Wind river
@rjh thanks for your earnest answer to my sloppy and somewhat provocative post.

>> This doesn't make any sense to me.
> Makes perfect sense to me, once you understand three things: (a) at one point all the good crypto came out of either the US, UK, or France,

I have to concede that I mostly agree with you. While I think the most dangerous current threat to our freedom and democracy is ubiquitous eavesdropping and spoofing by NSA, GCHQ and their likes, I admit US scientists also gave us the means to defend against it (strong cryptography). After reading a Scientific American article about asymmetric cryptography by Adleman (not the original one in 1977, but a later one from the 1990s ;-) I was fascinated. Then I heard about the issues around export restrictions and immediately sat down and coded it as an act of a physicist's self-respect. For me the claim to own some mathematics by an administration is pure hubris and ignorance. My little exercise didn't get any momentum back then and I ceased to pursue that any further.

And yes, if you want to discuss matters of cryptography seriously, there are hardly any quality posts in the German language. I have some trust in the strength of the opposition against ubiquitous government surveillance within the US and hope they will overcome current antidemocratic moves. Presumably and sadly the opposition against such tendencies is weaker in Germany.

If you google open source elliptic curve cryptography you will find my current activities regarding cryptography. You might notice that the software's menus as well as the documentation are held almost completely in the English language. One reason is to keep dumb German nationalistic morons off. In my opinion the current behavior of the US soup letter agencies nourishes dumb nationalistic anti-US tendencies in other countries including mine! I don't want to be forced into an alliance with nationalistic people.

The US judicial system should IMHO no longer let people who lie to Congress under oath go unharmed and pursue people telling the truth with all might. Please excuse me for having gone somewhat off topic here.

> (c) laws and regulations change so slowly they make glaciers look swift.

Agreed. Probably my (the German) administration isn't any better in this aspect. I respect you for defending your (the US) administration, yet in my opinion both our administrations deserve some bashing once in a while for excessive ignorance and/or sluggishness.

Cheers,
Michael Anders

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Wind river
> While I think the most dangerous current threat to our freedom and democracy is ubiquitous eavesdropping and spoofing by NSA, GCHQ and their likes...

It's a popular opinion.

> I admit US scientists also gave us the means to defend against it (strong cryptography).

In the immediate postwar period up until, oh, maybe 1980, most of the good civilian cryptographic work came out of the United States. But since then, it's very much been a collaboration from around the world. AES was developed by a pair of Belgians, for instance.

> I respect you for defending your (the US) administration...

That wasn't my intent. I think ITAR and EAR are remarkably silly regulations when it comes to crypto. However, it's a good idea to learn about the historical forces that shaped ITAR and EAR. :)
Re: Wind river
> http://www.ecfr.gov/cgi-bin/text-idx?SID=f8a7e639bbbcdd460e881f7ae4a927b3node=pt22.1.120rgn=div5#se22.1.120_110
> Has 120.10 a b but no 5.

See: http://pmddtc.state.gov/regulations_laws/documents/official_itar/ITAR_Part_120.pdf

That dates from April 1, 2013, and apparently has been updated since then -- but yes, I was quoting from an official ITAR issuance. :)
Re: Wind river
Robert J. Hansen wrote:
> ...
> All this being said, the laws aren't *wholly* stupid. ITAR has a couple of nice commonsense exceptions. (See, e.g., ITAR 120.10 (5): ITAR does not include information concerning general scientific, mathematical, or engineering principles commonly taught in schools, colleges, and universities or information in the public domain.)

FYI: https://en.wikipedia.org/wiki/International_Traffic_in_Arms_Regulations

USA national regs.
http://www.ecfr.gov/cgi-bin/text-idx?SID=f8a7e639bbbcdd460e881f7ae4a927b3node=pt22.1.120rgn=div5#se22.1.120_110
Has 120.10 a b but no 5.

http://www.ecfr.gov/cgi-bin/text-idx?SID=f8a7e639bbbcdd460e881f7ae4a927b3node=20140513y1.10
e-CFR Data is current as of October 20, 2014
or information in the public domain as defined in §120.11 of this subchapter

PS Wait, you mean like the U.K. did after WW2 when it sold Enigma machines

Fascinating (well, I'm British :-)

Cheers,
Julian
--
Julian Stacey, BSD Linux Unix C Sys Eng Consultant Munich http://berklix.com
Indent previous with . Interleave reply paragraphs like a play script.
Send plain text, not quoted-printable, HTML, base64, or multipart/alternative.
Re: Wind river
> This doesn't make any sense to me.

