Re: A question on law and regarding accountability



hayes.gr@xxxxxxxxx writes:

On Sep 8, 1:14 pm, Unruh <unruh-s...@xxxxxxxxxxxxxx> wrote:
hayes...@xxxxxxxxx writes:
On Sep 7, 7:10 pm, Unruh <unruh-s...@xxxxxxxxxxxxxx> wrote:
hayes...@xxxxxxxxx writes:
On Sep 7, 2:25 pm, Unruh <unruh-s...@xxxxxxxxxxxxxx> wrote:
hayes...@xxxxxxxxx writes:
Ok, say you create a product that is not approved for export use. You
find a US retailer willing to carry the product.
Who then is responsible for ensuring the end user is a US citizen or
person authorized to use it?

Whoever distributes it. The retailer certainly is. You may be

Lets also say you provide the source code for the software included on
disk. The reason for that is so the parties buying the software can
analyze it, compile for themselves or even incorporate it into other
software they may be using and so on.
What happens when one of the so called trusted parties involved has a
security issue whereby the disk is lost or stolen, or the source code is
transmitted or given to a party who should not have it.

They may or may not have legal problems. It will depend on whether or
not those "security issues" were such that it was reasonable to anticipate
that the software would get into foreign hands.

These are all issues to be raised with a lawyer as they are legal issues.
Any advice you get from the web is probably worth less than it cost you to
get it.

Where does one's accountability end? If it was common sense it would
be that you did your part by selling it to authorized persons and it
would be up to the prosecuting side to prove otherwise or negligence
on your part. But the law, or more precisely the courts, don't always
work that way.

Well, back in the day Zimmermann was investigated for transmission of PGP
to non-authorized people (ie posting it on the web). He was never charged,
in part because it was found to be difficult to argue that he had done
it/authorized it. Sometimes the law does work that way.

Quite honestly. They should not allow anyone access to our country who
can not purchase such software.

I think you mean hyperbolically, not honestly.

And "access to our country" is not needed, since the web has access
everywhere. Or perhaps you are advocating a Chinese system be instituted in
the USA.

One of the biggest things that gets me with the law is they expect
you to ensure anyone you sell the software to is authorized to have it,
be it a US citizen or person from an approved country or territory.
What gets me about that is they can't even seem to do that 100%
themselves but they expect you to do so.

Who is "they"?

Then there is an entire list of objects they allow source code to be
printed on in text that they don't see a need to check. Their
reasoning there is that it is too easy to compile it. Have they heard
of scanners?

Freedom of expression and all that. At least one court has ruled that
source code IS expression. The criteria on limitations of free expression
are quite tight.

Then I had a thought: pictures were on the list. So if I inserted the
raw image of the file into a BMP and then created a program to extract
it and set it to memory and then set the cpu instruction pointer to
the beginning of it I technically am within their law of it being a
picture. It just requires a second program to start it.

No, you almost certainly would not be within the law.

I spent enough time going through the
http://www.access.gpo.gov/bis/ear/ear_data.html
Anyway, so the question again is where does the accountability fall? I am
waiting for a response from http://www.bis.doc.gov/ on the subject. If
they get back to me before someone else answers this I'll post their
reply.

For legal issues talk to a lawyer. Any response you get either from the web
or from www.bis.doc.gov will not have any legal weight.

"They" is in the US federal government.
The law allows for photographs, paintings and a lot of other things.

No, freedom of speech is not absolute. Shouting fire in a crowded theatre
is illegal, even if you claim you did it to make a point about the herd
instincts of the common populace. Telling Russia about the American secret
codes is illegal. Many acts of expression are illegal. But the onus is on
the state to demonstrate that the limitation is necessary because of the
severe and immediate harm that the speech would cause. You cannot ban
certain forms of speech with vague laws. Congress could certainly ban the
publication of all crypto and could probably get it past the supreme court.
The executive cannot ban it by fiat however. But if it were banned, putting
it into photographs, etc would not get you around the law. And the way the
law is at present there is a licensing issue, that any publication of
crypto must be reported to the Govt. Thus if you put it into pictures and
did not tell the gov't you had done so, they could certainly arrest you for
violation of those requirements. (Of course nowadays, they could probably
also do it under terrorist legislation since that needs no justification)

