Sunday, June 14, 2015

#Wassenaar: New World Order?

"Wassenaar will make resistance via the Internet impossible!"

This is another in our series of guest posts by subject matter experts.  This post relates to a new threat to internet security and freedom of expression.

Open Letter Regarding Wassenaar to the Department of Commerce and to Legislators,
Posted on May 26, 2015

The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is a multilateral export control regime [MECR] with 41 participating states, including the USA.  Wassenaar replaced COCOM [the Coordinating Committee for Multilateral Export Controls]; it is ostensibly less strict than COCOM, focuses primarily on the transparency of national export controls, and does not grant individual members veto power over organizational decisions.

Wassenaar has come under fire from the IT community because, in its current form (the Department of Commerce proposed rule implementing the 2013 Wassenaar "intrusion software" controls), it would have “extensive harmful effects on computer security research and defensive software”, potentially imposing criminal penalties on software and security developers.  The author of the letter below, the very credible forensics researcher Jonathan Zdziarski, makes a stirring case against it.

To Whom it May Concern,

I am a published and respected forensics expert who pioneered the very first forensic techniques to extract data from the iPhone as early as 2008.  Since then, I have spent several years, and much of my time, assisting numerous law enforcement and military agencies around the world, including our own. I’ve trained government agencies in the US, Canada, and the UK, and I've trained law enforcement organizations from dozens of our allies here at home in the US.

My work has been validated by the NIJ/NIST. I have invested my time in providing free assistance to many US-based federal and state agencies who have flown personnel into my small town for help in the middle of the night.

Because of my research and hard work, I’ve provided the necessary information to the rest of the industry to be able to perform iOS forensics, and a vast majority of today’s forensics solutions are founded upon my techniques.

I did all of this on my own personal time, and in many cases on my own dime. The tools and techniques I developed are by no means “intrusion” tools; however, due to the excessively broad nature of the Wassenaar proposal, my services would fall under its regulations as they bypass security mechanisms of devices and collect information from them. As all of my research is done personally, I have no large company with lawyers to address the impossible spider web of export regulations that would be introduced by Wassenaar.

The current proposal, as is, would harm far more than simply the information security industry, but would also greatly damage the forensics industry and ultimately limit the quality of tools available to law enforcement agencies for conducting lawful forensics. My tools, as well as many commercial solutions, employ the use of exploits to collect information from devices for purposes that serve law enforcement and the greater good.

I sometimes only privately release the source code to my own tools, as many commercial forensics manufacturers have stolen it in the past, yet I continue to help the law enforcement community. Wassenaar will do little to accomplish the goals it set out to, and instead make it impossible for security researchers like myself to further expand the base of knowledge by contributing openly to the community – which goes far beyond this country’s borders.

Had Wassenaar (as it is proposed today) been in place in 2008, I would not have felt as though I could openly share my research publicly without risk of prosecution, which would have deprived the community as a whole – including the United States – of valuable information that has led to the greater good.

I understand there are certain nation states misusing intrusion tools to commit crimes. There are also many law enforcement agencies within the United States who have misused or abused my own tools and techniques to conduct questionable and potentially illegal intrusions. We cannot simply un-invent technologies to prevent their misuse, and unlike nuclear weapons, digital goods cannot be effectively regulated; yet this is the tradeoff we make, to create these tools for the greater good, knowing they may be abused.

This proposal stands to only damage those looking to contribute to a better and more secure community. Wassenaar has a deterrent component, and at the heart of security research are many independent researchers like myself who will simply stop contributing if there is a fear of prosecution simply for sharing knowledge in the form of code.

Sharing knowledge is not only a basic human right, but the only means by which we can become a civilized society. Without knowledge and education, the greater good suffers.

Security researchers share knowledge in the form of code, which serves as an illustration – a description – of a problem that exists in a system. Even many published papers will contain code as it is our language by which we can most effectively communicate an idea. In addition to code, we create binaries of it to help test our own systems for vulnerabilities and ensure the security of our user base.  Wassenaar, at its very core, attempts to regulate the ideas and knowledge we communicate through code.

History has consistently demonstrated that regulating knowledge on any level has proven detrimental to societies. 

In Wassenaar’s attempt to prevent the dissemination of intrusion software, it is, at the very core, creating too much of a fear of prosecution to any security researcher to even consider developing or sharing their research with those who would most benefit from it.

There are alternatives to dealing with malicious nation states that do not involve creating regulations and the fear of prosecution on honest, law abiding researchers whose focus should be on their work, and not on being imprisoned by their own country. 

The day that I am prevented from sharing my knowledge freely with the world is also the day I stop sharing with all; it is the day the US declares they own the rights to my knowledge and what I do with it. That kind of power is far more dangerous than any intrusion tool.