some limits are emerging on the crypto export liberalization

Philip Greenspun's Homepage : Philip Greenspun's Homepage Discussion Forums : 6805 : One Thread
Notify me of new responses

Easing on Software Exports Has Limits

By PETER WAYNER

October 11, 1999

When the Clinton administration recently announced plans to relax
restrictions on exports of data-scrambling software, a key issue
that escaped notice was that the new policies affect only
shrink-wrapped software, not the original source code -- the
lines of instructions that programmers actually write.

When it comes to source code, the undersecretary of commerce for
export administration, William Reinsch, said last week that
"nothing has changed."

The exclusion of source code from the relaxed rules threatens
to constrain software developed under the so-called open-source
model, most notably the Linux operating system, an upstart
competitor to Microsoft's Windows.

Linux and other open-source programs are created by loose-knit
coalitions of programmers around the world who exchange source
codes. Many of these teams have developed unusually error-free
software in part because access to the source code allows each
programmer to find colleagues' mistakes, improve on a program's
efficiency, offer fixes for bugs and add new features.

Before software written in any of today's more sophisticated
programming languages can run on a computer, it must be compiled,
a process that translates the text of the source code into
combinations of ones and zeros that can be understood by a
microprocessor.

Once a program is compiled, it is almost impossible to determine
what the original source code was. Thus it cannot be adapted or
modified by other programmers unless the source code itself is
published.

This happens to suit U.S. government intelligence and
law-enforcement agencies, which worry that access to the source
code for encryption and security software would enable
terrorists, drug dealers and other criminals to devise secure
communications networks that agents would not be able to monitor.

Last May, Attorney General Janet Reno wrote to the German justice
minister, Herta Daeubler-Gmelin, asking for her help in writing
new regulations to control the proliferation of the source code
for encryption software that is distributed over the Internet.

Paradoxically, the government is increasingly turning to
open-source software to build secure communications networks that
protect government secrets or citizens' privacy. Of particular
note is a cousin of Linux known as OpenBSD, which is popular in
government agencies because its development team conducted
unusually rigorous security audits to anticipate and plug holes
that attackers might use to gain entry.

While it might seem logical that the hidden code in compiled
software would offer greater security than code that anyone can
read, many security experts argue that the opposite is true. Open
source, they say, is ultimately more secure because the people
writing security software know exactly how the systems they are
protecting run.

Theo de Raadt, the leader of the OpenBSD development team, said
last week that his group's software had been bought by many
laboratories and agencies. "I went down a list," he said, "and it
includes hundreds of them." He refused to name the agencies but
said it was fair to assume that the list included some of the
government's most security-conscious operations.

OpenBSD is also used as the basis for many security applications.
For example, Network Flight Recorder, based in Washington, makes
a device that monitors activity on a network, watching for
packets of data that suggest suspicious or forbidden activity.

The problem is that by the government's definitions, OpenBSD is
foreign software. De Raadt lives in Calgary, Alberta, and he uses
many Canadian programmers to add security enhancements. He said
that the more liberal rules of the Canadian government made it
possible for his team to pursue absolute security without fear
that the government would regulate it. The OpenBSD CD-ROM bears a
label boasting, "Made in Canada, Land of Free Cryptography."

Yet the Internet and software development defy the notion of
national boundaries. OpenBSD originated at the University of
California at Berkeley (the BSD stands for "Berkeley software
distribution"). De Raadt led the push to increase the security
by adding software in Canada that could not be exported by
developers in the United States.

Even so, several key security enhancements came from programmers
in the United States. For example, the Naval Research Lab in
Virginia is using OpenBSD as a foundation of its new IPv6
project, an attempt to increase the security of both the Internet
in general and the secure parts of the global network used by the
military.

No open-source development can be a made-in-America project. The
Naval Research Lab's Web page thanks several Italians who
contributed some of the source code that works with OpenBSD.

Thus, the Navy's project is built with Italian enhancements to a
Canadian product that was born in a U.S. university. What is
more, it is likely that the software contains pieces of code
contributed by programmers in Finland, Germany, Eastern Europe,
Russia, Australia, India, Mexico and other countries.

Many security professionals argue that the nationality of a piece
of source code is irrelevant, that what matters is achieving a
blend of software produced by the best minds everywhere.

Gregory Perry, the chief technology officer of Network Security
Technology in Herndon, Va., said that OpenBSD is the most secure
operating system in the world. He added that his company already
used it for many projects and was exploring commercializing the
system or selling expert support.

The appeal is not only security but cost. Marcus Ranum, chief
executive of Network Flight Recorder, said the OpenBSD operating
system enabled his engineers to read the source code, check for
bugs and build a very secure tool for detecting attackers. If the
attorney general succeeds in persuading the Europeans and
Canadians to shut off the flow of open-source security software,
he said, "I think it would be a tragedy."

But in case Reno has her way, the software industry is developing
end runs. The administration, for example, has so far declined to
regulate the international movement of source code if it is
printed on paper, presumably out of concern that such regulation
would violate the First Amendment. Thus, several companies are
already shipping printouts of their code to Europe where it is
scanned into computers.

When asked about the policy's impact on the development of Linux,
FreeBSD, and other open-source projects that serve the
government's own needs, Reinsch, the commerce undersecretary,
said: "It's an important question which we need to study a lot
more. We don't have all of the answers."



-- Hal Abelson, October 11, 1999