Which can always be scanned with another software. What would be the
difference if I wrote a code using the open source software available
to scan the pages in, transfer to a file and compile it with gcc or any
other compiler. In fact I could very well incorporate the compiler
right into the project so it does so automatically. It would probably
take me a week to do so with all the other stuff I currently got going
on but even if it took a year. It is doable. So what is the
difference. There are countless image formats. What is to say I don't

Difference between what?

write an image format that utilizes a compiler and stores visible text
or C or C++ source code in an image file. That would be even easier

You break the law.

than the above. I could use a simple format like bmp to do it. That
would take me a lot less time. Then since the program for loading the
encryption software is not covered under the same laws it should be
within the bounds of each portion of the law.
Ok, say I put it on a T-shirt. Mr. X buys it, gets on a plane, flies to
Timbuktu and scans it in his computer. Or he buys a painting or

And exporting it without a license violates the law.

video that has it on or images. Doesn't matter how he gets it if the
plain text is readable it can be easily transferred to source code
files in less than 15 minutes and then compiled. Ok, lets make it
longer than that. My strongest algorithm currently is 15 pages long.
It would take 1 minute a page to scan and put in a C or CPP file. Then
5 seconds to compile. Wow so all one did is what gain 15 minutes.
Yea, I know any real advice should come from an attorney. Even then a
lot of them have no idea even the so called ones that specialize in
export laws. It is easier to determine the law when it comes to
shipping firearms and other weapons than it is dealing with
cryptography. Primarily because the laws are obscured with politics.
As to what I meant by not allowing people into the US who can not
purchase such software.
If that is really a national security issue then they should not allow
anyone into the US who they don't want acquiring strong encryption.
Because the number of ways to get hold of real strong encryption in
the US is amazingly easy if you want to do a little search or go sign
up for a few college courses and or go to work for a company that uses
strong software on their systems. The fact is the ability to acquire
strong software is even easier outside the US. My real point is with
that comment the laws they have in place give nothing more than a
false sense of security or a false sense that they actually have a
handle on strong encryption methods. The US is probably 10 stages
behind many countries when it comes to cryptographic technology; we are
no longer the front runners.
There is only one reason whatsoever the US government approves a
product for export. They can break it in a short period of time. I
spent 7.5 years working for DOD after I got out of the Nuclear Power
Program.

Nuts. Arguments like that is why the US abandoned their restrictions on
export, except for specialised systems. At present there are export
licensing requirements, and licensing requirements fall well outside the
first amendment.

The first thing you should read is 734.3(b) of EAR, The following
items are not subject to the EAR:
example 734.3(b)(2)
Prerecorded phonograph records reproducing in whole or in part, the
content of printed books, pamphlets, and miscellaneous publications,
including newspapers and periodicals; printed books, pamphlets, and
miscellaneous publications including bound newspapers and periodicals;
children's picture and painting books; newspaper and periodicals,
unbound, excluding waste; music books; sheet music; calendars and
calendar blocks, paper; maps, hydrographical charts, atlases, gazetteers,
globe covers, and globes (terrestrial and celestial); exposed and
developed microfilm reproducing, in whole or in part, the content of any
of the above; exposed and developed motion picture film and soundtrack;
and advertising printed matter exclusively related thereto.

And if you think that a spy could get up in court and say "I embedded my
microdots in a children's book, and there are no restrictions on exporting
books, so I should get off" and get off, then go ahead. Hope you enjoy your
stay in Uncle Sam's hotel.

As soon as you embed restricted items within those materials all bets are
off.

The difference I was referring to is between an image containing
text of the source code which can easily be scanned in and compiled in
a very very short time. One of my strongest algorithms encompasses a
total of 15 pages. Assuming 1 minute per scanned page then 30
seconds to compile. You gained what, 15 minutes and 30 seconds. What in
heck difference does that make between embedding the file into a bmp
file so you can see it as an image as well. The difference is only in
perspective, literally. One is a view of source code the other is a view
of the machine level code. Both require a secondary software to
extract the data to run it from the image.

And the fact that it was embedded in an image helps you in no way legally.

