in the usual manner without actually exporting anything.

*This depends upon the notion that it doesn't count as an "export" when John Smith in the UK can download a file from an ftp server in Europe by clicking on a link provided by a US web server.

Consciousness is not what it thinks it is
Thought exists only as an abstraction

Re:A few points (1)

crumley (12964) | more than 14 years ago | (#1623867)

Anyway, the problem with paper is that every time something changes, you have to print a whole new book. This could become a little time consuming and resource (monetary) intensive.

Well, you could always use paper copies of diffs. Still annoying, but it would work.

Re:Would this comply with the GPL? (1)

theJeff (13638) | more than 14 years ago | (#1623871)

What about distributing the binaries as usual, but including a pointer to a non-US site where the source could be downloaded legally. Would this fulfill the GPL's provision of a written offer to provide the source on request?
This site can either get the source directly if development is not US, or through printed copies if necessary.
I'm not sure what the legal status of a US company maintaining a non-US site for the distribution of crypto would be. I suspect that isn't allowed. But could funding be given to a third party?
I'm also not sure what the GPL allows for third-party source distribution. Does the binary distributor have to be the one actually handling the source distribution, or is it sufficient for the source to be freely available?

Re:Clueless (1)

HiThere (15173) | more than 14 years ago | (#1623872)

Your assumption of the government's cluelessness is based on an acceptance that the motive behind their action is the one that they have informed you of.

In actuality, the government is a collection of individuals, and all of them are grinding their own axe. This results in an apparent collective goal of the government that doesn't match the stated goals. (Only some of the folk in government have those goals.)

There is no central control, but there are many attempting to be the central controller, or at least to act as if they were one within an area. This is the inevitable result of allowing the executive arm to use delegated agents. Eventually, unless other matters intervene, one of these groups will destabilize the government, and then we'll need to build a new one. Pray, pray hard, that it doesn't happen soon.

Re:Something new (1)

HiThere (15173) | more than 14 years ago | (#1623873)

That's no problem. Just keep the code in Europe. Have the UK site be the main site for the UK users. Have the UK link point directly to the European code-home. All security related work is done outside the US. Folk in the US can download the code and only bug-reports flow the other direction.

Huh... (1)

Teferi (16171) | more than 14 years ago | (#1623874)

Do I smell a conspiracy afoot? :P

No source = No programs (1)

mind21_98 (18647) | more than 14 years ago | (#1623875)

Could it be that the US government is still attached to closed-source software and this may be an attempt to shut down GnuPG or open-source crypto in general? Perhaps not, but if you don't have the source code you cannot release software because you can't compile it without the code, even if it's being released to the public.

Can't get to link (1)

GC (19160) | more than 14 years ago | (#1623876)

Is that a bad hyperlink or has the server been slashdotted?

Re:Why (1)

GC (19160) | more than 14 years ago | (#1623877)

Yeah, I know what you mean. Here in the UK I sometimes get the feeling that we're a province of the US...

Re:Question: (1)

minority (23819) | more than 14 years ago | (#1623878)

Even if your method works, a lot of people outside the US can write code; countries like India can provide similar quality at lower cost, so they don't need US developers to ssh into a foreign machine.

Re:True goal: prevent crypto proliferation in the (1)

minority (23819) | more than 14 years ago | (#1623879)

The US government is not stupid. They know very well that the strong crypto algorithms are well known all over the world and free crypto software is widely used and can be downloaded from many non-US servers (and can also be produced by every CS major in a month).

So why do they insist on export controls? It's plain: to slow down crypto proliferation inside the US. The major email programs still don't include seamless crypto integration.

Even for non-open-source software, I found that certain of them with so-called strong crypto can be downloaded from countries like China and Russia.

The current policy of the US government affects mostly large-scale companies like MS. So they want to strike a balance, by giving a new hand to open-source.

Re:A few points (1)

PigleT (28894) | more than 14 years ago | (#1623881)

This isn't all that different to ordinary java .class files, is it?
I mean, that's an intermediary tokenised format, you don't have to use a JIT compiler on it... and you can mangle the symbol names (maybe not removing the idea of symbol names entirely, but as good as)...

If there's one thing it *would* achieve, it'd possibly help introducing the government to the concept of "brain" - they really need to stop talking bureaucratic crap and to produce laws that actually talk about the technology in the correct terminology, for starters. Half the problem at the moment is that legalese is not slashdot-speak, I think.

Re:A few points (1)

PigleT (28894) | more than 14 years ago | (#1623882)

I've not hacked java particularly, but from such as I know...:
The object file doesn't have 'lines'... it's tokenised, binary.

It's a two-stage thing: you write in java, which obviously looks similar to C++ source, to the not-well-trained eye. At least it's plain text at this stage.
Then you compile it into some messy looking .class format. This contains all the same symbol names as the real source, but the whole file is complete garbage to even attempt to understand.
The machine (JVM) itself reads this binary stuff and interprets it - binary encoding of token by binary encoding of token. So there's a fairly simple mapping between the instructions you gave and the things the interpreter phase of it does.

So .java is source to us, .class we regard as object. From the JVM's PoV, .class is source, actions are the results.

Is that good enough? :)

Re:Source code? (1)

PigleT (28894) | more than 14 years ago | (#1623883)

Really interesting idea: what about shipping it out as java .class files? They're not hard to convert back into .java source, for starters :)

Actually there are differences. Unless you have a linker's .map file, you can't really convert back into logical variable / symbol names. There's at least one thing out there that mangles java class & variable names, too, so you can generate .class files that work and decompile with, eg Mocha, but aren't really legible.

Maybe it comes from the other end: if someone's written it, then it *is* source code. The choice of language doesn't really define source or not? :)

Re:Clueless (1)

Uart (29577) | more than 14 years ago | (#1623885)

If you export via email, it's personal correspondence; if you post it to your web site, it's an export.

