Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Government Security Software United States Your Rights Online

US Proposes Tighter Export Rules For Computer Security Tools 126

itwbennett writes: The U.S. Commerce Department has proposed tighter export rules for computer security tools and could prohibit the export of penetration testing tools without a license. The proposal would modify rules added to the Wassenaar Arrangement in 2013 that limit the export of technologies related to intrusion and traffic inspection. The definition of intrusion software would also encompass 'proprietary research on the vulnerabilities and exploitation of computers and network-capable devices,' the proposal said.
This discussion has been archived. No new comments can be posted.

US Proposes Tighter Export Rules For Computer Security Tools

Comments Filter:
  • by Anonymous Coward on Thursday May 21, 2015 @09:19AM (#49743333)

    and publish them well away from USoA soil.

    • by ShanghaiBill ( 739463 ) on Thursday May 21, 2015 @10:25AM (#49743917)

      and publish them well away from USoA soil.

      This is what happened with the encryption ban in the 1990s. Companies did their development outside America, using non-Americans. The result was job losses for Americans, atrophy of American skills, and no increase in security. That was predictable, and continued long after the stupidity of the policy was blatantly obvious. But it really takes a special kind of idiocy to do it all over again.

      • by pixelpusher220 ( 529617 ) on Thursday May 21, 2015 @10:53AM (#49744111)
        Let alone no 'increase' in security it's measurably made security WORSE as lots and lots of websites can still use the watered down tools/certificates created by that misguided policy.
      • by Anonymous Coward
        The idiocy you call special is not special, it's rampant.
        • by Flytrap ( 939609 )
          If I could give you a vote for insightfulness I would... I fully agree with you... idiocy is not as rare as the smart people of slash-dot think... its quite common place in the bowels of most governments around the world.
          • To be fair...idiocy isn't any more prevalent than it ever has been. It's just that it's broadcast to the world now instead of just the local bar.
            • by ebvwfbw ( 864834 )

              To be fair...idiocy isn't any more prevalent than it ever has been. It's just that it's broadcast to the world now instead of just the local bar.

              I disagree. We've gone to great lengths to help idiots. We did away with the Duel, we've empowered lawyers to help them and we have all kinds of warning labels now. We have bumper crops of stupid out there. Not only are they around, they're bold. Get pissed off if things aren't as they think they should be. Even if that way is very stupid. Then there are those that act offended.

              Help America - legislate that we remove all warning labels.

      • I totally agree. It seems the US government is out to drive any innovation in tech/IT to other countries, through their lack of understanding and fear of change.

      • The effects of the encryption export bans from the 1990s haunts us today in the form of the "logjam" vulnerability. Those stupid "export-grade" ciphers for HTTPS are still around and can potentially be cracked with a big enough box of GPUs. Worse yet is that a heap of browsers and servers will go for the garbage ciphers first. In light of this reality, one must wonder how this kind of authoritarian bullshit will swat us all in the digital testicles 10-20 years from now.
  • by fustakrakich ( 1673220 ) on Thursday May 21, 2015 @09:20AM (#49743347) Journal

    Ah, but this time it's different!

    • Ah, but this time it's different!

      Yes. The companies already know how to set up foreign subsidiaries that will officially develop the tools restricted by this so there is no export. They learned from last time.

    • Yeah, it's "on the interne"... erh... wait, can I start over?

    • by Gizan ( 3984275 )
      This time the content is Hosted in Ireland!! its not being exported :)
  • by Anonymous Coward

    Sourcecode is speech.

    Opensource people: Do NOT obey this.

  • Stupid ... (Score:5, Insightful)

    by gstoddart ( 321705 ) on Thursday May 21, 2015 @09:21AM (#49743359) Homepage

    Once again lawmakers don't understand the issue.

    Making the tools illegal doesn't mean people who plan on doing illegal things won't have them.

    It also assumes that the best such tools come from America.

    This is idiot lawmakers who don't understand technology passing laws trying to fix it. So, saying it's extra special illegal to break the law achieves absolutely NOTHING, and it prevents people from studying actual security holes because the tools are limited.

    Can we make it illegal to be stupid? That would be awesome!

    • Re:Stupid ... (Score:5, Insightful)

      by anagama ( 611277 ) <obamaisaneocon@nothingchanged.org> on Thursday May 21, 2015 @09:44AM (#49743577) Homepage

      Making the tools illegal doesn't mean people who plan on doing illegal things won't have them.

      I think there is a better than even chance that the lawmakers understand this perfectly well, but that the real purpose of the law is to harass people who hold and publish views the government doesn't like by putting together a persecution [intended typo] with a 100 year sentence based on extreme applications of criminal laws. Their hope is that the target either plea bargains to something less that will still remove that person from the general population, or better yet from the Fed's perspective, prompts that person to just kill him/herself out of hopelessness.

