US fails in bid to renegotiate arms trade restrictions on exploit data export

Status
Not open for further replies.

DoomHamster

Ars Tribunus Militum
2,475
Subscriptor++
So kinda like crypto used to be.
Which is why I think it's time we start printing exploits on t-shirts.

[image]
 
Upvote
46 (47 / -1)
seanmgallagher said:
So kinda like crypto used to be.
Which is why I think it's time we start printing exploits on t-shirts.

[image]


See? You can't ban guns, I can print a gun on a T shirt.
 
Upvote
11 (11 / 0)
MaMuS said:
maxmurder said:
:(){ :|:& };:

Am I a gun now?

STAND BACK EVERYONE! HE GOT A BOMB!

It's okay, I can defuse it!
...
What do you mean I need a license to "export" the fix to the web?
 
Upvote
25 (25 / 0)

Pinko!

Ars Centurion
276
Subscriptor
"This could apply to things like training courses for penetration testing and other skills that deal with exploits—companies are likely to run into restrictions about who they can allow to attend those classes, since passing the information to someone from out of the country could be considered the same as exporting a munition without a license."

So are we violating export controls if we post information on the web? If you view that information have you violated an arms control treaty? Parts of this seem unenforceable.
 
Upvote
15 (15 / 0)
I don't see anything that this law would bring to the table. What can it possibly change? The malicious are going to just completely ignore it. The only change would be to decrease research in the subject, which would make the whole situation worse. Only the criminals gain.

The tin-foil hat explanation (NSA doesn't want us to figure out their secrets) is probably even too much of a stretch for the paranoid.

This legislation just seems like a colossal waste of time and resources.

It seems like a bunch of legislators who don't know what they are talking about got into a room and decided that "well, we have to do something!" and this is what came out, without any consideration to practicality, relevance, or effectiveness.
 
Upvote
10 (10 / 0)

seanmgallagher

Ars Tribunus Militum
1,911
Subscriptor
seanmgallagher said:
So kinda like crypto used to be.
Which is why I think it's time we start printing exploits on t-shirts.

[image]


See? You can't ban guns, I can print a gun on a T shirt.
I was thinking more like this:
[image: munitions T-shirt, front]


But if you can print a lower to add to that shirt so you can shoot it full auto, I'll buy one.
 
Upvote
17 (17 / 0)
seanmgallagher said:
seanmgallagher said:
So kinda like crypto used to be.
Which is why I think it's time we start printing exploits on t-shirts.

[image]


See? You can't ban guns, I can print a gun on a T shirt.
I was thinking more like this:
[image: munitions T-shirt, front]


But if you can print a lower to add to that shirt so you can shoot it full auto, I'll buy one.

You can buy iron-on paper from office supply stores, make this image b/w and then just iron it on as an addition. Regulated AR15 parts (important bits to make them full auto).

Option 1, DIAS

Option 2: Lightning Link (also required)

Or, for your Glock
 
Upvote
3 (3 / 0)

Eurynom0s

Ars Tribunus Angusticlavius
7,958
Subscriptor
DoomHamster said:
In general, I think it is wise to be against any laws/treaties that will be a) ineffective at stopping actual criminals and b) effective at hampering legitimate security research.

Isn't TeamSpeak subject to export control? I've never really been able to take the categorizations seriously since then.

DoomHamster said:
So kinda like crypto used to be.

Precisely.

Which also a) didn't work and b) hampered legitimate progress.

...is this why TeamSpeak is export controlled, is it encrypted?
 
Upvote
6 (6 / 0)
Laws like this are so ridiculous. They assume that other countries "couldn't possibly come up with something as brilliant as we can." Set it and forget it. Once in place, the regulations remain long past when the technology is old news. Every country that imposes restrictions puts their industries at a disadvantage. Everyone else trades freely. BS like this will be approved quickly with the extra bonus of making it easier to restrict encryption at home.
 
Upvote
16 (16 / 0)

psd

Well-known member
10,265
If the goal is education, "working exploits" are unnecessary. Researchers are smart people; they don't need working code to help their understanding. What is desired is to criminalize the act of producing and distributing working exploits (including trivially compile-ready source code) but not the act of talking about an exploit's theory of operation.
 
Upvote
-19 (0 / -19)

esdf

Seniorius Lurkius
16
psd said:
If the goal is education, "working exploits" are unnecessary. Researchers are smart people; they don't need working code to help their understanding. What is desired is to criminalize the act of producing and distributing working exploits (including trivially compile-ready source code) but not the act of talking about an exploit's theory of operation.

