
Overhaul Wassenaar or ruin next Heartbleed fix, top policy boffin says

Stop crooks, not 100 cross-border collaboration during crises

Kiwicon Additional exemptions to the much-feared Wassenaar Arrangement will do nothing to protect far-flung security professionals critical to crushing dangerous Heartbleed-esque bugs, according to infosec policy-buff Katie Moussouris.

The Hacker One chief policy officer is spearheading the security industry's global response to the Wassenaar Arrangement, a global agreement to limit the movement of weaponry that is being extended to cover security vulnerabilities, software, and exploits.

Moussouris (@k8em0) is the globe-trotter among a cadre of security types who are lobbying signature countries to ensure the Arrangement does not needlessly hinder the complex world of security vulnerability discovery and remediation.

Hackers fear the Arrangement will crimp vital security research and have lobbied signature countries to consider the ramifications of becoming signatories.

Speaking at the Kiwicon security confab in Wellington today, Moussouris said the Arrangement will, in its current form, severely hinder the identification and repair of major software security flaws that affect scores of people, work that occurs on a daily or weekly basis.

Katie Moussouris. Photo: Darren Pauli / The Register.

She said the Arrangement requires an overhaul, adding that so-called emergency exemptions that allow controlled goods to be quickly deployed – such as radar units sent to Haiti after the 2010 earthquake – will not apply to the globally-coordinated security vulnerability research that occurs daily.

"Multivendor vulnerability research is a situation where you won't know who the coordination partners are ahead of time – there were something like 100 partners in the case of Heartbleed," Moussouris says.

"Are they (Wassenaar officials) prepared to grant emergency exemptions like nine times a day for multi-vendor coordination? They didn't have a good answer."

“There are places where the exemptions just won't work and that means we have to go back and change Wassenaar – we have to get that piece removed that says intrusion software technology which is a drag net.”

Moussouris says even those countries that have to date managed to make Wassenaar largely compatible with their local industries are still at risk of butting heads with critical research should the US bork its implementation and not address the fallibility of exemptions.

She met with Australian defence officials last week ahead of Kiwicon and told Vulture South Canberra is on “the same page” with her concern over exemptions.

Moussouris says supply chain development is also under threat because of the global distribution of developers, who could, unbeknown to researchers, be located in Wassenaar-controlled countries.

Exemptions can work in some areas of the Arrangement; she has proposed fixes to remove mind-blowing intra-company rules that could prevent staff from discussing vulnerabilities with colleagues based on an employee's country of origin.

The complexities of Wassenaar, coupled with industry fear-mongering, have resulted in some competent but unnamed researchers no longer disclosing vulnerabilities for fear of prosecution.

Indeed, some hackers did not attend the recent mobile Pwn2Own competition at PacSecWest since they would have been carrying exploit material to the Tokyo event.

Canberra will meet later this month to discuss the latest proposals including Moussouris' work and will move to set amendments in stone early next year. ®
