Symantec Restricts Crypto Export 186
PhilK writes "Symantec is now refusing to sell LC5 (the Windows password cracking tool, previously from @stake) to anyone outside of the USA and Canada, claiming new Homeland Security laws. Symantec declined to field questions on the rationale for its policy and whether it applies to other products." From the article: "Symantec's restrictions recall the dark days of the crypto wars when users outside the US were not entitled to buy products featuring strong ciphers. These rules, relaxed by the Clinton administration and following a long running campaign by cryptography experts and net activists, are once again rearing their head. Symantec's response to our reader (below) suggests the policy was imposed on it by the US government."
ITAR Revisited? (Score:2, Insightful)
Back in the day, crypto was classified as munitions under ITAR [wikipedia.org]. This restriction was lifted principally because some smart eggs figured out that since the U.S. doesn't have a monopoly on math (no matter how much they might wish that to be the case), foreign countries could develop their own algorithms, so all the U.S was doing was shooting themselves in the foot by restricting what they could do in the international market.
And now, Dubya & Company want to try to restrict crypto once again. I really wi
Re:ITAR Revisited? (Score:5, Insightful)
MOD THIS MAN/WOMAN UP (Score:2)
How true. Everything from the abuse of interstate commerce laws to abuse of executive privledge and secret laws are all the fed's grab for more power. There is no true state power since SCOTUS decided that fed law can trump state law.
Could this law be used to stop DRM? (Score:3, Interesting)
True enough. After all, Clinton forced the DCMA on us; is using the law to prevent the distribution of LC5 any worse than using it to stop the distrubution of DeCSS?
Which gives me an idea. Since most DRM schemes are essentially a form of strong encryption, could this "Homeland
Re:ITAR Revisited? (Score:2)
Besides, there are so many other things to nail the dems for. For one, almost all backed W in wanting to invade Iraq, but now call fo
Re:ITAR Revisited? (Score:5, Insightful)
Well, obviously because Clinton relaxed those laws the "terrorists" were able to get these products and then use them against the US! What don't you understand?!
This strategy is doomed to failure, not only because foreign companies are perfectly able to develop their own products, but because these 'restricted' products are easily available on warez servers all over the world. If I want a copy of LC5, I can get one in less than five minutes, entirely free of charge, and I don't need to be in the U.S. to do it.
Just like anything that we try to restrict the "terrorists" from getting their hands on. It's a losing battle but one that's not meant to do anything to stop terrorism. It's meant to control the US population.
You might think that D&C would at least try to just keep tabs on international users of LC5 (after all, a wasp in a tent is a lot friendlier when you can see it), but instead, they choose the option to ban export, insuring that truly malicious users will stay well under the radar. Well done, George.
It's just another way to help the trade deficit!
Re:ITAR Revisited? (Score:2)
Re:ITAR Revisited? (Score:2)
Well, literally it restricts what US citizens can do in some way.
More specifically, it means that businesses can't make money selling export-banned products to the rest of the world. I assume it also means that researchers can't collaborate on projects related to banned technology with foreigners.
Re:ITAR Revisited? (Score:2)
Time to sing... (Score:2, Flamebait)
My thoughts freely flower,
Die Gedanken sind frei
My thoughts give me power.
No scholar can map them,
No hunter can trap them,
No man can deny:
Die Gedanken sind frei!
I think as I please
And this gives me pleasure,
My conscience decrees,
This right I must treasure;
My thoughts will not cater
To duke or dictator,
No man can deny--
Die Gedanken sind frei!
Are you listening, Dubya?
Re:Time to sing... (Score:2, Funny)
Your song sounds subversive. Your name has been added to the aviation watch list. Have a nice day, citizen.
Re:Time to sing... (Score:4, Insightful)
> And this gives me pleasure,
> My conscience decrees,
> This right I must treasure;
> My thoughts will not cater
> To duke or dictator,
> No man can deny--
> Die Gedanken sind frei!
"The thought police would get him just the same. He had committed--would have committed, even if he had never set pen to paper--the essential crime that contained all others in itself. Thoughtcrime, they called it. Thoughtcrime was not a thing that could be concealed forever. You might dodge successfully for a while, even for years, but sooner or later they were bound to get you."
