Tuesday, October 9, 2012
hard. The government has stepped up censorship of currency exchange websites such as Mesghal.com and Mazanex.com, which had rates blanked out for the rial’s value against other nations’ currencies on Tuesday. Several major foreign airlines announced that they were discontinuing service into Tehran due to the volatility of the Iranian rial and shipping giant Maersk halted all port calls to Iran.
If severe currency devaluation and disruptive Internet cyber-attacks were not enough, the regular people of Iran have had access blocked to certain open source software sites for downloading applications such as Bitcoin. The 32-month-old blockade hasn’t been instigated by Iran’s mullahs but by the U.S.-led embargo which prohibits certain persons from receiving services via open source hosting sites.
The original and ‘reference’ Bitcoin client is hosted in the United States on GeekNet’s SourceForge.net, which explained its policy of denying site access on its blog:
"The specific list of sanctions that affect our users concern the transfer and export of certain technology to foreign persons and governments on the sanctions list. This means users residing in countries on the United States Office of Foreign Assets Control (OFAC) sanction list, including Cuba, Iran, North Korea, Sudan, and Syria, may not post content to, or access content available through, SourceForge.net. Last week, SourceForge.net began automatic blocking of certain IP addresses to enforce those conditions of use."
Then, after an angry reaction from project administrators and developers, SourceForge removed the blanket blocking and modified their policy to put the power of determining a block trigger in the hands of each project’s leadership, as announced in their February 2010 blog posting:
"Beginning now, every project admin can click on Develop -> Project Admin -> Project Settings to find a new section called Export Control. By default, we’ve ticked the more restrictive setting. If you conclude that your project is *not* subject to export regulations, or any other related prohibitions, you may now tick the other check mark and click Update. After that, all users will be able to download your project files as they did before last month’s change."
Therefore, the export control determination has to be made by the project’s registered administrator on SourceForge, who for Bitcoin is lead developer Gavin Andresen, having assumed the role from Bitcoin creator Satoshi Nakamoto.
Export of software from the U.S., including software that deploys encryption functions, is controlled by the Bureau of Industry and Security (BIS) in accordance with the Export Administration Regulations (EAR).
Andresen, who is also Chief Scientist for the Bitcoin Foundation, stated that Bitcoin compiles against the full OpenSSL library and that the wallet encryption feature uses AES-256, which is what places Bitcoin in the above category. The SourceForge option that Bitcoin.org selects to remain in compliance with U.S. law states, “This project incorporates, accesses, calls upon or otherwise uses encryption software with a symmetric key length greater than 64 bits (“encryption”). This review does not include products that use encryption for authentication only.”
Forget about the mere difficulties of obtaining and trading bitcoin for national fiat currency in Iran — without the client software, they are not even there yet. Other Bitcoin “experts” have alluded to alternative methods of downloading the Bitcoin client such as using non-U.S. independent mirrored sites, Virtual Private Network (VPN) for IP address masking, Tor if your country has an exit node, or BitTorrent file sharing.
Aside from the inherent weaknesses within the entire SSL infrastructure, the other download channels, and even SourceForge itself, present challenges. The initial install code would need to be verified for authenticity, and the only way to accomplish that is to have the core developer sign the code personally or have a neutral third party like the Bitcoin Foundation sign downloadable code with their certificate as a registered developer.
In extreme circumstances the verified source code can be compiled directly by the user so that downloading binaries is not necessary. Source code can also be distributed in text-based form like a PDF or scannable book, which is what MIT did for Phil Zimmermann and later what 70 international volunteers did for the PGPi Scanning Project in 1997. More and more, the Bitcoin Project is starting to look like the Pretty Good Privacy (PGP) secure email program with each passing day.