US plans to apply export controls to 0-days put out for comment

US proposals for export controls for zero-day vulnerabilities and malware have finally been pushed forward, re-opening the fault lines of a long-running argument among security experts in the process. The proposals (pdf) from the US Department of Commerce would introduce the Wassenaar Arrangement (WA) – an international …

  1. Anonymous Coward
    Anonymous Coward

    Could do better

    ..in your reporting. Specifically, what's the motive here? Is it to "protect" zero days for the benefit of the NSA and their Stasi pals in Anglophone countries, or is it to stop foreign crims and foreign Stasis from exploiting them? The answer could be both, but I have a feeling that there's probably a single over-riding ambition here, and my suspicion points to the NSA.

    And what's the consequence of this if enacted? If my cynical suspicions are correct, doesn't this make US software even less attractive to suspicious foreign customers?

    More analysis, please!

    1. Anonymous Coward
      Anonymous Coward

      Re: Could do better

      Not sure what garnered the downvote there AC. Perhaps some leery old commentard took exception to your (frankly daft) implication that it's possible to fall below absolute zero?

  2. Jess

    Shouldn't things like this be blocked by TTIP like deals?

    Shouldn't a security firm based in any of the countries that already has a TIP deal be able to sue?

    Or does it only work one way?

    1. Will Godfrey Silver badge

      Re: Shouldn't things like this be blocked by TTIP like deals?

      Don't be ridiculous...

      Of course it's one way.

  3. All names Taken
    Paris Hilton

    Starfish bytes?

    Or is it Sailfish?

    And why are so many IT terms marine related huh? Net? Network?

    1. Rob 5

      Re: Starfish bytes?

      Swordfish!

  4. Anonymous Coward
    Facepalm

    Let me be the first:

    Fuck Off.

    This is probably the stupidest thing I've ever heard. As I read it, it means that Sophos wouldn't be able to share information with McAfee or vice versa.

    Way to go fuckwits.

    1. Eddy Ito

      Re: Let me be the first:

      Oh I'm sure there will be a way to share information. I happened to notice in my quick scan that it will involve ITAR which allows for licenses to be had for a bit over $2k so the larger players won't have any problems but the odd independent hack is going to get tacked to the wall. Clearly however it's going to take more than a quick scan to get through it, I hope my stomach is up to it.

      1. Roland6 Silver badge

        Re: Let me be the first:

        "it will involve ITAR which allows for licenses to be had for a bit over $2k so the larger players won't have any problems but the odd independent hack is going to get tacked to the wall."

        Suspect that non-US security companies, such as those HQ'd in former eastern Europe and Russia will have difficulty getting and retaining such licenses...

        1. Eddy Ito

          Re: Let me be the first:

          Perhaps I'm missing something, why would they need a license? As I understand it, only US companies and citizens would need a license to "export" or "import" the information. Where it gets tricky is when you have a non-US company with a facility in the US and the parent company discovers the 0-day. Would they be able to tell the US facility (import) and would that then bind them to the ITAR rules with regard to telling anyone else (export)?

          Granted it's a total cluster fsck in the first place but then ITAR itself is largely a cluster fsck.

          1. Wzrd1 Silver badge

            Re: Let me be the first:

            'As I understand it only US companies and citizens who would need a license to "export" or "import" the information.'

            No, it's for export. One can import any information without suffering from an ITAR violation prosecution and fines. Exporting the wrong thing can get quite costly.

            Such as one firm that develops state of the art night vision for the US DoD and those blessed by the US government to receive those devices as well, who made the brilliant decision to order sensitive components from the PRC. That resulted in $150 million in fines and concessions from the company (free services to the government).

            Meanwhile, I can legally import Russia's favorite nuclear weapons designs, the most that would happen is a very, very threatening NDA (which I had already signed back in the 1980's) against revealing the contents of the newborn secret documents and the NRC would confiscate the plans.*

            Of course, I have no access to such plans, nor would I desire to somehow access those plans. That is just an outrageous example.

            *By law, *all* things nuclear, be they fissionables above a certain curie unit or nuclear weapons belong, by law, to the NRC. Back when the core had to be inserted to arm a nuclear warhead, the core had to be signed out from the then AEC and signed back into AEC storage.

            Yeah, US laws can get *quite* interesting. Add in federal, state, county and municipal, things can be rather tangled unless you review the US and state Constitutions.

  5. Malcolm Weir Silver badge

    I think @theordore is right: as I read it, if I publish something on the web showing an attack vector, that is (or could be) "intrusion software to identify vulnerabilities of computers and network-capable devices".

