Symantec Restricts Crypto Export
Posted by Zonk on Thu Dec 22, 2005 11:17 AM
from the bad-old-days dept.
PhilK writes "Symantec is now refusing to sell LC5 (the Windows password cracking tool, previously from @stake) to anyone outside of the USA and Canada, claiming new Homeland Security laws. Symantec declined to field questions on the rationale for its policy and whether it applies to other products." From the article: "Symantec's restrictions recall the dark days of the crypto wars when users outside the US were not entitled to buy products featuring strong ciphers. These rules, relaxed by the Clinton administration and following a long running campaign by cryptography experts and net activists, are once again rearing their head. Symantec's response to our reader (below) suggests the policy was imposed on it by the US government."
ITAR Revisited? (Score:2, Insightful)
Back in the day, crypto was classified as munitions under ITAR [wikipedia.org]. This restriction was lifted principally because some smart eggs figured out that since the U.S. doesn't have a monopoly on math (no matter how much they might wish that to be the case), foreign countries could develop their own algorithms, so all the U.S. was doing was shooting themselves in the foot by restricting what they could do in the international market.
And now, Dubya & Company want to try to restrict crypto once again. I really wi
Re:ITAR Revisited? (Score:5, Insightful)
Could this law be used to stop DRM? (Score:3, Interesting)
True enough. After all, Clinton forced the DMCA on us; is using the law to prevent the distribution of LC5 any worse than using it to stop the distribution of DeCSS?
Which gives me an idea. Since most DRM schemes are essentially a form of strong encryption, could this "Homeland
Re:ITAR Revisited? (Score:5, Insightful)
Well, obviously because Clinton relaxed those laws the "terrorists" were able to get these products and then use them against the US! What don't you understand?!
This strategy is doomed to failure, not only because foreign companies are perfectly able to develop their own products, but because these 'restricted' products are easily available on warez servers all over the world. If I want a copy of LC5, I can get one in less than five minutes, entirely free of charge, and I don't need to be in the U.S. to do it.
Just like anything that we try to restrict the "terrorists" from getting their hands on. It's a losing battle but one that's not meant to do anything to stop terrorism. It's meant to control the US population.
You might think that D&C would at least try to just keep tabs on international users of LC5 (after all, a wasp in a tent is a lot friendlier when you can see it), but instead, they choose the option to ban export, ensuring that truly malicious users will stay well under the radar. Well done, George.
It's just another way to help the trade deficit!
Time to sing... (Score:2, Flamebait)
My thoughts freely flower,
Die Gedanken sind frei
My thoughts give me power.
No scholar can map them,
No hunter can trap them,
No man can deny:
Die Gedanken sind frei!
I think as I please
And this gives me pleasure,
My conscience decrees,
This right I must treasure;
My thoughts will not cater
To duke or dictator,
No man can deny--
Die Gedanken sind frei!
Are you listening, Dubya?
Re:Time to sing... (Score:2, Funny)
Your song sounds subversive. Your name has been added to the aviation watch list. Have a nice day, citizen.
Re:Time to sing... (Score:4, Insightful)
> And this gives me pleasure,
> My conscience decrees,
> This right I must treasure;
> My thoughts will not cater
> To duke or dictator,
> No man can deny--
> Die Gedanken sind frei!
"The thought police would get him just the same. He had committed--would have committed, even if he had never set pen to paper--the essential crime that contained all others in itself. Thoughtcrime, they called it. Thoughtcrime was not a thing that could be concealed forever. You might dodge successfully for a while, even for years, but sooner or later they were bound to get you."
>Are you listening, Dubya?
