SoylentNews is people

posted by n1 on Thursday May 21 2015, @06:55PM
from the what-is-this-bis dept.

The Register and Threatpost report that the U.S. Department of Commerce may enshrine the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies into law, banning the export of zero-day vulnerabilities without permission:

The Bureau of Industry and Security (BIS) proposes to implement the agreements by the Wassenaar Arrangement (WA) at the Plenary meeting in December 2013 with regard to systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software; software specially designed or modified for the development or production of such systems, equipment or components; software specially designed for the generation, operation or delivery of, or communication with, intrusion software; technology required for the development of intrusion software; Internet Protocol (IP) network communications surveillance systems or equipment and test, inspection, production equipment, specially designed components therefor, and development and production software and technology therefor.

BIS proposes a license requirement for the export, reexport, or transfer (in-country) of these cybersecurity items to all destinations, except Canada. Although these cybersecurity capabilities were not previously designated for export control, many of these items have been controlled for their "information security" functionality, including encryption and cryptanalysis.

This rule thus continues applicable Encryption Items (EI) registration and review requirements, while setting forth proposed license review policies and special submission requirements to address the new cybersecurity controls, including submission of a letter of explanation with regard to the technical capabilities of the cybersecurity items. BIS also proposes to add the definition of "intrusion software" to the definition section of the EAR pursuant to the WA 2013 agreements.

A 60-day comment period ends July 20th.

  • (Score: 3, Insightful) by VortexCortex (4067) on Thursday May 21 2015, @09:09PM (#186201)

    Well, as a low-level driver dev and alternate OS dev, I have discovered and logged many zero-day exploits for every popular OS in my /with/great/power/comes/great/responsibility/ directory. If the governments of the world could find an unencrypted copy they'd save a little bit of money instead of just buying new ones on the black market (like everyone who can't into cracking does, such as NSA). [theatlantic.com]

    Fortunately, it's impossible to know whether prior to these new BIS export controls (which I have always been compliant with) any encrypted archive of said zero-day exploits was stored outside the USA. When you name an encrypted archive something like "Brittney Spears Discography" and put it on something like LimeWire or BitTorrent over a decade before such silly regulations come into effect, who can even tell what 14-year-old has a copy in what continent so long as they keep seeding them? And really, if my expectation of decipher-ability isn't expanded to include non-US individuals, how could I be in violation of exporting Zero-Day exploits? You'd have to put a ban on exporting digital white noise, since that's what was transmitted, and is still legally transmittable even given the new export relgurgitations.

    TL;DR: "U.S. Mulls Export Controls on Zero-Days, but still allows export of white noise, in which every Zero-Day is hiding (given the appropriate one-time-pad key)."
