HP Drops Support For Hacking Competition As Wassenaar Arrangement Continues To Make Computing Less Safe

from the things-will-get-worse-before-they-get...-worse dept

An international agreement to treat certain software as weaponized is well on its way towards making computing less safe. Recent changes to the Wassenaar Arrangement -- originally crafted to regulate the sale of actual weapons -- have targeted exploits and malware. The US's proposed adoption of the Arrangement expands on the definitions of targeted "weapons," threatening to criminalize the work done by security researchers. While the Arrangement will likely have little effect on keeping weaponized software out of the hands of blacklisted entities, it could easily result in a laptop full of security research being treated like a footlocker full of assault weapons.

Other countries aren't doing much better with their local versions of the Arrangement. Japan's proposed adoption appears to be just as bad as the US government's first draft. Concerns over Japan's interpretation of the Wassenaar Arrangement have led to a major computer manufacturer pulling its support from a long-running hackers' conference, as Dan Goodin reports.

The next scheduled Pwn2Own hacking competition has lost Hewlett-Packard as its longstanding sponsor amid legal concerns that the company could run afoul of recent changes to an international treaty that governs software exploits.

Dragos Ruiu, organizer of both Pwn2Own and the PacSec West security conference in Japan, said HP lawyers spent more than $1 million researching the recent changes to the so-called Wassenaar Arrangement. He said they ultimately concluded that the legal uncertainty and compliance hurdles were too high for them to move forward.
Ruiu points out HP didn't pull out of the Canadian leg of Pwn2Own, most likely because Canada's implementation was more streamlined and well-written than Japan's, which he calls "vague and cumbersome." The loss of a major sponsor makes it that much harder for hackers to gather and for vulnerabilities to be exposed and fixed.

Loosely-worded implementations of the Arrangement are only going to make general computing less secure. Those finding and using exploits for criminal reasons aren't going to comply with new directives any more than they comply with existing laws, so the only people really affected by these new rules will be those using their skills for good.

Filed Under: computer security, hacking, pwn2own, wassenaar
Companies: hp


Reader Comments

  1. Anonymous Coward, 8 Sep 2015 @ 6:14am

    Why do governments think that claiming control over dangerous things prevents their use by non-government, and disliked government actors?

  2. Anonymous Coward, 8 Sep 2015 @ 6:25am

    Re:

    It's just the usual politician fishing for publicity crap.
    Who knows, maybe the US wants to have an exclusive right on selling software to terrorists. They do it with weapons now, may want to expand the business...

  3. Pondering, 8 Sep 2015 @ 7:01am

    Hmmmm,

    So when a customer hands over a computer infected with malware to a technician (presumably for removal) could they both be charged with weapons trafficking?

  4. Anonymous Coward, 8 Sep 2015 @ 7:20am

    Those finding and using exploits for criminal reasons aren't going to comply with new directives any more than they comply with existing laws, so the only people really affected by these new rules will be those using their skills for good.


    While I fully agree with the idea expressed here, the same argument is used against gun control laws in the US.

    As I am not from the US but from a country with strict gun control laws (Switzerland), and as I find that the absence of such laws in the US makes that country less safe rather than more, I am a bit conflicted about the use of that argument in the context of IT security, as in that field the reverse holds.

    Maybe it just means that although it provides an intuitive metaphor, the term "weaponized software" is not accurate enough to describe what it really is.

  5. Anonymous Hero, 8 Sep 2015 @ 7:26am

    Leave expertise to the experts

    I think the issue is not just that it's wrong for politicians to make computer security decisions. The main problem is that we let politicians make political decisions.

  6. Anonymous Coward, 8 Sep 2015 @ 7:44am

    Of course they will exempt themselves from any such restrictions as they will probably claim that will make their job harder if they are expected to follow the laws they enforce at the point of a gun on everyone else.

  7. Guardian, 8 Sep 2015 @ 7:56am

    grins

    at my 7 gb arsenal lol what a laugh

  8. tqk (profile), 8 Sep 2015 @ 7:56am

    Re:

    Why do governments think that claiming control over dangerous things prevent their use by non-government, and disliked government actors?

    When your purpose is tyranny, any silly excuse will do. Anyone's actual use of dangerous things is irrelevant. Will those who were responsible for protecting the Office of Personnel Management go to jail for their laziness and incompetence? No. People like that demonstrate the need for silliness like this. They're enablers.

  9. Anonymous Coward, 8 Sep 2015 @ 7:56am

    Re:

    The difference is that any idiot can use a gun.
    btw, doesn't Switzerland have a gun for everyone policy?

  10. Anonymous Coward, 8 Sep 2015 @ 8:01am

    Re: Re:

    I think you misspelled disablers. ;-)

  11. Anonymous Coward, 8 Sep 2015 @ 8:02am

    Re: Re: New NRA Slogan

    This absolutely has to be the NRA's new slogan!!

    "Any idiot can use a gun"

  12. Anonymous Coward, 8 Sep 2015 @ 8:06am

    Re:

    There's a profound difference between a physical object and knowledge (expressed verbally, in written form, in digital form, in a program, in a document, etc.). Trying to control the latter is censorship and is doomed to fail, even more so in 2015 thanks to the enormous number of ways to move vast quantities of knowledge anywhere in the world quickly.

    The analogy is so flawed that it doesn't work.

  13. tqk (profile), 8 Sep 2015 @ 8:17am

    Re: Re:

    The difference is that any idiot can use a gun.

    Any idiot ("script kiddie" or "skiddie" now, apparently) can run a shell script too. Neither presumes they know what they're doing.

