Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/18/84; site utcsri.UUCP
Path: utzoo!utcsri!outer
From: outer@utcsri.UUCP (Richard Outerbridge)
Newsgroups: sci.crypt
Subject: Re: Chris Lewis on obeying governments
Message-ID: <3605@utcsri.UUCP>
Date: Fri, 7-Nov-86 05:20:01 EST
Article-I.D.: utcsri.3605
Posted: Fri Nov 7 05:20:01 1986
Date-Received: Fri, 7-Nov-86 17:21:42 EST
References: <1176@hoptoad.uucp> <1889@well.UUCP> <7201@utzoo.UUCP> <180@spectrix.UUCP> <1251@hoptoad.uucp> <187@spectrix.UUCP>
Organization: CSRI, University of Toronto
Lines: 136

[....]
>
> > Arguing for the supremacy of the
> > government and the hopelessness of fighting the police state (McCarthy).
> > The general tone of "Give up! It's hopeless" is unhealthy for freedom.
>
> You'd never get me arguing for the supremacy of any government (including
> ours and especially yours). Nor for the naive assumption that resistance
> is simply a matter of legal bills.
> [....]

As has become clear, this discussion is getting needlessly silly. So relax. There are a number of issues: Canadian sovereignty; export controls; and the tension between public and private sector cryptology, or lack thereof.

I have a software DEA. The posting that started all this, by hoptoad!gnu, is an early version of the one I have. The BBS he got it from got it from me. The silly thing is that mine was posted to net.sources on October 19th, 1984. As far as I could tell it made it out of Canada. Besides, it's been sitting in the data-libraries of a number of the SIGs on CompuServe since March of 1984, so anyone with a CIS account can download it anytime, anywhere.

Besides the DEA, I have LUCIFER and a package of routines based around a DEA variant that are designed to supplant or fill in for crypt(1) and crypt(3). If you'd like any of these just let me know. I'll send them anywhere within North America.
Outside of that all I can promise is listings of the software >after< export approval has been obtained. If you'd prefer to keep the net out of this arguably anti-social activity, we can arrange a dial-up to the machine I'm using at home. All these >algorithms< are in the public domain.

Canada is a tributary state of the American empire, and Canadians really just can't pretend that we're not. Canada survives at American sufferance and because of American protection. It's not a bad deal: the U.S. of A. is the greatest nation in the world, and as a Canadian I have most of the advantages of being American without actually having to be American. Besides, they're friends. Sometimes difficult friends, but always good friends.

When I first discovered the close parallels between Canadian export law and American law I was outraged. But by and large it isn't all that surprising that technology within the western alliance is subject to embargo. Uranium refining equipment, for instance; or lathes capable of turning out gun barrels.

The embargo of ideas >is< repulsive. But that's not what we're talking about. The prohibition against "technical data in any material form" being exported is not surprising - but at first it seems a little questionable. When does the expression of an idea become technical data? Perhaps when it becomes capable of performing work, as in a computer program for instance. Say a program that controls a pilotless aircraft, or runs an automated factory, or performs a complex encryption algorithm.

So these days I try to stay within the rules. I may not think they're enforceable; I may not think they have a rational purpose; I may not think they have any justification whatsoever. But unless there's a very good reason for breaking them I'd rather obey them - at least to the letter, if there's no fathomable spirit. The rules are there because someone was afraid of what would happen without them.
While caution has never been the hallmark of my conduct, pointless risk taking is recklessness. It is often more frightening than reassuring.

As concerns cryptology, typically the rules are rationalised by appeal to the spectres of organised criminal elements and international terrorism. These are motherhood issues, of course, but from my limited perspective they're not very convincing. Terrorists will use whatever cryptology their sponsor teaches them - obviously a double-edged sword, and so likely to be doubly dull. Criminals will use whatever they can afford and always have. So there's more here than meets the eye if these are the best justifications.

Loss of third-world or client state ELINT? Maybe. Who knows? Most of the third world can't begin to use modern cryptology even if they recognised their need for it: computers are embargoed too, as is the technology for making them. Perhaps client state ELINT is closer to home. Would NSA object if Canadian communications became (if not already) opaque? What about NATO alliance communications? Israeli? Saudi?

Rather more directly I'm needlessly worried that the export rules are being used as excuses, or levers, to perpetuate or re-establish the state monopoly on cryptologic technology. The issue is not whether >they< should have the latest and greatest (presumably they do) but whether or not >we< should. The issue is whether the free citizens of the democratic American empire should have access to the state of an art which historically only sovereign states have had the need, resources and ability to employ. Note that there's no question of 'right' involved here: like so many computer-related social problems the power is not new, simply newly affordable.

"Needlessly" because there is no private market to spur competition. Someone mentioned that NSA candidly admits that unbreakable systems are verboten, and I think there's a fairly obvious inference that we can draw from that about the security of the DES.
But the experts were telling us that ten years ago! Who - among the private-sector consumers, principally the U.S. financial community - listened?

The government has successfully held onto its monopoly through a combination of a) telling us we have no need of the power; b) actively discouraging the development of private sector resources; and c) limiting private sector power through the promulgation of weak or "secret" standards and counter-intuitive laws on radio reception.

The sad thing is that by and large that's all "we" seem to want: a soggy security blanket. We all sort of know that security is a myth, like the value of a dollar bill: its value is what you believe it to be. Rather than get into expensive and confusing arguments about the gold standard - that is, taking matters seriously - we'd much rather the government told us we were secure. Remember, whatever role NSA played in promulgating DES it was subsequently sanctioned by the U.S. congress ("...no known mathematical or cryptologic weaknesses...": true enough, but known to whom?).

With the domestic market conveniently sewn into a pig's ear, whatever else export controls are designed to accomplish they effectively reduce the available market for private-sector cryptology to nil. This form of social contract, do-what-you're-told-and-we'll-all-be-secure, is the basis of the Russian state, and in this regard increasingly our own. Fundamentally, though, this can only happen with our assent.

Cryptology was recognised as >the< single most effective tool for computer security long before the DES came out. There wouldn't have been a standard except for this recognised need. This is not the place to argue the quality of DES: the strange key, the crazy fixed permutations, etc. Let's assume it's perfectly adequate - after all, "we" still don't know how to break it and it's already being replaced. Let's even accept that unbreakable ciphers are correctly the preserve of sovereign states.
So: perceived need, viable solution. Does it play in Peoria? Fat chance. People have gone bust trying to sell DES. The Apple LISA motherboard has an empty, unsocketed spot for a WD2001 chip. On an already overpriced machine the omission is understandable, but why is there no real estate on the IBM PC board? Why hasn't security been built into all hardware/software architecture since then? Well, obviously, because no one is silly enough to bother. The domestic market doesn't want to pay the price, and as an added disincentive there are no foreign markets.

Throughout this discussion people have been asking whether the government really thinks that export controls make a difference to the spread of technology. Based on the North American attitude towards computer security in general and employing cryptology in particular, the correct question is probably: Do you?

That's what I think at any rate.

Richard Outerbridge
--
Richard Outerbridge (416) 961-4757
Payload Deliveries: N 43 39'36", W 79 23'42", Elev. 106.47m.