
Chilling Effect of the Wassenaar Arrangement On Exploit Research

Bismillah writes: Security researchers are confused as to how the export control and licensing controls covering exploits affect their work. The upcoming Wassenaar restrictions were expected to discourage publication of such research, and now it's already started to happen. Grant Wilcox, writing his dissertation for the University of Northumbria at Newcastle, was forced to take a better-safe-than-sorry approach when it came time to release the vulnerabilities he found in Microsoft's EMET 5.1. "No legal consultation on the matter took place, but Wilcox noted that exploit vendors such as Vupen had started to restrict sales of their products and services because of new export control and licensing provisions under the Wassenaar Arrangement. ... Wilcox investigated the export control regulations but was unable to clarify whether it applied to his academic work. The university did not take part. He said the provisions defining which type of exploits and software are and aren't controlled were written in ambiguous language and appeared to contradict each other."
  • No shit .... (Score:5, Insightful)

    by gstoddart ( 321705 ) on Monday July 06, 2015 @12:00PM (#50054793) Homepage

    These were, in all likelihood, written by industry and handed to government to implement.

    Which means they've been carefully crafted to mean whatever is most advantageous to corporate interests and interpreted however they need it to be interpreted.

    These are nothing more than gag laws, designed to block and intimidate people.

    You're not supposed to be able to know when they apply.

    • Re: (Score:2, Insightful)

      by Anonymous Coward
      Actually it seems most laws are written that way these days. Very vague and impossible to know what exactly they mean when reading them.
      • And what's gloriously funny is that there will be a huge increase in the private exploit business, as no government seems to be able to kill either Tor or the "dark web".

        It's a laughable idea, and censorship at its silliest.

  • by gurps_npc ( 621217 ) on Monday July 06, 2015 @12:06PM (#50054841) Homepage
    Create a government funded council of exploits. Appoint the first 5 members, 1 government employee, 2 academics, and 2 from business.

    It now becomes 100% legal to report any exploit to them at any time. Once an exploit has been submitted, they independently confirm it works and report the exploit to the appropriate author. They also give the author a deadline to fix, based on severity of the exploit - somewhere between one week and one year.

    After that one deadline is up the Council itself will publish the exploit giving the original submitter full credit.

    Anyone that successfully submits an exploit gets official 'submitter' rights, granting them the right to vote on replacements for the Academics. Anyone that has an exploit on their code submitted gets official 'victim' rights, granting them the right to vote on replacements for the Business council members. President continues to appoint the government chair.

    • >> 5 members, 1 government employee, 2 academics, and 2 from business
      >> President continues to appoint the government chair

      So...three from business then? (Result: exploit will never be published.)

    • Where the situation gets complicated isn't so much who handles the exploits, it's during the research.

      You're a security researcher, you've got a couple of potential holes you're looking into; crash bugs you might be able to leverage into execution then chain them to break through a browser sandbox, say, but they're not yet ready for submission to the vendor. Then you travel overseas to a conference to present some interesting related techniques. You bring your laptop with some of your unpublished recent res

  • Officials will be retrieving the assets including and within spitting distance of the development and testing of the exploits in... three... two... one...
  • Research just has to be done under pseudonyms and posted to wikileaks or similar.

    • Research just has to be done under pseudonyms and posted to wikileaks or similar.

      Publish your PhD thesis under a pseudonym on Wikileaks? That's going to work great when applying for a job through Tor.

      • It's much safer to do your PhD on why water is wet. This business requires more extreme measures to get the word out. If the priority is fame, it will be a one time thing.

  • by Anonymous Coward

    So how is the legalese more ambiguous than calling everything vaguely security related a hack, every activity related to that hacking, and every s'kiddie a hacker?

    Especially in deeply technical fields with legal implications it is important that the practitioners know very well what they are doing and can explain it to lay people too. The cyber computer cyber security cyber industry has made it a point to deliberately confuse the issue to the point they reduced themselves to bickering over what colour their

  • by Anonymous Coward

    and you'll see that they don't apply to academic research or communication in general providing no items considered as standard products for the purpose of being distributed as such to clients.

  • Declaratory judgment (Score:4, Informative)

    by overshoot ( 39700 ) on Monday July 06, 2015 @01:45PM (#50055853)
    There's a mechanism in US law to deal with this kind of thing. It's called a "declaratory judgment," where a plaintiff who has reason to be afraid that the law will be enforced to land him in prison or bankruptcy sues for a judgment that either the law doesn't forbid his (in this case) publication of his research or that the Constitution forbids a law that would. Yeah, such suits ain't cheap. Fortunately there are several nonprofits that exist to fight exactly that kind of battle.
  • Meanwhile ... (Score:4, Insightful)

    by PPH ( 736903 ) on Monday July 06, 2015 @02:29PM (#50056269)

    ... the market for zero-day exploits continues unabated on the dark net. I guess the cyber criminals haven't gotten any negative feedback concerning Wassenaar restrictions from their legal departments.

    • by CBravo ( 35450 )
      As if there is ever a shortage of new exploits. Since security is not the first design criterion in current system design, it will not be secure. We don't even know how. Just hope you catch the flukes that surround an actual break-in.
  • by X10 ( 186866 ) on Monday July 06, 2015 @02:35PM (#50056337) Homepage

    When will we start electing politicians that actually know about IT security? Or about IT? Or, if nothing else, about anything?

  • ...researchers are exchanging information with those subject to the gag being kept out of the loop because, well, if you can't bring anything to the table...

    Or, in short, if you outlaw information, only outlaws have information.

  • The Wassenaar Arrangement is only valid in 41 countries [wikipedia.org]. Many warm countries seem not to have signed it. Hmm, summers in Iceland, winters in Albania then.
