[geekcrypt] Re: Introducing Peter Trei

  • From: Peter Trei <petertrei@xxxxxxxxx>
  • To: geekcrypt@xxxxxxxxxxxxx
  • Date: Thu, 5 Jun 2014 23:02:05 -0400

On Thu, Jun 5, 2014 at 10:31 PM, Bill Cox <waywardgeek@xxxxxxxxx> wrote:

> Hi, Peter, and welcome!
> On Thu, Jun 5, 2014 at 8:41 PM, Peter Trei <petertrei@xxxxxxxxx> wrote:
>> I've just joined the list.
>> I hope to contribute as a developer and architect; I spent 10 years
>> developing cryptographic products at RSA Security, among other things.
>> I'm also responsible for the Symmetric Key Challenges RSA posted from
>> 1996 on, which contributed to the relaxation of export regulations around
>> 2000. Back then, ITAR placed draconian regulations on export of binaries,
>> code, and even knowledge; and 'export' could be something as simple as a
>> chat over beer. Things are much better now.
> That's a truly outstanding background!  Also, thank you for helping defeat
> the Clipper Chip and 32-bit limits on browser keys!  The world economy owes
> a ton to our ability to make semi-secure online transactions, not to
> mention at least some safeguards on privacy.
> I have suggested that PID0 and Frank belong before me on the list of core
> devs, and it sounds like you do too.  If we get enough world-class
> crypto-geeks involved, I will be happy to step down to the level of
> non-core contributor.

It's far from clear how much time I can devote to the project; I'd rather
be down in the weeds and take on tasks as needed.

I'm very happy with the open and transparent principles at ciphershed.org.
>> In this kind of project, accountability creates confidence. But it also
>> creates responsibility.
>> ...which leads me to my first question...
>> Have we cleared what we want to do with a lawyer knowledgeable in the field?
>> There are three main concerns I have, and one minor one.  They may be
>> nothing, but...
> Getting lawyers involved is generally a bad idea in my experience.  Just
> talk to your friends who got separate lawyers for a divorce versus the ones
> who just went to mediation.  The current silence from truecrypt.ch is
> likely due to having talked to lawyers.  What truecrypt.ch should
> *really* be worried about is their trademark violation.

My hope is that we can get some free help from the legal team at EFF. I'd
hate to see any of us wind up in court over an EAR violation.

> In any case, there are two ongoing popular forks: RealCrypt and
> VeraCrypt.  We're just a 3rd fork.  No one gets sued in the US for working
> on non-profit open source crypto anymore, and it sounds like we have to
> thank you for that!
>> 1. Licensing. According to Wikipedia, a company called SecurStar claims
>> IP in at least some of the early source code. Has this been investigated?
> They never sued before.  Why worry now?
>> 2. Export regulations. US EAR regulations require entities exporting
>> cryptography - even free public domain source code - to register with BXA
>> and report exports. This may require setting up a foundation or something,
>> to create a legal nexus.
>> See
>> http://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States#Current_status
> The TrueCrypt fork will be imported, rather than exported.  If someone in the
> US government wants to explain why I am not allowed to contribute to a
> Swiss based crypto FOSS project, I'd love to hear it.  That sounds like a
> freedom worth defending.

I suggest you look at the Bernstein and Junger cases. While they came out
favorably for crypto rights, there are still rules in place.

> I think we can wait for BXA to ask for notification.  Given that all our
> git commits on github will be public, I'm sure it's simpler for them to
> simply notice commits rather than bothering to even talk to us.  I haven't
> heard a word from them about all my Tinycrypt commits on SourceForge.

That's what I'd like us to ask the EFF about. My <I AM NOT A LAWYER>
impression is that US persons can commit source code with wild abandon, but
compiled code would require a BXA notification. </I AM NOT A LAWYER>.

>> I strongly suggest that someone on this project contact a team with
>> similar concerns - for example, OpenSSL or OpenSSH, so we can leverage
>> their experience, or we should talk to the EFF. I don't have strong
>> personal contacts in those organizations, but perhaps someone else here
>> does.
> Good idea.  I've sent a few emails to the TAILS dev list, and support
> list.  They've already been very helpful.  I'd love to have someone from
> one of those groups involved.  In any case, we at a minimum need someone in
> a similar project who can help guide us.
>> A non-anonymous international team developing strong cryptographic
>> products for general use needs to tread carefully, in today's climate.
> In today's climate, it is more critical than ever to stand up for our
> right to privacy.
>> 3. Do we need to post a Warrant Canary? Do we need one for each team
>> member? Should we add them to emails? Example at
>> http://www.rsync.net/resources/notices/canary.txt
> Yes!  It also has to be international and diverse enough for it to be
> difficult for the NSA to silence the whole core dev team at once.
> Normally, I think 3 devs might be the best number, but because of this
> issue, I'm leaning more towards 5.

Actually, it would be nice if everyone contributing had one. I'm
attaching a first try to this letter. My main fear is that at some time I
will forget to add it and make people worry.


At the time of writing the above letter,
I, Peter Trei, am not under any personal legal compulsion
regarding my participation in this project, nor have I been
served any warrants, nor do I know of any search or seizure
of my assets.
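A canary only works if readers notice when it stops being renewed or quietly changes wording, which is the "forget to add it" failure mode mentioned above. The checker below is an added example written for this thread, not code from the geekcrypt or CipherShed projects. It assumes a canary format of a `Date: YYYY-MM-DD` line followed by the affirmation text (the statement in the letter carries no machine-readable date, so that line is an assumption), and the two sample canaries are constructed from the wording above. A missing, reworded, future-dated or expired canary all produce a warning state rather than silent acceptance.

```python
# Warrant-canary checker: added example, not code from the geekcrypt thread.
# Assumes a canary whose first line carries "Date: YYYY-MM-DD" followed by the
# signer's name and a fixed affirmation. Both sample canaries are constructed.
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

# The affirmation every canary must carry verbatim (whitespace-insensitive).
# Wording follows the statement at the end of the letter above.
EXPECTED_STATEMENT = (
    "am not under any personal legal compulsion regarding my participation "
    "in this project, nor have I been served any warrants, nor do I know of "
    "any search or seizure of my assets."
)

# Assumed date line; the canary in the letter itself has no such line.
DATE_LINE = re.compile(r"^Date:\s*(\d{4})-(\d{2})-(\d{2})\s*$", re.MULTILINE)


@dataclass(frozen=True)
class CanaryStatus:
    state: str          # "ok", "stale", "missing" or "altered"
    age_days: int | None
    detail: str


def _squash(text: str) -> str:
    """Collapse runs of whitespace so line wrapping does not cause false alarms."""
    return " ".join(text.split())


def check_canary(text: str | None, today: date, max_age_days: int = 35) -> CanaryStatus:
    """Classify a canary. A canary that is gone, malformed, reworded or dated in
    the future is reported as a warning, the same as one that has expired."""
    if text is None or not text.strip():
        return CanaryStatus("missing", None, "no canary published")

    m = DATE_LINE.search(text)
    if m is None:
        return CanaryStatus("altered", None, "no 'Date: YYYY-MM-DD' line")
    try:
        signed_on = date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    except ValueError:
        return CanaryStatus("altered", None, f"unparseable date {m.group(0)!r}")

    if _squash(EXPECTED_STATEMENT) not in _squash(text):
        return CanaryStatus("altered", None, "affirmation wording changed or removed")

    age = (today - signed_on).days
    if age < 0:
        return CanaryStatus("altered", age, "canary is dated in the future")
    if age > max_age_days:
        return CanaryStatus("stale", age, f"last renewed {age} days ago (limit {max_age_days})")
    return CanaryStatus("ok", age, f"renewed {age} days ago")


# Constructed sample canaries for a stand-alone run.
FRESH_CANARY = """Date: 2014-06-05
At the time of writing the above letter,
I, Peter Trei, am not under any personal legal compulsion
regarding my participation in this project, nor have I been
served any warrants, nor do I know of any search or seizure
of my assets.
"""

# Same text with one clause silently dropped: the checker must not accept it.
REWORDED_CANARY = FRESH_CANARY.replace("nor have I been\nserved any warrants, ", "")


if __name__ == "__main__":
    for label, text, today in [
        ("fresh", FRESH_CANARY, date(2014, 6, 30)),
        ("stale", FRESH_CANARY, date(2014, 9, 1)),
        ("missing", None, date(2014, 6, 30)),
        ("reworded", REWORDED_CANARY, date(2014, 6, 30)),
    ]:
        status = check_canary(text, today)
        print(f"{label:9s} -> {status.state:8s} {status.detail}")
```

The substring test on the squashed affirmation is deliberate: a canary that keeps the date current but drops one clause ("nor have I been served any warrants") is exactly the kind of edit a reader skimming for a fresh date would miss, so it is flagged the same way as a missing canary. The 35-day default suits a monthly renewal cadence; a per-email canary, as proposed above, would use a much shorter limit.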
