Software you can buy but can't sell

[David Farber <farber () central cis upenn edu>]

Posted-Date: Sun, 7 Nov 1993 22:14:29 -0500
From: <jxm () engin umich edu>
Date: Sun, 7 Nov 93 22:12:45 -0500
To: farber () central cis upenn edu


Subject: Software you can buy but can't sell


Hi there,


Here's something I spotted on the Clarinet Newswire feed. It's one
of the usual stories about the Internet becoming available to
everyone, and about the export of encryption software.


What bothers me is not so much that detail, but rather the jingoistic
attitude which starts somewhere around the comment that American-made
software is "better" than anybody else's. This attitude continues, and
culminates in the notion that anything Saddam Hussein could buy
elsewhere is not the "rock-solid American computer code that people
are used to"!!


Huh? Are these UPI guys for real??  What people, where? Does
everyone else in the world use subtly inferior algorithms, or
do they just not check their return codes as well as we do?




John Murray, HCILab
University of Michigan


  ---------------


Computer Comment - United Press International (Copyright 1993)


        True story: When Operation Desert Storm was raging, U.S. forces had a
very difficult time knocking out Sadaam Hussein's computerized military
command and control operations.
        It wasn't that Iraq's dictator had hired the world's best technical
wizards to work for him. It was because the technical minds which were
already in Iraq recognized the fact that standard Internet Protocol
routers were designed well. Knock one out and another takes over,
invisibly. The computer network keeps running.
        This was off-the-shelf technology -- technology for the people, the
kind of stuff that made millions for Henry Ford and Thomas Edison. The
kind of stuff that made America great.
        And the fact that technology such as this is available to anyone who
wants it may, indeed, be where the federal government got this paranoia
about exporting technology.
        The problem today isn't with IP routers. It's with software encryption.
        There are a lot of good reasons to encrypt something you're sending
over a computer network. With good encryption, proprietary business
information stays away from prying eyes. Financial dealings remain
secret and personal letters you're posting to a loved one on a net far
away stay personal. They don't wind up posted on someone's bulletin
board with your name circled.
        In mid-October, the House Subcommittee on Economic Policy, Trade and
Environment began a round of hearings on legislation to reauthorize the
Export Administration Act, which sets export control policy for the
United States.
        It's this legislation that stops American software publishers from
legally doing what they do better than anyone else in the world -- write
code that is better than anything that can be obtained abroad. In this
case, the software in question is used for data encryption.
        During those hearings, former National Security Agency employee Steve
Walker of Trusted Information Systems testified that the policy of the
U.S. government in this matter is just futile.
        Encryption technology exists in the United States because code
writers want security for their data. They just can't export their
products to other countries because the government treats this as
cryptographic technology, the old ``secret code'' stuff of spy stories
from long ago.
        Of course, if you wanted to use some of that already extant American
encryption software abroad, all you'd really have to do is walk into
Egghead, buy something like Borland's SuperKey, walk outside, go to the
airport, get on a plane with it, and fly away. And in fact, that's what
a lot of people do.
        Let's say that you worked for Sadaam Hussein, and he wanted a copy of
SuperKey. You could take the diskettes you bought at a discount software
house, dial into the Internet, and post the software to an Iraq-friendly
country in a couple of minutes. You wouldn't even have to get on a plane.
        There is indeed a real military use for cryptographic software. If
Sadaam Hussein wanted to use any of several public key encryption
routines already floating around on the Internet, he could have
virtually assured that the NSA would have to work hard to get the
information he was sending across computer networks. It's not impossible
to get that information -- just expensive. It takes a lot of computer
resources and time to crack a public key encryption code.
        If Sadaam Hussein were reading this column, he should probably know
that he can buy software off the shelf in 21 foreign countries that will
let him encrypt his data.
        The Software Publishers Association has identified 264 products for
sale outside of the United States that do just that. It's not the rock-
solid American computer code that people are used to, and some of the
programs will work better than others, but then, caveat emptor, Sadaam.