Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Proposes Tighter Export Rules For Computer Security Tools

Posted by timothy on from the we'd-like-to-inspect-that-package dept.

itwbennett writes: The U.S. Commerce Department has proposed tighter export rules for computer security tools and could prohibit the export of penetration testing tools without a license. The proposal would modify rules added to the Wassenaar Arrangement in 2013 that limit the export of technologies related to intrusion and traffic inspection. The definition of intrusion software would also encompass 'proprietary research on the vulnerabilities and exploitation of computers and network-capable devices,' the proposal said.

11 of 126 comments (clear)

  1. better open source the tools by Anonymous Coward · · Score: 3, Insightful

    and publish them well away from USoA soil.

    1. Re:better open source the tools by pixelpusher220 · · Score: 4, Insightful

      Let alone no 'increase' in security it's measurably made security WORSE as lots and lots of websites can still use the watered down tools/certificates created by that misguided policy.

      --
      People in cars cause accidents....accidents in cars cause people :-D
  2. Whoops! Here we go again by fustakrakich · · Score: 4, Insightful

    Ah, but this time it's different!

    --
    “He’s not deformed, he’s just drunk!”
  3. Stupid ... by gstoddart · · Score: 5, Insightful

    Once again lawmakers don't understand the issue.

    Making the tools illegal doesn't mean people who plan on doing illegal things won't have them.

    It also assumes that the best such tools come from America.

    This is idiot lawmakers who don't understand technology passing laws trying to fix it. So, saying it's extra special illegal to break the law achieves absolutely NOTHING, and it prevents people from studying actual security holes because the tools are limited.

    Can we make it illegal to be stupid? That would be awesome!

    --
    Lost at C:>. Found at C.
    1. Re:Stupid ... by anagama · · Score: 5, Insightful

      Making the tools illegal doesn't mean people who plan on doing illegal things won't have them.

      I think there is a better than even chance that the lawmakers understand this perfectly well, but that the real purpose of the law is to harass people who hold and publish views the government doesn't like by putting together a persecution [intended typo] with a 100 year sentence based on extreme applications of criminal laws. Their hope is that the target either plea bargains to something less that will still remove that person from the general population, or better yet from the Fed's perspective, prompts that person to just kill him/herself out of hopelessness.

      --
      What changed under Obama? Nothing Good
    2. Re:Stupid ... by fustakrakich · · Score: 2, Insightful

      Once again lawmakers don't understand the issue.

      I hate it when you people say that! They have their orders. They understand perfectly well what they are doing. It is the voters that are ignorant and stupid and thus blindly follow them. And in that ignorance it is the voters that give value to the campaign dollar. The politician is not the idiot here.

      --
      “He’s not deformed, he’s just drunk!”
    3. Re:Stupid ... by Endymion · · Score: 4, Insightful

      It is dangerous to assume stupidity - especially when the people in question are making threatening gestures in your direction. What you describe is one possibility. Another is that these lawmakers (or the people they work for) DO understand these issues, and the inevitable problems that arise are the expected outcome.

      Yes, Hanlon's razor is a good heuristic most of the time, but in this case we have a pattern. Technology that empowers people (e.g. real crypto/security, better communications technology like the internet) has been attacked fairly consistently. Tools and methods have been criminalized in the past with alarming frequency. For this specific issue, there are a lot of people invested in the status quo of where computers ("ii.e. "most products", eventually) are easily monitored/tracked, and easily attacked if the need arises. Dan Geer described our situation very accurately in his outstanding talk last year: the current strategy of the US government (and others) with regards to network security is "all offense".

      When proposals like this happen, people are tying to shape your future. Maybe they want to get an actual law passed. They just want to use a confusing topic in a show for the benefit of their constituency. Maybe the goal is propaganda or shifting the Overrton window. Whatever the purpose, we would be lucky to have stupid lawmaker which we can at least attempt to fix with education. Unfortunately, what looks like stupidity is often agenda, and underestimate their threat at your own peril.

      --
      Ce n'est pas une signature automatique.
    4. Re:Stupid ... by Uniquitous · · Score: 3, Insightful

      You're both right. Both the politicians and the people are ignorant. The politicians are simply more cunning at manipulating people.

  4. Logjam by Kippesoep · · Score: 5, Insightful

    So, just as the net is reeling from the latest SSL/TLS vulnerability, Logjam, which is in large part due to the export restrictions on cryptographic technology from 20 years ago, politicians are at it again. I wonder how this will end up biting everybody in the arse in the future. Possibly not as directly as in the case of Logjam, but perhaps restricting such tools will mean that certain critical vulnerabilities may not be discovered in time, or not reported.

  5. WARNING BADTHINK MINDCRIME DETECTED! by Thud457 · · Score: 5, Insightful

    no, MONEY is speech.
    sourcecode is munitions.

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  6. Great tool for bullying US security researchers by Simon · · Score: 5, Insightful

    Sure, this law won't stop these tools from leaving the USA, but may still be effective in bullying and retaliating against US based security researchers when they piss off the wrong people.

    You presented your research at a conference outside the US? => That's export.
    You put your software up on the web for everyone? => That's export.
    You posted details to a mailing list which is hosted outside the US? => That's export.