All right everybody. Good morning. Thank you for getting up and getting down here in time for our talk. I barely made it myself. I understand the struggle involved. My name is Tom Cross and this is Collin Anderson. We're going to talk about the new export controls for intrusion software. I was going to start with a quick background for me and Collin. I used to work for systems where I did a lot of export control work. I helped the company understand what it was that we were making and how the export control rules applied to the things that we made. (audio blipped) and the government about that. Vulnerability research work. I know a lot about vulnerability disclosure and can see some consequences that regulations have for researchers.
>> I'm Collin Anderson, a network researcher based in Washington, D.C. I did a lot of work based on the structures of network control, patterns of network performance as they're applied to issues such as internet censorship. Being in DC, which is a scarce place for people with technology backgrounds, (audio blipped) as a result for the past five years I looked at issues that are rolled into the umbrella of internet freedom, including circumvention tools and anonymity online and export controls -- on the low surveillance and censorship.
>> I knew that this stuff was coming down the pike months ago when the DEFCON call for papers opened. It was something that concerned me. I knew that the U.S. government was going to implement it at some point. I didn't know when. I felt like it was something that the community needed to understand better and I had a conversation with Collin about it. He was one of the few people writing about this before the United States decided to publish it. He wrote a paper on the controls and what they were and were not intended to do (audio blipped) we decided to propose a talk. We felt these issues were relevant to the community and the community needs to understand them.
And subsequently the United States published a paper in May and opened up a public comment period. Everybody in the InfoSec industry got involved in this topic and comments were filed. And the window to file comments closed just before DEFCON. So a lot has happened. Collin may be one of the few people on the planet who has read every single comment (audio blipped) filed. There is going to be a second round of this. A revised regulation. Another opportunity for us to comment. What is important is that everybody in the community understand what is going on and be engaged and provide constructive input to BIS so they don't screw this up. And they're going to ask for our input again. You know, the question that we have is kind of a sarcastic title here. One of the things we wanted to discuss with this talk is: is this or is this not a threat to vulnerability research? The truth is we don't know. Part of the reason for that is neither of us is an attorney. And so you can't take anything seriously. The other thing is that the government doesn't know and they contradicted themselves on this topic and we'll show you where. And in fact, nobody knows. And in fact, Collin and I don't even agree about it. It's a messy topic. But there's actually been two other talks at DEFCON and Black Hat about this and we heard opinions from a lot of smart people about this topic. What is important is your opinion, so we want to use this hour to help you develop your own point of view about this instead of just hearing ours. I do want to show you a few of my favorite comments that were submitted to BIS. I didn't read them all but I went through them and I have a few that I think are hilarious. On the topic of (audio blipped) BIS and what is not constructive with BIS -- the first is this. Make that jailbreak (muffled) BIS does not care how many people file comments. And although I agree with the sentiment expressed here, it's not terribly persuasive.
It helps to have arguments along with your opinion. The second favorite comment is the one that we submitted. And he talks about his recent ordeal with law enforcement and there are comments about what is critical of BIS. And this one is supportive of everything they wanted to implement. And he said he is plotting a violent overthrow of the United States government and having trouble recruiting to his cause. He encouraged BIS to proceed so he could get more recruits. Personally I don't plan violent overthrows of the United States government, but when I do I usually keep it on the DL until it's ready to roll. The third favorite comment is from Raytheon. I currently work for a company with [indiscernible] employees and we're getting product out the door and I sat down to write constructive commentary on this. Raytheon is a 60,000-employee federal government contractor with full-time attorneys that work for them. They filed a single page that explained they wanted an extension on the time to comment because their dudes are on summer vacation. This is a new life goal for me. I hope to become so powerful that I can tell the Department of Commerce to hold off on a regulatory issue because I'm on vacation. These comments are not particularly helpful but hopefully by the end of the talk we can show you comments that are helpful. We want to talk about the basics. What is the problem and why is this happening? And I'm going to turn it over to Collin.
