Wired magazine has this wonderful article discussing how the federal government is causing an uproar in the software security community over new rules to stop the finding & distributing of tools & found hacks.
The Wassenaar Arrangement, also known as Export Controls for Conventional Arms and Dual-Use Goods and Technologies, is 100% backwards in terms of stopping the bad guys from using the newest found security leak, also called a zero-day exploit.
Jump below the famous squiggles for one person's thoughts about this important subject.
I am quite sure this round of changes is due to the government recently experiencing a major intrusion. To which I ask: does any security analyst really believe these new rules would have stopped this? I do not think so.
All the Wassenaar rules will supposedly do is slow down getting the newest version of the gun. What is needed are rules to speed up the issuance of the newest bulletproof vest.
So what if the enemy has the means to find or use a zero day? Just as a country will always have machine guns and fighter jets, unfriendlies will always have nefarious software. What has made the United States number one in military strength is not the newest ways to attack. It has been having the newest way to counterattack or defend already in the field.
Software is not the same as hardware. Not even close. One should not, cannot, use the same strategy to prevent distribution to unfriendly places. Hardware is big, it's bulky, it's hard to transport, it's expensive, it's easy to keep track of. Software in comparison is the exact opposite in every one of these respects. Software is able to effortlessly move across any physical barrier. How can you stop something with no physical attributes? Software is the same as an idea, a thought; ask China how well they think they are controlling those.
Wired magazine's article about how Flash must die again marvelously illustrates the real problems of getting fixes out there fast enough: getting the people who need the fixes to apply them, and getting the zero-day hack to the vendor so they can find a fix before it is used in anger.
This private selling and distributing of zero days to anyone other than the vendor is what should be outlawed. Laws need to ensure the vendor is first in line to be notified so they can do their jobs. Simply giving vendors this monopoly is not enough to remove the underground market for hacks. A system is needed to require just compensation to those who find the exploits, thus preserving the incentive for ethical hackers to find and report.
The government's role should be to make sure vendors are getting and fixing the exploits as fast as possible. To this end they should be making laws that facilitate this. The government should ensure vendors are able to apply fixes to "everyone" even if the end-user does not want the fix.
Technical security people who do not do their jobs need to be held responsible. Not applying fixes to last year's exploits on the latest project or worse yet on old forgotten systems still in use is a far larger problem.
What is criminal is all the times we have seen security missing patches for months-old exploits. There are cases where even the most basic security was turned off. These incidents need to be prosecuted.
But we all know this won't happen because the black hats also happen to be the white hats. Security leak finders know they can sell a zero day to a three-letter agency or an enemy nation and then retire. Neither party wants to cut off the value they receive, leaving the vendor clueless and the country vulnerable.