      • by brunes69 ( 86786 )

        It's a law against export, not possession.

        The only result of laws like this is the off-shoring of jobs related to the creation of computer security tools.

        This is why I had to laugh at the slant of the summary for the Kaspersky article yesterday, claming that it was negative that the product came from Russia. In actual fact, the fact that the product is not made in the US protects it from crap like this.

    • Re: (Score:2, Insightful)

      Once again lawmakers don't understand the issue.

      I hate it when you people say that! They have their orders. They understand perfectly well what they are doing. It is the voters that are ignorant and stupid and thus blindly follow them. And in that ignorance it is the voters that give value to the campaign dollar. The politician is not the idiot here.

    • Department of Commerce would be bureaucracy, not really Congress (lawmakers). Though in this age and with this administration, maybe you're right!
    • If we could that would solve 90 of more % of this nations issues.

      My favorite security researcher, come on we're nerds I know you have one too, is not even a US citizen not sure his nationality but he lives in Malta.

      I'm sure this won't slow him down as he's been at it over a decade.

      Yes Luigi, I'm referring to you!
    • It also assumes that the best such tools come from America.

      And doing crap like this makes sure that if it is still the case, it will not be for long. Development with either move, or get surpassed.

    • by mspohr ( 589790 )

      If we made it illegal to be stupid, where would we find politicians?
      However, it is hard to believe that they are this stupid.
      Perhaps next they will try to build a wall to prevent those rogue 1s and 0s from being smuggled out of the country.
      I'm sure one of our defense contractors will be happy to tell them it will work and charge big bucks for building it.

      • If we made it illegal to be stupid, where would we find politicians?

        If we made it illegal to be stupid, who would be left to vote for them?

        • If we made it illegal to be stupid, where would we find politicians?

          If we made it illegal to be stupid, who would be left to vote for them?

          One of the main things required for a functioning US style democracy is a crappy education system.

    • Re:Stupid ... (Score:5, Insightful)

      by Endymion ( 12816 ) <slashdot.org@thoughtnoise. n e t> on Thursday May 21, 2015 @10:30AM (#49743959) Homepage Journal

      It is dangerous to assume stupidity - especially when the people in question are making threatening gestures in your direction. What you describe is one possibility. Another is that these lawmakers (or the people they work for) DO understand these issues, and the inevitable problems that arise are the expected outcome.

      Yes, Hanlon's razor is a good heuristic most of the time, but in this case we have a pattern. Technology that empowers people (e.g. real crypto/security, better communications technology like the internet) has been attacked fairly consistently. Tools and methods have been criminalized in the past with alarming frequency. For this specific issue, there are a lot of people invested in the status quo [projectbullrun.org] of where computers ("ii.e. "most products", eventually) are easily monitored/tracked, and easily attacked if the need arises. Dan Geer described our situation very accurately in his outstanding talk last year [youtube.com]: the current strategy of the US government (and others) with regards to network security is "all offense".

      When proposals like this happen, people are tying to shape your future. Maybe they want to get an actual law passed. They just want to use a confusing topic in a show for the benefit of their constituency. Maybe the goal is propaganda or shifting the Overrton window [wikipedia.org]. Whatever the purpose, we would be lucky to have stupid lawmaker which we can at least attempt to fix with education. Unfortunately, what looks like stupidity is often agenda, and underestimate their threat at your own peril.

      • by PPH ( 736903 )

        the inevitable problems that arise are the expected outcome.

        Right. Keep this in mind the next time you get your laptop confiscated by Customs for having a copy of nmap on it.

    • Lawmakers have never understood the issue, no matter what the issue is.

    • by jodido ( 1052890 )
      except who's gonna enforce that?
    • by ebvwfbw ( 864834 )

      Not just America. Bunch of countries, even Australia. You know, we don't have any military nationals in America or the other countries.

      Ok, are your sides hurting yet from laughing?

  • Hot air, nothing compared to the US self imposed brain drain caused by fucked up policy, gamed and broken system. If they don't want to see things that are better in the hands of other countries then they should rethink the way things have been going in the US for the last 60+ years. The policy of 'keeping the people stupid' is not going to produce a superior product in any sector anyway so where are these idiots coming from on this?

    • Hot air, nothing compared to the US self imposed brain drain caused by fucked up policy, gamed and broken system. If they don't want to see things that are better in the hands of other countries then they should rethink the way things have been going in the US for the last 60+ years. The policy of 'keeping the people stupid' is not going to produce a superior product in any sector anyway so where are these idiots coming from on this?

      An economic/social collapse is what those in power need to roll out martial law and complete the final stages of the "fundamental transformation of America" to a police state.

      Strat

      • An economic/social collapse is what those in power need to roll out martial law and complete the final stages of the "fundamental transformation of America" to a police state.

