"a quirk of the U.S. legal system meant that cryptography was, until the late 1990s, placed on the U.S. Munitions List, alongside semi-automatic firearms and tanks."
This was no quirk. The US government made deliberate efforts to limit the availability of encryption software, even adding it to international export control lists where it previously did not exist:
We should remember that DJB was a key person in making cryptography fully legal in the US.
«The State Department was unsympathetic to Bernstein's situation and told Bernstein he would need a license to be an arms dealer before he could simply post the text of his encryption program on the Internet. They also told him that they would deny him an export license if he actually applied for one, because his technology was too secure.
The Electronic Frontier Foundation pulled together a top-notch legal team and sued the United States government on behalf of Dan Bernstein. The court ruled, for the first time ever, that written software code is speech protected by the First Amendment. The court further ruled that the export control laws on encryption violated Bernstein's First Amendment rights by prohibiting his constitutionally protected speech. As a result, the government changed its export regulations.» From https://www.eff.org/about/history
I believe (citation needed :-)) there was (is?) a restriction on the maximum length of the private key. This was arrived at based on the computing resources available to the NSA so that they would be able to break a cypher by brute force.
There's a very interesting passage in the book "The Code Book" towards the end as to how the inventor of PGP was harassed by slapping him with charges under the Arms Export Control Act[1].
Zimmermann's law [2] is also very relevant to be mentioned here.
Yeah. I seem to remember the limit being 64-bit at the time, although maybe it was only 56-bit. Netscape used to have different download links for "American" and "International" users and put up a stern warning on the US link saying that international users couldn't grab it.
So, of course, everyone just downloaded the American edition... :)
There was the RSA t-shirt which supposedly could be classified as a munition because the source code on the shirt would provide a high enough level of encryption:
PGP released a really nicely bound version of their source code typeset in an OCR font that they exported because a book would theoretically fall under the First Amendment:
Instructions to produce a nuclear bomb also fall under the First Amendment.
There was a contradiction in the laws. That's hardly novel or unprecedented. The higher courts pretty much spend all day dealing with contradictions in laws.
Cryptography is a defensive weapon. Zero-days on the other hand, are an offensive weapon. There are distinctions between helmets and clubs, you know, and the law should recognize these.
There are also laws against defensive items being owned by civilians as well. I disagree with them, but when I had an officer friend tell me my dragon skin armor I bought and used in Iraq was technically illegal now that I am a "civilian", that was one of the moments when I realized how much damage the national security state has done to the constitution.
I expect incoming comments about the LA bank robbery in 3, 2, 1...
I think danielweber is referring to systems designed to intercept and destroy ballistic missiles, not to ballistic missiles used for defensive purposes.
>The kind of cryptography that lets people communicate securely?
I don't know of any other kinds of cryptography...
>Belongs on the same list as physical objects that intended to pierce walls and flesh?
War has a lot less to do with shooting people and a lot more to do with information than you seem to appreciate.
The public algorithms are public and there is no need or usefulness in export restrictions now on things known worldwide (and the usefulness of such restrictions was gone for a considerable time before they were lifted).
This seems a bit harsh, perhaps. Bletchley Park was still in the minds of many people. It would have been conventional wisdom to keep this stuff away from "bad guys". Recall, GPS was spoofed at this stage as well for civilian purposes. The other issue--although perhaps unsaid--is that ultimately this may have hastened tactics to make HW unsecure, and to collect undisclosed/zero day exploits in widespread SW and other things that could compromise a comms system that was perceived to be secure.
It kind of made sense during the pre-Internet Cold War days when the only people with use for strong cryptography were nations and their militaries. These days it's just silly.
The US makes a lot of money from the government allowing defense contractors to sell the stuff they design for it to its allies as well. The munitions-export provisions exist because, although we aren't too worried about our allies reselling the tents or latrines we send them to our enemies, we really don't like the idea of having the guns we've manufactured pointed back at us.
A secure softphone implementing http://en.wikipedia.org/wiki/NSA_Suite_A_Cryptography is a lot more like a gun than it is like a tent or a latrine, in terms of what an enemy nation that gets their hands on it will do with it.
The "Taliban" were never armed by the US. There were some members who were US allies during the Soviet-Afghan war. Just like there are some members of the Northern Alliance, US ally during the Afghan campaign, that were allies of the Soviet Union.
In the end one war ended and groups broke up. Then the next war came and alliances had changed.
The names may have changed but the people didn't. We funded Gulbuddin Hekmatyar, and provided numerous FIM-92 Stingers which after the war was over turned into the buyback fiasco, where many of these Stingers were never recovered.
Not to mention the third-party plausible deniability effect, through which arms may not have passed directly to "Muj" or Taliban, but were supplied by the US.
So to say the "Taliban" were never armed is completely factually incorrect, both in relevance to the Soviet war and the current one.
If you want to learn more about the US involvement as the number one arms dealer in the world, the revised Shadow Factory book is out and worth the long read.
> So to say the "Taliban" were never armed is completely factually incorrect
By this logic the US has armed every one of its enemies. I said the US never armed the Taliban. You are saying that through enough backchannels and shifting alliances the US did arm the Taliban. Now who is being obtuse?
The US funnelled hundreds of millions of $ through Pakistan to help fund the Mujahideen in Afghanistan. The CIA also provided direct support, in training and weapons, etc.
Here's an Afghan with a Stinger missile (and there are lots of similar photos), not sold on the open market then, could realistically only have been acquired in bulk with US government assistance:
So, would that also cover citizens? As in, if I made my own encryption method and then supplied that to some friends overseas, would that be violating munitions exporting if crypto was still covered?
Essentially, yes. A well educated person with the motivation and no cooperation from existing tech is very much capable of making the state department rather unhappy by exporting their own creation.
Few things are more valuable in war than the secrecy of long distance communications. Though we haven't been at a conflict which posed any credible threat for the better part of a century, holding on to technological advantages when they're fresh is in our best interest and in the best interest of the American Peace we have going.
It's fairly unfortunate that a majority of computer technology is imported from foreign manufacturers for many reasons, but export control isn't really one of them.
Supercomputers, yes ... general components... not particularly.
In a lot of ways 'modern' computer technology isn't all that essential. It certainly isn't present in a whole lot of our military hardware because of realities of acquiring and maintaining such hardware _and_ the lack of an exponential increase of computing needs to match capabilities.
In fewer words, computer technology is valuable, but not extremely so. Restricting the flow of anything remotely related to consumer computer tech wouldn't have much benefit, even if it were possible considering most of it is made in Asia.
Then just focus on basic computer technology. Restricting the export of semiconductors in the early 60s could have created a significant advantage for the US, but it would be absurd to support a decision like that.
Military benefit alone is not enough to justify an export restriction, one has to consider the cost on society as a whole. The cost of restricting the export of cryptography is too large to justify.
The processors and basic hardware have been mostly commodity since the mid 90s, the interconnects and related technology have mostly been specialized hardware though you could always do grid computing with Ethernet and the like.
True. Things like the Crays have their own, specialized interconnects and OS (on work nodes). A lot of things that aren't trying to be in the top can use fiber channel for similar results, though.
This was no quirk. The US government made deliberate efforts to limit the availability of encryption software, even adding it to international export control lists where it previously did not exist:
http://cryptome.org/jya/wass-suks.htm