<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">Dave -<div><br></div><div>I'm still very unclear on the difference between what the 2013 agreement states (export controls on intrusion software and IP surveillance systems) and how this control is going to be effectively implemented via a enforcement mechanisms. </div><div><br></div><div>In the US, I thought BIS (through updates to EAR) was designated to "enforce" the agreement (not just cyber but other devices as well)</div><div>Even though EAR is statutory, I think BIS has the administrative authority to make changes, just like NIST can put out new 800 docs without legislative approval.</div><div><br></div><div>So - the last I thought I heard in the Nov 2, 2015 briefing was that BIS was not going to implement any EAR changes specifically for the <i>cyber </i> aspects of the 2013 Wassenaar agreement.</div><div>therefore no restrictions on export from the US right?</div><div><br></div><div>That said, other countries can certainly implement restrictions or cause the resellers of US exported products subject Wassernaar to suffer legal consequences.</div><div>Is that what you are referring to? And does anyone know of promulgation of legal restrictions in the other 40 nations? </div><div><br></div><div>Or are you referring to specific language in Wassernaar itself, and making an interpretation.</div><div><br></div><div>Like ITAR, EAR violations are one of the few that carry individual criminal penalties so its not an issue to be taken lightly.</div><div><br></div><div>thanks for staying on top of this.</div><div><br></div><div>charisse</div><div>Disclaimer: the above is just my personal opinion, not legal advice.</div><div><br><div><div>On Dec 28, 2015, at 8:44 AM, Dave Aitel <<a href="mailto:dave@immunityinc.com">dave@immunityinc.com</a>> wrote:</div><br class="Apple-interchange-newline"><div>I feel like every time anyone mentions Wassenaar they should have to<br>apologize, like when you're discussing the Star Wars prequels or spawn<br>camping in an online game.<br><br>Anyways, let me drop some bad news: Although everyone says Metasploit<br>(the free version) would not be effected by the proposed wording of the<br>Agreement - that's only true for the finished product. Of course, as you<br>are building Metasploit core or modules, you are basically forking<br>Metasploit to your own private version. The Commerce department FAQs<br>went on an on about your "intent" to make something public being part of<br>their consideration as to something that needs or does not need an<br>export license.<br><br>But let's just say this is EXTREMELY FLIMSY LEGAL PROTECTION. If you<br>work on a module with someone international, and you decide for whatever<br>reason not to make it public and open source, you are most likely<br>criminally liable. Not only is the agreement bad news because it doesn't<br>deal with what Software is, but it is bad news because it does not deal<br>with how it is built in this day and age.<br><br>reasons[In short, export control is a horrible place for any kind of<br>regulation around this kind of thing to live]+=1 ;)<br><br>-dave<br><br>_______________________________________________<br>Dailydave mailing list<br><a href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a><br>https://lists.immunityinc.com/mailman/listinfo/dailydave<br></div></div><br></div></body></html>