Question regarding linux source code and encryption export regulations


Post by Jonathan Wilso » Wed, 01 Dec 1999 04:00:00



some facts (correct me if I am wrong here)
1. linux is open source, and you must provide the source whenever you provide the binaries (at least those parts that are under the GPL, which includes, for example, the code that handles the password checking and the runtime library, which contains encryption code (I think))
2. linux contains encryption for the passwords and other stuff
3. linux and the source are available from various US servers
4. it is illegal to export source code containing encryption from the US without an export licence
5. linux does not have such a licence

My question: are the people running the US servers with linux on them breaking the law? And if not, then why not?

--
Jonathan Wilson

http://members.xoom.com/wilsonj/

  -----------== Posted via Newsfeeds.Com, Uncensored Usenet News ==----------
   http://www.newsfeeds.com       The Largest Usenet Servers in the World!
------== Over 73,000 Newsgroups - Including  Dedicated  Binaries Servers ==-----

 
 
 


Post by Joseph Dal » Fri, 03 Dec 1999 04:00:00



> some facts (correct me if I am wrong here)
> 1. linux is open source, and you must provide the source whenever you
> provide the binaries (at least those parts that are under the GPL, which
> includes, for example, the code that handles the password checking and
> the runtime library, which contains encryption code (I think))
> 2. linux contains encryption for the passwords and other stuff
> 3. linux and the source are available from various US servers
> 4. it is illegal to export source code containing encryption from the US
> without an export licence
> 5. linux does not have such a licence
> My question: are the people running the US servers with linux on them
> breaking the law? And if not, then why not?

I don't have any solid facts on this, but I would think that this
depends upon the strength of the encryption involved. I am sure that Red
Hat is aware of the legal issues as far as what kind of security can be
included in their distribution... SSH, for example, does not ship with
Red Hat; it must be obtained separately.

> --
> Jonathan Wilson

> http://members.xoom.com/wilsonj/

Post by Richard Watso » Fri, 03 Dec 1999 04:00:00


> 4. it is illegal to export source code containing encryption from the US
> without an export licence

What makes you think that the linux source code is being exported from
the US?

Do you believe that the linux kernel is only made in the US?

Rich.

 
 
 


Post by Joseph Dal » Fri, 03 Dec 1999 04:00:00



> > 4. it is illegal to export source code containing encryption from the US
> > without an export licence

> What makes you think that the linux source code is being exported from
> the US?

Certainly not, but wouldn't you agree that, as the OP pointed out, many
US servers do offer Linux, and that, besides that, many of the *
Linux distros (i.e. Red Hat) are produced/packaged/built in (to whatever
extent this involves creation of encryption software) inside the US.

> Do you believe that the linux kernel is only made in the US?

This question doesn't only involve the kernel, but all sorts of
security-related parts of Linux.

> Rich.

 
 
 


Post by Bill Unr » Fri, 03 Dec 1999 04:00:00



]> some facts (correct me if I am wrong here)
]> 1. linux is open source, and you must provide the source whenever you
]> provide the binaries (at least those parts that are under the GPL, which
]> includes, for example, the code that handles the password checking and
]> the runtime library, which contains encryption code (I think))

All of the kernel is under GPL.

]> 2. linux contains encryption for the passwords and other stuff

No. It is NOT encryption, it is a hash. The fact that the hash function
uses DES (in crypt(3)) does not mean it is encryption. Hash functions
are explicitly exempt from the encryption control.

]> 3. linux and the source are available from various US servers
]> 4. it is illegal to export source code containing encryption from the US
]> without an export licence

It is illegal to export encryption of any form without a license. But
the password functions are not encryption. They are a hash. Furthermore,
programs designed for authentication are explicitly excluded from
encryption control as long as they are not easily converted to a true
encryption program. The fact that any hash algorithm can, with three
lines of code, be converted to an encryption routine is irrelevant.

]> 5. linux does not have such a licence
]> My question: are the people running the US servers with linux on them
]> breaking the law? And if not, then why not?

]I don't have any solid facts on this, but I would think that this
]depends upon the strength of the encryption involved. I am sure that Red
]Hat is aware of the legal issues as far as what kind of security can be
]included in their distribution... SSH, for example, does not ship with
]Red Hat; it must be obtained separately.

SSH IS encryption. It is not simply an authentication process but is an
encryption program. It encrypts all traffic between the two machines.
(Under current regulation it does not depend on the strength. All
encryption needs a license. No hash or authentication system does.)

 
 
 


Post by Bill Unr » Fri, 03 Dec 1999 04:00:00



>What makes you think that the linux source code is being exported from
>the US?

If any encryption product is placed on a ftp or web site from which it
can be downloaded from a foreign country without controls, then it has
been, by definition of the regulations, exported, even if it is never
thus downloaded. The Redhat ftp site for example is in the USA and has
no controls to prevent downloading from a foreign site. If it contained
encryption products it would have exported those products by definition.

>Do you believe that the linux kernel is only made in the US?

It does not matter where the encryption product is from.
 
 
 


Post by Joseph Dal » Sat, 04 Dec 1999 04:00:00




> > Certainly not, but wouldn't you agree that, as the OP pointed out, many
> > US servers do offer Linux, and that, besides that, many of the *
> > Linux distros (i.e. Red Hat) are produced/packaged/built in (to whatever
> > extent this involves creation of encryption software) inside the US.

>         But, debian (I do not know other distributions as well) has a
> special 'non-us' part, which I think is only available outside US.

Is this only available in packaged versions? If it is, then I suppose
someone who put that up on a server for access from everywhere
(including US) *would* be violating the law, yes?

> --
>  SP: I can't wait for a good WWDC to sort all of this out, I think.
>  Ol: "MacOS X Server 1.0 will ship on Intel and PowerPC", WWDC'98.
>  SP: Arggg, now that's no longer perversity, that's *e...
>  + SP in Guide du Macounet Pervers: World Wide Developer Couillonade +

 
 
 


Post by wa.. » Sat, 04 Dec 1999 04:00:00


On Tue, 30 Nov 1999 22:08:57 +0800, Jonathan Wilson


>some facts (correct me if I am wrong here)
>1.linux is open source, and you must provide the source whenever you
>provide the binaries (at least those parts that are under the GPL, which
>includes, for example, the code that handles the password checking and the runtime
>library, which contains encryption code (I think))

Technically inaccurate, but you got the basic idea.

>2.linux contains encryption for the passwords and other stuff
>3.linux and the source are available from various US servers
>4.it is illegal to export source code containing encryption from the US
>without an export licence

Incorrect.

SOME encryption software (the good stuff) it is illegal to export from
the US without an export license.  If for example you're in Mexico and
download good Russian security software (a fair share of the good
stuff originates in Russia) from a mirror site in the US, you're in
trouble.  (You can evade this law by, in the US, printing the software
onto paper, then, in Mexico, using an OCR scanner to read the software
from the paper into a computer: exporting the software ON PAPER is
perfectly legal.  Or, in this example, if you just go get the software
from the Russian server, rather than a US mirror, no problem.)

However, there's a tremendous amount of encryption software that is
NOT covered by this requirement, because it isn't really that good.

>5.linux does not have such a licence
>my question are the people running the us servers with linux on them
>breaking the law? and if not then why not?

If you are referring to running a server *using* Linux, certainly not:
they aren't exporting the software, they are simply using it.

If you are referring to the servers where you can download Linux, see
above. Some encryption software is restricted because it's hard for
the CIA to read messages encrypted with it.  Passwords are routinely
not decrypted; at least some network software uses a password
encryption scheme in which it is not merely difficult, but
theoretically impossible, to decrypt the password.  What's the point
of decrypting the password the user provided and the password in the
password file - why not just compare the encrypted strings?

>--
>Jonathan Wilson

>http://members.xoom.com/wilsonj/
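
The point made in this post and in Bill Unruh's earlier reply, that password checking hashes the candidate and compares the results without ever decrypting anything, shown as an added example that is not part of the thread. It uses PBKDF2-HMAC-SHA256 from Python's standard library in place of the DES-based crypt(3) the thread mentions; the record layout, function names and sample password are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000         # assumed work factor for this example
MAX_ITERATIONS = 10_000_000  # refuse absurd values from a tampered record


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Build the stored entry 'iterations$salt$digest' (hex fields).

    Only the salt and the one-way digest are kept; the password is not.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Hash the candidate with the stored salt and compare digests.

    There is no decrypt step: nothing here turns a record back into
    a password.
    """
    try:
        iter_field, salt_hex, digest_hex = record.split("$")
        iterations = int(iter_field)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if not 1 <= iterations <= MAX_ITERATIONS:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    stored = make_record("correct horse")    # constructed sample password
    print(stored)
    print(verify("correct horse", stored))   # right password
    print(verify("correct horsf", stored))   # one character off
    # Same password, fresh salt: a different record, so equal passwords
    # cannot be spotted by comparing stored entries.
    print(make_record("correct horse") != stored)
```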


Post by Joseph Dal » Sat, 04 Dec 1999 04:00:00




> > Is this only available in packaged versions? If it is, then I suppose
> > someone who put that up on a server for access from everywhere
> > (including US) *would* be violating the law, yes?

>         Which law ? Certainly not US law, since it forbids export, but
> not import.

Then what's the point of having "a special 'non-us' part, which I think
is only available outside US."?
 
 
 


Post by Rod Smi » Sat, 04 Dec 1999 04:00:00


[Posted and mailed]





>> > Is this only available in packaged versions? If it is, then I suppose
>> > someone who put that up on a server for access from everywhere
>> > (including US) *would* be violating the law, yes?

>>         Which law ? Certainly not US law, since it forbids export, but
>> not import.

> Then what's the point of having "a special 'non-us' part, which I think
> is only available outside US."?

So that non-US FTP mirror sites, CD manufacturers, etc., can use it and
distribute the encryption technology. US manufacturers might be able to
use it, too, but only if they mark the product "not for export." Silly? Of
course.

There is one other issue, though, beyond US law: patents. Some encryption
algorithms are patented in the US, but most other countries don't
recognize the legitimacy of these patents. Therefore, programs that use
these algorithms without approval from the patent holders are legal
outside the US but not in the US.

--

http://members.bellatlantic.net/~smithrod
Author of books on Linux networking & WordPerfect for Linux

 
 
 


Post by Richard Watso » Sun, 05 Dec 1999 04:00:00


> > > 4. it is illegal to export source code containing encryption from the US
> > > without an export licence

> > What makes you think that the linux source code is being exported from
> > the US?

> Certainly not, but wouldn't you agree that, as the OP pointed out, many
> US servers do offer Linux, and that, besides that, many of the *
> Linux distros (i.e. Red Hat) are produced/packaged/built in (to whatever
> extent this involves creation of encryption software) inside the US.

I apologise.

I'm not trying to belittle the underlying point; I'm sorry if it
sounded like that. Over the water here away from Uncle Sam things look
differently.

I agree that it's an issue. I know I'm not "supposed" to download a
version of Netscape with 128 bit encryption as this originated in the
US. But who will it affect exactly?

Let's say that SUSE offered "strong" encryption built into one of its
distributions. Is it true that if this is available on a US server it
can't be made available anywhere else? If so under which law? Not
under a law that could affect Suse? I'd say that they would have the
backing of their own government to go right ahead and distribute it.

The server is just part of the distribution system. It's like saying
"If a boat carrying a crate of linux distributions stops off at New
York does that count as a US export?". OK so that's a bit simplistic
but you get the point.

If I download linux from a US server over here in the UK (unlikely I
know but possible) can I possibly be breaking US law anyway and do I
care? US law can't touch me over here. What are they going to do - fly
over and arrest me for downloading something legally available in
their own country?

Don't get me wrong I think these are very important matters but it's
trying to go against the tide for the US to try to prohibit the
overseas sale of software with strong encryption especially when even
the long arm of the US law couldn't reach the perpetrators. Why does
my server deserve less security than an identical one in the US?

The real issue is who do we trust for our security? Our governments or
ourselves.

Rich.

 
 
 


Post by Richard Watso » Sun, 05 Dec 1999 04:00:00


> I don't have any solid facts on this, but I would think that this
> depends upon the strength of the encryption involved. I am sure that Red
> Hat is aware of the legal issues as far as what kind of security can be
> included in their distribution... SSH, for example, does not ship with
> Red Hat; it must be obtained separately.

Interesting problem:

Let's say that an encryption algorithm was written by someone, call him
Jose (<wink>) in, let's say, Spain who offered their software free
under GPL.

US Citizen Fred likes Jose's software and writes a graphical front-end
for it (or makes some other adaptation) incorporating Jose's code. He
distributes this under GPL as he should indeed -must- if I'm at all
familiar with GPL.

Can Fred, under the terms of GPL, limit his downloading audience to US
people only?

Similarly can't Netscape who have branches all over the world issue
two identical but differently named products containing 128 bit
encryption one for US and one for the rest of us? I'm sure that they
could find a programmer out of the US to write it for them.

OR am I missing the point by a huge margin?

Rich.

 
 
 


Post by Rod Smi » Mon, 06 Dec 1999 04:00:00


[Posted and mailed]



> Let's say that SUSE offered "strong" encryption built into one of its
> distributions.

I'm not positive, but I believe they do -- on a German-only version of
their product.

> Is it true that if this is available on a US server it
> can't be made available anywhere else?

No. It means that the US server may not distribute that software to non-US
sites. I'm not a lawyer, though, and am unfamiliar with the minutiae of
this law; the implications may be somewhat different than this, such as it
might not be legal to put it up on a US FTP site at all, or the FTP site
might be required to only accept connections from the US. The point is,
the software can't pass from the US to other countries. It's not breaking
US law for, say, a user in Spain to download this hypothetical software
directly from Germany, nor for a user in the US to download it from
Germany, nor for a US company to press CDs and sell them in the US. The
moment that CD crosses the border, though, the US law has been violated,
despite the fact that the software originated outside the US.

Don't get me wrong -- I am **NOT** trying to defend this law or claim it
makes sense. It's preposterous, IMHO, but it is the (US) law.

> I'd say that they would have the
> backing of their own government to go right ahead and distribute it.
> The server is just part of the distribution system.

Again, I am not a lawyer and all that, but if a US FTP site were to put up
some SuSE-created software with strong encryption, I rather doubt if any
charges would be brought against SuSE -- they'd be brought against
whoever's responsible for the US-based FTP site.

> If I download linux from a US server over here in the UK (unlikely I
> know but possible) can I possibly be breaking US law anyway and do I
> care? US law can't touch me over here. What are they going to do - fly
> over and arrest me for downloading something legally available in
> their own country?

There is such a thing as extradition. That said, I don't know if the law
is worded in such a way that anybody in the US would try to go after YOU.
They'd go after whoever made the software available to you -- the
maintainer of the US FTP site.

> Don't get me wrong I think these are very important matters but it's
> trying to go against the tide for the US to try to prohibit the
> overseas sale of software with strong encryption especially when even
> the long arm of the US law couldn't reach the perpetrators. Why does
> my server deserve less security than an identical one in the US?
> The real issue is who do we trust for our security? Our governments or
> ourselves.

Again, no argument here from me -- IMHO, the US export regulations on
encryption are ludicrous. The "perpetrators," though, would not be the
people in Germany, the UK, or wherever who wrote the software or who
distributed it FROM their home countries; it's the people who exported the
software FROM THE US.

--

http://members.bellatlantic.net/~smithrod
Author of books on Linux networking & WordPerfect for Linux

 
 
 


Post by Casey Schaufle » Tue, 07 Dec 1999 04:00:00



> US Citizen Fred likes Jose's software and writes a graphical front-end
> for it (or makes some other adaptation) incorporating Jose's code. He
> distributes this under GPL as he should indeed -must- if I'm at all
> familiar with GPL.

> Can Fred, under the terms of GPL, limit his downloading audience to US
> people only?

No.

> Similarly can't Netscape who have branches all over the world issue
> two identical but differently named products containing 128 bit
> encryption one for US and one for the rest of us?

Yes, but they can't use Jose's GPL code. In fact, they can't release
the source for the 56 bit version.

> I'm sure that they
> could find a programmer out of the US to write it for them.

Sure they could, but once the knowledge came into the programmer's
head, Netscape would be guilty of export violation.

> OR am I missing the point by a huge margin?

The point is that US law does not care where the bomb came from,
only where it is going. So long as cryptographic software is considered
munition, it will be treated like an explosive device. That means that
US companies, their subsidiaries and employees, may not deliver it
to foreigners without license.

--

Casey Schaufler                         voice: (650) 933-1634

 
 
 
