Schneier on Security
A blog covering security and security technology.
« Bug Bounties Are Not Security |
| Bomb-Sniffing Wasps »
December 28, 2005
Are Computer-Security Export Controls Back?
I thought U.S. export regulations were finally over and done with, at least for software. Maybe not:
Unfortunately, due to strict US Government export regulations Symantec is only able to fulfill new LC5 orders or offer technical support directly with end-users located in the United States and commercial entities in Canada, provided all screening is successful.
Commodities, technology or software is subject to U.S. Dept. of Commerce, Bureau of Industry and Security control if exported or electronically transferred outside of the USA. Commodities, technology or software are controlled under ECCN 5A002.c.1, cryptanalytic.
You can also access further information on our web site at the following address: http://www.symantec.com/region/reg_eu/techsupp/enterprise/index.html
The software in question is the password breaking and auditing tool called LC5, better known as L0phtCrack.
Anyone have any ideas what's going on, because I sure don't.
Posted on December 28, 2005 at 7:08 AM
• 31 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Interesting: last week, I got an email from Symantec, which said in part:
"Dear LC Customer,
The purpose of this letter is to notify you that Symantec Corporation is discontinuing its L0phtCrack (LC) product line and will no longer provide product code updates, enhancements or fixes to this product line.
Key dates in this process are listed below.
Last Order Date: February 28, 2006
Last Ship Date: March 3, 2006
Customer Help Until Date: December 16, 2006"
Export controls have never gone away, they've just become a minor inconvenience. You still need an export license to ship cryptographic stuff overseas. In most cases companies that export cryptographic software merely have to keep a record of their buyers and file a report once a quarter with the government. (Of course, things are very different for export to North Korea, Iran, etc..) I don't know if Symantec triggered an exception to what's normally just a formality in the process, or if they're using export controls as an excuse to withhold service.
LC5 cracked 80% of the passwords at our company in under 2 minutes. It was a real eye-opener.
Are there any other good alternative password auditing tools available?
This sounds similar to recent EU export regulations: cryptography software is left pretty much alone, but cryptanalytic tools are watched much more carefully. It may be that the old COCOM fraternity have decided to try and draw a new line over codebreaking software, having lost the battle at codemaking tools.
@Kevin Davidson: Maybe try John the Ripper.
I prefer LCP and LMCRACK. Both are free.
Either disable LMHash and/or force 14+ character passwords and you won't have to worry too much.
The @stake/research directories are gone now. In fact I'm not able to find any info on the corp web site, and the phone-sales people aren't answering the phone (yet?). At first glance it seems most likley that a business decision was made to end-of-life the product, which kind of sucks because I had just told some Windows admins to buy the thing to test their systems.
Fortunately, I guess, lcsrc.zip is still widely available (as are lc201.exe and lc3setup)...alas, source is good.
I was searching part of the US export controls related Web site and haven't yet found any publicised changes. Among the sites checked, and which might be useful for other crypto export matters, are:
(This one is very interesting. But like the other BIS pages has no specific cryptanalysis product reference. Also, there seems to be lot of shuffling of documents since a year ago and older links are broken for the BIS and the BXA units.)
It is possible that the export changes that affected Symantec might been specific for the company and its particular product. It will be interesting to see if other password audit/cracker vendors, such as AccessData.com (which has some interesting password recovery tools), start changing their sales policies.
Or could Symantec just revised its interpretation of existing rules and took a more stringent approach to be a "good US corporate citizen"? Just speculations.
Crypto export controls are certainly still around. I work for a company that makes (among other things) ethernet switches, and you can't get the SSH/SSL/SNMPv3 version of the switch software in any 'unfriendly' countries.
"Symantec Corporation is discontinuing..."
It really looks as if Symantec is just killing the LC product outright. I don't know if they have any comparable product and are just eliminating the competition or something else is at hand. Maybe the IT community should stand up in unison and say "Oh my God! You killed L0phtCrack! You bastards!"
Unfortunately, the LC product doesn't appear to be a competitor, requiring federal regulatory oversight to prevent monopoly marketshare attainment.
Maybe there are some underlying reasons for this move. I'm just speculating, so none of these hypotheses are backed up with any evidence.
* NSA (or similar agency) paid Symantec to do this.
* Symantec has a secret vulnerability to their protection software that is exposed by LC (and similar) use.
* Symantec can now claim that they've made PCs more secure by withholding software, rather than delivering software.
* Symantec is planning to offer a PW-cracking service. I wonder if it will be based in India, like their tech support call center..."@*#$!$^*"
* Symantec is positioning themselves to be acquired by someone.