Remember looking at the list above what is allowed. There are several
film types listed. So what happens when someone transfers those to a
digital media, are they now in violation of the law. So they take the
microfilm or film out of the country and scan it in there.
These laws may have protected us at one point in time when a scanner
with text reading software was crappy at best but it doesn't protect
anything these days; in fact I would have to argue because of the
current laws we have fallen behind many other countries.

It is unclear how those restrictions have made the US fall behind, since
imports are free of restrictions. And as you point out, other countries'
export restrictions are no more effective than the US's.

I spent the first part of my life throughout Europe. I was born in
Germany and my father was in the Air Force. Anyway most my education
came from overseas. If I can write what I have here and there are
people such as my uncle who is probably far better at it than I am,
well. We the USofA have too big of a head in thinking we are a leader
anymore in this field or this is some sort of smoke screen and
outsiders are not who this is really designed to prevent getting it.
If you think about that last statement and how the laws affect the
sales of encryption software inside the US you might find something
sort of ugly. Most encryption software you see on the shelf is
approved for export use. Walmart and Fry's Electronics along with other
large chains are not going to ask for your DL, birth certificate or
naturalization papers or passport for proof of citizenship. Even so
they risk one of them being a forgery. People and companies are not
much willing to risk going to jail and fines for a profit they can
easily make better selling video games.
So what they have done is effectively made it difficult for even the
greater mass of US citizens in our own country to obtain decent
encryption.
With the 7+ years I worked for DOD up until 1999 and the time I served
in the military, I can say with full confidence anything our
government has approved for export or use in cell phones they are
reading in near real time.

Sorry, but that is nonsense.

Open source encryption software can be exported with only a reporting
requirement. And there is loads of open source encryption software that
they cannot read "in near real time".

Then the idea of single use software has me laughing my rear off. How
hard do they really think it is to pull the code out of an executable
file.
This is a lame example but works to make the point:
You develop a software and you want to hide a set of tables in your
files. So you incorporate your own encryption algorithm in it. It gets
approved because it is a single use software and considered not easily
modifiable. How many of you have heard of programs like SoftICE and
countless others. In fact there are several tutorials through
www.codeproject.com that can teach you about this. One could also go
to the Microsoft site and look up the PE file and how it is set up. They
have copies like I do of all the Intel and AMD processor books with
the commands and so on so you can write your own compilers and
assemblers and such. So again they may gain 15 minutes to an hour at
best from someone getting the code.
What about the approved source we do allow distribution of, how hard is
it to modify. So instead of using an int and int they decide to use two
long long instead. For those of you who don't recognize, long long is a
64 bit int so two of them would be 128 bits. How about they work with 4
or 8 of them. Still can run dang fast considering modern cpu power. If
you think of the quad core cpus they could split the work and handle
it extremely easy.
So what do the laws actually do for us. Protect us? Not a chance in
hell. The only thing I can safely say our current laws do is make it
harder for us to distribute the software even to our own populace.

Ok, instead of throwing insults back and forth, lets try a little
logic.
I'll ask a few questions and see if I can get a little thought going
behind this.

1. How many CPUs do you think NSA can put against any one problem at a
time?

Lets say 10^4

2. How much storage space do you think they have on things like Fibre
Channel Drive arrays (SAN) Storage area networks?

Lets say 10^4 TB

3. What do you think the biggest benefit of creating encryption standards
has been for them?

??? Encryption standards have been in place since 50BC at least. Standards
is the only way two people can communicate using encryption.

4. What is the maximum number of attempts you will need to make to brute
force approved for export software. (assuming worst case scenario)

10^50 for open source encryption.

So 10^4 CPU at 10^9 attempts/sec per cpu means only 10^38 years. If that is
"instantly" for you I guess I will have to concede that they can do it
instantly.




5. What methods of encryption do most commercial products use? Would
it happen to be the ones approved and allowed for export?

??? 128 bit RC4, 1024 bit RSA, 128 bit AES

6. How many times has there been products found that have security
issues of one kind or another?

Which products? And what has that to do with encryption? Are people able to
use viruses to infect a target's computer and get their password --
undoubtedly. Are they able to get the password by giving someone the
alternative of Guantanamo or revealing the password -- probably. But what
has this to do with encryption?



That should be enough to get some thought going.

It should be.


