HP Drops Support For Hacking Competition As Wassenaar Arrangement Continues To Make Computing Less Safe

from the things-will-get-worse-before-they-get...-worse dept

An international agreement to treat certain software as weaponized is well on its way towards making computing less safe. Recent changes to the Wassenaar Arrangement -- originally crafted to regulate the sale of actual weapons -- have targeted exploits and malware. The US's proposed adoption of the Arrangement expands on the definitions of targeted "weapons," threatening to criminalize the work done by security researchers. While the Arrangement will likely have little effect on keeping weaponized software out of the hands of blacklisted entities, it could easily result in a laptop full of security research being treated like a footlocker full of assault weapons.

Other countries aren't doing much better with their local versions of the Arrangement. Japan's proposed adoption appears to be just as bad as the US government's first draft. Concerns over Japan's interpretation of the Wassenaar Arrangement has led to a major computer manufacturer pulling its support from a long-running hackers' conference, as Dan Goodin reports.

The next scheduled Pwn2Own hacking competition has lost Hewlett-Packard as its longstanding sponsor amid legal concerns that the company could run afoul of recent changes to an international treaty that governs software exploits.

Dragos Ruiu, organizer of both Pwn2Own and the PacSec West security conference in Japan, said HP lawyers spent more than $1 million researching the recent changes to the so-called Wassenaar Arrangement. He said they ultimately concluded that the legal uncertainty and compliance hurdles were too high for them to move forward.
Ruiu points out HP didn't pull out of the Canadian leg of Pwn2Own, most likely because Canada's implementation was more streamlined and well-written than Japan's, which he calls "vague and cumbersome." The loss of a major sponsor makes it that much harder for hackers to gather and for vulnerabilities to be exposed and fixed.

Loosely-worded implementations of the Agreement are only going to make general computing less secure. Those finding and using exploits for criminal reasons aren't going to comply with new directives any more than they comply with exisiting laws, so the only people really affected by these new rules will be those using their skills for good.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: computer security, hacking, pwn2own, wassenaar
Companies: hp


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 8 Sep 2015 @ 6:14am

    Why do governments think that claiming control over dangerous things prevent their use by non-government, and disliked government actors?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 8 Sep 2015 @ 6:25am

      Re:

      Its just the usual politician fishing for publicity crap.
      Who knows, maybe the US wants to have an exclusive right on selling software to terrorists. They do it with weapons now, may want to expand the business...

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 8 Sep 2015 @ 10:13am

        Re: Re:

        I think it's somewhat more subtle than that. Part of the issue is that our spy agencies are relying on undocumented zero-day exploits to write their tools. Every time a security researcher publicly documents a bug, there's a risk that our spying tools will stop working and/or become exposed. Stuxnet was a particularly embarrassing example -- security researchers exposed the US government deliberately sabotaging another country's nuclear program.

        Of course, weakening the security of the world's computers in exchange for easier spying is a really stupid idea. But the people who are pushing for these rules are the same people who brought us the Cold War.

        reply to this | link to this | view in chronology ]

    • icon
      tqk (profile), 8 Sep 2015 @ 7:56am

      Re:

      Why do governments think that claiming control over dangerous things prevent their use by non-government, and disliked government actors?

      When your purpose is tyranny, any silly excuse will do. Anyone's actual use of dangerous things is irrelevant. Will those who were responsible for protecting the Office of Personel Management go to jail for their laziness and incompetence? No. People like that demonstrate the need for silliness like this. They're enablers.

      reply to this | link to this | view in chronology ]

  • identicon
    Pondering, 8 Sep 2015 @ 7:01am

    Hmmmm,

    So when a customer hands over a computer infected with malware to a technician (presumably for removal) could they both be charged with weapons trafficking?

    reply to this | link to this | view in chronology ]

    • identicon
      trrrist, 8 Sep 2015 @ 12:57pm

      Re: Hmmmm,

      and if your cellphone/tablet/laptop runs kali linux while passing a US airpor...
      you will be kidnapped into Guantanamo

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 8 Sep 2015 @ 7:20am

    Those finding and using exploits for criminal reasons aren't going to comply with new directives any more than they comply with exisiting laws, so the only people really affected by these new rules will be those using their skills for good.


    While I fully agree with the idea expressed here, the same argument is used against gun control laws in the US.

    As I am not from the US but from a country with strict gun control laws (Switzerland) and as I find that the absence of such laws in the US make that country less safe rather than more, I am a bit conflicted about the use of that argument in the context of IT security as in that field the reverse holds.

    Maybe it just means that although it provides an intuitive metaphor, the term "weaponized software" is not accurate enough to describe what it really is.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 8 Sep 2015 @ 7:56am

      Re:

      The difference is that any idiot can use a gun.
      btw, doesnt switzerland has a gun for everyone policy?

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 8 Sep 2015 @ 8:02am

        Re: Re: New NRA Slogan

        This absolutely has to be the NRA's new slogan!!

        "Any idiot can use a gun"

        reply to this | link to this | view in chronology ]

      • icon
        tqk (profile), 8 Sep 2015 @ 8:17am

        Re: Re:

        The difference is that any idiot can use a gun.

        Any idiot ("script kiddie" or "skiddie" now, apparently) can run a shell script too. Neither presumes they know what they're doing.

        reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 8 Sep 2015 @ 8:06am

      Re:

      There's a profound difference between a physical object and knowledge (expressed verbally, in written form, in digital form, in a program, in a document, etc.). Trying to control the latter is censorship and is doomed to fail, even more so in 2015 thanks to the enormous number of ways to move vast quantities of knowledge anywhere in the world quickly.