"SMITH! SMITH, D.P.B., 263124! Yes, you! Bend lower, please! You can do better than that. You're not trying. Lower, please! That's better, citizen. Now stand at ease, the whole squad, and watch me... Anyone under forty-five is perfectly capable of touching his toes. We don't all have the privilege of fighting in the front line, but at least we can all keep fit. Remember our boys on the Iranian front! And the sailors in the Freedom Fortresses! Just think what they have to put up with. Now try again. That's better, citizen, that's much better"
Re:ITAR Revisited? (Score:2)
Yeah, and it was actually easier to import strong crypto than export it, so a lot of companies outside the US became very popular with the security vendors not only for the talent that exists internationally, but also for the import capability.
Hasty Generalization (Score:2, Informative)
It still IS controlled (US Department of Commerce) and has been for a while; check your facts.
"foreign companies are perfectly able to develop their own products"
That is not the point. The point is that you don't want US companies AIDING foreign companies in creating cryptography systems to which the details are not known. Yes, I know, the strength of crypto lies in the mathematics not how it is done (read source); but having the algorithm d
Re:ITAR Revisited? (Score:5, Informative)
Cryptanalytic items are more strictly controlled than encryption items because the regs are immature. Few people actually make and export them, and most cryptanalytic stuff is designed for snooping on people and not protecting computer security. The regs are designed with snooping equipment in mind. I don't think Lopht Crack is the droid BIS is looking for, and I figure Symantec could probably get a license to export it if they tried. Furthermore, I figure that if you had an open source cryptanalytic program you could probably distribute it online with the same sort of TSU notification you have to do when you ship open source cryptography software. However, IANAL, so don't take my word for that...
Re:ITAR Revisited? (Score:3, Insightful)
Violation of my rights (Score:2, Insightful)
I can't believe that few people see the flagrant violation of the 1st amendment in restricting expression and speech when government prevents code from crossing borders. Even without looking into Constitutionally protected actions, why do you allow your government to make these victimless-crime laws? You can't stop code from crossing borders (not even in China). If the code does leave this country, it has hurt no one in the process. If some madman uses a Windows password cracking tool to steal a passwor
Re:Violation of my rights (Score:2)
Re:Violation of my rights (Score:3, Interesting)
I do. I should be able to trade with whomever I want to trade, without restrictions by the State. That's what freedom means. If we had open trade and didn't stick our noses in other countries' business, we wouldn't be living under fear of retribution.
Nonetheless, I do believe that the Feds can restrict trade by declaring war. They didn't declare war on Iran, or Iraq or Afghanistan or Bosnia or Vietnam, s
Re:Violation of my rights (Score:2, Insightful)
Re:Violation of my rights (Score:2)
Americans have the right to arms. Defend yourself. Form a militia in your town. Learn to love your neighbors, and to be fair to other people. Iran has no power to attack us, and they already have all the munitions plans they need. Iran has the right to self defense just as we do, and I have no problem with every country
Re:Violation of my rights (Score:2)
I do remember 9/11.
Iran did not attack us. Iraq did not attack us. Afghanistan did not attack us. A group of people angry about our murdering 500,000 children in the Middle East attacked us. They died in that attack. We never found their top leaders, even after hundreds of billions of dollars were spent. Game over, move on.
I don't see how one attack killing 300
Re:Violation of my rights (Score:3, Insightful)
You certainly have an interesting perspective on things.
"I don't see how one attack killing 3000 people
Yes, it's awfully convenient to partition the world into so many parts that no single thing has anything to do with another. Now back to reality: that's just not how things work. The world is a complicated place. Issues cannot always be separated from each other, and they are not simply
Re:Violation of my rights (Score:3, Interesting)
I agree with you! A militia is a great way to keep our people strong and able. A militia prevents us from running around the globe trying to instill through force a system that came through voluntary cooperation (over time). Government is supposed to defend ou
Re:Violation of my rights (Score:3, Interesting)
In fact, the Commerce clause gives Congress the right (and the power) to regulate commerc
Re:Violation of my rights (Score:3, Interesting)
You picked one of maybe 5 places where I don't have a good response -- yet. I do believe th
OR (Score:3, Interesting)
JTR + Rainbow Tables = Teh Shit
http://rainbowtables.shmoo.com.nyud.net:8090/ [nyud.net]
Bittorrent to Download.
