We must stop people from using this sort of thing!
(Unless it's us, of course...)
The US government has rewritten chunks of an obscure weapons trade pact between itself, Europe, Russia, and other nations – a pact that is now casting its shadow over today's computer security tools. Dubbed the Wassenaar Agreement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, the treaty limits …
(Unless it's us, of course...)
"Mom, I have given a friend a copy of GDB, now Interpol is looking for me as an arms dealer."
Seriously, has this agreement ever helped? Al Queida had guns from CIA, South American drug lords from FBI... It's such a massive FAIL that I have no words to describe it
The western "democracies" are becoming so restrictive in their Fascism that I believe this like all of their new spying arrangements are geared toward the subjugation of the populace.
The software "world" is like a parallel universe to our own physical world. So it's not hard to see that just like in the physical world we have bans on the "creation" of dangerous Arms, drugs etc..., it was always a matter of time before certain software are deemed dangerous and must be "controlled" by governments.
All of this is also really an extension to the slippery slope that this world has begun sliding on when the conservatives won the election and everywhere starts copying China where they seek to protect "their population" from absolutely everything including themselves.
Knowledge is power, and nobody can have more power than governments formed by rich school boy graduates from the elite families.
Time for all the plebs to see and admit defeat to things you can't do anything about.
It begs the question, should government really be the ones in power? Are they just anti-creation, anti-knowledge? This will only get worst, unless a revolution begins to reform what our governments should really be doing and should be allowed to do (rather than the reverse currently), and what freedoms are "humans" allowed in this prison we call society.
Sooner or later all laws will be enacted so that human beings are only allowed to grow older, breed and hand their offspring to government education programmes and die.
Crazy talk? Think again.
@ the anon' "could have seen this coming"
Looks like you're building a fork, or new perspective, on the Singularity Hypotheses whereby a new flavor of technology-based government forces us into a type of neo-barbarism (re: brave new). At least some of us (or them) retain humanity (knowledge-based) while the rest wither on the vine of existence or grow stronger within the "new world" of ignorant barbarism.
...it was always a matter of time before certain software are deemed dangerous and must be "controlled" by governments.
A matter of time? More like "time and again!" Think back to when the US put export bans on encryption software. It not only failed in its stated result, it actually hurt sales for US companies as a side effect. Still,
we have a habit of repeating our mistakes we'll get it right this time.
"A matter of time? More like "time and again!" Think back to when the US put export bans on encryption software. It not only failed in its stated result, it actually hurt sales for US companies as a side effect. Still, we have a habit of repeating our mistakes we'll get it right this time."
I still remember running Windows 2000 with 128-bit IE6 and reading fine print on the About IE section about exporting it to other countries.
The primary reason given for the changes is to stop
repressivedesignated regimes THAT ARE NOT DANCING TO UNCLE SAM'S MAD PIPING around the world from buying sophisticated software that can be used to spy on political opponents and others.
Did I mention that the staunch supporter of
NATO"freedom", Monsieur Saakashwili, currently on the run from his own home country for various kinds of nastiness, has just been appointed governor of the freedom-loving Ukrainian province of Odessa? Seriously. Can I export debuggers to Ukraine now?
It's time to tell the USA to go be barking mad elsewhere until it gets better.
The market for zero-day vulnerabilities can be a lucrative one; the new language bans the sale of details of unpatched flaws to anyone other than one's own government.
And whenever one’s own government is not smart enough enabled to realise they would be wise to purchase that which can be used to disable them/are unable or reluctant to believe that such a vulnerability within myriad zeroday vulnerabilities is possible and being offered to them for purchase with remote third party command and control/vendor power brokerage? Is one then obliged to provide foreign markets in public and private and pirate sectors elsewhere in service of global wealth redistribution in a stagnant petrified corrupt system?
And why would anyone smart wish to sell anything effective to any right dodgy government system which isn’t in command and control of public and private and pirate enterprise? Such is a stupid crazy action and retrograde step in support of the inequitable and ignorant, methinks.
And a government in pursuit of austerity rather than delivery of prosperity is a perverse body and monumental fraud worthy of nothing but scorn and revolution and a right dodgy farce of a force in fear of a reckoning with its inevitable wrecking in an educated awakening of the masses with colossal flows of enlightening information and novel intelligence, the present which the future brings.
