Slashdot Mirror


Security Researchers Wary of Wassenaar Rules

msm1267 writes: The Commerce Department's Bureau of Industry and Security today made public its proposal to implement the controversial Wassenaar Arrangement, and computer security specialists are wary of its language and vagaries. For starters, its definition of "intrusion software" that originally was meant to stem the effect of spying software such as FinFisher and Hacking Team, has also apparently snared many penetration testing tools. Also, despite the Commerce Department's insistence that vulnerability research does not fall under Wassenaar, researchers say that's up for interpretation.

34 comments

  1. Eh? by dtmos · · Score: 3, Informative

    How does that first sentence read again? I think someone left out a verb.

    1. Re: Eh? by Anonymous Coward · · Score: 1

      I think the missing word is 'forgot' or is that a reflection on the reading comprehension of the /. editor? I really cannot tell - I'm still trying to re-read the first sentence and decide...

  2. I think mrs. reagan got this one by evilrip · · Score: 1

    Just say no.

    --
    "To err is human, to forgive, beyond the scope of the Operating System"
    1. Re:I think mrs. reagan got this one by MobSwatter · · Score: 1

      For starters, its definition of "intrusion software" that originally was meant to stem the effect of spying software such as FinFisher and Hacking Team, has also apparently snared many penetration testing tools. Also, despite the Commerce Department's insistence that vulnerability research does not fall under Wassenaar, researchers say that's up for interpretation.

      Because nobody wants to piss off military force, that being the NSA, because they will be put out of business and they know it. Already too many security-related businesses that actually conceptually cared about security have had to shut down as a result of fear of previous interpretations of the law made by these military forces. And y'all thought it was just the airline industry that was fuxored.

  3. Just some research by Anonymous Coward · · Score: 0

    -FBI! Lower your mouse and come out with your hands up!
    -I was just doing some research..
    -FBI! Lower your suitcase and surrender your memories!
    -I was just about to fly to a security conference..

    1. Re:Just some research by davester666 · · Score: 1

      Surrender them? Why bother. The FBI prefers to just erase them. Take your clubbing and hope you still remember your name. Maybe plan ahead and write down your name and where you are going on a sheet of paper before they helpfully wipe your memories.

      --
      Sleep your way to a whiter smile...date a dentist!
  4. Do as we say not as we do. by Anonymous Coward · · Score: 1

    They can develop and weaponize exploits which means of course how DARE you expose this bullshit illegal activity or harm the reputation of a business by showing that they are FALSE ADVERTISING when saying a product is "secure".

    So let me get this straight....

    1. They launched actual weapons and were caught (stuxnet, flame, etc)
    2. Security researchers have not done this, or they'd be in jail already....
    3. A law is written that bans the security researcher from doing his job or sharing his tools, while legalizing what the government did.

    Cliffnotes: Do as we say not as we do.... Got it.

    1. Re:Do as we say not as we do. by tnk1 · · Score: 3, Interesting

      I don't think that's particularly odd.

      Try operating a private military and see how long you get away with that.

      Spying and hacking are basically the same: considered to be weaponized and therefore the state monopoly of force applies.

      Note, I am not passing a judgement on whether the state monopoly on force is a good thing, only that it is generally accepted.

    2. Re:Do as we say not as we do. by ale2011 · · Score: 1

      Note, I am not passing a judgment on whether the state monopoly on force is a good thing, only that it is generally accepted.

      Guns and software are both subject to bugs, operating errors, and bad or wrong usage. However, software by itself can never kill. Thus, the argument of lowering casualties by restricting weapon traffic does not apply to software. All the arguments that inspired the second amendment, instead, do apply. The right to bear software —any software— deserves to be recognized as an auxiliary to the long-established natural right of thinking and watching, auxiliary to the natural and legally defensible rights to life.

    3. Re:Do as we say not as we do. by tnk1 · · Score: 1

      Obviously, software, even weapons software, does not deliver lead or steel to an opponent directly.

      What I think everyone is having trouble with is the fact that software can often make less effective weapons much more effective, or even weaponize information itself.

      It would be interesting to have a Second Amendment like set of rights for encryption and hacking. I don't know that I would oppose that, although I'd like someone to do some serious thinking about the consequences of such. Like the actual Second Amendment, it is what I would consider to be the acceptance of a certain risk enshrined in the Constitution for the purposes of preventing tyranny and allowing for individual or local self-defense. That risk should not be played down, but it can be accepted.

  5. How do we submit comments? by rwwyatt · · Score: 1

    It would be nice to have some arguments. I am definitely not in favor of export restrictions again.

    1. Re:How do we submit comments? by Anonymous Coward · · Score: 2, Funny

      I believe you should submit comments here : http://www.regulations.gov/?_e...

      I know I did.

    2. Re:How do we submit comments? by rwwyatt · · Score: 1

      Thanks. For once, I have submitted comments on an issue. I doubt they will have any effect, but at least I went on record.

    3. Re:How do we submit comments? by Anonymous Coward · · Score: 0

      You can speak out during the intervals they stop pouring water on your face and remove the towel.

  6. Interpretation is the point by SuperKendall · · Score: 1

    researchers say that's up for interpretation

    What good is a law if it cannot let the government arrest and/or silence anyone arbitrarily based on the prevailing political winds?

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  7. problems... by Anonymous Coward · · Score: 0

    "Wassenaar" isn't even an American English word, so it doesn't apply.