Re:Would this comply with the GPL? (1)

starman97 (29863) | more than 14 years ago | (#1623886)

The GPL allows for distribution of the source in printed media, does it not?
So what's the problem?
Customer downloads binaries, desires source, contacts distributor and purchases printed copy of source. No problem... GPL allows for charging media and distribution costs.

Re:A few points (1)

ryanr (30917) | more than 14 years ago | (#1623887)

Books have their own sacredness in the eyes of the American people. You can't get away with banning/burning/etc.. books in America as a whole (though, yes, you will occasionally see local incidents.) This is the only reason crypto books are given special consideration.

I don't believe the govt will go after books any time soon. They are already running scared on the crypto issue, because they can see the defeat of restrictions entirely.

I don't think we'll ever see any attempt at controlling export of books.

Unless, of course, it's child porn. :) I don't think the govt can make a case that crypto code is child porn.

Re:A few points (1)

Calmacil (31127) | more than 14 years ago | (#1623888)

So, what we could do is add a really crappy router (well not really a router, just a machine that you send crypto source to and it puts it through, maybe on a web page or FTP server) at the border between us and Canada or us and Mexico. Instead of doing the standard data-through-wires thing, it would actually print out a copy of the data, which would actually be fed over the border, then OCR'd on the other side. Problem solved.

Re:Well... (1)

Flower (31351) | more than 14 years ago | (#1623889)

Can somebody moderate this one up please. It's actually a useful idea.

Re:Would this comply with the GPL? (1)

NovaX (37364) | more than 14 years ago | (#1623892)

While this is true, others have realized this and are working where it counts. Where does it count? One important area is SSH. Due to the US's restrictions, RH and others can't have sites that contain the package, since international users could download it. However, Debian, Suse, and others can as they are not US-based. Thus, you don't find SSH (perhaps though SSH2) with the distribution of US based Linux vendors.

A few weeks ago when OpenBSD announced its method of solving this problem, as best they could, some users on my LUG began talking about (if I understood correctly) emulating OpenBSD's approach (except non-US citizens must do it). Thank Daily Daemon News for covering that tidbit.

Re:Clueless (1)

Chandon Seldon (43083) | more than 14 years ago | (#1623894)

I believe that there was a case that specifically decided that electronic communications over the 'net were just as protected by the first amendment as dead tree communications.

Therefore, I would think, renaming your .c source files to .txt is just as legal as printing it out and mailing it.

Re:Source code? (1)

Chandon Seldon (43083) | more than 14 years ago | (#1623895)

Then would "compiling perl to C" and distributing that be allowed?

Re:Would this comply with the GPL? (1)

nijhof (44330) | more than 14 years ago | (#1623896)

Perhaps Red Hat could "import" their crypto from Red Hat Europe :-)

Jeroen Nijhof

Dumbness (1)

Hard_Code (49548) | more than 14 years ago | (#1623897)

Really, this is getting thought-police-like. Really, source code is just an imprint of an idea. Can't one just print out the source and send it out? If you actually CAN do that (and I can't see why you shouldn't), then this is just really bogus. WAKE UP government, the cat is already out of the bag...everybody has encryption, you're just making it a pain in the butt.

Who cares ? (1)

Betcour (50623) | more than 14 years ago | (#1623898)

GnuPG is available. Everybody, anywhere, has access to crypto algorithms and source code. Do they believe only high security US people know how to code an RSA encoder/decoder? In my (French) engineering school crypto and RSA are part of the curriculum, and coding them is part of the projects given to students. Heck, even if you are too lazy to code it yourself and need a sourcecode that is in the US, just click and 3s later you've got the source code on your drive.

Like the US had some kind of monopoly on crypto research... this is not sad, this is ridiculous and stupid. But that keeps US crypto industries off our markets :-)

Re:Question... (1)

Betcour (50623) | more than 14 years ago | (#1623899)

Would cards with holes be legal? Then it could be useful to save those card readers on those old big COBOL-programmed mainframes ;)

Re:Why (1)

QuoteMstr (55051) | more than 14 years ago | (#1623900)

This has already been done. See GPG.

Re:Why (1)

Pyramid (57001) | more than 14 years ago | (#1623901)

>Yeah, I know what you mean. Here in the UK I sometimes get the feeling that we're a province of the >US...

You should be so lucky; if you were a province of the United States, you'd have enumerated (constitutional) rights. As it is, you don't.

not so simple (1)

DrNO (61310) | more than 14 years ago | (#1623902)

I might argue that the creation of a novel cryptosystem is in fact a rather difficult task. Alternatives to the one time pad have been proposed for centuries - many of which were "unbreakable", but turn out to be surprisingly easy to subvert. You might consider reading something on the subject of cryptanalysis before you assert that good cryptosystems are easily understood.

Ironic (1)

CormacJ (64984) | more than 14 years ago | (#1623904)

It's ironic that software can't ship strong crypto *out* of the US, but if it's developed outside of the US it can be shipped *in*.

There are several projects that have developed strong crypto without contravening the US laws (to the extent that Opera has 128bit encryption).

There is an Australian project that reproduced the strong crypto without reference to the US and that, I believe, was open source.

What makes things really bad though, is that the US developers are scared off from using this in case they are sued for selling strong crypto.

Mozilla took this decision for a number of reasons, even though they knew there was a 128bit engine that was non-US based.

This sort of thing will hinder the US development projects.

Re:Question: (1)

e. boaz (67350) | more than 14 years ago | (#1623905)

That is still illegal according to the laws/regulations of the US Government. There was an Ask Slashdot that covered this a while back: Using SSH on non-US sites for Crypto Development.

You haven't looked (1)

SLOfuse (68448) | more than 14 years ago | (#1623906)

Haven't looked at many .src.rpm's on US Red Hat mirrors lately, have you?

Re:Another complete waste of time (1)

Noryungi (70322) | more than 14 years ago | (#1623907)

Really? Sweden has the same crypto policy as the US?

That sounds surprising -- I thought most scandinavian countries were pretty liberal when it came to personal data privacy and crypto.

Care to elaborate?

