Encryption Security

Ask Slashdot: Using SSH on non-US Sites for Crypto Development? 302

cesarb dropped this interesting question in my inbox, that I would like to share with you all: "I would like to know if a developer in the U.S. could use telnet or SSH to a box outside the U.S. and help developing a code that uses crypto. If he types a whole file of source code for a crypto algorithm, this of course is export; however, if he just fixes some bugs (like fixing a typo or changing the name of a function), I think this would not be considered export, since the only things you exported were the cursor movement and character deletion keystrokes and the actual text you typed (like the new name for the function), and what appears on your screen was just imported but never exported back. This would allow things like the kernel, Mozilla or anything else to be developed with crypto outside the U.S. but by people inside the U.S., and so would stop the last piece of usefulness in those silly U.S. crypto export restrictions." Would something like this work? Are there any other solutions for U.S. citizens developing strong cryptography to share their work with others abroad?
  • by Anonymous Coward
    The purpose of ITAR is clearly to make it as difficult as possible for an "enemy" to make use of "military grade" encryption. If you export a change of function names such that the new exported function name makes it easier for said "enemy" to figure out how to accomplish military grade encryption then you are working against the purpose of the ITAR controls on encryption. Regardless of if it is right or wrong/legal or illegal, there are members of U.S. government that are dedicated to enforcing the *purpose* of crypto export laws. These people are not interested in "loop-holes" and are ready to make your life hell for "missing the point."

    Please please please read the US crypto policy FAQ [eff.org] from the EFF [eff.org] archives.

  • by Anonymous Coward
    Since we are the guys who have the definitive collection of crypto source in tree, what we do is literally fly/bus people over the border for a concentrated time of working on crypto stuff.

    No problem with any interpretation of "export regulations."
  • by Anonymous Coward
    > import is legal
    > Export in Electronic form is illegal
    > Export in non-electronic form is legal
    > Print the diffs!!!

    Didn't they once send out the printed source for PGP 5 or something with checksums written by each line to make it easy for a computer with a scanner to read it and check it? Very clever. Aren't there plenty of competent people in Europe to develop this for import into the US afterwards?
  • by Anonymous Coward

    Irregardless of "export," it's a felony for an American to provide "technical assistance" to foreigners about crypto.

    Companies and organizations like mozilla.org have to keep their noses clean, so they can't even provide minor help like bugfixes to free-world crypto efforts. A single person could probably get away with it, though, especially if you were careful (e.g., anonymous encrypted mail with the bugfix, etc.) (Not that I would ever publicly encourage someone to commit a felony, of course!)

    However, most of the major free-world crypto development efforts will not accept help from Americans, because under American law that then "taints" their effort as an American product, confusing the issue further. This is not just a technical worry; the US assumes its laws apply in all countries.

  • SCREW stupid laws. Just don't get caught. :-)

    (No, I'm not doing it, I'm not a crypto guy. So if you're the feds and are chasing me, you're just wasting your time.)
  • Wow, that was convincing. PLEASE guys, quit programming cryptography! The only people who should have cryptography are the US Government(TM) and Microsoft! If anyone else has it, he might be tempted to become a terrorist or a child abuser!


  • I am a US citizen and wanted to do exactly the same thing. According to Julie Lever an Analyst at the DOC in the crypto export division, you need a license to do this (I'm in the process of obtaining one). I have servers in Panama I access via SSH. Even building SSH on them (d/l directly from Finland) is grey area. What she says is that _I_ doing the work constitute exporting encryption technology because I am a US citizen. I cannot even do the work if I live in Panama as long as I'm a US citizen.
  • Seriously, what you are suggesting is tantamount to hand delivering technology from the US to another nation.

    Not everyone who lives in US is a US citizen, and a lot of programmers are not (me, for example), so formally the "technology" or "expertise" doesn't belong to US in the first place.

  • Check DejaNews, the appropriate portion of the regulation is posted to sci.crypt and crossposted later (by me) to talk.politics.crypt. U.S. citizens are prohibited from exporting cryptography, and are prohibited from providing technical assistance, and if overseas are prohibited from working on products that would require an export permit within the U.S.

    Regarding sovereignty the United States Government holds that if you are a U.S. citizen, you must obey U.S. law no matter where in the world you are. The USG has been known to kidnap U.S. citizens in foreign countries in order to bring them to trial here in the U.S. if they peeved the USG enough. Heck, they don't even have to be U.S. citizens -- anybody remember Manuel Noriega, who was (quite illegally) kidnapped and brought to trial in Miami for crimes that did not violate Panama law and that were committed within the borders of Panama?

    -E

  • You're breaking the law even to contribute technical assistance. However, the USG has a "gentleman's agreement" not to prosecute where it feels that they'd lose on First Amendment grounds. But where is the border line? Do YOU want to be the test case who spends the next five years in jail waiting for trial?

    -E

  • The regulation says that if you're an American citizen overseas and working on a product that would require export permission here in the 'States, you're breaking the law. For that matter, an American citizen re-keying the code into a system upon arrival overseas would be breaking the law (since he would be providing technical assistance).
    For that matter, even printed on paper it's technically against the regulation, except that the regulation allows "academic discourse" and if you print a few academic notes to go with the code it slips through that loophole in the regulation. But don't think you can add a few academic notes and post the source to the USENET, the requirement is that it be printed on paper in order to qualify as "academic discourse", though the Bernstein case is trying to qualify source code in electronic form distributed as part of a book as "academic discourse" too (and he has a good case, but the USG will drag this out forever).

    Anyhow, it's all a blatant violation of the First Amendment, but the U.S. government doesn't believe in the Constitution anyhow (see the RICO statutes, which violate the 5th Amendment, for another example), so it doesn't matter.

    -E
  • Flee the USA if you wish, but expect that if you peeve the USG enough, they'll go out and kidnap you in order to bring you back to trial. Heck, Noriega was president of his whole damned country and you saw how well he fared when the USG decided to kidnap him in order to bring him to trial in Miami (for acts legal in Panama, that occurred within the borders of Panama). What makes you think that a little pipsqueak like you or me stands a chance if they get peeved?

    -E
  • The problem is that most strong authentication mechanisms depend upon public key encryption, which IS export controlled. So, for example, let's say you want to only run binaries which are signed by Red Hat Software or by your Corporate Information Center. They would "sign" the binary by encrypting the MD5 of the binary using their private key, then before you run the binary you check the binary to make sure its MD5 matches the MD5 decrypted using their public key. Thus you can insure that you got a trusted binary and not some barfled one.
    The problem is that even though this would receive an export license if you applied for one (because it is an authentication scheme, not an encryption scheme), you cannot include source code, because the source code would be capable of being "misappropriated for non-authorized uses". The GPL means that thus this capability won't go into the kernel.

    In other words, the US Government is propping up Microsoft here, since Microsoft can include this capability in their OS. (If they gave a damn, which they apparently don't). But that figures, the US Government is also giving Microsoft huge export subsidies too, at the same time that they're suing Microsoft for monopolistic acts. Quite a government we have, eh?

    -E
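
The sign-then-check flow described in the comment above, as an added example that is not part of the original post or of any vendor's code. Assumptions: SHA-256 with PKCS#1 v1.5 encoding stands in for the MD5 the comment names (MD5 is no longer collision resistant, so the verifier refuses it), the key is a constructed and insecure demo key, and all function names are illustrative.

```python
import hashlib
import hmac

# Constructed demo key: p and q are the Mersenne primes 2**521-1 and 2**607-1.
# A modulus of this special form is NOT secure; it only keeps the example
# offline and deterministic. A real signer keeps D private and ships (N, E).
P = 2**521 - 1
Q = 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8          # modulus length in bytes

# DER DigestInfo prefixes from RFC 8017, section 9.2.
DIGEST_INFO = {
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "md5": bytes.fromhex("3020300c06082a864886f70d020505000410"),
}

# Verifier policy: which digests are still acceptable for new decisions.
ACCEPTED_HASHES = {"sha256"}


def _encode(data, hash_name):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo || H(data)."""
    digest = hashlib.new(hash_name, data).digest()
    t = DIGEST_INFO[hash_name] + digest
    padding = b"\xff" * (K - len(t) - 3)
    return b"\x00\x01" + padding + b"\x00" + t


def sign(data, hash_name="sha256"):
    """Signer side: apply the private exponent to the encoded digest."""
    em = int.from_bytes(_encode(data, hash_name), "big")
    return pow(em, D, N).to_bytes(K, "big")


def verify(data, signature, hash_name="sha256"):
    """Verifier side: public-key operation, then compare encoded blocks."""
    if hash_name not in ACCEPTED_HASHES:
        return False                    # refuse legacy digests such as MD5
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    recovered = pow(s, E, N).to_bytes(K, "big")
    # Re-encode and compare the whole block instead of parsing out the
    # digest; lenient parsing of the padding is a classic forgery vector.
    return hmac.compare_digest(recovered, _encode(data, hash_name))


def gate(binary, signature):
    """Decision a loader would take before executing the binary."""
    return "run" if verify(binary, signature) else "refuse"


# Constructed sample input, not a real executable.
BINARY = b"\x7fELF constructed sample payload"
SIGNATURE = sign(BINARY)

if __name__ == "__main__":
    tampered = BINARY.replace(b"sample", b"patchd")
    print("original :", gate(BINARY, SIGNATURE))
    print("tampered :", gate(tampered, SIGNATURE))
```
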
  • This is the Bernstein case, and was about posting the source code that went with an academic paper. See the EFF home page (http://www.eff.org) for more info.

    As far as I know it's still tied up in court. I'll just note that the regulations allow academic discourse but unless it takes place on paper and ink the USG doesn't believe it's academic discourse. Bernstein is trying to pry a hole in the rule to say that academic discourse can take place over the Internet too. That still won't help Red Hat export a product that incorporates encryption. (SuSE, on the other hand, has no such problem, since they are not an American company -- in other words, the USG is putting American companies at a disadvantage).

    -E
  • Not exactly. Source code AS ACADEMIC DISCOURSE is free speech -- in one particular circuit court, and the decision is being appealed. Source code outside of academic discourse is another story altogether. See http://www.eff.org for more info on the Bernstein case.

    -E
  • The U.S. Code of Federal Regulations is online at:

    http://www.access.gpo.gov/nara/cfr/index.html [gpo.gov]

    -E

  • Other countries do have their own crypto. That's the problem. American companies are at a disadvantage because they cannot put strong crypto into their products, while foreign companies can.

    The most beloved product by all Unix system administrators is 'ssh', which does encrypted rsh/telnet connections instead of sending passwords in plain text. It was done in (guess what!) Europe, and in fact is illegal to use in the United States unless you buy it from a licensed vendor (because it incorporates the RSA algorithm, which is patented, though only in the United States).

    Of the candidates for the AES data encryption standard, a 128-and-256-bit-key encryption standard which will be required to be used by all government agencies and contractors as the replacement for 56-bit DES, three of the five finalists were coded entirely outside of the United States. We may soon be using foreign encryption code to run the U.S. Government!

    --E
  • I don't personally care. If the Federal Government wants to prosecute me because I've been fuddling around on sci.crypt and posted some thoughts about Diffie-Hellman in a place where foreigners could see it, screw them.

    But dozens of people rely on my employer for their living, and he's not going to jeopardize his company by saying "screw you!" to the government. So he's not going to export a product containing strong encryption in violation of the regulations, because they could fine him millions of dollars and throw the whole executive staff in jail, in which case the company is kaput and everybody who's not in jail is out of a job. So he cannot compete with European companies who CAN sell products with strong encryption.

    So the final status is that we will have two products: A US/Canada product with strong encryption, and an overseas product which does not have encryption (because the export regulations also require that we track where each copy is sold to make sure it's not re-exported to a company on the "forbidden" list -- hell, we ship these things en-masse to distributors, how'n'hell do we know where they've been sold to?!). So we will be at a disadvantage compared to European competitors. Pisses me off, personally, I think I have great code in one utility that I'd love to release as Open Source, but nobody will ever be able to see it because of those @#$% export restrictions :-(.

    -- Eric (EST's crypto expert "because somebody had to do it").

  • The fiction is that publishing papers is "academic discourse" and thus is protected by the First Amendment, while source code in electronic form is a "mechanism" and thus covered by the commerce clause. Actually, even publishing papers internationally would technically be against the law that prohibits "technical assistance" to foreign nationals, if I'm reading the draconian CFR correctly, except that the Justice Department has issued a directive that they won't prosecute cases that clearly are First Amendment cases.

    See the EFF site for the Bernstein case, which is trying to get source code classified as academic discourse too.

    -E

  • Academic discourse is protected under the First Amendment, according to the DOJ, and thus will not be prosecuted under the regulations even if foreign nationals can see it. Bernstein is trying to get source code classified as academic discourse (see the EFF home page).

    Atomic bombs are export-controlled, but as a U.S. citizen you cannot go to Pakistan and help them with their atomic bomb project. The notion is that this is like yelling "Fire!" in a crowded theatre -- i.e., that the purpose of the speech counts, you can yell Fire! all you want to in the privacy of your own home or in a cow pasture, but not where it can harm others.

    The RSA incident may be from "The Codebreakers", I don't remember it in Schneier (though I have not memorized Schneier -- yet -- so it may be in there).

    -E
  • Keypunching or scanning the code in off of a printed research paper (note that a printed "book" with a few lines describing the algorithm and the rest being the algorithm qualifies as a "research paper" as far as the US DOJ is concerned) is okay, and the USA cannot put you in jail for doing so since you are not a US citizen. You can in fact put your code up for grabs on the Internet. See http://www.replay.com for an example.

    On the other hand, while you will not be prosecuted for using false pretenses to gain access to U.S. code and then putting U.S. code on international servers, the authors of that code may very well be prosecuted. Phil Zimmerman (PGP) spent years with the hounds of the US Government on his tail. In addition, many countries do have reciprocal agreements with the US that they will not re-export US code in exchange for various special favors. Canada is an example, that is why only a version of Kerberos 4 re-coded from the "bones" by foreign nationals is part of OpenBSD, even though Kerberos 5 is available from the worldwide crypto archives (via the same print-out-then-scan-back-in mechanism). The difference is that Kerberos 5 was not re-coded from the "bones" and thus qualifies as U.S. code as far as Canada is concerned.

    -E
  • Err, block ciphers of 128 bits or greater are safe for the time being. The output of known good block ciphers, such as the five AES candidates, is statistically indistinguishable from random noise. The only real attack that can be made is differential attacks, and that appears to be a problem only for DES, which is why the NIST is retiring DES in favor of a new American government encryption standard (the AES candidates). If you use Bruce Schneier's "TwoFish", a derivative of "Blowfish" and the best known of the AES candidates, you can pretty much be assured that you're safe -- all of the five AES candidates have been extensively cryptanalysed (especially by their competitors, all of whom are looking for a weakness in the others' algorithms!).
    RSA public key encryption, on the other hand, could be susceptible to new solutions to the underlying "factoring problem". (Public key encryption uses the product of two large strong primes and relies on the difficulty of factoring very large numbers to provide its strength). There are varieties of public key encryption which use exponential equations distributed over a field (ElGamal) or elliptic curves (see http://www.certicom.com/ for info there) as the underlying "hard problem" rather than the factoring problem, but they have not been as widely cryptanalysed. Actually, elliptic curve cryptography is just now getting to the point where I think it's been analysed enough to be safe, but any public key encryption algorithm implicitly has a relationship between the public and private keys, so public key encryption is always susceptible to new revelations in mathematics, and the NSA has some of the best.
    Which won't help them crack a message encoded with 256-bit TwoFish! But I would say that 512-bit RSA is toast, and 1024 bit probably would take the NSA spooks only a few days at most on their big specialized RSA cracker machines. (But note that someone "inside" has stated that the NSA doesn't even need to crack RSA for the most part, because people's computer security is so bad that usually they can walk right in and intercept the cleartext BEFORE they're encrypted).

    _E
  • by Eric Green ( 627 ) on Thursday September 02, 1999 @01:53PM (#1708177) Homepage
    According to the regulation as recently posted to sci.crypt, even helping someone outside of the country with their cryptographic product is illegal. And you can't even move to Mexico (which has no encryption restrictions) and get away from the long arm of American law -- the regulation says that if you're outside of the U.S. and either develop or help someone make a product that would be export-controlled within the U.S., you can be prosecuted. Before you say "so what, I'm in Mexico!", the U.S. government has been known to *KIDNAP* American citizens overseas in order to prosecute them here... hell, they don't even have to be American citizens, they kidnapped Manuel Noriega and prosecuted him here too, quite illegally I might add, the man was a scumbag but that doesn't excuse it.

    -E
  • The difference is that while both Encryption and Nuclear Technology can be used productively (privacy, energy), only Nuclear Power can actually be used as a weapon. Encryption's categorization as munition is completely bogus, it is only considered that to prevent it from being exported, because government likes the ability to find out what people are saying. In the end it just hurts business, because privacy is a NEED in international markets. You send contract negotiations in plain text, your competitor is going to win.
  • What about the book publication of PGP? They printed out VOLUMES of PGP code, sent it overseas, and started scanning it in like mad. Hence, international PGP.
  • Is it illegal for a US citizen to develop and freely distribute a Tcl/TK front-end to a non-US-developed command-line crypto package? I don't think so. If you know otherwise, please refer to the legal source.

    I guess you're referring to the "crypto-specific API" case, where your application invokes encryption functions through some sort of "crypto-specific" interface, and thus may be considered export-controlled even though it contains no crypto code. The restrictions on this are really enforced on a case by case basis, as the regulations don't really cover every question about what is a crypto-specific interface and what is not. However for my best guesses on the matter see question 5 of the Mozilla Crypto FAQ [mozilla.org]. I include references to the relevant sections of the Export Administration Regulations, but unfortunately the links in the FAQ are no longer working; check the GPO's online version of the EAR [gpo.gov].

  • by hawk ( 1151 ) <hawk@eyry.org> on Thursday September 02, 1999 @01:10PM (#1708181) Journal
    What you need is legal advice from a seasoned criminal lawyer who is also well grounded in D.C. politics. And even then, you won't know for sure until the first case reaches the Supreme Court.

    This is playing with fire. Even if it's legal, expect to spend years and millions in court.
  • Follow anything like this to conclusion, and you will just convince yourself even further that the crypto export/import/usage laws are thoroughly ridiculous.

    I always thought that law was somewhat like a mathematical proof, where legislators attempted to capture their intention elegantly, and without holes.

    It seems that reductio ad absurdum doesn't really apply in this case, though.

    Matthew.

  • US dual nationals are liable for US federal tax wherever they reside. If you've never paid US federal tax you are liable for back tax (and applicable fines for non-payment). The IRS and State Department announced about two months ago a joint effort to trace US ex-pats who have not paid tax. Better get down to Grosvenor Square and ask for the citizenship-renouncement form...

    Nick

  • You are not allowed to export encryption technologies, even if they are developed outside the US. In fact the statute is broad enough to proscribe you from doing a private security audit of foreign code and sending them the results.
    --
  • Hit submit button too soon...

    You can however link to a site hosted outside the US where non-exportable material is kept. The EFF (I think) fought and won a court battle on this matter.
    --
  • Well, I can see that someone working on a nuclear weapon would be considered a traitor, but the point here is whether or not encryption should be considered as important to state security. I mean, someone helping to develop a kids toy, even during a war, for an opponent probably won't be convicted as a traitor.

    If you have proper crypto, it's almost impossible to find out that you do work on nuclear weapons or do other things considered treason. Or just trade kiddie porn. Authorities wouldn't be able to find out so they are afraid of strong crypto that's routinely employed by most people.

    Of course, there's a pitfall here, since the smart criminals already have that crypto and use it regularly. The only people who don't have it yet are ordinary people. The terrorist threat won't change because of crypto, but if everybody uses it, authorities will lose their tight control. They don't like that, so they fight it, but ultimately they can't win. They would ruin their economy and people that way.

    The next powers that be might well be corporations - but I digress...
  • But IIRC, there is no provision in US code concerning export that prohibits me from leaving US territory and working as a consultant, even if the project I work on is crypto software that I could not export if I'd worked on it locally. Obviously there are other legal beartraps one could step on (working as a consultant developing nuclear missile targeting systems for China would probably result in an NSA-funded body cavity search as foreplay). However, outside of such obviously foolish and provocative activities (i.e. anything that could justify a treason charge), I don't believe there's any restriction on the export of cryptographic expertise contained in one's brain. If a US citizen travels to Brazil and works for a company producing a 1024-bit pgp-based email client, there's no US law broken. But there are two issues here: the items being transferred, and the transferring itself. I think there's a way to be safe from both perspectives.

    If it is clear that the codebase resides outside of the US, and the US citizen contributes, then in principle the expertise is the only export from the country. Remember, it's not illegal for a US citizen to print out the code to a crypto program, take the resulting ream of paper on an airplane to Australia, and rekey it into a system upon arrival. Only exporting code in compilable or executable format is a violation of silly US law. By the same token (big disclaimer -- IANAL) a US citizen should be able to contribute to a foreign-based project legally by making sure the only tangible thing transferred internationally is knowhow. I.e. using ssh, the non-US-exportable item being developed never originates in the US.

    Just to be sure that you've covered the transfer aspect as well, the work relationship also needs to be structured such that there never is an "export" event. One needs to make sure that the contribution takes the form of legal telecommuting to another country to perform work legally in that country. Even if you receive no other compensation than inclusion of one's name in a list of contributors.

    IANAL. IANA export specialist. IAN even sure I know who I am.
  • Sources, please. Is it illegal for a US citizen to develop and freely distribute a Tcl/TK front-end to a non-US-developed command-line crypto package? I don't think so. If you know otherwise, please refer to the legal source. As other posters have noted, there is a distinction between working on something that would be export-restricted from the US (chip design, hemp farming, certain software development, etc, which are not illegal), and working on something where the activity constitutes treason, which most certainly is illegal.
  • Not to beat a dead horse, but doesn't this point bring it full circle -- Isn't this requirement for public disclosure and open contribution what the GPL is all about? While I think there's a good argument to be made linking the very nature of free/open/GPL software development to the academic/open research publication exceptions in the silly US export laws, I hasten to add that I wouldn't want to be the test case.
  • I seem to recall that one of those cypherpunks who runs some kind of crypto company in Anguilla or somewhere renounced his US citizenship a few years ago to be able to legally work on exportable crypto.

    Even if you don't have a high enough Noriega factor to justify kidnapping, if you're a US citizen and export crypto from the US or work on crypto overseas, you'd best be wary about catching any flights that stop over in US territory.
  • by acb ( 2797 )
    You could move to Fernando Poo or Stateless. Or one of those heavily-armed floating anarcho-objectivist colonies on the high seas. (Heavily armed to fend off pirates and because foreign governments would be only too pleased if they met with misfortune.)
  • Microsoft's Crypto API allows modules of any strength -- as long as they're signed by Microsoft. The compliance part involves MS not signing any strong modules destined for export.

    I think HP or someone made a crypto chip that uses a similar mechanism, requiring an authentication code from a central authority to enable features. Thus it can do full-strength crypto in the US, 40-bit cereal-box-decoder-ring crypto outside of the US, and nothing at all in France.
  • by dattaway ( 3088 ) on Thursday September 02, 1999 @01:40PM (#1708193) Homepage Journal
    All laws are subject to interpretation. I say it's time to get the lawyers involved and perhaps do some digging to see what kind of corruption we really have in the US government behind the "dangers" of encryption.

    When I say all laws are subject to interpretation by the courts, let me relate my experience with a personal bad habit several years back. You see, I liked to drive fast. A lot. From speeding tickets to OJ getting away with murder, I'm sure the principle behind encryption is much more honorable and should be pursued.

    My experience with taking things to court suggests anything can be pursued given enough energy for much less than you think. I accumulated *five* speeding tickets in Kansas City. My lawyer told me the law only allowed one instance of getting a ticket reduced to, say, a "parking violation." I got two tickets that week, a 90 in a 55 and a 69 in a 55. I may have interested him with my comment I would like to fight these (perhaps unwisely) to the supreme court. He was intrigued and to make a long story short and a few courtroom visits later, I had no points on my license due to him getting the worst violations dismissed for technical wording. I added up the legal costs out of my pocket was $1055. After that I got rid of my radar detector and haven't gotten a ticket since.

    Anyhow, I'm sure this encryption debate is not a boring issue with some powerful, yet isolated government officials. It's time to turn up the heat and see how they react. It has nothing to do with terrorism or child molesters, but may have much to do with government officials stealing secrets from industry and their sideline consulting businesses. I think denying citizens the right to privacy is treason and I'm sure there is real evidence of corruption involved.
  • I think this could work...
    As mentioned, the screen seen while editing is obviously "import", and code never does get exported, as it is abroad all-the-time.

    The article's title is a bit misleading, SSH is only a detail in the method, ssl-telnet or any other encryption program could be used.
  • Speculation is perfectly fine. It's just hazardous to act on those speculations. Significant distinction.
  • Those who make laws in the US are very often former attorneys, or in some cases law enforcement officials or ex-military officers. Granted lawyers are intelligent people, but those who hold legislative office are generally subject to no deep understandings of anything other than bureaucratic and other governmental process. So to put it mildly, they don't seem content with a canonical cover of a set of laws.

    But, looked at another way, most legislators have placed their entire faith in their own laws, and have never learned to deal with defiance. Like Aman Hannesy (sp) said to a judge whilst being prosecuted, "Aw judge, your damn laws... the good people don't need 'em and the bad people don't obey em, so what good are they anyway." Theorize: what would happen if everyone, simultaneously, ceased obeying crypto export laws?

  • Your solution for the crypto stuff is the equivalent of uploading a patch. This is, from my understanding, legal, as there are patches to SSH to let it run under Win32, which can be exported, though the binaries themselves that result from applying the patch cannot be exported. Instead they must be compiled and distributed completely outside the US.

    I'm not a lawyer, and I don't claim to be (so you might want to double-check with an expert!), but that's my take, fwiw.
  • PBS actually had a cool special on this recently. There were a couple hundred brit cows shipped over here before the US banned their export. Apparently the FDA (or whoever's lame job this is) has been tracking them down, buying them up, and incinerating them. No BSE positive cows have turned up yet tho.

    The other cool thing I learned is that BSE isn't a virus, it's a funky self-replicating protein. Yes, self replication without DNA. Totally unlike any other communicable disease...

    Here's the link. It's worth your time

    Click me [pbs.org]

    moo.

    - Digger

  • As a US citizen, I wouldn't count on nitpicky details like that to protect me. If the government wanted to bust someone for crypto export, they won't be deterred by this kind of thing. Someone might eventually be acquitted, but only after a lot of legal hassle. Better not to subject oneself to that kind of trouble.

    Unless, that is, you want to star in a test case.

  • MS seems to always insist that the only reason they are in court is that they bundled Explorer with Windows.
    And given that MS executives have expounded on how this is not anti-competitive until they're blue in the face, I've got to wonder whether those same executives aren't kicking themselves now. They now can't make a credible claim that Sun giving away StarOffice is anticompetitive.
  • My guess is no. The US crypto export rules go beyond the simple: "you can't export real crypto." For example if an American wishes to move to Canada to work on cryptography they have to: renounce American citizenship, and WAIT 10 YEARS. This is probably true for Americans moving to other countries as well. This assumes that the American will want to some day return to the US. There is not much the US law can do to you, if the country you are in won't extradite you (Canada will extradite).

  • > it takes more time than SSH but you get to have
    > some real food instead of american genetically
    > engineered hormone
    > grown hamburgers..

    And catch Captain Tripps or other funny one-time-diseases while eating British beef?

    Uhm, no thanx :-)
  • wouldn't that be import when he/she loads up the file and has it sent to the screen? And aren't there policies about that too?
  • I think denying citizens the right to privacy is treason and I'm sure there is real evidence of corruption involved.

    I was so moved that I had to post this short message and say that I agree 100%.

    Wow. I was just thinking this myself before I read your reply. It is sad when we as a supposedly "free" country don't even have the right to privacy or the simple right to exchange algorithms or ideas with people in other countries. Write your congressperson! These laws need to be stricken from our books. The Constitution was intended to preserve our freedom of speech, not to take it away!
  • After all, I believe there were issues with software which invoked PGP (such as mailer plug-ins), which only used the interface. I believe patches are a similar situation. Of course, take this as a grain of salt as IANAL.
  • Find the original ITAR regulations somewhere on Thomas [loc.gov]. Recently, the controls were transferred to Commerce by the Export Arms Regulations. Strong cryptographic software has been placed on this list of unexportable munitions by the President. In a nutshell, anyone can write any cryptographic software they want. However, if the strength of said software exceeds 56 bits, I believe, it cannot be exported from the US without an export license from the Commerce Department. US citizens may not acquire said software, take it to Canada, and re-export it from there, however, I'm not so sure Canadian citizens are banned from doing any such thing.

    As for where the list of munitions is, I'm not sure.

    Why can PGPI.com [pgpi.com] export the code? At the moment, any printed material is considered to be speech, and may be exported under the First Amendment to the US Constitution. The current manufacturers of PGP simply printed the source code in an easy-to-OCR format, PGPi bought copies of it, and distributed them to Europeans who proceeded to scan and proofread them.
  • Doh. Should've checked my copy.
  • Well, then, we must do what we must - fight the powers that be.

    "a"

    The preceding letter is an excerpt of a piece of a very strong encryption algorithm, posted to Slashdot where my fine European and Asian compatriots may get ahold of it.

    Although I don't support the use of the letter 'a' (there, I did it again) in harming the United States of America, I must support strong crypto.

    If the government comes after me for this, I will be forced to purchase a dozen PowerMac G4s and flee the country.

    - Darchmare
    - Axis Mutatis, http://www.axismutatis.net
  • Maybe, but if I'm lucky they'll let me keep my G4s.

    - Darchmare
    - Axis Mutatis, http://www.axismutatis.net
  • shipping a nuclear bomb overseas, one tiny little piece at a time? I don't think the feds would let that one slip through the cracks. :-)

    Certainly not, if they ever found out, which is the point of this whole discussion in the first place.


    Berlin-- http://www.berlin-consortium.org [berlin-consortium.org]
  • It would be very slow but may be in the law because nothing is leaving.

    Nope, the data is still being sent -- it's just encoded in the ACK sequences then. In fact, modulating ACKs is one popular way to quietly get data out of non-airwalled "secure" networks, hence we use fun devices like NLS pumps to prevent that.

    [ n.b. if you actually care about something, don't ever put it on a machine even remotely near an open network, firewalls, NLS pumps or no. Airwalls are the only way. (and even then they're not totally secure due to human factors) ]


    Berlin-- http://www.berlin-consortium.org [berlin-consortium.org]
  • At the end of each line, you could put a checksum digit. Then, if the OCR fails on that line, it can be flagged for checking by the human operator.

    This was done for the PGP book and others.


    Berlin-- http://www.berlin-consortium.org [berlin-consortium.org]
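The per-line checksum idea from the comment above, as an added example that is not part of the original thread and is not the PGP book's actual format. The choice of CRC-16 per line, the CRC-32 `PAGE` trailer, and all function names are assumptions made for this illustration; the sample source and the simulated OCR errors are constructed.

```python
import binascii
import string
import zlib

# Constructed sample source text (not from any real program).
SAMPLE = """\
static int rounds = 16;
for (i = 0; i < rounds; i++)
    state ^= key[i] << 1;
"""


def _crc16(line: str) -> int:
    """CRC-16/CCITT of one line of text (assumed per-line checksum)."""
    return binascii.crc_hqx(line.encode("utf-8"), 0)


def _parse_hex(field: str, width: int):
    """Return the integer value of a fixed-width hex field, or None if garbled."""
    if len(field) != width or any(c not in string.hexdigits for c in field):
        return None
    return int(field, 16)


def make_printable(source: str) -> str:
    """Prefix every line with its CRC-16 and append a CRC-32 page trailer.

    Trailing whitespace is dropped first because it cannot survive printing.
    """
    lines = [ln.rstrip() for ln in source.splitlines()]
    out = [f"{_crc16(ln):04x} {ln}" for ln in lines]
    page = zlib.crc32("\n".join(lines).encode("utf-8"))
    out.append(f"PAGE {page:08x}")
    return "\n".join(out)


def check_scan(scanned: str):
    """Verify OCR output produced from make_printable() text.

    Returns (recovered_lines, flagged_line_numbers, page_ok). A flagged line
    is one whose text or checksum field was misread and needs a human to look
    at it. page_ok is False when any line is flagged or when the page CRC
    fails, which catches dropped, duplicated or reordered lines that still
    pass their own per-line check.
    """
    rows = scanned.splitlines()
    if not rows or not rows[-1].startswith("PAGE "):
        raise ValueError("page trailer missing: cannot verify this page")
    *body, trailer = rows

    lines, flagged = [], []
    for number, row in enumerate(body, start=1):
        field, _, text = row.partition(" ")
        text = text.rstrip()
        lines.append(text)
        expected = _parse_hex(field, 4)
        if expected is None or expected != _crc16(text):
            flagged.append(number)

    page_expected = _parse_hex(trailer[5:].strip(), 8)
    page_actual = zlib.crc32("\n".join(lines).encode("utf-8"))
    page_ok = not flagged and page_expected == page_actual
    return lines, flagged, page_ok


if __name__ == "__main__":
    printed = make_printable(SAMPLE)
    print(printed)
    # Simulated OCR confusion: digit 1 read as lowercase L on one line.
    misread = printed.replace("<< 1;", "<< l;")
    _, flagged, ok = check_scan(misread)
    print("lines needing human review:", flagged, "page ok:", ok)
```

The page trailer matters because a per-line check alone cannot notice a line the scanner skipped entirely.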
  • Now, I don't vouch for the veracity of their claim, but there is a restaurant named Louis Lunch in New Haven, CT which claims to have invented the hamburger. They do not allow ketchup in the building -- in fact, the only toppings they allow are freshly sliced tomatoes and onions, and cheese. They serve it on toasted bread, not a bun. No fries.

    While their claim is farfetched, they have been open for over a hundred years.

    Then again, there is a pizza ("apizza") place -- Pepe's Pizza -- in New Haven which claims to have invented the pizza pie. I have it on great authority from another pizza place that it was invented in Brooklyn, perhaps at John's Pizzeria. And of course any Italian you meet will have their own deluded notion that pizza refers to the dough used, and it was invented in Italy. Oh well.

    The moral of the story is: when in New Haven, eat your burgers at Louis Lunch and your pizza (white clam is the best!) at Pepe's.

    Beware of anyone who claims to have invented anything culinary.

    Russell Ahrens

  • Working on strong cryptography is not covered by export laws. It is covered by munitions laws. In the same way that an American citizen cannot work on a nuclear bomb project for Iraq, an American cannot work on cryptography for a foreign company or for a foreign open-source movement.

    Basically, American citizens are not allowed to directly transfer intellectual property, whether it be code or simply ideas, concerning strong crypto to foreigners. Of course, Americans can simply write a book with these ideas and/or code. The First Amendment to the US Constitution is still stronger than the munitions laws. This is, in fact, exactly what Phil Zimmermann (he is the guy that wrote PGP, right? my memory is getting weaker these days...) did... he published the source code to PGP in the form of a book.
  • If I get this correctly, telneting into an offshore box and contributing "data" would be the equivalent of doing gambling over the net.

    In both cases you would be contributing something that is illegal in your own country to another country. Data for crypto and money for gambling.

    Someone had mentioned that if you were helping a country with crypto and they were using it for nuclear weapon technology, you would be counted as a traitor if there was a war. What if the offshore illegal site you were gambling on was using its profits to buy nuclear weapons? In both cases you would be contributing to your country's enemy.

    Darlock (from Canada)
    ---------------------------------------

    A child is walking along the beach at low tide.
    The beach is covered with thousands of star fish stuck up on the sand as the tide moved out.
    The child walks along, picking up one star fish at a time and tossing it out into the ocean.
    An old man comes along and says. "What are you doing, you can't possibly save them all.
    You are wasting your time. What you are doing doesn't matter".
    The child with joy in his face picks up another star fish, throws it into the ocean and says, "It matters to that one."
  • Import is allowed




    5th post!
  • If you go and find the stupid crypto export regulations, you'll also discover that they technically make it illegal for a US citizen with crypto expertise to travel outside of the US and sell (or give away) their crypto expertise there.

    The loophole you think you've found just isn't there.

    US Law forbids its citizens from exporting crypto expertise (or crypto work) as well as actual crypto binaries. If you're currently a US citizen and you want to export some crypto expertise, I think the only way you can do it is by leaving the US, becoming a citizen of another country and renouncing your US citizenship. Otherwise you'd be breaking US law and extradition might be possible.
  • That is a bad attitude to have. If everyone decides to only follow the laws, that they agree make sense, you will have anarchy.

    If you don't approve of the rules, work to change them. Don't just pick and choose which ones to obey.
  • About a month ago, Forbes had an article about Protegrity, a Swedish company that does crypto related work.

    One of the paragraphs in the article:

    "Unlike Protegrity, American encryption companies have to engage in some fancy footwork to stay legal. "It's like defusing mines--one wrong turn and the mine could explode," says Stewart Baker, a partner in the law firm Steptoe & Johnson in Washington, D.C. For instance, if only two of a firm's engineers, one in the U.S. and one abroad, were to exchange insights about an encryption algorithm, the U.S. government could shut the company down, fine it $1 million and jail its employees."

    Seems pretty cut and dried. If just talking about it theoretically is enough to get a company in deep, I think that coding, even over a terminal connection, would be just as bad.
  • What I said, is that you should move to change them. Rosa Parks did that. In her case, making a statement, by standing up to them, was how she worked to change them.

    You guys are willing to make a stand just like hers. Only you're too chickenshit to even identify yourselves by name on a forum like Slashdot. I assume you'd never consider putting yourself in harm's way, the way Rosa Parks did.

    I don't have a problem with actively opposing laws, but don't hide in the shadows, and try and sneak around the laws. If you think they need to be changed, stand up. Oppose the laws openly. And then fight for your right to do what you feel needs to be done.
  • A single person, can provide the genesis of a movement.

    If you expect things to change, at some point, someone is gonna have to make a move to get things changed. It's very rare, for laws to spontaneously disappear.
  • I'd start a movement around it, if I was that worried about it.

    I do think the laws are flawed. But I don't think that just ignoring laws that are flawed, is a solution to problems. Anarchy is not a favorite of mine.

    I was mostly just incensed, at an anonymous coward comparing poor downtrodden programmers, to Rosa Parks. I never realized before, what a mistreated underclass computer professionals are.
  • "Dude, even anarchy would be better than the current system in the USA."

    Are you insane? You'd rather have no protection from anyone/thing, than what we currently have?

    I freely admit that some of what the Gov't does, is pretty dumb. But I much prefer what we have now, to total anarchy.
  • Just move to Canada, you can still pass crypto across the border to the US with next to no restrictions and still export it. Plus free healthcare will be able to deal with your stress of paying taxes.

  • So you're actually having a problem with a big political power acting self-righteously just so they can feel important?

    And you're a US citizen?

    Can't be, right? ;-)

  • >To exercise exclusive Legislation in all Cases
    >whatsoever, over such District (not exceeding
    >ten Miles square)
    (Italics mine)
    What you missed is that the congress also exercises joint jurisdiction over the rest of the United States (granted in the "necessary and proper" clause of the Constitution).

    Please look up "Dual Sovereignty" in your law dictionary.

    IMHO, IANAL, and all other disclaimers apply.
  • But then again, I could very well be wrong and there is nothing wrong with communicating with foreign groups to help with the development of crypto and/or nuclear technology. I mean.. it's a free world, right?

    Free world or not; developing nuclear technology should be wrong if it's for your own nation or a foreign one.
  • "Articles like this make me want to yell, 'we're not all freakin american!!'"

    Which is why the poster said a "a developer in the U.S." This doesn't apply to you.

    If you don't like the article, don't post a comment to it.
  • It's sort of ironic you chose nuclear secrets for this sort of discussion, because this ties into national news as well. (National news? The big blue room? Aieee!)

    There was an incident at Los Alamos labs [cnn.com] where a person had access to nuclear secrets in an encrypted channel, and then copied them to an unencrypted channel and sent them to China. When you look at it, it's what you're talking about - "secrets" that should not be exported from the US (crypto or nuke) being sent to another country for development of a "program" there. That's what this boils down to. And in the case of nukes, people have resigned [cnn.com] and others may be indicted and convicted [cnn.com] of espionage.

    On the other hand, I can't help but wonder if anyone working on SSH or the like is in the United States, and if that violates any laws...
  • Thank you. I was wondering how long it would take someone to realize that when you type in your changes, you are EXPORTING that code. You type here, and your code TRAVELS down the wire to Iraq. Surely the government needs to know about subversive activities, and I for one am glad that there are humble, concerned people like the FBI, CIA, and J. Edgar Hoover watching over my e-mails to my friends and family. I am sure they wouldn't ruin your professional reputation to protect their privilege. I am sure that they wouldn't trump up espionage charges, and lock you up for the rest of your life. Have a nice day!
  • Didn't someone decide that source code is free speech and therefore protected...? So wouldn't this be a non question?
    xm@GeekMafia.dynip.com [http://GeekMafia.dynip.com/]
  • Why would Linus have to look at it? He deals with kernel additions mostly, right?
  • There's no restriction on importing strong crypto INTO the US, is there? If not, why doesn't the Linux community just agree to restrict all strong crypto development to people who aren't going to get in trouble for it and have US-based developers focus on other projects? We all get to benefit from the proceeds, so what's the difference?
  • The point is, we all want good crypto available to everyone. So why try so hard to circumvent an obviously dumb law?

    The irony is, of course, that by not allowing US developers to export their code, the US government is discouraging US crypto development when they THINK they're protecting US assets. That means that non-US technology has a better chance for success.

    If developers don't bother to develop the software within the US, nobody gets in trouble, the NSA's greatest fears are realized (which is fun), and we all get better crypto protection.
  • Right. And when you return from your hard day's work at the foreign embassy and return home, you will most likely find several darkly clothed individuals who represent the US government wanting to have a pleasant "chat" with you.

    Seriously, what you are suggesting is tantamount to hand delivering technology from the US to another nation. Whether it is by travelling several hundred miles or just across the street, you are basically giving technology to another foreign power. Embassies only provide protection if that country decides to accept you. But since you will be willingly leaving the building everyday, that just means there will be people waiting for your return to dole out your punishment, if you have violated the law(s) through your activities.

    One thing I don't get is why no one here admits Crypto is munition when everyone here admits that it should be used as such. Is it just denial?


    - Wing
    - Reap the fires of the soul.
    - Harvest the passion of life.
  • One of the main reasons there is such a stint over crypto is that it is considered a munition. So exporting it is tantamount to exporting live rounds, according to the law.

    Here's something interesting: Quite a few posters here would suggest that such an association of crypto with munitions is silly. That crypto isn't like live rounds or armour. But if that is the case, then why is it that crypto is referred to as a technology to "protect" us from the government's eyes and ears? Why the mention of ssh for "protected" and "secured" channels of communication. Obviously cryptography is being used as a tool, one which proves to be as effective as a gun, flak jacket, armoured tank, or missile silo.

    With cryptography, you can potentially run an underground operation without being detected. Your paper trail would take decades to decode or decipher, during which time, the statute of limitations would expire. With cryptography, the order to assassinate would never be heard by anyone other than the person the message was intended. It is the cloak which pairs with the dagger. The stealth camouflage.

    Yet there are still some people who argue that the idea of crypto being a munition is silly. Fine. Whatever.

    The law is there not because the government thinks US citizens are the brightest folk on the planet. It is to offer a means to punish those who would think to leak the secrets, weapons, technology, secret keys, etc to other nations either out of sheer ignorance or for personal gain.

    Powerful encryption is just as important as the latest technological advancement in military technology. It is useful if you have an understanding of how to use it which is on par or better than others who are using it. It is EXTREMELY beneficial if you are the only nation which holds control over it.

    The laws cover US citizens no matter where they go. Or at least tries to. Some people praise it for saving their asses when they get into trouble in other countries. Those same people scream their head off when those same laws follow them when they want to do something illegal outside of the jurisdiction of the states.

    If you ran a company and needed to keep clientele secrets for a living. What would happen if your employees had a habit of going home with a headful of those secrets and tells them to a friend when off duty and off company grounds? Just because they aren't working, does that mean the rules and regulations won't apply until they check in again? Does THAT make sense? No. The rules would apply even after work hours and off company grounds. It is the nature of the situation which creates the necessities for these laws. Due to one viewpoint or another.

    The ironic thing, of course, is that these laws were probably created by the very same type of people who are now seeking their removal. And in time, these new people will bring about laws which will become targets of yet another generation with different viewpoints.

    Basically, if you don't like it, talk to your representatives. Send letters. Send emails. Change the law. It IS your right. Better that than sneaking around hoping to not get caught because you think the law is evil.


    - Wing
    - Reap the fires of the soul.
    - Harvest the passion of life.
  • by FireReaper ( 11087 ) on Thursday September 02, 1999 @01:20PM (#1708237)

    So, what you are saying is that someone, in this case, a US citizen, is participating in the development of cryptography, yes?

    And while that isn't a big deal, we add into the stew the note that this person is physically in the states. But the databases and code he is working with are outside of the states.

    This has some ramifications. Namely, the person in question is developing cryptography. But not only that, he is helping a foreign organization develop it outside of the states. But he is using his knowledge of cryptography and/or programming combined with what he personally knows to aid the development of cryptography in another nation.

    If the problem is somewhat hard to see, let's use another example. Nuclear weaponry and technology.

    Let's say our friend is a US citizen and through an encrypted channel, is helping an organization in another nation work on nuclear weaponry. Sure, he doesn't have any documents on this side of the border and sure, all the work he is doing is stored remotely. But what do his actions amount to?

    I'm not sure in our current state of "peace", but if it were during a war, this person would be considered a traitor and if caught, would be held for treason.

    I'm not saying it is right or it is wrong. But the aiding of foreign nations to develop technology which could in turn be used against the states isn't exactly smiled upon.

    But then again, I could very well be wrong and there is nothing wrong with communicating with foreign groups to help with the development of crypto and/or nuclear technology. I mean.. it's a free world, right?

    On a side note, a knife painted like a banana is sort of silly, but it is still a knife and by that token, still dangerous and something to be respected. Even if the wielder is nothing more than a clown.

    ;)
    - Wing
    - Reap the fires of the soul.
    - Harvest the passion of life.
  • by BJH ( 11355 )

    You would be following the letter of the law rather than the spirit. If the US Government did happen to take an interest in you, they'll drag you into court anyway - and they just might win (try explaining your reasoning to a group of twelve random people and see how many of them get it.)

    Interesting idea, though...

  • Import is legal
    Export in Electronic form is illegal
    Export in non-electronic form is legal
    Print the diffs!!!
  • A significantly advanced organization wouldn't have a problem cracking such cryptography.

    Ah, but to persecute ... er... prosecute you they have to admit they can break it, thus spurring the rest of us to use an actually-secured system. Much better to let a hacker do something that's going to get done anyway than to lose the ability to eavesdrop on all the naughty emails and whatnot they're really after.

  • if he just fixes some bugs (like fixing a typo or changing the name of a function), I think this would not be considered export, since the only things you exported were the cursor movement and character deletion keystrokes
    In this you'd be safe, imho, only because any anti-crypto prosecutions would be laughed out of court. If you were busted and were forced to use the 'only a few key-strokes' argument, however, you'd be skating on thin ice. After all, all programs could be considered the sum of their key-strokes, and it doesn't matter whether they were written by one person or ten; if you willingly contribute code in a foreign land you're breaking the law.
  • by rde ( 17364 ) on Thursday September 02, 1999 @01:20PM (#1708250)
    Do you want to be the one to tell Linus he can't look at the crypto code?
  • by The Cheese ( 17421 ) on Thursday September 02, 1999 @01:51PM (#1708251)
    The company I work for (which shall remain nameless) has a strict policy on this sort of thing; our hot'n'juicy lawyers have made sure that the policy strictly conforms to US and international law. ANY work done by a US national that is implemented in a project outside of the borders of the US is considered export work. This includes bug fixes, and even commenting on work done by foreign nationals outside the US. In fact, even commenting on software produced by foreign nationals WHILE IN THE US is considered exporting those resources. Consequently, our encryption division looks like a typical shaker community; you shake it, and nothing but white guys fall out.
  • Call me stupid, but I thought mad-cow virus lived in brain tissue. Is there a waiting time or something? cause I can't imagine mad cow staying in your blood stream past a certain amount of time. (though you'd probably be dead by then I guess but thats not the point)
  • another way to do it would be to spend some time in europe and fiddle with us bearded european math wizzes.

    it takes more time than SSH but you get to have some real food instead of american genetically engineered hormone grown hamburgers..

    laurent

  • But IIRC, there is no provision in US code concerning export that prohibits me from leaving US territory and working as a consultant, even if the project I work on is crypto software that I could not export if I'd worked on it locally.
    ...
    However, outside of such obviously foolish and provocative activities (i.e. anything that could justify a treason charge), I don't believe there's any restriction on the export of cryptographic expertise contained in one's brain. If a US citizen travels to Brazil and works for a company producing a 1024-bit pgp-based email client, there's no US law broken.
    ...
    If it is clear that the codebase resides outside of the US, and the US citizen contributes, then in principle the expertise is the only export from the country. Remember, it's not illegal for a US citizen to print out the code to a crypto program, take the resulting ream of paper on an airplane to Australia, and rekey it into a system upon arrival. Only exporting code in compilable or executable format is a violation of silly US law.


    Like it or not, sensible or not, what you describe is illegal technical assistance. The only exportable information is that which is clearly public: it has to be printed and it has to be publicly available. Also acceptable is public technical discussion at conferences, etc. Furthermore, some of the other commenters are right: in this area, following what you believe to be the letter of the law in hopes of finding loopholes is not a good idea. Big parts of the law are generally enough written to end with the situation that they mean what their enforcers want them to mean.
  • Under the current US interpretation, it's illegal to do a logical no-op like downloading a file and immediately reuploading the identical file.

    Editing a file remotely, instead of downloading it, editing locally, then uploading the changed file might not be considered a legally significant difference since the end results are identical - software exists outside of the US and Canada which didn't exist there prior to your acts.
  • Those comments are completely uninformed. It is completely legal to publish the complete source code to PGP, DES, Kerberos, etc. (either in bound book form, or even source listings), and transport them out of the country.

    Not only "can" this be done, O'Reilly has published several books using special fonts designed to reduce OCR records. "Cracking DES" is one well-known example, and AFAIK it has been exported without problems.

    The *only* thing that's illegal is to export the exact same material in electronic format. So you can ship a pallet full of boxes containing source code, but not a CD-ROM containing the identical material. You can even carry the OCR software out on a disk, since it's not export restricted.

    This is why many of us are so frustrated with current US policy. It doesn't stop anyone from exporting cryptographic software, it just makes it such a pain that few people bother. (BTW, when Phil Zimmermann was being investigated for exporting PGP the focus was always on a specific FTP transfer that occurred almost immediately after he released his code.)
  • The problem with this reasoning is that you can't re-export cryptographic software, so you can't have US mirrors of these packages. Ditto US-based distributions, for the same reason.

    Also, Linus *is* involved since this policy prohibits the introduction of strong encryption routines into the kernel itself. That means we all lose:

    - strong filesystem encryption (at the kernel level)

    - strong filesystem authentication (e.g., having a file system which checks the checksums of files before allowing 'execute' access)

    plus numerous other applications which are currently in userland since the kernel lacks encryption. (SecureRPC, VPN, etc.)

    The results of this policy are very much like the driver who slams on the brakes to avoid harming the cute little squirrel running across the street... but causes several injuries to her passengers and the people in the following cars, to say nothing of $50,000 in damage. It's a damn good trade-off, as long as you never take your eyes off the furry little drug-running child pornography terrorists which only you can see.
  • by coyote-san ( 38515 ) on Thursday September 02, 1999 @02:24PM (#1708289)
    Nope, Canada is still considered a "domestic" site for the purposes of ITAR. US law allows export to Canada, but *Canadian* law bans reexport.

    What you're describing is crypto developed in Canada alone, which is a grey area. I think the treaties ban it also, but last I heard the current Canadian government didn't have its head as severely dislocated into its digestive tract as the US government.

    BTW, before someone else marks this "offtopic" or "flamebait" I believe these treaties date back to the creation of NORAD and the associated consolidated US/Canadian military commands. It made sense in that context, but nothing about treating unclassified software as a "military munition" makes any sense.

  • Crypto algorithms are short and sweet (well not always) but Crypto modes and protocols are often complicated and cumbersome, especially if you want the program to be useful.

    -
    /. is like a steer's horns, a point here, a point there and a lot of bull in between.
  • The real question here is of course "Where are you on the internet". The answer is obviously "A student came to Moon and asked...". To be hypothetically concrete:

    If I am physically in the US (say on an extended vacation) but telecommute to Sweden to program for a firm that has hired me, pays me, and bills its customers in Sweden, where am I working?

    Arguably, I am using up more Swedish resources (administration of postal services, social security, and what not) than US (a couple of KB internet bandwidth that I pay for explicitly anyway).

    The above case would probably be judged that I was working in Sweden because I am employed by a company that is clearly in Sweden. Now change the gedanken experiment to have me not employed but rather contracting... oooh! now I'd probably be working in the US.

    The problem is that old labour laws (IANAL) are to new labor situations like newtonian physics are to quantum. The old way works fine as long as we don't look at the limiting cases, like one person working at a distance. (I couldn't resist a non-locality pun).

    I've looked at some laws and they're full of things like preponderance of evidence, and other vagaries that make no sense when applied to an individual.

    The short of it is basically that location is a null issue on the internet, and until governments recognize this, we're going to see one absurdity after another.
  • I've been thinking about this type of thing myself lately. (#$%*@ Cryptonomicon)


    The main question I keep coming back to is, what defines the crypto?


    Say I and a buddy are developing an editor that encrypts the files when they are written/read from the disk. If he lives in Timbuktu and writes the crypto module, and I in the USA write functions that operate solely on the cleartext, can it be exported? Or is the whole project covered by the crypto laws by default?

  • The relevant section from the Defence Trade Regulations states:
    Part 121 - The United States Munitions List.

    Category XIII--Auxiliary Military Equipment
    (b)Speech scramblers, privacy devices, cryptographic devices and software (encoding and decoding), and components specifically designed to be modified therefore, ancillary equipment, and protective apparatus specifically designed or modified for such devices, components, and equipment.

    So if your software is "specifically designed to be modified" into a "cryptographic device" for "encoding and decoding" then export is prohibited. And the definition of export includes:

    Section 120.10 Export---permanent and temporary.

    Export means:
    (4) Disclosing or transferring technical data to a foreign person, whether in the United States or abroad.
    (5) Performing a defense service on behalf of, or for the benefit of, a foreign person, whether in the United States or abroad.