  8. Wassernaa Arrangement by Anonymous Coward · · Score: 0

    Lisa you are tearing me apart!

  9. More Republican hatred of tech by Anonymous Coward · · Score: 0

    They don't understand it so they hate it and want to destroy it. That would be fine if they didn't also want to murder others that do understand it. That is what their xian religion demands. They think their gods (holy goat, old man w/ beard, and younger man with holey hands) demand that they kill us. That is the way of their kind.

    1. Re:More Republican hatred of tech by Anonymous Coward · · Score: 0

      Republicrats have always hated tech, showing their blindness from the DMCA to Mickey Mouse Copyright Extension Acts to those silly anti-Net Neutrality bills. Bunch of fucking whining old assholes need a collective tech enema full of jagged old motherboards reclaimed from China's "recycling" junkyards.

    2. Re: More Republican hatred of tech by Anonymous Coward · · Score: 0

      Kill you? That would be too kind. We want to rape, torture and kill your family first. We want to cook them on a fire and force-feed you their charred flesh. We want to slice off your genitals and burn them as offerings to our Republican God of Hatred. We want to brutally rape you, then split you open, climb into your carcass and romp around. THIS is the way of our kind.

  10. The government says.... by sconeu · · Score: 4, Insightful

    The .gov says it won't be used against researchers.... until it is.

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    1. Re:The government says.... by Anonymous Coward · · Score: 0

      I quote "Drones will never be used on domestic soil".

      Anyone remember hearing that one? It's a gasser let me tell ya.

    2. Re:The government says.... by Anonymous Coward · · Score: 0

      The Patriot Act is vital for our war on terror, and will be used to fight America's enemies.

      And potheads.

      And copyright infringers.

      And protestors.

      And traffic violators.

    3. Re:The government says.... by formfeed · · Score: 1

      The .gov says it won't be used against researchers.... until it is.

      They won't. They will only use it against cyber-terrorists.

      If you have pen testing tools and they come after you, you are a cyber-terrorist. If they don't, you are a researcher.

  11. This is horrific by Anonymous Coward · · Score: 0

    The language here seems far more powerful and restrictive than I had thought:

    Intrusion software is defined as "Software ‘specially designed’ or modified to avoid detection by ‘monitoring tools,’ or to defeat ‘protective countermeasures,’ of a computer or network-capable device, and performing . . . the extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or . . . [etc.]."

    So in other words, using Tor could fall under the new definition, at least by my reading of those words. Anyone with a more rigorous legal background able to set me straight? Or reaffirm my worst fears?

  12. Stupid by backslashdot · · Score: 3, Insightful

    This means if your laptop has nmap, Burp Suite, Metasploit, or IDA Pro etc. and you visit China with it .. you could be arrested when you come back. How freaking stupid is that? Also, a lot of times it's hard to draw the line between debugging tools and penetration testing tools.

    1. Re:Stupid by phantomfive · · Score: 2

      Here's the 'clarifying' quote by the director of BIS:

      “Vulnerability research is not controlled nor would the technology related to choosing, finding, targeting, studying and testing a vulnerability be controlled,” said Randy Wheeler, director of the BIS, today during a conference call. “The development, testing, evaluating and productizing of an exploit or intrusion software, or of course the development of zero-day exploits for sale, is controlled.”

      After reading that several times, I'm still not sure what is allowed and what is not.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Stupid by drinkypoo · · Score: 1

      This means if your laptop has nmap, burp suite, metasploit, or Ida pro etc. and you visit China with it .. you could be arrested when you come back. How freaking stupid is that?

      Visiting China with such tools on your laptop? Pretty stupid, unless you're going there to spend a lot of money.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Stupid by Anonymous Coward · · Score: 0

      After reading that several times, I'm still not sure what is allowed and what is not.

      That's the point

  13. In Practice by Ken+McE · · Score: 2

    In practice this would seem to mean that you are fine so long as the Commerce Department approves of whatever it is you are doing. Tick off the wrong people and the same activity becomes a felony.

  14. Pretty stupid politicians by Anonymous Coward · · Score: 0

    You probably can't even list the apps installed on your laptop, let alone want to uninstall and reinstall them later. You're not 'pretty stupid' for that, it's normal.

    What it would do is make THE WESTERN security researchers wary, while Chinese/Russian security researchers would have a free hand. Which makes WESTERN security less secure. Why would you risk it? They'd go into a different field of IT, or not explore that field.

    It's idiotic and shows a piss-poor understanding of the situation. Currently if you find a security hole in a server and are in the west it's best to SHUT THE FUCK UP about it, because people get arrested for pointing to security holes IN THE WEST. Security research is becoming equated with hacking, so nobody wants to do it.

    So how many security holes go undocumented because of that? This law would take it further down that route, where security holes are intentionally not found because the tools to find them are risky to carry.

    1. Re:Pretty stupid politicians by drinkypoo · · Score: 1

      You probably can't even list the apps installed on your laptop, let alone want to uninstall and reinstall them later. You're not 'pretty stupid' for that, its normal.

      Uh, what? I most certainly can list the apps installed on my laptop, in a variety of ways. What kind of moron are you that you can't?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  15. Dual use nature of sticks and stones by WaffleMonster · · Score: 2

    This document appears to be a comprehensive list of all the technology in the world worth using.