Re:Well... (1)

InSaNe ASyLuM (70500) | more than 14 years ago | (#1623909)

I agree wholeheartedly, but there is one major problem. If this were to backfire, there would be a lot of people facing felony charges for participating. While the chances of them actually prosecuting and convicting everyone involved is quite slim, the possibility is still there. I don't know about you, but that's not something I would much enjoy. This isn't exactly the type of civil disobedience that you associate with civil rights movements and such. There are some seriously powerful people who have a vested interest in seeing that the law remains as is - the NSA and FBI being just a couple of them. The fear factor from this alone would be enough to keep people from participating, thereby increasing the chances that those who do participate will be prosecuted. That's how government works anymore - it uses the fear of a felony conviction to keep its subjects^H^H^H^H^H^H^H^Hcitizens in compliance with tyrannical legislation.

I agree that the government's policy on encryption export is wrong and unconstitutional, and I agree that something seriously needs to be done about it, but what you are proposing is dangerous to anyone who gets involved. I think that we should instead look to forming some sort of grass roots lobbying effort to try and get Congress to repeal these laws (is there such an entity already in existence?). /. has a large enough reader base that we should be able to pool a fair amount of $$ to start something like this - and there are always those businesses who would profit from a repeal of encryption laws. Does anyone think that such a thing would be possible? Or am I just dreaming?

Re:A few points (1)

JM_the_Great (70802) | more than 14 years ago | (#1623911)

...they downloaded it from us, would it be illegal (supposing we had a disclaimer saying that nobody outside the US can download this (kinda like the mp3 disclaimers))?

Anyway, the problem with paper is that every time something changes, you have to print a whole new book. This could become a little time consuming and resource (monetary) intensive.

Though I agree that they shouldn't embellish stories, let's face it, there's nothing to gain for a CSS company giving it to people overseas.

That's my $(2^4*3+1/7%3*2/100)

Would this comply with the GPL? (1)

scumdamn (82357) | more than 14 years ago | (#1623912)

If a program is licensed under the GPL and a distribution with that program on it ships overseas, if a person purchases the distribution but wants the source code to the encryption program, but can't download it because it's hosted in the US, what are the legal ramifications in regard to the GPL?
Did that make sense? I'll clarify if not.

Re:outlawing math (1)

Fuzzbone (82515) | more than 14 years ago | (#1623913)

Actually - it was the state of Indiana. When legendary Chicago columnist Mike Royko lampooned them in his column they quietly repealed the law..

Re:So what? (1)

Fuzzbone (82515) | more than 14 years ago | (#1623914)

You're wrong here. It's still against the law. If you have a product and you include crypto - even crypto written by your third-country programmers - and include THEIR code in your app; it's against the law to export it.

The only way it's illegal would be for you to design your app where the customer can install the crypto routines AFTER they install your app.

You have to design your app to allow this; it may be less efficient; and the three-letter-agencies (who are behind this gov't policy) are counting on the fact that many if not most of your customers either will be too lazy or ignorant to actually do this.

why not vote with your feet? (1)

zerone (83179) | more than 14 years ago | (#1623915)

My plan exactly. Walk. The US is trying to protect its monopoly on a.) the dollar supreme and b.) a hairball tax code, revenue stream. Are less violent trading routes imaginable?

Bit trading brains-r-us are close to implementing alternative mediums of exchange (see saxas), other possibilities for paying the piper (see taxes) and disciplines that might increase the velocity and value (and reduce the ecological cost) of "money".

Encryption is how currency "borders" are enforced on the Net, thus cryptography is the only way any trading system can protect its turf. Personally, I'd like to see 7 or 8 billion traders exercise that right, using an abundance of free space quantum cryptography :)

Re:Would this comply with the GPL? (1)

Rares Marian (83629) | more than 14 years ago | (#1623916)

RedHat will have its own shop in the European Socialist Utopia soon as well as nonWaassenar(sp!) countries. What's to stop them from developing crypto code work from there then importing it.

On the other hand maybe cancelling geography classes for a few generations might help here.

Or maybe RH et al should start whining a little more.

Nothing's really changed (1)

Greyfox (87712) | more than 14 years ago | (#1623917)

I still download my crypto programs from more free countries like Finland or Russia, which I was doing anyway, and Janet Reno still ensures that 99 percent of the E-Mailing public still sends their E-Mail via easily intercepted channels.

Once I get my mail server back in place now (RSN, Hope Hope) I'm going to start bouncing unencrypted messages with a reply that if you REALLY have something important to say to me, you'll encrypt it with PGP or GPG and resend, along with a lecture on why this is important. May as well start doing my part to ensure that crypto usage spreads. The fact that this will have the added benefit of completely eliminating the spam I get now is not lost on me, either.

French Persons! (1)

Greyfox (87712) | more than 14 years ago | (#1623918)

Give us the grail or we will take your castle by force!

Re:not so simple (1)

gaffney (88218) | more than 14 years ago | (#1623919)

>before you assert that
> good cryptosystems are easily understood.

Not easily understood, _widely_ understood.

What I meant was the concepts behind strong crypto are easily accessible to someone with technical knowledge or the money to hire such people.


Re:A few points (1)

lweinmunson (91267) | more than 14 years ago | (#1623920)

I think it is ironic that this stance has been taken by the administration in the middle of a large legal battle by the EFF and others over just this issue. The courts have come down on the side of freedom of speech and that source code is speech several times already in this case. In fact the US 9th circuit court of appeals had previously ruled that regulations on encryption source code were unconstitutional under both the 1st and the 4th amendments and that they would have to be significantly reworked. The case the EFF is using is Bernstein vs USDOJ at this address The courts have agreed to re-hear this case but I think it will probably make it up to the supreme court in a year or two. That's when we should finally get a clear answer on this issue and hopefully not have to worry about it any more.

Source code? (1)

tc (93768) | more than 14 years ago | (#1623921)

Couldn't get the link to work properly, but I'll extrapolate and comment anyway...

