[Dailydave] Why you should fear the new regulations more than you think.

Dave Aitel dave.aitel at gmail.com
Thu Jun 18 10:26:47 EDT 2015


There were a few very telling moments in the BIS phone call yesterday about
the new proposed "Cyber" regulations.

One thing was that they are explicitly carving out a few things:
1. Metasploit and other free tools.
2. Exploits that pop a calc.
3. Vulnerability scanners that don't offer shells
4. Fuzzers and web scanners
5. Papers and stuff for academics that are eventually going to be made
public

A lot of their responses to questions (which they found highly amusing and
giggly!) were repetitions on "why don't people understand our highly vague
and convoluted regulation wording!?!" And, fair enough, many of the
questions were very similar.

Some major strategic problems are still there, which you should be worried
about:

1. Penetration testing tools are considered harmful. Despite being such a
central part of operations that they are REQUIRED by PCI and many
government regulations already, the current proposed regulations
specifically explicitly "default deny" all penetration testing tools on the
market right now.

It is telling that the US COMMERCE DEPARTMENT is pro "free things" but if
you charge money for that very same thing, it is banned like plutonium.
This is a rather extreme position, and not one validated by a common sense
reading of the last decade of security operations.

2. Bug bounties where the information is kept secret are not allowed.

3. The regulatory agency draws a line between "supports exploits" and
"supports 0day exploits" that does not have any technical value. There's no
way to support exploitation and NOT 0day exploitation. They seem reluctant
to discern or define what an 0day is as opposed to just an exploit, and the
penalty is "default deny". Same with "rootkit". All current penetration
testing frameworks "support 0day" under any definition of course, since
they are so modular.

4. "deemed exports" are a vast black hole of danger for any modern company
that has security operations spread across the world.

5. You're still allowed to do vulnerability research with an international
team if you plan on giving it to an AV company or Vendor or make it public,
but "I planned on doing something" is a VERY weird position to take when
the BIS comes knocking. There's no way to prove it, for example. Honestly,
there's still a lot of cloudy "maybes" in this area. You should be worried
about a Commerce Department that has taken Full-Disclosure as a religion
without being in the community and dealing with the heat...