posted by n1 on Thursday May 21 2015, @06:55PM
from the what-is-this-bis dept.

The Register and Threatpost report that the U.S. Department of Commerce may enshrine the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies into law, banning the export of zero-day vulnerabilities without permission:

The Bureau of Industry and Security (BIS) proposes to implement the agreements by the Wassenaar Arrangement (WA) at the Plenary meeting in December 2013 with regard to systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software; software specially designed or modified for the development or production of such systems, equipment or components; software specially designed for the generation, operation or delivery of, or communication with, intrusion software; technology required for the development of intrusion software; Internet Protocol (IP) network communications surveillance systems or equipment and test, inspection, production equipment, specially designed components therefor, and development and production software and technology therefor.

BIS proposes a license requirement for the export, reexport, or transfer (in-country) of these cybersecurity items to all destinations, except Canada. Although these cybersecurity capabilities were not previously designated for export control, many of these items have been controlled for their "information security" functionality, including encryption and cryptanalysis.

This rule thus continues applicable Encryption Items (EI) registration and review requirements, while setting forth proposed license review policies and special submission requirements to address the new cybersecurity controls, including submission of a letter of explanation with regard to the technical capabilities of the cybersecurity items. BIS also proposes to add the definition of "intrusion software" to the definition section of the EAR pursuant to the WA 2013 agreements.

A 60-day comment period ends July 20th.

 
  • (Score: 2) by bob_super (1357) on Thursday May 21 2015, @07:03PM (#186157)

    So, since "legit" penetration companies already clear their stuff with the TLAs, and white hackers talk to companies before releasing details, who's the intended law-abiding target of this proposal?

  • (Score: 3, Insightful) by BananaPhone (2488) on Thursday May 21 2015, @07:54PM (#186180)

    Anonymous

  • (Score: 5, Interesting) by middlemen (504) on Thursday May 21 2015, @08:19PM (#186185)

    who's the intended law-abiding target of this proposal?

    The real targets are companies like Exodus Intel, Veracode, Immunity, TippingPoint, Rapid7 and companies whose business is to sell exploits to various government and private entities across the world. Another company is VUPEN, but they're in the EU and already affected by this.

    The other target is no-name exploit developers who are working in their free time to find an exploit so that they can find that magic 0-day and make a killing for that year - hackers such as Geohot and others.

    Another target is the guys like Saurik who are jailbreaking iPhones and such. Since a jailbreak is a 0-day exploit first, and then used by all to the chagrin of phone companies, this will apply to them as well.

    Who benefits? 0-day exploit writers in non-US and non-EU countries such as those in Asia.

    Who else benefits? Government agencies and private entities who buy such 0-day exploits in the US and EU. Since there are only maybe 3-letter agency buyers now, the value of the 0-day will drop if you want to legally sell it and report it on your tax return.

    Currently a valuable 0-day exploit can go for 100s of 1000s of dollars if it targets browsers or iOS or Android phones.

    Such an agreement will drop the legal customer base to a small number and hence force the price drop on the 0-day sellers as well.

    • (Score: 2) by frojack (1554) on Thursday May 21 2015, @08:40PM (#186192)

      So basically a few companies making a living semi-openly selling zero-days (and probably most of their business is clandestine).

      Seems to me that even notifying a company outside the US of a vulnerability in software that they publish could fall under this ruling.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 4, Interesting) by middlemen (504) on Thursday May 21 2015, @08:45PM (#186194)

        (and probably most of their business is clandestine).

        Some of those companies are listed on the stock exchange! Definitely Veracode is ...

        They also sell security products and are providing their customers security by finding more 0-days and integrating them into their security applications and appliances to help track malware that contains those 0-days. That is the standard jargon.

        Selling those 0-days clandestinely is done through consulting and customization services which have no detailed paper trails (no citation available for obvious reasons). Not all of them do it this way though.

        Some like VUPEN explicitly say that they sell 0-days only to governments and entities they like to sell to and that don't curb their citizens' freedoms.

    • (Score: 3, Insightful) by c0lo (156) on Thursday May 21 2015, @10:01PM (#186222)

      0-day will drop if you want to legally sell it and report it on your tax return.

      ??? I know, I'll write a book and sell it as literature for the weird guys that enjoy such creations.

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 2) by middlemen (504) on Friday May 22 2015, @01:07AM (#186269)

        I'll write a book and sell it as literature for the weird guys that enjoy such creations.

        What Phil Zimmermann did for PGP cannot be compared to 0-days. 0-days are worth money if no one knows about them. PGP was worth money if everyone knew about it.

    • (Score: 3, Insightful) by kaszz (4211) on Thursday May 21 2015, @10:01PM (#186223)

      What law forbids exports of these things inside EU?

      And what hinders export of some sneaky little lines of code?

      • (Score: 3, Interesting) by edIII (791) on Thursday May 21 2015, @11:20PM (#186249)

        *bing* *bing* *bing*

        It's not an export, if it's given away freely and on an extremely advanced communications platform that reaches worldwide.......

        What's so blissfully amusingly stupid is that if it is designed to hamper this kind of dissemination of code, it's completely bypassed just by setting up servers in that country and "finding" the files somehow locally. None of this actually stops the dissemination of code, only the effective ability to be paid for it, and receive it into typical financial institutions.

        Zero-day exploits that remain hidden for these purposes are just the products of sadists, assholes, and other such socially malfunctioning people. So the specific exploits that make jailbreaking iPhones and Android devices possible will most likely remain unconstrained by this. There's no money anyways, except for the opportunities provided to the developers for exposure (and possibly donations).

        If anything, this is governments directly stating to these companies that they are the only acceptable client.

        --
        Technically, lunchtime is at any moment. It's just a wave function.
        • (Score: 2) by kaszz (4211) on Thursday May 21 2015, @11:52PM (#186256)

          What's preventing anyone from just making secret deals?

          • (Score: 0) by Anonymous Coward on Friday May 22 2015, @01:38PM (#186439)

            What's preventing anyone from making secret deals about anything else that's illegal, be it drug smuggling, illegal gambling, or contract killing?

          • (Score: 2) by edIII (791) on Saturday May 23 2015, @01:31AM (#186737)

            That moment when you want to go to the bank, get a home loan or other such instrument, and need to prove the source of the money?

            Some real control right there.

            Bank: You have a million dollars?
            Me: Yes. In Gold.
            Bank: Interesting. Where did you get it?
            Me: Uhhh, it's gold. Money has no pedigree last time I checked.
            Bank: Uhhh, yeah... not in the United States of America, Land of the Free, and Home of the Brave. Seriously. The government demands we know.
            Me: Uhhhhh.... I guess I have a bunch of worthless gold then if all I can say is I blew a leprechaun?
            Bank: Yep.... but do you have the number for the leprechaun?

            --
            Technically, lunchtime is at any moment. It's just a wave function.
            • (Score: 2) by kaszz (4211) on Saturday May 23 2015, @09:23AM (#186810)

              Don't use the banks? Buy something outright?