Intention of the agreement
If memory serves me right, the road to hell is paved by what...
Export regulations that threaten to hinder vulnerability research and exploit development have put hackers on edge ahead of the annual Pwn2Own contest. Operators of the hack-fest have reportedly issued an email warning to researchers to obtain legal advice about how the Wassenaar Arrangement, a 42-nation effort aimed at " …
Great idea tech companies and governments. Let's lower payments for malicious software discovery and ban the discussion of such tech to drive the talented kids who generate the stuff onto the streets. Give them no option but to actually use the stuff for no good purpose to generate a living wage.
Short sighted idiocy formulated by corporate accountants and marketing types who have no concept of IT or security beyond their X-Boxes.
... between the US and several other continents (and back) between late-1991 & mid-1993(ish). Not a single idiot in charge of so-called "security" even blinked.
Security theater, when you examine it, is absolutely hilarious.
I am not sure the Wassenar Agreement should be the one fingered here as it is pretty much down to national governments on how they regulate the export of dual use items. Like anyone else involved in defence or security, it is a VERY good idea to check what you are doing or taking with you does or does not require an export licence. With cyber defence being the new 'hot' thing, countries are tightening up on defence products relating to computer systems. Owning a browser or PC is not just for script kiddies, countries are doing it too and so hacking tools now have military/security applications and thus taking them with you to a convention may require a licence.
Remember all those stories about hacking and security tools being exported to [choose your repressive Middle East state here] who then used them to repress 'rebellious' citizens? The government will want to keep this sort of thing under control so any software/hardware you take with you that can do that sort of thing will be of interest. What it in your head cannot be licensed, but telling people how you did it can be. Be glad you are not in the US, breaking their export controls can put you in jail longer than for being a convicted rapist/thief etc!
But what if you are not "involved in defense" but merely report a vulnerability in some software.
Do you know need to become Mr Snowden to report a security flaw?
ps the spy software exported to middle eastern countries was detected by the government, IIRC the companies "advisor" on the deal was a former tory party leader.
"But what if you are not "involved in defense" but merely report a vulnerability in some software"
This is the very issue surrounding 'dual-use'. You may not be involved in defence business at all, but customs can (and will) stop you if they think something is dual use and at risk of ending up somewhere it shouldn't. They wont arrest you as you are not breaking any laws, but you will lose time and money as a result. Bit of an issue if you are meant to be going to a convention on a specific date!
The oil industry is one of several that finds itself with this problem because their gear can be dual-used to make fuels for missiles. Thus those companies put in for an export licence even though their equipment is only controlled under dual-use and supposedly going to a middle eastern oil field. Thus they try to get approval before sending the gear abroad, thus avoiding being stopped. They don't bother worrying about it if the gear is going to the US for example because dual-use is not just about the equipment, but also the end destination and that includes transit locations. (hint just because it is going to Dubai which has a huge port and not a lot else industry wise, does not mean that is the end destination!)
The advisors of the convention are advising attendees to check whether they should do the same. Bit of an overkill really because Canada is not exactly a hotbed of illicit weapons or dual-use equipment transfers, but I guess if the customs people of some governments are being anal enough then it is a good idea to get the paperwork sorted before it becomes a problem. The licence is not likely to be refused, but you may be stopped for not having one.
Remember all those stories about hacking and security tools being exported to [choose your repressive Middle East state here] who then used them to repress 'rebellious' citizens? The government will want to keep this sort of thing under control...
You are mistaken. These were security tools duly licensed and exported under full cognizance of said government, and fuck the people ending up in torture chambers. "Keep it under control" they would. To tax the sale.
It's basically unenforceable. The presumes that unless you tell the security/customs people what's on your laptop, they won't know as none of them have the technical expertise to find it. On the other hand, you put the file in say Dropbox, grab your clean laptop and go. Download before the meeting and wipe after the meeting.
I'm also curious is "exporting" could mean sending malware in a email, etc. from one country to another? Again, how would they enforce this?
It's bafflegab meant to make someone (the sponsors of the legislation) feel important and that they are doing something.
> how would they enforce this?
Randomly and capriciously, when they decide to go after someone who has pissed them off. But otoh, Wassenaar is very old news, so making a big deal of it now for this particular event is a political choice. (Just as Citizen Four made a political choice, one I admire, and like the PGP T-shirt, which was intentionally provocative.)
Biting the hand that feeds IT © 1998–2021