HP Drops Support For Hacking Competition As Wassenaar Arrangement Continues To Make Computing Less Safe
from the things-will-get-worse-before-they-get...-worse dept
An international agreement to treat certain software as weaponized is well on its way towards making computing less safe. Recent changes to the Wassenaar Arrangement — originally crafted to regulate the sale of actual weapons — have targeted exploits and malware. The US’s proposed adoption of the Arrangement expands on the definitions of targeted “weapons,” threatening to criminalize the work done by security researchers. While the Arrangement will likely have little effect on keeping weaponized software out of the hands of blacklisted entities, it could easily result in a laptop full of security research being treated like a footlocker full of assault weapons.
Other countries aren’t doing much better with their local versions of the Arrangement. Japan’s proposed adoption appears to be just as bad as the US government’s first draft. Concerns over Japan’s interpretation of the Wassenaar Arrangement have led a major computer manufacturer to pull its support from a long-running hackers’ conference, as Dan Goodin reports.
The next scheduled Pwn2Own hacking competition has lost Hewlett-Packard as its longstanding sponsor amid legal concerns that the company could run afoul of recent changes to an international treaty that governs software exploits.
Dragos Ruiu, organizer of both Pwn2Own and the PacSec West security conference in Japan, said HP lawyers spent more than $1 million researching the recent changes to the so-called Wassenaar Arrangement. He said they ultimately concluded that the legal uncertainty and compliance hurdles were too high for them to move forward.
Ruiu points out HP didn’t pull out of the Canadian leg of Pwn2Own, most likely because Canada’s implementation was more streamlined and well-written than Japan’s, which he calls “vague and cumbersome.” The loss of a major sponsor makes it that much harder for hackers to gather and for vulnerabilities to be exposed and fixed.
Loosely-worded implementations of the Arrangement are only going to make general computing less secure. Those finding and using exploits for criminal reasons aren’t going to comply with new directives any more than they comply with existing laws, so the only people really affected by these new rules will be those using their skills for good.
Filed Under: computer security, hacking, pwn2own, wassenaar
Companies: hp
Comments on “HP Drops Support For Hacking Competition As Wassenaar Arrangement Continues To Make Computing Less Safe”
Why do governments think that claiming control over dangerous things prevents their use by non-government and disliked government actors?
Re: Re:
It’s just the usual politician-fishing-for-publicity crap.
Who knows, maybe the US wants to have an exclusive right on selling software to terrorists. They do it with weapons now, may want to expand the business…
Re: Re: Re:
I think it’s somewhat more subtle than that. Part of the issue is that our spy agencies are relying on undocumented zero-day exploits to write their tools. Every time a security researcher publicly documents a bug, there’s a risk that our spying tools will stop working and/or become exposed. Stuxnet was a particularly embarrassing example — security researchers exposed the US government deliberately sabotaging another country’s nuclear program.
Of course, weakening the security of the world’s computers in exchange for easier spying is a really stupid idea. But the people who are pushing for these rules are the same people who brought us the Cold War.
Re: Re:
When your purpose is tyranny, any silly excuse will do. Anyone’s actual use of dangerous things is irrelevant. Will those who were responsible for protecting the Office of Personnel Management go to jail for their laziness and incompetence? No. People like that demonstrate the need for silliness like this. They’re enablers.
Re: Re: Re:
I think you misspelled disablers. 😉
Hmmmm,
So when a customer hands over a computer infected with malware to a technician (presumably for removal) could they both be charged with weapons trafficking?
Re: Hmmmm,
and if your cellphone/tablet/laptop runs Kali Linux while passing a US airpor…
you will be kidnapped into Guantanamo
While I fully agree with the idea expressed here, the same argument is used against gun control laws in the US.
As I am not from the US but from a country with strict gun control laws (Switzerland) and as I find that the absence of such laws in the US make that country less safe rather than more, I am a bit conflicted about the use of that argument in the context of IT security as in that field the reverse holds.
Maybe it just means that although it provides an intuitive metaphor, the term “weaponized software” is not accurate enough to describe what it really is.
Re: Re:
The difference is that any idiot can use a gun.
btw, doesn’t Switzerland have a gun-for-everyone policy?
Re: Re: New NRA Slogan
This absolutely has to be the NRA’s new slogan!!
“Any idiot can use a gun“
Re: Re: Re:
Any idiot (“script kiddie” or “skiddie” now, apparently) can run a shell script too. Neither presumes they know what they’re doing.
