[ISN] Porn out, encryption in

From: InfoSec News (alerts@private)
Date: Mon Sep 11 2006 - 01:29:14 PDT


http://www.computerworld.com.au/index.php/id;1018323284

By Jon Espenschied
08/09/2006

The government of Sudan started seizing and quarantining laptop
computers for inspection last week, ostensibly to stem the import of
pornography and seditious material. Official assurances that the
inspection of each laptop will take no more than 24 hours have done
little to assuage fears of foreign visitors. Many are understandably
reluctant to hand over collections of business and personal
information for Sudanese officials to pore over in search of hostile
or titillating tidbits.

Like many government policies across the globe, this directive was
apparently drafted with a clear social goal in mind, but with little
understanding of the use and pace of technology. Surely anyone serious
about transporting intelligence information or treasonous material
will use methods of encryption and obfuscation that would take more
than a few hours of inspection to discover. Likewise, pornography has
a way of finding its way to interested consumers no matter how it's
hampered. In any case, one would think the low-wattage beacons of
leadership in Khartoum would have more pressing business in Darfur.

While the Sudanese government has been on spin cycle for half a
century, the country's leaders have been able to stabilize certain
technology and energy-related aspects of the economy over the past few
years. Recent ventures away from an otherwise solidly agrarian market
have brought an increase in the number of affluent nationals and
foreign businesspeople traveling in and out of the country -- each
carrying little devices with lots of data. Apparently it occurred to
government officials that they didn't understand what was in the
devices and that the devices might be the conveyance for objectionable
material.

The immediate effect of the quarantines and data inspections is sure
to be a dampening of business interest in an already risk-fraught
environment. Over the long term, however, silly rules regarding
technology tend to be corrected by individuals' use of even more
advanced technology. Governments rarely win this sort of
one-upmanship. In a bit of mild hysteria that peaked in the 1990s, the
U.S. government clamped down on the export of both powerful computers
and encryption software, to somewhat different and unexpected ends.
Both situations are worth considering in the context of Sudan.

The U.S. Department of Commerce's Bureau of Export Administration
(BXA) maintains a formal definition of what our government considers a
supercomputer, along with a few other thresholds for computing power
that can be exported to hostile or politically bewildered foreign
states. Relevant regulations at the time included 15 CFR Parts 770,
772, 773, 776, and 799. When Apple introduced the PowerMac G4 in the
late 1990s, its capacity to process over 1 billion instructions per
second (1 GFLOPS) qualified it as a supercomputer. Because powerful
computers can be used to do things like compute missile trajectories
and simulate conflict outcomes, such machines were considered
munitions under U.S. export law.

While the starched shirts of the Defense Department were deadly
serious about preventing export of "munitions" technology to hostile
states, Apple astutely turned this into a marketing bonanza, appealing
to power-hungry computer users across the country. Other PC makers
followed suit, and new versions of the Intel Pentium processor were
similarly promoted as personal supercomputers. Market pressures
convinced the BXA and the Defense Department to adjust the standard
much more quickly in light of advancing technology and to ease export
restrictions so the G4 and similarly powerful systems could be
marketed overseas.

I'm sure that back in the '60s, agents of the then-young National
Security Agency would have had a collective aneurysm at the thought of
commonplace digital watches with 16-bit processors and 32K of memory
-- about the same computing power as the NASA guidance computer
systems that managed Apollo missions to the Moon. But today's critical
computing infrastructure and top-secret technology is tomorrow's
disposable tchotchke, and it took a long time for the policy-makers to
realize that they needed a comparative standard rather than an
absolute one.

A similar situation arose in the U.S. around encryption technology,
but with different effect. The U.S. Department of State's Directorate
of Defense Trade Controls (DDTC) is responsible for defining
munitions, and for publishing the official United States Munitions
List of weapons and information that we wouldn't want to end up in the
hands of naughty people. The munitions list enumerates such specific
cases as "Technical Data and Defense Services Not Otherwise
Enumerated" and "Miscellaneous Articles." This leaves plenty of room
for computer hardware and software that make governmental people
nervous. The DDTC is also given the authority to regulate the export
of anything defined as a munition under the Arms Export Control Act
(AECA). AECA is in turn implemented as the International Traffic in
Arms Regulations, or ITAR.

It's this ITAR that caused Phil Zimmermann, the author of Pretty Good
Privacy, so much trouble. ITAR prohibited the export of any encryption
using more than 40 bits for its key until 1996. When Zimmermann and RSA
couldn't settle a dispute in 1993 regarding an early agreement, RSA
complained to U.S. Customs that Zimmermann was exporting
munitions-grade encryption. But a funny thing happened: Zimmermann was
harassed and investigated about the export of 128-bit encryption but
never prosecuted. By the time a thorough investigation had taken place
in Zimmermann's case and others, it was pretty clear the effect of the
law was to wash a lot of encryption research and product development
away from U.S. shores.

The prohibition on the export of strong encryption technology led
several commercial research organizations to relocate or outsource
their encryption groups and projects to more friendly locales. Over
the course of a half-dozen years, a significant chunk of
state-of-the-art encryption research and development left the United
States for Finland, Russia, Ireland, Australia, India and the like. Of
course, not everyone left in the U.S. was hung out to dry. Major
academic institutions and commercial powerhouses such as RSA still
cranked out encryption tools, but the availability of top-notch
commercial products from outside the U.S. (such as the
Finnish-developed BestCrypt) made many portions of the U.S. export
restrictions meaningless.

Subsequent relaxing of export controls over encryption didn't undo the
spread of technology to other nations. For example, in late 1997, a
year after the first major easing of encryption export controls, RSA
acquired a Japanese company to form Nihon-RSA, a subsidiary not
subject to U.S. encryption export rules. At the same time, Sun
Microsystems announced it would begin selling a 128-bit VPN product
developed by a Moscow firm called ElvisPlus Co. as part of its own
SunScreen product line.

Clearly it's easy to write a policy that drives encryption research
and development away. How would one pull these technologies into a
country? Easy -- ban pornography and start randomly searching people's
personal data storage. However unintentionally, the Sudanese
government is creating a strong internal demand for technical privacy
controls. The people subject to these new quarantine and search laws
are rather affluent by Sudanese standards and clearly have access to
foreign sources of data and software. It would be foolish to assume
they would not take steps to protect their data. If Sudanese people
with resources are forced to commission or create their own security
tools, those tools will likely be made available in both English and
Arabic-language versions -- another step forward for the spread of
security and privacy tools.

As Sudanese nationals and visitors become more comfortable with the
security of their own data -- and count on others protecting their
data -- the expectation of secure data storage and communications will
surely insinuate itself in financial transactions and other areas of
business. Perhaps the level of invasiveness into portable data storage
will even have a positive effect on the deployment and improvement of
GSM and third-generation data services. I doubt it's what the
policy-makers had in mind, but I'll bet the effect over the next few
years is the best thing ever to happen to computer security in Sudan.