>Are you listening, Dubya?
"SMITH! SMITH, D.P.B., 263124! Yes, you! Bend lower, please! You can do better than that. You're not trying. Lower, please! That's better, citizen. Now stand at ease, the whole squad, and watch me... Anyone under forty-five is perfectly capable of touching his toes. We don't all have the privilege of fighting in the front line, but at least we can all keep fit. Remember our boys on the Iranian front! And the sailors in the Freedom Fortresses! Just think what they have to put up with. Now try again. That's better, citizen, that's much better"
Re:Time to sing... (Score:2)
Re:ITAR Revisited? (Score:2)
Yeah, and it was actually easier to import strong crypto than export it, so alot of companies outside the US became very popular with the security vendors not only for the talentthat exists internationally, but also for the import capabiity.
Hasty Generalization (Score:2, Informative)
It still IS controlled (US Department of Commerce) and has been for a while; check your facts.
"foreign companies are perfectly able to develop their own products"
That is not the point. The point is that you don't want US companies AIDING foreign companies in creating cryptography systems to which the details are not known. Yes, I know, the strength of crypto lies in the mathematics not how it is done (read source); but having the algorithm d
Re:Hasty Generalization (Score:2)
The only cryptosystem protected by hiding the algorithm is a weak one. Strong systems flaunt their mathematical foundations, daring all to attack them--and survive that rigorous, even hostile, examination.
Coddle the weak and guarantee pwnage. The weak system, used unquestioningly, will fall easily to black-box examination of ciphertext or other system artifacts. And the users will not know!
Re:ITAR Revisited? (Score:5, Informative)
Cryptoanalytic items are more strictly controlled then encryption items because the regs are immature. Few people actually make and export them, and most cryptanalytic stuff is designed for snooping on people and not protecting computer security. The regs are designed with snooping equipment in mind. I don't think Lopht Crack is the droid BIS is looking for, and I figure Symantec could probably get a license to export it if they tried. Furthermore, I figure that if you had an open source cryptanalytic program you could probably distribute it online with the same sort of TSU notification you have to do when you ship open source cryptography software. However, IANAL, so don't take my word for that...
Re:ITAR Revisited? (Score:3, Insightful)
Violation of my rights (Score:2, Insightful)
I can't believe that few people see the flagrant violation of the 1st amendment in restricting expression and speech when government prevents code from crossing borders. Even without looking into COnstitutionally protected actions, why do you allow your government to make these victimless-crime laws? You can't stop code from crossing borders (not even in China). If the code does leave this country, it has hurt no one in the process. If some madman uses a Windows password cracking tool to steal a passwor
Re:Violation of my rights (Score:2)
Re:Violation of my rights (Score:3, Interesting)
I do. I should be able to trade with whomever I want to trade, without restrictions by the State. That's what freedom means. If we had open trade and didn't stick our noses in other countries' business, we wouldn't be living under fear of restribution.
Nonetheless, I do believe that the Feds can restrict trade by declaring war. They didn't declare war on Iran, or Iraq or Afghanistan or Bosnia or Vietnam, s
Re:Violation of my rights (Score:2, Insightful)
Re:Violation of my rights (Score:2)
Americans have the right to arms. Defend yourself. Form a militia in your town. Learn to love your neighbors, and to be fair to other people. Iran has no power to attack us, and they already have all the munitions plans they need. Iran has the right to self defense just as we do, and I have no problem with every country
Re:Violation of my rights (Score:2)
Characterizing a serviceman as a "cruel murderer" is extremely out of order. Coupled with your unhealthy fanatical reverence for strict constitutional constructionism I'm just going to have to concl
Re:Violation of my rights (Score:2)
I do remember 9/11.
Iran did not attack us. Iraq did not attack us. Afghanistan did not attack us. A group of people angry about our murdering 500,000 children in the Middle East attacked us. They died in that attack. We never found their top leaders, even after hundreds of billions of dollars were spent. Game over, move on.
I don't see how one attack killing 300
Re:Violation of my rights (Score:2)
I'm no fan of US foreign policy, but are you smoking crack? What 500,000 children has the US murdered in the Middle East? And in any case, al-Qaeda is quite explicit about the reasons for its actions and it has said nothing about any 500,000 murdered children. It wants and end to US presence and influence in the Muslim world, especially Saudi Arabia.
