HP Drops Support For Hacking Competition As Wassenaar Arrangement Continues To Make Computing Less Safe
from the things-will-get-worse-before-they-get...-worse dept
An international agreement to treat certain software as weaponized is well on its way towards making computing less safe. Recent changes to the Wassenaar Arrangement -- originally crafted to regulate the sale of actual weapons -- have targeted exploits and malware. The US's proposed adoption of the Arrangement expands on the definitions of targeted "weapons," threatening to criminalize the work done by security researchers. While the Arrangement will likely have little effect on keeping weaponized software out of the hands of blacklisted entities, it could easily result in a laptop full of security research being treated like a footlocker full of assault weapons.
Other countries aren't doing much better with their local versions of the Arrangement. Japan's proposed adoption appears to be just as bad as the US government's first draft. Concerns over Japan's interpretation of the Wassenaar Arrangement have led to a major computer manufacturer pulling its support from a long-running hackers' conference, as Dan Goodin reports.
The next scheduled Pwn2Own hacking competition has lost Hewlett-Packard as its longstanding sponsor amid legal concerns that the company could run afoul of recent changes to an international treaty that governs software exploits.
Dragos Ruiu, organizer of both Pwn2Own and the PacSec West security conference in Japan, said HP lawyers spent more than $1 million researching the recent changes to the so-called Wassenaar Arrangement. He said they ultimately concluded that the legal uncertainty and compliance hurdles were too high for them to move forward.
Ruiu points out HP didn't pull out of the Canadian leg of Pwn2Own, most likely because Canada's implementation was more streamlined and well-written than Japan's, which he calls "vague and cumbersome." The loss of a major sponsor makes it that much harder for hackers to gather and for vulnerabilities to be exposed and fixed.
Loosely-worded implementations of the Agreement are only going to make general computing less secure. Those finding and using exploits for criminal reasons aren't going to comply with new directives any more than they comply with existing laws, so the only people really affected by these new rules will be those using their skills for good.