Tuesday, January 26, 2016

The Elephant in the Room

This here is an elephant in the womb. So cute!

Wassenaar has been a learning experience for everyone involved. Everyone, that is, except the State Department. While Commerce has reached out and been quite open that they thought the initial rule was unlikely to be good, the State Department, which negotiated it in the first place, is as opaque as possible.

Look, there are three major companies in the States that sell penetration testing products. State called none of them before negotiating the rule, and I don't know why people think we can trust them to negotiate the next iteration, other than just ripping it up.

Any language that goes into this agreement is going to have subtle and complex issues that affect many segments of our industry. Do you trust State to understand the implications well enough to negotiate in real time on our behalf? Why would you?

I'll let you know when State finally makes an effort to reach out to those of us in the industry. Their claims of "We asked our technical advisory board" ring very hollow. You can't help but assume they knew for a fact their technical advisers were not experts in this area and just didn't care.

Friday, January 15, 2016

Will there be a zombie Wassenaar Rule?

We know from the House Hearing this week on Wassenaar that the rule is dead in the United States. But will its zombie haunt us from Europe? That's the question. Because American companies also need their European offices to not be hamstrung, which is why State needs to go back and renegotiate this whole bad dream away.

If you haven't seen the hearing, it is here:



To give you some background: The State Department is playing massive amounts of defense. For example, they tried to pull Ann Ganzer out from the hearing the day before, and substitute her with Vann Van Diepen, who in theory outranks her, but would allow State to say they don't know the details on how this debacle came about, and otherwise obfuscate the issue.

Congressional Staffers immediately saw through that ruse and subpoenaed her. But even trying it makes State look bad.

Mr. Van Diepen loves regulations. That's understating it a bit. His background is in Bio/Chem/Nuclear and he LOVES regulations like they are his grandchildren and thinks they can work everywhere, on everything. Nobody else in the room shared his opinions. It's also telling that while State ran their terrible ideas through their own technical advisory panel, they didn't stop to think that maybe calling a couple of companies who would be affected would be a good idea. For some reason it's up to every company to sit on every government board and advisory committee to keep them from making mistakes like this.

The fact is: I'm a highly public person in the community who runs one of the three companies most directly affected by this regulation, which State knows because THEY ARE A CUSTOMER. It is gross negligence for Ann Ganzer not to have reached out to me before the original language was finalized - and she has yet to do so even now. She claimed during the hearing that knowing what she knew then, she would have made the same choices, but if she knew then what she knew now, she would not. In other words: she didn't bother to learn enough about what she was regulating to make a wise choice.

So, sensing this level of commitment to making a rule that works for industry and is rooted in reality, the House committee told her in no uncertain terms where her next steps would be coming from: industry.

Her last argument is the same one we've covered before on this blog: "None of the other countries who have put this rule into place are having issues!" But of course, they also don't enforce their rules the way we do, and we covered the many reasons this argument doesn't fly in our previous blog post here.


"I....have no excuses for what I did. It seemed like a good idea at the time."

"I'm not sure if you're going to be in that chair next year. To be blunt."

Wednesday, January 6, 2016

When your strategy fails!

Cyber Regulation Debate


The best regulatory effort...
I want to point out two interesting elements of the recent fronts in the ongoing Cyber Policy War. The first is the baffling Wassenaar support from various human rights groups upset at a tiny Italian company named "HackerTeam".

Someone, I'm sure not at all connected to any of these human rights groups, tried to buttress their argument that penetration testing software should be export controlled by uber-double-ironically hacking into HackerTeam and releasing all of their internal emails and documents.

At first, this worked well: HackerTeam turned out to have a number of contracts with customers they had said they did not have (the Sudanese government, etc.).

However, it also demonstrated that HackerTeam had, in fact, gotten an export control license to do whatever they wanted, which completely undercut the whole rationale for the Wassenaar cyber regulations, and in the end, helped cripple support for it. It also pointed out that of course HackerTeam's biggest customers were Western agencies - and if they really wanted to kill off HackerTeam, they could just close their pocketbooks.

Encryption Debate

Likewise, the crypto debate has always had a number of supporters of key escrow threatening loudly "When a terrorist attack happens, and the terrorists use crypto, this law is going to get shoved down your throat, so you better prepare a nicer version of the law for us and promise to self regulate!"

The FBI Director has been the head cheerleader on this, but everyone else on the key escrow side has parroted these remarks. And lo and behold, once a terrorist attack happened we saw a MASSIVE push to pressure Apple and Google to change "their business model" to allow for key escrow/crypto backdoors.

But what also happened? JUNIPER. We still don't know how Juniper found the backdoor in their code. They claim "internal code review", which could very well be language that means "The NSA told us."

But what we do know is that they used a cryptographic primitive (DUAL_EC) that DOES provide for a "secure backdoor". It's the perfect key escrow! This is what the FBI is asking for! But having a perfect mathematical primitive doesn't help the engineering side of things.

The weakness everyone is complaining about is not a mathematical weakness. It's an engineering weakness. And the Juniper hack completely demonstrated the fragility you introduce when you implement a "cryptographic backdoor" in your system. Attackers then have a place to put implants into your network that is very hard to audit or control.
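To make the "perfect math, fragile engineering" point concrete, here is a toy Dual_EC-style generator added as an editor's example; it is not Juniper's code and not the real Dual_EC_DRBG. It swaps the elliptic curve for the order-q subgroup of Z_p^* with a small safe prime, so every step is a modular exponentiation; the constants P_MOD, Q_ORD and G, the escrow secrets d and the seeds are all constructed values, and the real algorithm's 16-bit output truncation (which only adds a 2^16 search) is left out. It shows both halves of the argument: with the escrow secret d, one leaked output yields every future output, and whoever can replace the Q constant in a shipped product replaces the escrow with their own while the original key stops working.

```python
"""Toy model of a Dual_EC-style DRBG with a 'secure backdoor'.

Constructed example; not Juniper's code and not the real Dual_EC_DRBG.
The structure mirrors Dual_EC_DRBG, with the curve replaced by the
order-q subgroup of Z_p^* for a small safe prime p = 2q + 1:

    Dual_EC                      this toy
    r      = x(s * P)            r      = P^s mod p
    s_next = x(r * P)            s_next = P^r mod p
    output = x(r * Q)            output = Q^r mod p

The trapdoor is the relation P = d * Q (here P = Q^d): anyone who knows
d turns one output into the next internal state.
"""

P_MOD = 10007   # safe prime p = 2*5003 + 1 (constructed, tiny on purpose)
Q_ORD = 5003    # prime order q of the subgroup we work in
G = 4           # a quadratic residue, so it generates the order-q subgroup


class ToyDualEC:
    """Generator side: holds the public constants P, Q and the secret state s."""

    def __init__(self, P, Q, seed):
        self.P, self.Q = P, Q
        self.s = seed % Q_ORD

    def next(self):
        r = pow(self.P, self.s, P_MOD)          # r = P^s
        self.s = pow(self.P, r, P_MOD) % Q_ORD  # s_next = P^r
        return pow(self.Q, r, P_MOD)            # output = Q^r (what the world sees)


def make_constants(d):
    """Pick Q and derive P = Q^d.  d is the escrow/backdoor secret."""
    Q = G
    P = pow(Q, d, P_MOD)
    return P, Q


def recover_state(output, d):
    """Escrow holder: output^d = Q^(r*d) = (Q^d)^r = P^r = s_next."""
    return pow(output, d, P_MOD) % Q_ORD


def predict_from_output(P, Q, d, output, n):
    """Clone the generator from a single observed output and run it forward."""
    clone = ToyDualEC(P, Q, recover_state(output, d))
    return [clone.next() for _ in range(n)]


def swap_q(P, new_d):
    """Constant swap: keep the standard P but pick a fresh Q' with P = Q'^new_d,
    so the escrow now belongs to whoever knows new_d.  Q' = P^(new_d^-1 mod q);
    the inverse comes from Fermat's little theorem since q is prime."""
    inv = pow(new_d, Q_ORD - 2, Q_ORD)
    return pow(P, inv, P_MOD)


def has_trapdoor(P, Q, d):
    """True if d is a valid escrow key for the constant pair (P, Q)."""
    return pow(Q, d, P_MOD) == P


if __name__ == "__main__":
    # 1. The "lawful" escrow: the party that chose the constants knows d.
    d = 1234                                  # constructed secret
    P, Q = make_constants(d)
    gen = ToyDualEC(P, Q, seed=4242)          # constructed seed
    seen = gen.next()                         # one output leaks (e.g. a nonce)
    truth = [gen.next() for _ in range(5)]
    print("prediction matches:", predict_from_output(P, Q, d, seen, 5) == truth)

    # 2. The engineering weakness: whoever can change Q in the product
    #    replaces the escrow with their own, and the original key is useless.
    d2 = 777                                  # constructed attacker secret
    Q2 = swap_q(P, d2)
    print("new Q fits new key:", has_trapdoor(P, Q2, d2))
    print("old key still fits:", has_trapdoor(P, Q2, d))
```

The defensive reading of `has_trapdoor` is that it only runs one way: given (P, Q) nobody can show that no such d exists, which is why constants without a verifiable derivation deserve suspicion, and why a single unreviewed change to them is a full compromise of every key the generator ever feeds. Code review and change control on those constants, not the math, is where the Juniper-style failure lives.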

And, of course, China jumped the gun by requiring key disclosure from companies - the exact thing technology companies have been wanting the US Government to help prevent, which is why they were so angry the FBI was taking the opposite position in the first place.

So now the conversation has swung the other way, but with an EVEN MORE pissed off technology lobby, during an election year no less.

In summary: The crypto backdoor conversation is not one the government can win, in any likely scenario. It is time to move on and deal with the consequences.