>> Part of the reason, I'm sure that several of you have attended all three now of the presentations, and the idea is to give a common core. We need to be able to speak to what the issues are and what the language has been. There are a lot of complexities to this issue and I think no one has talked about the full lead-up to it. What people are trying to control and what the language says. There are a lot of assumptions and hyperbole, some true, some not. All driven by the complexities of this regulation.
We should take a step back. The source of this is (audio blipped) surveillance is becoming a multibillion-dollar industry provided to foreign governments, used against questionable targets on a continual basis. There's no greater example of this than the Hacking Team incident. You have a company that was based in Italy selling both to the FBI and to spotty governments around the world without any precondition on those sales. Anywhere from Bahrain, that arrests dissidents, to Ethiopia to Sudan, which is under an arms control. While the -- team made an assertion they had a human rights due diligence problem. The recommendation committee was the CEO of FinFisher himself. Not an independent arbiter of a legitimate transaction. At Hacking Team, there was an Italian attorney who was effectively writing out these issues; by and large these recommendations were ignored. I want to focus on one thing, which is what happened in Hacking Team especially was the Hacking Team's products were being used to compromise not only legitimate targets, not only counter (audio blipped) but democratic activists, not only domestic but also internationally. There is nothing that is going to invite regulation from governments more than having their own -- being targeted by these items. This becomes a product of this sort of drag of unregulated space being used in creating increasingly visible breaches of privacy around the world. So much so that this became a point in even congressional testimony from intelligence officials on the sort of threats that intelligence officials are seeing online.
>> I mean I think this is an issue that lots of people in this community care about. We don't like to see surveillance technologies used by oppressive regimes. (audio blipped) on different levels. I think that most of us agree to -- the question is what is the best way to combat it.
And also are there ways to create -- for control to combat it that also don't have negative consequences for other important things that we want to do. You know, often creating a new regulation creates more problems than it solves, which people in this community are very familiar with. What we -- so we want to provide some background here. What is the Wassenaar Arrangement? The Wassenaar Arrangement is the agreement regarding the export of dual-use items. So let me explain what a dual-use item is. We have agreements about the export of military goods, guns, tanks, airplanes, stuff like that. There pretty much is only one use for an aircraft carrier in the military; you can throw a party on it but people are not buying it for consumer usage. There are a lot of things that have legitimate consumer use that could be applied to a military application but are not necessarily being sold for that purpose. That's a dual-use item. Cryptography can be considered one. It can be used to protect espionage. (audio blipped) whole bunch of countries including Russia. They all agree they're not going to allow certain commodities to be exported outside of their country except in certain circumstances. There are two tiers here. The Wassenaar agreement agreed (audio blipped) 2013. Compelled to implement this agreement. The United States is compelled to implement an agreement. And BIS, as part of the Department of Commerce, is attempting to implement this in the United States. There is a discussion that is happening where BIS published and asked for comments and is having discussions. But there is a discussion going back and saying let's change what Wassenaar did. It's difficult for Wassenaar to change and it's an important dynamic in this discussion that people need to be cognizant of.
>> To that effect, one of the things that's important to start the talk about is actually, because there are layers, effectively what happens is Wassenaar gives a particular set of language and it's up to the member states to dictate the licensing policies and in some ways the interpretations. They can license these things liberally or decontrol, as in not require a license for a certain set of uses, but that's up to the member states. What we're going to talk about across a lot of this -- it's important to reflect back on, if you were here yesterday or the previous days or if you read into this: there is a difference between the Wassenaar language as written and BIS's proposed control. We have to dissect the two. You look at rootkit and zero day. A lot of people have focused on the undefined use of these terms but those aren't originally in the Wassenaar language. We're going to say this is the Wassenaar language, this is what BIS added onto it, and this is where the room for negotiation is for having it increased or decreased, presumably decreased, or having, requiring or requesting specific definitions to be added to what these mean. Like when it comes up, there's a nebulous term, carrier-grade class. What is that? If you are interested in that, recommend to BIS this is what carrier-grade class is. Clarifications such as that.
