US government fines Intel's Wind River over crypto exports

The US Government has imposed a $750,000 fine on an Intel subsidiary for exporting encryption to China, Russia, Israel and other countries. Wind River Systems was fined for exporting products that incorporated encryption to foreign governments and to organisations on the US government restricted list. The controversial move …

  1. NP-Hardass

    governemtn

    NICE! Spell check ftw.

    "US governemtn fines Intel subsidiary over crypto exports"

    1. returnmyjedi

      Re: governemtn

      Proofreading worthy of the Grauniad. The Gestrier, anyone?

    2. JeffyPoooh Silver badge
      Pint

      What about Apple?

      When you have "strong" on-device crypto with the lengthy keys protected behind a weak 4-digit PIN (probably 7852), does that constitute an Export Controlled item?

      1. LukeTeyssier

        Re: What about Apple?

        Crypto only has to be present on the device. It doesn't have to be well implemented, or even used.

  2. This post has been deleted by its author

    1. The Man Who Fell To Earth
      Boffin

      Re: I can't believe it.

      This problem should be self correcting in that no one trusts any encryption coming from a US company anymore. The US will shortly become an importer of crypto. Should people trust the AES-NI instruction set in Intel Processors? One has to wonder.

      1. Paul Crawford Silver badge
        Black Helicopters

        Re: I can't believe it.

        It is pretty easy to see that the Intel AES instructions do implement the AES maths correctly, so part 1 of the tin-foil equation seems to be settled.

        However, the aspect the truly paranoid would want to know is part 2 - is there an undocumented method to recover previous keys (or parts of keys) used by said AES instructions? You know, something that Windows, Flash Player, or similar closed source software might just run and report as a footnote to some other data dump...

        1. Yet Another Anonymous coward Silver badge

          Re: I can't believe it.

          The Intel CPUs are fabbed in Kiryat Gat in Israel, so are Intel fined for exporting CPUs to Israel that were made in Israel?

          Stranger things have happened - we were once refused export permission for a bit of kit from the US to the UK because it contained an ARM processor.

          1. LukeTeyssier

            Re: I can't believe it.

            It's not that you can't export crypto to Israel, you just have to get permission first, and document who and where you are sending it so that the State Department can keep tabs on US companies producing products with crypto.

        2. James 100

          Re: I can't believe it.

          I demonstrated exactly that on a simulated CPU at a security conference earlier this year - a plain old Intel CPU with AES-NI ... and an FDIV instruction which just happened to leak the crypto keys when you divided a particular pair of numbers. It didn't even need closed source software to do the sneaking: a few lines of JavaScript did the trick.

          (The harder question is "how do we guarantee the real CPU isn't doing this too?" - and it really is a hard question.)

          1. ATeal

            Re: I can't believe it.

            Did you simulate the CPU in JavaScript? Is this a really advanced troll post and you just got me?

          2. Paul Crawford Silver badge

            @James 100

            I doubt the FPU would do it, too much science checking results to notice odd values.

            Now the random number generator, there is one you could use to leak key bits in a manner known only to the creators and those chosen to be 'in the know'...

      2. DonCXX

        Re: I can't believe it.

        My thought was that Israel and South Korea were on the list. If the US doesn't allow encryption products to be exported there, they will certainly create encryption products superior to what the US offers, making the folks at NSA have to work a lot harder.

      3. LukeTeyssier

        Re: I can't believe it.

        You can check the instructions yourself for validity. As for back doors, it's really hard to implement crypto with no (easy) side channel attacks, but that was a major goal of NI.

  3. Mark 85 Silver badge

    Fined.. really?

    I'm beginning to think the Federal Government is on the tail end of the local cities' concept of "fines are a revenue stream". This, I guess, would be "trickle up"? I'm just reading more and more where companies (and not just tech) are getting fined and the fines are going up.

  4. Henry Wertz 1 Gold badge

    Time to leave...

    "This penalty should serve as a reminder to companies of their responsibility to know their customers and".... get their crypto divisions the f*ck out of the US. Thanks a lot BIS, now there'll be even fewer tech jobs here.

  5. Anonymous Coward

    Entertainment industry DRM == encryption???

    Eh?

    What's the entertainment industry's DRM, MS's Trusted Computing, etc, without worthwhile encryption?

    Stop that stuff being built in China (and/or chips designed in Israel, etc) and then what happens?

    Or maybe that's the idea?

  6. frank ly

    re. " ... the renal original turf ..."

    That's where someone has marked their turf by pissing on it. It's primitive but effective.

  7. Anonymous Coward

    Well, if the British way of doing things is anything to go by

    It's not hard. When we sell stuff that has an element of strong encryption (usually carrier grade servers and network equipment), to dodgy places, we fill in the proper paperwork and apply for a network licence. Then we wait a long time. Bloody annoying (has put us at risk of LDs, even when we've applied in good time), but not hard.

    As for China and Russia, I can't believe the US has sleepwalked into this when they've effectively been conducting large scale cyber warfare. Alas, I think I smell stale horseshit, but the stable door has been open for a long time.

    1. Yet Another Anonymous coward Silver badge

      Re: Well, if the British way of doing things is anything to go by

      So the Russians and Chinese are too dumb to write their own crypto and wouldn't be able to keep secrets from Uncle Sam if they didn't buy Intel's off the shelf stuff - while at the same time being super cyber-ninjas (and cossacks?) who can break into any US government or corporate system unless we give the NSA more powers to protect us?