Are they saying that you can export strong crypto, but you can't export sourcecode to strong crypto? Because if so, then it just doesn't make any sense. Where do you distinguish between sourcecode and not sourcecode? Human-readability? If so, then that means you couldn't ship a strong crypto implementation in any sort of scripting language or other interpreted form (e.g. Perl). And what about assembly - would you be allowed to ship an ASM sourcefile? If not then can someone explain the conceptual difference between an ASM sourcefile and the output of a disassembler?

Once again, governments fail to understand technology...

Re:So what? (1)

WanderingWastrel (98947) | more than 14 years ago | (#1623923)

The recent change in export laws was to allow crypto-enabled applications to be exported from the US. Now they're saying that it's only for "shrink wrapped" applications, not the source code. So you can't ship the code with the app. So? Put the non-crypto parts of the source with the app, and ship it out -- no violation of the law (assuming you've met whatever regulations still govern shipping compiled apps). Then put the crypto parts of the source code on a web server in a country that doesn't give a crap about paranoid levels of control like the US does. You've got your app, you can ship it anywhere, all the source is available to anyone. Open source isn't about the source code being on the same physical CD, it's about it being available, period. It's inconvenient to do it this way, yes, but it's a whole lot more effective, IMO, than lobbying a government that doesn't give a crap what people want.

So what? (1)

WanderingWastrel (98947) | more than 14 years ago | (#1623924)

I don't see what the problem is. So you can't export open-source crypto. Big deal -- import it instead. Pick a country (or countries) that isn't interested in trying to control this stuff, and find some programmers there willing to open-source their crypto software. Even if they screw it up at first, just email them bug fixes (a couple of lines at a time, if need be, to conform to whatever silly laws your country has at the time), and eventually you'll have damn strong crypto.

Laws like this are like flaws in an OS. You can waste your time wailing about the fact that the flaw is there; you can waste your time begging for the flaw to be repaired; or you can code around it, and make the flaw irrelevant.

Why (1)

lawn_ornament (99174) | more than 14 years ago | (#1623925)

The HELL does the US govt always act like it owns the world. DAMN that makes me mad.
n.b. I said the US govt. not the us. ppl. them I like very much

Use SuSE instead... (1)

havana9 (101033) | more than 14 years ago | (#1623926)

> Right! Redhat and Caldera (especially RedHat, since they really want to keep their distribution "free") still have the same problems, because their "products" are open sourced. Cute.

Ok: this makes SuSE happy, doesn't it?
And, for instance, it makes software companies in Europe happier: the crypto laws of the USA were a godsend for European software houses.

But anyway, I downloaded ssh from a server in Finland, and I'll continue to download from it.

Please no (1)

pol-pot (101141) | more than 14 years ago | (#1623927)

If crypto is allowed (full scale) then it would not be so good to be a hacker. We hackers would lose the technique of sniffing passwords right off telnet shells.

Then the politicians have to think: less cracking => less need for cops => more unemployment => worse election.

So come on stop this crazy proposal of allowing free crypto.

What if e.g. RH was Printed in Europe, with strong crypto and exported to US! Would that be legal?

Re:A few points (2)

substrate (2628) | more than 14 years ago | (#1623931)

Problem: paper copy is only a workaround until the folks that be decide that a book IS a machine-readable form (courtesy of OCR), at which point we're really screwed, yeah? Let's hope they get round to changing the somewhat broken law in the first place, before they realise that much...

Well, if they ban textual publishing this would render the US as a source of cryptography useless. Not that the government would have the foresight to see this of course.

There is a workaround even at this point, but it requires a bit of effort. Create a virtual machine. The characteristics of this virtual machine are that it runs an interpreted tokenized format (which probably isn't human readable) but performs no optimizations. Information on subroutine names and so on must be stored in the tokenized version (even if they aren't directly readable by humans).

The virtual machine doesn't have to run the code efficiently. In fact, because of the constraints I've mentioned, it wouldn't. But the goal of the virtual machine isn't running cryptographic algorithms anyway. Its job is to enable a program to be transferred 'without source code' across international boundaries. The tokens distributed aren't source code, they're kind of an intermediate machine code, but because of the design of the machine each token can be translated back into a function call or construct such as a for loop or multiplication or a named user defined subroutine.

This would probably be fairly difficult for the government to legislate away without totally disallowing the export of encryption. I wouldn't want to be in the court that tried to define the distinction between source code, object code and compiled code.

Question: (2)

Perrin-GoldenEyes (4296) | more than 14 years ago | (#1623932)

If I ssh into a machine that's outside the US and write crypto code, does that count as exporting it? Am I exporting a weapon one character at a time? If not, I guess that is a possible work-around, though one that would probably be pretty annoying for US developers.


Re: A few points (2)

jamiemccarthy (4847) | more than 14 years ago | (#1623933)

If what the NYT says is true then Open Source software wasn't specifically excluded from the recent relaxed stance on crypto software. No source code may be exported whether it's Open Source or a commercial entity. Please don't embellish stories with information that isn't factual.

This is splitting hairs in my opinion, because the nature of cryptography demands peer review and the most popular cryptography packages are open-source.

I suppose one could say that the government has also restricted the export of commercial crypto packages which make their source code available only under NDA for a price. Are there even any companies which are silly enough to offer such a product?

Apart from that hypothetical, the effect of prohibiting the export of source code is essentially identical to prohibiting the export of open-source software. In essence, the government is turning the GPL or any other open-source license into an anchor which forces the package to remain within U.S. borders. Closed-source software is not so restricted.

A bigger point is that constraints on the export of source code have been rendered ineffective anyway.

Quite true!

Jamie McCarthy

Question... (2)

LordDartan (8373) | more than 14 years ago | (#1623934)

Hmm...correct me if I'm wrong, but I thought it was said (maybe a year or so ago) it was LEGAL to export encryption source code in non-electronic form (ie, on paper). Guess that means whenever you download an open source encryption product, to get the source you have to have it printed out and sent to you. Hope you have good OCR software for your scanner!