>> This is a picture of me at DEFCON 4, wearing a T-shirt that has RSA implemented, which at the time was on the U.S. Munitions List and you couldn't export outside the United States. It was considered an arm. So today, arms, the export of arms is controlled by ITAR and they are operated by the Department of State. If you want to export something which is considered an ITAR commodity you have to work with the Department of State to do that. Dual-use items are not controlled by the Department of State. They're controlled by the Department of Commerce. Commerce is more friendly to business than the Department of State.
And business is controlled by the Department of Commerce. I wanted to clarify that distinction because we talk a lot about ITAR in this community and you need to understand the difference between dual use under the Department of Commerce and under the Department of State. Another thing that a lot of people think in this community is there are no export controls on cryptography. I guess it's a matter of opinion. We won a lot in the crypto war but there are still export -- on it. People do get prosecuted for doing export controls on cryptography. This is in 2015, paid $750,000 for unauthorized encryption export. It used to be in the 90s if you wanted to export cryptography the answer was usually no. Today you still have to ask the government but the answer is usually yes. That's a huge distinction in terms of what we're able to do but the bureaucratic load in having to talk to the government is still there. It doesn't really have a big impact on our community, though, because as a consequence of a lawsuit that the EFF filed, the (inaudible) versus DOJ, they mentioned that source code is speech and when you publish source code you engage in the First Amendment. (audio blipped) which allows you, when you put source code on the internet, it can be exported without a license. You are supposed to notify BIS that you did it. Send them an email to the place where you put it online. Other than that, you're good to go.
>> You email the NSA. To go back to that point, actually when we hear people like Matt talk and cryptographers talk, they are still controlled but they fall under a set of license exemptions. License exemption is dense and complicated and no one understands it. (audio blipped) that was initially talked about -- the crypto rules are not generally enforced. The case with a 750,000-dollar fine was a subsidiary exporting to the People's Liberation Army of China. When used they're used in specific cases very, very infrequently.
Those of you who, for example, work on network, any sort of network communications tool that employs cryptography, if you are linking -- you fall under the export control regulations. You're generally not aware of this because you fall under license TSU, the general software note for other people that have been into this (audio blipped) dense category of control. So the point I'm saying, talking about this, is when we talk about regulation, I think we think that regulation automatically leads to the kicking down of doors. But in fact on a daily basis there is a regulatory landscape that you interact with that you might not necessarily be aware of.
>> A lot of the questions that I heard talking to people at DEFCON have to do with what is the point of having an export control on software because you can just download it? Why is there an export control on cryptography when you can download PGP? I want to address that. I think there are two ways in which these things function. The first is that when you're working in a company, there's a lot of pressure to do deals. So you get somebody that comes in and wants to buy your product. And the sales guy is incentivized to do the deal. And the management team is financially incentivized to do the deal and you stand up and say, guys, I don't think we should do this deal because the customer is threatening the security of the United States. The answer is going to be shut up, hippie, we have a business to run here. Export rules work well when people want to comply with them. You don't want to do business with that guy and you say my hands are tied. I can't sell you the software. Sorry. You can tell the sales guy and the management team, I'm sorry, we can't do this business. It puts businesses in a place where they're not required to make moral decisions with respect to who they're doing business with.
>> You also don't necessarily want a lot of people to make these ...
>> There is a tremendous amount of pressure to do the deal.
