[Owasp-leaders] [Owasp-board] The US wants to restrict exports of software vulnerabilities. But is that such a good idea?

Pawel Krawczyk pawel.krawczyk at hush.com
Sat May 23 08:37:58 UTC 2015


Hi Timo,

Looks like it’s targeted against companies trading zero-days to countries that might use them to attack critical infrastructure and disrupt power grids etc. While this sounds reasonable in its basic assumptions, the law is being written by people who may not understand how information security research works, which could effectively lead to a situation where publishing Metasploit on GitHub would be legally equivalent to exporting arms.

They are now in the public comments phase, so I’d encourage everyone to send a brief comment (https://www.federalregister.gov/articles/2015/05/20/2015-11642/wassenaar-arrangement-2013-plenary-agreements-implementation-intrusion-and-surveillance-items, green “Submit a formal comment” box, top right). Just remember you’re writing to lawyers.

What I wrote, for example, was that information security depends on the unrestricted exchange of scientific research results in the global infosec community. This involves full attack descriptions and computer programs implementing these attacks, but this research actually contributes to increasing our security, as penetration testing with such “offensive software” is a key requirement in the cybersecurity legislation of most countries. If anything should be restricted in this area, it could be the export of unpublished methods of attacking software whose publication is withheld to increase their market value. This is obviously about zero-day trading, and I believe if they feel like restricting anything, it should not even be the trading itself but sales of zero-days to the countries classified as hostile by Wassenaar.

> On 23 May 2015, at 08:42, Timo Goosen <timo.goosen at owasp.org> wrote:
> 
> I don't really understand what this law means and what the implications are.
> 
> On Fri, May 22, 2015 at 9:25 PM, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
> If we could interpret this to mean that US software companies who license their software abroad were no longer permitted to release them with vulnerabilities, then I'd be all for it. But why stop there? Let's push for "no more bugs" too while we're at it. ;-)
> 
> -kevin
> Sent from my Droid; please excuse typos.
> 
> On May 22, 2015 12:54 PM, "Bev Corwin" <bev.corwin at owasp.org> wrote:
> FYI:
> 
> The US wants to restrict exports of software vulnerabilities. But is that such a good idea?:
> http://pando.com/2015/05/21/the-us-wants-to-restrict-exports-of-software-vulnerabilities-but-is-that-such-a-good-idea/
> 
> Bev
> 
> 
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
> 
> 
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders


-- 
Pawel Krawczyk
pawel.krawczyk at hush.com +44 7879 180015
CISSP, OWASP, MBCS




