From owner-freebsd-security Wed Jul 26 05:30:44 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id FAA17977 for security-outgoing; Wed, 26 Jul 1995 05:30:44 -0700
Received: from gndrsh.aac.dev.com (gndrsh.aac.dev.com [198.145.92.241]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id FAA17971 for ; Wed, 26 Jul 1995 05:30:41 -0700
Received: (from rgrimes@localhost) by gndrsh.aac.dev.com (8.6.11/8.6.9) id FAA25192; Wed, 26 Jul 1995 05:30:19 -0700
From: "Rodney W. Grimes"
Message-Id: <199507261230.FAA25192@gndrsh.aac.dev.com>
Subject: Re: secure/ changes...
To: tweten@frihet.com
Date: Wed, 26 Jul 1995 05:30:18 -0700 (PDT)
Cc: sef@kithrup.com, security@freebsd.org, mark@grondar.za, pst@stupi.se
In-Reply-To: <199507261149.EAA08682@tale.frihet.com> from "David E. Tweten" at Jul 26, 95 04:49:10 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 4224
Sender: security-owner@freebsd.org
Precedence: bulk

>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Referring to crypto imports, Rodney W. Grimes wrote:
> > Also you have to look at the applicable
> > laws from where the goods originate, even if US law does not restrict the
> > import of DES, the laws of many other countries forbid its export.
>
> Point well taken. In fact, several countries (notably France and Russia) make
> simple possession and use of crypto software illegal without a license, much
> less export (and good luck trying to get the license). South Africa and the
> Netherlands, on the other hand seem to have no restrictions on possession or
> export, which is why anonymous ftp sites for crypto tend to be in those two
> countries.

``Seem to have no restrictions'' and ``do not have restrictions'' are
quite different. One is an opinion or assessment of a situation, the other
is a definitive on a situation. I will not risk going to jail or even
court over such assessments.

> > Not someone who has done
> > DES exporting, I know that can be done, it just takes paper work (on a
> > per copy basis, I know all about it, been there done that, is what
> > _NO_ one has done is go try to find out exactly what paper work customs
> > want to allow the stuff across the border if you clearly point them
> > at the fact this stuff _is_ on the munitions list).
>
> If my memory serves, Prof. Matt Bishop, of U.C. Davis (a nationally
> recognized computer security type) did something like what you suggest. He
> tried to temporarily export an AT&T secure phone containing a Clipper chip.
> He found that Customs was supposed to be the agency with the appropriate
> paperwork, the local Customs office said the folks at the airport would have
> the necessary forms, and that the Customs folks at the airport weren't
> interested. He finally got the airport Customs head honcho to write him a
> note saying it was okay, and presented that note upon his return. His paper
> on the subject made amusing reading.

Proves only one thing, customs can get mighty sloppy at times, and if you
don't know how to do exports and imports by the book you will probably
defeat yourself in trying to test the hypothesis that importing munitions
is regulated.

Had he put his ``clipper phone'' in a box and attached a properly written
US Commercial Invoice for exportation, and done another one for importation
labeling the product as a ``munition'' it would have been looked at very
carefully. Since he himself did not even know what paper work you need,
nor did he seem to follow the typical government red tape to find out what
it was, this whole experiment was pretty much a waste of his time.

> > You might just be
> > in for a very big surprise, or I might be all wet. But I am not willing
> > to risk Grand Jury indictment on this hearsay information.
>
> I'll suggest that since your opinion on crypto import is a minority (of one)
> opinion on the net (at least as I observe the net), the burden of proof is
> yours. If you would like to sample the net conventional wisdom on the
> subject, just follow any crypto-related news group for a week or so.

I have no burden of proof, my opinion and interpretation of the law is
mine. I will say I stand 0 chance of being indicted for import law
violation, as I simply plan to play it safe. If you folks are willing
to play armchair lawyer and risk going to court of ``seems to'' and
``may not'' and ``possibles'' that is your decision.

Me, when it comes to playing games with the law, make damn sure that I
play it on the safe side of things. I would need 2 professional opinions
before I would import DES code, 1 from a lawyer specializing in
import/export law, preferably with some cited Federal rulings from cases,
and the 2nd from a US Customs officer specializing in munitions.

Those are 2 opinions I could go get if I so desired to import DES, however
I have no desire to waste my time or energy to do this as I already have
a legally obtained copy of DES.

Simply put, anything less than what I outline above is hearsay.

--
Rod Grimes                                      rgrimes@gndrsh.aac.dev.com
Accurate Automation Company                 Reliable computers for FreeBSD