So back in the late 80s, India tested a nuclear bomb. As a consequence of that the United States took a bunch of Indian government agencies and put them on a denied party list. A list of people you're not allowed to export to. Decades later, these guys wanted to buy an IPS that I worked on. And they wanted to (audio blipped) IPS. Trying to stop malware in their network. It had encryption in it. It was a controlled commodity and we couldn't sell it to them because they were on the denied party list. We tried over and over and couldn't do it. The sales guys were round up, sorry, we can't do the deal. In 2007, the Bush administration reached an agreement with the Indian government to provide assistance on the war on terror to remove some of them from the do-not-sell list. These guys called us the very next day to buy the software. Basically I'm sure our IPS wasn't the key to negotiating with the Indian government but it was on the list somewhere. These export [indiscernible] mechanism that the government uses to negotiate things with other governments. It's a stick in the various different kinds of diplomatic things that the government can do to put pressure on other governments. Those are the kinds of things that can happen that really, you know, sure, this Indian government agency could have downloaded Snort or something, but people buy products for a reason. And that was enough to give the United States some leverage. We're going a little slow here. We want to talk about the new rules and provide you some background (audio blipped) explain what is being proposed here. We're going to start with the IP network surveillance controls. The intrusion software controls.
>> To fly through it because we don't have much time. If you heard yesterday, there are two controls that were -- implementation by BIS. They come from two sources. The first is IP network surveillance systems. The origin of this originates from the French delegation to Wassenaar.
And the reason is post-Gaddafi Libya, a number of documents were uncovered showing their local business, Amesys, was providing sophisticated monitoring systems to the government to surveil the entire infrastructure, which isn't hard when it's Libya. They pushed a particular rule for monitoring centers, or rather correlation based off DPI. This is a narrow rule. You have a lot of lines here and they're joined with ands. This is important. Part of the reason they talk about this is in the first conversations a lot of people didn't read the rules. And they took these things like IP network surveillance systems, these labels, and assumed it meant DPI more broadly. It's not. It's performing all of the following on a carrier-class IP network, i.e. a national-grade IP backbone, and analysis of the application layers, so layer 7 on (audio blipped) and selected metadata and application content and indexing of that extracted data and being specifically designed to carry out all of the following: execution of searches based off of hard selectors, personally identifiable information like email addresses, and mapping out the relational networks, the social network mapping of individuals or groups of people. This is a very specialized piece of technology and across -- if you look at WikiLeaks, only a few products fall under this framework and they're very specialized. I wanted to sort of direct one thing: Wassenaar has this idea of mass market. And what mass market says is actually essentially not only if you're open source but if you're generally available for the public, we're not going to control you. And so this is something that comes into play because effectively the stuff that is off the shelf, unless it's encryption, isn't controlled by the Wassenaar Arrangement. This uses crypto so we're going to control it. That is a lot of the pushback and it's an important point.
Suffice it to say the IP network surveillance system is very narrow and probably only ones into some, I think, probably speculative network intrusion detection systems. So intrusion software, however, is the largest point of controversy and rightfully so. The Wassenaar Arrangement puts together this definition of intrusion software. It says software specially designed or modified to avoid detection by monitoring tools or defeat protective countermeasures of a computer, network-capable device, or devices and performing all of the following: the extraction of data or information from a computer or network-capable device, or the modification of user data. That is one possible route. Or the modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions. They provide definitions on monitoring tools and protective countermeasures. I think people have a good understanding of what those mean, but at least you have things like DEP and ASLR showing up on export controls.
>> The question is, is intrusion --
>> Right. Sorry. Here is the important point about intrusion software. Intrusion software itself is not controlled. That's the next slide.
>> There are no controls on intrusion software. (audio blipped) there are no export controls on them. And this is why this gets confusing. What is controlled? One of the reasons this is super confusing is they didn't come up with a name for the thing that is controlled. I don't know if you -- you want to do this slide?
>> Intrusion software is this definition they use throughout the rest of the document. Intrusion software itself is not controlled but they control the periphery of technologies. The reason they did this was smart. They said the biggest problem is if we can control -- this came out, by the way, of the UK delegation to Wassenaar and the reason is they -- FinFisher had a presence in the country, enough so they had to start to control FinFisher.