Re:Violation of my rights (Score:2)
What the poster reffered to is the children that died because of brutal and murderous sanctions (medicines unavailable because of those sanctions etc etc).
Re:Violation of my rights (Score:2)
Well, if that's what the poster meant he should have said so. I agree that the sanctions were probably ill-advised, but they did have exemptions for food and medicine. The fact that Iraqi children didn't get needed medicine is due largely to the fact that the money intended for them was diverted by Saddam Hussein and his buddies.
Re:Violation of my rights (Score:2)
And you think the two aren't related? In a nutshell (and in
1) Fund/Support corupt and brutal regimes as long as it fits US agenda in the region.
2) Regime breaks from US control.
3) US kills thousands of innocent people in process of "liberating" them from that regime.
4) $Profit
5) Repeat steps 1-4
Re:Violation of my rights (Score:2)
Right, I think the two are not related. In fact, I'd say the evidence is overwhelming that Al-Qaeda is not motivated by the casualties resulting from US intervention in Iraq since Al-Qaeda's major actions preceded the US invasion of Iraq. Nor does Al-Qaeda care about US support for oppressive and corrupt regimes. Al-Qaeda is fine with oppressive and corrupt regimes as long as they are, by Al-Qaeda's criteria. Witness the Taliban.
Re:Violation of my rights (Score:3, Insightful)
You certainly have an interesting perspective on things.
"I don't see how one attack killing 3000 people
Yes, it's awfully convenient to partition the world into so many parts that no single thing has anything to do with another. Now back to reality: that's just not how things work. The world is a complicated place. Issues cannot always be separated from each other, and they are not simply
Re:Violation of my rights (Score:2)
Re:Violation of my rights (Score:2)
So what's the point of imposing all these restrictions on foreign countries then? Sounds like it won't actually make you any safer and restricts your business opportunities, not to mention taking time, money and effort to enforce, so why bother?
Re:Violation of my rights (Score:2)
Also, as you point out, the country of Iran did not attack the US. Rogue people that may have been citizens of Iran attacked. How do you ju
Re:Violation of my rights (Score:2)
But that is why there is an arms race, after all.
Re:Violation of my rights (Score:2)
We must restrict the export of boxcutters and plane tickets.
Just to be careful we should extend the same restrictions to stuents and citizens too. In fact, we shhould probably require special clearance for the purchase of plane tickets and box cutters, only then will I be able to sleep at night, the fact that terrorists can bring safty siccors and mustach trimmers realler has be on edge.
Re:Violation of my rights (Score:3, Interesting)
I agree with you! A militia is a great way to keep our people strong and able. A militia prevents us from running around the globe trying to instill through force a system that came through voluntary cooperation (over time). Government is supposed to defend ou
Re:Violation of my rights (Score:2, Interesting)
Re:Violation of my rights (Score:2)
I don't do business with the Sauds, I said Dubai. Dubai is the most free city in the world.
The pro-State Middle East regime want US dollars as the Fed inflation funds the Middle East policy. Many Middle East company prefer gold and other currency over the US dollar in recent months.
My business is signing into long term agreements. I am 100% open and honest with my customers about my beliefs, and they like it. You work with going contracts, I bet. I work to find the loopholes.
Many of the most ra
Re:Violation of my rights (Score:2)
Sounds like the bush administration.
Re:Violation of my rights (Score:2)
Laws and procedures, such as this, restrict the freedoms of everyone, for the supposed reason of stopping
Re:Violation of my rights (Score:2)
Re:Violation of my rights (Score:2)
Re:Violation of my rights (Score:3, Interesting)
In fact, the Commerce clause gives Congress the right (and the power) to regulate commerc
Re:Violation of my rights (Score:3, Interesting)
You picked one of maybe 5 places where I don't have a good response -- yet. I do believe th
Re:Violation of my rights (Score:2)
Re:Violation of my rights (not hardly) (Score:2, Interesting)
OR (Score:3, Interesting)
JTR + Rainbow Tables = Teh Shit
http://rainbowtables.shmoo.com.nyud.net:8090/ [nyud.net]
Bittorrent to Download.
