Slashdot Mirror


US Proposes Tighter Export Rules For Computer Security Tools

itwbennett writes: The U.S. Commerce Department has proposed tighter export rules for computer security tools and could prohibit the export of penetration testing tools without a license. The proposal would modify rules added to the Wassenaar Arrangement in 2013 that limit the export of technologies related to intrusion and traffic inspection. The definition of intrusion software would also encompass 'proprietary research on the vulnerabilities and exploitation of computers and network-capable devices,' the proposal said.

7 of 126 comments

  1. Stupid ... by gstoddart · Score: 5, Insightful

    Once again lawmakers don't understand the issue.

    Making the tools illegal doesn't mean people who plan on doing illegal things won't have them.

    It also assumes that the best such tools come from America.

    This is idiot lawmakers who don't understand technology passing laws trying to fix it. So, saying it's extra special illegal to break the law achieves absolutely NOTHING, and it prevents people from studying actual security holes because the tools are limited.

    Can we make it illegal to be stupid? That would be awesome!

    --
    Lost at C:>. Found at C.
    1. Re:Stupid ... by anagama · Score: 5, Insightful

      Making the tools illegal doesn't mean people who plan on doing illegal things won't have them.

      I think there is a better than even chance that the lawmakers understand this perfectly well, but that the real purpose of the law is to harass people who hold and publish views the government doesn't like by putting together a persecution [intended typo] with a 100 year sentence based on extreme applications of criminal laws. Their hope is that the target either plea bargains to something less that will still remove that person from the general population, or better yet from the Fed's perspective, prompts that person to just kill him/herself out of hopelessness.

      --
      What changed under Obama? Nothing Good
  2. Logjam by Kippesoep · Score: 5, Insightful

    So, just as the net is reeling from the latest SSL/TLS vulnerability, Logjam, which is in large part due to the export restrictions on cryptographic technology from 20 years ago, politicians are at it again. I wonder how this will end up biting everybody in the arse in the future. Possibly not as directly as in the case of Logjam, but perhaps restricting such tools will mean that certain critical vulnerabilities may not be discovered in time, or not reported.

  3. WARNING BADTHINK MINDCRIME DETECTED! by Thud457 · Score: 5, Insightful

    no, MONEY is speech.
    sourcecode is munitions.

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  4. Re:You can ban these so-called "tools" AFAIK. by russotto · Score: 5, Interesting

    David Sternlight is that you? You know you can legally buy both ski masks and crow bars, right? In fact, I think REI sells ski masks, crow bars (cleverly disguised as climbing hardware), and backpacks all in the same store, and they haven't been shut down yet.

  5. Great tool for bullying US security researchers by Simon · Score: 5, Insightful

    Sure, this law won't stop these tools from leaving the USA, but may still be effective in bullying and retaliating against US-based security researchers when they piss off the wrong people.

    You presented your research at a conference outside the US? => That's export.
    You put your software up on the web for everyone? => That's export.
    You posted details to a mailing list which is hosted outside the US? => That's export.

  6. Re:better open source the tools by ShanghaiBill · Score: 5, Informative

    and publish them well away from USoA soil.

    This is what happened with the encryption ban in the 1990s. Companies did their development outside America, using non-Americans. The result was job losses for Americans, atrophy of American skills, and no increase in security. That was predictable, and continued long after the stupidity of the policy was blatantly obvious. But it really takes a special kind of idiocy to do it all over again.