Slashdot Mirror


Wassenaar Treaty Will Hamper Bug Bounties

msm1267 writes: If the proposed U.S. Wassenaar rules are enacted, researchers who make a living contributing to and participating in the numerous industry bug bounties may feel the pinch in their wallets. Worse may be the impact on the security of software worldwide since many independent researchers find a good number of the bugs that get patched.

Researchers are starting to speak out, not only about the rules' broad definition of intrusion software, but also about the potential need to share vulnerability details with a government if forced to apply for the required export license. Many may soon question whether it's worth the time and effort to go through the export process if governments are acting as a clearinghouse.

35 comments

  1. Re:RAID! by __aaclcg7560 · · Score: 1

    Multiple hard drive failures will do that.

  2. Re:RAID! by Anonymous Coward · · Score: 0

    Kills them DEAD !!

    Kills them ALIVE!!

  3. Of course it is a bad idea... by houstonbofh · · Score: 3, Informative

    Of course it is a bad idea! Most government ideas are. And yes, it will have a chilling effect on the white hats and no effect at all on the black hats. (Other than some people getting darker hats to continue to work.) The black hat 0day markets will love it, however!

    1. Re:Of course it is a bad idea... by Anonymous Coward · · Score: 0

      +1 ... surely in 20..30 years you'll need a gov't license to submit patches, and a permit to read bug-reports. nvm github. that's the kind of freedom that's already enabling terrorism!

    2. Re:Of course it is a bad idea... by fustakrakich · · Score: 2

      Yep, nothing helps the 'underground' economy like good old prohibition. It's almost like the Black Hatters wrote the treaty.

      --
“He’s not deformed, he’s just drunk!”

    3. Re:Of course it is a bad idea... by gstoddart · · Score: 3, Insightful

      It's almost like the Black Hatters wrote the treaty.

      You're almost there ... it was Black Hatters ... but ones who see themselves as the good guys and want to prevent information about security from being publicly discussed.

      Because the only thing they care about is their continuing access to computer systems, and pretending they're doing it for our own good.

      This is the shady government agencies taking out the competition, and keeping information secret.

      Now, ask yourself ... 10 years ago how crazy would that sound?

      Because these days, it's not crazy at all.

      When they outlaw security, only governments and outlaws will have security. And then they'll be able to find you because you have security.

      If you have nothing to hide, you have nothing to fear. The pretext of keeping us safe is just bullshit window dressing.

      --
Lost at C:>. Found at C.

    4. Re:Of course it is a bad idea... by Anonymous Coward · · Score: 0

      The most disgusting part is the US government is doing this because they don't want other governments to have tools with which to spy on their citizens.

      Hypocrisy much, Uncle Sam?

    5. Re:Of course it is a bad idea... by fustakrakich · · Score: 1

      The pretext of keeping us safe is just bullshit window dressing.

      It's an ancient social exploit that still works. What is there to say?

      --
“He’s not deformed, he’s just drunk!”

    6. Re:Of course it is a bad idea... by Anonymous Coward · · Score: 0

Because US government rules apply to other governments exactly how? If our government wants to spy on me, they bloody well can do it just fine no matter what the US does or doesn't.

    7. Re:Of course it is a bad idea... by Anonymous Coward · · Score: 0

      Try having your mommy read what the Wassenaar Treaty is about, you illiterate little shit.

  4. This is the moment by Anonymous Coward · · Score: 0

    for Brazil to shine!

5. Worldwide? by Anonymous Coward · · Score: 0

You think computer security relies on Americans? Really?

    Try reading an atlas, dumbasses.

1. Re:Worldwide? by OrangeTide · · Score: 1, Offtopic

      California roughly has the same GDP as Italy. Tennessee's is roughly that of the Republic of Ireland.

      An old American joke:

      Q: "Where does an 800-lb. gorilla sit?"

      A: "Anywhere it wants to."

      --
“Common sense is not so common.” — Voltaire

    2. Re:Worldwide? by Anonymous Coward · · Score: 0

The Netherlands represents 0.2% of the world population and has about 1% of the world's wealth (by GDP versus GWP), but influences world politics and decision making for many nations far beyond 1%.

      While there are countries outside of the United States, their importance is often dramatically overstated.

      India has about 15% of the world population and 10% of the world's wealth. But doesn't seem to get any extra representation in the UN when compared to The Netherlands.