How about this? Company A in country A hires company B in country B to perform security testing for an application. Testing is performed in country B over the internet. Company B finds a vulnerability in the system and creates instructions for replication (i.e. proof of concept exploit code). Can company B hand over the resulting report to company A as this could be construed as exportation of an exploit from country B to country A?
 
Upvote
16 (16 / 0)
psd said:
If the goal is education, "working exploits" are unnecessary. Researchers are smart people; they don't need working code to help their understanding. What is desired is to criminalize the act of producing and distributing working exploits (including trivially compile-ready source code) but not the act of talking about an exploit's theory of operation.

Maybe you're just trying to play devil's advocate, but this suggestion indicates that you don't understand how education works in the slightest. Practical exercises are necessary to convey how it works in practice. You don't get researchers in the first place if they've never seen how a buffer overflow can be leveraged to execute malicious or mischievous code.
 
Upvote
13 (13 / 0)

goddog

Ars Scholae Palatinae
671
psd said:
If the goal is education, "working exploits" are unnecessary. Researchers are smart people; they don't need working code to help their understanding. What is desired is to criminalize the act of producing and distributing working exploits (including trivially compile-ready source code) but not the act of talking about an exploit's theory of operation.


Hey there Dolores, thought you were still in Azkaban. Good to know your handle on Ars.
 
Upvote
-1 (2 / -3)

psd

Well-known member
10,265
esdf said:
psd said:
If the goal is education, "working exploits" are unnecessary. Researchers are smart people; they don't need working code to help their understanding. What is desired is to criminalize the act of producing and distributing working exploits (including trivially compile-ready source code) but not the act of talking about an exploit's theory of operation.

How about this? Company A in country A hires company B in country B to perform security testing for an application. Testing is performed in country B over the internet. Company B finds a vulnerability in the system and creates instructions for replication (i.e. proof of concept exploit code). Can company B hand over the resulting report to company A as this could be construed as exportation of an exploit from country B to country A?

Why does company A need working code to be convinced? Do they not trust the competence and analysis of company B, a company they chose and hired? What company A needs to ask for is how to defend against the exploit. Those would not run afoul of any international arrangements.
 
Upvote
-12 (0 / -12)

esdf

Seniorius Lurkius
16
psd said:
esdf said:
psd said:
If the goal is education, "working exploits" are unnecessary. Researchers are smart people; they don't need working code to help their understanding. What is desired is to criminalize the act of producing and distributing working exploits (including trivially compile-ready source code) but not the act of talking about an exploit's theory of operation.

How about this? Company A in country A hires company B in country B to perform security testing for an application. Testing is performed in country B over the internet. Company B finds a vulnerability in the system and creates instructions for replication (i.e. proof of concept exploit code). Can company B hand over the resulting report to company A as this could be construed as exportation of an exploit from country B to country A?

Why does company A need working code to be convinced? Do they not trust the competence and analysis of company B, a company they chose and hired? What company A needs to ask for is how to defend against the exploit. Those would not run afoul of any international arrangements.

Just no. You see, depending on the exact definition of exploit code, issue reproduction instructions may fall afoul of this definition.

Basically, when company A gets the report, they want clear instructions on how to replicate it (so they can verify their fix was successful). They may not want to pay B again just to verify the same exact issues have been fixed (forcing them to do that would result in some of the customers feeling ripped off).

Such replication instructions typically contain stuff like "type the following code into the input field and see how your application 'explodes'". That part with the 'following code' is critical for fix verification and may indeed be interpreted as an exploit depending on the interpretation of the restrictions (disclaimer: I haven't read the language verbatim so I don't know if this only deals with malware or exploits of any sort).

Source: I've done this stuff for work for the last 5 years or so.
 
Upvote
12 (12 / 0)

StudentofLife

Wise, Aged Ars Veteran
103
Subscriptor++
psd said:
esdf said:
psd said:
If the goal is education, "working exploits" are unnecessary. Researchers are smart people; they don't need working code to help their understanding. What is desired is to criminalize the act of producing and distributing working exploits (including trivially compile-ready source code) but not the act of talking about an exploit's theory of operation.

How about this? Company A in country A hires company B in country B to perform security testing for an application. Testing is performed in country B over the internet. Company B finds a vulnerability in the system and creates instructions for replication (i.e. proof of concept exploit code). Can company B hand over the resulting report to company A as this could be construed as exportation of an exploit from country B to country A?

