The debian-private mailing list leak, part 1. Volunteers have complained about Blackmail. Lynchings. Character assassination. Defamation. Cyberbullying. Volunteers who gave many years of their lives are picked out at random for cruel social experiments. The former DPL's girlfriend Molly de Blanc is given volunteers to experiment on for her crazy talks. These volunteers never consented to be used like lab rats. We don't either. debian-private can no longer be a safe space for the cabal. Let these monsters have nowhere to hide. Volunteers are not disposable. We stand with the victims.
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: crypto export question

Hi,

[  This is a rant about ITAR, mostly concerning things like pgp, but what
   about when IP-Sec and the like end up in the Linux Kernel ?      ]

>  http://www.epic.org/crypto/export_controls/interim_regs_12_96.html

I just scanned this for comparisons between export and re-export, and it seems
to lump these two activities together.  The only bit that I had trouble with
was the meaning of ``de minimis'', as in:

   (b) There is no de minimis level for the reexport of foreign-origin
       items that incorporate the following ...

I presume that it means that it does not matter how little the item was
modified while in the US.

If re-export is OK, then we could just make ftp.debian.org a mirror of
ftp.debian.org.uk or whatever, but I think the rules prohibit this.

If re-export is not OK, then these rules can be shown to be totally moronic
with the following example:

  I live in the UK.

  Let's say I set up an ftp server here with a copy of PGP, or some
  equally subversive ITAR restricted software on it.

  Then I use a Compuserve dial-up account to access my FTP site (assuming
  Compuserve's Internet connection is going to be in the US), and download
  a copy of PGP (from the computer that is on the other side of the room),
  via the US.

  As far as the US laws are concerned I think I just imported, and re-exported
  a copy of PGP.  I wonder who is guilty in their eyes --- Compuserve I expect,
  since I'm not in their jurisdiction.

Alternatively, 

  how about if I manage to convince my routers that the shortest route to a
  non-us site is via one of the routers at whitehouse.gov or similar, does
  that mean that when I download some ITAR restricted software that someone
  in the US government is guilty ?

And this is without considering higher level stuff like squid or nntpcache
servers running in the US, or posting restricted material to unmoderated
newsgroups.

In conclusion, if re-export is OK then I think we should make the master site
be somewhere in the ``free world'', and the US site simply a mirror (even if
in reality the US site is still the default site for people to connect to).

If re-export is not OK (which I strongly suspect is the case), then perhaps
our comments should include pointing out the silliness of this, although I
suspect we'll need to be rather diplomatic about it ;-)

Cheers, Phil.



--
Please respect the confidentiality of material on the debian-private list.
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-private-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com