
Security Researchers Wary of Wassenaar Rules

msm1267 writes: The Commerce Department's Bureau of Industry and Security today made public its proposal to implement the controversial Wassenaar Arrangement, and computer security specialists are wary of its language and vagaries. For starters, its definition of "intrusion software" that originally was meant to stem the effect of spying software such as FinFisher and Hacking Team, has also apparently snared many penetration testing tools. Also, despite the Commerce Department's insistence that vulnerability research does not fall under Wassenaar, researchers say that's up for interpretation.
  • Eh? (Score:4, Informative)

    by dtmos ( 447842 ) * on Thursday May 21, 2015 @06:12PM (#49746975)

    How does that first sentence read again? I think someone left out a verb.

    • by Anonymous Coward

      I think the missing word is 'forgot' or is that a reflection on the reading comprehension of the /. editor? I really cannot tell - I'm still trying to re-read the first sentence and decide...

    • For starters, its definition of "intrusion software" that originally was meant to stem the effect of spying software such as FinFisher and Hacking Team, has also apparently snared many penetration testing tools. Also, despite the Commerce Department's insistence that vulnerability research does not fall under Wassenaar, researchers say that's up for interpretation.

      Because nobody wants to piss off military force, that being the NSA because they will be put out of business and they know it. Already too many s

  • by Anonymous Coward

    They can develop and weaponize exploits which means of course how DARE you expose this bullshit illegal activity or harm the reputation of a business by showing that they are FALSE ADVERTISING when saying a product is "secure".

    So let me get this straight....

    1. They launched actual weapons and were caught (Stuxnet, Flame, etc.)
    2. Security researchers have not done this, or they'd be in jail already....
    3. A law is written that bans the security researcher from doing his job or sharing his tools, while legalizi

    • by tnk1 ( 899206 ) on Thursday May 21, 2015 @09:37PM (#49747941)

      I don't think that's particularly odd.

      Try operating a private military and see how long you get away with that.

      Spying and hacking are basically the same: considered to be weaponized, and therefore the state monopoly on force applies.

      Note, I am not passing a judgement on whether the state monopoly on force is a good thing, only that it is generally accepted.

      • Note, I am not passing a judgment on whether the state monopoly on force is a good thing, only that it is generally accepted.

        Guns and software are both subject to bugs, operating errors, and bad or wrong usage. However, software by itself can never kill. Thus, the argument of lowering casualties by restricting weapon traffic does not apply to software. All the arguments that inspired the second amendment, instead, do apply. The right to bear software —any software— deserves to be recognized as an auxiliary to the long-established natural right of thinking and watching, auxiliary to the natural and legally defensib

        • by tnk1 ( 899206 )

          Obviously, software, even weapons software, does not deliver lead or steel to an opponent directly.

          What I think everyone is having trouble with is the fact that software can often make less effective weapons much more effective, or even weaponize information itself.

          It would be interesting to have a Second Amendment like set of rights for encryption and hacking. I don't know that I would oppose that, although I'd like someone to do some serious thinking about the consequences of such. Like the actual Secon

  • It would be nice to have some arguments. I am definitely not in favor of export restrictions again.
  • researchers say that's up for interpretation

    What good is a law if it cannot let the government arrest and/or silence anyone arbitrarily based on the prevailing political winds?

  • by sconeu ( 64226 ) on Thursday May 21, 2015 @07:07PM (#49747275) Homepage Journal

    The .gov says it won't be used against researchers.... until it is.

    • The .gov says it won't be used against researchers.... until it is.

      They won't. They will only use it against cyber-terrorists.

      If you have pen testing tools and they come after you, you are a cyber-terrorist. If they don't, you are a researcher.

  • Stupid (Score:4, Insightful)

    by backslashdot ( 95548 ) on Thursday May 21, 2015 @07:34PM (#49747429)

    This means if your laptop has nmap, Burp Suite, Metasploit, or IDA Pro etc. and you visit China with it... you could be arrested when you come back. How freaking stupid is that? Also, a lot of times it's hard to draw the line between debugging tools and penetration testing tools.

    • Here's the 'clarifying' quote by the director of BIS:

      “Vulnerability research is not controlled nor would the technology related to choosing, finding, targeting, studying and testing a vulnerability be controlled,” said Randy Wheeler, director of the BIS, today during a conference call. “The development, testing, evaluating and productizing of an exploit or intrusion software, or of course the development of zero-day exploits for sale, is controlled.”

      After reading that several times, I'm still not sure what is allowed and what is not.

    • This means if your laptop has nmap, Burp Suite, Metasploit, or IDA Pro etc. and you visit China with it... you could be arrested when you come back. How freaking stupid is that?

      Visiting China with such tools on your laptop? Pretty stupid, unless you're going there to spend a lot of money.

  • In practice this would seem to mean that you are fine so long as the Commerce Department approves of whatever it is you are doing. Tick off the wrong people and the same activity becomes a felony.
  • by WaffleMonster ( 969671 ) on Friday May 22, 2015 @12:08AM (#49748557)

    This document appears to be a comprehensive list of all the technology in the world worth using.