  8. PassiveSmoking

    War on Crypto!

    Trying to shove the genie back in the bottle? Yeah, good luck with that.

  9. Will Godfrey Silver badge

    I wonder what Visa and Mastercard think of this.

    1. Mookster
      Holmes

      Mobile Phones, SIM cards, ...?

  10. Anonymous Coward

    Next, Apple, Google?

    Their devices were designed in the United States of America. Will BIS start going after them, too?

    This is pressure from the spooks.

    BIS to revoke Apple and Google's crypto export licenses. You read it here first, people!

    The spooks are pretty pissed off with those two right now - and they don't care about job losses.

  11. Old Handle

    Two thoughts

    1. I thought this BS ended like a decade ago.

    2. Open source your crypto. Sell your product with whatever weak encryption the government allows but design it to accept strong encryption as a plug-in

    1. Destroy All Monsters Silver badge

      Re: Two thoughts

      I raise you two decades.

      1. Eddy Ito Silver badge

        Re: Two thoughts

        I don't see why they couldn't create a graphical interpretation of the software and claim it's art that is exportable under freedom of expression. That way you only need some sort of quasi compiler that turns a bitmap into software which isn't a "weapon". I know, it's just a spin on Phil Zimmermann's printing the PGP source code as a book but twisted for the QR code generation.

      2. itzman

        Re: Two thoughts

        Exactly. Faced with SCO Unix missing libcrypt back in 19 something or other, I simply obtained the Berkeley Unix source, compiled it, debugged it and installed it.

        The algorithm is not the secret, after all.

        Neither really is the implementation.

        Given the algo it's what - a day's work to write an encrypt/decrypt routine?

    2. Anonymous Coward
      WTF?

      Re: Two thoughts

      Plugin was my immediate thought, well after calling BS. What I'd love to know is exactly what products, and especially hardware/software-algorithms, were involved. Then we could check for differential treatment by the bureaucrats involved.

    3. Michael Wojcik Silver badge

      Re: Two thoughts

      1. I thought this BS ended like a decade ago.

      Nope. Export restrictions were relaxed, not eliminated. You still can't sell to the "enemy" states, and you still need an export license, in both the US and the UK. I've been through the process.

      Fortunately, once you have the licenses, renewals are generally easy, provided nothing significant has changed in how the crypto tech is used in the product. (We've added new TLS ciphersuites and had our renewals rubber-stamped, for example.)

  12. moiety

    Suddenly the US government is all against encryption. Now they've been caught (like deer in the high beams) (and implicating the rest of the Famous Five -and by extension- every other government raping everyone's privacy like it ain't no thang) it's damage limitation time.

    I have a message from the proletariat...who the fuck do you think you are to legislate yourselves the right to read my private fucking emails? Fuck you; the horse you rode in on; and the entire legislative apparatus that gives you the tissue-thin excuse to empower yourselves by raping information.

    1. Destroy All Monsters Silver badge
      Angel

      Allah is great and will send Ebola to transform their sorry arses into festering heaps of bubbling biomass.

      1. moiety

        If Allah wants to read my personal stuff, he can go and fuck himself too. Unless he's holding a warrant.

        NOTE: A warrant obtained by due process. Some of these deities can be tricky buggers if Terry Pratchett is correct on the subject. Which of course he is.

      2. Anonymous Coward

        Not likely! They've got a working vaccine, just FDA in the way.

    2. Terry Cloth
      Unhappy

      ``[W]ho ... do you think you are to legislate ... the right to read my private ... emails?''

      Her Majesty's government?

      (I'd use a Joke Alert icon, but it's for real.)

  13. Def Silver badge

    If governments around the world all stopped being massive dicks, people might be less inclined to use encryption in the first place.

  14. David M

    The US isn't actually forbidding the export of crypto...

    According to the article, the company was fined for failing to apply for a licence. For all we know, a licence may well have been granted if the company had bothered to apply for it. It sounds to me as though this isn't the US wanting to stop exporting crypto, it's the US wanting to make sure that it knows what crypto companies are exporting, and has the opportunity to stop it if necessary.

    1. Kevin Johnston

      Re: The US isn't actually forbidding the export of crypto...

      The point of the article is that the handling has changed from a slapped wrist if you made an after-the-fact revelation to a penalty. This raises a number of questions which have relevance due to the nature of the items in question.

      Are all businesses now being fined for exporting without a license and admitting it later?

      Are all other fines in line with the level of this one?

      Does the treatment match any documented process to handle companies which export with no license?

      1. JeffyPoooh Silver badge
        Pint

        Re: The US isn't actually forbidding the export of crypto...

        Maybe the BIS was getting too many of these Self Declaration confessions, and they want to discourage them. It'll probably do exactly that.

  15. just_me

    Irony

    Isn't AES, which is the DOD encryption standard, actually Rijndael, which is Belgian in origination? Looks like some more clueless bureaucrats at the helm here.

    1. Michael Wojcik Silver badge

      Re: Irony

      They're not clueless at all. They're assigning penalties based on someone's failure to jump through the hoops (ie, get an export license). That's precisely what they're employed to do.

      And while Joan Daemen and Vincent Rijmen are indeed Belgian, they submitted Rijndael to the AES competition. You could say it was "imported", but that's rather a strained claim. And it has nothing to do with US export licensing in any case.
