Encryption Security

Details About New Crypto Export Regulations

Codex The Sloth writes "The Industry Standard has a story about industry feedback to the Clinton Administration's new Crypto Regulations which are being developed behind closed doors. Evidently it requires high security like Hillary Clinton's health care reform plan..." Worth a read. It sounds like we're getting somewhere, although not everywhere.
  • i really don't even understand why the usa has to be so bitchy about crypto products... i hope someone develops better ones like gnupg and bans the usa from using them :)
  • but boy was that vague. They want to relax some of the export restrictions? So that whatever you're selling might only constitute 10% munitions? Or maybe only if you're using it wrong, or in the wrong market?

    If this made sense to you, please post and clear it up for us. This doesn't even look like the government is considering giving us more bits for encryption! (They don't allow enough bits, and no kibbles, so write to your Congressman!)
    ---
    pb Reply or e-mail rather than vaguely moderate [152.7.41.11].
  • I'm told that the DVD standard was hackable partly because of mandatory weakening of exportable products from the US. Will the next generation of players come from Japan or Germany and ignore US limits entirely?

    Now, I like the fact that DVD is now just data stored on a medium. But I suspect Hollywood is wishing that they had bought into a non-USA standard that was allowed to be as strong as the builders wanted it to be.
  • by Anonymous Coward
    Interesting was that they only used the word "sale" and said nothing about giving things away. Which could be good, but you're right, that article says basically nothing.
  • here's a link, http://www.cdt.org/crypto/admin/regs112399.shtml.
  • by renegade187 ( 95300 ) on Tuesday November 23, 1999 @05:03PM (#1509214) Homepage
    Encryption is now limited to rot13 so there's no need for key escrow. Of course all governmental encryption will be increased to tripleDES!

    If I have data needing protection, i RAR it with a password, then put it on cd and hide the cd.
  • Man, it's BS until it's completely unregulated. The current US system is so completely harebrained that it could only have been dreamed up by politicians.

    Someone needs to just open a Strong Encryption company outside the US (Mexico? That's where I'd put the factory anyhow) and start mass-shipping crypto-enabled software and phones to the US.

    Of course, it's all for naught -- quantum encryption means that they'll have to mass deploy cranial implants to be sure of what I'm up to.

    ----

  • What new thing about the export restrictions on cryptography have we learnt?

    Nothing except rumours. And a date of Dec 15 for release of the draft.

  • Why are there different laws for foreign Governments and foreign private use?

    That has got to be one of the most stupid things I've ever heard of, even compared to the stupidity of the laws at the moment.

    A (non-US) country's citizens are allowed to buy strong crypto, but that government isn't???

    Maybe (and this may be wayyyyy wrong) foreign governments might not like that much?

    If anything, this is going to encourage non-US software companies to enter the crypto market.

    Imagine this: Network Associates spends millions of $'s on a big advertising campaign in Europe, so some government department decides they need strong crypto.

    They head down to the local computer shop with a nice $10 Mil to equip all their offices only to be told "Sorry - you are government, we can't sell this to you, because it's made in the US"

    "Oh no! I've got this $10 Mil for strong crypto software. How can I use it?"

    "Well... there is this local company.. it is a crappy bit of software, but we can sell it to you"

    So the government buys CrappySoft Encrypter, and CrappySoft then enters the US market, with a nice claim "We are the official supplier to a million European government workers" - what US company can boast that?

    --Donate food by clicking: www.thehungersite.com [thehungersite.com]

  • by Dwarf_Sibling ( 118360 ) on Tuesday November 23, 1999 @05:21PM (#1509218)
    I have some third party knowledge from a DoD official regarding the new regs. The information was current as of Comdex last week. Take this with several grains of salt as it is most definitely hearsay. I'm only offering it up because the included article seemed to raise more questions than it posed answers to.

    According to this individual, they are completely relaxing any bit-length restrictions on encryption technology. When sold through "retail", it is completely free of restriction. However, when sold to government at least, or perhaps major corporations, encryption vendors are required to track the end user. It wasn't specified whether or not this information needed to be expressly given to the government at point-of-purchase or only after a subpoena. If it's the latter, I'll sleep better. If it's the former, I think we just traded relaxation of one regulation for a tightening of another. Btw, countries like Iran, Iraq, Libya, etc. are still on the black list. But we can't even sell them a stick of gum, let alone an encryption device.

