HP Drops Support For Hacking Competition As Wassenaar Arrangement Continues To Make Computing Less Safe

from the things-will-get-worse-before-they-get...-worse dept

An international agreement to treat certain software as weaponized is well on its way towards making computing less safe. Recent changes to the Wassenaar Arrangement — originally crafted to regulate the sale of actual weapons — have targeted exploits and malware. The US’s proposed adoption of the Arrangement expands on the definitions of targeted “weapons,” threatening to criminalize the work done by security researchers. While the Arrangement will likely have little effect on keeping weaponized software out of the hands of blacklisted entities, it could easily result in a laptop full of security research being treated like a footlocker full of assault weapons.

Other countries aren’t doing much better with their local versions of the Arrangement. Japan’s proposed adoption appears to be just as bad as the US government’s first draft. Concerns over Japan’s interpretation of the Wassenaar Arrangement has led to a major computer manufacturer pulling its support from a long-running hackers’ conference, as Dan Goodin reports.

The next scheduled Pwn2Own hacking competition has lost Hewlett-Packard as its longstanding sponsor amid legal concerns that the company could run afoul of recent changes to an international treaty that governs software exploits.

Dragos Ruiu, organizer of both Pwn2Own and the PacSec West security conference in Japan, said HP lawyers spent more than $1 million researching the recent changes to the so-called Wassenaar Arrangement. He said they ultimately concluded that the legal uncertainty and compliance hurdles were too high for them to move forward.

Ruiu points out HP didn’t pull out of the Canadian leg of Pwn2Own, most likely because Canada’s implementation was more streamlined and well-written than Japan’s, which he calls “vague and cumbersome.” The loss of a major sponsor makes it that much harder for hackers to gather and for vulnerabilities to be exposed and fixed.

Loosely-worded implementations of the Agreement are only going to make general computing less secure. Those finding and using exploits for criminal reasons aren’t going to comply with new directives any more than they comply with exisiting laws, so the only people really affected by these new rules will be those using their skills for good.

Filed Under: , , ,
Companies: hp

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “HP Drops Support For Hacking Competition As Wassenaar Arrangement Continues To Make Computing Less Safe”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Re: Re: Re:

I think it’s somewhat more subtle than that. Part of the issue is that our spy agencies are relying on undocumented zero-day exploits to write their tools. Every time a security researcher publicly documents a bug, there’s a risk that our spying tools will stop working and/or become exposed. Stuxnet was a particularly embarrassing example — security researchers exposed the US government deliberately sabotaging another country’s nuclear program.

Of course, weakening the security of the world’s computers in exchange for easier spying is a really stupid idea. But the people who are pushing for these rules are the same people who brought us the Cold War.

tqk (profile) says:

Re: Re:

Why do governments think that claiming control over dangerous things prevent their use by non-government, and disliked government actors?

When your purpose is tyranny, any silly excuse will do. Anyone’s actual use of dangerous things is irrelevant. Will those who were responsible for protecting the Office of Personel Management go to jail for their laziness and incompetence? No. People like that demonstrate the need for silliness like this. They’re enablers.

Anonymous Coward says:

Those finding and using exploits for criminal reasons aren’t going to comply with new directives any more than they comply with exisiting laws, so the only people really affected by these new rules will be those using their skills for good.

While I fully agree with the idea expressed here, the same argument is used against gun control laws in the US.

As I am not from the US but from a country with strict gun control laws (Switzerland) and as I find that the absence of such laws in the US make that country less safe rather than more, I am a bit conflicted about the use of that argument in the context of IT security as in that field the reverse holds.

Maybe it just means that although it provides an intuitive metaphor, the term “weaponized software” is not accurate enough to describe what it really is.

Anonymous Coward says:

Re: Re:

There’s a profound difference between a physical object and knowledge (expressed verbally, in written form, in digital form, in a program, in a document, etc.). Trying to control the latter is censorship and is doomed to fail, even more so in 2015 thanks to the enormous number of ways to move vast quantities of knowledge anywhere in the world quickly.

The analogy is so flawed that it doesn’t work.

Adrian Lopez says:

Re: Re: Re:

Not really. Some laws concern immediate harm to a victim (murder, breaking and entering, etc.), while others attempt to address future harm indirectly by criminalizing possession of certain tools that may be used in the commission of such crimes (guns, locksmith tools, etc.).

Because possession of such tools does not result in direct harm to another, it is often the case that such tools may be obtained clandestinely at significantly less risk of discovery than for committing the intended crime. In that case, it stands to reason that those who commit crimes will look upon illegal possession of a tool as a minor risk.

Anonymous Coward says:

Re: Re: Re:

You have oversimplified things.
Banning guns or “hacker tools”, things that can be used for good or evil, is pointless because criminals don’t follow laws.

A blanket ban on hacker tools is useless, a ban on using hacker tools in the commission of a crime is a useful deterrent.

Someone using hacker tools to test the banks security is good, using those same tools to steal the banks money is evil.

So yea, banning something that might be used for evil is as useful as having no laws whatsoever.

Anonymous Coward says:

Re: Re: Re: Re:

Banning something that might be used for evil isn’t totally useless. The benefits and costs of banning, allowing, or regulating something must be weighed. As an example, consider the possession of nukes. Due to the properties of nukes (expense, complexity, etc) banning nukes means effectively nobody will have one. The benefit of citizens not having nukes is that a citizenly detonation is impossible. The cost is…people can’t have functional nukes to look at in their home.

The problem in the situation the article mentions is that the cost of regulation exceeds the benefit. The regulation will stop almost no malicious entity from getting the tools primarily because the tools are easy to hide and copy. Maybe a few inexperience hackers would be stopped. The cost of regulation is reduced security testing and research resulting in more insecure software. The damage resulting from increased breaches due to insucure software will not be offset by the small number of weak hackers stopped. It’s a net loss, and a dumb idea.

Anonymous Coward says:

Car Analogy

The president used nine pins to sign the new historic law banning all automovive crashes intentional or otherwise.

In related news The Insurance Institude for Highway Safety has closed its doors stating “Your guess is as good as mine on what car is safest, its illegal to test them so no more safety ratings”

In other news GM stock rises to all time highs after they announced that no future research money will be invested in increasing vehicle safety. They CEO stated “No one will ever crash a car again since its illegal. With crashes eleminated there is no need for additional safety improvements and we can return to our roots of cutting every corner possible to make the cheapest (pun intended) car possible.”

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...