[Cryptography] Wind River Security Features and Cryptography Libraries
iang at iang.org
Fri Nov 7 10:05:39 EST 2014
On 5/11/2014 11:57 am, Collin Anderson wrote:
> On Wed, Nov 5, 2014 at 3:58 AM, Jerry Leichter <leichter at lrw.com> wrote:
>> What it *looks* like has happened is that Wind River (and they are
>> probably not alone) simply ignored the "pointless" step of applying
>> for an export license. I'll bet many companies today do, too - they
>> treat these regs as relics of a bygone era.
> There is a meaningful difference between VxWorks and consumer operating
> systems – even with regard to the Mass Market Encryption Exemptions. OS
> X for example is classified as 5D992, whereas VxWorks is 5D002 – these
> numbers make a huge difference.
Given the strategic obfuscation of the crypto controls, is anything
derived from analysis reliable?
> Don't sell non-mass-market crypto to the PRC, don't sell to Chinese
> military, don't sell to persons on the Department of Commerce's Entities
> List, and mind which governments elsewhere.
> That's not to say that the encryption export regulations are
> appropriate, but the interpretations of BIS's actions seem misinformed.
BIS's actions may be misinformed, our views may be misinformed, and it
may be that there is no meaningful information to be found at the source
of this strange turn of events.
We don't know what's going on. In such a case, the wildest possible
claims are as confirmed as the most sensible explanation.
"We believe this to be the first penalty BIS has ever issued for the
unlicensed export of encryption software that did not also involve
comprehensively sanctioned countries (e.g., Cuba, Iran, North Korea,
Sudan or Syria). This suggests a fundamental change in BIS's treatment
of violations of the encryption regulations.
Historically, BIS has resolved voluntarily disclosed violations of the
encryption regulations with a warning letter but no material
consequence, and has shown itself unlikely to pursue such violations
that were not disclosed. This fine dramatically increases the compliance
stakes for software companies — a message that BIS seemed intent upon
making in its announcement."
So, out there in crypto-product land, there has been a sea-weather
change. BIS, Snowden revelations, open source, and the politics of the
USA administration in its war on everything. In practical advice, the
above legal guys say:
"Encryption is ubiquitous in software products. Companies making these
products should reexamine their product classifications, export
eligibility, and internal policies and procedures regarding the export
of software that uses or leverages encryption (even open source or
third-party encryption libraries), particularly where a potential
transaction on the horizon — e.g., an acquisition, financing, or initial
public offering — will increase the likelihood that violations of these
laws will be identified."
Your average crypto-CEO is advised to ramp up on cost but provided no
guarantees! This means for American proprietary sellers: raised costs
across the board. Uncertainty of exportability, uncertainty of risk
explosion (can an exporter reasonably predict BIS's next actions?). Add
to that, thanks to Snowden, uncertainty of interference and *perception*
of interference for branded "made in USA" crypto product.
If I was them, I'd say "it just ain't worth it to sell good stuff overseas."
Just like the Crypto Wars in the 1990s, the new war will push a lot of
cryptographic work out of USA.