Re: Schneier's source code
Oh come on, all this talk about OCR makes it sound like nobody would ever be willing to just type in the code by hand. It only need be done once, .... But seriously, isn't the point that you may make some silly typing mistake that compiles anyway, but ruins the algorithm?
Since it's perfectly legal to *import* crypto code to the US, that's simple - ship it back to the US to check if it's correct. You also do checksums for each page and maybe each line, and have them run the checksums to make sure they've typed the page correctly as well, but use the ship-back-here method for final diffs. Meanwhile, since much of crypto is eventually about economics, it's worth pointing out that you can probably hire typists in Russia who speak English and C well enough to type it in accurately, and pay them an amount of money that's small here and quite large there. I don't know if Russia has crypto import/export laws? There's certainly Russian crypto software available in the West.
There is also the interesting realization that even if the Schneier source code were to be mailed or FTP'ed outside the country, without actual evidence of those acts there would be nothing to disprove an assertion that it was typed in from the legally exportable book. But, as they say, "that would be wrong". I'm *still* waiting for a response to my CJ request for this disk. They either ignore my calls or put me off with "it's coming soon", but it's now almost May and I still don't have an official ruling on my "15-day" request, which was filed in early March. Phil
Phil Karn <karn@qualcomm.com> wrote:
I'm *still* waiting for a response to my CJ request for this disk. They either ignore my calls or put me off with "it's coming soon", but it's now almost May and I still don't have an official ruling on my "15-day" request, which was filed in early March.
How long did your original request take? It could be that they're just being slow as usual, or you've got them in a tough position and they don't know what to do. If the latter, my guess is that they'll delay it as long as possible, but eventually approve it. Here's why: if they deny it, they're setting themselves up as a target for a lawsuit that they'll likely lose. If they lose the lawsuit, it will basically be the end of most crypto regulation. If they approve it, however, although it will be a setback, they could claim the power to deny requests in the future (even though the set precedent makes it less likely that they would). I'm curious as to what your plan of action would be if it is denied. Have you asked the EFF or other groups about their willingness to provide legal funding for this?
As you can tell from John Gilmore's files (ftp://ftp.cygnus.com/pub/export) I filed my original request, for the book itself, by fax on Feb 12. The letter in response was dated March 2, but I didn't receive it in the mail until March 8. That puts it within their 15 business day limit if you don't count the mail delay. My second request (for the floppy containing exactly what was in the book) was filed by fax on March 8. I had to revise the title, so the actual filing date is more like March 10 (that's the date you get if you call up their automatic license status system and punch in the case number). That makes it 7 weeks, well over their 3-week (15 business day) limit. Odd that it should take so long to clear information that has previously been cleared on another medium, eh? Yes, I think they're clearly stalling since either way they rule they're putting themselves in a tough spot. That was exactly my intention. As to what to do next, I don't know. I don't think the 15-day rule is binding in the sense that 10 days is binding under the FOIA (not that that makes any difference, of course). They say that CJ requests normally take upwards of two months, and could claim that the 15-day rule is something they advertise without actually promising to meet it. Just like 2-day priority mail. It has occurred to me that it wouldn't hurt for others to file CJ requests for other cases of published cryptographic source code, to help build up a foundation of these things. There are plenty of examples to choose from. For a list, see http://www.quadralay.com/www/Crypt/DES/source-books.html. Filing CJ requests is actually quite easy; see John's "CJR kit" (in the aforementioned FTP directory on ftp.cygnus.com) for all the details. If you do file a CJ request, be sure to send a copy to John so he can include it in the files. Phil
participants (3)
-
Matthew J Ghio -
Phil Karn -
wcs@anchor.ho.att.com