------------------------------------------------------------------------


ANNOUNCEMENT: perl-RSA "Munitions T-shirt" ready

From: aba@dcs.exeter.ac.uk (Adam Back)
Date: Sat, 1 Jul 1995 17:56:33 GMT
Organization: Department of Computer Science, University of Exeter, U.K.
Newsgroups: alt.security.pgp, talk.politics.crypto, comp.org.eff.talk,
sci.crypt, comp.lang.perl, alt.2600, sci.crypt, alt.politics.org.nsa
    ------------------------------------------------------------------------


-----BEGIN PGP SIGNED MESSAGE-----

Finally I have sorted out ordering info for the UK printing of the
munitions T-shirt, and also have found a brave volunteer to print them
in the US.  Orders are now being taken for both US and UK shirt
offers.

If you can think of any more relavent forums to post this to, feel
free to distribute, last announcement someone posted to some
compuserve forums, maybe someother places.  Let me know if you do
this, so I have an idea of where it's been so nobody sees it twice.
(I have also posted to the cypherpunks mailing list, so don't post
there, other than that look at the Newsgroups line for groups I have
covered).

If you're new to the Munitions T-shirt story, read this bit ...
otherwise skip to the end for order info.

The aim of this shirt is to demonstrate the ridiculous nature of ITAR
(crypto regulations) and to show defiance to the NSA and the US state
department for their rabid defense of ITAR which they falsely tout as
being in the "National security interests".  Also the aim is to
develop revenue for the Phil Zimmermann Legal Defense Fund.  If you
don't know who Phil Zimmermann is you should, he put his livelihood,
(and possibly his freedom if they indict) on the line for you and your
future.  If you don't know what ITAR is, you should find out, it is
adversely affecting the US software industry, and the whole worlds use
of secure crypto on the internet.  It is a fight between the rights of
the individual and the ever growing power of 'Big Brother'.  The loss
of privacy, and erosion of freedom of speech for individuals, so read
on...

- --------------------------------------------------------------------------
Munitions-T EXPLANATION

So the question you might be asking yourself is what could you
*possibly* print on a T-shirt which would get the T-shirt classified
as an export controlled munition?

A good question indeed.  Well it's all tied up with a set of US
regulations called ITAR, and the prosecution of a selfless US software
developer name of Phil Zimmermann who is being persecuted by the US
state department.

There is a set of US regulations called ITAR which make it illegal to
export heavy artillery, military aircraft, tanks, chemical and
biological weapons, and (spot the odd one out) crypto software.

Crypto software (of sufficient strength, the RSA implementation below
being capable of using 1024 bit or larger PGP generated RSA keys
qualifies amply) is listed on the defense export control list.  But
all of the openly published algorithms are available and used outside
the US.  So, for PGP for instance it's pretty silly to restrict
export, as PGP uses RSA and IDEA.  IDEA was developed in Switzerland,
and the RSA algorithm was published in the international CACM journal
back in 1978 (and yes there's a copy here in the library at Exeter
Univ, as well as just about any other academic library in the world).
The RSA algorithm was developed by researchers at MIT one of whom (the
'S' in RSA, Adi Shamir) is an Israeli national, then a researcher at
MIT, the other two (Ron Rivest, and Len Adelman) are american.  These
days RSA programs are sold on the streets of Moscow for a few roubles
on floppy disks.  And yet the NSA and state department are admant that
it is in the "National Security interest" to control export of such
software.  In reality it is costing the US software industry many
millions in lost trade to European, and other software producers who
are able to ship secure software without restriction.

That mouthful is the motivation behind this small piece of perl code
(optimised for size rather than readability :-):


#!/usr/local/bin/perl -s-- -export-a-crypto-system-sig -RSA-in-3-lines-PERL
($k,$n)=@ARGV;$m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2%
Sa2/d0<X+d*La1=z\U$n%0]SX$k"[$m*]\EszlXx++p|dc`,s/^.|\W//g,print pack('H*'
,$_)while read(STDIN,$m,($w=2*$d-1+length($n||die"$0 [-d] k n\n")&~1)/2)


(WARNING for US people: think carefully before quoting the above 3
lines of code, ITAR may be silly, but the penalties are pretty high
($1,000,000 fines and 10 year prison terms per count of export), you
can't say you haven't been warned).

That piece of code implements RSA encrypt and decrypt, and is able to
use 1024 bit (and larger) PGP generated RSA keys.  (RSA being one of
the key components of PGP).

try it out if you're on a unix system, have a look at:

        http://dcs.ex.ac.uk/~aba/rsa/

for details of usage etc.