      We live in a Eurocentric world, and if the US were to begin recognizing those irrelevant nations by "reading an Atlas", we would only contribute further to this terrible problem that the vast majority of arrogant Europhiles seem to deny.

  6. Are they delusional? by ZorinLynx · · Score: 5, Insightful

    Why do governments think they can control the flow of security software and exploits over the Internet?

    Bad guys already don't follow the laws, and will obtain and use them anyway.

Good guys testing security will probably obtain and use them anyway, because the probability of actually getting caught and prosecuted for it is nearly nil if it's not being used in a crime.

    In other words, these laws stop no one except maybe one or two goodie-two-shoes. What's the point?

    1. Re:Are they delusional? by fustakrakich · · Score: 2

      What's the point?

      Provides *probable cause*...

      --
“He’s not deformed, he’s just drunk!”

    2. Re:Are they delusional? by Anonymous Coward · · Score: 1

      No they don't.

      But some well-connected business entities think they can buy legislation that lets them silence people that publish embarrassing information about their products.

To them that's all that matters, because the stock market has become a sort of money fashion show: quarter-to-quarter moves that, in reality, are completely governed by outside appearances. They don't give a damn if their products are insecure. Frankly, products are just a formality. Modern companies mostly exist to game the stock market.

      The governments don't really think anything. They're too busy being pushed over by the multibillion lobbying industry while trying to run countries on ever-shrinking budgets.

      And all of the above is your fault. Yours. Personally. You wanted weak governments that are "business friendly" and cater to "job creators" - Well, you got them. The TPP is a result of that.

    3. Re:Are they delusional? by Anonymous Coward · · Score: 0

To be fair, most governments also think that they can control criminals' ownership/use of firearms with legalese which controls the law-abiding ownership/use of firearms. Same people making this up.

    4. Re:Are they delusional? by gstoddart · · Score: 1

      In other words, these laws stop no one except maybe one or two goodie-two-shoes. What's the point?

      To intimidate researchers into staying quiet, to force them to provide information about exploits so they can use them for their own purposes, to criminalize providing these tools to anybody, and to keep them secret for as long as possible.

      You think this is a clumsy attempt to legislate security risks.

      I think it's a ham-handed play to claim national security jurisdiction over these things ... allowing them to both exploit these things, and be able to use secret provisions to do anything they want to with computer security.

      This isn't government ineptness, this is government overreach and a police state.

      Anything they want to do, because, terrorism.

      Behold my friends ... the inexorable creep of the fascist oligarchy.

      I keep putting on more tinfoil ... but it just ... doesn't ... fucking ... work.

      --
Lost at C:>. Found at C.

    5. Re:Are they delusional? by Anonymous Coward · · Score: 0

      You're answering your own question. Governments don't want white hats operating because they keep closing doors governments can use. They don't want totally secure systems, and they want to control the flow of bug reports and bug fixes.

    6. Re: Are they delusional? by Anonymous Coward · · Score: 0

      Thank you for being rational. This kind of thing happens when government works at the behest of the rich and not of the people. The idiots who keep saying to slash and burn the government have yet to provide an explanation as to just what will keep corporations in check without it. Their mythical free market has never worked in all of history yet they believe in it like a religion.

      Proper regulation HAS worked, and it gave us the best economy and greatest middle class ever seen, which the de-regulators and benefit cutters have all but destroyed now.

Is government too intrusive? Yes. Absolutely. It's too intrusive for regular people because that's in the interests of the one percent. We need government that represents the people, that tells corporations they can't do certain things that we the people don't want them doing. That is how you rein in the sociopaths in the executive suites, and they know it.

      If we could do that, we'd make it possible for people to run businesses instead of running their stock price. People actually used to do that, and it was a good thing. You can't run an honest business making a decent profit and employing people when your competitors run dishonest ones who outsource overseas. That is what we have government to stop, and it's not doing it now because we keep electing corporate friendly politicians and believing the libertarian garbage about how we can all be rich if other people would just stop taking our stuff. Only they don't care who takes YOUR stuff--they care about protecting the ones who already took your jobs, your stability, and your economic future. They want you to give them more and stop complaining about it. If you do want to complain, then complain about these other guys over here, just don't speak the truth about us. That's what they want. It's time to give them what they fear.

