governemtn
NICE! Spell check ftw.
"US governemtn fines Intel subsidiary over crypto exports"
The US Government has imposed a $750,000 fine on an Intel subsidiary for exporting encryption to China, Russia, Israel and other countries. Wind River Systems was fined for exporting products that incorporated encryption to foreign governments and to organisations on the US government restricted list. The controversial move …
It is pretty easy to see that the Intel AES instructions do implement the AES maths correctly, so part 1 of the tin-foil equation seems to be settled.
However, the aspect the truly paranoid would want to know is part 2 - is there an undocumented method to recover previous keys (or parts of keys) used by said AES instructions? You know, something that Windows, Flash Player, or similar closed source software might just run and report as a footnote to some other data dump...
The Intel CPUs are fabbed in Kiryat Gat in Israel, so are Intel fined for exporting CPUs to Israel that were made in Israel?
Stranger things have happened - we were once refused export permission for a bit of kit from the US to the UK because it contained an ARM processor.
I demonstrated exactly that on a simulated CPU at a security conference earlier this year - a plain old Intel CPU with AES-NI ... and an FDIV instruction which just happened to leak the crypto keys when you divided a particular pair of numbers. It didn't even need closed source software to do the sneaking: a few lines of JavaScript did the trick.
(The harder question is "how do we guarantee the real CPU isn't doing this too?" - and it really is a hard question.)
I'm beginning to think the Federal Government is on the tail end of the local cities concept of "fines are a revenue stream". This, I guess, would be "trickle up"? I'm just reading more and more where companies (and not just tech) are getting fined and the fines are going up.
It's not hard. When we sell stuff that has an element of strong encryption (usually carrier grade servers and network equipment), to dodgy places, we fill in the proper paperwork and apply for a network licence. Then we wait a long time. Bloody annoying (has put us at risk of LDs, even when we've applied in good time), but not hard.
As for China and Russia, I can't believe the US has sleepwalked into this when they've effectively been conducting large scale cyber warfare. Alas, I think I smell stale horseshit, but the stable door has been open for a long time.
So the Russians and Chinese are too dumb to write their own crypto and wouldn't be able to keep secrets from Uncle Sam if they didn't buy Intel's off the shelf stuff - while at the same time being super cyber-ninjas (and cossacks?) who can break into any US government or corporate system unless we give the NSA more powers to protect us?
Their devices were designed in the United States of America. Will BIS start going after them, too?
This is pressure from the spooks.
BIS to revoke Apple and Google's crypto export licenses. You read it here first, people!
The spooks are pretty pissed off with those two right now - and they don't care about job losses.
I don't see why they couldn't create a graphical interpretation of the software and claim it's art that is exportable under freedom of expression. That way you only need some sort of quasi compiler that turns a bitmap into software which isn't a "weapon". I know, it's just a spin on Phil Zimmermann's printing the PGP source code as a book but twisted for the QR code generation.
Exactly. Faced with SCO Unix missing libcrypt back in 19 something or other, I simply obtained the Berkeley Unix source, compiled it, debugged it and installed it.
The algorithm is not the secret, after all.
Neither really is the implementation.
Given the algo it's what - a day's work to write an encrypt/decrypt routine?
1. I thought this BS ended like a decade ago.
Nope. Export restrictions were relaxed, not eliminated. You still can't sell to the "enemy" states, and you still need an export license, in both the US and the UK. I've been through the process.
Fortunately, once you have the licenses, renewals are generally easy, provided nothing significant has changed in how the crypto tech is used in the product. (We've added new TLS ciphersuites and had our renewals rubber-stamped, for example.)
Suddenly the US government is all against encryption. Now they've been caught (like deer in the high beams) (and implicating the rest of the Famous Five -and by extension- every other government raping everyone's privacy like it ain't no thang) it's damage limitation time.
I have a message from the proletariat...who the fuck do you think you are to legislate yourselves the right to read my private fucking emails? Fuck you; the horse you rode in on; and the entire legislative apparatus that gives you the tissue-thin excuse to empower yourselves by raping information.
According to the article, the company was fined for failing to apply for a licence. For all we know, a licence may well have been granted if the company had bothered to apply for it. It sounds to me as though this isn't the US wanting to stop exporting crypto, it's the US wanting to make sure that it knows what crypto companies are exporting, and has the opportunity to stop it if necessary.
The point of the article is that the handling has changed from a slapped wrist if you made an after-the-fact revelation to a penalty. This raises a number of questions which have relevance due to the nature of the items in question.
Are all businesses now being fined for exporting without a license and admitting it later?
Are all other fines in line with the level of this one?
Does the treatment match any documented process to handle companies which export with no license?
They're not clueless at all. They're assigning penalties based on someone's failure to jump through the hoops (ie, get an export license). That's precisely what they're employed to do.
And while Joan Daemen and Vincent Rijmen are indeed Belgian, they submitted Rijndael to the AES competition. You could say it was "imported", but that's rather a strained claim. And it has nothing to do with US export licensing in any case.