[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Spam the Sign!

>  Jeff Simmons <[email protected]> said...
> >Then suppose you hand software to MIT to put on its export-controlled ftp
> >site (which would seem to follow your requirements to take reasonable
> >precautions to observe the ITAR, etc.) and you don't do the nudge, nudge,
> >wink, wink - BUT you know that it's going to be available on major ftp
> >sites in Europe within a few hours anyway.  The intent to export isn't 
> >there, but the export occurs anyway.  Is it the intent, or the knowledge
> >that's important?

What's important to the government is that the crypto not be exported.  If
Netscape did this, the government might try to take them to court to make
an example of them, or might leave them alone to support the information
superhighway, or might refuse to ever buy any Netscape, or whatever.  The
point for Netscape is than none of these are good for the corporation.

> >Or, to bring it down to a practical question, what's stopping Netscape?  How
> >does Netscape setting up an 'export controlled' ftp site based on the MIT
> >version lead to one of their executives going to jail?

Maybe their executives don't want to deal with the possibility of going to
jail and are staying far from the edge of the law.  Maybe they are too busy
trying to find some way to make money.

> I very much agree with the direction you appear to be headed in.  It seems
> to me that Netscape should have no problem devising some sort of scenario in
> which such a program eventually gets onto the nets, but in a way that is
> squeaky clean, at least for THEM.  

But why would they want to risk this? As squeeky clean as it is, we now
all know that they know that making it available this way is exporting
it.  It's also possible that one of the people who took part in it would
turn State's evidence, or that this would result in a loss of
shareholder confidence, or that the people running Netscape support the
government position, or even that they just don't want the controversey.

> In addition, why should they even need to write the encrytion part of their
> software IN the US?  It occurs to me that one way to do this might be to
> send one of their programmers to a conveniently-located place, such as
> Vancouver BC , Montreal Canada, or a few other nearby places, with a great
> deal of fanfare, and tell him to "write some crypto."  He does, and brings
> it back into the US with him, leaving a copy of it "outside" the country for
> international distribution.

This is illegal as well.  The programmer is exporting the cryptosystem,
and may even be guilty of treason (probably not).  If you really want
strong crypto, just buy it fom one of the hundreds of legitimate
overseas suppliers.  If you want to export strong crypto Netscape,
rewrite Netscape outside the US.  It's not that complex a program.

-> See: Info-Sec Heaven at URL http://all.net/
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236