Monday, October 20, 2003

Greg Costikyan on IP and the law

Another good read (and discussion) on the dissonance of current law and business practice with both technological capabilities and the sense of justice of the customers. Keep in mind that he is a well-regarded game author in both print and electronic formats, and has been through the copy-protection wars.
3:32:13 PM    


Crypto: Not with a bang, but a whimper

Last week, a portion of the US export regulations equating cryptography with munitions died quietly, as a US judge dismissed a freedom of speech suit against the government, on the DOJ's admission that it was not enforcing and would not enforce regs against publishing cryptographic research and algorithms. I have mixed emotions.

I have been an outspoken opponent of these regs for over ten years, as a private citizen and at times as a spokesman for the companies where I worked. I believed that the attempts to forbid discussion of a technology were more likely to spread it than curb it. The damage to free and commercial speech was also evident. And I had a great deal of difficulty believing the assurances from those blue ribbon panel members with security clearances that "If you only knew what we knew," the wisdom of the policy would be evident. Just a little too convenient.

I was wrong about the degree of threat, as became all too obvious two years ago. And I have been chagrined to find that at least some of my fellow travelers are in fact downright irresponsible when it comes to security, even after the threat is evident. On the other hand, the futility of attempting to control thought and speech re cryptography is retrospectively evident. The advent of such offshore security projects as Thawte in South Africa, and SSLeay/OpenSSL around the globe was in part due to animosity created by the embargo attempts. They were doubly futile given the wide awareness in the security industry that many of the best trained experts originated in Israel and in post-Soviet Russia. (And every darn one of them an (ahem!) civilian communications engineer.)

In hindsight, the mendacious licensing policies of RSA Data, and the inherent deployment and usability problems of PKI, did more to delay the deployment of strong crypto than anything the NSA and US government attempted. To the extent the technology is in use, it is largely in point-to-point applications such as VPN tunnels and SSL sessions to commerce servers. Encrypted e-mail is still a rarity. One might surmise that traffic analysis of networks of non-typical ciphered traffic is nearly as useful as breaking crippled crypto systems would have been.

So it might just be time for the powers-that-be to suck it in and get this body of regs officially off the books. However real the threats, it's always been a counterproductive policy, and an affront to the values of freedom we need to uphold to win the current struggle.
2:33:04 PM