FYI
Alpha-Numeric and 14 Symbols = 11 GB
All Characters and the Space Character = 43 GB
It helps if you have enough RAM to load each 700MB section of table into memory. The longest part of this process (for me) is waiting for my puter to finish reading the tables off the DVD I burnt them to.
BTW- If something is illegal for export, that means th
Piracy (Score:2, Redundant)
Really now, do they think if they just don't sell it that it won't end up in the hands of those who they don't want to have it? Please.
Marketing.... (Score:2)
If you just have to have an automated tool for hash cracking, skip LC and do SamInside. Same functionality, cheap, no copy protection, and integrates with Rainbow Tables as well. Hey Mudge! Still think selling out was a good idea?
Now... (Score:5, Funny)
Good News/Bad News (Score:5, Funny)
Good news: According to another Slashdot story, I can download one for free from a French web site!! [slashdot.org]
Maybe it provides an excuse for something (Score:2, Interesting)
Since I think the administration is at least semi-intelligent, I am looking for the ulterior motive.
laughable (Score:2, Funny)
LC5 - L0phtCrack (Score:5, Interesting)
Yeah, I know, I'm partly at fault. Still, things could have been great.
But hey, we were all just a bunch of FBI Snitches [theregister.co.uk] anyway. Which if true means that there is probably a secret back door in L0phtCrack and still in LC5 that transmits all cracked passwords direct to the FBI so that they can get into any server anywhere. Of course if that is true (and of course it is) DHS and Symantec should actively promote the use and distribution of LC5. All the more passwords they can get. Whatever.
- Space Rogue
L0pht Heavy Industries
Whacked Mac Archives
Hacker News Network
Sell Out
FBI Snitch
(Pay no attention to this rambling bitter old man.)
Personal question for Space Rogue (Score:2)
(I worked for Symantec for 4.5 years. The money was really nice, but I didn't feel like I sold out to get it...)
Re:Personal question for Space Rogue (Score:5, Insightful)
I think what Symantec has done to @Stake is sad, really sad. They're sitting on some really cool software technology and not doing anything with it. My guess is that the same heebie-jeebies that make them do export restriction on L0phtCrack (a.k.a. LC5) are making them sit on this decompilation technology.
I'd say that I'd like to see l0pht reborn from the ashes, but differently. Hasty Pastry is close to it, and I am glad I was able to do my part and start it, and sad I couldn't afford to stay involved. But I think that more than HP is needed. Hasty Pastry is specifically non-commercial. L0pht became overly commercial. There needs to be something that's commercial but not a part of The Machine. A place where there's both money and fun. But that's not going to happen in Boston, this city has become too expensive.
Dark days indeed. (Score:5, Funny)
Re:Dark days indeed. (Score:2)
ironic. (Score:2)
Almost ALL the good pro cracking tools for passwords come out of the former USSR. We purchased a suite of them to crack documents and databases for use here at work and they work fantastically.
Oh come on... (Score:4, Insightful)
For that matter, there is a good chance that there are mirrors and/or legal copies of this tool in Europe already. So what's the point? This type of restriction is ridiculous.
Oh, and by the way, I have a copy of O'Reilly's 'Knoppix Hacks' on my desk somewhere. I think there is a recipe in that book to remove or replace the administrator password of a Windows machine using Knoppix. Again, what's the point behind this restriction?
Re:Oh come on... (Score:3, Informative)
It gets even easier than that. Just grab this [eunet.no], put it on a floppy or CD-R, boot it, and follow the prompts. IIRC, the current version works with everything up to at least WinXP SP2. It'll unlock any account and clear the password; after that, you can boot normally and set whatever password you wa
Re:Oh come on... (Score:3, Informative)
Shameless karma-whoring, coming right up:
Emergency Boot CD [pcministry.com]. Has a Windows password-reset tool on it. Run it, shows you the list of accounts, pick one, reset its password to anything you want.