Re:No source = No programs (2)

Cironian (9526) | more than 14 years ago | (#1623935)

It would be hard to shut down GnuPG with US export controls, as it was made completely outside of the US.

So what happens if . . . (2)

Lord of the Files (10941) | more than 14 years ago | (#1623936)

It was compiled with debug symbols? (And not stripped.)
Is that exporting the source code, or the binary?

Re:Running Scared (2)

hey! (33014) | more than 14 years ago | (#1623939)

Thank you.

I could have figured this one out myself I guess. I was busy scratching my head trying to figure out why the Justice Department was advocating a policy which could be so demonstrably easily defeated by anyone, and which merely has had the effect of moving the centers of development of security critical software offshore. In the long term, the inevitable deskilling of US programmers that this will lead to can't be in the national interest.

This policy only makes sense if the administration thinks it has important political symbolism.

In that case, it may be not so much that they are clueless, but out of touch. I mean, as a political message, "no export of strong encryption" isn't exactly "remember the alamo". "No export of source code for strong encryption algorithms except in printed form" is even more obscure. Anybody who cares at all about this issue has to think the policy is simply stupid.

I don't buy that this is a plot to advance Microsoft, or to sneak back doors into strong encryption. It is simply too trivially easy to defeat this policy for it to have any kind of effect whatsoever, except to bar US programmers from working on open source cryptography.

I wonder if this could be challenged on constitutional grounds, on the basis that source code is an expression of ideas (just as it would be in paper form), as opposed to being an apparatus, which a binary product would arguably be.

Re:Would this comply with the GPL? (2)

IIH (33751) | more than 14 years ago | (#1623940)

If a program is licensed under the GPL and a distribution with that program on it ships overseas, if a person purchases the distribution but wants the source code to the encryption program, but can't download it because it's hosted in the US

It's quite simple. According to the GPL, if you can't distribute the source according to the GPL, then you can't distribute the program at all

From the GPL (section 7):
If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all

So, in the case you laid out, if you are allowed by export laws to export crypto binaries (and not source) then, if that binary is covered by the GPL, then the GPL forbids any export distribution.

In short, under the GPL, if you can't distribute the source and binary, you can't distribute either.

Anyone care to theorise what would happen if someone ex-USA got a copy of a GPL crypto binary, and asked for the source? If they say yes, they are breaking export laws; if they say no, they are breaching the GPL. Quite a dilemma.

Bernstein will save us (2)

Russ Nelson (33911) | more than 14 years ago | (#1623941)

Bernstein will save us.

Re:Would this comply with the GPL? (2)

Sun Tzu (41522) | more than 14 years ago | (#1623942)

It sounds to me like it will not allow GPL'd strong crypto to be exported at all and still comply with both the GPL and this export restriction.

This is great for Microsoft. This is terrible for Red Hat. While it doesn't actually add any new restrictions to RH, it allows MS to compete more effectively with RH Linux. Maybe it will also be a boon for offshore distributions such as SuSE and TurboLinux.

Connecting Traditional to Technology (2)

_Sprocket_ (42527) | more than 14 years ago | (#1623943)

Problem: paper copy is only a workaround until the folks that be decide that a book IS a machine-readable form (courtesy of OCR), at which point we're really screwed, yeah?
As the article mentioned, officials are hesitant to go after printed material. Printed documents are a sacred cow (ie: Freedom of the Press). It would be easy to prove any such restrictions unconstitutional.

Basically, it's an issue of understanding technology. Most people, to include some very bright minds, just can't seem to get a good understanding of what the various forms of technology are. Thus, it's hard to see electronic documents containing source code as free speech. Meanwhile, any fool can understand the printed word must be protected.

Take email vs. snail mail as an example. Traditional paper note-in-an-envelope mail has a fair amount of legal protection. It didn't have to have it - but early American planners made sure of it. Meanwhile, recent rulings have given email none of the protections that traditional mail has. I think those who work within a technology environment see little difference between the legal privacy of a piece of paper vs. an electronic file. It's obviously not so apparent to outsiders.

So going back to source code... those who are a part of the technology see restriction of source code as a freedom of speech/press issue. However, outsiders may not understand this. It may take some considerable work to connect the two. In a court of law, this doesn't always happen. Thus, officials who want to go after published source code will have an easier time at restricting electronic distribution than dead-tree distributions.

Re:Well... (2)

Mr. Slippery (47854) | more than 14 years ago | (#1623944)

This isn't exactly the type of civil disobedience that you associate with civil rights movements and such. There are some seriously powerful people who have a vested interest in seeing that the law remains as is - the NSA and FBI being just a couple of them.
That's the way civil disobedience works, my friend. The USAmerican civil rights marchers in the 60's weren't out for a lovely day in the fresh air; they were risking beatings, imprisonment, and assassination.

Civil disobedience means putting your ass on the line against the power of the state. By doing so, you hope to shame the state into behaving better; or, failing that, let it know that there are people willing to put themselves at risk to oppose it - and let them figure out that said opposition may not be restricted to nonviolent means.

Free speech issues and ways to defeat restrictions (2)

Pyramid (57001) | more than 14 years ago | (#1623945)

Several /. posters have raised the issue that printed source code may one day be considered machine readable and therefore illegal to export. This of course stretches the bounds of constitutionality, but is a grey enough area to be held up in a court system populated by the pseudo-socialist ninnies currently running it.

Should printed (crypto) source code be restricted, I say we up the stakes yet another level; fire up your Mac (or whatever machine/OS gets your jumbly stiff) and have the machine *SPEAK* the source code. Simply record the output and mail a copy to whoever you please or play it over the phone. Although the recording might make for some boring listening, it would be spoken word and therefore any attempts to restrict it would be a very clear-cut violation of the constitution. Should some old decomposing pile of bones masquerading as a congressman raise the point that a machine made the recording, simply enlist a few intrepid souls to read and record the code; what will the gov't do then, decree that spoken word is machine readable and therefore subject to their control? Can you say "Violation of my constitutional rights"? I knew you could!

