1996-01-30 - Re: Vladimir: put up or shut up

Header Data

From: “Vladimir Z. Nuri” <vznuri@netcom.com>
To: Raph Levien <raph@c2.org>
Message Hash: 1693691ca5c9bcb7d9382f5e4490d1ef5b9919cc1a0bbc16a98533450ec5d4ae
Message ID: <199601301947.LAA04349@netcom18.netcom.com>
Reply To: <Pine.SUN.3.91.960129162111.27262B-100000@infinity.c2.org>
UTC Datetime: 1996-01-30 23:53:32 UTC
Raw Date: Wed, 31 Jan 1996 07:53:32 +0800

Raw message

From: "Vladimir Z. Nuri" <vznuri@netcom.com>
Date: Wed, 31 Jan 1996 07:53:32 +0800
To: Raph Levien <raph@c2.org>
Subject: Re: Vladimir: put up or shut up
In-Reply-To: <Pine.SUN.3.91.960129162111.27262B-100000@infinity.c2.org>
Message-ID: <199601301947.LAA04349@netcom18.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain



>Most of the recent cypherpunks traffic from Vladimir has been a 
>reiteration of the position that discussing ITAR is bad because it 
>discourages cypherpunks from releasing good crypto software.

excuse me, but you seem to be implying I am somehow responsible for
"cypherpunk traffic" S/N. I have posted only a few messages recently.
also, this is a mischaracterization of my position. (gad, why do I always
have to reiterate something so trivial). my point is that if ITAR
is discussed, at least, I would like to see caveats and encouragement
in the same message by everyone here to challenge it.

>Well, here's one cypherpunks who recently released some software, and
>futhermore did so making significant (some might say extreme) concessions
>to the ITAR rules. I made the software available only on an 
>export-restricted Web server, and asked explicitly several times for it 
>not to be exported.

congratulate yourself for doing NSA's job so well, and following the letter
of the law so meticulously!!

> If my timezone math works out right, it took about 
>half an hour for it to be available on utopia. The ITAR did _nothing_ to 
>stop, or even slow down, the reease of my software.

"export restricted Web server"? "ask several times for it not to be
exported"? are you, or are you not, following the ITAR? or perhaps you
want to have your cake and eat it too?

>Why is it, then, that we still don't have usable strong crypto tools?  I'd
>say the reason is complex, much more so than could be explained by a
>simple conspiracy theory or even too much discussion of ITAR. 

for example, consider the idea that MS refuses to sign outside crypto
packages because merely *signing* them would somehow violate the ITAR.
I consider this a very good example. where is this law? even if it were
a law, what kind of bonehead would give it legitimacy by following it?
if you want to hang yourself, fine, go ahead, but please do not publicly
question where the rope is coming from.

>The main
>reason is that it is very damned hard to write good crypto-enabled
>applications.  Trust me, I know. I have done the best I could with the
>software I released, but I'm still quite frustrated with its limitations,
>especially with respect to nontechnical users. 

it is hard for *one*individual* to write a good crypto application. again,
cypherpunk bias/mindset/prejudice. it is far easier for a large company
to do so. maybe cpunks should reconsider their antagonism to "any organized
group of people larger than 2". Netscape had no problem peppering the world
with crypto, and they are advancing nicely. I am suggesting the logical
next step: a company openly ignore the ITAR crypto sections.

>Ultimately, to create really good crypto-enabled applications, it's going 
>to take money. And there's where ITAR is most effective. If the powers 
>that be disapprove of your software, then there goes your foreign market. 

"powers that be". a faceless bogeyman I don't believe in. sorry to challenge
your religion of fear and powerlessness. there are major big companies,
*lists* of them, that want to export crypto. why not try to persuade
MS to sign foreign packages, to import them, or whatever? answer: because
cypherpunks like to pretend they are powerless.

>There go your government sales. There go those "strategic alliances" with 
>the other companies in the market, because the pressure can be applied 
>transitively too. ITAR is actually only a small part of the process.

that's right. FEAR is the basic part of the process. as long as you help
support that framework of fear, NOTHING WILL CHANGE. when someone openly
defies the ITAR and nothing happens, or an actual court case emerges,
the spread of crypto will be immensely facilitated.

>Still, free software has a lot of vitality left in it. It's still strong 
>at blazing new trails in software design. Where it's weak (and this is 
>what really counts now), is being usable, easy to learn, and easy to 
>install. I think if we explicitly work towards these goals, there's hope 
>for great free crypto-enabled applications. Hell, PGP came pretty close, 
>and it's saddled with all kinds of lousy design decisions.

look, I really respect your own software capabilities. but my main thesis,
which you appear to agree with, is that "guerilla crypto programmers" can
only get so far. there are some logical next steps. but because of 
"one individualitis" bias on this list, they are always roundly dismissed.

>But back to Vladimir: instead of whining at us about how our fear of the
>law is hurting the acievement of our goals, why don't _you_ write that
>killer crypto-app and distribute it to the world? Who's stopping you? 

no one is stopping me from *distributing* any software, nor from writing
it. I don't think the problem is a shortage of inspired programmers as you
nicely demonstrate. the problem is the aura of fear associated with those
programmers unleashing their full creativity on the problem, esp. those
inside companies. and my point
is that laws do not create fear. the programmers are responsible for their
own fears. we can help eradicate that fear by egging them on. does anyone
really believe anything bad will happen to individual programmers? don't
you see that if anything did, how much it would win for *our* cause?
"sometimes you win by losing, and lose by winning".

your bias again shows: "what is preventing us from succeeding is finding
a lone programmer who writes that killer app that spreads around the world".
that's blatantly specious in my opinion. the killer apps such as the MS
crypto toolkit, various apple products, and Netscape, Eudora, etc. 
exist *now*. the trick is to encourage the 
companies to put strong crypto in them, and to say to Hell with the ITAR,
and accept a court challenge as an important part of the battle. you 
will not get that result by endlessly reiterating why even THINKING about
doing so is prevented by the ITAR. you will sabotage that result.

imho, the period of the lone programmer writing a killer app is over with.
I believe that PGP is going to start a slow slide into obscurity at this
point unless Zimmermann links it to some major vehicle like a web browser
or wysiwig mail program. 

of course I know what I write is blasphemous. of course it sounds contrary
to the basic philosophies on this list. but how far have these philosophies
gotten the cpunk "movement"?? look around you, and ask yourself if your
tactics are succeeding.

p.s. thanks for taking me seriously.







Thread