    -DS
  • by True Dork ( 8000 ) on Tuesday November 23, 1999 @05:26PM (#1509219) Homepage
    is why Network Associates is referred to as being able to weigh in with their opinion. I personally think they showed us their opinion when they became members of the Key Recovery Alliance (http://www.kra.org). After I saw they had joined, we promptly banned all Network Associates products in our offices. Does this not bother anyone else?
  • by EngrBohn ( 5364 ) on Tuesday November 23, 1999 @05:28PM (#1509220)
    You realize, of course, that any license which forbids use by residents of the U.S. would not satisfy the Open Source Definition [opensource.org]. Of course, neither would one that would forbid use by residents of Cuba, Syria, Iraq, etc.
    Christopher A. Bohn
  • by bnenning ( 58349 ) on Tuesday November 23, 1999 @05:28PM (#1509221)
    The fact that the regulations are being developed secretly is not a good sign. I seriously doubt the revised laws will offer any improvement in the area of personal freedom. They may make it easier for commercial companies to make money selling their products, but as long as the FBI and NSA are calling the shots don't expect to be able to freely distribute strong crypto.

    I don't believe compromise is possible on this issue. Either I can write open source crypto code and post it publicly without going to jail, or I can't. I see no indication that the FBI and NSA are prepared to allow that. My guess is that they're stalling for time, since they know if this issue ever gets before the Supreme Court all restrictions are likely to be struck down.

  • by EL8 DOOD ( 118486 ) on Tuesday November 23, 1999 @05:31PM (#1509222)
    Mainstream cryptography is for wusses! If you use your own proprietary crypto system, then not only will the cracker have to factor to hell, they will also have to figure out what the fsck is going on first. It's too easy to crack these days with everyone using normal des.

    Anyway, I have a new super crypto algorithm that is freely exportable, I think. Feel free to use it all you want, just give credit where it is due.

    THE NINJA/LINE NOISE ALGORITHM by EL8 DOOD

    Ok, here is the basic idea: Say you have a 2000 word secret message you want to send to someone. You could just substitute letters for new letters, ie a=x, b=d, etc, but that would die to a statistical analysis attack since the most common letter would be e, and so on.

    Now, here is where the line noise comes in: After doing a substitution cypher, you fill a file with a billion random characters! Then you randomly insert the secret message somewhere in the middle of the randomness! There will be so many characters that those in the actual message will not be statistically significant and will thus be undetectable. There is _NO WAY_ to crack this unless you want to go through every possible substitution cypher (26 factorial possibilities) and search a billion bytes for something which resembles English.

    In short, my algorithm is better than des and freely exportable too. Once word gets out on my great achievement, Reno might try to get my algorithm banned overseas, so use it while you can!
  • IIRC, these regulations just make it easier for people (read companies) to get export licences.

    in no way do they do away with the requirement that you obtain a license before exporting strong crypto.

    of course, the getting of a license takes money, and, gee, free software folks don't have the money...

    shit happens again, the gov't looks after its sponsors first. they're not doing this because they want to free crypto, or because we're making a noise or because they realise that it's stupid. they're doing it because the companies will take their campaign money elsewhere if they don't. bah.
  • by Floyd Turbo ( 84609 ) on Tuesday November 23, 1999 @05:35PM (#1509224) Journal
    Someone needs to just open a Strong Encryption company outside the US (Mexico? That's where I'd put the factory anyhow) and start mass-shipping crypto-enabled software and phones to the US.


