[ISN] PGP's 6.0: Cat Out of the Bag

From: mea culpa (jerichoat_private)
Date: Fri Sep 04 1998 - 08:28:29 PDT


    Forwarded From: blueskyat_private
    
    [It never ceases to amaze me that the US Congress really thinks
     they can stop the flow of information and software. Or perhaps
     they just think passing useless laws makes them appear to be
     productive and useful.  - bluesky]
    
    http://www.wired.com/news/news/technology/story/14819.html
    
    PGP's 6.0: Cat Out of the Bag
    by Chris Oakes 
    12:50pm  3.Sep.98.PDT
    
    How fast does software that shouldn't be exported from US shores get
    exported anyway?  So fast, the company that makes it hasn't even announced
    the software's existence.
    
    That's what happened to the latest version of Pretty Good Privacy (PGP)'s
    freeware Wednesday, when the author of a Web site in England posted the
    software for download.  PGPfreeware 6.0 is a software utility that uses a
    form of strong encryption to scramble data, such as email messages, into
    unreadable code.
    
    Because it uses strong encryption technology -- code that is scrambled
    using "keys" that are longer than 40 bits in length -- PGPfreeware 6.0,
    like earlier versions and similarly strong products, is subject to strict
    US export rules administered by the Commerce Department.
    
    A Commerce Department spokesperson said the agency was unaware of the
    incident and therefore had no comment.
    
    This isn't the first time the popular software has found its way quickly
    outside US borders, thanks to the Net.
    
    "This happens every time we do a release of the product. And it happens
    despite the precautions we take," said Kelly Blough, director of
    government relations for PGP's vendor, Network Associates (NETA).
    
    Those precautions include distributing the software via a special
    "export-controlled" server.  When a user requests a download of
    strong-encrypted software like PGP, the company server runs a domain check
    on the downloading party. The analysis is meant to determine that the
    download destination is a domestically based computer (at least according
    to its official Internet Protocol markings). A series of questions on the
    download page also asks the user to confirm that he or she resides in the
    US.
    
    Network Associates had put up the download page for the software in
    advance of its plans to announce a PGP product suite next Tuesday. 
    PGPfreeware 6.0 is the freeware client version of the upcoming suite.
    
    Encryption technology expert Bruce Schneier was as unsurprised by the news
    as Network Associates. "On the Internet, there is no such thing as place.
    This basically shows it's impossible to enforce domestic policy in an
    environment that is, by its very nature, global."
    
    Schneier said he experienced the same sequence of events with strong
    encryption software of his own. When he submitted his "Twofish"
    encryption technology for use in a next-generation government encryption
    standard, AES, the software was posted on internationally based Web sites
    within 24 hours.  Schneier even includes the international links on his
    own Web site.
    
    Wired News was able to download the PGP software from the UK site. The
    accompanying software license agreement matched that of the version
    available at Network Associates.
    
    The event threatens to become an annual one. 
    
    A little more than a year ago, PGPfreeware 5.0 quickly made its way from
    the US to Europe in similar fashion. Shortly after PGPfreeware 5.0 was
    available on servers at MIT, there were reports that the software had
    already been transmitted to a foreign file server.
    
    The event happened just as a Senate bill seeking to codify the
    government's encryption policy was introduced. In the same week, an
    academic/corporate team succeeded in breaking the government's standard
    56-bit code, a very weak form of strong encryption.
    
    Crypto advocates used the timing of the converging news to underscore both
    the importance of strong encryption technology and the futility of any
    rules restricting its flow across international boundaries.
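
    [Editor's note: the "export-controlled" server described above (a reverse
    DNS check on the requesting address plus a residency questionnaire) is
    easy to model, and the model shows why Blough and Schneier expected it to
    fail. The following is an added illustration written for this archive; it
    is not Network Associates' code, and the reverse-DNS table, the IP
    addresses (RFC 5737 documentation ranges) and the "domestic TLD" policy
    are constructed assumptions.]

```python
"""Model of the 'export-controlled' download gate the article describes:
reverse-DNS the requesting IP, treat US-looking domains as domestic, and ask
the user to attest US residency. This is an added illustration, not Network
Associates' code; the reverse-DNS table, IP addresses (RFC 5737 documentation
ranges) and TLD policy are all constructed assumptions."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for the server's reverse-DNS (PTR) lookup so the
# example runs offline. Hostnames are invented.
REVERSE_DNS = {
    "192.0.2.44": "crypto-lab.example.edu",      # US university host
    "198.51.100.7": "ws17.example.com",          # generic .com: says nothing about location
    "203.0.113.9": "mirror.example.ac.uk",       # UK academic host
    "198.51.100.200": None,                      # no PTR record at all
}

# Assumed policy: country-code .us plus the US-administered and generic TLDs
# count as 'domestic'. In 1998 most .com/.net/.org registrants were in the US,
# but a TLD never encoded geography, which is the gate's weakness.
DOMESTIC_TLDS = {"us", "gov", "mil", "edu", "com", "net", "org"}


@dataclass(frozen=True)
class DownloadRequest:
    client_ip: str
    attests_us_resident: bool   # answer to the questionnaire on the download page


def resolve_tld(ip: str) -> Optional[str]:
    """Return the top-level label of the client's reverse-DNS name, or None."""
    host = REVERSE_DNS.get(ip)
    if not host:
        return None
    return host.rsplit(".", 1)[-1].lower()


def export_gate(req: DownloadRequest) -> Tuple[bool, str]:
    """Decide whether to serve the strong-crypto download; returns (allowed, reason)."""
    if not req.attests_us_resident:
        return False, "user did not attest US residency"
    tld = resolve_tld(req.client_ip)
    if tld is None:
        return False, "client IP has no reverse DNS; cannot classify"
    if tld in DOMESTIC_TLDS:
        return True, f".{tld} treated as domestic"
    return False, f".{tld} treated as foreign"


def relay_through(domestic_host_ip: str) -> DownloadRequest:
    """Model a foreign user fetching via a cooperating US-side machine (a shell
    account, a friend's box, an open proxy): the gate only ever sees the relay."""
    return DownloadRequest(client_ip=domestic_host_ip, attests_us_resident=True)


if __name__ == "__main__":
    for req in (
        DownloadRequest("192.0.2.44", True),      # honest US user: allowed
        DownloadRequest("203.0.113.9", True),     # .ac.uk host: refused
        DownloadRequest("198.51.100.7", True),    # .com host anywhere on earth: allowed
        DownloadRequest("198.51.100.200", True),  # no PTR record: refused
        relay_through("192.0.2.44"),              # foreign user via US relay: allowed
    ):
        print(req.client_ip, export_gate(req))
```

    Every signal the gate consumes is either self-reported (the questionnaire)
    or non-geographic (the top-level label of a PTR record chosen by whoever
    runs the client's network), and a US-side relay makes the requester
    invisible. Even against honest users the check is a one-way valve: it
    decides whether to hand over the first copy, and once that copy sits on a
    domestic disk nothing in it prevents the file from being mirrored in
    England the same day, which is exactly what happened.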
    
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:03:10 PDT