[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: New export controls to include code signing applications



The Men in Black made Lucky Green <[email protected]> write:
 
>[Listing specific software prohibited from export]
>"c.2. "Software" to certify "software" controlled by 5D002.c.1; "
>
>And, btw, virus checkers are also prohibited from export. Makes you wonder.
>
>"c.3. "Software" designed or modified to protect against malicious computer
>damage, e.g., viruses;"
>
>That includes every firewall product, every virus checker, every data security
>product, and this regardless if the product uses crypto or not. The new
>regulations go way beyond controlling crypto. The USG, in a massive power
>grip, has put data security as a whole on the export control list.
 
These aren't new regulations, they're old regulations which have resurfaced.
I've managed to obtain a copy of part of the old pre-Wassenaar COCOM
regulations, which contain the magic lines:
 
  5.D.2.c Specific "software" as follows:
 
    1. "Software" having the characteristics, or performing or simulating the
        functions of the equipment embargoed by 5.A.2 or 5.B.2.
 
    2. "Software" to certify "software" embargoed by 5.D.2.c.1.
 
    3. "Software" designed or modified to protect against malicious computer
        damage, e.g. viruses.
 
This is from the October 1991 version.
 
By October 1996 this had changed to:
 
  5D002 c Specific "software" as follows:
 
    1. "Software" having the characteristics, or performing or simulating the
        functions of the equipment embargoed by 5A002 or 5B002.
 
    2. "Software" to certify "software" specified in 5D002.c.1.
 
It looks like someone used the old COCOM regs as the basis for the EAR rather 
than the newer Wassenaar ones.  The two are almost identical anyway except for 
a few minor points.  It's likely that the anti-virus clause is due to 
bureaucratic bungling rather than malicious intent.
 
Peter.