    It's called www.kerneli.org [kerneli.org]. They have a pretty good ftp site, too :)
    • From their old export policy, one might infer the insular attitude "Our encryption is American, therefore it's the best".
    • The effect of the policy was that other, more effective, forms of encryption were developed outside the United States, and they're now wising up to the fact that if an Iranian terrorist wants to send military grade encrypted attack plans, he can.
    • The insistence of government authorities around the world on key escrow / backdoors is destined to fail, as independent software authors will always be willing to write commercial/military grade encryption products which do not provide key escrow / backdoors.
    • Government authorities worldwide now realise that it is expedient to allow encryption for the growth of e-commerce.
    From these points, it can be concluded that the US restriction on export of encryption products has only harmed US business, as similar/better products are available outside the US.
  • by diaphanous ( 1806 ) <pgarland.gmail@com> on Tuesday November 23, 1999 @05:43PM (#1509227)
    "Last night, the government group released a preliminary draft to several companies that manufacture encryption products. The government asked the firms to keep the details secret for the time being" I don't see any reason for the government to restrict the public from reading the report except to minimize nettlesome grass roots opposition to the new regulations. In a democracy the whole public (not just a select few corporations) is supposed to be able to review, discuss, and agitate for or against rules that will affect everyone. Though by and large it seems as if most companies have tried to stand up to the NSA and the Clinton administration when faced with absurd crypto regulations, I worry that they may find a path that optimizes their profits but minimizes our privacy.
  • by Anonymous Coward
    rot13 is for export. Within the US, you'll be allowed to use rot26.
  • by Anonymous Coward
    The encryption key was weak, only 40 bits, so it could have been eventually cracked. However, the way DVD was cracked was because one of the vendors (Xing) didn't encrypt their private key, and thus made the whole system vulnerable. (other keys were cracked using Xing's key, so they can't just kill support for that one vendor).
  • by YoJ ( 20860 )

    What exactly is the point of banning strong crypto products? I was under the impression that the reason crypto is "bad" is because "bad people" can use it for nefarious purposes. Aren't there any "bad people" in the US? If people in the US can use crypto for benign purposes, why can't people in other countries do the same?

    It might make sense to restrict the sale of cryptographic products going to governments with a known track record of abusive behavior. Anything more than this is lunacy. It appears (from my reading of the article) that Netscape won't be able to ship a strong-crypto version of Navigator to people in Cuba. Where is the logic there? The Cuban government might get a hold of it and be able to order missiles from www.nukes.com and not have to worry about their credit card number being stolen?

    -Nathan Whitehead

  • by Anonymous Coward on Tuesday November 23, 1999 @06:39PM (#1509233)
    The administration says that the regulations were modified to allow noncommercial source code export. But then the draft of the regulations says that it is specifically still illegal to send source code to the Seven (e.g. Cuba). Since that's the case, it could still be illegal to post crypto code on the web, in anonymous CVS, on an anonymous FTP site, or in a newsgroups -- just as it is now. Unless the government specifically says that open and unrestricted electronic publication of crypto code is legal, the situation may not change at all -- because FTP site operators and so on could still be threatened with prosecution, because someone in Cuba can still download the code.
  • They want to snoop... and if they want to but can't, they want to change the game.
    All coding a key into the thing is going to do is allow A) them to snoop on everyone, b) invite some (un)scrupulous person to find it, then send it out.

    Sounds a lot like DVD.

  • I generally don't read the crypto articles so excuse me if this question has been asked (and/or answered) before, but what are other countries' crypto regulations like? Is the US the only country with such regulations? If not, how strict are other countries and are any worse than the US? I can read tons and tons of articles about why people think this is so awful, but I personally can't really understand all the venom unless I understand the context.
  • <flame>

    I wish our fucking politicians would get their god damned heads out of their fucking asses so I could get some actual fucking work done.

    You know what should be criminal? It should be criminal that I have to ftp to Finland to get my crypto products because no one will post them here in the states. It should be criminal to say that if I do that and then send the source to my friends in, say, Romania, that I could and probably would be arrested for what amounts to trafficking in arms over international borders. It should be criminal that I can't get a mail program that incorporates strong crypto here in the states because of the government stance on cryptography, including "Crypto enabling APIs." I think it should be criminal that in 10 years my country is going to be a fucking THIRD WORLD COUNTRY because even goddamn ETHIOPIA will have surpassed us in the new world economy. That's what I think should be criminal.

    </flame>

  • Here's how it works:

    Take your message. Say... "Hail Eris"...