    Therefore I would now need a license to do that.... which I almost certainly wouldn't get, because I can't specify who the intended recipient is, and I certainly couldn't prevent "transfer (in country)" of the information even if I could (i.e. I couldn't prevent Hans in Germany telling Pierre in France).

    Of course, if the attack vector involved, say, a foreign-made communications device -- say, a router made in China -- then I could apply for, and if the manufacturer cared, I probably would receive a license to tell them the problem. Chances are, though, that the manufacturer wouldn't care, so wouldn't agree to the license terms (i.e. don't tell Pierre), so no license and the vulnerability would continue unpatched.

    Even more problematic: if that Chinese router used, say, open source software, I couldn't tell anyone about the vulnerability because the open source process of providing the patch would disclose the existence and nature of the original problem.

    And even if the device was US built and I could tell them about the vulnerability, they would have to be very, very careful describing the reason for the patch that resolves it, because they cannot publicly disclose the precise nature of the problem. So you'd get release notes that say things as profound as "Fixed vulnerability. Enjoy!"

    1. All names Taken
      Paris Hilton

      We have this sort of ...

      ... thing in the UK too.

      It does not matter a jot what the case is for or the case is against.

      Proponents can get into heated debate and all aflustered and whatever, however the outcome will be undeniable as the framework in which the debate happens has been constructed to give the -ahem- cough-cough preferred outcome?

      Example: independence in Scotland (failed) but Scotland returns all but 2 MPs as Scottish Nationalist Party members?

      1. Malcolm Weir Silver badge

        Re: We have this sort of ...

        @All names Taken: the Scottish thing is not at all contradictory, no matter how it might appear, because the votes were about different things. In the in/out vote, although much of the rhetoric was anti-Westminster-political-parties, the actual question boiled down quite simply and the other ties with the rest of the UK (i.e. the social, cultural, etc ones) won out. In the General Election, no-one cared about anything except the anti-Westminster-party stuff (aka "they're all equally horrible"), so the SNP won big precisely because they are not a traditional part of the London political system, and are not likely to be dominated by Whips calling for a vote for tax cuts for everyone living within the M25!

        Interestingly, if Cameron's "Let's leave the EU" thing works, to me that pretty much guarantees that Scotland will leave the UK to rejoin the EU. Yes, Salmond called it a "once in a generation" vote, but a generation of _what_? It's not impossible that he meant a generation of rats, because sometimes it's easy to confuse a rodent with a politician!

  6. Anonymous Coward
    Anonymous Coward

    Making it illegal is only going to help the bad guys

    I have no idea what exactly they have been smoking or snorting to come up with this approach, but in the real world this is going to elevate threat levels because it widens the time for exploitation.

    Frankly, I am getting the strong impression that most governments are now so far removed from reality that most of the politicians actually need a psych eval.

    Why do we bother planning a mission to Mars? Most of these people are already there.

    1. All names Taken
      Paris Hilton

      Re: Making it illegal is only going to help the bad guys

      Guvmints don't really know anything - they are in a democracy supposed to be of the people to represent the people (in the UK common people that is people without land or wealth or title?) but that is increasingly becoming a 1984-ism with dynasty effect becoming obvious in land-of-the-free?

      But Guvmints are expected to decide upon policy and how to make that policy manifest (my own view is that here in the UK Guvmint should estrange and divest itself of its manifold civil servants)

  7. Anonymous Coward
    Anonymous Coward

    Catch-22

    So it will be illegal for anyone in the US to report a zero-day *to the vendor* for any product developed outside the US? That'll work out well...

  8. Anonymous Coward
    Anonymous Coward

    Tooling

    What's going to happen with our tools? I would really like to know how they intend to regulate F/OSS. Then there are several hundred, likely thousands, which are used often by any sysadmin or developer but have "dual use" potential. Actually I have been wondering why there weren't restrictions on the tools, documents and especially licensing the practitioners in the field. I guess I have my answer.

    Update your tools often before it applies would be my guess.

  9. amanfromMars 1 Silver badge

    True GCHQ View and Comment.... Madness and Mayhem in CHAOS*

    Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items

    AGENCY: Bureau of Industry and Security, Commerce.

    ACTION: Proposed rule, with request for comments.

    A program proposal for losers wrapped up in a document for tossers to be enacted by retards in a guaranteed certifiable response to the inexorable rise of the virtual machine. How can it possibly fail to generate and supply to systems and AI, Revolutionary Evolution with SMARTR Internet Networking in Creative Command and Cyber Control of Computers and Communications and the Future with Options And Hedges in Derivatives for ZeroDay Trading to Markets Spaces and Exchange Dream Places?

