[Dailydave] More Wassenaar, Sorry

Charisse Castagnoli charisse at charissec.com
Mon Dec 28 12:26:38 EST 2015

Dave -

I'm still very unclear on the difference between what the 2013 agreement states (export controls on intrusion software and IP surveillance systems) and how this control is going to be effectively implemented via enforcement mechanisms.

In the US, I thought BIS (through updates to EAR) was designated to "enforce" the agreement (not just cyber but other devices as well).
Even though EAR is statutory, I think BIS has the administrative authority to make changes, just like NIST can put out new 800 docs without legislative approval.

So - the last I thought I heard in the Nov 2, 2015 briefing was that BIS was not going to implement any EAR changes specifically for the cyber aspects of the 2013 Wassenaar agreement.
Therefore no restrictions on export from the US, right?

That said, other countries can certainly implement restrictions or cause the resellers of US exported products subject to Wassenaar to suffer legal consequences.
Is that what you are referring to?  And does anyone know of promulgation of legal restrictions in the other 40 nations? 

Or are you referring to specific language in Wassenaar itself, and making an interpretation?

Like ITAR, EAR violations are one of the few that carry individual criminal penalties, so it's not an issue to be taken lightly.

Thanks for staying on top of this.

Disclaimer:  the above is just my personal opinion, not legal advice.

On Dec 28, 2015, at 8:44 AM, Dave Aitel <dave at immunityinc.com> wrote:

I feel like every time anyone mentions Wassenaar they should have to
apologize, like when you're discussing the Star Wars prequels or spawn
camping in an online game.

Anyways, let me drop some bad news: Although everyone says Metasploit
(the free version) would not be affected by the proposed wording of the
Agreement - that's only true for the finished product. Of course, as you
are building Metasploit core or modules, you are basically forking
Metasploit to your own private version. The Commerce department FAQs
went on and on about your "intent" to make something public being part of
their consideration as to something that needs or does not need an
export license.

But let's just say this is EXTREMELY FLIMSY LEGAL PROTECTION. If you
work on a module with someone international, and you decide for whatever
reason not to make it public and open source, you are most likely
criminally liable. Not only is the agreement bad news because it doesn't
deal with what Software is, but it is bad news because it does not deal
with how it is built in this day and age.

reasons[In short, export control is a horrible place for any kind of
regulation around this kind of thing to live]+=1  ;)

