Matt Blaze: My life as an international arms courier (1995) (crypto.com)
89 points by rdl on April 29, 2014 | 22 comments


Hardware crypto devices are still "special", as well as non-COTS systems for foreign governments/militaries.

Seagate's security dude claimed at RWC this year that NSA had threatened to ITARify their self encrypting devices if they allowed them to be used as engines for encrypting arbitrary data (to me and Perry Metzger, separately). IMO, this is likely bullshit.


What does ITARify mean?


"cause them to be regulated under ITAR and be non-exportable without a license". Even more complicated because they are US designs manufactured overseas, and I'm sure the design team includes a lot of non-citizens, so there are ITAR violations during design and production as well as (re) export.


Possibly the International Traffic in Arms Regulations? I only know this because at one time strong crypto was a munition in the US and these regulations specify what gets classified as such.


Interestingly, in Canada, encryption is still considered dual-use technology and sometimes subject to export control (with the main exceptions of: software "generally available to the public"; and all exports to the US). See Category 5, Part 2 of the Guide to Canada's Export Controls:

http://www.international.gc.ca/controls-controles/about-a_pr...

It's really interesting to read what else is on the list.


This is a scan of his temporary export license: http://www.crypto.com/private/exportlic-scan.pdf


So we create a law to mitigate a possible threat, implement a complex bureaucratic process, fail to inform or train the people responsible for implementing it, waste the resources of everyone involved, create the opportunity for abuse, and presumably completely fail to achieve the original goal.

These kinds of scenarios are aplenty and can turn people from all ideologies into libertarians for at least a few seconds... but I'm left wondering what good options are for actually assessing policies and laws before and after they are implemented.

After living under a few different legal systems in different countries, I find the US pretty lacking in the "so did that work?" component. Laws which are contentious, directly expensive, cause loud groups harm, or show up in the press are given attention, but this is a small slice of the whole legal/policy universe.

A law or policy which nobody knows about or enforces is 'operationally' cost/effective, but a system which implements these policies continuously is going to run into unintended consequences eventually (abuse, or sheer costs of a large legal apparatus).

Shouldn't there be good built-in mechanisms to actively give feedback to government about policy effectiveness? What would that look like?


This appears to be the device in question:

http://www.cryptomuseum.com/crypto/att/tsd3600/

The variant the author carried is described as "developed for export purposes. It used a 'weak' cipher algorithm with a 40-bit key."

Should you feel the need, you can buy the E variant - "the first model with the ill-fated Clipper Chip inside" - for the low, low price of $60 here:

http://www.dutchguard.com/ATT-TSD-3600-telephone-security-de...


We need a modern-day equivalent that works over existing phone technology. I should be able to call anyone on their cellphone and have a secure call. With data it's straightforward (ZRTP or VPN), but not for voice channels. I wonder if it's possible to get enough data throughput over GSM compressed audio for encrypted voice to work.


I really don't see the point, given how ubiquitous data is, at least at EDGE speeds, and how expensive international long distance remains. I'd rather have something which degraded to half duplex voice messages (and IM) relaxing hard realtime on the slowest data links. I also want wideband audio whenever possible (which is frequent).

There were open source systems which used CSD/HSCSD on Windows CE ("cryptophone", in early incarnations), and systems which used analog phone lines and then modems and slip/ppp (I think a plugin for Speak Freely), but neither analog lines nor HSCSD are particularly common these days.

Even the military stuff moved to ISDN, largely.


Speak Freely was pretty good, and had plugins for all sorts of compression and encryption systems. It could quite happily compress and encrypt intelligible voice sufficiently to be carried over a 1995-era modem.

But then Skype swept it away. Shame, really.


ZRTP can be used for voice. Zimmermann's new startup does exactly that.


ZRTP is for VoIP, Silent Circle offers a VoIP service. It doesn't help me if I don't have IP transit. I talked to Phil for several minutes about this but he wasn't convinced you could get enough bandwidth.

As rdl said, data is becoming prevalent everywhere so maybe it's not worthwhile.


I wonder what would happen if someone tried that now. I suspect officials may not be so flexible.


Almost totally off topic, why in God's name would you substitute double-backticks and double-single-quotes for actual quotes?


It's LaTeX syntax.

Also: Because there is no symbol for quotation marks on the keyboard? Technically, " is a unit symbol for inch and not a quotation mark, which would be weird because there is only one of these on the keyboard but left and right quotation are different symbols.


> " is a unit symbol for inch and not a quotation mark
Can you think of any reliable source that supports this claim? The printable characters in the original standard are defined in a table of glyphs with no other meaning attached to them. In unicode, the corresponding character, U+0022, is defined as "QUOTATION MARK". You're not helping anyone by making things up.


I remembered reading an article that made the case that computer keyboards evolved from scientific calculators which had the arcmin and arcsec symbols but no use for quotation marks.

After thinking about this for a bit and reading Wikipedia (http://en.wikipedia.org/wiki/Quotation_mark#Non-language_rel...) I am starting to think that this is wrong. Keyboards obviously mirror the typewriter and not the calculator. Thanks for making me think about this!


Left and right quotes are only different symbols in print, as I'm sure you're aware. There are also no keys for stylistic ligatures on the keyboard, but people still manage to type "fi".


In 1995, this was a fairly common technique to produce smart quotes :-)

http://en.wikipedia.org/wiki/Quotation_mark_glyphs#Typewrite...
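The technique the comment refers to (typing ``...'' and `...' and letting the typesetter turn them into curly quotes) is easy to reproduce outside TeX. The following is an added example, not code from the thread or from any project mentioned in it; it implements the same left-to-right, longest-match replacement TeX's ligature rules apply, and adds a small lookup that reports the Unicode names behind the characters discussed above. Inputs are constructed for illustration.

```python
import unicodedata

# Unicode curly quotes (assumed targets; these code points are standard).
LEFT_DOUBLE, RIGHT_DOUBLE = "\u201c", "\u201d"   # LEFT/RIGHT DOUBLE QUOTATION MARK
LEFT_SINGLE, RIGHT_SINGLE = "\u2018", "\u2019"   # LEFT/RIGHT SINGLE QUOTATION MARK


def smarten_quotes(text: str) -> str:
    """Convert typewriter/LaTeX-style quotes into Unicode curly quotes.

    Scans left to right and, like TeX's ligature table, prefers the two-character
    sequences `` and '' over the single characters ` and '.  A lone ' becomes
    U+2019, which is also the typographer's apostrophe, so "don't" is handled
    correctly.  ASCII " (U+0022) is left untouched: without context there is no
    way to know whether it opens or closes a quotation.
    """
    out = []
    i = 0
    n = len(text)
    while i < n:
        pair = text[i:i + 2]
        if pair == "``":
            out.append(LEFT_DOUBLE)
            i += 2
        elif pair == "''":
            out.append(RIGHT_DOUBLE)
            i += 2
        elif text[i] == "`":
            out.append(LEFT_SINGLE)
            i += 1
        elif text[i] == "'":
            out.append(RIGHT_SINGLE)   # closing single quote or apostrophe
            i += 1
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def quote_char_names(text: str) -> list:
    """Return (character, Unicode name) for every character in `text`.

    Useful for checking what a quote-like glyph actually is; e.g. the ASCII
    double quote U+0022 is named QUOTATION MARK in the Unicode database.
    """
    return [(ch, unicodedata.name(ch, "<unnamed>")) for ch in text]


if __name__ == "__main__":
    # Constructed sample, not a real document.
    sample = "``Hello,'' she said. `Fine,' he replied, ``it's done.''"
    print(smarten_quotes(sample))
    for ch, name in quote_char_names('"\u201c\u2019'):
        print(f"U+{ord(ch):04X} {name}")
```

Note the classic TeX pitfall this reproduces: a sequence like `hi''' is split as '' followed by ', which is why LaTeX authors insert a thin space between a closing single and double quote.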


LaTeX habits.


It's amazing how technology made this second world war regulation obsolete as early as 1995.