Phil Zimmermann is being investigated for possible ITAR violation for
writing PGP and allowing it to be exported (he didn't export it btw,
neither did the friend he gave a copy to, but some unknown third party
without their permission did, so his persecution is just as a scape
goat, they're trying to make an example of him to scare others off).
Places like MIT, and RSADSI and hundreds of .edu sites have PGP
available for ftp with various (not always very secure) export
restriction mechanisms, so it is hard to see how Phil is somehow more
guilty of ITAR violation than them.  Perhaps it is more to do with it
being easier to pick on an individual software developer rather than
well funded big business or prestigious educational establishments.


- --------------------------------------------------------------------------
ITAR

A little bit of ITAR should help explain the fun that can be had by
printing the program on a T-shirt.  Here, verbatim is section 120.17(4)
of the ITAR regulations:

(4)  Disclosing (including oral or visual disclosure) or transferring
     technical data to a foreign person, whether in the United States
     or abroad

So when you consider that the T-shirt is the technical data, and the
proud wearer is doing the disclosing you can see where the fun starts.

Note the

 "visual disclosure .. to a .. foreign person .. in the United States"

So you mustn't even let a foreign national *see* it whilst you walk down
the street!  Are we having fun yet :-)


- --------------------------------------------------------------------------
ORDER INFO

Either cost only (UK), or 25% proceeds to Phil Z (US)...

We now have 2 suppliers, one in the US (for US & Canadians only), and
one in the UK (that's me) for the 'free world', you know places like
Europe (with the strange exception of France), Australia, New Zealand,
Singapore, Japan, etc, etc.

US)

 US orders (25% of proceeds to the Phil Zimmermann legal defense fund):

        http://colossus.net/wepinsto/

 (It's all set up for WWW forms, you can use VISA, M/C, or NetCash buy
 on-line, optionally using PGP to encrypt CC number)

 kindly undertaken by Don Henson, WEPIN, if anything goes wrong, like
 he gets unwanted attention from the NSA, or the US state department, he
 reserves the right to redirect the 25% to a "Don Henson Legal Defense
 Fund" :-|  Hopefully it won't get to that, as he will only accept US
 and Canadian orders so that no ITAR violations happen.

 (If you don't have WWW forms access, send email to dhenson@itsnet.com
  with subject: SHIRT)


If you're not a US or Canadian citizen or permanent resident living in
the US or Canada, use the UK shirt offer below.

(If you're a foreign national living in the US or Canada, you must
obtain the shirt from the UK, as it would be illegal for Don to sell
you one.  There are no corresponding restrictions on import)

UK)

 Free world: printed in the UK for shipping to anywhere

        http://dcs.ex.ac.uk/~aba/rsa/uk-shirt.html

 Cost only (estimated cost, if there is any change, it goes to the
 PZLDF also) If you're in the US Don's offer is going to work out cheaper.

 (If you don't have WWW access, send me mail at aba@dcs.ex.ac.uk
  with subject: SHIRT)

And remeber, say NO to key escrow :-)

Adam
- --
HAVE *YOU* EXPORTED A CRYPTO SYSTEM TODAY? --> http://dcs.ex.ac.uk/~aba/rsa/
- --rsa--------------------------------8<-------------------------------------
#!/usr/local/bin/perl -s-- -export-a-crypto-system-sig -RSA-in-3-lines-PERL
($k,$n)=@ARGV;$m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2%
Sa2/d0<X+d*La1=z\U$n%0]SX$k"[$m*]\EszlXx++p|dc`,s/^.|\W//g,print pack('H*'
,$_)while read(STDIN,$m,($w=2*$d-1+length($n||die"$0 [-d] k n\n")&~1)/2)
- -------------------------------------8<-------------------------------------
TRY: echo squeamish ossifrage | rsa -e 3 7537d365 | rsa -d 4e243e33 7537d365

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAwUBL/WLaSnIuJ1VakpnAQHXjwP/WIQAXuBuWEdqmKvsz7rVbARE/658BxfN
tD4mvK+aZLqUaqdYs6QAC8eFB0lyA0Q5emO81my3O/MZqBgFGZ5VudpI7S910xm8
zrVXtgr8F2XDvOGcGZEDHz2zGpK6jU+4FQNKIA3/55YcaGQIi2T1xLpt8KsaYtmd
eNXOJHlcOus=
=QSry
-----END PGP SIGNATURE-----

    ------------------------------------------------------------------------