From:	SMTP%"everhart@star.zko.dec.com"  2-OCT-1996 18:39:49.03
To:	EVERHART
CC:	
Subj:	RSA "munitions" t-shirt - alt.security #39591

Date: Wed, 2 Oct 1996 11:16:39 -0400
Message-Id: <96100211163889@star.zko.dec.com>
From: everhart@star.zko.dec.com (Glenn C. Everhart 603 881 1497)
To: everhart@gce.com
Subject: RSA "munitions" t-shirt - alt.security #39591
X-VMS-To: smtp%"everhart@gce.com"

In article <ABA.96Oct1233100@exe.dcs.exeter.ac.uk>, aba@dcs.exeter.ac.uk (Adam Back) writes:

Subject: RSA "munitions" t-shirts

Sometime ago I wrote a minimal implementation of RSA, to be used as a
.sig program.  The motivation was to provide a suitably small piece of
code which could be used to violate ITAR.  ITAR is the US regulation
used by the NSA, and people like FBI director Freeh, who wish to have
government back doors into all encryption (such as the rejected US
govt. "Clipper" initiatives).  Many people have been using this
program as a .sig, as a form of civil disobedience.

Soon after I posted the .sig to the cypherpunks mailing list, Josh
Osborne suggested making a T-shirt of the .sig.  Technically it may be
illegal for a US citizen to export this shirt from the US.  It may
even be an ITAR violation for a US citizen to let a foreign national
see him _wear_ an RSA t-shirt.  Sound far fetched?  Here's a verbatim
quote from the US ITAR regulations, read for yourself:

: ITAR section 120.17 (4)
: 
: Disclosing (including oral or visual disclosure) or transferring
: technical data to a foreign person, whether in the United States or
: abroad

The technical data referred to includes cryptographic software, and
even discussion of cryptographic techniques.

Here is the latest version of my perl implementation of the RSA public
key cryptosystem (consider carefully the impliciations before quoting,
or using as a .sig if you're in the US :-):

  #!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
  $/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1
  lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)

(I am indebted to many perl hackers who contributed ways to shorten
the code, see: http://www.dcs.ex.ac.uk/~aba/rsa/story.html)

The shirt also has a barcode of the same code on it.  (The reasoning
behind this was due to Phil Karn's experience trying to get permission
to export the floppy disk set for Bruce Schneier's book `Applied
Cryptography'.  The NSA (in their infinite wisdom) decided to allow
the export of the book, but not of the floppy disks.  (The floppy
disks contained precisely the same source code as that in the book,
and could be reproduced by anyone with the patience to type in the
example code.)  The reasoning (he has a priceless letter from the ODTC
saying this) was that the floppy disks were in `machine readable
form'.  To forstall this argument, the shirt is machine-readable.
(OCR-A font for the program, and a CODE128 bar-code.  A shirt owner
informs me that the bar code scans.))

Raph Levien filed a Commodity Jurisdiction request (CJR) for an RSA
T-shirt (He actually posted the required paper work, and a sample
T-shirt to the US ODTC (Office of Defense Trade Controls)).  A CJR is
the paper work that you have to go through in the US to ask permission
to export crypto software.  If your crypto can't be broken relatively
easily, they turn down your application.  The CJR was filed some time
ago now, and the ODTC has not answered to date.  (We were kind of
hoping they'd ban it, but as you might imagine they are probably
loathe to draw such publicity to themselves :-)

(See, for T-shirt info:

	http://www.dcs.ex.ac.uk/~aba/uk-shirt.html
	http://www.obscura.com/~shirt/

and for info on the .sig:

	http://www.dcs.ex.ac.uk/~aba/rsa/
)

Adam
--
#!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
$/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1
lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)