[Cryptography] Wind River Security Features and Cryptography Libraries
jon at callas.org
Fri Nov 7 16:11:09 EST 2014
I've been involved in producing and exporting crypto for close to twenty years. I've been involved in doing whatever is needed, from filling out paperwork to printing source code on paper.
Since 1997, there's been a steady liberalization of export control in the US. One might argue that it's not monotonically decreasing, but it's decreasing continually. Right now, it's easier to get an export license than it is to do your taxes. Similarly to doing one's taxes, you can do it yourself, but if it's at all complex there are pros who can do it for reasonable prices.
Collin Anderson's note was right on, and I almost feel sheepish for adding to it.
In many cases, there are outright exemptions for export control. There's an exemption for "mass market" crypto. There's an exemption for open source source code releases. I apologize for forgetting who said this on what list, but in this discussion, someone said that this was a reason for an anonymous source code release, and ironically a source code release is on the exemption list, so you don't need it to be anonymous if you're releasing source!
So that leads us to what we've all been saying -- we have no idea what is really going on here. We're all speculating. I think that Goodwin Procter's speculation:
> This suggests a fundamental change in BIS's treatment of violations of the encryption regulations.
is both speculation and something to strongly disagree with. Really? What leads you to this? Given that they're a law firm that does export filings, this speculation is a speculation that drives more business to them. This is like someone bringing up a case of food poisoning in hamburgers and saying this is why you should pay me to inspect your kitchen. Consider the source. (And by the way, if someone needs to know a good export lawyer, write me off-list. I am happy to share, but feel it inappropriate to plug anyone here.)
There are other reasonable speculations, as well. Mine is that Wind River has been really sloppy about export control filings on many things, there's a lot of behind-the-scenes drama, and BIS decided to slam them for this because they admitted they're guilty. Effectively, this is the get-Capone-for-taxes story.
The huge irony in crypto today is that the more one is interested in the sort of crypto that is the general milieu of this list, the less one needs to worry about export licenses. Publishing your source gets you an exemption. The export definition of "mass market" means "generally available" not quantities or anything like that. If you have closed-source, secret algorithms, sold only to LEA/Military, you don't get any of the exemptions that we all do. Whatever's going on with Wind River, they are doing something that they admit they needed a license for that they didn't get.
So -- something's going on here and we don't know what it is. But it's almost certainly not what's being speculated about here. Yeah, yeah, if you're doing crypto professionally (by which I mean for pay), get an export license. Really, it's easier than doing your taxes, reasonably inexpensive, and if you ever end up in a different export battle -- for example, you didn't realize that those FPGAs or GPS chips might be considered "dual use" -- you won't get smacked with the crypto stick because they decided you needed to get smacked and that was the closest stick.