With a bit of tweaking, I'm sure one could get ViaVoice to transcribe the recording. Voila! Stupid law circumvented once again!

I believe that every effort the gov't makes to restrict crypto (and ANY free speech) should be challenged and every loophole exploited. The effect of this is they must address the holes and tighten their grasp on us. Once this happens, the issue will become a pure free speech issue and will be forced to a head.

"The more you tighten your grip, Tarkin, the more star systems
will slip through your fingers".

--Princess Leia

Bah! Stupid Congress! (2)

gaffney (88218) | more than 14 years ago | (#1623947)

This is just getting silly. The US government doesn't want to allow exportation of source code for strong crypto and thinks this is gonna make a damned difference!? Do they honestly think they can prevent the Chinese or the Indians or the drug cartels from developing their own (also raises the "who cares anyway?" questions...)? It's not like the concepts behind this stuff are poorly understood!
Also it seems kinda rude in terms of foreign policy to declare to someone you're trying to build a trade relationship with that you're not going to give them access to something that would give them privacy; by doing this the US is openly admitting the fact that they're spying on everyone. Now granted we already could've guessed, but for them to stand up and yell it on a street corner is just stoopid.

-gaffney, who wishes to hell he were old enough to vote.

Something new (3)

deno (814) | more than 14 years ago | (#1623948)

So, the US government has finally realized that Microsoft, IBM, SUN & co. will be in trouble if they cannot export cryptographic software.
Now, name at least two well-known US-based companies which will continue to suffer from these restrictions!

Right! Redhat and Caldera (especially RedHat, since they really want to keep their distribution "free") still have the same problems, because their "products" are open-sourced. Cute.

Source-in-the-bin (3)

KodaK (5477) | more than 14 years ago | (#1623949)

Ok, I can export binaries, but not "machine readable source code". Simple fix, write your code, wrap it up in an encrypted binary, do a ./lameusgovtextrastep (or whatever) and there ya go... I wouldn't be distributing source, I'd be distributing a binary that generated source.

It need not be said that this whole thing is incredibly stupid, and I'm ashamed of my government, I mean really -- "We don't trust our people" is essentially what they're saying. It doesn't need to be this way, we (at this point still) have voices and an organized effort would probably be enough to sway some influential congressbots into behaving reasonably. Maybe I ask too much.

This is expected (3)

tilly (7530) | more than 14 years ago | (#1623950)

The government's announcement was a way to make it look like they were opening up while really trying to keep things under control. After all what did they say? "Approved code" would be allowed to be exported at any strength. Who does the approval? They do! And what else was in their announcement? Lots of verbiage about how important it is for law enforcement to be able to break encryption.

Can you say "secret key escrow" just like Clipper?

I knew you could!

So, of course, no open source software can possibly meet the guidelines. After all with open software anyone can see the back door and that would never do, would it?

Re:A few points (3)

PigleT (28894) | more than 14 years ago | (#1623951)

Problem: paper copy is only a workaround until the folks that be decide that a book IS a machine-readable form (courtesy of OCR), at which point we're really screwed, yeah?
Let's hope they get round to changing the somewhat broken law in the first place, before they realise that much...

Free speech (3)

coyote-san (38515) | more than 14 years ago | (#1623952)

This point keeps coming up, so I'll answer it globally instead of in several responses.

The current US position is that source code in electronic form is communications between the programmer and the compiler and hence under no Constitutional protection. Source code in printed form, since a computer can't read it, must be communications between two programmers and *is* Constitutionally protected.

Of course the government knows that OCR software exists and people who are serious about exporting software use special OCR fonts. (As an aside, where can I find those fonts?!) But they know that if they take an OCR-scanning programmer to court they may lose not only that case, but the larger issue of paper vs. disk vs. net distribution. The appeals courts in the Bernstein case make this seem likely.

As for motivations, I think a lot of the policy makers are driven by old-time military security policies and don't understand that they don't apply here. Leaking *any* information about most military hardware allows the enemy to work on ways to disrupt yours and improve their own, but mathematics and basic physical properties are things that can be done by anyone with the motivation and time. With them, all we can do is continuously remind them that *all* public source cryptology can be understood by a motivated college maths major, and even some HS students.

At the same time, I'm sure that "industry" lobbyists are talking to their old colleagues and pointing out that the exposure is limited when a company exports its binary packages. Have you ever tried to disassemble a megabyte-sized "hello, world" Windows program? The fact that this makes it easier for MS to export its Kerberos-enhanced W2K, but I can't export my Kerberos-enhanced Debian packages, isn't mentioned. Besides, MS has 90% of the market, and my distribution has 0%. (Because of the export laws, it's an on-again/off-again project and still in early beta.)

As a final comment, I know I could distribute my packages as source code, but that's completely unmanageable. The Kerberos source tarball is around 5 MB, and while many of the other packages (e.g., lprng, postgres, coda, cvs) can be rebuilt with a one-line change in the 'debian/rules' file you need a fully loaded development platform to recompile everything. Few people would use a distribution where you have to scan in a book (literally), then spend two days compiling everything.

Re:Bernstein will save us (3)

jjo (62046) | more than 14 years ago | (#1623953)

Maybe, if we live so long. The appeals court seems to be in no hurry.

The re-hearing before the Ninth Circuit Court of Appeals has been scheduled for Dec. 16, 1999. The first time the 9th Circuit heard the case was in December of 1997, and they took a year and a half, until May 1999 to decide. Based on this we can "extrapolate" (using Arthur C. Clarke's term) the following timeline:

12/1997: 9th Circuit appeal hearing
5/1999: 9th Circuit decides
12/1999: 9th Circuit en banc re-hearing
5/2001: 9th Circuit decides again
10/2001: Supreme Court takes case
5/2002: Supreme Court decides case (they take pride in making prompt decisions)

Of course, the 9th Circuit may be faster or slower this time around, and the Supreme Court may not take the case, but this is as good a guess as any. The real problem is that no one knows what legal tricks (new regulations, new legislation) the government may pull to delay this even longer. It's already taken most of this decade.