        They are going to get it because it is the desire of those in power, CIA analysts have come forward now stating that the "3rd world depression is no longer avoidable". I think world depression is a bit on the dramatic side though, I think the rest of the world is likely to contain it to the US/UK. Rusky/China have been getting cozy f

      • by dave420 ( 699308 )
        Paranoid, much?
        • Paranoid, much?

          Head in the sand, much?

        • Paranoid, much?

          Those that would mistake paranoia with basic observational skills referencing events over the last 60 years are likely be on some type of 'agenda'. What some call paranoid, others are calling it 'having a big mouth', but you don't see that part now do you?

          • Paranoid, much?

            Those that would mistake paranoia with basic observational skills referencing events over the last 60 years are likely be on some type of 'agenda'. What some call paranoid, others are calling it 'having a big mouth', but you don't see that part now do you?

            Don't bother. Just check Dave420's post history. He's drank so much of Leftist/Social Justice kool-aid that California is considering sanctioning him for the amount of water he wastes.

            Strat

            • I read Dave420's post history. I also read yours. He's a liberal, and you are a raving paranoid lunatic that no one wants to talk to.
  • by Anonymous Coward

    Why would they want software running around that could conceivably reveal what the US governments & friends are up to? No sir, we can't have that.

    The funny thing is that this will just obliterate what little economy they still had in that area and send the whole thing overseas. So the net result will be, if anything, even less control over that software than before. Good jawb guys!

    • The funny thing is that this will just obliterate what little economy they still had in that area and send the whole thing overseas. So the net result will be, if anything, even less control over that software than before. Good jawb guys!

      And piss off people that might otherwise be on their side. "To fight our enemies, we need to make more enemies!"

  • Didn't we try something like this already? It seems like the only thing this would really do is move the development of some pretty popular tools to overseas locales.
    IANAL, does anyone know what effect this would have on things like Wireshark and Metasploit?
  • by Hrrrg ( 565259 ) on Thursday May 21, 2015 @09:25AM (#49743387)

    Haha! No more Norton AV for you!

  • by Anonymous Coward

    The US government still thinks that the US is still ahead of everyone when it comes to computer and software technology.

    So, all that work that's offshored is done by programmers with memory issues? And the same with the H1-bs?

    Requirements for job:

    Security and penetrations programming and testing. Early onset Alzheimer's and/or severe drug and alcohol addiction, ....

  • Logjam (Score:5, Insightful)

    by Kippesoep ( 712796 ) on Thursday May 21, 2015 @09:30AM (#49743419) Homepage
    So, just as the net is reeling from the latest SSL/TLS vulnerability, Logjam, which is in large part due to the export restrictions on cryptographic technology from 20 years ago, politicians are at it again. I wonder how this will end up biting everybody in the arse in the future. Possibly not as directly as in the case of Logjam, but perhaps restricting such tools will mean that certain critical vulnerabilities may not be discovered in time, or not reported.
    • by Dunbal ( 464142 ) *

      will mean that certain critical vulnerabilities may not be discovered in time, or not reported.

      Which, if you think about it, works in Big Brother's favor. Again.

    • ...perhaps restricting such tools will mean that certain critical vulnerabilities may not be discovered in time, or not reported.

      Well yes, that is the idea. Reporting these kind of things will become illegal [slate.com] (for an example how it's happening in meatspace)

  • Just proprietary? (Score:5, Interesting)

    by Rich0 ( 548339 ) on Thursday May 21, 2015 @09:31AM (#49743431) Homepage

    I'm interested in whether this is limited to ONLY proprietary research.

    I could actually see an argument for banning export of such research. Do we really want companies finding flaws in widely-used software, keeping those flaws secret from the software vendors and the general public, but then selling details on those flaws to others who could potentially turn around and exploit them? In a sense, this does sound like a munition.

    I don't see the same concern with public research. If you disclose a vulnerability publicly, then everybody can fix it, and that strengthens the ecosystem instead of weakening it.

    If the ban were limited to proprietary research, I don't see it as a bad thing. Of course, it does nothing to keep companies from selling their findings to NSA contractors and such, but I don't expect the US to lift a finger to ban practices like these.

  • And Of Course... (Score:4, Informative)

    by BlueStrat ( 756137 ) on Thursday May 21, 2015 @09:33AM (#49743445)

    ...What they mean by "export" is posting downloads or links to downloads of source code or binaries on the 'net.

    Just another restriction on the communication of knowledge & free speech in the "Land of the Free".

    The US I grew up in during the 1960s/'70s is dead.

    Strat

    • The US I grew up in during the 1960s/'70s is dead.

      Oh, thank god! Who wants to relive Johnson/Nixon? And look what it gave us, the 80s, and he *who shall not be named*!

      • by Anonymous Coward on Thursday May 21, 2015 @10:26AM (#49743929)

        And look what it gave us, the 80s, and he *who shall not be named*!

