by LeoPanthera 2016 days ago
*in the USA.

Radio receivers and scanners sold outside the USA, even if they are made inside the USA, have no restrictions. US manufacturers usually label these radios as "export" versions.

It reminds me of the early days of web browsers when "export" versions of Netscape and IE only supported a maximum of 56-bit encryption for SSL.

4 comments

Or GPS receivers not working at high altitude unless you buy some Asian brands with right chipsets.
Note that the rules require GPS receivers not to work when above 60,000ft AND at a speed higher than 1000kt. Some manufacturers made that an OR, but that's not required.

You're very very unlikely to ever make it above 60,000ft at a speed faster than 1000kt unless you own a fighter jet.

If you build nanosatellites or cubesats or do rocketry, those limits are exceeded. For example, the NovAtel OEM-719 GPS has no COCOM limits.

Fortunately COCOM limits for GPS are not enforced. It's an empty clause.

Rockets that go above 60,000ft and at 1000kt are the case that this limit was designed for, they didn't want enemy ballistic missiles guided by GPS.

Of course that regulation is now useless because foreign receivers don't implement the limit and competing GNSS systems also don't have it. But at the time it was written this was a sensible restriction because it was a unique technology.

High powered model rocketry can and does exceed this.
Since it's so unlikely, I guess most manufacturers haven't even tested it.
I take it that was related to the munitions classification for encryption?
Yes. lol.

I worked for a chopper factory in the UK back in the day. We had Novell servers. NetWare CAs back then did as they were told and would only offer rubbish encryption. We used it for throwaway stuff and manually cranked out certs with OpenSSL for important stuff. We also watched firewall logs ...

All of the SSL 3.0 / TLS 1.0 EXPORT cipher suites are actually limited to https://en.wikipedia.org/wiki/40-bit_encryption , see for instance page 60 of https://www.ietf.org/rfc/rfc2246.txt

For a while, exports were limited to 40-bit symmetric key strength and 512-bit moduli for DH and RSA. I had forgotten about the limits being raised to 56 bits for a few years before being fully dropped by the Clinton administration.

There was a brief attempt to get around the pushback against key length restrictions with the Clipper chip[0]. The idea was to give everyone 80-bit Skipjack encryption while enabling U.S. law enforcement intercept by having the chip refuse to function if it wasn't shown a valid escrow message (LEAF) for the key it was using. Skipjack was classified at the time and supposedly stronger than anything commercially available at the time. The problem was that LEAF itself only used a 16-bit authentication code, so it was trivial to brute-force another LEAF message that would work with your session key, but yield garbage data in a wire tap.

[0] https://en.wikipedia.org/wiki/Clipper_chip#Technical_vulnera...

I would imagine SDRs with "export" software are easy to get and can tune in.
A large portion of SDRs have no FCC equipment authorization at all, and so don't necessarily comply with regulations---including the lack of an AMPS lockout. This makes them a little bit iffy for sale in the US, but there is generally a rule that allows "test equipment" to be sold without equipment authorization under certain conditions on its use. I (not being an expert on this, I am not a lawyer, etc) would describe most hobby SDR use as being a gray area, but one that is probably not of too great concern since most hobby SDRs on the market are receive-only and obviously these weird part 15 rules about scanning receivers don't really matter in the modern age.

SDR transceivers like the HackRF are probably still not being purchased by people who will cause any trouble, but I do worry a little bit more about unintentional disruption of important radio applications like aviation navaids or whatever. If I were to take a policy angle here, I think it might be a good idea to restrict such devices to people with amateur radio licenses since they are not especially hard to obtain (DE AE5JL). I'm sure there's a thousand people here who would vehemently disagree with me on that though.

> I think it might be a good idea to restrict such devices to people with amateur radio licenses

Am a Canadian HAM, and also the owner of multiple transmit-capable SDRs. While I don't disagree with you on principle, one tricky part with that is that the majority of my usage of these devices has been commercial. Requiring an amateur license to do commercial work is kind of the opposite of how the system is supposed to work (i.e. no commercial activity on the HAM bands).

The real saving grace for the transmit-capable SDRs is that they're generally quite low power. I think the most powerful one I have can do... 100mW? Sure, you could be disruptive with that, but it's not going to go very far.

That's true - any locking down of SDRs probably also requires a "fast track" experimental license program so that commercial users (including individuals who are performing commercial experiments, not just well-resourced companies with a licensing specialist) can obtain them easily.
"I think the most powerful one I have can do... 100mW?"

Until you add an amp hehe

SDRs don't have the 800MHz restrictions.
The limit was 40 bits for a while. Maybe briefly in the late 1990s the export limit was 56 bits, but all of the EXPORT cipher suites in TLS 1.0 (from 1999)[0] have limits of 40-bit symmetric keys, or a NULL cipher. Also the RSA and DH moduli for export cipher suites were limited to 512 bits.

[0] Page 60 of https://www.ietf.org/rfc/rfc2246.txt
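An added example, not part of the thread or any commenter's code: a small audit that parses the cipher suite list out of a TLS ClientHello and flags the NULL and EXPORT suites from RFC 2246 that the comments above refer to. The suite ids and names come from RFC 2246; the function names and the sample ClientHello are constructed for this illustration.

```python
import struct

# Weak suites from RFC 2246 (TLS 1.0): id -> (name, symmetric key bits).
WEAK_SUITES = {
    0x0001: ("TLS_RSA_WITH_NULL_MD5", 0),
    0x0002: ("TLS_RSA_WITH_NULL_SHA", 0),
    0x0003: ("TLS_RSA_EXPORT_WITH_RC4_40_MD5", 40),
    0x0006: ("TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5", 40),
    0x0008: ("TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", 40),
    0x000B: ("TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA", 40),
    0x000E: ("TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA", 40),
    0x0011: ("TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", 40),
    0x0014: ("TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", 40),
    0x0017: ("TLS_DH_anon_EXPORT_WITH_RC4_40_MD5", 40),
    0x0019: ("TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA", 40),
}

def offered_suites(hello: bytes) -> list:
    """Return the cipher suite ids listed in a ClientHello handshake message."""
    if len(hello) < 4 or hello[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    body = hello[4:4 + int.from_bytes(hello[1:4], "big")]
    pos = 2 + 32                          # skip client_version and random
    if len(body) < pos + 1:
        raise ValueError("truncated ClientHello")
    pos += 1 + body[pos]                  # skip session_id
    if len(body) < pos + 2:
        raise ValueError("truncated ClientHello")
    (cs_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites vector")
    return [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]

def audit(hello: bytes) -> list:
    """List (id, name, key_bits) for every NULL or EXPORT suite offered."""
    return [(s, *WEAK_SUITES[s]) for s in offered_suites(hello) if s in WEAK_SUITES]

def build_sample(suites) -> bytes:
    """Constructed TLS 1.0 ClientHello: zero random, empty session id."""
    body = (b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites) + b"\x01\x00")
    return b"\x01" + len(body).to_bytes(3, "big") + body

# Constructed sample: AES-128 and 3DES suites mixed with two EXPORT suites.
SAMPLE = build_sample([0x002F, 0x0003, 0x0014, 0x000A])

if __name__ == "__main__":
    for suite_id, name, bits in audit(SAMPLE):
        print(f"0x{suite_id:04X} {name}: {bits}-bit symmetric key")
```
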