What will the closed-source vendors do if you spot them a 2.5-year head start from now?

Re:Why (3)

cdlu (65838) | more than 14 years ago | (#1623954)

No, in the Commonwealth, we are a Commonwealth of the US. Civil disobedience is the best way to get this law overturned, I would say. Have everyone on /. and a few other places export a single line of code with the number of the line in the subject header to be rebuilt by a script outside the country. Or just have everyone here export the code with a cc to There is already a website somewhere (it's several years old) that allows you to do that... rafficker/ .

Or anyone who's out there in the development of such software should simply leave the US and develop outside. I don't think anything would scare the US government more than a brain drain.

Hm. How 'bout interpreted foo? (3)

Stonehand (71085) | more than 14 years ago | (#1623955)

Things like Perl and Tcl, for instance. If someone were to make a "shrink-wrapped" software package featuring strong cryptography via Perl, what would the department's policy be?

Running Scared (3)

morzeke (100541) | more than 14 years ago | (#1623956)

Washington is simply under public pressure to do something about exporting national secrets (as if any open source code could be considered a national secret) considering recent debacles related to Chinese espionage and the subsequent attempted coverup.

They're just flailing out at a segment of the software industry that can't defend itself, collecting the brownie points back home, and forgetting about it by morning.

Well... (4)

Anonymous Coward | more than 14 years ago | (#1623957)

Rather than bitching and complaining about this obvious lame/idiotic law why don't we do something about it? Organize something. Have a civil disobedience day where we upload whatever piece of encryption software we damned well want to foreign servers. Set a date, hype it up like Microsoft hypes up NT, and then execute. It's important that we do this. Courts do recognize mass civil disobedience.

Re:Well... (4)

evilpenguin (18720) | more than 14 years ago | (#1623958)

While I do think civil disobedience is a fine and noble thing, and I wouldn't oppose this idea, have any of you tried writing your congresspersons and senators a letter? A letter writing campaign will have much more effect than an act of civil disobedience. A friend of mine once worked in a congressman's office. I asked him how many letters they had to get on a subject before it would actually be brought to the congressman's direct attention. He said four. Four!!! (Note that there are exceptions, like gun control and abortion which generate mail like crazy, but on some garden variety issue, not on the "radar", it takes four letters).

I'm sure this varies from issue to issue and from congressperson to congressperson, but I still urge you (and everyone else who cares about this) to write an original letter and put it on paper, sign it, and send it to each member of your delegation.

It *does* have an effect.

The "special interests" control the process in no small part because we don't exercise our freedoms. Want freedom of speech? Say so!

See for a list of senators, follow through to their mailing addresses.

See to find out who your House member is. Follow through to their web pages which should offer an address.

Use your rights and let freedom ring (okay, I know I'm sounding hokey, go rent Mr. Smith Goes to Washington and get all hokey too!)

outlawing math (4)

Hollins (83264) | more than 14 years ago | (#1623959)

It never ceases to amaze me that my government has essentially decided it can regulate math. I cannot specify a sequence of simple mathematical operations and send that sequence to anyone I choose.

It's like Congress deciding they want to rewrite the Law of Gravity.

Clueless (4)

emmons (94632) | more than 14 years ago | (#1623960)

This really only goes to prove how clueless our leaders appear to be about technology.

"This happens to suit U.S. government intelligence and law-enforcement agencies, which worry that access to the source code for encryption and security software would enable terrorists, drug dealers and other criminals to devise secure communications networks that agents would not be able to monitor."

This shows the apparent stupidity and lack of competence in our government agencies. Outlawing crypto doesn't keep it out of the hands of those who want it for covering illegal deeds. If you've got the resources to be running an organized illegal operation like is mentioned here, getting your hands on software that will encrypt your communications will not be difficult no matter how illegal it may be.

"The problem is that by the government's definitions, OpenBSD is foreign software"

How, exactly, is this a problem? It is a problem for the US government because they can't stop strong encryption from being made in other countries?

"The administration, for example, has so far declined to regulate the international movement of source code if it is printed on paper, presumably out of concern that such regulation would violate the First Amendment."

So does this mean that if we only write the code for strong encryption and print it out on paper then we can export it? Since when is there a distinction of free speech on paper and free speech in .txt files? Is this the same government that insists we must save the trees??

Is this really a brain dead government honestly trying to keep something from the hands of dangerous criminals? Or does it look more like a government that is trying to make it difficult for companies to develop products for the everyday consumer and more importantly, "petty criminals"?
True goal: prevent crypto proliferation in the US (5)

AxelBoldt (1490) | more than 14 years ago | (#1623961)

The US government is not stupid. They know very well that the strong crypto algorithms are well known all over the world and free crypto software is widely used and can be downloaded from many non-US servers (and can also be produced by every CS major in a month).

So why do they insist on export controls? It's plain: to slow down crypto proliferation inside the US. The major email programs still don't include seamless crypto integration.

The most revealing bit of the puzzle is that source code is not exportable if it only contains hooks to allow easy plugging in of foreign developed crypto code. No US developed free software currently contains hooks like that, since it is impossible to prevent free software from being exported. It's not about stopping the flow of crypto algorithms to foreigners, it's also not about terrorists and organized crime (they can easily invest a bit of work and put the hooks in themselves): it's all about preventing widespread adoption of strong crypto for everyday communications in the US.

The major email programs still don't include seamless crypto integration.

The government currently listens in on telephone conversations and email, and they would like to continue in the future.
Corporate Rights Honored; Business As Usual (5)

Effugas (2378) | more than 14 years ago | (#1623962)

There seems to be some misunderstanding as to the purpose behind the recent administration decision to reduce barriers to the export of encryption software.

While government is ostensibly concerned with the rights of citizens, its primary goal is self-preservation. (Do you want to lose your job? Neither do they.) The furor over encryption technologies was threatening to move voting blocs and critical endorsements; very well endowed companies and individuals were losing money due to certain governmental policies.

