HP Drops Support For Hacking Competition As Wassenaar Arrangement Continues To Make Computing Less Safe
from the things-will-get-worse-before-they-get...-worse dept
An international agreement to treat certain software as weaponized is well on its way towards making computing less safe. Recent changes to the Wassenaar Arrangement -- originally crafted to regulate the sale of actual weapons -- have targeted exploits and malware. The US's proposed adoption of the Arrangement expands on the definitions of targeted "weapons," threatening to criminalize the work done by security researchers. While the Arrangement will likely have little effect on keeping weaponized software out of the hands of blacklisted entities, it could easily result in a laptop full of security research being treated like a footlocker full of assault weapons.
Other countries aren't doing much better with their local versions of the Arrangement. Japan's proposed adoption appears to be just as bad as the US government's first draft. Concerns over Japan's interpretation of the Wassenaar Arrangement has led to a major computer manufacturer pulling its support from a long-running hackers' conference, as Dan Goodin reports.
The next scheduled Pwn2Own hacking competition has lost Hewlett-Packard as its longstanding sponsor amid legal concerns that the company could run afoul of recent changes to an international treaty that governs software exploits.
Dragos Ruiu, organizer of both Pwn2Own and the PacSec West security conference in Japan, said HP lawyers spent more than $1 million researching the recent changes to the so-called Wassenaar Arrangement. He said they ultimately concluded that the legal uncertainty and compliance hurdles were too high for them to move forward.
Ruiu points out HP didn't pull out of the Canadian leg of Pwn2Own, most likely because Canada's implementation was more streamlined and well-written than Japan's, which he calls "vague and cumbersome." The loss of a major sponsor makes it that much harder for hackers to gather and for vulnerabilities to be exposed and fixed.
Loosely worded implementations of the Arrangement are only going to make general computing less secure. Those finding and using exploits for criminal reasons aren't going to comply with new directives any more than they comply with existing laws, so the only people really affected by these new rules will be those using their skills for good.
Reader Comments
The First Word
Car Analogy
The president used nine pens to sign the new historic law banning all automotive crashes, intentional or otherwise. In related news, the Insurance Institute for Highway Safety has closed its doors, stating "Your guess is as good as mine on what car is safest; it's illegal to test them, so no more safety ratings."
In other news, GM stock rises to all-time highs after they announced that no future research money will be invested in increasing vehicle safety. The CEO stated "No one will ever crash a car again since it's illegal. With crashes eliminated there is no need for additional safety improvements and we can return to our roots of cutting every corner possible to make the cheapest (pun intended) car possible."
Re:
Who knows, maybe the US wants to have an exclusive right on selling software to terrorists. They do it with weapons now, may want to expand the business...
Re: Re:
Of course, weakening the security of the world's computers in exchange for easier spying is a really stupid idea. But the people who are pushing for these rules are the same people who brought us the Cold War.
Re:
When your purpose is tyranny, any silly excuse will do. Anyone's actual use of dangerous things is irrelevant. Will those who were responsible for protecting the Office of Personnel Management go to jail for their laziness and incompetence? No. People like that demonstrate the need for silliness like this. They're enablers.
Hmmmm,
Re: Hmmmm,
you will be kidnapped into Guantanamo
While I fully agree with the idea expressed here, the same argument is used against gun control laws in the US.
As I am not from the US but from a country with strict gun control laws (Switzerland), and as I find that the absence of such laws in the US makes that country less safe rather than more, I am a bit conflicted about the use of that argument in the context of IT security, as in that field the reverse holds.
Maybe it just means that although it provides an intuitive metaphor, the term "weaponized software" is not accurate enough to describe what it really is.
Re:
btw, doesn't Switzerland have a gun-for-everyone policy?
Re: Re: New NRA Slogan
"Any idiot can use a gun"
Re: Re:
Any idiot ("script kiddie" or "skiddie" now, apparently) can run a shell script too. Neither presumes they know what they're doing.
Re:
The analogy is so flawed that it doesn't work.
Re: Re:
That didn't stop them from executing the Rosenbergs. Reality doesn't have to be an impediment when you're government.
Re: Re:
Because possession of such tools does not result in direct harm to another, it is often the case that such tools may be obtained clandestinely at significantly less risk of discovery than for committing the intended crime. In that case, it stands to reason that those who commit crimes will look upon illegal possession of a tool as a minor risk.
Re: Re:
Banning guns or "hacker tools", things that can be used for good or evil, is pointless because criminals don't follow laws.
A blanket ban on hacker tools is useless; a ban on using hacker tools in the commission of a crime is a useful deterrent.
Someone using hacker tools to test the bank's security is good; using those same tools to steal the bank's money is evil.
So yea, banning something that *might* be used for evil is as useful as having no laws whatsoever.
Re: Re: Re:
The problem in the situation the article mentions is that the cost of regulation exceeds the benefit. The regulation will stop almost no malicious entity from getting the tools, primarily because the tools are easy to hide and copy. Maybe a few inexperienced hackers would be stopped. The cost of regulation is reduced security testing and research, resulting in more insecure software. The damage resulting from increased breaches due to insecure software will not be offset by the small number of weak hackers stopped. It's a net loss, and a dumb idea.
Re: manure
In Switzerland everybody has at least a couple of army rifles.
Everybody does shooting, and the government sponsors shooting events.
Leave expertise to the experts
Re: Leave expertise to the experts
FTFY.
grins
Re: grins
Personally I like the Sub 2000 TB 256 AES
Lays down good suppressive fire against assaults of mass computing.
Defcon and Black Hat don't seem to have that problem.