FYI
Alpha-Numeric and 14 Symbols = 11 GB
All Characters and the Space Character = 43 GB
It helps if you have enough RAM to load each 700MB section of table into memory. The longest part of this process (for me) is waiting for my puter to finish reading the tables off the DVD I burnt them too.
BTW- If something is illegal for export, that means th
Piracy (Score:2, Redundant)
Really now, do they think if they just dont sell it that it wont end up in the hands of those who they dont want to have it? Please.
Marketing.... (Score:2)
If you just have to have an automated tool for hash cracking, skip LC and do SamInside. Same functionality, cheap, no copy protection, and integrates with Rainbow Tables as well. Hey Mudge! Still think selling out was a good idea?
Now... (Score:5, Funny)
Good News/Bad News (Score:5, Funny)
Good news: According to another Slashdot story, I can download one for free from a French web site!! [slashdot.org]
Re:Good News/Bad News (Score:2)
Bad News about Good News: Until that actually comes to pass (and there is some doubt), you may in fact be pilloried [theregister.co.uk].
Secret Word (Score:2)
Maybe it provides an excuse for something (Score:2, Interesting)
Since I think the administration is at least semi-intelligent, I am looking for the ulterior motive.
Stupid (Score:2)
It's a bit of stupidity mixed with deviousness. This isn't about restricting tech to foreign countries so likely as it's the ability to arrest/incarcerate anyone who distributes them. The might not be able to control the flow of such tech outside of the country, but it gives them another reason to arrest anyone who they can nail as a distributor should they need an extra charge or two to lay down.
laughable (Score:2, Funny)
LC5 - L0phtCrack (Score:5, Interesting)
Yeah, I know, I'm partly at fault. Still, things could have been great.
But hey, we were all just a bunch of FBI Snitches [theregister.co.uk] anyway. Which if true means that there is probably a secret back door in L0phtCrack and still in LC5 that transmits all cracked passwords direct to the FBI so that they can get into any server anywhere. Of course if that is true (and of course it is) DHS and Symantec should actively promote the use and distribution of LC5. All the more passwords they can get. Whatever.
- Space Rogue
L0pht Heavy Industries
Whacked Mac Archives
Hacker New Network
Sell Out
FBI Snitch
(Pay no attention to this rambling bitter old man.)
Personal question for Space Rogue (Score:2)
(I worked for Symantec for 4.5 years. The money was really nice, but I didn't feel like I sold out to get it...)
Re:Personal question for Space Rogue (Score:5, Insightful)
I think what Symantec has done to @Stake is sad, really sad. They're sitting on some really cool software technology and not doing anything with it. My guess is that the same heebie-geebies that make them do export restriction on L0phtCrack (a.k.a. LC5) are making them sit on this decompilation technology.
I'd say that I'd like to see l0pht reborn from the ashes, but differently. Hasty Pastry is close to it, and I am glad I was able to my part and start it, and sad I couldn't afford to stay involved. But I think that more than HP is needed. Hasty Pastry is specifically non-commercial. L0pht become overly commercial. There needs to be something that's commercial but not a part of The Machine. A place where there's both money and fun. But that's not going to happen in Boston, this city has become too expensive.
Re:Personal question for Space Rogue (Score:2)
I'm sure that when you sell your company for a swimming pool full of cash, you automatically earn the ability to drown any such feelings in a sea of hot girls/boys and recreational psychoactives.
Re:Personal question for Space Rogue (Score:2, Interesting)
I wasn't around when @Stake was bought by Symatec. I was around for L0pht's sell-out to @Stake.
There were two issues back then, one we were greedy, we all were. We all saw $$ signs and ran towards them. However it wasn't just the money (Which really there wasn't that much of but some of us got more than others.) We had grand visions, "Make a dent in the Universe" and all that. We were niave and believed them. It took me a few months to see the writing on the wall, then HNN got canned and I saw the @S
Dark days indeed. (Score:5, Funny)
Re:Dark days indeed. (Score:2)
ironic. (Score:2)
Almost ALL the good pro cracking tools for passwords come out of the former USSR. We purchased a suite of them to crack documents and databases for use her at work and they work fantastically.
