Thursday, March 24, 2016

A checklist of scenarios for Wassenaar text judging

We all know that personally I think (along with most of the security community) that we would be much better off removing any language related to "intrusion software" from Wassenaar's export control regulations.

But people are putting together lots of texts to examine. However, in the software world, we do something called "Test Driven Development" - writing the tests first so you can tell if your software works by constantly running testing over it as you develop it. The list in this blog is solely concerned with "unintended capture". Basically all of these scenarios are banned by the current proposed US implementation, in case you wondered why the whole industry is up in arms about it and are new to this blog. Please help me add to it by sending me emails and tweets!


  • You are Kaspersky and you have captured a sample of Stuxnet. You send this to some researchers in Hungary to help you analyze it
  • You are a penetration tester for E&Y, and you want to buy and use CANVAS or Metasploit Pro while traveling to your customer sites, both domestically and abroad.
  • You are a researcher working for Booze Allen Hamilton, and you find an issue with a commonly used Korean word processor. You send an exploit for this to your Korean friend so he can talk to the vendor for you after making sure it really works.
  • You are Tavis Ormandy, and you travel to Singapore to give a talk on Antivirus Security, including demonstrating some 0day they won't fix
  • You work for Symantec and you turn your head to the left and talk to the H1-B employee who sits next to you about a vulnerability
  • You are a company that does threat intelligence and you send samples of various trojans and their C2's to your customers so they can help protect themselves
  • You run Blackhat and you want to have a conference and do trainings with an international crowd of people without running all your slides or attendees through the NSA for approval.
  • ...


No comments:

Post a Comment