US Proposes Tighter Export Rules For Computer Security Tools
itwbennett writes: The U.S. Commerce Department has proposed tighter export rules for computer security tools and could prohibit the export of penetration testing tools without a license. The proposal would modify rules added to the Wassenaar Arrangement in 2013 that limit the export of technologies related to intrusion and traffic inspection. The definition of intrusion software would also encompass 'proprietary research on the vulnerabilities and exploitation of computers and network-capable devices,' the proposal said.
and publish them well away from USoA soil.
Ah, but this time it's different!
“He’s not deformed, he’s just drunk!”
Citizenship status of any individual seeking to acquire any such tools ought to be checked.
Sourcecode is speech.
Opensource people: Do NOT obey this.
Once again lawmakers don't understand the issue.
Making the tools illegal doesn't mean people who plan on doing illegal things won't have them.
It also assumes that the best such tools come from America.
This is idiot lawmakers who don't understand technology passing laws trying to fix it. So, saying it's extra special illegal to break the law achieves absolutely NOTHING, and it prevents people from studying actual security holes because the tools are limited.
Can we make it illegal to be stupid? That would be awesome!
Hot air, nothing compared to the US self imposed brain drain caused by fucked up policy, gamed and broken system. If they don't want to see things that are better in the hands of other countries then they should rethink the way things have been going in the US for the last 60+ years. The policy of 'keeping the people stupid' is not going to produce a superior product in any sector anyway so where are these idiots coming from on this?
Why would they want software running around that could conceivably reveal what the US governments & friends are up to? No sir, we can't have that.
The funny thing is that this will just obliterate what little economy they still had in that area and send the whole thing overseas. So the net result will be, if anything, even less control over that software than before. Good jawb guys!
Didn't we try something like this already? It seems like the only thing this would really do is move the development of some pretty popular tools to overseas locales.
IANAL, does anyone know what effect this would have on things like Wireshark and Metasploit?
Haha! No more Norton AV for you!
The US government still thinks that the US is ahead of everyone when it comes to computer and software technology.
So, all that work that's offshored is done by programmers with memory issues? And the same with the H-1Bs?
Requirements for job:
Security and penetrations programming and testing. Early onset Alzheimer's and/or severe drug and alcohol addiction, ....
So, just as the net is reeling from the latest SSL/TLS vulnerability, Logjam, which is in large part due to the export restrictions on cryptographic technology from 20 years ago, politicians are at it again. I wonder how this will end up biting everybody in the arse in the future. Possibly not as directly as in the case of Logjam, but perhaps restricting such tools will mean that certain critical vulnerabilities may not be discovered in time, or not reported.
I'm interested in whether this is limited to ONLY proprietary research.
I could actually see an argument for banning export of such research. Do we really want companies finding flaws in widely-used software, keeping those flaws secret from the software vendors and the general public, but then selling details on those flaws to others who could potentially turn around and exploit them? In a sense, this does sound like a munition.
I don't see the same concern with public research. If you disclose a vulnerability publicly, then everybody can fix it, and that strengthens the ecosystem instead of weakening it.
If the ban were limited to proprietary research, I don't see it as a bad thing. Of course, it does nothing to keep companies from selling their findings to NSA contractors and such, but I don't expect the US to lift a finger to ban practices like these.
...What they mean by "export" is posting downloads or links to downloads of source code or binaries on the 'net.
Just another restriction on the communication of knowledge & free speech in the "Land of the Free".
The US I grew up in during the 1960s/'70s is dead.
Strat
Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
no, MONEY is speech.
sourcecode is munitions.
Is "information wants to be free" too cliche?
let's repeat our folly.
Say goodbye to responsible disclosure.
WTF? They're online
Yeah... Let's make "security through obscurity" the law of the land.
That'll help so much.
Effin' idiots.
When Carmen Ortiz wants to abuse the law with the next Aaron Swartz she can use this to compel a plea bargain.
David Sternlight is that you? You know you can legally buy both ski masks and crow bars, right? In fact, I think REI sells ski masks, crow bars (cleverly disguised as climbing hardware), and backpacks all in the same store, and they haven't been shut down yet.
Every time I see a moronic hyperlink that makes no sense, it inevitably leads back to IT world.
You are all worthless empty suits who are faking it.
First Amendment says "Kiss my ass" to export restrictions.
Welcome to the Panopticon. Used to be a prison, now it's your home.
You can find any piece of software you want online with almost no effort, and the folks who want this kind of software are going to be better at finding it than me. So why create restrictions to block something that is so ridiculously easy to obtain already?
Sure, this law won't stop these tools from leaving the USA, but may still be effective in bullying and retaliating against US based security researchers when they piss off the wrong people.
You presented your research at a conference outside the US? => That's export.
You put your software up on the web for everyone? => That's export.