This will have absolutely no effect at all on the bad guys, who have a habit of rolling their own (for some undefined value of 'bad guy').
The only people it will impede are ordinary honest folk.
> The only people it will impede are ordinary honest folk.
And that is of course the whole point of this kind of rules. We want to empower only ourselves, definitely not our subjects.
Citizens citizen Paul. We're all citizens now. The nice gentleman from miniluv who has been monitoring your communications has dispatched a small team to help you to the joycamp. Stay right where you are.
No, it MOSTLY impedes ordinary honest folks. It does also impede the inept bad people (for various values of bad), although they tend to be more of a bother than an existential threat.
So, the gov'ts are going to try to make it impossible to be legit, and the conferences are paying lower and lower payouts anyway? Might as well blackhat it then, sell those 0-days privately online to the highest bidder.
IMO there is a social obligation to expose software flaws to the software maker and no one else. I would think that the language of the agreement could add this condition and some standardized form of compensation which should not constitute win the lottery. Anyone choosing to blackmail by not disclosing the software defect for the set financial compensation should do serious prison time.
Except no contract in existence today would stand up to the global onslaught we're experiencing right now. What good is contract law in one country when you're being blackmailed by a hacker in an ENEMY country?
> some standardized form of compensation which should not constitute win the lottery
Given that the standardised amount probably won't be much, the low hanging fruit will get picked up on, and no-one will spend the time digging into the less easy to find, but still potentially critical stuff.
I'm not advocating selling flaws, but a standardised compensation level will just be exploited by the major industry players with no real benefit to the rest of us.
> Anyone choosing to blackmail by not disclosing the software defect for the set financial compensation
> should do serious prison time.
Only if the fuckers who missed it because they wanted to save some money in the QA department face a similar threat, which whilst potentially appealing is just as stupid. First they fuck up and get millions of machines pawned, and then the taxpayer pays their cost of living for 'serious time'?
Part of why we are where we are today is that back before things became so bleak, there were honest people who found flaws and told only the software maker. The software makers may have said thanks, but when they did, mostly let the the flaws moulder on the shelf until something bad happened. Even then it needed to be sufficiently bad to affect company image. At which point they started paying for bugs. Still probably not as much as they ought to, but at least you get paid these days.
"Security research is increasingly a young person's game"
Statements like that just don't make any sense. The only things in this life that are a young person's game are various forms of athleticism, and some niches that requires skilled people willing and able to work for low wages (usually in fields where experience is mandatory to progress, such that the role is an apprentice role like apprentice surgeon) such that older people deselect themselves from starting out in that niche.
Security research does not depend on particular abilities of the young. Unless, that is, you want smart, skilled people willing to work long hours for low wages,which incidentally brings us around to the UK MoDs effort, the joint reserve unit, who hope to do just that :)
"Security research does not depend on particular abilities of the young. Unless, that is, you want smart, skilled people willing to work long hours for low wages,which incidentally brings us around to the UK MoDs effort, the joint reserve unit, who hope to do just that :)"
Thing is, older people can be hidebound: stuck in ruts. Young people aren't burdened by experience so are more likely to think outside the box, and that's where most of our novel exploits are coming from: side channel attacks and the like.
Age has an advantage too, though sheer experience. Those who have been working in a field for a decade know all the odd little quirks and the backwards-compatibility features that might lead to a vulnerability.
I'm saying experience is BOTH boon and bane. You're right that people with experience in the code will know about the little nooks and crannies. But what about the parts of the code they're NOT familiar with? Their perspective will be COLORED by their experience, so they may not see the hole in the code since they're trained to spot other types of exploits. Furthermore, some of the more novel exploits have employed multiple little pieces coming together in a gestalt-like manner (think return-oriented programming which relies on exploiting multiple little bits of code); unless someone is intimately familiar with ALL the pieces involved, they're likely to overlook the exploit since some of it's beyond their scope.
"Thing is, older people can be hidebound: stuck in ruts."
They can also be brilliantly innovative and experienced. Something that is literally impossible for the young. Sure, sometimes you get some child who sees something because they don't know the literature or history, but to say it's a young person's game because of that? Having worked in the software industry for the best part of two decades, I can count on the fingers of one hand the number of inexperienced programmers I've met who are better than people with many years' experience. It does happen, but by and large the better programmers are the ones with a lot more experience and knowledge.
