Fw: Risks of letting NSA near your laws (security fixes embargoed)

Rohit Khare (khare@www10.w3.org)
Fri, 24 Jan 1997 18:04:39 -0500


Wow... lots of good stuff on dee-interest today. This one, to be sure, is
originally from RISKS Digest, so I'm quite concerned...

> From: Donald E. Eastlake 3rd <dee@world.std.com>
> To: dee-interest@cybercash.com
> Subject: FWD: Risks of letting NSA near your laws (security fixes embargoed)
> Date: Friday, January 24, 1997 5:46 PM

Message-Id: <v03010d03af0e10901085@[205.180.136.72]>
Date: Thu, 23 Jan 1997 23:10:10 -0800
From: Jon Callas <jon@worldbenders.com>
Subject: It's now illegal to export bug fixes (from RISKS)

Date: Tue, 21 Jan 1997 14:15:40 -0800
From: John Gilmore <gnu@toad.com>

Lucky Green is right in RISKS-18.75. Security fixes and virus-protection
software are now export-controlled. Under the old ITAR, virus-protection
software was part of the list of *exempted* crypto software in
XIII(b)(1)(ix). Even if it used crypto, it wasn't embargoed if the
software's purpose was protection against malicious code.

In the new EAR, such software is specifically included as export-controlled
under category 5D002 -- even if it doesn't include crypto!

It's now illegal to build worldwide products that are designed or modified
to protect against malicious computer damage.

This sounds like a manufacturer can't even fix bugs in their products if the
fix eliminates a security breach, since the fixed product is "modified to
protect against malicious computer damage". This is not a joke. Everybody,
it's time to call your lawyers...

It looks to me like the Information Warfare hawks have shot themselves in
the foot. They were probably trying to prevent American products from
defending foreign countries against infrastructure attacks by the US
military. Instead, as usual, they just leave our own infrastructure wide
open to attacks.

I encourage companies to comment to the Commerce Department about these new
regulations. They are listening for comments by Feb 13th; see the web
reference below for details. Don't expect your comments to change anything;
the NSA (which is pulling the strings here) seems to *want* the US to be
wide-open to both wiretapping and active attacks on computer-based
infrastructure.

John

[David Holland's contribution to RISKS-18.76 gave an http address
that pointed to a draft version. John points out that the
www.epic.org URL is correct, and so is http://jya.com/bxa123096.txt.]