Slashdot Mirror


US Proposes Tighter Export Rules For Computer Security Tools

itwbennett writes: The U.S. Commerce Department has proposed tighter export rules for computer security tools and could prohibit the export of penetration testing tools without a license. The proposal would modify rules added to the Wassenaar Arrangement in 2013 that limit the export of technologies related to intrusion and traffic inspection. The definition of intrusion software would also encompass 'proprietary research on the vulnerabilities and exploitation of computers and network-capable devices,' the proposal said.

29 of 126 comments

  1. better open source the tools by Anonymous Coward · · Score: 3, Insightful

    and publish them well away from USoA soil.

    1. Re:better open source the tools by ShanghaiBill · · Score: 5, Informative

      and publish them well away from USoA soil.

      This is what happened with the encryption ban in the 1990s. Companies did their development outside America, using non-Americans. The result was job losses for Americans, atrophy of American skills, and no increase in security. That was predictable, and continued long after the stupidity of the policy was blatantly obvious. But it really takes a special kind of idiocy to do it all over again.

    2. Re:better open source the tools by pixelpusher220 · · Score: 4, Insightful

      Let alone no 'increase' in security, it's measurably made security WORSE, as lots and lots of websites can still use the watered-down tools/certificates created by that misguided policy.

      --
      People in cars cause accidents....accidents in cars cause people :-D
  2. Whoops! Here we go again by fustakrakich · · Score: 4, Insightful

    Ah, but this time it's different!

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:Whoops! Here we go again by houstonbofh · · Score: 2

      Ah, but this time it's different!

      Yes. The companies already know how to set up foreign subsidiaries that will officially develop the tools restricted by this so there is no export. They learned from last time.

  3. Stupid ... by gstoddart · · Score: 5, Insightful

    Once again lawmakers don't understand the issue.

    Making the tools illegal doesn't mean people who plan on doing illegal things won't have them.

    It also assumes that the best such tools come from America.

    This is idiot lawmakers who don't understand technology passing laws trying to fix it. So, saying it's extra special illegal to break the law achieves absolutely NOTHING, and it prevents people from studying actual security holes because the tools are limited.

    Can we make it illegal to be stupid? That would be awesome!

    --
    Lost at C:>. Found at C.
    1. Re:Stupid ... by anagama · · Score: 5, Insightful

      Making the tools illegal doesn't mean people who plan on doing illegal things won't have them.

      I think there is a better than even chance that the lawmakers understand this perfectly well, but that the real purpose of the law is to harass people who hold and publish views the government doesn't like by putting together a persecution [intended typo] with a 100 year sentence based on extreme applications of criminal laws. Their hope is that the target either plea bargains to something less that will still remove that person from the general population, or better yet from the Fed's perspective, prompts that person to just kill him/herself out of hopelessness.

      --
      What changed under Obama? Nothing Good
    2. Re:Stupid ... by fustakrakich · · Score: 2, Insightful

      Once again lawmakers don't understand the issue.

      I hate it when you people say that! They have their orders. They understand perfectly well what they are doing. It is the voters that are ignorant and stupid and thus blindly follow them. And in that ignorance it is the voters that give value to the campaign dollar. The politician is not the idiot here.

      --
      “He’s not deformed, he’s just drunk!”
    3. Re:Stupid ... by houstonbofh · · Score: 2

      It also assumes that the best such tools come from America.

      And doing crap like this makes sure that if it is still the case, it will not be for long. Development will either move, or get surpassed.

    4. Re:Stupid ... by Endymion · · Score: 4, Insightful

      It is dangerous to assume stupidity - especially when the people in question are making threatening gestures in your direction. What you describe is one possibility. Another is that these lawmakers (or the people they work for) DO understand these issues, and the inevitable problems that arise are the expected outcome.

      Yes, Hanlon's razor is a good heuristic most of the time, but in this case we have a pattern. Technology that empowers people (e.g. real crypto/security, better communications technology like the internet) has been attacked fairly consistently. Tools and methods have been criminalized in the past with alarming frequency. For this specific issue, there are a lot of people invested in the status quo where computers (i.e. "most products", eventually) are easily monitored/tracked, and easily attacked if the need arises. Dan Geer described our situation very accurately in his outstanding talk last year: the current strategy of the US government (and others) with regard to network security is "all offense".

      When proposals like this happen, people are trying to shape your future. Maybe they want to get an actual law passed. Maybe they just want to use a confusing topic in a show for the benefit of their constituency. Maybe the goal is propaganda or shifting the Overton window. Whatever the purpose, we would be lucky to have stupid lawmakers whom we can at least attempt to fix with education. Unfortunately, what looks like stupidity is often agenda, and underestimate their threat at your own peril.

      --
      Ce n'est pas une signature automatique.
    5. Re:Stupid ... by brunes69 · · Score: 2

      It's a law against export, not possession.

      The only result of laws like this is the off-shoring of jobs related to the creation of computer security tools.

      This is why I had to laugh at the slant of the summary for the Kaspersky article yesterday, claiming that it was negative that the product came from Russia. In actual fact, the fact that the product is not made in the US protects it from crap like this.

    6. Re:Stupid ... by fustakrakich · · Score: 2

      Looks like you haven't figured out who the politicians serve. Greedy, lying, clever, conniving little rats with illusions of grandeur, absolutely, the only stupid ones are those that lose, or get caught. They don't need to 'know' anything. The lobbyists tell their aides (they all carry their own stories) who tell them who to speak with and how to vote.

      --
      “He’s not deformed, he’s just drunk!”
    7. Re:Stupid ... by Uniquitous · · Score: 3, Insightful

      You're both right. Both the politicians and the people are ignorant. The politicians are simply more cunning at manipulating people.