So, anyone care to start a pool on how soon the US requests my extradition for posting that?
TSA/Customs? Don't make me laugh... (Score:3, Informative)
I mean, seriously, what's to prevent me from slipping the Symantec CD-ROM in a little Case Logic CD folder, among dozens of other CDs? Do you really think the customs officers are going to check me? Do you think they are going to review each and every CD in my little folder, looking for the illegal-to-export LC5 CD? (short answer: NO).
What abo
Won't stop them (Score:2)
Imposed? (Score:5, Informative)
For starters, section 5A002 of the ECCN covers hardware. Perhaps Symantec meant section 5D002, software. 5D002.c.1 covers their situation. But the list of restricted countries hasn't changed for quite a while - it's the usual gang: Syria, North Korea, Sudan, etc. It seems to me that Symantec is being a little lazy here. Yes, they have to have an export license to sell the software outside of the US, but the restrictions aren't any more onerous than they were in 1999, when the EAR was updated to move cryptographic software from munitions to commerce.
Oh, and this "news" is almost a month old.
-h-
Re:Imposed? (Score:3, Informative)
Having personally gotten a crypto product approved for export, this fellow is right on.
What's interesting to me is this is most likely a "business decision" more than anything else. A Suit at Symantec put a stop to this potentially evil tool for no other reason than it's too small potatoes for them to deal with the risk of it being used by bad non-Americans versus the sales numbers.
What this also suggests is there's a bit of a figurative "circling of the wagons" at Symantec. It suggests very
Re:Imposed? (Score:3, Interesting)
Well, no kidding, Captain Obvious, but that wasn't the point of my post. Let me try again. The Reg claims that Symantec can't sell the software outside of the US and Canada because the government imposed a regulation on them. Not true. Symantec claims that a certain section of the EAC prohibits them from selling overseas. Not only not true, but they cited the
Always look on the bright side of life! o/~ (Score:2)
No they don't! This time, Canadians can buy them too!
So how does that affect us Canadians (Score:3, Interesting)
Not that such laws would actually have a snowball's chance in hell of preventing this software from reaching other countries, but I do wonder when the US includes Canada in their private little party whether or no
Mysterious: perhaps this is why? (Score:2)
Let us suppose the NSA wants you to put backdoors into your security products and you refuse, what leverage does NSA have? Well, perhaps they might put commercial pressure on the company to comply: by refusing to allow them to sell the product until they do.
I am not sure this is the real reason, but it seems possible.
Arrogance? (Score:5, Interesting)
This is something that British Secret Services have used to their advantage. Public key encryption technologies were developed at GCHQ [gchq.gov.uk] in the early 70s but unlike the US, they didn't tell anyone until recently [ladlass.com] so they could use it without anyone knowing.
Something similar was done with Enigma. The fact that Enigma had been cracked was kept very quiet so that Enigma machines could be sold by the Brits to foreign governments after the war and we could listen in! News that we invented the World's first electronic computer was also kept secret [picotech.com] for the same reason.
four words (Score:3, Funny)
Q. make a familiar phrase out of the above
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
A. Closing the stable door after the horse has bolted
Yawn, another bullshit screed from The Register (Score:4, Interesting)
It's quite difficult to take The Register seriously when they post articles such as this. So many of The Register's articles are breathless screeds of the form Civil Liberties to be Abolished in the USA, Film at 11. Remember that the UK has oppressive laws (e.g., the Official Secrets Act) that make the PATRIOT Act in the USA look like a model of civil liberties protection by comparison. I wonder if The Register is secretly funded by the propaganda arms of the UK government.
How incredibly hard it was for me to get lc5. (Score:3, Interesting)
Re:OLD!!! (Score:2, Informative)