  14. tqk (profile), 8 Sep 2015 @ 8:22am

    Re: Re:

    Trying to control the latter is censorship and is doomed to fail ...

    That didn't stop them from executing the Rosenbergs. Reality doesn't have to be an impediment when you're government.

  15. John Fenderson (profile), 8 Sep 2015 @ 8:26am

    Re:

    Yes, the argument that a law is pointless because criminals don't obey laws is stupid no matter what law is being discussed. To make that argument is to argue that there should be no laws whatsoever.

  16. Anonymous Coward, 8 Sep 2015 @ 8:41am

    Car Analogy

    The president used nine pens to sign the new historic law banning all automotive crashes, intentional or otherwise.

    In related news, the Insurance Institute for Highway Safety has closed its doors, stating "Your guess is as good as mine on what car is safest; it's illegal to test them, so no more safety ratings."

    In other news, GM stock rises to all-time highs after they announced that no future research money will be invested in increasing vehicle safety. The CEO stated "No one will ever crash a car again since it's illegal. With crashes eliminated there is no need for additional safety improvements, and we can return to our roots of cutting every corner possible to make the cheapest (pun intended) car possible."

  17. Anonymous Coward, 8 Sep 2015 @ 8:48am

    ...The loss of a major sponsor makes it that much harder for hackers to gather and for vulnerabilities to be exposed and fixed...

    Defcon and Black Hat don't seem to have that problem.

  18. Anonymous Coward, 8 Sep 2015 @ 10:06am

    Re:

    Which is why the *very first* topic of conversation in the Def Con keynote was the dangers of the Wassenaar agreement to all security researchers?

  19. Anonymous Coward, 8 Sep 2015 @ 10:13am

    Re: Re:

    I think it's somewhat more subtle than that. Part of the issue is that our spy agencies are relying on undocumented zero-day exploits to write their tools. Every time a security researcher publicly documents a bug, there's a risk that our spying tools will stop working and/or become exposed. Stuxnet was a particularly embarrassing example -- security researchers exposed the US government deliberately sabotaging another country's nuclear program.

    Of course, weakening the security of the world's computers in exchange for easier spying is a really stupid idea. But the people who are pushing for these rules are the same people who brought us the Cold War.

  20. Anonymous Coward, 8 Sep 2015 @ 10:48am

    Re: grins

    Yea that AR 7G is pretty awesome!

    Personally I like the Sub 2000 TB 256 AES.
    Lays down good suppressive fire against assaults of mass computing.

  21. Josh in CharlotteNC (profile), 8 Sep 2015 @ 10:57am

    Re: Leave expertise to the experts

    ... we let politicians make *any* decisions.

    FTFY.

  22. Josh in CharlotteNC (profile), 8 Sep 2015 @ 11:00am

    Re: Car Analogy

    I'm wary of analogies, but in this case, you've nailed it exactly.

  23. Adrian Lopez, 8 Sep 2015 @ 11:26am

    Re: Re:

    Not really. Some laws concern immediate harm to a victim (murder, breaking and entering, etc.), while others attempt to address future harm indirectly by criminalizing possession of certain tools that may be used in the commission of such crimes (guns, locksmith tools, etc.).

    Because possession of such tools does not result in direct harm to another, it is often the case that such tools may be obtained clandestinely at significantly less risk of discovery than for committing the intended crime. In that case, it stands to reason that those who commit crimes will look upon illegal possession of a tool as a minor risk.

  24. Swiss guy, 8 Sep 2015 @ 12:54pm

    Re: manure

    This is manure.
    In Switzerland everybody has at least a couple of army rifles.
    Everybody does shooting, and the government sponsors shooting events.

  25. trrrist, 8 Sep 2015 @ 12:57pm

    Re: Hmmmm,

    and if your cellphone/tablet/laptop runs kali linux while passing a US airpor...
    you will be kidnapped into Guantanamo

  26. TDR, 8 Sep 2015 @ 4:01pm

    Any chance we could get Windows added onto the list of exploits and malware targeted by the agreement? It's little more than one giant piece of spyware now, especially Windows 10.

  27. Anonymous Coward, 8 Sep 2015 @ 4:34pm

    Re: Re:

    How about the argument a law is pointless when those that enforce the law do not follow it themselves?

  28. Anonymous Coward, 8 Sep 2015 @ 6:19pm

    Re: Re:

    You have oversimplified things.
    Banning guns or "hacker tools", things that can be used for good or evil, is pointless because criminals don't follow laws.

    A blanket ban on hacker tools is useless, a ban on using hacker tools in the commission of a crime is a useful deterrent.

    Someone using hacker tools to test the bank's security is good; using those same tools to steal the bank's money is evil.

    So yea, banning something that *might* be used for evil is as useful as having no laws whatsoever.

  29. Anonymous Coward, 14 Sep 2015 @ 4:28pm

    Re: Re: Re:

    Banning something that might be used for evil isn't totally useless. The benefits and costs of banning, allowing, or regulating something must be weighed. As an example, consider the possession of nukes. Due to the properties of nukes (expense, complexity, etc) banning nukes means effectively nobody will have one. The benefit of citizens not having nukes is that a citizenly detonation is impossible. The cost is...people can't have functional nukes to look at in their home.

    The problem in the situation the article mentions is that the cost of regulation exceeds the benefit. The regulation will stop almost no malicious entity from getting the tools, primarily because the tools are easy to hide and copy. Maybe a few inexperienced hackers would be stopped. The cost of regulation is reduced security testing and research, resulting in more insecure software. The damage resulting from increased breaches due to insecure software will not be offset by the small number of weak hackers stopped. It's a net loss, and a dumb idea.
