Wind river

Robert J. Hansen rjh at sixdemonbag.org
Tue Oct 21 16:49:51 CEST 2014


> This doesn't make any sense to me.

Makes perfect sense to me, once you understand three things:

(a) at one point all the good crypto came out of either the US, UK,
    or France,
(b) nuclear weapons are scary, and
(c) laws and regulations change so slowly they make glaciers look swift.

A lot of WW2 historians believe the Allies' ability to read Purple and
Enigma traffic at-will resulted in the war being shortened by a few
years and saved millions of lives.  The lesson politicians learned was,
"we must protect our communications and exploit those of other nations."
Prior to the advent of the civilian cryptographic community, it was
perfectly rational to restrict the export of strong cryptography in
order to help keep the nation secure.

The dawn of the nuclear age happened to occur at the same time.  The
importance there is that it's really, really hard to validate a nuclear
weapon design without computers.  It can be done -- the U.S. did it,
twice -- but it's really hard.  With computers, machining and building a
nuclear weapon is mostly pretty easy.  (Enriching U-235 and/or creating
Pu-239 is still really hard, but it's the only really hard step.)  So,
for a long time, it was perfectly rational to restrict the export of
high-powered computers in order to limit nuclear proliferation.

The world has moved on, though, and Congress has shown itself mostly
either unable or unwilling to recognize this.  When the PlayStation 2
was coming to market Sony discovered that it couldn't be exported out of
the U.S. without an arms control export license -- the laws hadn't kept
pace with technology, and by the (outdated) standards in the laws the
PlayStation 2 was a supercomputer.  Oops.  Sony pushed for changes in
the definition of 'supercomputer', and the PS2 suddenly could be
exported worldwide.  (Mostly due to the console gaming market, the
definition of 'supercomputer' keeps on creeping upwards.  Sony and
Microsoft really, really want to be able to export their consoles
worldwide without worrying about ITAR compliance.)

The internet is a fascinating place, but it's also a world completely
unlike the one that existed when Congress drafted its laws.  As libre
hackers who like crypto, we run smack into ITAR and EAR on two fronts.
Our computers keep getting more and more powerful, which runs afoul of
the regulations originally designed to counter nuclear proliferation,
and our crypto keeps getting better and better, which runs afoul of the
regulations originally designed to make sure only the good guys had
strong crypto.

All this being said, the laws aren't *wholly* stupid.  ITAR has a couple
of nice commonsense exceptions.  (See, e.g., ITAR 120.10 (5): ITAR "does
not include information concerning general scientific, mathematical, or
engineering principles commonly taught in schools, colleges, and
universities or information in the public domain.")

Unfortunately, those exceptions aren't enough to save you from really
expensive legal bills.

When I was assisting in the teaching of a graduate-level computer
security course at the University of Iowa back in 2007, we had to get
briefed by the University's lawyers about the foreign students in our
class and what we were and were not allowed to say in front of them
about computer security subjects (!!).  The University's concern wasn't
that we could be successfully prosecuted for violating ITAR -- the First
Amendment and the ITAR's own provisions for education provided safe
harbors.  It was that we could be prosecuted *at all*, and forced to
spend money we didn't have resolving a legal headache.  Better by far,
in the University's view, to be very careful what information we taught
to foreign graduate students and avoid any possible legal headache.

Anyway.

These regulations make sense when you consider the historical context in
which they were created, and consider just how hard it is to get old and
outdated laws changed.  Are they stupid in the present day?  Yeah.  But
they're also still the law, and Wind River was *freaking* *stupid* to
knowingly, willfully violate ITAR/EAR some 50-odd times.

Now, before armchair lawyers leap up to say, "$750,000?  For that money,
I'd take the case to court and see if I could get the court to agree
that ITAR doesn't apply to what I was exporting!"... Wind River has
lawyers, too, and the lawyers signed off on this.  For whatever reason,
Wind River's lawyers thought this was a good plan.  Maybe they were
worried about what other violations the USG might find and they were
able to fold an amnesty into the deal.  Maybe they were concerned about
the hit in the court of public opinion.  Maybe... etc.  We don't know
why Wind River chose to pay the fine instead of challenge it in court.
We just know they decided that paying this fine was in their company's
best interests.

> Either US administration has completely gone nuts and assumes others are
> too stupid to implement strong crypto by themselves or else -and this
> seems more probable to me- they go for a cheap short term advantage and
> stage a theater to make others believe the software that was exported
> would be secure while it is not...

Wait, you mean like the U.K. did after WW2 when it sold Enigma machines
to half the world and told them that it was a strong, unbreakable
system?  Color me shocked.

(Yes, the U.K. was selling Enigma machines as late as the 1970s.  That's
why ULTRA remained so secret for so long: revealing ULTRA would have
told all these Enigma customers that the U.K. was able to read their
traffic at-will.)