You posted details to a mailing list which is hosted outside the US? => That's export.
This would make developing things such as Metasploit and Nmap near impossible, as well as most Free/Open security testing tools. (There is no way to really prevent Free software from crossing borders.)
has a global monopoly on this sort of product. where export controls might actually do something---for a little while, anyway.
absolutely worthless idea.
will make politicians feel good about "doing something" but the hackers will just use something else...
besides, it's not like hackers will follow export restrictions, either.
... it will discourage hackers from just breaking in and getting the stuff.
Well you can't stop people from getting these tools, you may be able to keep people from selling them.
While this particular instance isn't worse than many other similar acts of legislative stupidity foisted on tech, I happen to have had a lengthy and related conversation last night. To be brief, the people in power are crippling development by attempting to use it for their increasingly outdated ends. This is just one small example. "They" are struggling to bend rapidly emergent tech to fit a political/economic system that just doesn't match.
I have no idea how to resolve this worsening problem. In some ways, I wonder how "democracy" can continue to function in the US (even by its already low standards) when neither the voting public nor its representatives are able to understand the function and meaning of its infrastructure...yeah, that escalated quickly.
PS: I recently travelled overseas with nmap on my laptop because I was learning how to use it, purely because I wanted to, and not for any professional reason. I wonder how long before that act becomes "transporting cyber-weapons across international borders."
PPS: I don't think I've ever posted to Slashdot, despite reading it for over a decade.
Your jurisdiction, unlike the traffic of the internet, is limited to your own country. And the countries you control. Which is a lot, I give you that, but by no stretch whatsoever is it all.
Also: Money trumps laws. Twice so if corporations are involved. If $evil_bastard_country wants to throw money at whoever sells them $supersecret_technology, corporations will not obey your law, they will race against each other to find the loophole. Which usually ends in the tech involved being developed abroad by those suspicious foreigners and then sold to the $evil_bastard_country.
The net effect for the US of such a ban is a loss of jobs, loss of knowledge and most of all valuable IT security information in the hands of whatever foreign country was smart enough not to be as stupid as you are, putting shackles on your own ITSEC industry.
We are still suffering from the previous time they did this and new issues pop up all the time, as recent as this month: https://weakdh.org/
They opened a public comment period. Please send them your comments and let them know what you think. https://www.federalregister.go...
The only way to stop a bad guy with a script kiddie tool is a good guy with a script kiddie tool.
computer security tools, are basically computer programs which are in turn information. so the new rules are intended to stop what are essentially LEAKS of information from PRIVATE sources, many of whom have less than complete and total respect for the law, esp. when the law is STUPID, to individuals, institutions, groups, companies, etc., WORLDWIDE.
This from the same group of assclowns who can't stop leaks from inside their own organization, to a tiny handful of people whose names are mostly known! ha!
good luck with that!
At this point, it's pretty much moot.
The tools are already out there.
Cutting off now accomplishes JACK SHIT. And all the tools will simply be mirrored outside the US.
The especially bad part? Look at the whole encryption export debacle.
Basically most of the meaningful security jobs and development will move outside the US.
Sure, we'll have in-country development, but it'll be happening in a vacuum, as nobody else will want to touch development of tools they can't legally use.
Meaning that security tools in general will stagnate in the US and slow down elsewhere as they have to now gear up for development without using resources inside US borders.
THANK GOD!!!
The idea that the US is somehow in charge of how security researchers spend their energies will be its own undoing. Research will be done outside the US. Security researchers have long memories. Nothing stops them from doing all of their research outside the US. And nothing will stop them from denying US interests access to their tools, research, and discoveries.
Customers in the united states will still find out about the vulnerabilities. They'll find out after they are penetrated.
Thankfully stupidity is not an invitation to have violence committed upon you. If it were such an invitation, then the author of the newly proposed export controls would be in danger of being beaten to death.
People who can defend themselves tend to make their own decisions. This has not escaped the notice of governments.
If you don't like this idea, send an email (as they request) to Sharron Cook, publiccomments@bis.doc.gov. Please refer to RIN 0694-AG49 in all comments and in the subject line of email comments. Explain why you think it's a bad idea, with reasoned arguments. Before commenting, you should read the proposal first: https://www.federalregister.go...
- David A. Wheeler (see my Secure Programming HOWTO)
I see the idiocracy of the USA is alive and well
Go USA, we're no 28, we're no 28!!!
>>David Sternlight
Shit you just gave me a flashback. Stop triggering :-)
We did this with encryption and ended up causing a shit ton of problems down the road, problems that are seriously affecting us today.
Penetration tools are critical to almost all IT professionals, and it's common to recommend tools to friends all over the world. The reason penetration tools exist is to test your network, software and all other manner of holes. So why require a license to export?
NOT!
Considering most of the good ones come from Russia, China, and India.