    Put all the vowels at the end ("HLRSAIEI")

    Reverse Order ("IEIASRLH")

    Convert letters to numbers: (9-5-9-1-19-18-12-8)

    Put into numerical order (1-5-8-9-9-12-18-19)

    Convert back to letters ("AEHIILRS")

    This cryptographic cypher code is GUARANTEED to be 100% unbreakable.

  • Encryption regulations are a royal pain, especially for small developers. I had an idea for a program that uses cryptography, so I got together with a friend to write this. After nearly half a year, our software is almost done, but the issues regarding crypto regulations are unresolved.

    In order to comply with the export regulations, we had to cripple our software (56bit DES instead of 3DES), because we plan to offer our software for download over the internet but we don't have the resources to limit our software to people in the US only. Even then, there are still more problems. We have to submit our software for a "one time technical review". After spending hours and hours poring through the regulations and making phone calls to the BXA, we finally figure out what has to be done. There are half a dozen forms to fill out, we have to describe our software in detail, spend time modifying our code so that the encryption strength cannot be easily increased, etc. etc.

    We haven't managed to find the time or energy to do this yet. I'm still studying and my friend holds a full time job. We barely have time to work on the software proper, let alone deal with legal crap like this. Perhaps someone has some advice to offer on how we should go ahead?
  • Most US citizens don't bother with crypto either, because they can't get a mail program that integrates strong crypto. So they send all the E-Mail in the clear, allowing Echelon to work much more efficiently and not spend the 15 microseconds it takes the NSA to factor primes, something they've been able to do with ease since the 1960's when they discovered the formula for fast factoring. They've managed to steer every educational institution in the US and many other countries away from the relatively simple math it takes to do that. Any math professor who gets too close gets a little visit from the men in black. In a nutshell, the whole crypto scene is a red herring to distract us from the REAL facts, that they ARE listening to EVERY communication on the planet, and compiling the SINGLE largest database of PORN anywhere on the planet.

    Nukes to Saddam? They couldn't care less.

  • You know, there are african-americans on slashdot who go about their business, commenting insightfully on discussions, and trying to help the free flow of information we have here by not using inflammatory racial slurs. I suggest you try to be more like them.

    --
    Harvey
  • I thought the seven deadly countries weren't on the net, since you can't export anything to them.
    Something to do with acceptable use tariffs requiring that you cannot connect your network to a network in a country on the prescribed list. Am I right, or are Cuba, Libya, Iraq, et al on the net w/o me realizing it...

    Warner
  • Xing having forgotten to encrypt their key only made the inevitable easier. It was a software-only player which presumably would work without a network connection. Thus, even if they encrypt their DVD key, they have to have the decryption key for THAT cipher in the clear, or else the key to the cipher for THAT key, etc. Since it's software, it takes only someone with way too much time on their hands to walk through the disassembly line by line until they figure it out.
  • It varies. Some countries ( a lot of Europe, Canada, and Australia ) are much better than the US ( ie you can export crypto ) but a few countries are as bad as the US ( eg France )

    Cheers,

  • Someone needs to just open a Strong Encryption company outside the US (Mexico? That's where I'd put the factory anyhow) and start mass-shipping crypto-enabled software and phones to the US.

    Sure, it's done all the time (Datafellows ssh, Stronghold Apache etc.). The only losers are the IT industry in the states, who can't export similar stuff that others are importing every day!

  • Just you need to tell the receiver of the message where in all this the message is. Still you have to hide that Information from the Attacker...

    BTW for 99% of all Applications bloating the Data is just not acceptable.
  • Do you really think people from outside US can't make Crypto software that compares well to the one made by Network Associates?

    Where does GnuPG come from? Where are OpenSSL and FreeSWAN developed? Not to speak of the Russian, Chinese and Indian Math gurus.

    I think the main mistake the American Government is making is that they assume they can prevent anyone from using strong encryption. Actually they can't.
  • AFAIK There is one way around that:

    1. Write a Book about your Software
    2. Put the complete Source Code in the appendix (including stuff like comments for the Page numbers, etc.)
    3. Find someone outside the US that scans the Pages and after running an OCR Software compiles and distributes it.
    4. You should check the actual Laws before. You should be able to label your Book as "Scientific Work". AFAIK you are allowed to export that.

