Dailydave mailing list archives
Re: More Wassenaar, Sorry
From: Charisse Castagnoli <charisse () charissec com>
Date: Mon, 28 Dec 2015 11:26:38 -0600
Dave - I'm still very unclear on the difference between what the 2013 agreement states (export controls on intrusion software and IP surveillance systems) and how this control is going to be effectively implemented via enforcement mechanisms.

In the US, I thought BIS (through updates to EAR) was designated to "enforce" the agreement (not just cyber but other devices as well). Even though EAR is statutory, I think BIS has the administrative authority to make changes, just like NIST can put out new 800 docs without legislative approval.

So - the last I thought I heard in the Nov 2, 2015 briefing was that BIS was not going to implement any EAR changes specifically for the cyber aspects of the 2013 Wassenaar agreement. Therefore no restrictions on export from the US, right?

That said, other countries can certainly implement restrictions or cause the resellers of US exported products subject to Wassenaar to suffer legal consequences. Is that what you are referring to? And does anyone know of promulgation of legal restrictions in the other 40 nations? Or are you referring to specific language in Wassenaar itself, and making an interpretation?

Like ITAR, EAR violations are one of the few that carry individual criminal penalties, so it's not an issue to be taken lightly.

Thanks for staying on top of this.

charisse

Disclaimer: the above is just my personal opinion, not legal advice.

On Dec 28, 2015, at 8:44 AM, Dave Aitel <dave () immunityinc com> wrote:

I feel like every time anyone mentions Wassenaar they should have to apologize, like when you're discussing the Star Wars prequels or spawn camping in an online game.

Anyways, let me drop some bad news: Although everyone says Metasploit (the free version) would not be affected by the proposed wording of the Agreement - that's only true for the finished product. Of course, as you are building Metasploit core or modules, you are basically forking Metasploit to your own private version.

The Commerce department FAQs went on and on about your "intent" to make something public being part of their consideration as to something that needs or does not need an export license. But let's just say this is EXTREMELY FLIMSY LEGAL PROTECTION. If you work on a module with someone international, and you decide for whatever reason not to make it public and open source, you are most likely criminally liable.

Not only is the agreement bad news because it doesn't deal with what Software is, but it is bad news because it does not deal with how it is built in this day and age.

reasons[In short, export control is a horrible place for any kind of regulation around this kind of thing to live]+=1 ;)

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
Current thread:
- More Wassenaar, Sorry Dave Aitel (Dec 28)
- Re: More Wassenaar, Sorry Charisse Castagnoli (Dec 28)