[Cryptography] Wind River Security Features and Cryptography Libraries

Jerry Leichter leichter at lrw.com
Tue Nov 4 22:58:28 EST 2014

On Nov 4, 2014, at 9:28 PM, Henry Baker <hbaker1 at pipeline.com> wrote:
>> Wind River Security Features and Cryptography Libraries (which appear to be the
>> basis of the $750,000 fine by BIS)
>> http://cryptome.org/2014/11/wind-river-security-crypto.pdf
> Perhaps Wind River's crime was advertising the details of their security systems ?
> Linux, Windows, OSX, iOS, etc., have extensive security capabilities, but they aren't as well advertised.
Highly unlikely.  Much the same information *is* published, if not perhaps in one place.

There's a plausible explanation of the whole business.  After the battles of the Clinton era, the export control regime moved into a very permissive mode:  If you want to export, you file a form and the government has a fixed, relatively short, period to say "no".  If you hear nothing, you have a license and can go ahead and export.

In practice, the government almost always has let the period expire without comment, and pretty much anything is thus exportable.

Even though the system lets almost everything through, the penalties for not going through the process are severe, including I'm pretty sure jail time.

What it *looks* like has happened is that Wind River (and they are probably not alone) simply ignored the "pointless" step of applying for an export license.  I'll bet many companies today do, too - they treat these regs as relics of a bygone era.

Apparently someone decided it was time to send a wakeup call to industry saying "Hey, we're actually still here, the law remains as it was - file the forms".

Whether there's something more behind it, I don't know.  It could be that Wind River was not just failing to file the forms, but also exporting to countries that we're currently unhappy with.  But, again, why now?  Why Wind River?  There may be no reason at all - just someone deciding to make a point.  Or there may be something we know nothing about, and likely will never learn anything about.

                                                        -- Jerry

More information about the cryptography mailing list