  4. Take that China! by Hrrrg · · Score: 4, Funny

    Haha! No more Norton AV for you!

  5. Logjam by Kippesoep · · Score: 5, Insightful

    So, just as the net is reeling from the latest SSL/TLS vulnerability, Logjam, which is in large part due to the export restrictions on cryptographic technology from 20 years ago, politicians are at it again. I wonder how this will end up biting everybody in the arse in the future. Possibly not as directly as in the case of Logjam, but perhaps restricting such tools will mean that certain critical vulnerabilities may not be discovered in time, or not reported.

    1. Re:Logjam by Dunbal · · Score: 2

      will mean that certain critical vulnerabilities may not be discovered in time, or not reported.

      Which, if you think about it, works in Big Brother's favor. Again.

      --
      Seven puppies were harmed during the making of this post.
    2. Re:Logjam by fustakrakich · · Score: 2

      ...perhaps restricting such tools will mean that certain critical vulnerabilities may not be discovered in time, or not reported.

      Well yes, that is the idea. Reporting these kinds of things will become illegal (for an example of how it's happening in meatspace)

      --
      “He’s not deformed, he’s just drunk!”
  6. Just proprietary? by Rich0 · · Score: 4, Interesting

    I'm interested in whether this is limited to ONLY proprietary research.

    I could actually see an argument for banning export of such research. Do we really want companies finding flaws in widely-used software, keeping those flaws secret from the software vendors and the general public, but then selling details on those flaws to others who could potentially turn around and exploit them? In a sense, this does sound like a munition.

    I don't see the same concern with public research. If you disclose a vulnerability publicly, then everybody can fix it, and that strengthens the ecosystem instead of weakening it.

    If the ban were limited to proprietary research, I don't see it as a bad thing. Of course, it does nothing to keep companies from selling their findings to NSA contractors and such, but I don't expect the US to lift a finger to ban practices like these.

  7. And Of Course... by BlueStrat · · Score: 3, Informative

    ...What they mean by "export" is posting downloads or links to downloads of source code or binaries on the 'net.

    Just another restriction on the communication of knowledge & free speech in the "Land of the Free".

    The US I grew up in during the 1960s/'70s is dead.

    Strat

    --
    Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    1. Re:And Of Course... by Anonymous Coward · · Score: 4, Funny

      And look what it gave us, the 80s, and he *who shall not be named*!

      That's a pretty rude way to make fun of Prince's trademark woes.

  8. WARNING BADTHINK MINDCRIME DETECTED! by Thud457 · · Score: 5, Insightful

    no, MONEY is speech.
    source code is munitions.

    --
    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  9. Re:You can ban these so-called "tools" AFAIK. by russotto · · Score: 5, Interesting

    David Sternlight is that you? You know you can legally buy both ski masks and crow bars, right? In fact, I think REI sells ski masks, crow bars (cleverly disguised as climbing hardware), and backpacks all in the same store, and they haven't been shut down yet.

  10. Why make a law you can't enforce? by Last_Available_Usern · · Score: 2

    You can find any piece of software you want online with almost no effort, and the folks who want this kind of software are going to be better at finding it than me. So why create restrictions to block something that is so ridiculously easy to obtain already?

  11. Great tool for bullying US security researchers by Simon · · Score: 5, Insightful

    Sure, this law won't stop these tools from leaving the USA, but may still be effective in bullying and retaliating against US based security researchers when they piss off the wrong people.

    You presented your research at a conference outside the US? => That's export.
    You put your software up on the web for everyone? => That's export.
    You posted details to a mailing list which is hosted outside the US? => That's export.

  12. Re:US Proposes Tighter Export Rules ... by MobSwatter · · Score: 2

    An economic/social collapse is what those in power need to roll out martial law and complete the final stages of the "fundamental transformation of America" to a police state.

    They are going to get it because it is the desire of those in power; CIA analysts have come forward now stating that the "3rd world depression is no longer avoidable". I think world depression is a bit on the dramatic side though; I think the rest of the world is likely to contain it to the US/UK. Rusky/China have been getting cozy for a while now and getting in good with Saudi for oil, and our dumb asses keep printing money to keep the gubbmint's doors open, stressing the Saudi deal dating back to '71. I think what they are trying for is an economic reset of the world books, but I don't think China is going to go for that.

  13. Re:US Proposes Tighter Export Rules ... by dave420 · · Score: 2

    Paranoid, much?

  14. Dear US law makers by Opportunist · · Score: 2

    Your jurisdiction, unlike the traffic of the internet, is limited to your own country. And the countries you control. Which is a lot, I give you that, but by no stretch whatsoever is it all.

    Also: Money trumps laws. Twice so if corporations are involved. If $evil_bastard_country wants to throw money at whoever sells them $supersecret_technology, corporations will not obey your law, they will race against each other to find the loophole. Which usually ends in the tech involved being developed abroad by those suspicious foreigners and then sold to the $evil_bastard_country.

    The net effect for the US of such a ban is a loss of jobs, loss of knowledge and most of all valuable IT security information in the hands of whatever foreign country was smart enough not to be as stupid as you are, putting shackles on your own ITSEC industry.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  15. Re:Export???? by PPH · · Score: 2

    Being online would qualify as exporting...

      Not automatically. If it's uploaded to a server from outside the USA and the server itself exists outside the USA, no export was involved.

    This just pushes the remaining development of such tools out of the USA.

    --
    Have gnu, will travel.
  16. Please Comment by terbeaux · · Score: 4, Interesting

    They opened a public comment period. Please send them your comments and let them know what you think. https://www.federalregister.go...