Forwarded From: blueskyat_private

[It never ceases to amaze me that the US Congress really thinks they can stop the flow of information and software. Or perhaps they just think passing useless laws makes them appear to be productive and useful. - bluesky]

http://www.wired.com/news/news/technology/story/14819.html

PGP's 6.0: Cat Out of the Bag
by Chris Oakes
12:50pm 3.Sep.98.PDT

How fast does software that shouldn't be exported from US shores get exported anyway? So fast, the company that makes it hasn't even announced the software's existence.

That's what happened to the latest version of Pretty Good Privacy (PGP)'s freeware Wednesday, when the author of a Web site in England posted the software for download.

PGPfreeware 6.0 is a software utility that uses a form of strong encryption to scramble data, such as email messages, into unreadable code. Because it uses strong encryption technology -- code that is scrambled using "keys" that are longer than 40 bits in length -- PGPfreeware 6.0, like earlier versions and similarly strong products, is subject to strict US export rules administered by the Commerce Department.

A Commerce Department spokesperson said the agency was unaware of the incident and therefore had no comment.

This isn't the first time the popular software has found its way quickly outside US borders, thanks to the Net.

"This happens every time we do a release of the product. And it happens despite the precautions we take," said Kelly Blough, director of government relations for PGP's vendor, Network Associates (NETA).

Those precautions include distributing the software via a special "export-controlled" server. When a user requests a download of strong-encrypted software like PGP, the company server runs a domain check on the downloading party. The analysis is meant to determine that the download destination is a domestically based computer (at least according to its official Internet Protocol markings). A series of questions on the download page also asks the user to confirm that he or she resides in the US.

Network Associates had put up the download page for the software in advance of its plans to announce a PGP product suite next Tuesday. PGPfreeware 6.0 is the freeware client version of the upcoming suite.

Encryption technology expert Bruce Schneier was as unsurprised by the news as Network Associates.

"On the Internet, there is no such thing as place. This basically shows it's impossible to enforce domestic policy in an environment that is, by its very nature, global."

Schneier said he experienced the same sequence of events with strong encryption software of his own. When he submitted his "Two-fish" encryption technology for use in a next-generation government encryption standard, AES, the software was posted on internationally based Web sites within 24 hours. Schneier even includes the international links on his own Web site.

Wired News was able to download the PGP software from the UK site. The accompanying software license agreement matched that of the version available at Network Associates.

The event threatens to become an annual one. A little more than a year ago, PGPfreeware 5.0 quickly made its way from the US to Europe in similar fashion.

Shortly after PGPfreeware 5.0 was available on servers at MIT, there were reports that the software had already been transmitted to a foreign file server.

The event happened just as a Senate bill seeking to codify the government's encryption policy was introduced. In the same week, an academic/corporate team succeeded in breaking the government's standard 56-bit code, a very weak form of strong encryption.

Crypto advocates used the timing of the converging news to underscore both the importance of strong encryption technology and the futility of any rules restricting its flow across international boundaries.

-o-
Subscribe: mail majordomoat_private with "subscribe isn".