Educause Security Discussion mailing list archives

Re: VPN/ssh and foreign travel

From: Brad Judy <win-hied () BRADJUDY COM>
Date: Wed, 19 Nov 2008 14:34:56 -0500

Thanks for the clarification Ken.  I expect faculty will account for a
combination of "tools of trade" and "personal use".  In the referenced
webpage, it would appear that personal use does not have a 1 year
restriction.

Do you have a reference for which countries don't allow any encrypted
communications?

Brad Judy

----- Original Message -----
From: "Rowe, Ken" <kenrowe () UILLINOIS EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Wednesday, November 19, 2008 1:49 PM
Subject: Re: [SECURITY] VPN/ssh and foreign travel


Let me clarify this:
Cryptography is ALWAYS export controlled in the USA, but under the
"tools of trade" and "personal use" categories they may be taken out of
the country for up to 1 year.
See  http://www.bis.doc.gov/encryption/lechart1.htm for guidance.

I wouldn't consider anything but encrypted communications for most
situations. Note that it is illegal in certain countries to use
encrypted communications. In that case you may be forced to use a less
secure means with an associated reduction in access allowed to your
campus assets.

Ken.

Ken Rowe
Director of Enterprise Systems Assurance and Information Security
University Office of Administrative Information Technology Services
University of Illinois
-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brad Judy
Sent: Wednesday, November 19, 2008 11:33 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] VPN/ssh and foreign travel

There shouldn't be an export control issue if you're talking about
employees
travelling to another country with encryption software installed on
their
notebook.  These travelers are presumably keeping the computer in their
own
possession and bringing it back with them, in which case nothing was
exported.

Now, if they are travelling to a more heavily restricted country like
North
Korea, you might have different issues.

Many campuses (including my former one) have been requiring encrypted
authentication to campus systems for years.

Brad Judy

----- Original Message -----
From: "jeff murphy" <jcmurphy () BUFFALO EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Wednesday, November 19, 2008 12:20 PM
Subject: [SECURITY] VPN/ssh and foreign travel

We're trying to eliminate use of cleartext password transmission for
access to university systems. One point of discussion involves dealing

with US export controls. What I'd like to hear from you (sec@educ) is
your thoughts on whether it's practical to require encrypted access

given

the export issue?

Thx

Jeff

Current thread:

VPN/ssh and foreign travel jeff murphy (Nov 19)
- <Possible follow-ups>
- Re: VPN/ssh and foreign travel Brad Judy (Nov 19)
- Re: VPN/ssh and foreign travel Gary Dobbins (Nov 19)
- Re: VPN/ssh and foreign travel Josh Drummond (Nov 19)
- Re: VPN/ssh and foreign travel Gary Flynn (Nov 19)
- Re: VPN/ssh and foreign travel Rowe, Ken (Nov 19)
- Re: VPN/ssh and foreign travel Brad Judy (Nov 19)