Why does company A need working code to be convinced? Do they not trust the competence and analysis of company B, a company they chose and hired? What company A needs to ask for is how to defend against the exploit. Those would not run afoul of any international arrangements.
I have practical experience in this area. There are a number of reasons why Company A needs or can't practically avoid obtaining the actual exploit:

*Effective exploits are often hard, and false positives often occur--this isn't about trust.

*In order to fix the problem a developer often has to see the problem--thus requiring the developer to see the exploit itself.

*Repeated and expanded testing is almost always needed--once I pay for the testing, I don't want to keep paying to validate remediation or expand the scope.

*Monitoring tools can sometimes reveal the actual exploit--this incidental disclosure is likely to run afoul of the rules making any testing across borders questionable and corporate legal isn't likely to sign off causing a chilling effect.

We need to get better at defending ourselves. These types of rules don't stop the black markets and only make us weaker.
 
Upvote
11 (11 / 0)

psd

Well-known member
10,265
esdf said:
psd said:
esdf said:
psd said:
If the goal is education, "working exploits" are unnecessary. Researchers are smart people; they don't need working code to help their understanding. What is desired is to criminalize the act of producing and distributing working exploits (including trivially compile-ready source code) but not the act of talking about an exploit's theory of operation.

How about this? Company A in country A hires company B in country B to perform security testing for an application. Testing is performed in country B over the internet. Company B finds a vulnerability in the system and creates instructions for replication (i.e. proof of concept exploit code). Can company B hand over the resulting report to company A as this could be construed as exportation of an exploit from country B to country A?

Why does company A need working code to be convinced? Do they not trust the competence and analysis of company B, a company they chose and hired? What company A needs to ask for is how to defend against the exploit. Those would not run afoul of any international arrangements.

Just no. You see, depending on the exact definition of exploit code, issue reproduction instructions may fall afoul of this definition.

Basically, when company A gets the report, they want clear instructions on how to replicate it (so they can verify their fix was successful). They may not want to pay B again just to verify the same exact issues have been fixed (forcing them to do that would result in some of the customers feeling ripped off).

Such replication instructions typically contain stuff like "type the following code into the input field and see how your application 'explodes'". That part with the 'following code' is critical for fix verification and may indeed be interpreted as an exploit depending on the interpretation of the restrictions (disclaimer: I haven't read the language verbatim so I don't know if this only deals with malware or exploits of any sort).

Source: I've done this stuff for work for the last 5 years or so.

Maybe I missed it but nothing in the article indicates that talking about exploits would run afoul of the language. For example, the specific concern of the member of the US Wassenaar delegation is decreasing participation at competitions like Pwn2own. Well, duh, those competitions don't just talk about exploits; they produce and distribute working exploits.

I would say though that if working code must be passed around because science, a good model would be in bio research. How do researchers pass around samples of anthrax so researchers in other institutions/countries can study/verify? A useful international agreement with the goal of controlling the spread of malware would make provisions for such things. It is so reckless to have "working exploits" just out in the wild. We don't call malware a virus for nothing. Malware researchers should be expected to handle it just like its biological counterpart.
 
Upvote
-9 (0 / -9)

psd

Well-known member
10,265
dogbertat said:
psd said:
esdf said:
psd said:
If the goal is education, "working exploits" are unnecessary. Researchers are smart people; they don't need working code to help their understanding. What is desired is to criminalize the act of producing and distributing working exploits (including trivially compile-ready source code) but not the act of talking about an exploit's theory of operation.

How about this? Company A in country A hires company B in country B to perform security testing for an application. Testing is performed in country B over the internet. Company B finds a vulnerability in the system and creates instructions for replication (i.e. proof of concept exploit code). Can company B hand over the resulting report to company A as this could be construed as exportation of an exploit from country B to country A?

Why does company A need working code to be convinced? Do they not trust the competence and analysis of company B, a company they chose and hired? What company A needs to ask for is how to defend against the exploit. Those would not run afoul of any international arrangements.
I have practical experience in this area. There are a number of reasons why Company A needs or can't practically avoid obtaining the actual exploit:

*Effective exploits are often hard, and false positives often occur--this isn't about trust.
So, you don't think your testing company got it right?
*In order to fix the problem a developer often has to see the problem--thus requiring the developer to see the exploit itself.

