On 1998-03-26 at 12:15:23, Jeffrey Altman wrote:
> Software developed within the U.S. or by a U.S. citizen that contains
> either encryption code or hooks to an external program or library that
> contains encryption code (whether or not the program or library is
> shipped with the product) may not be provided to citizens of countries
> other than the U.S. or Canada without a permit.

This is all a biiig can of worms, but I just got a weird idea;
understanding it requires an intimate knowledge of the FTP protocol. :)

Imagine a U.S. developer putting strong crypto code up for ftp.  Of
course, he doesn't want the spooks coming, so he makes it available only
in a special, invisible directory (maybe even changing hourly), or
perhaps only accessible via a password.  This hardly qualifies as
"making it available", so he puts up a note on where to request the
directory name or password.  In that request, he requires the downloader
to declare that he is a U.S. citizen, won't export the software either,
and won't even tell the password/directory to others.  This should all
be acceptable, and indeed, looks even familiar.

Now, imagine a foreign developer wanting to see this code; he approaches
a U.S. citizen to request the information to download the package, which
the man of the land of the free can do.  Now comes the technical part.
Our foreign friend asks the domestic citizen to proceed with the login
to the ftp site with telnet, just up to the PORT or PASV instruction, and
asks him to tell what the server said to this command.  With this
information, he could download the package abroad, without knowing the
passwords or secret directory names, assuming the ftp server did not
have protection against the "bounce attack".  In this case, who exported
the software?  Maybe everyone even complied with the lame law to the
letter as best he could. :)

Another chance would be to take advantage of the fact that export to
Canada is free, unless it's being done to avoid the export restrictions
to other countries.  So if a U.S. citizen asks a Canadian to mirror his
package, and a few other Canadian fellows mirror that Canadian site
further, at the end, accidentally someone might get it in Europe.

There was a famous loophole in ITAR: you could export crypto
devices/software if it left the country on a ballistic (orbit?),
presumably to allow strong crypto devices to attack foreign countries,
so you could in theory throw your disks over to Mexico.. :)  But I guess
this has changed with the new regulations from the Commerce Department..

The real solution, until everyone is enlightened about how bad that
export restriction is, is to *never* let yourself be tempted to write
free crypto software if you are in the U.S.  (And probably not even
start a commercial company there to do it commercially, since your
market is artificially limited.)

Of course, IANAL, and not even a U.S. citizen, so all this probably has
just a value of amusement.. :)

Hmm.. sorry for all this rambling, please (*please*) don't follow up
here, unless you feel it's very on-topic with SSLeay.  Easter is too far
away, anyway. :)

-- 
Janos - Don't worry, my address is real.  I'm just bored of spam.
+-------------------------------------------------------------------------+
| Administrative requests should be sent to [EMAIL PROTECTED] |
| List service provided by Open Software Associates, http://www.osa.com/  |
+-------------------------------------------------------------------------+
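The post above hinges on whether the ftp server has "protection against the bounce attack", i.e. whether it lets a PORT command point the data connection at a host other than the one that opened the control connection. The following is an added example, not code from the original post or from SSLeay, showing the two server-side checks that close this hole: a PORT argument is accepted only if it names the control connection's own peer address and an unprivileged port, and in PASV mode an inbound data connection is accepted only from that same peer. The function names, the reply strings and the 192.0.2.x / 198.51.100.x addresses are constructed for the example.

```python
"""Server-side defence against the FTP "bounce attack" (hypothetical helper)."""
import ipaddress
import re

# PORT argument format from RFC 959: h1,h2,h3,h4,p1,p2 (all decimal, 0-255)
PORT_RE = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_argument(arg: str):
    """Parse the argument of a PORT command into (ip_string, port).
    Raises ValueError on anything that is not a well-formed argument."""
    m = PORT_RE.match(arg.strip())
    if not m:
        raise ValueError("malformed PORT argument")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range")
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return ip, port


def port_command_allowed(arg: str, control_peer_ip: str) -> bool:
    """Bounce protection for active mode: the data connection target must be
    the same host that holds the control connection, on an unprivileged port.
    A PORT naming any third host (or a service port) is refused."""
    try:
        ip, port = parse_port_argument(arg)
    except ValueError:
        return False
    if port < 1024:          # refuse well-known service ports as targets
        return False
    return ipaddress.ip_address(ip) == ipaddress.ip_address(control_peer_ip)


def data_connection_allowed(control_peer_ip: str, data_peer_ip: str) -> bool:
    """Bounce protection for passive mode: after a PASV reply, only the host
    that issued PASV on the control connection may connect to the data port."""
    return ipaddress.ip_address(control_peer_ip) == ipaddress.ip_address(data_peer_ip)


def handle_port(line: str, control_peer_ip: str) -> str:
    """Produce the FTP reply for one PORT command line (reply texts are
    constructed for this example, not taken from any particular server)."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        return "500 Unknown command."
    if port_command_allowed(arg, control_peer_ip):
        return "200 PORT command successful."
    return "500 Illegal PORT command."


if __name__ == "__main__":
    # Constructed session: control connection from 192.0.2.10
    peer = "192.0.2.10"
    for cmd in ("PORT 192,0,2,10,4,1",     # same host, port 1025: accepted
                "PORT 198,51,100,7,4,1",   # third host: refused (bounce)
                "PORT 192,0,2,10,0,25",    # same host but port 25: refused
                "PORT 1,2,3"):             # malformed: refused
        print(f"{cmd:28} -> {handle_port(cmd, peer)}")
    print("PASV data conn from 198.51.100.7 allowed:",
          data_connection_allowed(peer, "198.51.100.7"))
```

The PASV-side check is the one the post's scenario depends on: if the server accepts a data connection from any address once it has replied to PASV, the port number alone is enough for a second host to fetch the file, which is exactly the "who exported it?" situation described above.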