    *Global Communications Head Quarters/Clouds Hosting Advanced Operating Systems

  10. Doctor Syntax Silver badge

    Shooting the messenger..

    ..to become a legal requirement.

  11. Bronek Kozicki
    Coat

    This regulation will force many technology companies in the security field out of the US - only the ones dealing with the gov directly would benefit from remaining in the country.

    If the US gov continues creating legislation out of fear of technology, I foresee an exodus of technology companies in any field from the US, because otherwise they would be outcompeted on the global stage due to regulations. Also, it is quite possible they will no longer be willing to sell technology to US consumers, either directly due to regulations or for lack of demand (indirectly caused by regulations) - and US consumers will not even know what they missed.

    For example, see how long it took US cell networks to "invent" SIM cards which could be easily swapped between phones (thanks to telecom regulations), how long it took to "invent" chip & pin (thanks to banking regulations) etc.

    It's not good news for Americans, but you get what you voted for (sorry, couldn't resist sarcasm here). At least the Amish will not complain.

  12. Trigonoceps occipitalis

    " ... provision to give Australia, the UK and New Zealand favourable treatment ... "

    Suck on that Canada!

  13. w1guu

    The article and comments are misleading

    As the article correctly reports, the new export control is the result of a Wassenaar agreement. That means that 40-odd nations agreed that "intrusion software" should be added to the dual use control list. See: http://www.wassenaar.org/controllists/2014/WA-LIST%20%2814%29%202/WA-LIST%20%2814%29%202.pdf and search for "intrusion software". There are 3 control statements and a definition. Pay close attention to the definition, and pay particular attention to the notes in the definition. All of this is part of the multilateral control agreement.

    The Wassenaar partner countries have agreed on the items to be controlled. However, each country runs its own export control regime. The control methods, including licensing policy vary widely. There will also be wide variations in the actual implementation dates, and there may be variation in the practice of what (exactly) will be licensed.

    The US proposed rule is the subject of the FR notice. See: http://www.bis.doc.gov/index.php/forms-documents/doc_download/1236-80-fr-28853 That proposal has to be considered in the context of the complete EAR (US Export Administration Regulations). For example, Part 734 which provides for the release from the EAR for published information. Other Wassenaar jurisdictions will/may have their own exclusions.

    Finally, since this is my first post on this forum, a brief introduction. I fixed my first computer in 1962, and I have been dealing with multinational export controls since 1985.

    /Don Ames

    1. amanfromMars 1 Silver badge

      Re: The article and comments are misleading

      Welcome, Don Ames/w1guu. Nice to see you, to see you, nice.

    2. Malcolm Weir Silver badge

      Re: The article and comments are misleading

      @Don Ames/w1guu

      It appears you're right in some areas, not so right in others. For instance, while the actual text of the Wassenaar Agreement is interesting, it is of only peripheral relevance to US law, which is only concerned with the actual Federal Regulations. So an enabling regulation can be substantially broader than required.

      But, yes, the EAR Part 734.7 (and possibly 734.8) have bearing on the matter, but the effect of them is awful: anyone wanting to avoid the export controls *has* to publish everything, including the "proof of concept" attack code, if they want to notify the hypothetical Chinese router manufacturer. This is possibly an even worse situation, because they cannot limit disclosure to the known good guys. So if I discover an attack vector, I *have* to hand it off to the bad guys, too... which is possibly a Bad Idea.

      And the fact that the 40+ countries agreed on making intrusion software "dual use" doesn't mean much, because the people at the table deciding these things are typically NOT representative of the broadest constituency. In other words, the Mil/industrial base gets a disproportionately loud voice, and the open source community is disproportionately under-represented.

  14. PassiveSmoking

    What, do they think that if you can't report on a vulnerability that it will magically cease to exist and that all will be well? That nobody will try to exploit it? That nobody outside the US is capable of finding 0-day vulns?

    What new idiocy is this? I haven't got a facepalm big enough to express it.

  15. Schultz

    Well, they should stop exporting exploits...

    so someone tell the NSA to stop meddling with hard- and software that will be exported.

    Aah, that was not what they were talking about? Too bad.

  16. amanfromMars 1 Silver badge

    Too big to fail? Oh please, you cannot be serious.

    Sort out this criminal operation ...... http://www.zerohedge.com/news/2015-05-21/public-confused-why-worlds-biggest-banks-admitting-criminal-fraud-leads-public-yawns ..... if you want anyone smart to pay any attention and even to start thinking it is a better thing to follow what governmental sysadmins think is prudent.

    Until then will all involved be thought right jokers and plonkers in first class Titanic accommodation and live targets for the relentless practising of deep pooling and dark web arts upon? You know it makes sense.