      The analogy is so flawed that it doesn't work.

      reply to this | link to this | view in chronology ]

      • icon
        tqk (profile), 8 Sep 2015 @ 8:22am

        Re: Re:

        Trying to control the latter is censorship and is doomed to fail ...

        That didn't stop them from executing the Rosenbergs. Reality doesn't have to be an impediment when you're government.

        reply to this | link to this | view in chronology ]

    • icon
      John Fenderson (profile), 8 Sep 2015 @ 8:26am

      Re:

      Yes, the argument that a law is pointless because criminals don't obey laws is stupid no matter what law is being discussed. To make that argument is to argue that there should be no laws whatsoever.

      reply to this | link to this | view in chronology ]

      • identicon
        Adrian Lopez, 8 Sep 2015 @ 11:26am

        Re: Re:

        Not really. Some laws concern immediate harm to a victim (murder, breaking and entering, etc.), while others attempt to address future harm indirectly by criminalizing possession of certain tools that may be used in the commission of such crimes (guns, locksmith tools, etc.).

        Because possession of such tools does not result in direct harm to another, it is often the case that such tools may be obtained clandestinely at significantly less risk of discovery than for committing the intended crime. In that case, it stands to reason that those who commit crimes will look upon illegal possession of a tool as a minor risk.

        reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 8 Sep 2015 @ 4:34pm

        Re: Re:

        How about the argument a law is pointless when those that enforce the law do not follow it themselves?

        reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 8 Sep 2015 @ 6:19pm

        Re: Re:

        You have oversimplified things.
        Banning guns or "hacker tools", things that can be used for good or evil, is pointless because criminals don't follow laws.

        A blanket ban on hacker tools is useless, a ban on using hacker tools in the commission of a crime is a useful deterrent.

        Someone using hacker tools to test the banks security is good, using those same tools to steal the banks money is evil.

        So yea, banning something that *might* be used for evil is as useful as having no laws whatsoever.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 14 Sep 2015 @ 4:28pm

          Re: Re: Re:

          Banning something that might be used for evil isn't totally useless. The benefits and costs of banning, allowing, or regulating something must be weighed. As an example, consider the possession of nukes. Due to the properties of nukes (expense, complexity, etc) banning nukes means effectively nobody will have one. The benefit of citizens not having nukes is that a citizenly detonation is impossible. The cost is...people can't have functional nukes to look at in their home.

          The problem in the situation the article mentions is that the cost of regulation exceeds the benefit. The regulation will stop almost no malicious entity from getting the tools primarily because the tools are easy to hide and copy. Maybe a few inexperience hackers would be stopped. The cost of regulation is reduced security testing and research resulting in more insecure software. The damage resulting from increased breaches due to insucure software will not be offset by the small number of weak hackers stopped. It's a net loss, and a dumb idea.

          reply to this | link to this | view in chronology ]

    • identicon
      Swiss guy, 8 Sep 2015 @ 12:54pm

      Re: manure

      This is manure.
      In Switzerland everybody has at least a couple of army rifles.
      Everybody does shooting, and the government sponsors shooting events.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Hero, 8 Sep 2015 @ 7:26am

    Leave expertise to the experts

    I think the issue is not just that it's wrong for politicians to make computer security decisions. The main problem is that we let politicians make political decisions.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 8 Sep 2015 @ 7:44am

    Of course they will exempt themselves from any such restrictions as they will probably claim that will make their job harder if they are expected to follow the laws they enforce at the point of a gun on everyone else.

    reply to this | link to this | view in chronology ]

  • identicon
    Guardian, 8 Sep 2015 @ 7:56am

    grins

    at my 7 gb arsenal lol what a laugh

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 8 Sep 2015 @ 10:48am

      Re: grins

      Yea that AR 7G is pretty awesome!

      Personally I like the Sub 2000 TB 256 AES
      Lays down good supressive fire against asaults of mass computing.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 8 Sep 2015 @ 8:41am

    Car Analogy

    The president used nine pins to sign the new historic law banning all automovive crashes intentional or otherwise.

    In related news The Insurance Institude for Highway Safety has closed its doors stating "Your guess is as good as mine on what car is safest, its illegal to test them so no more safety ratings"


    In other news GM stock rises to all time highs after they announced that no future research money will be invested in increasing vehicle safety. They CEO stated "No one will ever crash a car again since its illegal. With crashes eleminated there is no need for additional safety improvements and we can return to our roots of cutting every corner possible to make the cheapest (pun intended) car possible."

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 8 Sep 2015 @ 8:48am

    ...The loss of a major sponsor makes it that much harder for hackers to gather and for vulnerabilities to be exposed and fixed...

    Defcon and Black Hat don't seem to have that problem.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 8 Sep 2015 @ 10:06am

      Re:

      Which is why the *very first* topic of conversation in the Def Con keynote was the dangers of the Wassenaar agreement to all security researchers?

      reply to this | link to this | view in chronology ]

  • identicon
    TDR, 8 Sep 2015 @ 4:01pm

    Any chance we could get Windows added onto the list of exploits and malware malware targeted by the agreement? It's little more than one giant piece of spyware now, especially Windows 10.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Insider Shop - Show Your Support!

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.