Mr. Obama, Please Tear Down This Wall!
Paw Prints: Writings of the maddog
Only three days after posting my blog regarding the plight of Google's Chinese customers and how their data is now at the whims of a US-based company and its conflict with the Chinese government, I read about the issues of SourceForge.net and the U.S. State Department's Export lists and how the data stored in a US-based company, sometimes created by non-U.S. based citizens, is now being controlled by U.S. State Department rules.
In 1984 Digital Equipment Corporation was about to ship a commercial copy of Unix called "Ultrix". As we readied the product for shipment, Digital's export authority raised its hand and asked if there was any encryption code inside the product. Yes there was....both in the authentication process of logging into the system, and two little routines in libraries that allowed you to encrypt and decrypt files.
That was enough to block the shipment of the product. Never mind that there were thousands of copies of AT&T Unix, Berkeley Unix, Sun OS and other Unix products shipping all over the world that had the same code in them. Nor could we argue that not only the binaries of these other products were shipping, but also the source code. Nor was the argument valid that the encryption algorithm was weak and could be broken faster than the old Enigma codes....we had to stop shipment.
As one legal pundit wisecracked: "Engineers, do not look for logic here...it is the State Department."
Eventually we separated the libraries out into a separate software kit that could only be shipped to people and countries "not on the list", and we had to prove that the authentication code used for the login program was both relatively weak and "one-way" (i.e. you could encrypt the data, but could not decrypt the data, even if you had the same key).
As we investigated how to do this, more about the State Department's list of "no ship" for encryption codes came into view. Our lawyers explained to us that even if encryption code was written outside the United States, and we imported it and then exported it without change, we still could not export it to various countries...even the countries that wrote it.
My legal pundit then quoted the great cartoonist Walt Kelly, of "Pogo" fame: "We have met the enemy, and he is us."
In 1988 I had a friend of mine, a Canadian citizen extremely good at digital encryption, leave the United States to return to Canada just so he and his friends could start a business creating encryption products, which they could then sell to the United States and any number of other countries on the United States "do not ship" list.
We were creating a situation where the best cryptographers would, over time, situate themselves in places outside the United States.
It took until the Clinton era of 1993 for encryption controls to heat up again, and with them the absurdity of the USA teaching militants how to use and create encryption in training camps, while allowing textbooks and T-shirts to be branded as "munitions" and prosecuting loyal citizens.
In January of 1994 I was asked by my company, Digital Equipment Corporation, to travel to Hanoi, Vietnam and talk to the Vietnamese government about how to use our products. Despite the fact that I had spent five years of my college life trying to stay as far away from Hanoi as humanly possible for all sorts of reasons, I was told that then President Clinton (a Democrat) was going to drop the nineteen-year-old embargo against Vietnam on the advice of a former five-year Vietnam prisoner of war, Senator John McCain (Republican, Arizona) and that our company wanted to do business with the Vietnamese.
As a citizen of the United States, when I got to Hanoi I expected that I would be treated with animosity and suspicion. Instead I was treated with kindness and respect. There were questions about why a country of our might and abilities would intercede in what to them was first a war of independence and afterwards a civil war, but their main question at the time was why we still had this embargo against them, when they were easily able to get anything they needed from countries that the USA considered our allies. "The only country really suffering from your embargo", said my Vietnamese hosts, "is the United States."
Of course this was a bit of a misstatement, because as one of the bases of a capitalistic machine and a great consumer nation it is obvious that the influx of capital investment and buying power since the drop of the embargo has definitely helped Vietnam's economy. But it is also true that they could get anything they wanted even with the embargo in full swing.
In May of 1994 I met Linus Torvalds and became involved with Linux. Despite the fact that I had been benefitting from the equivalent of Free Software for many years, the deeper involvement in the community tuned me to the more assertoric values. I remember a discussion about how some developers did not want their software to be used to make atomic bombs, or used for military purposes. While some people walked away from Free Software because of these issues, others wisely pointed out that the software itself should not be limited, because you cannot say what aspect of what piece of software is "only good" and "only bad". A hammer can be used to build a house, or kill a person. Do you stop making hammers?
Strong encryption can be used to code secrets by the enemies, or it can be used for good authentication by your allies....your allies of today may be your enemies of tomorrow, and vice versa.
Eventually, in 1999, Clinton eased the export laws for encryption products. Senator John McCain again crossed the congressional aisle to help.
Today we have Free Software, contributed to by people all over the world. Yet if you go to the sites of Red Hat Software and Novell (SuSE), you find the statements of where and to whom they can ship this software, delineated by the United States State Department, and now this list has migrated to SourceForge.
Does anyone really believe that "the bad guys" will be deterred by these efforts? Does anyone really think that blocking IP addresses will stop "the bad guys" from getting access to the code they need? That these same bad guys are smart enough to use Free Software but too stupid to change their IP address or set up a proxy?
Or will lack of access to this code hurt only the innocents, and create even more ill-will against the United States?
Is the argument being made that the populace of those countries will throw off their governments because it is hard for them to get access to Free Software? I suggest that it will simply be a matter of time before some entity will re-create a "SourceForge" in a more Free-Minded country, and yet another agency of Free Thought will be carried and championed outside of the United States.
This is no longer the era of sailing ships and brass cannons. Just as we have to use new techniques to win the war against terrorism by winning the minds and hearts of potential terrorists and the people that support them, we have to balance the acts of Freedom of Software against the act of building a useless electronic "Berlin Wall".
Mr. Obama, please tear down this wall....perhaps you can find an ally in Mr. McCain.
U.S. export restrictions of SourceForge
Good article, thanks.
I feel that if the U.S. is ever to come to its senses on this issue, it will be in its own good time, and not because of popular opinion.
As such, I do hope that a SourceForge-like entity appears sooner than later, on non-U.S. soil, so that the good work of so many people can continue, unhindered by inane U.S. bureaucracy.
I purposely understated here....
I purposely understated the amount of code that has been contributed by non-US citizens. It would not make any difference to my feelings on this issue if there was only *one* non-US citizen who had contributed, or even if all the Free Software had been completely written by US citizens.
US-based content on Sourceforge
"...and how the data stored in a US-based company, sometimes created by non-U.S. based citizens, is now being controlled by U.S. State Department rules."
You can safely assume that the *vast majority* of hosted content on Sourceforge has not been created by US citizens... I have worked on a couple of projects and the developers and contributors were from all over the place. US citizens were at most 10%.