Microsoft and pals re-write arms control pact to save infosec industry

Microsoft and a team of concerned engineers from across the security sector have joined forces to suggest a major re-write of the arms control pact the Wassenaar Arrangement, as they fear the document's terms are a threat to the information security industry. The pitch is the result of brainstorming by the group to redefine …

  1. MrDamage Silver badge

    how do I get my country on the "no sale" list?

    That way I can protect everyone from the spyware known as Win10.

    1. TheVogon

      Re: how do I get my country on the "no sale" list?

      "aims to stop the sale of exploitation software to restricted regimes with poor human-rights records"

      Won't the Americans and Israelis be a bit upset when they can't buy their favourite software?

  2. Anonymous Coward

    I won't sell you a weapon...

    ... but I'll let you download the blueprints to build it yourself.

    While I understand the reasons and motives of the infosec industry, that's exactly what would happen.

    While building a complex, physical weapon may require resources beyond the capabilities of many opponents (building a military plane or missile is not that easy, and requires fairly sophisticated technology), building software weapons when you have the basic, difficult-to-research pieces ready may still be a little complex, but not very difficult.

    Look at how a relatively small group of crooks can build sophisticated attack tools (Angler, Neutrino, etc.) - after all, all you need is a small group of decent developers, some PCs and some tools you can easily find, like a compiler. Hacking Team developers may have been good ones - but you don't really need outstanding ones.

    The very difficult part is to find the useful vulnerabilities (and anyway some crooks have this capability as well) and understand how to use them. Then, everything can be "left as an exercise for the reader" - and some tools will make it even easier (such as some ROP "compilers").

    There's also a risk of asymmetric information, because while "good" infosec guys will release what they know, bad ones won't. So the bad ones will take advantage of the good ones' data, and not vice versa.

    Where to draw the line? It's very difficult. We have two very different interests colliding. And there's no very easy solution.

    1. Graham Cobb Silver badge

      Re: I won't sell you a weapon...

      I see your point but I don't think it is as hard to draw the line as you think.

      Wassenaar is not about stopping a gangster buying a gun. It is about stopping nation states buying extremely high-level weapons to use against other nations or their own people.

      So, it really doesn't need to be about preventing access to knowledge of vulnerabilities (after all, any information available in the US will be easy to get hold of elsewhere). Nor is it about stopping crooks building new attacks. It isn't even about stopping "bad" nations from creating their own "Hacking Team" -- as long as they are having to do their own development they will be some distance behind us. It is really about stopping commercial entities (such as the real Hacking Team) from developing and selling weapons to anyone who can pay.

      I think the issue will be over defensive uses: does Wassenaar really want to stop Microsoft etc. selling defenses against our weapons?

      1. Anonymous Coward

        It is about stopping nation states buying extremely high-level weapons

        Which makes my point: if you let them have the "blueprints" for high-level "cyberweapons" not so difficult to build with limited resources, we're back to square one.

        The problem with "cyberwarfare" is that it can be highly asymmetrical. The power is in the knowledge to create them, not in the resources and infrastructure needed to build enough weapons and maintain them. Resources come down to some software, maybe even free ones. You can use someone else's infrastructure when needed.

        You can stop Hacking Team sales, but to develop this kind of "weapon" all you really need is the exploits, and a few skilled enough developers. Why did some states just buy HT tools? Because of laziness, probably. And because of some interested "exchanges" between the states involved. Italy for example blocked an F-16 spare parts delivery to Egypt, but then green-lighted the sale of an Internet traffic monitoring system. F-16s don't look like the right tool to use against dissidents, while an Internet monitoring system does. My take? It was a wink to ISIS and others in Libya - "we don't support Egypt's air raids there, so please don't do anything bad here". In exchange, Egypt got tools to monitor the people it's interested in. Realpolitik? Maybe. A bad-smelling one anyway.

        But it shouldn't be very difficult for, say, Saudi Arabia to hire some Eastern European developers and code something similar. Others may already have.

        Actually, what troubles infosec people is that Wassenaar makes research tools and the research itself an issue, and I understand them. It also makes it a pain in the ass to export "dual use" products, and today maybe even Pokemon GO could be one.

        I'm not advocating "security by obscurity", but there are some disadvantages to understand, and we need to find how to tackle them to avoid giving too many unfair advantages to the "bad ones". It's not so much about stopping the sale of defenses, it's about avoiding finding out one day that your tools and your knowledge are being used against you - and it's already happening.

        It will be very difficult to find a good solution - especially when caught between the anvil of companies that would sell their mothers to anybody for money, and the hammer of governments that would like to control everything.

  3. Alister

    "'Intrusion delivery platforms' are defined as systems, equipment, components and software specifically designed for use in offensive intrusion and remote monitoring and that demonstrate elements of vulnerability exploitation, evasion, and enabling subversion or destruction."

    I think the revised description above still runs the risk of outlawing the use and dissemination of the vast majority of security software used by Pen Testers, Sysadmins etc.

    Think of Nmap, Nessus, and even Fiddler; they could all be caught by a broad interpretation of the passage above.

  4. NotBob

    Obligatory XKCD reference

    www.xkcd.com/504/