        That's a pretty rude way to make fun of Prince's trademark woes.

      • by Anonymous Coward

        The US I grew up in during the 1960s/'70s is dead.

        Oh, thank god! Who wants to relive Johnson/Nixon? And look what it gave us, the 80s, and he *who shall not be named*!

        Agreed!

        Individual liberty and rule of law is for old people!

    • I think you mean: "The (place) I grew up in (when I was unaware of all the problems that existed and everything seemed perfect) during the (any time in all of history)'s is (overly dramatic demise)." Clearly the 90's were where it was at though.
  • Yeah... Let's make "security through obscurity" the law of the land.

    That'll help so much.

    Effin' idiots.

  • First [wikipedia.org] Amendment [wikipedia.org] says "Kiss my ass" to export restrictions.

  • by Last_Available_Usern ( 756093 ) on Thursday May 21, 2015 @09:56AM (#49743691)
    You can find any piece of software you want online with almost no effort, and the folks who want this kind of software are going to be better at finding it than me. So why create restrictions to block something that is so ridiculously easy to obtain already?
  • by Simon ( 815 ) <simon&simonzone,com> on Thursday May 21, 2015 @10:04AM (#49743745) Homepage

    Sure, this law won't stop these tools from leaving the USA, but may still be effective in bullying and retaliating against US based security researchers when they piss off the wrong people.

    You presented your research at a conference outside the US? => That's export.
    You put your software up on the web for everyone? => That's export.
    You posted details to a mailing list which is hosted outside the US? => That's export.

  • This would make developing things such as metasploit and nmap near impossible, as well as most Free/Open security testing tools.(there is no way to really prevent Free software from crossing borders)
  • ... it will discourage hackers from just breaking in and getting the stuff.

  • by koan ( 80826 )

    Well you can't stop people from getting these tools, you may be able to keep people from selling them.

  • by Opportunist ( 166417 ) on Thursday May 21, 2015 @11:26AM (#49744363)

    Your jurisdiction, unlike the traffic of the internet, is limited to your own country. And the countries you control. Which is a lot, I give you that, but by no stretch whatsoever it's all.

    Also: Money trumps laws. Twice so if corporations are involved. If $evil_bastard_country wants to throw money at whoever sells them $supersecret_technology, corporations will not obey your law, they will race against each other to find the loophole. Which usually ends in the tech involved being developed abroad by those suspicious foreigners and then sold to the $evil_bastard_country.

    The net effect for the US of such a ban is a loss of jobs, loss of knowledge and most of all valuable IT security information in the hands of whatever foreign country was smart enough not to be as stupid as you are, putting shackles on your own ITSEC industry.

  • Please Comment (Score:5, Interesting)

    by terbeaux ( 2579575 ) on Thursday May 21, 2015 @11:57AM (#49744601)
    The opened a public comment period. Please send them your comments and let them know what you think. https://www.federalregister.go... [federalregister.gov]
  • by Anonymous Coward

    The only way to stop a bad guy with a script kiddie tool is a good guy with a script kiddie tool.

  • At this point, it's pretty much moot.

    The tools are already out there.

    Cutting off now accomplishes JACK SHIT. And all the tools will simply be mirrored outside the US.

    The especially bad part? Look at the whole encryption export debacle.

    Basically most of the meaningful security jobs and development will move outside the US.
    Sure, we'll have in-country development, but it'll be happening in a vacuum, as nobody else will want to touch development of tools they can't legally use.
    Meaning that security tools in g

  • The idea that the US is some how in charge of how security researchers spend their energies will be its own undoing. Research will be done outside the US. Security researchers have long memories. Nothing stops them from doing all of their research outside the US. And nothing will stop them from denying US interests access to their tools, research, and discoveries.

    Customers in the united states will still find out about the vulnerabilities. They'll find out after they are penetrated.

    Thankfully stupidity is n

  • People who can defend themselves tend to make their own decisions. This has not escaped the notice of governments.

  • If you don't like this idea, send an email (as they request) to Sharron Cook, publiccomments@bis.doc.gov. Please refer to RIN 0694-AG49 in all comments and in the subject line of email comments. Explain why you think it's a bad idea, with reasoned arguments. Before commenting, you should read the proposal first: https://www.federalregister.go... [federalregister.gov]
  • We did this with encryption and ended up causing a shit ton of problems down the road, problems that are seriously affecting us today.
  • Penetration tools are critical to almost all IT professionals and it's often to recommend tools to friends all over the world. The reason penetration tools exist is to test your network, software and all other manors of holes. So why need a license to export?
  • NOT!

    Considering most of the good ones come from Russia, China, and India.

We all agree on the necessity of compromise. We just can't agree on when it's necessary to compromise. -- Larry Wall

Working...