The exact same thing is true of architecture. Is that a young person's game? Also surgery. Also electronic design. Also journalism. Also medicine. Also music. Also this, also that, also almost every skilled profession there is. The only true exception I can think of is pure mathematics in which the genius steps do seem to come from the (relatively) young, but that is something that can be done with zero knowledge or experience, unlike hammering on someone's network.
If we say that security research is a young person's game, by the same criteria we have to say that almost every skilled profession in the whole world is also a young person's game, and that's just nonsense.
"Thing is, older people can be hidebound: stuck in ruts. Young people aren't burdened by experience so are more likely to think outside the box,"
Thing is, younger people think it is all new: thinking they're up against new problems. Older people have been around the block a few times and understand that the answer is seldom in the box.
You can write this up either way, but it will be bollocks.
A few years back I was involved in a project that involved reverse engineering/hacking the firmware in an embedded system. At 46, I was the youngster on the team. The oldest was well into his 70s. Nope, the 70 yo didn't need a nap every 15 minutes. Nor did he get lost on the way to the bathroom.
Individuals are all that matters, not age groups.
The same applies to the bright young things you extol...
Well said. Part of my day job is assessing new technology. In the past several years our bright young scientists have invented radar (exactly as the Brits did it in 1938); Kichoff's law for Voltage (and with it the multi-battery flashlight); the air core transformer. The first two were granted new US Patents. The USTPO also within the last couple of years granted a patent for a scalable device to extract unlimited power from any point in the universe.
There are many new things under the sun that weren't in the texts back in the day when I was in college. On the other hand the accumulated wisdom of many centuries of human scientific development was. The phenomenon Charles's comments points to--the overwhelming propensity of today's scientists to presume that their ignorance of a concept means it must be novel represents that deadliest combination of human attributes--arrogance and stupidity.
Better to be coloured by your experience than coloured by your inexperience.
So if that bit of Five Eyes malware that insinuated itself into your laptop fails to discover anything, you can at least be prosecuted for breaking arms control regulations. How convenient!
Although, if it blocks Norton, might be worth the risk :-)
I like the intent of prohibiting export of censorship tools, but what's the point? This is now super-sophisticated code: Any halfway-advanced country could just develop their own. Hell, I could knock up a program for searching for forbidden terms in HTTP requests and sending TCP RST packets like the GFWC does - it wouldn't be as sophisticated or as scaleable as theirs, but it'd work.
" "This was drafted by someone who doesn't understand security research and the effect of its implementation, not just on researchers but the general public as well: It's ludicrous," Cardozo said.
No surprise there, then.
Like with large companies, and successive UK governments, some arrogant know-it-all makes decisions over something they know nothing about.
> stop repressive regimes around the world from buying sophisticated software that can be used to spy on political opponents and others
But it's only repressive regimes who WANT to spy on "political opponents and others¹"
 where "others" would imply everyone who isn't a political opponent. So that has pretty much all of us covered.
The Wassenaar Agreement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is one of those too-long titles that surely has to have some acronymification.
And 'Waeccadugat' just sounds so unprofessional!
Perhaps "Wassenarr Agreement Controlling Conventional Arms and Dual-Application Exports" because I couldn't think of an appropriate word starting with 'Y' but I think 'W.A.C.C.A.D.A.E' is surely enough of an improvement...?
"Software 'specially designed' or modified to avoid detection by 'monitoring tools'"
"The extraction of data or information, from a computer or network-capable device"
So, am I allowed to do anything involving IP on my OS anymore?
Stupid politicians and their corrupt bureaucrat buddies.
are now illegal commands anywhere but the usa?
Sorry this type of bovine excrement warrants a foad to the writers.
Strictly speaking, the Wassenaar Arrangement is an international agreement, not a treaty. Within the framework it creates, there is latitude in how it is implemented in national regulations.
Europe and the rest of the members of the Waasenaar have the national discretion not to shoot themselves in the foot. And except for the UK, are most likely to exercise it.
The countries who are not members, particularly China, must be ecstatic.
Strictly speaking it is a treaty not an agreement. Agreements have no status as international law and are worth even less than the paper on which treaties are written. Playing with words is the con man's scheme to convince you that male bovine waste smells like roses.
Biting the hand that feeds IT © 1998–2017