* The LC folks needed cash for the upcoming holiday shopping season.
I'm being pedantic, but...
It came up on slashdot last week. The Register had their article a month ago. I'm surprised the Crypto community didn't pick up on it sooner.
Anyway, just sounds like typical corporate marketspeak - take the product off the market, blame someone/something outside the company. Can't they just own up and say "We don't wanna do this anymore..."?
Is LC a successful product line for Symantec? Does anybody really know? Are the free alternatives eating up a significant chunk of the market for password cracking (sorry, password auditing) utilities? This kind of sounds like a business decision to me and Symantec is simply using export regulations as a quick excuse for discontinuing what might be only a slightly popular product line.
Whenever a product is discontinued and support for that product ends, customers line up around the block to complain and raise a stink over it -- understandably so in many cases. I imagine that Symantec can save a lot of money fielding customer questions on this matter by simply saying, "The government made us do it," rather than trying to explain why the product line is no longer worth supporting.
With bad security decisions making the evening news on a nearly nightly basis, it's a believable story that's unlikely to be questioned by most of Symantec's customers (present company excluded of course). Invoking some unknowable secret export regulation in this new era of illegal NSA wiretaps and radiation monitoring is probably a pretty easy way for a company like Symantec to just close the issue without further discussion.
"It came up on slashdot last week. The Register had their article a month ago. I'm surprised the Crypto community didn't pick up on it sooner."
We're not always paying attention to everything all of the time.
My understanding was that export restrictions on crypto never went away, except for fairly broad exemptions for open source software. It's been a couple of years since I've paid any attention to the issue, though, so things may well have changed -- a LOT.
As for l0phtcrack, I'm sad to see it die. It was an extremely useful piece of software. Now I'll have to go dig up an old copy or something...
"We're not always paying attention to everything all of the time."
Well, except for the NSA :^(
The real question about export restrictions is: Does it matters?
Today almost all security algorithms are public available and there are lots of excelent books teaching how to use them. And even if you do restrict its sales, would be preety easy to buy it at a local store and send it by fedex to a foreign country. The same applies to any software, you can easily buy and mail it. A foreign officer could even buy it and send by diplomatic mail. Export restrictions are just smoke and mirrors.
The free tool Cain seems to be as good as LC, maybe better due to less restrictions.
Just wondering what's the point of export regulations when all the information to implement just about anything is already publicly available.
Good thing is non-US companies benefit as the US ones are prevented to export (and are thus prevented from selling and making profits).
It appears that the company has just decided not to deal with the export issue. They looked at the regs, didn't go past the first listing, deciding it was controlled for national security column 1. The classification is off in any case, software is category D as in 5D002. I don't know enough about the software to determine if the classification as 5D002 is correct. It doesn't sound like it to me though.
The applicable EAR is at
Could the software meet the criteria for the note quoted below?
"Note 3: Cryptography Note: ECCNs 5A002
and 5D002 do not control items that meet all of
a. Generally available to the public by being
sold, without restriction, from stock at retail
selling points by means of any of the following:
1. Over-the-counter transactions;
2. Mail order transactions;
3. Electronic transactions; or
4. Telephone call transactions;
b. The cryptographic functionality cannot be
easily changed by the user;
c. Designed for installation by the user
without further substantial support by the
d. When necessary, details of the items are
accessible and will be provided, upon request, to
the appropriate authority in the exporter's country in order to ascertain compliance with conditions described in paragraphs (a) through (c) of this note."
Good point. Cain is a fine alternative, especially with the wireless sniffer built in, etc. but one has to wonder what's up with such a famous and well-established product being terminated so abruptly.
L0phtCrack was like a clear beacon to take the Windows Admins towards truly secure passwords in spite of the dense field of Microsoft marketing chaff and smoke.
Mudge, weld, or even hobbit for that matter...what have they done to you?
Exporting products has always required getting permission from the Bureau of Export Administration (BXA -- has a new name as of last year, but I don't remember it). There are two basic classifications that apply to crypto products: encryption (SSL, SSH, and friends) and analysis (packet sniffers, etc.) The former are generally dumped in the same bucket as consumer grade products with a special clause with regard to open source based products. (They finally figured out that the "other guy" already has the source so they aren't hiding anything...) As part of the disclosure process, these details are listed out including out all of the algorithms implemented in the product. I don't recall whether there is an explicit allow list, but it would not surprise me if there are upper bounds in the crypto stratosphere.
