Vladimir: put up or shut up
Most of the recent cypherpunks traffic from Vladimir has been a reiteration of the position that discussing ITAR is bad because it discourages cypherpunks from releasing good crypto software.
Well, here's one cypherpunk who recently released some software, and furthermore did so making significant (some might say extreme) concessions to the ITAR rules. I made the software available only on an export-restricted Web server, and asked explicitly several times for it not to be exported. If my timezone math works out right, it took about half an hour for it to be available on utopia. The ITAR did _nothing_ to stop, or even slow down, the release of my software.
Why is it, then, that we still don't have usable strong crypto tools? I'd say the reason is complex, much more so than could be explained by a simple conspiracy theory or even too much discussion of ITAR. The main reason is that it is very damned hard to write good crypto-enabled applications. Trust me, I know. I have done the best I could with the software I released, but I'm still quite frustrated with its limitations, especially with respect to nontechnical users.
Ultimately, to create really good crypto-enabled applications, it's going to take money. And there's where ITAR is most effective. If the powers that be disapprove of your software, then there goes your foreign market. There go your government sales. There go those "strategic alliances" with the other companies in the market, because the pressure can be applied transitively too. ITAR is actually only a small part of the process.
Still, free software has a lot of vitality left in it. It's still strong at blazing new trails in software design. Where it's weak (and this is what really counts now), is being usable, easy to learn, and easy to install. I think if we explicitly work towards these goals, there's hope for great free crypto-enabled applications. Hell, PGP came pretty close, and it's saddled with all kinds of lousy design decisions.
But back to Vladimir: instead of whining at us about how our fear of the law is hurting the achievement of our goals, why don't _you_ write that killer crypto-app and distribute it to the world? Who's stopping you?
Raph
> Most of the recent cypherpunks traffic from Vladimir has been a reiteration of the position that discussing ITAR is bad because it discourages cypherpunks from releasing good crypto software.
excuse me, but you seem to be implying I am somehow responsible for "cypherpunk traffic" S/N. I have posted only a few messages recently. also, this is a mischaracterization of my position. (gad, why do I always have to reiterate something so trivial). my point is that if ITAR is discussed, at least, I would like to see caveats and encouragement in the same message by everyone here to challenge it.
> Well, here's one cypherpunk who recently released some software, and furthermore did so making significant (some might say extreme) concessions to the ITAR rules. I made the software available only on an export-restricted Web server, and asked explicitly several times for it not to be exported.
congratulate yourself for doing NSA's job so well, and following the letter of the law so meticulously!!
> If my timezone math works out right, it took about half an hour for it to be available on utopia. The ITAR did _nothing_ to stop, or even slow down, the release of my software.
"export restricted Web server"? "ask several times for it not to be exported"? are you, or are you not, following the ITAR? or perhaps you want to have your cake and eat it too?
> Why is it, then, that we still don't have usable strong crypto tools? I'd say the reason is complex, much more so than could be explained by a simple conspiracy theory or even too much discussion of ITAR.
for example, consider the idea that MS refuses to sign outside crypto packages because merely *signing* them would somehow violate the ITAR. I consider this a very good example. where is this law? even if it were a law, what kind of bonehead would give it legitimacy by following it? if you want to hang yourself, fine, go ahead, but please do not publicly question where the rope is coming from.
> The main reason is that it is very damned hard to write good crypto-enabled applications. Trust me, I know. I have done the best I could with the software I released, but I'm still quite frustrated with its limitations, especially with respect to nontechnical users.
it is hard for *one*individual* to write a good crypto application. again, cypherpunk bias/mindset/prejudice. it is far easier for a large company to do so. maybe cpunks should reconsider their antagonism to "any organized group of people larger than 2". Netscape had no problem peppering the world with crypto, and they are advancing nicely. I am suggesting the logical next step: a company openly ignore the ITAR crypto sections.
> Ultimately, to create really good crypto-enabled applications, it's going to take money. And there's where ITAR is most effective. If the powers that be disapprove of your software, then there goes your foreign market.
"powers that be". a faceless bogeyman I don't believe in. sorry to challenge your religion of fear and powerlessness. there are major big companies, *lists* of them, that want to export crypto. why not try to persuade MS to sign foreign packages, to import them, or whatever? answer: because cypherpunks like to pretend they are powerless.
> There go your government sales. There go those "strategic alliances" with the other companies in the market, because the pressure can be applied transitively too. ITAR is actually only a small part of the process.
that's right. FEAR is the basic part of the process. as long as you help support that framework of fear, NOTHING WILL CHANGE. when someone openly defies the ITAR and nothing happens, or an actual court case emerges, the spread of crypto will be immensely facilitated.
> Still, free software has a lot of vitality left in it. It's still strong at blazing new trails in software design. Where it's weak (and this is what really counts now), is being usable, easy to learn, and easy to install. I think if we explicitly work towards these goals, there's hope for great free crypto-enabled applications. Hell, PGP came pretty close, and it's saddled with all kinds of lousy design decisions.
look, I really respect your own software capabilities. but my main thesis, which you appear to agree with, is that "guerilla crypto programmers" can only get so far. there are some logical next steps. but because of "one individualitis" bias on this list, they are always roundly dismissed.