  • :-)

    Milk is bad because bad people can drink it...

  • ... I don't even play one on TV.

    That said: I can't figure out if your post is satire or meant to be factual, or some delirious blend of the two. There are portions which are factual, portions which are obviously satirical, and a lot that's in between.

    Most US citizens don't bother with crypto either, because they can't get a mail program that integrates strong crypto. So they send all the E-Mail in the clear, allowing Echelon to work much more efficiently...

    Pretty accurate, except that it isn't a dearth of cryptographic EMail clients that's doing us in; rather, crypto is too daunting technically for the average user. When PGP 5.0 came out it was hailed as making it accessible to the masses, but in independent testing it was shown that one Real User in three was unable to use PGP properly in a way which did not compromise the security of PGP.

    Crypto has been widely available to the technically knowledgeable since the '70s, with the invention of public-key crypto and DES, the first truly modern symmetric algorithm. IMO -- and remember, I am not a cryptographer, and my opinion on this may not count for much -- by the time breaking DES became a trivial task for world intelligence agencies, TripleDES was already known.

    Basically, we've had good crypto tools available for the last twenty-five years or thereabouts. We've had the algorithms and we've had the software. What we lacked twenty-five years ago -- and what we still lack now -- is, IMO:

    1. A way to educate the public about crypto and security without requiring anything more advanced than 9th Grade algebra. I may be overestimating the mathematical education of the general public here, but it's hard to imagine talking about crypto without using any mathematics.

    2. PKI (Public Key Infrastructure). Somehow, there needs to exist a mechanism for the safe and trusted exchange of public keys. To the best of my knowledge, at present there is no suitable PKI anywhere in the world. PGP's Web of Trust is not scalable to the worldwide community (and has a whole host of other problems, besides).

    3. A political climate which considers cryptography, privacy and information security to be worthy topics in the national discourse. Almost every time I see privacy brought up in the mainstream news media, it's always in the context of "you are losing your privacy", never "you are losing your privacy, but there are things you can do about it, on a personal level through your own action, and on a national level through our collective action". People who discount the "unwashed masses" are in for a rude surprise. The hordes of Real Users out there will either make or break national policy. Remember that. You want to get ITAR and those other silly rules thrown out? You need the help of John Q. Public. The forces who want to restrict crypto access even more than they're already restricted are also courting John Q. Public.

    ...and not spend the 15 microseconds it takes the NSA to factor primes, something they've been able to do with ease since the 1960's when they discovered the formula for fast factoring. They've managed to steer every educational institution in the US and many other countries away from the relatively simple math it takes to do that. Any math professor who gets too close gets a little visit from the men in black.

    I hope this is satire with a kernel of truth. Yes, factoring has never been proven to be a difficult problem, merely conjectured to be so. However, if a polynomial-time factorization algorithm were to be discovered, it would have such revolutionary impacts on the computer industry that I don't think it could be concealed. Honestly. If factorization can be done in P time, then all sorts of related problems can be done in P time, and suddenly... wow. All sorts of incredibly thorny problems suddenly become made clear.

  • Notice that this USA Today summary [usatoday.com] points out there are important phrases which are undefined. So the encryption export proposal is itself in code.

    I like the Fiat example. At what point is a company a government entity and thus different restrictions apply?

  • I can't find any description of what encryption algorithm RAR uses on their web pages or anywhere else. That usually means it's a home-grown piece of crap. Furthermore, the password is limited to 10 characters, so it's weak. See On Cryptosystems untrustworthiness [instinct.org] or this page on Russian Password Crackers [stu.neva.ru] including a couple of RAR crackers to get the picture about how bad the situation is.

    Use PGP, or ScramDisk, or SFS, or similar systems which at least tell you what algorithms they're using.
    --
  • I think the main mistake the American Government is making is that they assume they can prevent anyone from using strong encryption. Actually they can't.

    Actually, they can, and have.

    There is a difference between "preventing anyone from using strong encryption" and "preventing everyone...". They can't stop everyone from using crypto but they can stop some people.

