The Return of Crypto Export Controls?

Last month, for the first time since US export restrictions on cryptography were relaxed over a decade ago, the US government has fined a company for exporting crypto software without a license.

News article.

No one knows what this means.

Posted on November 14, 2014 at 9:18 AM • 45 Comments

Comments

aai • November 14, 2014 9:43 AM

It seems to be the new policy in the land of the free:
We protect ourselves and hack all the rest of the world. We're the best!

Wonder if they really believe it could be pulled off...

Thoth • November 14, 2014 9:58 AM

They will never go further than that as I believe the community would do its best to ensure certain levels of sanity. We as a community have won the 1st Crypto War and we can win again and again as long as we don't lose our cohesiveness, will and sanity.

More open research, open source hardware and software, easy-to-access research and resources (including communities) would make it exceptionally hard to stop the poisoning and tampering of high assurance security.

An overwhelming critical mass is required to turn the vicious tides against free and open high assurance security systems. That is exactly what we have been working on down here in Schneier's blog.

one who knows • November 14, 2014 10:11 AM

I work in a field where we export products to foreign countries including South Korea and India. We export products containing strong modern crypto software all the time, it's not illegal, you just have to get the proper license to export it. From the article:

".. sold encryption software products to foreign government customers and to organizations identified on the BIS Entity List without the required Department of Commerce licenses."

The issue isn't that they exported encryption, the problem was that they did it without 1st getting the correct licenses. It's not hard to get the correct license, it just requires following the government export rules for selling anything to a foreign country. Pretty much any technology requires getting an export license before selling to a foreign entity.

When applying for the license you must provide detailed info on the type of technology and crypto involved and 99.9% of the time you will get a license to export without issue as long as it's not going to North Korea.

I don't see a story here, just a company that screwed up and did not get a license 1st.

That said, the recent FBI fear mongering on encrypting phone contents does have me concerned.

k • November 14, 2014 10:12 AM

It seemed ominous to see OpenSUSE, now swallowed by Novell, put an export-control warning in its licensing agreement. Evidently Novell is another of the router suppliers dragooned to work for NSA.

Thoth • November 14, 2014 10:36 AM

@k
You don't want the powers that be to crash your good security business so you apply them out of fear. Whereas the open community is pretty much formless with very little centralization, making such research and technologies more readily available.

I am not surprised the techniques applied by the open community are much more advanced than the corporations' (considering they are still stuck on 3DES/TDEA/TDES) and I don't see much momentum or will from them to move beyond their tiny myopic world. Stability of technology is a large concern but heck, they have the resources to devote manpower to do tests on advanced crypto and security techniques before deploying them, but they prefer to just leave ITSec as a two man team or three man team including the manager or director and put more focus on fat profits.

The reason is the Return on Investment (ROI) of security and advanced crypto techniques takes a while to manifest and to have tangible value, but their never ending thirst for cold hard tangible cash makes them ignore security (unless mandated) and make do with pure defaults.

The security advisory people in the Governments don't want their citizens to be empowered (Crypto Wars) and so they simply ignore civilian security and are fed wrong information and misguided on the nature of civilian security.

We have so many security products that don't even make it to a decent assurance level and are so badly designed that walking through the front gates without even needing the backdoor keys is rather plausible.

Some little comparison of the NIST/NSA Suite B algo with community ones on the left and Government ones on the right:

Password Stretching: Scrypt/Bcrypt vs. PBKDF2
Ciphering: AES, Blowfish, Twofish, Serpent, TDEA/TDES ... vs. AES, TDEA/TDES
ECC: Safecurves vs. Brainpool, Certicom
Non-ECC Asymmetric: RSA, DSA vs. RSA, DSA too ?
Hashing: SHA3 hashes, Whirlpool, RIPEMD, MD5 vs. SHA1, SHA2, MD5

I may be wrong but the community does have a ton of useful algorithms with us that those NIST/NSA Suite B can be jealous of.

Doctor Who? • November 14, 2014 10:58 AM

It seems we won a cryptobattle but not the cryptowar.

I do not see it as a serious threat, at least to non-U.S. corporations, as we have the highest quality security related projects --like OpenBSD-- based outside the United States. In fact, I will never trust a U.S. based corporation for serious security business. I will not trust closed source products either.

Nick P • November 14, 2014 11:04 AM

@ Bruce Schneier

"Return" of Crypto Export Controls? They've been there since we lost the Crypto Wars...

None of you should be surprised after this document was published. It shows the relaxation of export controls on strong, general-purpose cryptography never happened. Instead, they allowed strong cryptography with escrow built-in and kept that a secret. Apparently, most companies knew about it but were happy to screw their foreign users for the profit. Such behavior only expanded post-9/11 when the NSA's operational powers were expanded.

If anyone is asking questions, it should be about the details of the Dept of Commerce policy the CIA document refers to. What's the specific policy? How is it implemented? And are we to assume everyone exporting strong crypto is involved? Did it not get implemented as much as they envisioned in the document? That the document was Top Secret and about what many *companies* were doing is worth a discussion in and of itself.

So, I encourage you to send that document to people like Susan Landau, Greenwald, etc who are writing about these kinds of things. Anyone you know. We need to get past this idea that we won the crypto wars and they're repeating. We never won: they did. Further, it was an epic win for them in that our suppliers worked with them to promote the illusion our crypto was strong and private while they slipped NSA keys on the side. That nobody leaked it or reverse engineered the evidence out in 10+ years is icing on the cake for them. That they admit it in a declassified document and most INFOSEC writers *still don't get it* is probably making them breathe a sigh of relief.

Gotta realize the current situation before you can fix it. The crypto or strong INFOSEC export process is probably rigged in private. In public, they admit it needs a license under their (NSA dictated) terms. Crypto Wars must resume and our side can't let itself be bluffed into defeat a second time.

tz • November 14, 2014 11:38 AM

They probably refused to install the backdoor.

This was not some superchip, some obscure new way of doing crypto, it was software. Probably the same kinds of things in OpenSSL/SSH (remembering when it was SSLeay and hosted in Australia).

Windows and OSX should have at least the same and go to those countries.

This is like YouTube pulling down videos of people singing long public domain songs.

oschurr1@gogglemail.com • November 14, 2014 11:41 AM

Hi Bruce

At this point in time, is there anybody that seriously gives a damn about the laws at all?
Let them export the encryption all over the globe, the better to thwart the attempts at espionage of citizens by the jack-booted thugs of the government.

Jason Sewell • November 14, 2014 11:58 AM

In all likelihood, Wind River Systems declined to implement a back door into their crypto. This fine was punitive but not in the obvious way. There is a history here. Google "Joseph P. Nacchio" and "NSA".

Spellucci • November 14, 2014 11:59 AM

@Nick P and @tz,

Does this mean that the best way to tell real security systems from back-doored ones is that only the real security systems get their vendors fined by the feds when the vendors try to export them? </snark>

subatomic_particle • November 14, 2014 12:09 PM

Having worked with the BIS on exporting encryption, I can tell you from experience that if it is any known cryptographic process, including PKI, you are free to export except to blacklisted countries. Just submit the form that describes the crypto process used and they return approval very quickly.

Judging by the countries mentioned, my first guess is whatever is in use is novel. This sets off a longer review process. Again, exporting known crypto standards is quite easy. Just fill out the form listing the standards used.

But, maybe something has changed at the BIS?

Nick P • November 14, 2014 12:56 PM

@ Spellucci

Lol. Might work. One of my old heuristics on secure systems was "If NSA allows them on the open market, they can hack them. If they can't, they get backdoored or become one of the defense-only products." So, with that heuristic, I determined almost everything available to the public was insecure or backdoored. ;)

@ subatomic

Is BIS in the United States? Not familiar with that acronym. If so, then it contradicts what I pointed out in the above post. That means one of two things: (a) they didn't require backdoors or key escrow for approval; (b) a different organization handled that & you weren't cleared for it. The CIA document on such policies was classified Top Secret. Leaked post-9/11 "SIGINT enabling" projects were Top Secret/SCI codeword & SAP protected. So, it could go either way and I'm assuming Option B because Snowden files confirm they're doing it across the board. (Not just exports.)

Anura • November 14, 2014 1:12 PM

@Nick P

BIS is Bureau of Industry and Security. They are the agency that manages export controls and issued the fine (see first link in the article).

oblivious pangolin • November 14, 2014 1:23 PM

@NickP
> None of you should be surprised after this document was published

Since the author can't spell Zimmermann nor state what PGP stands for, do you trust his other facts?

k • November 14, 2014 4:12 PM

Nick P., that's a great specimen of the black-world mindset, thanx a million. Schwartzbeck is a prime example of the hermetic lunacy of the beltway bandits. He wants to pass a resolution (or referendum; he's shaky on the nomenclature) from the same UN Agencies that have established, as a requisite of responsible sovereignty among UN member nations, this:

Article 15

"1. The States Parties to the present Covenant recognize the right of everyone:

(a) To take part in cultural life;

(b) To enjoy the benefits of scientific progress and its applications;

(c) To benefit from the protection of the moral and material interests resulting from any scientific, literary or artistic production of which he is the author."

"2. The steps to be taken by the States Parties to the present Covenant to achieve the full realization of this right shall include those necessary for the conservation, the development and the diffusion of science and culture.

"3. The States Parties to the present Covenant undertake to respect the freedom indispensable for scientific research and creative activity.

"4. The States Parties to the present Covenant recognize the benefits to be derived from the encouragement and development of international contacts and co-operation in the scientific and cultural fields."

This is from an instrument that the US has not ratified, so it's understandable if he never heard of it. But it would have been impossible to ignore in the international space. At that time his fanciful notion would have got shot down by people at State (back then they still had FS people who knew shit from shinola.) The spooks' probable response would then be to intimidate every company they could into collusion, and attack independent efforts. That was working well until about '04, when Europe mutinied against the war on terra (see wikileaks cable 04BRUSSELS4274 which is suggestive but only (C). The poor bastard who took the brunt of that for Powell I know from way back, they really tore him a new one.) Then communities and states mobilized to expose and repair US state sabotage. Without that groundwork, Snowden would never have gotten out alive, and with his contribution, the spooks are on the back foot. That's why all these clumsy attempts at repression.

MrC • November 14, 2014 4:41 PM

Having subjected myself to reading the BIS regulations, I'm left with the definite impression that they've accepted the utter futility of their appointed task and have refocused their efforts on collecting filing fees as efficiently as possible. The exceptions to the licensing requirements cover more ground than the rule. And we're talking exceptions like: "Go ahead and post any crypto source code you like on the internet, just e-mail a link to us and the NSA" (EAR 740.13(e)), "Exporting crypto is OK without any license or even any notice to us at all so long as the foreign nationals who receive it are interns at a foreign subsidiary of your US corporation (but not to Cuba, Iran, North Korea, Sudan, or Syria)" (EAR 740.17(a)(2)), "For most crypto stuff, just file the registration forms online and you can start exporting as soon as the automated system kicks back a receipt number (but not to Cuba, Iran, North Korea, Sudan, or Syria)" (EAR 740.17(b)(1)). This does not sound to me like an agency hellbent on making sure that no crypto leaves the country until it's been backdoored. This feels more like an agency that seized an opportunity to grab $750k and make themselves look important.

I don't doubt that the NSA is "persuading" companies to backdoor their crypto, but it doesn't seem like BIS is very interested in helping with that.

Hillary • November 14, 2014 5:16 PM

This looks like a fairly straightforward settlement on export violations. BIS's quarterly Don't Let This Happen To You has plenty of examples of other violations, and there will probably be more info about this case in the next issue. If someone is on a control list, more likely than not it would be illegal to sell them anything.

I heard our local Office of Export Enforcement agent speak at a class a couple weeks ago. He said they'll always negotiate on penalties, but they won't ever agree to confidentiality. There's always a press release.

Nick P • November 14, 2014 9:18 PM

Addendum: Legal analysis to support or reject claims in my essay

The Executive Order

Executive Order 13026 is what creates the escrow requirement mentioned in the document. Here's a link to it:

http://www.gpo.gov/fdsys/pkg/FR-1996-11-19/pdf/96-29692.pdf

(Note: The author made a typo in the original document that said it was EO 13206, a later EO by Bush on... export controls. Interesting coincidence.)

The first thing that I see that's interesting in Clinton's directive is this quote from section 1:

"have determined that the export of encryption products described in this section could harm national security and foreign policy interests even where comparable products are or appear to be available from sources outside the United States, and that facts and questions concerning the foreign availability of such encryption products cannot be made subject to public disclosure or judicial review without revealing or implicating classified information that could harm United States national security and foreign policy interests."

That's kind of a whopper in quite a few ways and leaves me with more questions than answers. The first one being which encryption or security products counted as munitions.

The Munitions List

http://fas.org/spp/starwars/offdocs/itar/p121.htm#C-XIII

Section B is quite broad. Plus, it gives me what I needed in a previous discussion with Skeptical on government sabotaging high assurance:

"Software designed or modified to protect against malicious computer damage, (e.g., viruses). "

"Systems, equipment, assemblies, modules, integrated circuits, components or software providing certified or certifiable multi-level security or user isolation exceeding class B2 of the Trusted Computer System Evaluation Criteria (TCSEC) and software to certify such systems, equipment or software. "

So, secure computers or proven anti-malware capabilities were considered munitions like the VAX Security Kernel paper claimed. I never knew for sure because I didn't export. Now I know it was worse than I thought. The page also immediately answers my next question: did the policy change only apply to encryption products or INFOSEC in general? Answer:

"A procedure has been established to facilitate the expeditious transfer to the Commodity Control List of mass market software products with encryption that meet specified criteria regarding encryption for the privacy of data and the associated key management."

So it only applies to mass market products using encryption meeting specific criteria. More on that later. Back to the EO.

The EO states the following parties can review a license application: Depts of State, Defense, Energy, and Justice; Arms Control and Disarmament Agency. Section 1 (e) has the escrow requirement worded as "the development of a key recovery management infrastructure." (f) says they can add more conditions on top of that. Takes effect the first time something hits the Commerce Control List. So, the EO modifies existing law to allow export of encryption products if those exporting them build key recovery systems. The implication is that a backdoor of sorts is required.

It seems even writers back then knew about the escrow requirement. Example. Microsoft's NSAKEY scandal also ended with them saying it was a key recovery system related to export approval. Whether they're lying about escrow or NSA cooperation is up for others to decide, but if they were cooperating it's exactly what it would look like.

Export legislation on INFOSEC products

This article has plenty of other links and data for us to go through on the subject. I first went to this document: Commerce Control List Category 5 Part 2 Information Security. As Wikipedia states, the stuff they relaxed is code "5A992." It has quite a narrow definition and applies to a small number of categories. Everything else, including 5A992 stuff that's not mass market, remains in the "002" categories (esp 5A002). I confirmed they're still effectively munitions under export laws by consulting this document they reference: License Exception.

Interestingly, the 5A992 list that's considered the relaxed standard is only for mass market products that are sold in common mediums (eg retail store, mail order, website) with prices listed beforehand and with no assistance needed for setup. That would've disqualified Orange Book era systems with higher assurance due to the system generation and trusted distribution requirements. (Of course, it specifically mentions EAL6+ certified products as classified under 5A002...) The other stuff that's allowed strong security includes copy protection, medical devices, banking, etc where the crypto serves a fixed function and *the user can't change the product to leverage it for other reasons.* Interestingly, the exception for cell phones specifically forbids the crypto from being end-to-end: it can only be from phone to the service provider.

Almost everything that can stop a nation state, even a good black hat, is classified under the 5A002 category. This even includes processes, tools, etc to develop secure products. Conceivably, they could go after vendors of testing or static analysis tools if they chose. The 5A992 category is just blocked to terrorist supporting countries (AT). The 5A002 gets the National Security (NS) and/or EI (NS-equivalent) designation that further restricts sales without a license. There's an NS in at least one column on every country on the list except for Canada. Strange, as you'd think Five Eyes would all get instant approval rather than just Canada. There's a chart for how they handle 5A002 license requests. The crypto faq indicates the distinction still applies in licensing as of 2010.

So, under current export laws, high security systems and strong encryption (esp custom) are still munitions that require a license from the government for export. This has an unknown level of difficulty unless the recipient is Canadian. However, this confirms the declassified CIA document's claims that the positive changes were for a very narrow range of products and suppliers. Most of that seems to be the stuff that the opposing team in Crypto Wars produced and sold. The policy change might have been a clever compromise to end opposition by powerful private parties and reduce it from researchers mainly interested in publishing work (not products). Everyone else, esp wanting to buy high assurance, would still have the same situation.

What I did not see in the regulations was key escrow. That was in the Executive Order, government statements at the time, third party writers following EO's and discussions at that time, and apparently Top Secret CIA reports following NSA/FBI's actions. It's also going on somehow in NSA SIGINT-enabling black programs which might or might not involve export pressure. So, my escrow requirement claim is an unknown until more people with experience in 5A002 exports weigh in. And that's assuming they can legally tell us.

We can say, though, that the end of the crypto wars wasn't necessarily the full victory we're told about. Instead, people selling insecure, mass market products were given permission to increase risk across the board while those exporting high security technology were still regulated. Some "victory"...

(At least the source of crypto can be downloaded anonymously from web sites. That was a win.)

Note: Someone in a foreign, but allied, country could ask Green Hills if they will export INTEGRITY-178B (with NDA'd source code) to them. They're EAL6+ and a defense contractor. Might give a hint. Could just ask their lawyers, too.

Nick P • November 14, 2014 9:42 PM

@ Anura

Thanks. Btw, you might want to read the Category 5 Pt 2 INFOSEC PDF and just skim through noting what constitutes 002 category vs 992. The 002's are restricted more like the old days, with 992's being the permissive policy. Want to see if you think like I do that it looks more like a ploy than any real approval of strong security.

@ oblivious pangolin

"Since the author can't spell Zimmermann nor state what PGP stands for do you trust his other facts?"

A spelling error is irrelevant to the quality of his information. His description of PGP's function and effect in the crypto wars was accurate. What bothered you?

@ onewhoknows, subatomic, MrC

Were your products classified under 5A002 or 5A992? As in, was the encryption just a component in a mass market product using a standard crypto library? Was it custom stuff? High assurance? Even better, did they tell you the actual category number the encryption fell in? It's important for figuring the situation out.

@ All

re Wind River case

It's most likely that they just didn't get a license as Hillary said. However, per my legal analysis, Wind River's stuff would fall under 5A002. That puts extra restrictions on who they can sell to, licensing, and so on. My model says they'd risk getting slammed for selling to a country like Russia or South Africa without permission. That's what we're seeing. So, it might be a combination of no license and what they're selling. I look forward to seeing how exports go on their VxWorks MILS platform once it's certified (and the 5A002 immediately applies).

Hillary • November 14, 2014 9:52 PM

Nick, you might be interested to know that the rules are changing very fast right now. There's an effort underway by the administration to simplify export rules, including software and encryption. The timeframe of this settlement was under the old rules. This isn't my area of expertise (I do import/export compliance but not for technology), but the Commerce Control List and Export Administration Regulations are both being updated now.

Nick P • November 14, 2014 9:55 PM

@ k

That's a good catch. Yes, there's a contradiction but it's more a paradox. The key to understanding the paradox is that some treaties or laws are more lawful than others. The rules against spying or for limiting cryptography appeal to these many corrupt governments interested in their own power. Additionally, to not so corrupt governments that still want to maintain their power against enemies. That's why there was a lot of international support for the escrow proposal, even by countries your cable references. In their minds, it's the ultimate win-win proposal for public sector needing information and private parties needing secrecy.

Then there's reality...

Nick P • November 14, 2014 10:33 PM

@ Hillary

That doesn't tell us if the simplification will make things better or worse for us. That does tell us to keep an eye on it. So, thanks for the tip!

Jonathan Wilson • November 15, 2014 1:20 AM

I was reading my copy of Cryptography Engineering earlier today and there is a footnote on page 80 that says "Whatever you may think about the NSA, so far the cryptography it has published has been quite decent". I think all the revelations to come out of Snowden et al make it clear that said footnote is wrong (and was wrong even in 2010 when the book was published, although the authors of the book wouldn't have known it).

01 • November 15, 2014 1:59 AM

Okay, "That guy" mode on :)

@Nick P

I don't think that considering this indication of "refusal to backdoor" is a good idea.

I very well doubt that NSA and their ilk could keep this under wraps given how they utterly failed to keep the (much more subtle) PRISM affair under wraps.
Do you suggest that out of hundreds of companies involved in crypto exportation to "questionable countries" not a single one would have whistleblowers (or simply disgruntled workers) onboard?

It's quite more likely that this particular company has run afoul of some bureaucratic quirk in the system, or is perhaps even disliked by someone "upstairs" for entirely personal reasons (not as unlikely as Americans like to imagine).

Nile • November 15, 2014 5:29 AM

So what is the logical endpoint of this policy?

If US companies can't export software and devices with embedded cryptographic capabilities, what will US companies and consumers be permitted to import?

Tech companies spend a lot of money on lobbyists; if they can't unblock the policies of the National Security bloc, what will they buy instead?

Import tariffs?

A block on the import of arbitrarily-defined 'insecure' technology?

*That* idea offers the possibility of an unholy alliance of monopolists and protectionists among the manufacturers, and neo-Stasi national-security bureaucrats whose definition of 'secure' is 'we own the only backdoor'.

Protectionism is always out there, waiting to reemerge under new excuses. Sometimes, compelling ones: "We're banning the import of US consumer technology to protect our citizens from the proven danger of embedded security vulnerabilities intended for surveillance", and "We're imposing tariffs because they won't allow us to sell our software and smartphones to their consumers".

Taken to absurd extremes, the endpoint is a 'hermit kingdom' with no imported technology and televisions 'tuned' by hardcoding to one state-approved station, all enforced by oppressive licensing conditions and pervasive surveillance.

And, somewhere sensibly foreseeable without the extremes and the hyperbole, I can see severe economic damage and arbitrarily enforced laws exposing us to undisclosed incursions of the security state.

Incursions like (hypothetically): "You didn't put in the backdoor we asked you to in our polite suggestion in July. Have a crypto-export violation lawsuit, a six-figure fine, and a ban on exporting your product".

Thoth • November 15, 2014 7:10 AM

@Nile
The USA can simply throw out their high assurance security export products while the rest of the world has a chance to fill up the gaps (especially the EU), although some agencies in the EU are the best buddies of the US IC, helping them to poison the EU.

Sean • November 15, 2014 8:57 AM

First, Bruce Schneier, I love your blog, I have been reading for years.

Next, I believe we will see more cases like these. Fines generate revenue, and the added "bonus" is control of encryption technologies. Also, I wonder if Truecrypt was taken down with the same set of export laws and regulations.

Sean • November 15, 2014 8:59 AM

First, Bruce, I love your blog and have been reading for years.

Next, I believe we will see more cases like these. Fines generate revenue, and the added "bonus" is control of encryption technologies. Also, I wonder if Truecrypt was taken down with the same set of export laws and regulations.

k • November 15, 2014 9:25 AM

Since Cheney set the constitution aside for COG and his secret-police dreams came true, the intelligence agencies have stepped on their crank with crampons. CIA is implicated in crimes against humanity, while NSA has crippled the export capacity of the defense industrial base - not just munitions or dual-use goods but all high-value-added exports. Accordingly, much of the turmoil we see is kind of like a sack of cats heading for the river. Heads will roll at CIA, but nomenklatura with impunity see a chance to absorb the disgraced NSA wrecking crew. Booz Allen (and therefore Carlyle) is siding with CIA, and that might well be decisive.

Nick P • November 15, 2014 12:24 PM

@ 01

That's what people said before the Snowden leaks. Then, the documents slowly revealed relationships with all kinds of companies. One also indicates that the FBI "compels" U.S. companies to participate in "SIGINT enabling." It doesn't say how they do that. Others they just pay off. Many have lucrative defense contracts that could get canceled if they act unfavorably. That the programs are classified means you might get 15 years minimum for espionage if you talk. All these companies and individuals have been doing this for years with only a few whistleblowers, only one with damning information. That's reality.

We should remember this when looking into the next situation and not be so quick to say "but all kinds of people would talk." In practice, they often don't.

Nick P • November 15, 2014 12:27 PM

@ Sean

It's unlikely that Truecrypt was done in that way: they offered source code & executable for download online in anonymous fashion. There was actually a license exception in the export laws for that sort of thing. It even allowed royalties to be collected. Not sure if you have to apply for it or the rules just don't apply in that case. I haven't seen them go after any FOSS software publishers over export law.

Jim • November 15, 2014 1:53 PM

"No one knows what this means."

Well, it seems to me that one is pretty obvious. It means the backdoors are being discovered and removed from security products. When the backdoors were in place, the US Government (read NSA) didn't care, in fact welcomed those products getting sold overseas. Now that the products no longer offer NSA exclusive access to secured data, they need to clamp down again.

Dog-oc-nav-ow-hod • November 15, 2014 1:54 PM

The simple reason for fines is that they did not "co-operate" with the state in tweaking the application; making backdoors for the government.

Herman • November 15, 2014 2:27 PM

They are lucky that they only got a fine. They could have gotten jail time too. Exporting high tech stuff without a license can be arms smuggling.

Herman • November 15, 2014 2:30 PM

@ Sean: Arms export law applies to everyone. This is one of the reasons why OpenBSD is located in Canada.

BuckNovember 15, 2014 2:49 PM

@Herman

Like every good rule, there are bound to be exceptions! You might have been a little bit more accurate had you said, for example, "Arms export law applies to everyone but the ATF"

HillaryNovember 16, 2014 9:39 PM

To Herman's point, this fine is relatively small because Intel self reported. I'd bet that Wind River didn't have proper export control policies in place and Intel didn't move quickly on putting them in. Once that area started integrating, someone who knew the law found the issue, reported it to Intel's legal, and they negotiated a voluntary disclosure.

Clive RobinsonNovember 17, 2014 12:55 AM

@ Thoth,

With regards financial institutions and your observation of,

The reason is the Return on Investment (ROI) of security and advanced crypto techniques takes a while to manifest and to have tangible value, but their never ending thirst for cold hard tangible cash makes them ignore security (unless mandated) and make do with pure defaults.

A little story from back in the 90s illustrates the issue.

A financial organisation that --has subsequently been taken over-- was quite popular with consumers and had many branch offices in the UK with their own ATM network. For various reasons the encryption key used in the machines got fairly frequently erased. Thus there was a procedure in place involving both the branch office manager and the assistant manager, which split the eight character key into two parts, the first four known to the manager "only" and the second four to the assistant "only". There were a couple of issues, the first that apparently management types had a poor memory --or so the senior central managers thought-- so very simple easy to remember key halves were used --1234 and ABCD--, which were the same for all branch offices for a considerable period of time, as the repair techs could testify having had to "help" various managers key them in...

What the clever senior managers had not thought about was that assistant managers got promoted to managers at another branch where they would get told the first half of the key, so within a couple of years even the dimmest of branch managers came to know the full key...
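The split-knowledge failure in the story above, as an added illustration that is not code from this thread or from any bank's actual procedure: two custodians each hold a component of an ATM key, and the example contrasts the anti-pattern (the same two halves reused at every branch, so a promoted assistant manager ends up with both) against per-branch random XOR components with a key check value. Branch names, the 16-byte key length and the function names are assumptions made for the example.

```python
"""Split-knowledge key custody: per-branch random XOR components vs. static halves.

Added illustration for the ATM story; not the thread's or any bank's code.
Branch names, the 16-byte key length and all function names are assumptions.
"""
import os
import hashlib


KEY_LEN = 16  # bytes; assumed 128-bit symmetric key per branch


def split_key(key: bytes) -> tuple:
    """Split `key` into two XOR components, one per custodian.

    Because comp_a is uniformly random, either component on its own reveals
    nothing about the key. Contrast the story's scheme, where one custodian's
    four characters are literally half of the secret.
    """
    comp_a = os.urandom(len(key))
    comp_b = bytes(k ^ a for k, a in zip(key, comp_a))
    return comp_a, comp_b


def combine(comp_a: bytes, comp_b: bytes) -> bytes:
    """Reassemble the key at the terminal from both components."""
    return bytes(a ^ b for a, b in zip(comp_a, comp_b))


def key_check_value(key: bytes) -> str:
    """Short check value so staff can confirm a correct entry without the
    key itself appearing on a screen or in a log."""
    return hashlib.sha256(key).hexdigest()[:8]


def provision_branches(names, static_components=False):
    """Build a registry {branch: (comp_a, comp_b, kcv)}.

    static_components=True reproduces the anti-pattern from the story: every
    branch gets the same two components (stand-ins for "1234" / "ABCD").
    static_components=False gives each branch its own random key and split.
    """
    registry = {}
    if static_components:
        shared_a, shared_b = split_key(os.urandom(KEY_LEN))
    for name in names:
        if static_components:
            comp_a, comp_b = shared_a, shared_b
        else:
            comp_a, comp_b = split_key(os.urandom(KEY_LEN))
        registry[name] = (comp_a, comp_b, key_check_value(combine(comp_a, comp_b)))
    return registry


def branches_exposed_by_promotion(registry, old_branch, new_branch):
    """Count branches whose full key one employee can reconstruct after holding
    component B (as assistant manager) at `old_branch` and then component A
    (as manager) at `new_branch`. Each reconstruction is checked against the
    branch's KCV, so only genuinely correct keys are counted."""
    known_a = registry[new_branch][0]
    known_b = registry[old_branch][1]
    candidate_kcv = key_check_value(combine(known_a, known_b))
    return sum(1 for (_, _, kcv) in registry.values() if kcv == candidate_kcv)


if __name__ == "__main__":
    branches = ["Leeds", "York", "Hull", "Bath"]  # constructed branch names
    static = provision_branches(branches, static_components=True)
    rotated = provision_branches(branches, static_components=False)
    print("static halves, promoted York -> Leeds, branches exposed:",
          branches_exposed_by_promotion(static, "York", "Leeds"))
    print("per-branch components, same promotion, branches exposed:",
          branches_exposed_by_promotion(rotated, "York", "Leeds"))
```

With static components the promoted manager's two components combine to the key of every branch in the registry; with per-branch random components the two pieces they hold belong to different keys, so combining them yields nothing that passes any branch's check value. The KCV is what lets the terminal (or the repair tech) confirm a correct entry without anyone reading the key aloud.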

bitstrongNovember 17, 2014 6:01 AM

Notice that the USPTO blocks patent applications from being viewed according to export controls.

JustinNovember 20, 2014 2:31 AM

Apparently, enforcement of federal laws is discretionary. These crypto export laws were on the books all this while even though they weren't being enforced. They could have been enforced at any time, and just recently they were.

It's like they legalized pot here in Washington State. Even the Seattle city attorney openly buys pot. He knows good and well he's breaking federal law, but the federal government is simply choosing for the most part not to enforce federal laws against pot here. But anytime they want to, the feds can enforce federal law. And they do, very selectively. Some people are going to federal prison for pot here in Washington, but the vast majority of pot growers, users, and dealers are not.

According to the Constitution, "[the President] shall take Care that the Laws be faithfully executed ..." So apparently the President has a duty to enforce whatever laws are on the books. It just seems odd to me that we have so many federal laws on the books that don't get enforced. Didn't George Washington think it was his duty to enforce the laws?

If the laws are unreasonable, the solution is to have Congress change them, not to choose not to enforce them. It leaves the rest of us in an odd position if we want to obey some federal law, but, say, we are placed at a competitive disadvantage for doing so, which might well be the case with these crypto laws.



Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.