The Wassenaar Arrangement attempts to limit traffic in conventional arms. The trouble is, they're trying to add security software to the list. The Register is carrying a story about the proposed rewrite of the Arrangement which specifies limitations on such trade. As with so many other tools, they can be used for good or evil, and many claim restricting good guys' access leaves everyone vulnerable to the bad guys. This is viewed with alarm in security circles.
Then, mid-2015, the US government said it had heard all the complaints against the changes, and agreed to go back to the drawing board. Now it's confirmed there will be a public consultation on the next draft update.
Speak now or forever lose your defenses. Unfortunately, TFA specifies no date or method for submissions.
(Score: 5, Interesting) by Anonymous Coward on Tuesday February 09 2016, @09:37AM
Meh, as a cryptographer this is great.
Once you understand cryptography, it's simple to string together your own cipher from cryptographic primitives.
So what if I can't export my crypto? Think of it like the 80's and everyone was dicking around with BASIC interpreters. Restrictive laws on cryptography will fragment the crypto communities so much that no centralized agency will be able to break anyone else's crypto.
Currently, crypto is the greatest boon to intelligence agencies. The fact that all certificate authorities can produce fake certs on demand for any domain desired is glorious. One gets compromised, you have the world's SSL traffic at your fingertips. Remember how Diginotar produced a cert for Google.
Even the public key crypto system is just moving the problem of symmetric cipher key distribution from exchanging passwords (which could otherwise be done in person, for high security like at a bank) up into "Which CA is SUPPOSED to be signing the certs for this site? And how do I know which?" YOU DON'T! So, the current state of liberal crypto laws allows top level agencies to MITM whatever the hell they want.
Go ahead and kill the goose that laid the golden egg, just because the lower level agencies are getting greedy, and we'll have teens dicking around with crypto primitives making unbreakable crypto systems in their garages just for the hell of it. Like back in the BBS era, except replace shitty BASIC games and LOGO drawings with impregnable cryptographic systems.
No Crypto Laws? Everything stays the same, and we can interoperate nicely on the current completely broken SSL(TLS) stack. Strong Laws against non-borked Crypto? They bring about what they say they fear as everyone starts thinking it's hip to "go dark". Either way, the crypto I made to protect my own stuff is still unbreakable. Next step is to outlaw the creation of strong crypto itself. Good luck preventing people from twiddling their bits. I moved to stenography for in-transit coms a long time ago.
Protip: HTTP Auth exists. We need to use it to key our symmetric stream ciphers and we're done. Rather than using a MITM ready, compromised CA system handshake on every "secure" connection, we already have a PW shared with the endpoint we want to talk to, so exchange a random nonce token, use that to salt your passphrase: Hash( nonce, pass ) = sessionkey. STOP! Both server and client know the password already. They take session key, drop it into whatever symmetric cipher you want to use, and continue talking in an encrypted MITM proof connection. The only reason we're not doing this right now is because browser devs are actually daft as fuck, and IETF is compromised by alphabet soup. I'm already using a system like this for my VPNs, and have a plugin to add "HTTPX" for administering my sites (which know how to do salted symmetric stream encryption).
This is trivial to create, and absolutely secure. No one knows my admin credentials but me, and no CA can help inject a MITM cert. We already have shared secrets everywhere. Public Key Crypto should only be used to create the initial PW exchange, and there's no need to use a cert signing system for that since the window is so small -- the MITM could get you during that phase, but this is already the case with the CA system, but they would have to be actively proxying all of your future password protected connections. One missed proxy and you discover the man in the middle. Furthermore, you then have the OPTION to NOT use PKI CA system at all. You exchange a PW in person with your husband / wife, friend, or the bank. Then every connection after that has zero chance of MITM.
If your browser is showing you a login form ON THE WEB PAGE (not in a browser security specific dialog box), you're doing it wrong. And yes, everyone who is not a moron knows that the entire current crypto industry is fucked. [youtube.com] Keep pushing these bullshit laws and we'll unfuck it very quickly.
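A sketch of the exchange described in the comment above, as an added example that is not the commenter's code: PBKDF2 is swapped in for the bare hash, and the second nonce, the HMAC key confirmation and all function names are assumptions introduced here. The last function shows the limit a reviewer would check for: everything sent on the wire is enough to test a password guess offline, so the session key is only as strong as the shared password.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumption: PBKDF2 cost; the comment's Hash() is a single hash

def derive_session_key(password: str, c_nonce: bytes, s_nonce: bytes) -> bytes:
    """Hash(nonce, pass) = sessionkey, with a slow KDF in place of the bare hash."""
    salt = c_nonce + s_nonce  # one nonce per side, so neither can force key reuse
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)

def confirmation_tag(key: bytes, role: bytes, c_nonce: bytes, s_nonce: bytes) -> bytes:
    """Key-confirmation MAC: proves knowledge of the key without sending it."""
    return hmac.new(key, role + c_nonce + s_nonce, hashlib.sha256).digest()

def handshake(client_password: str, server_password: str):
    """Run both sides in-process; returns (ok, client_key, wire_transcript)."""
    c_nonce = secrets.token_bytes(16)  # client -> server, in the clear
    s_nonce = secrets.token_bytes(16)  # server -> client, in the clear
    c_key = derive_session_key(client_password, c_nonce, s_nonce)
    s_key = derive_session_key(server_password, c_nonce, s_nonce)
    c_tag = confirmation_tag(c_key, b"client", c_nonce, s_nonce)  # client -> server
    s_tag = confirmation_tag(s_key, b"server", c_nonce, s_nonce)  # server -> client
    # Each side recomputes the tag it expects from its own key and compares.
    server_accepts = hmac.compare_digest(
        c_tag, confirmation_tag(s_key, b"client", c_nonce, s_nonce))
    client_accepts = hmac.compare_digest(
        s_tag, confirmation_tag(c_key, b"server", c_nonce, s_nonce))
    transcript = {"c_nonce": c_nonce, "s_nonce": s_nonce, "c_tag": c_tag}
    return server_accepts and client_accepts, c_key, transcript

def transcript_verifies_guess(transcript: dict, guess: str) -> bool:
    """Caveat: the wire transcript alone confirms or rejects a password guess,
    so a low-entropy password bounds the strength of every session key."""
    key = derive_session_key(guess, transcript["c_nonce"], transcript["s_nonce"])
    expected = confirmation_tag(key, b"client",
                                transcript["c_nonce"], transcript["s_nonce"])
    return hmac.compare_digest(expected, transcript["c_tag"])
```

Password-authenticated key exchange protocols exist to remove exactly this offline check; with a plain nonce-and-hash design the only mitigations are a slow KDF and a high-entropy shared secret.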
(Score: 0) by Anonymous Coward on Tuesday February 09 2016, @09:59AM
https://www.schneier.com/blog/archives/2015/05/amateurs_produc.html [schneier.com]
(Score: 2) by Farkus888 on Tuesday February 09 2016, @11:21AM
That is true and certainly a valid counter to his argument. It doesn't change that the current system requires a small number of sometimes difficult exploits. The outcome the first AC predicts would require a massive number of mostly trivial exploits. That is a lot of legwork for those breaking crypto and it would slow them down or eat more of their resources. For those who aren't important enough to warrant a tailored access operation, unique flawed crypto is more secure than homogeneous flawed crypto.
(Score: 0) by Anonymous Coward on Tuesday February 09 2016, @07:00PM
You write as if the only options are just two extremes. What will really happen is that each country/trade-zone will end up with a default crypto implementation and thus the best possible result is that the countries with the biggest populations will be just as vulnerable under these new restrictions because the cost/benefit ratio to cracking those implementations is basically the same as it is now.
The more likely result is that all the big countries will be just as vulnerable and all the little countries will have piss-poor amateur crypto because they don't have enough local talent to do better.
(Score: 2) by takyon on Sunday February 14 2016, @02:31PM
Interesting, but what's to say Schneier (or people who are still active programmers and researchers) won't release new open source crypto software into the wild? If there is no export restriction and nothing in the law about making encryption without "using" it, they can distribute it and "little countries" will adopt it. If it can't be done in the U.S., do it in Germany or somewhere.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 0) by Anonymous Coward on Tuesday February 09 2016, @12:09PM
(Score: 0) by Anonymous Coward on Tuesday February 09 2016, @06:22PM
VkhkdklISnZkVzVrY3lCdlppQmlZWE5sTmpRZ1pXNWpiMlJwYm1jZ2IzVm5hSFFnZEc4Z1ltVWdaVzV2ZFdkb0xnbz0K
(Score: 2) by Gravis on Tuesday February 09 2016, @10:10AM
i doubt much of anything would change but if it did, what this really means is that companies won't be able to half-ass software security in the future because if they do, they will be a sinking ship in the sea. frankly, i wish people were attacking the software i use so that all the vulnerabilities/flaws could be exposed and the software be patched and improved.
(Score: 2) by maxwell demon on Tuesday February 09 2016, @10:39AM
So if you travel abroad with a laptop with an encrypted directory (and consequently, the corresponding crypto software on it), you'll violate the arms traffic regulations?
What about a browser with HTTPS support? An SSH client? A VPN client?
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Tuesday February 09 2016, @10:52AM
Only if you are on a secret terror/do-not-fly list.
(Score: 3, Interesting) by MrGuy on Tuesday February 09 2016, @11:50AM
As I read it (and TSA seems to bear this out), this isn't a proposal for a return to the days where exporting strong crypto (for example, RSA) was illegal.
The targets here appear to be network monitoring and intrusion software. Things like metasploit [metasploit.com], which contain tools that can be used to target and break into networks.
That actually sounds sort of sensible on its face. We're not outlawing locks, we're outlawing lock picking tools. Until you realize you just outlawed locksmiths, and created a whole different problem. Which is the case here.
As with lockpicks, the problem is security exploit tools can be used for good and for evil, and the "for good" use is a pretty necessary one. Security researchers who FIND vulnerabilities (and bring them to companies' attention) use these tools. Penetration testers who provide expertise in reviewing corporate security and letting them know their weaknesses use those tools.
This really is a case where "when guns are outlawed, only outlaws will have guns."* Restrictions here will outlaw the good guys, leaving everyone more vulnerable to the bad guys.
* Disclaimer: I don't believe this slogan applies nearly as well to guns...
(Score: 2) by MrGuy on Tuesday February 09 2016, @11:41AM
this is a job for the Second Amendment! [xkcd.com]
Sorry, non-Americans. You just don't understand freedom.
(Score: 1, Touché) by Anonymous Coward on Tuesday February 09 2016, @12:12PM
Sorry, American. Your countrymen's actions and non-actions clearly show that most of you don't, neither.
(Score: 0) by Anonymous Coward on Tuesday February 09 2016, @01:46PM
Sorry, American. Your countrymen's actions and non-actions clearly show that most of you don't, neither.
You're not American?
You should shamefully consider your own country's legacy of jingoism, colonialism, genocide, and religious persecution before pointing the finger too firmly in our direction.
(Score: 2) by turgid on Tuesday February 09 2016, @06:23PM
I am not responsible in any way, shape or form for anything my forefathers did, in fact for anything anyone else did but me myself.
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 2) by MrGuy on Tuesday February 09 2016, @02:46PM
True, but we do have the right to create and recognize sarcasm. So there's that.
(Score: 0) by Anonymous Coward on Tuesday February 09 2016, @02:53PM
https://www.cvedetails.com/google-search-results.php?q=dm-crypt&sa=Search [cvedetails.com]
(Score: 0) by Anonymous Coward on Tuesday February 09 2016, @05:03PM
Excellent, another law that I and thousands of other people will completely ignore.
Keep reminding us how irrelevant you are, government!
(Score: 2) by HiThere on Wednesday February 10 2016, @05:01AM
You don't understand the importance of widely ignored laws. Those laws allow anyone to be arrested, held, and convicted at the whim of the state. And they really will be guilty.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.