Re: Re:
There’s a profound difference between a physical object and knowledge (expressed verbally, in written form, in digital form, in a program, in a document, etc.). Trying to control the latter is censorship and is doomed to fail, even more so in 2015 thanks to the enormous number of ways to move vast quantities of knowledge anywhere in the world quickly.
The analogy is so flawed that it doesn’t work.
Re: Re: Re:
That didn’t stop them from executing the Rosenbergs. Reality doesn’t have to be an impediment when you’re government.
Re: Re:
Yes, the argument that a law is pointless because criminals don’t obey laws is stupid no matter what law is being discussed. To make that argument is to argue that there should be no laws whatsoever.
Re: Re: Re:
Not really. Some laws concern immediate harm to a victim (murder, breaking and entering, etc.), while others attempt to address future harm indirectly by criminalizing possession of certain tools that may be used in the commission of such crimes (guns, locksmith tools, etc.).
Because possession of such tools does not result in direct harm to another, it is often the case that such tools may be obtained clandestinely at significantly less risk of discovery than for committing the intended crime. In that case, it stands to reason that those who commit crimes will look upon illegal possession of a tool as a minor risk.
Re: Re: Re:
How about the argument a law is pointless when those that enforce the law do not follow it themselves?
Re: Re: Re:
You have oversimplified things.
Banning guns or “hacker tools”, things that can be used for good or evil, is pointless because criminals don’t follow laws.
A blanket ban on hacker tools is useless, a ban on using hacker tools in the commission of a crime is a useful deterrent.
Someone using hacker tools to test the bank’s security is good, using those same tools to steal the bank’s money is evil.
So yea, banning something that might be used for evil is as useful as having no laws whatsoever.
Re: Re: Re: Re:
Banning something that might be used for evil isn’t totally useless. The benefits and costs of banning, allowing, or regulating something must be weighed. As an example, consider the possession of nukes. Due to the properties of nukes (expense, complexity, etc) banning nukes means effectively nobody will have one. The benefit of citizens not having nukes is that a citizenly detonation is impossible. The cost is…people can’t have functional nukes to look at in their home.
The problem in the situation the article mentions is that the cost of regulation exceeds the benefit. The regulation will stop almost no malicious entity from getting the tools primarily because the tools are easy to hide and copy. Maybe a few inexperienced hackers would be stopped. The cost of regulation is reduced security testing and research resulting in more insecure software. The damage resulting from increased breaches due to insecure software will not be offset by the small number of weak hackers stopped. It’s a net loss, and a dumb idea.
Re: manure
This is manure.
In Switzerland everybody has at least a couple of army rifles.
Everybody does shooting, and the government sponsors shooting events.
Leave expertise to the experts
I think the issue is not just that it’s wrong for politicians to make computer security decisions. The main problem is that we let politicians make political decisions.
Re: Leave expertise to the experts
… we let politicians make any decisions.
FTFY.
Of course they will exempt themselves from any such restrictions as they will probably claim that will make their job harder if they are expected to follow the laws they enforce at the point of a gun on everyone else.
grins
at my 7 gb arsenal lol what a laugh
Re: grins
Yea that AR 7G is pretty awesome!
Personally I like the Sub 2000 TB 256 AES
Lays down good suppressive fire against assaults of mass computing.
Car Analogy
The president used nine pens to sign the new historic law banning all automotive crashes, intentional or otherwise.
In related news, the Insurance Institute for Highway Safety has closed its doors, stating “Your guess is as good as mine on what car is safest; it’s illegal to test them, so no more safety ratings.”
In other news, GM stock rises to all-time highs after they announced that no future research money will be invested in increasing vehicle safety. The CEO stated “No one will ever crash a car again since it’s illegal. With crashes eliminated there is no need for additional safety improvements and we can return to our roots of cutting every corner possible to make the cheapest (pun intended) car possible.”
Re: Car Analogy
I’m wary of analogies, but in this case, you’ve nailed it exactly.
…The loss of a major sponsor makes it that much harder for hackers to gather and for vulnerabilities to be exposed and fixed…
Defcon and Black Hat don’t seem to have that problem.
Re: Re:
Which is why the very first topic of conversation in the Def Con keynote was the dangers of the Wassenaar agreement to all security researchers?
Any chance we could get Windows added onto the list of exploits and malware targeted by the agreement? It’s little more than one giant piece of spyware now, especially Windows 10.