A good description of the exploit would be enough. Your testing company should be able to tell you exactly what and how to fix. If your testing company can't do this, they suck. Get a refund.
*Repeated and expanded testing is almost always needed--once I pay for the testing, I don't want to keep paying to validate remediation or expand the scope.

Security is expensive. But again, a good description of the vulnerability would be plenty to go by.
*Monitoring tools can sometimes reveal the actual exploit--this incidental disclosure is likely to run afoul of the rules making any testing across borders questionable and corporate legal isn't likely to sign off causing a chilling effect.

As long as you did not produce or distribute what you discovered, I think you will be okay.
We need to get better at defending ourselves. These types of rules don't stop the black markets and only make us weaker.

How does that necessitate working exploits to be freely passed around? BTW, nothing stops the black markets; they will do what they do. The best we can do is not help them, not be an unwitting accessory to their dastardly deeds by openly passing around their working exploits for them.
 
Upvote
-11 (0 / -11)

esdf

Seniorius Lurkius
16
psd said:
dogbertat said:
psd said:
esdf said:
psd said:
If the goal is education, "working exploits" are unnecessary. Researchers are smart people; they don't need working code to help their understanding. What is desired is to criminalize the act of producing and distributing working exploits (including trivially compile-ready source code) but not the act of talking about an exploit's theory of operation.

How about this? Company A in country A hires company B in country B to perform security testing for an application. Testing is performed in country B over the internet. Company B finds a vulnerability in the system and creates instructions for replication (i.e. proof of concept exploit code). Can company B hand over the resulting report to company A as this could be construed as exportation of an exploit from country B to country A?

Why does company A need working code to be convinced? Do they not trust the competence and analysis of company B, a company they chose and hired? What company A needs to ask for is how to defend against the exploit. Those would not run afoul of any international arrangements.
I have practical experience in this area. There are a number of reasons why Company A needs or can't practically avoid obtaining the actual exploit:

*Effective exploits are often hard, and false positives often occur--this isn't about trust.
So, you don't think your testing company got it right?
*In order to fix the problem a developer often has to see the problem--thus requiring the developer to see the exploit itself.

A good description of the exploit would be enough. Your testing company should be able to tell you exactly what and how to fix. If your testing company can't do this, they suck. Get a refund.
*Repeated and expanded testing is almost always needed--once I pay for the testing, I don't want to keep paying to validate remediation or expand the scope.

Security is expensive. But again, a good description of the vulnerability would be plenty to go by.
*Monitoring tools can sometimes reveal the actual exploit--this incidental disclosure is likely to run afoul of the rules making any testing across borders questionable and corporate legal isn't likely to sign off causing a chilling effect.

As long as you did not produce or distribute what you discovered, I think you will be okay.
We need to get better at defending ourselves. These types of rules don't stop the black markets and only make us weaker.

How does that necessitate working exploits to be freely passed around? BTW, nothing stops the black markets; they will do what they do. The best we can do is not help them, not be an unwitting accessory to their dastardly deeds by openly passing around their working exploits for them.

I'm sorry, but I do have to ask, do you have relevant experience in software development and testing (security related if possible, or general otherwise) or is your approach based on applying common sense to specialist topics? This would help me to understand your reasoning better.

Please understand I'm not saying that subject matter expertise is required to participate in discussion or have a meaningful contribution thereof. I just want to know what common 'trade knowledge' I can assume for the discussion and what needs to be explained in more detail.
 
Upvote
13 (13 / 0)

psd

Well-known member
10,265
esdf said:
psd said:
dogbertat said:
psd said:
esdf said:
psd said:
If the goal is education, "working exploits" are unnecessary. Researchers are smart people; they don't need working code to help their understanding. What is desired is to criminalize the act of producing and distributing working exploits (including trivially compile-ready source code) but not the act of talking about an exploit's theory of operation.

How about this? Company A in country A hires company B in country B to perform security testing for an application. Testing is performed in country B over the internet. Company B finds a vulnerability in the system and creates instructions for replication (i.e. proof of concept exploit code). Can company B hand over the resulting report to company A as this could be construed as exportation of an exploit from country B to country A?

Why does company A need working code to be convinced? Do they not trust the competence and analysis of company B, a company they chose and hired? What company A needs to ask for is how to defend against the exploit. Those would not run afoul of any international arrangements.
I have practical experience in this area. There are a number of reasons why Company A needs or can't practically avoid obtaining the actual exploit:

*Effective exploits are often hard, and false positives often occur--this isn't about trust.
So, you don't think your testing company got it right?
*In order to fix the problem a developer often has to see the problem--thus requiring the developer to see the exploit itself.