  7. Licensing should be mandatory by Stan92057 · · Score: 1

I think so-called security researchers need to be tested and licensed to do what they do. A hairdresser needs a license; an auto mechanic who inspects cars needs to pass tests to get a license. But anyone with a PC can hack whatever, whoever, whenever and answer to no one? Is that somehow fair?

    --
Jack of all trades, master of none

    1. Re:Licensing should be mandatory by smaddox · · Score: 1

      Fairness is irrelevant. If you make it illegal to do security probes, many of the white hats will just go black hat. There's no way to effectively regulate it.

      Or you can start a "war on hackers", which will be even less effective than the other ill-defined wars.

    2. Re:Licensing should be mandatory by bezenek · · Score: 3, Insightful

      In most cases, software engineers do not need to be licensed. Maybe this is another item for the general licensing debate.

      --
Omne ignotum pro magnifico.

    3. Re:Licensing should be mandatory by Wintermute__ · · Score: 1

      I can see it now, licensing test:

      1.) Hack the computer containing this test to give yourself a passing score.

      If you can do this, you are qualified to find security bugs in computer systems. If you cannot, you are not qualified.

      But seriously, what is it that you would be testing for exactly? Proficiency? Morals (people can lie, you know)? Responsibility (ditto)?

    4. Re:Licensing should be mandatory by parenthephobia · · Score: 2

But anyone with a PC can hack whatever, whoever, whenever and answer to no one?

      Uh, no. That's already illegal.

      The proposed changes to the law are sufficiently broad as to potentially make it illegal for me to notify a non-US software vendor about a security flaw I found in their software when probing it on my own computer.

    5. Re:Licensing should be mandatory by Stan92057 · · Score: 1

Who said make security probes illegal? I sure didn't. No hacker should have the power to put everyone at risk because a software maker is taking too long to fix a bug. No software maker should be allowed to sic lawyers and wave copyright in order to get out of fixing bugs. No hacker should be allowed to create software to exploit any bugs, and no hacker should be allowed to show the code or a working exploit for at least 2 years after a bug fix has been issued. Those are my suggestions to create a safer web, a safer computing experience. As it stands now, both sides are being dicks IMO.

      --
Jack of all trades, master of none

  8. lets find ways to screw each other!!!!! by Anonymous Coward · · Score: 0

    Hmm..

    Human kind..

Objective: screw anyone and everyone you can. Find ways around things; who cares about your fellows, who cares about the work around you and how certain decisions affect our society!!!

  9. Bad headline by dlenmn · · Score: 2

    Here's a better headline: Wassenaar Treaty _DRAFT__MAY_ Hamper Bug Bounties

    The summary makes it sound like the treaty is a done deal; it's not. (TFA makes that point.) There's an open comment period through July 20th.

    Yes, it sounds like the proposed wording isn't good. However, the final version isn't done. Give them useful feedback if you'd like. I'm sure the companies who use bug bounties have already given feedback.

    Don't panic, yet.

    1. Re:Bad headline by Anonymous Coward · · Score: 0

      I just hope sane heads prevail here. In the US, treaties supersede the Constitution, so what passes there will take precedence over the First Amendment.

      (Oh, and before people step in to "correct" this, please cite a -single- example where a treaty, or -any- parts of a treaty have been struck down because they were unconstitutional. Marbury vs. Madison was for laws passed domestically, and does not apply to international treaties.)

    2. Re:Bad headline by Anonymous Coward · · Score: 0

Well, poor reporting by the media never helps, but I spend a lot of time hunting through software looking for possible bugs (i.e. lack of sanity checking, failure to check return values, lack of input validation, etc.) in many pieces of Open Source Security Tools, and I'd hate to think they want to turn me into a bad guy just for finding and fixing stuff... SIGH

  10. Dual-use weapons? by Anonymous Coward · · Score: 0

    From TFA:
    > The rules are meant to curb the sale and trade of dual-use weapons ...

    What other use does a weapon have besides killing people?

11. Great, what could possibly go wrong? by Anonymous Coward · · Score: 0

    'That means researchers who find a zero-day vulnerability and develop a PoC exploit triggering the issue, would have to apply for an export license in order to privately disclose their findings with the vendor in question.'

    So we are going to create an economic incentive to move this research outside the US.

    Sounds like an economic opportunity for folks in a more shady part of the world.
    The research won't stop, it will just move somewhere it can do more harm and make more money.

    (Well maybe two more shady parts of the world if you consider inside a TLA also.)