SourceForge, Encryption, and U.S. Export Control Restrictions

I was registering the Adapto project on SourceForge today, and when I got to the Export Control question, I ended up spending more than a few minutes researching U.S. export regulations relating to software and cryptography. Be warned though, I am not a lawyer and the following is not legal advice. I urge you to consult a professional for advice specific to your situation.

SourceForge is operated by Geeknet, Inc., a publicly traded US-based company. When someone outside the U.S. downloads code from a SourceForge project, SourceForge is actually exporting the code from the U.S.

Export of software that includes cryptographic functions from the U.S. is controlled by the Bureau of Industry and Security (BIS) according to the Export Administration Regulations (EAR) and the Commerce Control List (CCL). This includes software that only calls encryption functions in an external library, such as the PHP openssl_public_encrypt and openssl_public_decrypt functions.

In 2010, the BIS amended the EAR to exclude software products where the use of encryption is ancillary to the product's primary function, the primary function is not information security or the sending, receiving or storing of information, the cryptographic functionality is limited to supporting that primary function, and details will be provided upon request to a U.S. authority (see EAR Controls for Items that Use Encryption on the U.S. BIS website).

Adapto is a small PHP framework targeted at creating data management applications with minimal code. Although Adapto includes cryptographic functions (implemented through PHP library functions), they are provided only for potential use by an application program and are not used in the normal operation of the framework. They are also not used in the tutorial demo application included with Adapto, and so it appears that export of Adapto from the U.S. is not controlled.

Since Adapto does incorporate encryption, this has been noted in the SourceForge project metadata, but since it is not controlled based on the above analysis, the project does not require reporting to the U.S. government, as noted by SourceForge.


Continuous Learning and Innovation

It’s amazing how one thing leads to another. Recently I was finally annoyed enough by my laptops not automatically synchronizing Firefox bookmarks that I had to do something about it. I regularly use two Linux Mint laptops, a Windows 7 laptop, and a WinXP laptop, and was manually synchronizing bookmarks periodically, but what I really wanted was something automatic, real-time, secure and painless. My Google fu told me the Firefox SyncPlaces plug-in might be just what I needed, and I liked that it used my server for storing its synchronisation data.

First, I configured SyncPlaces to use ftp for uploading bookmark data to my server (which is good, because my day job’s firewall only allows http and ftp access). I happened to be at a McDonald’s having lunch, where WiFi is free but ssh is not allowed. However, I have Webmin installed and was able to start the ftp daemon with a quick “/etc/rc.d/ftpd onestart” using the Webmin’s Command Shell module. Once that was done, I cleaned up the bookmarks on the Linux Mint T61 ThinkPad I was using and uploaded them, later synchronising Firefox on my Win7 HP dv9000. So far so good. Now, why didn’t I do this sooner?

This morning I thought I had better enable ftpd in rc.conf before the system was rebooted and I had to troubleshoot why ftp no longer worked. I tried using Webmin’s File Manager module to edit rc.conf, but instead of seeing my server’s file system I only saw the error “This module requires Java to function, but your browser does not support Java”. What?!? Firefox doesn’t support Java?!?

Turning again to Google, I found Ubuntu (on which Linux Mint is based) had recently removed Java and the Java Firefox plugin from its repositories and had switched to OpenJDK and the IcedTea browser plugin. The problem was that out-of-the-box Linux Mint didn’t include IcedTea! After installing “IcedTea-Web Plugin” using Linux Mint’s Software Manager, the Webmin File Manager module worked again and I was able to add ftpd to rc.conf. Whew!

Why do I put myself through this? It’s because the learning experiences it provides help me to stay current with changes in technology. Abstracting a problem and its solution may aid the growth of a new technology, but abstraction also makes it easy to lose connection with the underlying technical aspects. When that happens, the ability to innovate is lost – along with any opportunity to add real value.

Maestro Business Opportunities

Where are the opportunities for Maestro? The greatest opportunities are in Small-to-Medium Enterprises (SMEs).

Small to Medium Enterprises (SMEs)

A small-to-medium enterprise (or SME) typically has fewer than 250 users, occupies a common physical office, and has an entry-to-mid-tier ERP system for managing operations and financial reporting. It may have a well-defined IT infrastructure, often from a single vendor (e.g., Microsoft DNS/DHCP/domain controller, an Exchange mail server, a SharePoint knowledge server, an MS-SQL database server, etc.), or an ad hoc structure with peer-to-peer networking providing shared access to resources such as shared data and printers.

However, an SME often doesn’t have formal processes for document vaulting, non-conformance and issue management, change management/version control, and product data management. Also, the ERP system may be perceived primarily as a financial system, since it often is controlled by the Finance department, is not available to engineering staff, and does not provide traceability for serialized raw material or finished goods. Although SMEs may be certified to a QMS (e.g. ISO 9001), operationally they are often dependent on people-driven, document-oriented processes. If electronic documents are used, they are often stored either where they cannot be accessed by all users, or in an uncontrolled network share.

An SME can also be distributed, where employees do not share a common physical office. In this case, it will typically not have formal resources for sharing information, and will rely on email or ad hoc cloud storage (e.g. Dropbox, OneDrive or iCloud).

Maestro

Maestro can be used to consolidate existing systems, regardless of whether the SME is centralized or distributed. It can be hosted on a user workstation, on a dedicated server on the local network, or with a cloud hosting provider. Internal hosting may be preferred for its perceived security advantages, but hybrid and cloud architectures can be just as secure – if not more so, since the same security policies will apply regardless of whether the user is connected through the internal network or the internet.

Information Management and Data Integrity

CA Magazine’s Sept. 2011 issue lists the top 10 tech issues facing the accounting profession, according to the Canadian Institute of Chartered Accountants. The number 1 issue is information management and data integrity.

This corroborates my own professional experience. For too many businesses, there is no way to tell which copy of a document is the one “true” version, which is all the more difficult if there are multiple copies of the document scattered across personal directories and shared network directories. Almost as bad, there is no way to tell what changes have been made to a document over time, by whom, for what reason, and whether they were authorized by someone in authority.

Big business solves this in typically big business ways, and with a big price tag. Achievo is a solution for SMEs (and medium organizations that know better).