Chilling Effect of the Wassenaar Arrangement On Exploit Research
Bismillah writes: Security researchers are confused as to how the export control and licensing controls covering exploits affect their work. The upcoming Wassenaar restrictions were expected to discourage publication of such research, and now it's already started to happen. Grant Wilcox, writing his dissertation for the University of Northumbria at Newcastle, was forced to take a better-safe-than-sorry approach when it came time to release the vulnerabilities he found in Microsoft's EMET 5.1. "No legal consultation on the matter took place, but Wilcox noted that exploit vendors such as Vupen had started to restrict sales of their products and services because of new export control and licensing provisions under the Wassenaar Arrangement. ... Wilcox investigated the export control regulations but was unable to clarify whether it applied to his academic work. The university did not take part. He said the provisions defining which type of exploits and software are and aren't controlled were written in ambiguous language and appeared to contradict each other."
These were, in all likelihood, written by industry and handed to government to implement.
Which means they've been carefully crafted to mean whatever is most advantageous to corporate interests and interpreted however they need it to be interpreted.
These are nothing more than gag laws, designed to block and intimidate people.
You're not supposed to be able to know when they apply.
He said the lack of clarity on exploits in the Wassenaar Arrangement was "creating a chilling effect on the security research community, as people are unsure if their research/company's work/interests will violate the arrangement or not".
"I would prefer exploits not to be regulated in such a tight manner as it prohibits people from learning and improving their security," Wilcox said.
If you outlaw exploits, then only the outlaws (Hacking Team, Vupen, Gamma, [Insert Gov Intel/LEA/Military], etc. ) will have exploits.
It now becomes 100% legal to report any exploit to them at any time. Once an exploit has been submitted, they independently confirm it works and report the exploit to the appropriate author. They also give the author a deadline to fix, based on severity of the exploit - somewhere between one week and one year.
After that deadline is up, the Council itself will publish the exploit, giving the original submitter full credit.
Anyone that successfully submits an exploit gets official 'submitter' rights, granting them the right to vote on replacements for the Academics. Anyone that has an exploit in their code submitted gets official 'victim' rights, granting them the right to vote on replacements for the Business council members. The President continues to appoint the government chair.
Officials will be retrieving the assets including and within spitting distance of the development and testing of the exploits in... three... two... one...
Torify all of it. Now everything will be driven underground.
Research just has to be done under pseudonyms and posted to wikileaks or similar.
You've been making profits for too long. From this day forth, you must pay a $250,000 licensing fee to conduct security research. General purpose computers are now tools of terror, owners must register their computers in 90 days and pay a yearly tax of $1000/computer or $5000/laptop. Anyone who fails to comply will be subject to the harshest penalties the CFAA has to offer.
Your pals,
The defense industry.
He said the provisions defining which type of exploits and software are and aren't controlled were written in ambiguous language and appeared to contradict each other.
Of course they were. And the old saw about "never ascribe to malice that which can be explained by stupidity" doesn't apply when it keeps happening ("once is happenstance, twice is coincidence, three times is enemy action").
These things are written by lawyers. The ambiguity ensures work for more lawyers. It also gives leverage to those in power. (See the monologue in "Atlas Shrugged" on the government passing laws so that it's impossible not to violate at least one, because they have no leverage on innocent people. Say what you will about Rand's philosophy, she got that part right.)
So how is the legalese more ambiguous than calling everything vaguely security related a hack, every activity related to that hacking, and every s'kiddie a hacker?
Especially in deeply technical fields with legal implications it is important that the practitioners know very well what they are doing and can explain it to lay people too. The cyber computer cyber security cyber industry has made it a point to deliberately confuse the issue to the point they reduced themselves to bickering over what colour their virtual hat was, and who is more "ethical" than whom. Thus it is no surprise that various laws in various countries and now even international treaties are worse than useless, simply because they are so vague and open for interpretation. Thus "justice" is available for the highest bidder, and so big interests win. Well done, would-be cyber freedom cyber cowboys of the cyber information cyber age. Well done indeed.
and you'll see that they don't apply to academic research or communication in general providing no items considered as standard products for the purpose of being distributed as such to clients.
There's a mechanism in US law to deal with this kind of thing. It's called a "declaratory judgment," where a plaintiff who has reason to be afraid that the law will be enforced to land him in prison or bankruptcy sues for a judgment that either the law doesn't forbid his (in this case) publication of his research or that the Constitution forbids a law that would. Yeah, such suits ain't cheap. Fortunately there are several nonprofits that exist to fight exactly that kind of battle.
Lacking <sarcasm> tags,
A recent SCOTUS case had the feds saying that a treaty trumps state law. The ruling went against the feds 9-0 but some justices said the decision did not go far enough in clarifying situations where Treaties conflict with State and Federal law.
When will we start electing politicians that actually know about IT security? Or about IT? Or, if nothing else, about anything?
Shut up and be quiet. Knowledge is a weapon and we can only achieve a safe society if all the weapons are under the strict control of supranational entities whose leaders are not accountable to the populace. The recent events in Europe have demonstrated once and for all that democracy does not and can not work. Ever. We need an oligarchy that comprises only the Elite. The rest must obey, for their own good. End of debate. Dissent will not be tolerated.
...researchers are exchanging information with those subject to the gag being kept out of the loop because, well, if you can't bring anything to the table...
Or, in short, if you outlaw information, only outlaws have information.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
The Wassenaar Arrangement is only valid in 41 countries. Many warm countries seem not to have signed it. Hmm, summers in Iceland, winters in Albania then.