Something had to be done.

Meanwhile, those same guys who cruise Silicon Valley harassing company after company, working tirelessly to put an ear in every wall, are skillfully scaremongering those same politicians with the kind of information you just don't get from a Freedom of Information Act request. These guys inspire terror in more than a few silicon valley techies; you don't think they know how to play the fear game with a few PR-conscious congresspeople and secretaries?

Something had to be done for them too.

So, the general concept was this: Remove the heavy artillery from the open-encryption campaign by placating the highly-funded(and thus dangerous in the PR department) companies seeking to make millions off of encryption sales. Do this by offering a slightly increased acceptable keylength, as well as a "one stop shop" for an intelligence community OK to speed acceptance.

Meanwhile, do absolutely nothing for open source code, and in fact have Janet Reno talking with Germany about ways of suppressing critical infrastructure tools such as ssh and SSLeay. (No need to worry, there are many businesses that would be happy to sell you a closed source product that's only been peer reviewed by the intelligence community.)

Everybody's happy, no? Oh, yeah. The public. Those are the guys who a) finance the system and b) think the system is taking care of their finances.

I'm not so sure.

The real problem that the government's continual threat-making is exacerbating is that tremendous quantities of very private information are travelling in virtual plaintext. Go find out how many large companies make the rather ridiculous assumption that "Phone Company = Private Connection". There's no small amount of irony in the fact that a Virtual Private Network is in fact significantly more secure than Telco-Mediated Point to Point links. VPN design specs accept the fact that they're traveling over insecure lines. Legacy Private Networks presume that there's nobody able to listen in. This is a rather ridiculous assumption, particularly with the recent actions of the US Government against alternative phone service providers who were failing to provide wiretap/geoposition trace capabilities.

Is there a Telco engineer around who hasn't accidentally(or intentionally) listened in on a circuit to "make sure it's working"? Have we not been paying attention to the recent exposures regarding the Echelon system?

It is simply undeniable that Telco links, be they voice or Frame Relay, are insecure. The arguably misnamed "Virtual Private Network" is far less virtual than its predecessors, and the government knows it.

Then again, if the public is having its data tossed around in a forced-sniffable form, so too with the company's data which is being tossed around right alongside it. Maybe Corporate Rights are being trampled on after all.

Yours Truly,

Dan Kaminsky
DoxPara Research

A few points (5)

substrate (2628) | more than 14 years ago | (#1623963)

It's always hard to determine the official verbage from mainstream media, reporters often get things wrong. I'll give The New York Times the benefit of the doubt though.

If what the NYT says is true then Open Source software wasn't specifically excluded from the recent relaxed stance on crypto software. No source code may be exported whether its Open Source or a commercial entity. Please don't embellish stories with information that isn't factual.

A bigger point is that constraints on the export of source code have been rendered ineffective anyway. I can still publish a book (such as Bruce Schneier's Applied Cryptography) that contains source code though technically I can't publish it in a machine readable format. Just about anybody can get access to a decent OCR program however (is there one available for Linux incidentally?) and can scan in the source code and generate a machine copy.

A paper book isn't the most efficient way of publishing source code but it is a workaround. If uploading the source to Blowfish to a server in Jakarta, Indonesia is illegal then it is possible for a person located there to purchase the book, OCR it and set up an overseas mirror there.

Another complete waste of time (5)

Noryungi (70322) | more than 14 years ago | (#1623964)

A couple of points...

1. (minor gripe) How come OpenBSD is not mentioned in Slashdot's original mention of the article? (end minor gripe). Please note: That's a *minor* gripe, people!

2. I thought the US Navy was using WinNT exclusively? =)

Thus, the Navy's project is built with Italian enhancements to a Canadian product that was born in a U.S. university. What is more, it is likely that the software contains pieces of code contributed by programmers in Finland, Germany, Eastern Europe, Russia, Australia, India, Mexico and other countries.

Open Source Rules OK! Go BSD GO!!! =) This being said, isn't it sad^H^H^Hgood that, because of brain-damaged US policies, good programmers can now work in peace in Canada?

3. If Canada starts behaving as stupidly as the American administration does, Theo de Raadt will have to move to Finland or Sweden. Same weather, same relaxed crypto policies, same Internet access. Just a big waste of time. I'll be the first to send some $$$$ his way to make his moving easier...

4. You will have to pry my OpenBSD CDs from my cold finger, Janet Reno! (see below) =)

If the attorney general succeeds in persuading the Europeans and Canadians to shut off the flow of open-source security software, he said, "I think it would be a tragedy."

It's not going to be a tragedy, just a complete waste of time -- most Europeans are *fed up* with minor inconveniences such as NSA's Echelon and NSI's policies. They are not going to go back to the "old ways" of doing things. The US administration is behaving in such a heavy-handed manner, there is no way most European governments are going to clamp down on crypto. Even *France* authorized heavy crypto recently, for crying out loud! That was a country that used to be lumped with China and Iran as far as crypto was concerned!

5. Dear Janet: please *get* *a* *clue*. The cat is out of the bag, and there is no way you'll ever, *ever* get it back in...

But in case Reno has her way, the software industry is developing end runs. The administration, for example, has so far declined to regulate the international movement of source code if it is printed on paper, presumably out of concern that such regulation would violate the First Amendment. Thus, several companies are already shipping printouts of their code to Europe where it is scanned into computers.

So: I can't get the source, but I can get the book, right? How stupid can you get?

When asked about the policy's impact on the development of Linux, FreeBSD, and other open-source projects that serve the government's own needs, Reinsch, the commerce undersecretary, said: "It's an important question which we need to study a lot more. We don't have all of the answers."

You probably mean you don't have *any* answer. The crypto part of Linux, *BSD, etc... will simply be programmed outside of the US, as it has been for a long time. US crypto policy, just like the walls of Jericho, is built on sand. And it's just as useless.

If only those people could leave people like Theo alone and free to code... *Sheesh*