The analysis side of the equation gets treated much more stringently. While I started the process once for a sniffing product, the product ended up getting killed before we finished the export processing. It was clear from the start of the process that it would be long and likely would require a lawyer's time. Obviously this would have to factor into the business justification for making a product available outside of the US.
In short, I don't think there is any real change to the export rules, just a case of a dying product.
FWIW my vote goes with D
The takeover of @stake was announced as adding to symantec's consulting skills, its quite possible that LC was an unwanted accessory.
How many copies of Norton do they sell versus LC? Culture clash? If the relevant corporate product managers and developers don't see eye to eye, or understand the mindset needed...
Any hint about regulatory problems may be a convenient excuse for making 'savings' by a company operating in a squeezed market.
I imagine Sym's shareholders would like them to look for a buyer for the product...
Unfortunately in my opinion Symantec seem to have become a corporate form of the Borg. Rather than innovate they seem search out new products and absorb them. They then reemerge in yellow boxes. Two examples being Ghost and Atguard firewall software. I just hope Counterpane is not assimilated at some future point. Resistance would be futile.
All jokes aside it’s a sad day to see the work and innovation of the guys at @stake go this way.
"Unfortunately in my opinion Symantec seem to have become a corporate form of the Borg. Rather than innovate they seem search out new products and absorb them. They then reemerge in yellow boxes. Two examples being Ghost and Atguard firewall software."
That's why the philosophy of open source is so important, when people believe in something they can't be easily bought out like a money motivated corporation can.
I'm glad I'm free of Microsoft products, I no longer have to concern myself with free anti-virus programs and firewall programs and useless features being added to bloat the code, which software product will I have to switch to next because they started charging $ and discontinued the free version or got bought out by another company.
This, my friends, is one of the many reasons why I love Linux. iptables is easy to configure with a front end or learn with time, and no anti-virus is needed for the desktop.
I always read thus URL to globally advise friends. Maybe it is not up to date but it gives a nice information survey. Alas it is in Dutch
Something went wrong: here is the mentioned link
It is correct that Symantec is over-stating the US export controls on L0phtCrack. Under current US law, "cryptanalytic items" like L0phtCrack can be exported to all end users except "government end users" (which has a detailed definition) in all countries other than Cuba, Iran, Libya, North Korea, Sudan and Syria, after a one-time technical submission to the US government followed by a 30-day waiting period. See U.S. Code of Federal Regulations, title 15, section 740.17(b).
On the other hand, US export controls on encryption items never went away. They were substantially relaxed in January 2000, and have been further relaxed a number of times since then. But most products that use encryption for confidentiality, even with symmetric keys of 56 bits or less, still require some kind of submission to the US government before export. The widespread belief that encryption exports have been decontrolled leads to not infrequent inadvertent violations of US law by encryption software developers (particularly by smaller entities that have limited resources for regulatory compliance). Although this sort of violation produces work for law firms like mine (we think we are the leader on US encryption export controls), we would still prefer that the software community be accurately informed about the rules.
Our summary of current US controls on products using encryption for confidentiality is at www.steptoe.com/publications/EncryptionChart.pdf.
Nikolai's post of dec 28th, has the story correct as far as we can tell. the rules and laws never really went away, they were morphed into what is called "deemed export" rules and laws. BIS never had the money to actively pursue infractions of the law, so tried to monitor and catch the big stuff, like Boeing selling planes to China that had restricted attitude sensors in them for navigation and control, took them something like ten years to figure out Boeing was breaking the law. Suspect they didn't start getting serious until someone in Homeland Security saw that they really weren't inforcing the laws, so now they have started.
if Symantic went thru the process of classifying like Nikolai says, they would probably find they could still export the software anywhere except the Group E countries, or "axis of evil countries", Cuba,Iran, North Korea, Libya, Sudan and Syria. All this is laid out in excrutiating detail, actually mumble jumble legalese in 15 CFR, Chapter VIIm parts 700 to 774. Included are ways to figure out the items ECCN, Export Classification Control Number, which is used to determine to which group of countries something can be exported.
Just another way to expand the reach of lawyers into controlling commerce. There is software available commericially to assist in determining the ECCN, but not in making the decisions whether something can be exported. These rules apply even if the item is made or developed in a foreign country is imported to the US and then exported.
gov agencies have been targeted by BIS for ignoring the laws for over 10 years. sounds like they have started on the companies and students also. restrictions on foreign students in academia is all part of this effort also. must have been a huge infusion of money to hire more staff, mostly lawyers.
my residance in Dubai and doing business these days in this country, ineed to make renwal to my antivirus for this new machine,please allow for action
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.