The US Bureau of Industry and Security just published an FAQ about the proposed implementation of the Wassenaar Arrangement.
Click here for the FAQ - after checking it out (or the quotes below)…
What are your thoughts on the proposed changes and the clarifications in this FAQ?
Some highlighted sections:
Doesn’t the rule potentially criminalize hacking?
No. The rule would control the export of hardware and software delivery tools, as well as the export of technical data for developing exploits (“intrusion software”). The rule as proposed would not control the export of exploits to a target system since “intrusion software” would not be controlled. Also, the Export Administration Regulations (EAR) do not control services, only the export of commodities, software and technology. Thus, “hacking”, as that term is generally understood, does not fall under the jurisdiction of the EAR, except to the extent there is an associated export of hardware, software, or technical data.
Doesn’t the rule expose researchers to criminal prosecution if they carry information on exploits to a public conference, unless they publish it before the conference?
Under Section 734.7 of the EAR, information that is published, or released at an open conference, is not subject to the EAR. That section also specifies that it would not be an export to transfer the technical data to conference organizers with the intent that it will be published at the conference.
BIS welcomes comments on whether further clarification is needed on when information potentially subject to these rules would be considered “publicly available” and not subject to the EAR.
I’m trying to figure out how
> “Also, the Export Administration Regulations (EAR) do not control services, only the export of commodities, software and technology. Thus, “hacking”, as that term is generally understood, does not fall under the jurisdiction of the EAR, except to the extent there is an associated export of hardware, software, or technical data.”
meshes with FAQ #1 where it says
> “Thus, transferring or exporting exploit samples, exploit proof of concepts, or other forms of malware would not be included in the new control list entries and would not require a license under the proposed rule.”
I’m pretty sure exploit samples are technical data. Perhaps the FAQ is not explicit enough regarding the intent (just as the original proposal was not explicit enough and required an FAQ to explain), which is worrisome, because when passing cyber legislation I think we need to be REALLY CLEAR what it covers.
One important part in the FAQ is number 10.
> Q: If an IT security researcher had done an analysis on a software application to find a vulnerability in the code, had written up code to then take advantage of the vulnerability and then sent that code to an anti-virus company or the software manufacturer, would that code require an export license?
> A: “The code that takes advantage of the vulnerability would not require a license. As stated above, “intrusion software” itself would not be controlled by the proposed
> For any associated technology for the “development” of “intrusion software”, under section 734.7 of the EAR, any technical data sent to an anti-virus company or software manufacturer with the understanding that the information will be made publicly available, would not be subject to the EAR.”
Unfortunately, the words publicly available aren’t defined.
It is interesting how things sort of come full circle. Almost 25 years ago Phil Zimmermann was all but run out of this fair country of ours because a tool he created to foster civil liberties had found its way across the pond. It took 5 years to convince Bill Clinton to sign EO 13026 (thanks to Mr. Junger). The Executive Order transferred cryptographic systems with greater than 40-bit key length from the Munitions List to the Commerce Control List. What followed was some comical back and forth between the Justice Dept, the Commerce Dept, civil libertarians, and Silicon Valley… in the end the Fed threw up its hands and in 2000 opened the floodgates. My point, and the reason why we are going down memory lane: during all of this turmoil and uncertainty encryption never died. The technology evolved, the research still went on, even when it was considered taboo to do so.
Today, I can go to any online gunsmith and purchase an unregistered AR15 80% lower (like this one: http://daytonatactical.com/products/80-ar15-lower-receiver). Purchasing a full 100% lower (the only part of a firearm the US Govt tracks, controls, and regulates) would require paperwork, and (here in California) a background check. Buying a precision piece of aluminum that a machinist with ADD started and never finished requires nothing more than coming up with the money to pay for it. Even better, using Bitcoin and a drop shipper, the Govt would have zero trace of my having purchased a lower, let alone of my having a complete weapon. Again, my point? If the Govt wants to define “intrusion” tools, then that definition only covers what they consider to be runnable code. A so-called “80%” exploit would be perfectly legal. You can get creative on how you want to slice and dice your 80%, but it would have to require some amount of “machining” that is non-trivial (such as the remaining 20% of the AR15) but relatively simple for somebody with enough expertise to get some legitimate value out of the exploit/PoC.
Thirdly, and finally, this whole industry was founded on living outside the prescribed boundaries. Our ‘security research’ has only really been legitimized in the last 10 years; most of us were working long before that, and we will be working long after this bill and all the rest of them. If the idea of living on the edge of legal/illegal is too close to home, and a tough burden, then maybe a change in career is what is needed. How effective of an industry can we be if we are constantly butting up against the very laws our representatives are passing? Our value is that we need to think, act and be like our enemy, and sometimes that means throwing off the shackles of government conformity and accepting the responsibility and risk of operating outside the law.
The term ‘stunt hack’ has been used to characterize operations that are more for the people playing the home game than for the industries they serve; this bill is a similar piece. It is meant to show the public that Congress is doing ‘something’.
Just my $0.02…and change…