Wind River is the vendor behind vxWorks, which is one of the most widely-used embedded operating systems in the world. vxWorks isn't especially common in consumer products (although you can find SOHO-type routers running it) but it's very important in industry, aerospace, manufacturing, RF and telecom, and things like that.
The "sharp departure" Goodwin refers to here is the detente between industry and the USG for the past ~12 years. In the late '90s, crypto export controls were vigorously enforced. When you went to download Netscape, you had to select the US-specific installer to get cryptography that wasn't trivially brute-forced. If you shipped products that included SSL/TLS, or even just MD5, you had forms to fill out.
It seems like there'd need to be a backstory on this Wind River enforcement action. Surely there's quite a bit of crypto code in various vxWorks distributions, but it pales in comparison to the cryptography shipped by Mozilla and the Chromium projects. Maybe the issue is "enabling technology" versus consumer products?
It's also unclear to me whether this is a return to form or the BIS being especially aggressive about deliberate exports to specific countries.
Incorrect... You sometimes had to download binaries from a source outside the US. Usually not, since the user was simply expected to click the link for the non-US version.
In cases where the server actually looked at your source IP you could either proxy or just download the binary from a source in Europe. The dev teams were and still are seldom located in the US alone, but distributed all over the world. The authors of encryption packages were often not US citizens, either.
The rest of the world looked at the US policy on encryption with wide-eyed disbelief due to the horrifying ignorance that just had to lie behind it.
The US is far from the only western country that had laws restricting the use of cryptography, and export rules governing crypto were common throughout Europe as well.
Back in Australia in 1994 or so, I clicked on a download link for PGP without really reading the warnings, reading them during the download, and then wondering when the US SWAT team was going to swing through my window.
It could be that the crypto part is just incidental, the BIS press release doesn't really make much of a fuss about it. They focus on the duration and repeated non-compliant actions.
It sounds almost like they're saying 'if you screw up once or twice up but self-report quickly, we'll send you a sternly worded note but if you tell us you've been violating the regulation for years we're obliged to give you a firm but not too painful slap on the wrist'
The "sharp departure" Goodwin refers to here is the detente between industry and the USG for the past ~12 years. In the late '90s, crypto export controls were vigorously enforced. When you went to download Netscape, you had to select the US-specific installer to get cryptography that wasn't trivially brute-forced. If you shipped products that included SSL/TLS, or even just MD5, you had forms to fill out.
It seems like there'd need to be a backstory on this Wind River enforcement action. Surely there's quite a bit of crypto code in various vxWorks distributions, but it pales in comparison to the cryptography shipped by Mozilla and the Chromium projects. Maybe the issue is "enabling technology" versus consumer products?
It's also unclear to me whether this is a return to form or the BIS being especially aggressive about deliberate exports to specific countries.