    In fact, they've stopped most people from using strong encryption. Most people don't have crypto-aware email software. Most people continue to use "export-grade" web browsers. Less than one percent of internet traffic is strongly encrypted. Cellphones are still using weak crypto or none at all. Landline phone traffic is almost completely unencrypted.

    The mess of government regulations has successfully slowed the spread of strong encryption. Promises about lifting those regulations have been used repeatedly to keep the industry from forming an effective opposition (why actively oppose something which will go away on its own "RSN").

    Don't be fooled into thinking that we've won. That's exactly what they want us to think.

  • Actually, a text message should stand out like a sore thumb in a random stream, even if it is substituted. Try reading applied cryptography.
  • One of the commercial products will bury your secret file into a WAV file, taking up to half of the file as apparent hiss behind the material you recorded. Even knowing the algorithm, there is no way to see that there even IS data there until you apply the algorithm WITH THE CORRECT PHRASE.

    (These claims from the publisher's website. Too bad that I forget who the publisher was.) Does this sound similar to what you are talking about?
  • Ok, the FBI/NSA/whatever want to stop criminals/terrorists having data that they can't get access to, so they're crippling stuff exported from the US. I can see the reasons, but there's a major flaw here.

    As it says in the article, there's >800 other crypto products which are freely importable to US, so the terrorists can just use those. If I wanted to hide data from the govt, I'd just download PGP (the war on that one has already been lost) and encrypt my data. I could use ssh with 1024 bit encryption to keep my data secure over the network.

    In short, all the US regulations do is:

    • Put .us firms at a disadvantage in competing against the rest of the world
    • Piss off the non-us-ians who can't get secure versions of eg Netscape (but check out Fortify) or NT or whatever.
    Somebody desperately needs to LART some clues into these people.
    --
  • ..the US has export bans on strong encryption products. Countries & governments to where export is banned can just simply download whatever they want [sometimes anonymously] via the Internet anyway.

    OTOH, and perhaps paradoxically, I have no problems in the government doing its best to snoop on the conversations of other governments. I don't think we should ever forget that World War II was essentially won by the fact that the US and UK could read German and Japanese messages. The damage at Pearl Harbour could possibly have been limited if certain messages had been decrypted and communicated faster. A lot of damage was caused by the US Government's line of "Gentlemen do not read each others' mail" before each World War.

  • There is a posting by Bruce Schneier in sci.crypt entitled "New U.S. Crypto Regulations (advance copy: do not distribute)". It hasn't reached DejaNews when I searched just now. It isn't signed (which is consistent with Bruce's usual postings), but it looks like a lot of work for a forgery or spoof.
    "open source code" is mentioned in the introduction, and "non-commercial encryption source-code" in the body.

    "Encryption source code controlled under 5D002 which would be considered publicly available under Section 734.3(b)(3) and which is not subject to any proprietary commercial agreement or restriction is released from EI controls and may be exported or re-exported without review under License Exception TSU, provided you have submitted to BXA notification of the export, accompanied by the Internet address (e.g. URL) or copy of the source code by the time of export."
  • by nowan ( 4075 ) <(nowan) (at) (nowan.org)> on Wednesday November 24, 1999 @04:25AM (#1509266)
    Ok, so:

    Sec.740.13 (e) Non-Commercial Source Code

    (1) Encryption source code controlled under 5D002 which would be considered publicly available under Section 734.3(b)(3) and which is not subject to any proprietary commercial agreement or restriction is released from EI controls and may be exported or re-exported without review under License Exception TSU, provided you have submitted to BXA notification of the export, accompanied by the Internet address (e.g. URL) or copy of the source code by the time of export. Submit the notification to BXA and send a copy to ENC Encryption Request Coordinator (see Section 740.17(g)(5) for mailing addresses).

    (2) Source code released under this provision remains of U.S. origin even when used or commingled with software or products of any origin, and any encryption product developed with source code released under this provision is subject to the EAR (see Section 740.17).

    (3) The source code may be exported or re-exported to all destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria.

    -----

    * So does this mean that if a single line of the code is written in the US it's subject to this business? (see 2)

    * And what's this notification clause (1) mean?

