[geekcrypt] Re: Introducing Peter Trei

  • From: Bill Cox <waywardgeek@xxxxxxxxx>
  • To: geekcrypt@xxxxxxxxxxxxx
  • Date: Fri, 6 Jun 2014 00:02:23 -0400

On Thu, Jun 5, 2014 at 11:02 PM, Peter Trei <petertrei@xxxxxxxxx> wrote:

> I have suggested that PID0 and Frank belong before me on the list of core
> devs, and it sounds like you do too.  If we get enough world-class
> crypto-geeks involved, I will be happy to step down to the level of
> non-core contributor.
> It's far from clear how much time I can devote to the project, I'd rather
> be down in the weeds, and take on tasks as needed.

We'll take what time you can offer!

>  My hope is that we can get some free help from the legal team at EFF.
>>> I'd hate to see any of us wind up in court over an EAR violation.
Here's an example of someone doing jail time over an EAR violation:


Basically, he sold $3M of radar-grade export-controlled amplifiers to China
and other export restricted countries.  He deserved the jail time, IMO.  Do
you know of any FOSS crypto devs who've had to serve jail time for EAR
violations, who didn't ever sell anything to anyone?  I'm not aware of any.

> In any case, there are two ongoing popular forks: RealCrypt and
>> VeraCrypt.  We're just a 3rd fork.  No one gets sued in the US for working
>> on non-profit open source crypto anymore, and it sounds like we have to
>> thank you for that!
>>> 1. Licensing. According to Wikipedia, a company called SecurStar claims
>>> IP in at least some of the early source code. Has this been investigated?
>> They never sued before.  Why worry now?
>> 2. Export regulations. US EAR regulations require entities exporting
>>> cryptography - even free public domain source code - to register with BXA
>>> and report exports. This may require setting up a foundation or something,
>>> to create a legal nexus.
>> See
>>> http://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States#Current_status
>> TrueCrypt fork will be imported, rather than exported.  If someone in the
>> US government wants to explain why I am not allowed to contribute to a
>> Swiss based crypto FOSS project, I'd love to hear it.  That sounds like a
>> freedom worth defending.
> I suggest you look at the Bernstein and Junger cases. While they came out
> favorably for crypto rights,  there are still rules in place.

These guys are two of my heroes.  The way Bernstein learned the law well
enough to represent himself in court was awesome.  These are unsung heroes
who fought for our rights and thankfully won!  The crypto export laws are
much more relaxed nowadays as a consequence.

> I think we can wait for BXA to ask for notification.  Given that all our
>> git commits on github will be public, I'm sure it's simpler for them to
>> simply notice commits rather than bothering to even talk to us.  I haven't
>> heard a word from them about all my Tinycrypt commits on SourceForge.
> That's what I'd like us to ask the EFF about. My <I AM NOT A LAWYER>
> impression is that US persons can commit source code with wild abandon, but
> compiled code would require a BXA notification. </I AM NOT A LAWYER>.

I like the idea below of talking to some other project leaders who can tell
us what they do.

>>  Actually, it would be nice if everyone contributing had one. I'm
> attaching a first try to this letter. My main fear is that at some time I
> will forget to add it, make people worry.
> Peter

I would be interested in understanding more about the threat model here.
If the devs all live in the same town and work at the same office in the
US, they could all be NSL-ed at the same time, and without a warrant
canary, there may be no way to know that they have been forced to back-door
their code for the government.

With team members all over the world, all checking each others code for
possible back doors, how could the US do serious harm to the project with
national security letters?  This brings up a fun topic I wanted to post
anyway... in the next email.
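The warrant canary discussed above only works if readers check it the right way. This is an added example, not code from the geekcrypt thread or Peter Trei's attached canary text: a contributor signs a fixed statement with the issue date bound into the signed bytes, and a reader verifies it against a key pinned out of band, the agreed wording, and a freshness window. The statement wording, the 30-day window and the key handling are assumptions for the example. The point it shows is that the signal is absence or staleness: an NSL can stop a developer from saying anything, but it cannot make an old signature fresh, and binding the date prevents whoever runs the web server from re-dating an old, still-valid signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Statement is the fixed text every contributor re-signs on a schedule.
// The wording is a constructed placeholder for this example, not the
// text Peter attached to the thread.
const Statement = "As of the date below I have received no national security letter, " +
	"gag order or other compelled request concerning this project."

// Canary is one contributor's dated, signed copy of the statement.
type Canary struct {
	Statement string
	Issued    time.Time
	Sig       []byte
}

// canaryMessage returns the exact bytes that get signed. The issue date
// is bound into the signed bytes so an old but valid signature cannot be
// re-published under a newer date by whoever controls the web server.
func canaryMessage(statement string, issued time.Time) []byte {
	return []byte(statement + "\nIssued: " + issued.UTC().Format(time.RFC3339))
}

// Issue signs the statement with the contributor's private key.
func Issue(priv ed25519.PrivateKey, statement string, issued time.Time) Canary {
	return Canary{
		Statement: statement,
		Issued:    issued,
		Sig:       ed25519.Sign(priv, canaryMessage(statement, issued)),
	}
}

// Verify checks a published canary against a public key the reader
// pinned out of band (not one shipped next to the canary), the agreed
// statement text, and a freshness window. A canary that is missing,
// altered, signed by the wrong key, or older than maxAge is the warning.
func Verify(c Canary, trusted ed25519.PublicKey, statement string, now time.Time, maxAge time.Duration) error {
	if c.Statement != statement {
		return errors.New("canary text differs from the agreed statement")
	}
	if !ed25519.Verify(trusted, canaryMessage(c.Statement, c.Issued), c.Sig) {
		return errors.New("signature does not verify under the pinned key")
	}
	if c.Issued.After(now.Add(5 * time.Minute)) {
		return errors.New("canary is dated in the future")
	}
	if age := now.Sub(c.Issued); age > maxAge {
		return fmt.Errorf("canary is stale: issued %s ago, limit %s", age.Round(time.Hour), maxAge)
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const window = 30 * 24 * time.Hour // assumed renewal period
	issued := time.Now()
	c := Issue(priv, Statement, issued)

	fmt.Println("fresh canary:", Verify(c, pub, Statement, issued.Add(24*time.Hour), window))
	// The contributor forgot to renew, or was silenced: same valid
	// signature, but the reader must now treat it as a warning.
	fmt.Println("stale canary:", Verify(c, pub, Statement, issued.Add(45*24*time.Hour), window))
	// Someone re-dates the old statement without holding the private key.
	replayed := c
	replayed.Issued = issued.Add(40 * 24 * time.Hour)
	fmt.Println("re-dated canary:", Verify(replayed, pub, Statement, issued.Add(41*24*time.Hour), window))
}
```

The freshness window is what turns Peter's worry about forgetting to attach the canary into a visible event: a forgotten renewal and a compelled silence look the same to the reader, which is exactly why the project has to agree on a renewal schedule that contributors can actually keep.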