Oh come on... (Score:4, Insightful)
For that matter, there is a good chance that there are mirrors and/or legal copies of this tool in Europe already. So what's the point? This type of restriction is ridiculous.
Oh, and by the way, I have a copy of O'Reilly's 'Knoppix Hacks' on my desk somewhere. I think there is a recipe in that book to remove or replace the administrator password of a Windows machine using Knoppix. Again, what's the point behind this restriction?
Re:Oh come on... (Score:2)
The TSA/customs. Remember! We are fighting the terrorists on many fronts including right here on our "homeland". Everyone in the government must do their part to stop those that are aiding terrorism.
If you think I'm joking, you're unfortunately only half right.
TSA/Customs? Don't make me laugh... (Score:3, Informative)
I mean, seriously, what's to prevent me from slipping the Symantec CD-ROM in a little Case Logic CD folder, among dozens of other CDs? Do you really think the customs officer are going to check me? Do you think they are going to review each and every CD in my little folder, looking for the illegal-to-export LC5 CD? (short answer: NO).
What abo
Re:Oh come on... (Score:3, Informative)
It gets even easier than that. Just grab this [eunet.no], put it on a floppy or CD-R, boot it, and follow the prompts. IIRC, the current version works with everything up to at least WinXP SP2. It'll unlock any account and clear the password; after that, you can boot normally and set whatever password you wa
Resetting the password loses the crypto keys (Score:2)
Re:Oh come on... (Score:3, Informative)
Shameless karma-whoring, coming right up:
Emergency Boot CD [pcministry.com]. Has a Windows password-reset tool on it. Run it, shows you the list of accounts, pick one, reset its password to anything you want.
So, anyone care to start a pool on how soon the US requests my extradition for posting that?
Won't stop them (Score:2)
Imposed? (Score:5, Informative)
For starters, section 5A002 of the ECCN covers hardware. Perhaps Symantec meant section 5D002, software. 5D002.c.1 covers their situation. But the list of restricted countries hasn't changed for quite a while - it's the usual gang: Syria, North Korea, Sudan, etc. It seems to me that Symantec is being a little lazy here. Yes, they have to have an export license to sell the software outside of the US, but the restrictions aren't any more onerous than they were in 1999, when the EAR was updated to move cryptographic software from munitions to commerce.
Oh, and this "news" is almost a month old.
-h-
Re:Imposed? (Score:3, Informative)
Having personally gotten a crypto product approved for export, this fellow is right on.
What's interesting to me is this is most likely a "business decision" more than anything else. A Suit at Symantec put a stop to this potentially evil tool for no other reason than it's too small potatoes for them to deal with the risk of it being used by bad non-Americans versus the sales numbers.
What this also suggest is there's a bit of a figurative "circling of the wagons" at Symantec. It suggests very
Re:Imposed? (Score:2)
Sure, because there's no possible way that any of those evil hackers and terrorists could get a copy without buying it from Symantec.... [snicker]
Yet another stupid law that only penalizes people that actually obey laws in the first place. Hackers will just download a copy off of BitTorrent and be done with it.
Re:Imposed? (Score:3, Interesting)
Well, no kidding, Captain Obvious, but that wasn't the point of my post. Let me try again. The Reg claims that Symantec can't sell the software outside of the US and Canada because the government imposed a regulation on them. Not true. Symantec claims that a certain section of the EAC prohibits them from selling overseas. Not only not true, but they cited the
Re:Imposed? (Score:2)
So what? You're suggesting that Symantec is being blocked by US export restrictions because they haven't bothered to renew their export license?
Seems the other way round from how 99% of the other comments read, including the summary at top. To read those, you'd think that it's the export laws themselves that had changed. Or that Symantec are hiding something (cue the conspiracy theorists).
Re:Imposed? (Score:2)
Seems the other way round from how 99% of the other comments read, including the summary at top. To read those, you'd think that it's the export laws themselves that had changed. Or that Symantec are hiding something (cue the conspiracy theorists).