> But back to Vladimir: instead of whining at us about how our fear of the law is hurting the achievement of our goals, why don't _you_ write that killer crypto-app and distribute it to the world? Who's stopping you?
no one is stopping me from *distributing* any software, nor from writing it. I don't think the problem is a shortage of inspired programmers as you nicely demonstrate. the problem is the aura of fear associated with those programmers unleashing their full creativity on the problem, esp. those inside companies. and my point is that laws do not create fear. the programmers are responsible for their own fears. we can help eradicate that fear by egging them on. does anyone really believe anything bad will happen to individual programmers? don't you see that if anything did, how much it would win for *our* cause? "sometimes you win by losing, and lose by winning". your bias again shows: "what is preventing us from succeeding is finding a lone programmer who writes that killer app that spreads around the world". that's blatantly specious in my opinion. the killer apps such as the MS crypto toolkit, various apple products, and Netscape, Eudora, etc. exist *now*. the trick is to encourage the companies to put strong crypto in them, and to say to Hell with the ITAR, and accept a court challenge as an important part of the battle. you will not get that result by endlessly reiterating why even THINKING about doing so is prevented by the ITAR. you will sabotage that result. imho, the period of the lone programmer writing a killer app is over with. I believe that PGP is going to start a slow slide into obscurity at this point unless Zimmermann links it to some major vehicle like a web browser or wysiwyg mail program. of course I know what I write is blasphemous. of course it sounds contrary to the basic philosophies on this list. but how far have these philosophies gotten the cpunk "movement"?? look around you, and ask yourself if your tactics are succeeding. p.s. thanks for taking me seriously.
On Mon, 29 Jan 1996, Raph Levien wrote:
> Most of the recent cypherpunks traffic from Vladimir has been a reiteration of the position that discussing ITAR is bad because it discourages cypherpunks from releasing good crypto software.
Vladimir made my kill file for good reason
> Well, here's one cypherpunk who recently released some software, and furthermore did so making significant (some might say extreme) concessions to the ITAR rules. I made the software available only on an export-restricted Web server, and asked explicitly several times for it not to be exported. If my timezone math works out right, it took about half an hour for it to be available on utopia. The ITAR did _nothing_ to stop, or even slow down, the release of my software.
the point is: YOU did exactly as required by ITAR. you had nothing to do with its export. the point the government is missing is the exact same point the Chinese government failed to understand with Tiannamen (?) square: the greater the power to communicate, the less government objectives of suppressing information are enforceable. once the Russians took the total clamp off the media it was all over --degeneration into anarchy, albeit, obviously somewhat less than idealistic or self-policed (non-utopian). I believe our goal is to provide tools for the protection of individual liberties (Bill of Rights, etc) in the face of both the government's increasing police state mentality and the enormous increase in technology enabling the state to abuse its power to retain control. maybe even look at our position as electronic counter-measures! I look at debating ITAR as futile --the powers that be never will give up power that maintains their power. Our task is to help render their supposed power ineffectual.
> Why is it, then, that we still don't have usable strong crypto tools? I'd say the reason is complex, much more so than could be explained by a simple conspiracy theory or even too much discussion of ITAR. The main reason is that it is very damned hard to write good crypto-enabled applications. Trust me, I know. I have done the best I could with the software I released, but I'm still quite frustrated with its limitations, especially with respect to nontechnical users.
for Joe SixPack to demand crypto tools, they must be virtually automatic, including protecting the user from his own ignorance. for instance: it took me less than a few minutes to compile and install MixMaster. OK, I've been involved in this stuff for 30+ years, but MixMaster went together without a ripple faster than most. MM is a great product for unix, or text-based usage; write it in emacs and send it one --painless. why is MM usage not universal? 1) unawareness, 2) it takes a Windoz GUI product for Joe SixPack (please do an OS/2 version first as I refuse to run Billy's toys (this is NOT a topic for discussion)). You need the functions of MM built into all the real world's sexy mail programs; and maybe everyone would think twice about filling dejanews.com with embarrassing files. meanwhile, while we wait for the ultimate GUI --how about hacking it into Pine?
> Ultimately, to create really good crypto-enabled applications, it's going to take money. And there's where ITAR is most effective. If the powers that be disapprove of your software, then there goes your foreign market. There go your government sales. There go those "strategic alliances" with the other companies in the market, because the pressure can be applied transitively too. ITAR is actually only a small part of the process.
for example: IBM/Notes. any large company, or startup for that matter can not afford to risk the government market. guess that follows one of my basic rules: intimidation is just another form of communication.
> Still, free software has a lot of vitality left in it. It's still strong at blazing new trails in software design. Where it's weak (and this is what really counts now), is being usable, easy to learn, and easy to install. I think if we explicitly work towards these goals, there's hope for great free crypto-enabled applications. Hell, PGP came pretty close, and it's saddled with all kinds of lousy design decisions.
free software really is all that remains as a weapon against government intimidation. the net is virtually transparent: witness tcm's change in his "speedbump" sig. If we wish to scream about our freedoms, putting out _good_, free software is the opening bid, and each time the opposition raises the ante (cracks a cypher methodology), raise 'em one back.
> But back to Vladimir: instead of whining at us about how our fear of the law is hurting the achievement of our goals, why don't _you_ write that killer crypto-app and distribute it to the world? Who's stopping you?
well, Vladimir --do you have it or do you not?
> Raph
__________________________________________________________________________
go not unto usenet for advice, for the inhabitants thereof will say:
yes, and no, and maybe, and I don't know, and fuck-off.
_________________________________________________________________ attila__
To be a ruler of men, you need at least 12 inches....
There is no safety this side of the grave. Never was; never will be.
participants (3): attila, Raph Levien, Vladimir Z. Nuri