If we control intrusion software that means anyone hit by anything controlled, a target of intrusion software, would be engaged in an export control violation if they took their infected malware outside of the country. Especially for things like Hacking Team, when you start to look at the catalog, there is a broader periphery of technologies used to support this. FinFisher agents or RCS is not necessarily a substantial thing. It's not (audio blipped) the Hacking Team's equipment valuable. We're going to control the technologies around it. The things that interact with it. The RCS console. The proxy. The thin (inaudible) proxy. The middle box that is doing infection by tainting binaries. We're going to control the hardware and software that creates the ecosystem around the technology -- of the Trojan itself. Here is where it's more confusing. They start to do technology for the development of intrusion software. When you run into controversy this is probably the largest issue. Technology in terms of Wassenaar is a specialized thing. It's basically information. It's basically technical data. It's technical assistance, it's blueprints, the structure that is necessary for the creation of that thing. I mean, anyone who did a computer science 101, how easy it is to control intrusion software. This is one of the points of ambiguity that we run into. Technology is defined, develop is defined, intrusion software is defined, but what all these things together mean is one of the largest things that you'll see across the FAQs and across the conversations and across the debate. Difficulties from all the parties involved really starting to be able to scope this out in a limited way that doesn't necessarily create a burden for researchers like a lot of the people in the room.
>> What are the potential implications of all this? I'm going to run fast because we're getting low on time. But the big question that everyone asks is what about full disclosure and open source?
It's interesting because a lot of us work in the encryption world and we're used to license exception being the mechanism through which open source software is not controlled for export. They specifically said that TSU does not apply to intrusion software. So that created a lot of confusion initially because people thought that means I can't put this stuff out on the web. There is this separate part of the regulations, CFR 734.3, which creates an exception for things that are publicly disclosed. This exception does not apply to encryption software. Those who work with encryption software are not necessarily familiar, but it applies to intrusion software. It creates exemptions. Fundamental research, which is narrowly defined, and things that are presented in a classroom environment and academic institution. So (audio blipped) exceptions that allow you to do things and it's important that it doesn't matter whether or not your source code is open. You can publish object code on the internet without publishing the source code and be free of control, whereas for the encryption content you have to publish the source code. Any slide on this can benefit with a few pictures of Eric. On the one hand, with encryption there is license exception and if you want it to apply you have to email the source code and tell them where it is. On the intrusion software there is 15 CFR 734, it does not have (audio blipped) does not have to be notified. A different system. If you're here and you're talking about stuff and releasing stuff you don't have to worry about export control. The public sphere is removed from the picture and it's private transactions that end up getting controlled. What about vulnerability research? Is it covered? When you expose a vulnerability to a vendor, is that covered? That is unclear and BIS has contradicted themselves on this topic.
In the Federal Register when they publish this, they say technology for the development of intrusion software includes proprietary research on the vulnerabilities and exploitation of computers. Yes, vulnerability research is controlled. Then BIS, after getting feedback about this, published an FAQ on the website and one of the answers said the proposed rule said the information would not control vulnerability research. They said in their FAQ, neither the disclosure nor the disclosure of the exploit code would be controlled. However, this is the caveat. I think that BIS has been operating under the assumption that when you disclose a vulnerability to the vendor, then all the information that you give the vendor becomes public. This public -- the exception for things that are published applies here and so we don't have to worry about vulnerability disclosure. As you know, that is not entirely true. When you disclose a vulnerability to a vendor there is technical information that they don't disclose to the public. They put out an advisory. Where to get the patch and credit you (audio blipped) explains how you got -- and those kinds of things, because they're not published, may be technology for the development of intrusion software, which is the issue here. And so potentially coordinated vulnerability disclosure could be controlled by this unless they carve out clear exceptions for it. This can impact bug [indiscernible]. Not only coordinating this information across a border but you're getting paid for it and not talking to the vendor directly. That's important to point out because if they do craft an exception it needs to include bug bounty programs.
>> This is struggling to interpret the Wassenaar language. This is where a large number of people have the ability to start to clarify what the intended scope of these should be.
How you get to the effective point where Hacking Team and others might incur controls, if you're interested in that, while not necessarily creating an undue burden on the types of people in the room. This is the translation process that is necessary for the participation of those of you around.
