Federal restrictions will be relaxed on the export of open-source software that incorporates strong encryption, the US government announced on Friday in a lengthy disclosure. The effect of the changes announced in the US Federal Register is that cryptography software now may be exported to Cuba, Iran, North Korea, Syria, and …
Effect on OpenSSL
So to ask the question that many will naturally ask - how does this affect the OpenSSL project? Does this change effectively mean the export restrictions on distribution of OpenSSL (source and/or binaries) would be lifted?
Feds cracked it then?
So basically the feds have a computer system now that can crack any encryption system (quantum computing) then. This is the only reason I can think of right now.
I don't think you need to assume they've cracked anything. Perhaps reality has finally broken in: open source means what it says, and anyone who wants this stuff has it anyway, so why penalise law-abiding exporters?
I mean it's only 15 years since RFC1984 said:
" Encryption is not a secret technology monopolized by any one country,
such that export controls can hope to contain its deployment. Any
hobbyist can program a PC to do powerful encryption. Many algorithms
are well documented, some with source code available in textbooks.
" Export controls on encryption place companies in that country at a
competitive disadvantage. Their competitors from countries without
export restrictions can sell systems whose only design constraint is
being secure, and easy to use."
(And no, the RFC number was not pure chance.)
@Dick Emery: Yeah, and M.I.B. is Real
A three-eyed monkey-like creature will break any code while sipping coffee and a shot of hydrofluoric acid.
Seriously, the simple explanation is that they hired a sane person who realized that GPG and OpenSSL cannot be stopped from entering Syria by means of Legislation. There is more than one Arab capable of downloading the stuff in Germany and emailing it to his nephew in Damascus.
And yes, the NSA employs a lot of smart people, so they might have mastered some modern ciphers. So get a book on crypto and hack your own cipher. Concatenate that to AES, 3DES and Blowfish. The cipher would be encoded in a Java class file and sent inside a GPG container.
If thousands do that, it will give NSA and GCHQ a royal headache.
It means that these countries can get hold of the software anyway, embargo or not, and the rules just put US software houses at a disadvantage compared to companies in other countries that don't have to comply with them.
The work-around by the way for the existing regulations is to print out the code on sheets of paper, mail it to another country, then someone in that country can scan and OCR the code. Printed source code is protected free speech rather than munitions.
Memo to those who imagined these restrictions:
Switch brain back to ON.
It's a piece of cake to export that crypto software to a white-listed country that doesn't have stupid legislation.
As a bonus, relaxing these rules will solve the ridiculous situation where US can import crypto software from one of these black-listed countries but can't export it back there.
Roll Your Own Crypto - Suggestions
A) DES with s-boxes defined by the key.
B) java-based SIGABA
C) DES with slowly modifying s-boxes (based on a key or a primary DES keystream)
D) DES with some s-boxes replaced by a non-linear function of your choice.
E) Enigma w/o reflector and w/o Steckerbrett (you need several engines to achieve more than 2^80 keyspace)
F) java-based Fialka
G) Chain existing ciphers based on a key. The key determines the chaining order.
H) java-based TypeX
J) multiple RC4 streams XORed. Make sure each engine is functionally independent keyed.
Always make sure each cipher engine is functionally independent keyed. Make sure your key generator generates truly random bits, in the Physical Sense.
Where The Code Is
"...exporters must first notify the federal government exactly where the code is located."
Uh, it's "in the cloud"?
P.S.: TheReg should add a 'cloud' icon.
It's not because the Feds can suddenly crack all encryption - this doesn't make it any easier for N Korea to get pgp.
What it does prevent is some embarrassing cases where major bits of open source software couldn't be hosted in the US because the license said free to anyone but the US made you click a bunch of disclaimers that you wouldn't use it to build WMD or export it to N Korea.
It also meant somebody could in theory sue any US company for violating the GPL - they are using the GPL software but cannot distribute their changes - because they can't be exported.
So you could go after Oracle, IBM, etc and possibly get some judge to block them using FOSS while it's all sorted out (or until they settled out of court with you)
Surely you export the crypto to an overseas offshoot who onsell to a local entity that exports it? Like they weren't getting the stuff anyhow.
Curious Side Effect?
There's quite a few companies and products that rely on closed-source encryption. Is the encryption for region-locking of DVDs officially open or closed? An Xbox?
The potential market increase for any of these is relatively small, and language differences get in the way of American exports. At most, it clears up any doubts about licensed manufacture outside the USA. Whoever makes Arabic-language DVDs and DVD players, they've a chance of being in the clear now over the sales to Syria.
Juniper tend to ship routers internationally *without* SSH in their installed software, which can be a bit of a pain in the arse. If you're in a *bare* DC/office and your corporate laptop has a restrictive personal firewall that prevents FTP, using SCP is much preferable to upgrade software.....a minor point, but I've run into it before :-)
Cisco are the same with their Routers and Switches - they ship without K9 images (and are therefore incapable of SSH)
The first thing we do is drop a K9 on every new router / switch we procure, then disable Telnet.
These stupid US export restrictions have probably been one of the major reasons why Telnet is still in use today, and has without a shadow of a doubt caused numerous security incidents due to lazy sys/network admins.
Maybe now manufacturers can start shipping all devices with SSH only, and resign telnet to the protocol graveyard where it should have gone over 10 years ago.
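
An added example, not part of the comment thread: a check that a saved Cisco IOS-style configuration really has Telnet disabled on its vty lines once an SSH-capable image is installed. The sample configuration and the function name are constructed for illustration; a vty block with no explicit `transport input` is flagged for review on the assumption that the default varies by release.

```python
import re

# Constructed sample in Cisco IOS running-config style (not from the thread).
SAMPLE_CONFIG = """\
hostname edge-sw1
line con 0
 exec-timeout 5 0
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
line vty 16 31
 login local
!
end
"""

def audit_vty_transport(config_text):
    """Map each 'line vty' block to a verdict on its permitted protocols."""
    findings, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("line "):
            # New line block: track it only if it is a vty (remote login) block.
            current = raw[5:].strip() if re.match(r"line vty \d+", raw) else None
            if current:
                # Assumption: with no explicit setting the default varies by release.
                findings[current] = "review: no explicit transport input"
            continue
        if current is None or not raw.startswith(" "):
            current = None  # left the indented sub-commands of the block
            continue
        m = re.match(r"\s+transport input (.+)$", raw)
        if not m:
            continue
        protos = set(m.group(1).split())
        if protos & {"telnet", "all"}:
            findings[current] = "fail: telnet permitted"
        elif protos <= {"ssh", "none"}:
            findings[current] = "ok: " + " ".join(sorted(protos))
        else:
            findings[current] = "review: " + " ".join(sorted(protos))
    return findings

if __name__ == "__main__":
    for vty, verdict in audit_vty_transport(SAMPLE_CONFIG).items():
        print(f"{vty}: {verdict}")
```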