Dailydave mailing list archives
Why you should fear the new regulations more than you think.
From: Dave Aitel <dave.aitel () gmail com>
Date: Thu, 18 Jun 2015 14:26:47 +0000
There were a few very telling moments in the BIS phone call yesterday about the new proposed "Cyber" regulations. One thing was that they are explicitly carving out a few things:

1. Metasploit and other free tools.
2. Exploits that pop a calc.
3. Vulnerability scanners that don't offer shells.
4. Fuzzers and web scanners.
5. Papers and stuff for academics that are eventually going to be made public.

A lot of their responses to questions (which they found highly amusing and giggly!) were repetitions of "why don't people understand our highly vague and convoluted regulation wording!?!" And, fair enough, many of the questions were very similar.

Some major strategic problems are still there, which you should be worried about:

1. Penetration testing tools are considered harmful. Despite being such a central part of operations that they are REQUIRED by PCI and many government regulations already, the current proposed regulations specifically and explicitly "default deny" all penetration testing tools on the market right now. It is telling that the US COMMERCE DEPARTMENT is pro "free things", but if you charge money for that very same thing, it is banned like plutonium. This is a rather extreme position, and not one validated by a common sense reading of the last decade of security operations.
2. Bug bounties where the information is kept secret are not allowed.
3. The regulatory agency draws a line between "supports exploits" and "supports 0day exploits" that does not have any technical value. There's no way to support exploitation and NOT 0day exploitation. They seem reluctant to discern or define what an 0day is as opposed to just an exploit, and the penalty is "default deny". Same with "rootkit". All current penetration testing frameworks "support 0day" under any definition of course, since they are so modular.
4. "Deemed exports" are a vast black hole of danger for any modern company that has security operations spread across the world.
5. You're still allowed to do vulnerability research with an international team if you plan on giving it to an AV company or vendor or make it public, but "I planned on doing something" is a VERY weird position to take when the BIS comes knocking. There's no way to prove it, for example.

Honestly, there's still a lot of cloudy "maybes" in this area. You should be worried about a Commerce Department that has taken Full-Disclosure as a religion without being in the community and dealing with the heat...