I'm not suggesting that Symantec is being blocked. I'm suggesting that if they want to sell their product outside of No
Re: (Score:2)
Re:Always look on the bright side of life! o/~ (Score:2)
Yeah, but we're all raging terrorists up here. You guys are *so* screwed now! We've been waiting years to be able to crack your Windows passwords, but now that we can buy Symantec software we can finally bypass the Win98 login screen on all the covert CIA workstations.
Muhahahaaaa
So how does that affect us Canadians (Score:3, Interesting)
Not that such laws would actually have a snowball's chance in hell of preventing this software from reaching other countries, but I do wonder when the US includes Canada in their private little party whether or no
Mysterious: perhaps this is why? (Score:2)
Let us suppose the NSA wants you to put backdoors into your security products and you refuse, what leverage does NSA have? Well, perhaps they might put commercial pressure on the company to comply: by refusing to allow them to sell the product until they do.
I am not sure this is the real reason, but it seems possible.
Re:Mysterious: perhaps this is why? (Score:2)
Arrogance? (Score:5, Interesting)
This is something that British Secret Services have used to their advantage. Public key encryption technologies were developed at GCHQ [gchq.gov.uk] in the early 70s but unlike the US, they didn't tell anyone until recently [ladlass.com] so they could use it without anyone knowing.
Something similar was done with Enigma. The fact that Enigma had been cracked was kept very quiet so that Enigma machines could be sold by the Brits to foreign governments after the war and we could listen in! News that we invented the World's first electronic computer was also kept secret [picotech.com] for the same reason.
The patent system helped too (Score:2)
Re:Arrogance? (Score:2)
four words (Score:3, Funny)
Q. make a familiar phrase out of the above
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
A. Closing the stable door after the horse has bolted
Tech Support (Score:2)
Yawn, another bullshit screed from The Register (Score:4, Interesting)
It's quite difficult to take The Register seriously when they post articles such as this. So many of The Register's articles are breathless screeds of the form Civil Liberties to be Abolished in the USA, Film at 11. Remember that the UK has oppressive laws (e.g., the Official Secrets Act) that make the PATRIOT Act in the USA look like a model of civil liberties protection by comparison. I wonder if The Register is secretly funded by the propaganda arms of the UK government.
Symantec doesn't like L0phtcrack (Score:2)
Meh (Score:2, Troll)
How incredibly hard it was for me to get lc5. (Score:3, Interesting)
Whew! (Score:2)
It's Going End Of Life Anyway... (Score:2)
--
Subject: Sunset Plan for L0phtCrack (LC) Products
Dear LC Customer,
The purpose of this letter is to notify you that Symantec Corporation is
discontinuing its L0phtCrack (LC) product line and will no longer
provide product code updates, enhancements or fixes to this product
line.
Key dates in this process are listed below.
Last Order Date: February 28, 2006
Last Ship Date: March 3, 2006
Customer Help Until Date: December 16, 2006
Syman
Maybe it's misclassified? (Score:2)
export laws are just a cover (Score:2)
The truth of the matter is that Sym's Legal dept is terrified of LC5, and this is a convenient excuse if it's true at all. Just as they were frightened by the liability and publicity implications of @stake's decompilation and automated app security checking to
Re:export laws are just a cover (Score:2)
Come on - you cannot tell me that nobody @@stake didn't know that this was bound to happen.
It's not rocket science - just mentally create a "short-list" of successful Symantec-aquisitions, compared to a "short-list" of aquisitions where the product ended as pure and utter crap.
Or how else can you explain the comment "Oh no - that was the only such service that was actually good and usable" someone blurted on a (mailserver-)mailinglist about the recent aquisition of Brightmail by Syman
Re:export laws are just a cover (Score:2)
It makes me wonder what Symantec DID buy @Stake for, if they're getting rid of the talented people and canning the products. The paranoid part of me says that they were put up to this task by some 'sinister force' that wants @stake gon
In other news... (Score:2)
Hmm. I'm a terrorist from Al Qaeda on a computer somewhere in Pakistan/Afghanistan/MiddleEast with an Internet connection. I need strong cyphers.
So hmm lemme see. What do I do? Either:
(1) I cry and whine that the US wont let me BUY a copy of symantec, in a country where 99% of the software is pirated. OR
(2) I google it up and download any tool I need. OR
(3) I goto the local software store
Re:OLD!!! (Score:2, Informative)