legal EAR work-around/Paper based remailers
EAR says that you can't export crypto in electronic form. EAR says you can export crypto in textual form. We have electronic cash in terms of MT banks digicash. Email is more convenient for exporting crypto source code and binaries than snail mail.

Let's do it.

Here's what we need:

1. US entrepreneur to accept mail with

::
Snail-To: <street address (outside US)>
Snail-Fee: <Fee + 2c/sheet + postage stamp charge, digicash>
Scanning-Fee: <50c/sheet, digicash>
Request-Remailing-To: <cypherpunks@cyberpass.net>
Anon-Post-To: alt.cypherpunks

US volunteer strips off first two headers, prints out the document in a large OCR friendly font. Puts in envelope and posts at highest priority snail that can be paid for out of the included postage (overnight/air-mail/slow-boat).

2. Non-US entrepreneur to scan and remail results

::
Scanning-Fee: <50c/sheet, digicash>
Request-Remailing-To: <cypherpunks@toad.com>
Anon-Post-To: alt.cypherpunks

US volunteer scans the sheets, mails/post them to the requested email address/newsgroup, and collects his digicash fee per sheet.

I volunteer for #2. (You understand the importance of the Scanning-Fee, I can pay someone to feed sheets into a scanner if needs be with a fee, without that I can become overloaded with a ream of paper representing the binary for PGP5.0).

Legal questions: I'd be interested in legal interpretations of whether the above scheme is legal for the US entrepreneur. Peter Junger said a short while ago on the list that printed material could be exported under the EAR regulations administered by Commerce Dept. Does this scheme qualify?

Technical questions: If this is to include uuencoded or radix-64 mime encoding, we might want to think about redundancy to allow error correction. Perhaps we want that anyway to ensure that what we have is 100% character-by-character perfect. Or perhaps not as it may damage the legality aspects. They may start saying that you can only export human readable stuff on paper, etc. Then we move on to `texto' apparently human readable steganographically encoded paper based remailer messages.

Adam
--
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
In <199705310853.JAA00659@server.test.net>, on 05/31/97 at 09:53 AM, Adam Back <aba@dcs.ex.ac.uk> said:
> EAR says that you can't export crypto in electronic form. EAR says you can export crypto in textual form. We have electronic cash in terms of MT banks digicash. Email is more convenient for exporting crypto source code and binaries than snail mail.
>
> Let's do it.
>
> Here's what we need:
>
> 1. US entrepreneur to accept mail with
>
> ::
> Snail-To: <street address (outside US)>
> Snail-Fee: <Fee + 2c/sheet + postage stamp charge, digicash>
> Scanning-Fee: <50c/sheet, digicash>
> Request-Remailing-To: <cypherpunks@cyberpass.net>
> Anon-Post-To: alt.cypherpunks
>
> US volunteer strips off first two headers, prints out the document in a large OCR friendly font. Puts in envelope and posts at highest priority snail that can be paid for out of the included postage (overnight/air-mail/slow-boat).
>
> 2. Non-US entrepreneur to scan and remail results
>
> ::
> Scanning-Fee: <50c/sheet, digicash>
> Request-Remailing-To: <cypherpunks@toad.com>
> Anon-Post-To: alt.cypherpunks
>
> US volunteer scans the sheets, mails/post them to the requested email address/newsgroup, and collects his digicash fee per sheet.
>
> I volunteer for #2. (You understand the importance of the Scanning-Fee, I can pay someone to feed sheets into a scanner if needs be with a fee, without that I can become overloaded with a ream of paper representing the binary for PGP5.0).
>
> Legal questions: I'd be interested in legal interpretations of whether the above scheme is legal for the US entrepreneur. Peter Junger said a short while ago on the list that printed material could be exported under the EAR regulations administered by Commerce Dept. Does this scheme qualify?
>
> Technical questions: If this is to include uuencoded or radix-64 mime encoding, we might want to think about redundancy to allow error correction. Perhaps we want that anyway to ensure that what we have is 100% character-by-character perfect. Or perhaps not as it may damage the legality aspects. They may start saying that you can only export human readable stuff on paper, etc. Then we move on to `texto' apparently human readable steganographically encoded paper based remailer messages.
Hi Adam,

Why bother with all of this. If you want to export crypto then just do it. As long as we keep up with this Mickey Mouse approach to exports trying to appease the FEDs who are acting unconstitutionally on this matter things will never change. Put up a web page or a ftp site with the crypto binaries and let whomever wishes to download them download them.

I have done this and I will continue to do this despite what the goons in DC have to say about it.

We must all hang together or we will all hang.

--
---------------------------------------------------------------
William H. Geiger III http://www.amaranth.com/~whgiii
Geiger Consulting Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 2.6.3a at: http://www.amaranth.com/~whgiii/pgpmr2.html
---------------------------------------------------------------
William Geiger <whgiii@amaranth.com> writes:
> Adam Back <aba@dcs.ex.ac.uk> writes
> > [export via printing out on paper, and scanning via automated for pay email gateway]
>
> Why bother with all of this. If you want to export crypto then just do it. As long as we keep up with this Mickey Mouse approach to exports trying to appease the FEDs who are acting unconstitutionally on this matter things will never change. Put up a web page or a ftp site with the crypto binaries and let whomever wishes to download them download them.

Do you have a copy of PGP5.0 on there? I wouldn't mind looking at that.

> I have done this and I will continue to do this despite what the goons in DC have to say about it.
>
> We must all hang together or we will all hang.

If you export it, and make a big deal of it advertising your web page as widely as you can, and talk to newspapers about how you're purposefully violating the export law, I'd predict you'd get a visit from the Feds in a few days. As long as you're low key, you're just one of the hundreds getting away with it, and not worth the effort to stop.

I think the key is to make fun of them, so that they lose credibility. They don't like being laughed at.

So Sun Microsystems did a real good job by getting stuff produced in Russia. Russia of all places, given the average US person's jingoistic antagonism towards the "Commies". Excellent.

So my proposal is aimed at being another stunt. It might be news-worthy (i.e. get reported on enough that it gets discussed, and to make the US government look exceedingly stupid).

And it's perfectly legal, so you can't be stopped.

If PGP Inc wants to mail out the latest version of PGP, they are welcome to.

I mean come on, next thing, the provider of this service will be offering web space too, so that US firms can link to their own binaries which they exported themselves 100% legally.

Now all they need is some reseller agreements, or overseas sales offices to export worldwide unrestricted, dumb laws or not.

It has been speculated that this change to the regulations might have been due to Phil Karn's ploy of asking to export the source code disks of the examples in Applied Crypto. I think that is a cool speculation.

Now we all know all the freeware and shareware crypto gets everywhere anyway. But no US companies are not exporting high grade crypto generally, and US companies produce the lion's share of application and OS software.

Adam
--
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
In <199705311800.TAA00253@server.test.net>, on 05/31/97 at 07:00 PM, Adam Back <aba@dcs.ex.ac.uk> said:
> William Geiger <whgiii@amaranth.com> writes:
> > Adam Back <aba@dcs.ex.ac.uk> writes
> > > [export via printing out on paper, and scanning via automated for pay email gateway]
> >
> > Why bother with all of this. If you want to export crypto then just do it. As long as we keep up with this Mickey Mouse approach to exports trying to appease the FEDs who are acting unconstitutionally on this matter things will never change. Put up a web page or a ftp site with the crypto binaries and let whomever wishes to download them download them.
>
> Do you have a copy of PGP5.0 on there? I wouldn't mind looking at that.

No I have limited space on that ISP so I only have OS/2 software there: E-Secure, PGP 2.6.2 & 2.6.3 OS/2 binaries, PGP 2.6.2 & 2.6.3 source code, and RSAREF 1.0 source code. If I ever get it finished I should have SSL & Mixmaster OS/2 binaries & source available also.
> > I have done this and I will continue to do this despite what the goons in DC have to say about it.
> >
> > We must all hang together or we will all hang.
>
> If you export it, and make a big deal of it advertising your web page as widely as you can, and talk to newspapers about how you're purposefully violating the export law, I'd predict you'd get a visit from the Feds in a few days. As long as you're low key, you're just one of the hundreds getting away with it, and not worth the effort to stop.

Well I have posted the info to approx. 20 different newsgroups, plus numerous mailing lists & fido echos. Haven't called any newspapers but I rank them right below lawyers & politicians so I am in no hurry to talk to them anyway. As far as the FEDs I always liked the sound of Geiger vs The United States of America. I doubt that they could really do more than harassment considering that they will allow Fortune 500 to export PGP but not the little guy??
> I think the key is to make fun of them, so that they lose credibility. They don't like being laughed at.
>
> So Sun Microsystems did a real good job by getting stuff produced in Russia. Russia of all places, given the average US person's jingoistic antagonism towards the "Commies". Excellent.
>
> So my proposal is aimed at being another stunt. It might be news-worthy (i.e. get reported on enough that it gets discussed, and to make the US government look exceedingly stupid).
>
> And it's perfectly legal, so you can't be stopped.
>
> If PGP Inc wants to mail out the latest version of PGP, they are welcome to.
>
> I mean come on, next thing, the provider of this service will be offering web space too, so that US firms can link to their own binaries which they exported themselves 100% legally.
>
> Now all they need is some reseller agreements, or overseas sales offices to export worldwide unrestricted, dumb laws or not.
>
> It has been speculated that this change to the regulations might have been due to Phil Karn's ploy of asking to export the source code disks of the examples in Applied Crypto. I think that is a cool speculation.
>
> Now we all know all the freeware and shareware crypto gets everywhere anyway. But no US companies are not exporting high grade crypto generally, and US companies produce the lion's share of application and OS software.
Well I would like to see the "big" computer (IBM, Microsoft, Netscape, Sun, DEC, ...) companies tell the FEDs where to go and just export their software/hardware. What could the FEDs do? Shut down the entire computer industry?

The whole power structure of the FEDs is built on fear & intimidation. So long as we decide to play it "safe" and just go along this will never change.

Whenever I think of ways of dealing with this problem I am reminded of how Gandhi handled the British in India. Non-violent civil disobedience. The world governments are too dependent on the computer industry for its survival. If the CEOs would just have some balls and stand up to them this whole issue would have been dead before it ever got started.

--
---------------------------------------------------------------
William H. Geiger III http://www.amaranth.com/~whgiii
Geiger Consulting Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 2.6.3a at: http://www.amaranth.com/~whgiii/pgpmr2.html
---------------------------------------------------------------
At 07:00 PM 5/31/97 +0100, Adam Back wrote:
> Do you have a copy of PGP5.0 on there? I wouldn't mind looking at that.

PGP 5.0 can be obtained from the usual sources.

--Lucky Green <shamrock@netcom.com> PGP encrypted mail preferred.
Put a stake through the heart of DES! Join the quest at http://www.frii.com/~rcv/deschall.htm
Adam Back wrote:
| Technical questions: If this is to include uuencoded or radix-64 mime
| encoding, we might want to think about redundancy to allow error
| correction. Perhaps we want that anyway to ensure that what we have
| is 100% character-by-character perfect. Or perhaps not as it may
| damage the legality aspects. They may start saying that you can only
| export human readable stuff on paper, etc. Then we move on to `texto'
| apparently human readable steganographically encoded paper based
| remailer messages.

The place we really want the redundancy is in the alphabet used, not in the data. Most OCR systems have clever algorithms to figure out that that blob after a 'q' is really a 'u'. To take advantage of this, you could encode everything in RFC1751(?, S/Key style) word lists. The expansion factor is extreme, so use gzip --best.

Alternately, you could turn off context sensitivity on your scanner, and use an alphabet of abcdfgijknopqrstuvxyz (depending on your font--in lucida these are all pretty dissimilar, using a heuristic of 'more than one led bar' different.) With some experimentation, you might be able to expand that a bit with punctuation and numbers.

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume
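The restricted-alphabet suggestion in the message above, combined with the redundancy question it replies to, as an added example that is not code from any poster in the thread: each byte is printed as two letters of the 21-letter alphabet, and every line ends in a CRC-16 seeded with its line number, so a misread glyph or a dropped line is flagged for re-scanning. The line length, the choice of CRC and all function names are assumptions made for the illustration.

```python
import binascii

# 21-letter alphabet from the message above (no e, h, l, m, w).
ALPHABET = "abcdfgijknopqrstuvxyz"
BASE = len(ALPHABET)
BYTES_PER_LINE = 16   # assumption: payload bytes per printed line

def to_syms(value, width):
    """Fixed-width base-21 rendering of a non-negative integer."""
    out = ""
    for _ in range(width):
        value, digit = divmod(value, BASE)
        out = ALPHABET[digit] + out
    return out

def from_syms(text):
    """Inverse of to_syms; ValueError on a glyph outside the alphabet."""
    value = 0
    for ch in text:
        value = value * BASE + ALPHABET.index(ch)
    return value

def encode(data):
    """Lines of 2 letters per byte plus a 4-letter CRC-16 (21**4 > 65535)."""
    lines = []
    for n, off in enumerate(range(0, len(data), BYTES_PER_LINE)):
        chunk = data[off:off + BYTES_PER_LINE]
        crc = binascii.crc_hqx(chunk, n & 0xFFFF)  # seeded with line number
        body = "".join(to_syms(b, 2) for b in chunk)
        lines.append(body + " " + to_syms(crc, 4))
    return lines

def decode(lines):
    """Return (data, bad_line_numbers); flagged lines contribute no bytes."""
    data, bad = bytearray(), []
    for n, line in enumerate(lines):
        try:
            body, crc = line.split()
            chunk = bytes(from_syms(body[i:i + 2])
                          for i in range(0, len(body), 2))  # >255: ValueError
            if binascii.crc_hqx(chunk, n & 0xFFFF) != from_syms(crc):
                raise ValueError("checksum mismatch")
            data += chunk
        except ValueError:
            bad.append(n)
    return bytes(data), bad

# Constructed sample input, not real PGP data.
SAMPLE = b"constructed sample payload for the paper channel"
```

This only detects errors; correcting them without a re-scan would need an error-correcting code on top, which is the trade-off the quoted question raises.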
Participants (4): Adam Back, Adam Shostack, Lucky Green, William H. Geiger III