    * I can't figure out what EAR is, but in section 740.17 which it refers to I find:

    (f) Open cryptographic interfaces. License Exception ENC shall not apply to exports or re-exports of encryption commodities and software including components, if the encryption product provides an open cryptographic interface (as defined in part 772).

    And below that in the definition of terms:

    Open Cryptographic Interface. A mechanism which allows a customer or other party to insert cryptography without the intervention, help or assistance of the manufacturer or its agents, e.g., manufacturer's signing of cryptographic code or proprietary interfaces.

    So all in all I'm not too positive on this, though I can't say as I really understand it.
  • Oh, and I forgot section (c) of 740.17:

    (c) Retransfers. Retransfers of encryption items listed in paragraph (a) of this section to other end-users or end-uses are prohibited without prior authorization.

    They seem to be trying to rule out GPL/BSD style licenses here.
  • I happen to know a Canadian consultant who helped get an ISP in Iran onto the net.

    While people in the US are restricted, the rest of the world isn't. As there isn't any particular reason to connect directly to the US, and plenty of non-US/non-restricted equipment to use.

  • Generate your noise so it has the same statistical properties as your message.
  • Been mulling this over for a bit, and here's my conclusion:

    Break the stream into, say, 64-byte chunks. Then perform your statistical analysis on each chunk. Once you get English from one of the chunks, apply the same translation to the other chunks. Search for dictionary words.

    Voila, you have plaintext English sandwiched between gibberish.
  • Two obvious answers
    1. One of the US government's main jobs is keeping other governments from attacking the US. Keeping US-made weapons out of the hands of potentially hostile governments (while not actually possible with crypto) may be legitimately part of that job.
    2. Even if it's not a good excuse, it looks sufficiently like a good excuse that they can use it to cover the main purpose of export regulations, which is preventing widespread use of crypto by Americans, by interfering with development and distribution of mass-market user-friendly crypto in everyday software products.
  • That is exactly what I mean - and if Network Associates can't sell their stuff anyway, that helps even more.

    I'm not from the US, BTW

    --Donate food by clicking: www.thehungersite.com [thehungersite.com]

  • They really can't.

    Everyone can change his browser to use strong encryption. At least everyone using a platform that is supported by netscape, but on the Atari e.g there is also a solution.

    Everyone can get and use a strong and legal copy of PGP or GnuPG, etc. That people don't do it doesn't relate to the US export restrictions.

    So they can not prevent anyone from using strong encryption (who thinks he needs it).

    As for Cell Phones: In GSM networks - which are almost any in Europe - an Encryption is used that is considered to be at least secure for this special purpose.

    There have been published attacks that can clone the SIM card, but you need the card for about one day - people will know when they don't have it for such a long time. Also this attack only applies to a recommendation in the standard that has been used by only one Network in Germany (there is a new one and I don't know if they use it).

    Another attack is possible against the encryption itself, but it is an adaptive chosen plaintext attack. You don't get that into the phone.

    We get back to the point that everybody who thinks he needs it can use strong encryption and not care about US export restrictions.

  • It is t here [deja.com] now.
    (Why is preview showing me "t here" when I have "there" in the text? View source shows the space. Happens with both HTML Formatted and Plain Old Text. Oh well.)
  • Simply make a script that will try the 26 different solutions and then run "strings" on it.
  • Everyone can get and use a strong and legal copy of PGP or GnuPG, etc. That people don't do it doesn't relate to the US export restrictions. So they can not prevent anyone from using strong encryption (who thinks he needs it).

    I still maintain that export restrictions have stopped people from using crypto.

    Export restrictions prevent strong crypto from being integrated with most common software applications. By forcing encryption software to be a separate product, it makes encryption more difficult to use. Also, because export restrictions have prevented encryption from being installed by default on most computers, there are few people to exchange ciphertext with and therefore little incentive for people to install and learn the encryption software that does exist.

    The end result is that export restrictions have prevented the critical mass / network effect required for strong encryption to become widespread.

  • Comment removed based on user account deletion
  • Could you possibly expound upon this topic? What exactly is bad about KRA and what does NA's joining mean about their products?

    Thanks!
