Slashdot Mirror


Security Researchers Wary of Wassenaar Rules

msm1267 writes: The Commerce Department's Bureau of Industry and Security today made public its proposal to implement the controversial Wassenaar Arrangement, and computer security specialists are wary of its language and vagaries. For starters, its definition of "intrusion software" that originally was meant to stem the effect of spying software such as FinFisher and Hacking Team, has also apparently snared many penetration testing tools. Also, despite the Commerce Department's insistence that vulnerability research does not fall under Wassenaar, researchers say that's up for interpretation.

8 of 34 comments

  1. Eh? by dtmos · Score: 3, Informative

    How does that first sentence read again? I think someone left out a verb.

  2. Re:How do we submit comments? by Anonymous Coward · Score: 2, Funny

    I believe you should submit comments here: http://www.regulations.gov/?_e...

    I know I did.

  3. The government says.... by sconeu · Score: 4, Insightful

    The .gov says it won't be used against researchers.... until it is.

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.

  4. Stupid by backslashdot · Score: 3, Insightful

    This means if your laptop has nmap, Burp Suite, Metasploit, or IDA Pro etc. and you visit China with it... you could be arrested when you come back. How freaking stupid is that? Also, a lot of times it's hard to draw the line between debugging tools and penetration testing tools.

    1. Re:Stupid by phantomfive · Score: 2

      Here's the 'clarifying' quote by the director of BIS:

      “Vulnerability research is not controlled nor would the technology related to choosing, finding, targeting, studying and testing a vulnerability be controlled,” said Randy Wheeler, director of the BIS, today during a conference call. “The development, testing, evaluating and productizing of an exploit or intrusion software, or of course the development of zero-day exploits for sale, is controlled.”

      After reading that several times, I'm still not sure what is allowed and what is not.

      --
      "First they came for the slanderers and I said nothing."

  5. In Practice by Ken+McE · Score: 2

    In practice this would seem to mean that you are fine so long as the Commerce Department approves of whatever it is you are doing. Tick off the wrong people and the same activity becomes a felony.

  6. Re:Do as we say not as we do. by tnk1 · Score: 3, Interesting

    I don't think that's particularly odd.

    Try operating a private military and see how long you get away with that.

    Spying and hacking are basically the same: considered to be weaponized, and therefore the state monopoly on force applies.

    Note, I am not passing a judgement on whether the state monopoly on force is a good thing, only that it is generally accepted.

  7. Dual use nature of sticks and stones by WaffleMonster · Score: 2

    This document appears to be a comprehensive list of all the technology in the world worth using.