Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Researchers Wary of Wassenaar Rules

Posted by samzenpus on from the rules-of-the-game dept.

msm1267 writes: The Commerce Department's Bureau of Industry and Security today made public its proposal to implement the controversial Wassenaar Arrangement, and computer security specialists are wary of its language and vagaries. For starters, its definition of "intrusion software" that originally was meant to stem the effect of spying software such as FinFisher and Hacking Team, has also apparently snared many penetration testing tools. Also, despite the Commerce Department's insistence that vulnerability research does not fall under Wassenaar, researchers say that's up for interpretation.

21 of 34 comments (clear)

  1. Eh? by dtmos · · Score: 3, Informative

    How does that first sentence read again? I think someone left out a verb.

    1. Re: Eh? by Anonymous Coward · · Score: 1

      I think the missing word is 'forgot' or is that a reflection on the reading comprehension of the /. editor? I really cannot tell - I'm still trying to re-read the first sentence and decide...

  2. I think mrs. reagan got this one by evilrip · · Score: 1

    Just say no.

    --
    "To err is human, to forgive, beyond the scope of the Operating System"
    1. Re:I think mrs. reagan got this one by MobSwatter · · Score: 1

      For starters, its definition of "intrusion software" that originally was meant to stem the effect of spying software such as FinFisher and Hacking Team, has also apparently snared many penetration testing tools. Also, despite the Commerce Department's insistence that vulnerability research does not fall under Wassenaar, researchers say that's up for interpretation.

      Because nobody wants to piss off military force, that being the NSA because they will be put out of business and they know it. Already to many security related businesses that actually conceptually cared about security has had to shut down as a result of fear of previous interpretations of the law made by these military forces. And ya'll thought it was just the airline industry was fuxored.

  3. Do as we say not as we do. by Anonymous Coward · · Score: 1

    They can develop and weaponize exploits which means of course how DARE you expose this bullshit illegal activity or harm the reputation of a business by showing that they are FALSE ADVERTISING when saying a product is "secure".

    So let me get this straight....

    1. They launched actual weapons and were caught (stuxnet, flame, etc)
    2. Security researchers have not done this, or they'd be in jail already....
    3. A law is written that bans the security researcher from doing his job or sharing his tools, while legalizing what the government did.

    Cliffnotes: Do as we say not as we do.... Got it.

    1. Re:Do as we say not as we do. by tnk1 · · Score: 3, Interesting

      I don't think that's particularly odd.

      Try operating a private military and see how long you get away with that.

      Spying and hacking is basically the same: considered to be weaponized and therefore the state monopoly of force applies.

      Note, I am not passing a judgement on whether the state monopoly on force is a good thing, only that it is generally accepted.

    2. Re:Do as we say not as we do. by ale2011 · · Score: 1

      Note, I am not passing a judgment on whether the state monopoly on force is a good thing, only that it is generally accepted.

      Guns and software are both subject to bugs, operating errors, and bad or wrong usage. However, software by itself can never kill. Thus, the argument of lowering casualties by restricting weapon traffic does not apply to software. All the arguments that inspired the second amendment, instead, do apply. The right to bear software —any software— deserves to be recognized as an auxiliary to the long-established natural right of thinking and watching, auxiliary to the natural and legally defensible rights to life.

    3. Re:Do as we say not as we do. by tnk1 · · Score: 1

      Obviously, software, even weapons software, does not deliver lead or steel to an opponent directly.

      What I think everyone is having trouble with is the fact that software can often make less effective weapons much more effective, or even weaponize information itself.

      It would be interesting to have a Second Amendment like set of rights for encryption and hacking. I don't know that I would oppose that, although I'd like someone to do some serious thinking about the consequences of such. Like the actual Second Amendment, it is what I would consider to be the acceptance of a certain risk enshrined in the Constitution for the purposes of preventing tyranny and allowing for individual or local self-defense. That risk should not be played down, but it can be accepted.

  4. How do we submit comments? by rwwyatt · · Score: 1

    It would be nice to have some arguments. I am definitely not in favor of export restrictions again.

    1. Re:How do we submit comments? by Anonymous Coward · · Score: 2, Funny

      I believe you should submit comments here : http://www.regulations.gov/?_e...

      I know I did.

    2. Re:How do we submit comments? by rwwyatt · · Score: 1

      Thanks. For once, I have submitted comments on an issue. I doubt they will have any effect, but at least I went on record.

  5. Interpretation is the point by SuperKendall · · Score: 1

    researchers say that's up for interpretation

    What good is a law if it cannot let the government arrest Sandor silence anyone arbitrarily based on the prevailing political winds?

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  6. The government says.... by sconeu · · Score: 4, Insightful

    The .gov says it won't be used against researchers.... until it is.

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    1. Re:The government says.... by formfeed · · Score: 1

      The .gov says it won't be used against researchers.... until it is.

      They wont. They will only use it against cyber-terrorists.

      If you have pen testing tools and they come after you, you are a cyber-terrorist. If they don't, you are a researcher.

  7. Stupid by backslashdot · · Score: 3, Insightful

    This means if your laptop has nmap, burp suite, metasploit, or Ida pro etc. and you visit China with it .. you could be arrested when you come back. How freaking stupid is that? Also, a lot of times it's hard to draw the line between debugging tools and penetration testing tools.

    1. Re:Stupid by phantomfive · · Score: 2
      Here's the 'clarifying' quote by the director of BIS:

      “Vulnerability research is not controlled nor would the technology related to choosing, finding, targeting, studying and testing a vulnerability be controlled,” said Randy Wheeler, director of the BIS, today during a conference call. “The development, testing, evaluating and productizing of an exploit or intrusion software, or of course the development of zero-day exploits for sale, is controlled.”

      After reading that several times, I'm still not sure what is allowed and what is not.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Stupid by drinkypoo · · Score: 1

      This means if your laptop has nmap, burp suite, metasploit, or Ida pro etc. and you visit China with it .. you could be arrested when you come back. How freaking stupid is that?

      Visiting China with such tools on your laptop? Pretty stupid, unless you're going there to spend a lot of money.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  8. In Practice by Ken+McE · · Score: 2

    In practice this would seem to mean that you are fine so long as the Commerce Department approves of whatever it is you are doing. Tick off the wrong people and the same activity becomes a felony.

  9. Dual use nature of sticks and stones by WaffleMonster · · Score: 2

    This document appears to be a comprehensive list of all the technology in the world worth using.

  10. Re:Just some research by davester666 · · Score: 1

    Surrender them? Why bother. The FBI prefers to just erase them. Take your clubbing and hope you still remember your name. Maybe plan ahead and write down your name and where you are going on a sheet of paper before they helpfully wipe your memories.

    --
    Sleep your way to a whiter smile...date a dentist!
  11. Re:Pretty stupid politicians by drinkypoo · · Score: 1

    You probably can't even list the apps installed on your laptop, let alone want to uninstall and reinstall them later. You're not 'pretty stupid' for that, its normal.

    Uh, what? I most certainly can list the apps installed on my laptop, in a variety of ways. What kind of moron are you that you can't?

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"