>> Quickly, one of the things they controlled is ways to reliably and predictably defeat protective countermeasures. There are vulnerability disclosure programs that specifically have to do with mitigation bypasses. Sharing exploit tool samples is potentially controlled. They said exploit toolkits would be covered under the proposed rule and no license exception. Those that work in the InfoSec industry that find these things and pass them around on private mailing lists, potentially that activity could be controlled, at least under the initial pass at interpreting this. Training classes? Technology for the development of intrusion software includes sitting down and talking to somebody about it. There are exceptions for classes in an academic environment. There is no exception for private training classes. So we see at Black Hat they have expensive training classes that aren't available to the public. They could potentially become controlled and Black Hat would have to ask what country you're from before allowing you in the class. Traveling outside of the United States -- (audio blipped) if it's on your laptop and you're traveling outside of the United States, you don't have to worry about import control. They didn't apply this to intrusion software (audio blipped) and traveled outside the United States, potentially you might have illegally exported the software. If you have foreign coworkers in your office, telling them about exploiting a vulnerability or giving them access to tools may potentially violate the rules because they're foreign nationals and it's considered export.
>> That is also an idiosyncrasy of the U.S., this notion of -- [indiscernible] only exists in the U.S.
And that's one of the things that I think people have run into that they didn't necessarily understand.
>> Debuggers and exploit generators is a question brought up. If it's specially designed for intrusion software it may be controlled. Some are. Jailbreaking software can be subject to export control. And there's this other point. They said they would have -- presumptive denial [indiscernible] that's way more aggressive than the Wassenaar text itself. That is something that the United States government is potentially interpreting. I'm trying to blow through the rest of the slides. I think it's important that we highlight a few comments that were submitted that were really good.
>> We've run out of time. That is because in 45 minutes we couldn't get through the entire scope of the rule. It's complex. There are a lot of resources that are available and -- going to incidentally run into. A lot of these things are easily fixable as long as the right people say the right things. The last call closed on the 20th and 260 comments were filed. The vast majority were constructive involvements from people within the community. For example, Dino from Square submitted an issue, in a personal capacity, with deemed exports. We work in an environment in which we have to exchange this information; it's critical. We are not facilitating the intrusion of users, we're trying to protect our service. We need access to deemed exports. We need to be able to provide it to foreign nationals within our office.
>> This comment is good. He is explaining why it's good and why it's legitimate and why the regulation might prevent him from doing it. That level of specificity is influential to BIS. They need to understand. (audio blipped).
>> In another case we have the New York Electrical Power Association. At some point they realized, wow, we have pentesting tools and foreign nationals and we have international companies that need to be able to export within other branches. This is a great example.
We need to know about bulk export licenses. We need to know about whether it's possible for you to exempt certain countries that are not necessarily going to engage in malicious hacking of dissidents or intelligence targets. We need to know about how we can better interact with foreign offices and facilitate legitimate research within our company. And they laid out points that spoke to their interest and the interest of BIS and basically the federal government to protect the power grid. I thought one of my favorites was Cobalt Strike's. He wrote through paragraph by paragraph by saying we need to be able to do this. We are a legitimate business and this is how we interact with the economy. They went through paragraphs of recommendations and articulated the argument to address the specific claims. They had specific things they were interested in fixing that they needed to be protected. They don't have to necessarily endorse the rules. You don't need to endorse the rules. You can think the export controls are the bane of their existence and futile, I will disagree with you, but the likelihood, you have to behave politically and say, irrespective, we wrote these rules and we disagree with them on this basis and this is how we want to protect our assets and our legitimate -- and this is what you have to do. They want information. They did not have to open up this call. Based off of the process, Rapid7 did this. Said this is our involvement with the industry. This is the point at which this came to DEFCON. They want your input. There is going to be a second proposed rule that will come out in the next few months. There are technical advisory committees, they maintained an open door and this is the opportunity for you to protect your profession. There you go.
>> I'm sorry we don't have time for questions. It's early. I really appreciate your interest this morning. And Collin and I will be hanging out if you want to come up and talk to us.