Makes perfect sense to me, once you understand three things: (a) at one point all the good crypto came out of either the US, UK, or France, (b) nuclear weapons are scary, and (c) laws and regulations change so slowly they make glaciers look swift.

A lot of WW2 historians believe the Allies' ability to read Purple and Enigma traffic at-will resulted in the war being shortened by a few years and saved millions of lives. The lesson politicians learned was, we must protect our communications and exploit those of other nations. Prior to the advent of the civilian cryptographic community, it was perfectly rational to restrict the export of strong cryptography in order to help keep the nation secure.

The dawn of the nuclear age happened to occur at the same time. The importance there is that it's really, really hard to validate a nuclear weapon design without computers. It can be done -- the U.S. did it, twice -- but it's really hard. With computers, machining and building a nuclear weapon is mostly pretty easy. (Enriching U-235 and/or creating Pu-239 is still really hard, but it's the only really hard step.) So, for a long time, it was perfectly rational to restrict the export of high-powered computers in order to limit nuclear proliferation.

The world has moved on, though, and Congress has shown itself mostly either unable or unwilling to recognize this. When the PlayStation 2 was coming to market Sony discovered that it couldn't be exported out of the U.S. without an arms control export license -- the laws hadn't kept pace with technology, and by the (outdated) standards in the laws the PlayStation 2 was a supercomputer. Oops. Sony pushed for changes in the definition of 'supercomputer', and the PS2 suddenly could be exported worldwide. (Mostly due to the console gaming market, the definition of 'supercomputer' keeps on creeping upwards. Sony and Microsoft really, really want to be able to export their consoles worldwide without worrying about ITAR compliance.)

The internet is a fascinating place, but it's also a world completely unlike the one that existed when Congress drafted its laws. As libre hackers who like crypto, we run smack into ITAR and EAR on two fronts. Our computers keep getting more and more powerful, which runs afoul of the regulations originally designed to counter nuclear proliferation, and our crypto keeps getting better and better, which runs afoul of the regulations originally designed to make sure only the good guys had strong crypto.

All this being said, the laws aren't *wholly* stupid. ITAR has a couple of nice commonsense exceptions. (See, e.g., ITAR 120.10 (5): ITAR does not include information concerning general scientific, mathematical, or engineering principles commonly taught in schools, colleges, and universities or information in the public domain.)

Unfortunately, those exceptions aren't enough to save you from really expensive legal bills. When I was assisting in the teaching of a graduate-level computer security course at the University of Iowa back in 2007, we had to get briefed by the University's lawyers about the foreign students in our class and what we were and were not allowed to say in front of them about computer security subjects (!!). The University's concern wasn't that we could be successfully prosecuted for violating ITAR -- the First Amendment and the ITAR's own provisions for education provided safe harbors. It was that we could be prosecuted *at all*, and forced to spend money we didn't have resolving a legal headache. Better by far, in the University's view, to be very careful what information we taught to foreign graduate students and avoid any possible legal headache.

Anyway. These regulations make sense when you consider the historical context in which they were created, and consider just how hard it is to get old and outdated laws changed. Are they stupid in the present day? Yeah. But they're also still the law, and Wind River was *freaking* *stupid* to knowingly, willfully violate ITAR/EAR some 50-odd times.

Now, before armchair lawyers leap up to say, $750,000? For that money, I'd take the case to court and see if I could get the court to agree that ITAR doesn't apply to what I was exporting!... Wind River has lawyers, too, and the lawyers signed off on this. For whatever reason, Wind River's lawyers thought this was a good plan. Maybe they were worried about what other violations the USG might find and they were able to fold an amnesty into the deal. Maybe they were concerned about the hit in the court of public opinion. Maybe... etc.

We don't know why Wind River chose to pay the fine instead of challenge it in court. We just know they decided that paying this fine was in their company's best interests.

Either US administration has completely gone nuts and assumes others are too stupid to implement strong crypto by themselves or else -and this seems more probable
Wind River
I just saw this news story yesterday, and I wasn't sure if folks around here already knew about it or not, but since the subject of silly export restrictions had come up on this list recently, I thought that I should share... http://www.theregister.co.uk/2014/10/17/intel_subsidiary_crypto_export_fine/