Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!think.com!zaphod.mps.ohio-state.edu!cis.ohio-state.edu!pacific.mps.ohio-state.edu!linac!att!cbnewsm!cbnewsk!cbnewsj!davet
From: davet@cbnewsj.att.com (Dave Tutelman)
Newsgroups: comp.binaries.ibm.pc.d
Subject: Re: Trojan version of VIRUSCAN version 78
Message-ID: <1991May30.122409.15797@cbnewsj.att.com>
Date: 30 May 91 12:24:09 GMT
References: <1991May16.175841.761@csc.canterbury.ac.nz> <1991May25.044559.26080@syacus.acus.oz.au> <1991May28.175016.21398@sun1.ruf.uni-freiburg.de>
Organization: AT&T Bell Labs - Lincroft, NJ
Lines: 52

>ash@syacus.acus.oz.au (Ash Nallawalla) writes:
>>Is it illegal for you to possess PKZIP110 (I think, without the EU), or is
>>it just illegal for someone in USA to export it?

In article <1991May28.175016.21398@sun1.ruf.uni-freiburg.de> hartnegg@sun1.ruf.uni-freiburg.de (Klaus Hartnegg) writes:
>It can't be illegal because it's a US law that wants to prohibit
>such software to spread. What I am doing here in Germany can hardly
>be restricted by US laws!

Klaus is absolutely correct. A few more points to explain (certainly
not excuse) what's happening here:

1. FACT: The US government requires permission to export weapons.
   Any cryptographic or cryptanalytic equipment (including computer
   programs) are weapons under the law. Most program makers won't
   go through the red tape to get a weapons export license; if it's
   a well-known crypto algorithm they probably could, but it's trouble
   and expense. I _suspect_ that someone once got in trouble for this,
   which makes everyone doubly cautious. And after all, if the crypto
   stuff is a sideshow, not the major use of the program (e.g.- PKZIP),
   it's much easier to just put out an export version without the
   crypto features.

2. FACT: The US has gotten significant advantage in wartime when it
   had crypto superiority, especially when it maintained secrecy about
   that superiority. (World War II, Pacific theatre comes to mind
   immediately. Read about the battle of Midway and others.)

3. FACT: The US government has harassed researchers in cryptography
   and cryptanalysis who either (a) did research independently of the
   government, or (b) tried to publish results. (Diffie and Hellman
   come to mind immediately.)

4. UNSUBSTANTIATED RUMOR: I've heard numerous times, from unreliable
   sources, that the Data Encryption Standard (DES) that's now a US
   standard has been analyzed and broken by the National Security
   Agency (NSA). This same rumor has it that the NSA blocked adoption
   of the standard until it had cracked the code, then encouraged its
   adoption. (It is currently a standard for all but military
   communication; that exception tends to support the rumor. NSA is
   saying, "We can spy on you, but we won't allow national security
   use of the code because you may have broken it, too.")

Personally, I feel that the law is stupid. Programs that implement
well-known crypto algorithms shouldn't be classified as weapons.
Except for this, however, point #2 above gives the government some
reasonable argument for behavior like #1, #3, and perhaps #4. I'm not
saying it's right (personally, I think it's wrong), but it's not
outright stupid.

Hope this clarifies a little.

Dave