A good description of the exploit would be enough. Your testing company should be able to tell you exactly what and how to fix. If your testing company can't do this, they suck. Get a refund.
*Repeated and expanded testing is almost always needed--once I pay for the testing, I don't want to keep paying to validate remediation or expand the scope.

Security is expensive. But again, a good description of the vulnerability would be plenty to go by.
*Monitoring tools can sometimes reveal the actual exploit--this incidental disclosure is likely to run afoul of the rules making any testing across borders questionable and corporate legal isn't likely to sign off causing a chilling effect.

As long as you did not produce or distribute what you discovered, I think you will be okay.
We need to get better at defending ourselves. These types of rules don't stop the black markets and only make us weaker.

How does that necessitate working exploits to be freely passed around? BTW, nothing stops the black markets; they will do what they do. The best we can do is not help them, not be an unwitting accessory to their dastardly deeds by openly passing around their working exploits for them.

I'm sorry, but I do have to ask, do you have relevant experience in software development and testing (security related if possible, or general otherwise) or is your approach based on applying common sense to specialist topics? This would help me to understand your reasoning better.

Please understand I'm not saying that subject matter expertise is required to participate in discussion or have a meaningful contribution thereof. I just want to know what common 'trade knowledge' I can assume for the discussion and what needs to be explained in more detail.

Yes. Tell me again why you don't expect your testing company to be able to tell you what and how to fix the vulnerability that they have found?
 
Upvote
-10 (0 / -10)

psd

Well-known member
10,265
scrambledhelix said:
psd said:
If the goal is education, "working exploits" are unnecessary. Researchers are smart people; they don't need working code to help their understanding. What is desired is to criminalize the act of producing and distributing working exploits (including trivially compile-ready source code) but not the act of talking about an exploit's theory of operation.

Maybe you're just trying to play devil's advocate, but this suggestion indicates that you don't understand how education works in the slightest. Practical exercises are necessary to convey how it works in practice. You don't get researchers in the first place if they've never seen how a buffer overflow can be leveraged to execute malicious or mischievous code.

I'm not convinced. Seriously. When teaching about buffer overflows, it is not necessary to give students working code that not only causes buffer overflows but also delivers executable code to compromise a system. If they are good students they would write their own from what they were taught. And this is fine because education. But you leave the act of producing and distributing functional malware to the student, if that is what they choose to do with their knowledge.
 
Upvote
-9 (0 / -9)

psd

Well-known member
10,265
Baenwort said:
Would this impact bug bounties? Such that unless you're located in their home country you can't claim them?

Depends on what the bug bounty wants. If they want a functional malware suite with source code, then I think that should not be okay. If they just want what to fix and how along with the description of the exploit, then that is all very educational.
 
Upvote
-8 (0 / -8)

esdf

Seniorius Lurkius
16
psd said:

Yes. Tell me again why you don't expect your testing company to be able to tell you what and how to fix the vulnerability that they have found?

You did not actually answer my question. EDIT: sorry, you may have actually answered. In that case, can you please elaborate what kind of fix recommendation report is implementable from your point of view?

In any case, money. That is the reason. How much unnecessary overhead do you want for your project? If you are willing to accept any and all additional costs caused by the burden associated with compliance to these restrictions, then of course what you suggest is possible.

For example a somewhat usual testing case for a web page security assessment:

Usually takes 5 days or a bit more (including manual testing) depending on target scope. Results in a report that details for each issue the description, impact, general remediation and reproduction. Customer's programmers will then implement the fixes and use the reproduction instructions to validate fixes.

If tester cannot disclose the reproduction part and must give detailed fixing instructions the project will look more like this:

2 days reading source code and finding root causes for detected issues (_somewhat_ conservative estimate depending on codebase).* 5 days testing and 1 day for validating the fixes (since customer cannot do this themselves without reproduction instructions). That is already 8 days for a 5 day project. Customer pays a whopping 60% premium over getting the same work done.

*Finding the root cause of an issue is mandatory for a working fix and finding the root cause requires reading through the source code and configuration of the system. Normally this is done by customer personnel.

EDIT: Oh yeah, and don't forget the very common case where customer uses a third party vendor who is unwilling to show their source code to the testing company for IPR-reasons.
 
Upvote
7 (7 / 0)