Panel: How the Wassenaar Arrangement's Export Control of "Intrusion Software" Affects the Security Industry

Presented at Black Hat USA 2015, Aug. 6, 2015, 11 a.m. (50 minutes)

In 2013, the group of countries that make up the Wassenaar Arrangement added "intrusion software" to the list of dual-use controlled items. This rule has been implemented and enforced in different ways among participating countries since last year. The United States Government is currently working on how it will implement these rules. Much like the crypto wars of the 1990s, the ruling in its current form threatens to make some legitimate security work more difficult. This has the potential to raise the cost for defenders and lower the cost for attackers. Join us for a panel that brings together different members of our community to discuss their perspectives on these export regulations. The panel will include those involved in security research, bug bounty programs, and privacy.

Presenters:

  • Adriel Desautels - Netragard, Inc.
    Adriel T. Desautels is Managing Partner and CEO at Netragard, Inc. Netragard specializes in the delivery of realistic threat, protective penetration testing services. Netragard is one of the few BBB-accredited Penetration Testing firms, which is a testament to its confidence in service quality. If Netragard fails to breach a customer network when using its unrestricted penetration testing methodology, then the engagement is delivered free of charge. Adriel is the architect behind most of Netragard's services. Netragard has at its disposal an unparalleled team of exploit developers, penetration testers and technical writers. This team is capable of delivering services that range from vulnerability research and exploit development to advanced penetration testing services. Netragard's clients include but are not limited to major casinos, financial institutions, pharmaceutical corporations, healthcare providers and wholesale distributors. Adriel is well known for his efforts towards building an ethical, legitimate and legal 0-day exploit market. Adriel ran Netragard's 0-day Exploit Acquisition Program (EAP) from 1999 up until the summer of 2015. The Exploit Acquisition Program differentiated itself from other programs by welcoming software vendors to participate as exclusive buyers of their own vulnerabilities. The program was suspended in July of 2015 but may be revived pending a review of its buyer vetting process and government regulations. Adriel continues to define new quality standards for Penetration Testing. He hopes that Netragard's customers will adopt these standards as their own and in doing so will require other Penetration Testing firms to meet the same level of service quality. Adriel is available for speaking engagements upon request.
  • Dino Dai Zovi - Square
  • Katie Moussouris - HackerOne
    Katie Moussouris is the Chief Policy Officer for HackerOne, a platform provider for coordinated vulnerability response & structured bounty programs. She is a noted authority on vuln disclosure & advises lawmakers, customers, & researchers to legitimize & promote security research & help make the internet safer for everyone. Katie's earlier Microsoft work encompassed industry-leading initiatives such as Microsoft's bounty programs & Microsoft Vulnerability Research. She is also a subject matter expert for the US National Body of the International Standards Organization (ISO) in vuln disclosure (29147), vuln handling processes (30111), and secure development (27034). Katie is a visiting scholar with MIT Sloan School, doing research on the vulnerability economy and exploit market. She is a New America Foundation Fellow. Katie is an ex-hacker, ex-Linux developer, and persistent disruptor. Follow her and HackerOne on Twitter: http://twitter.com/k8em0 and http://twitter.com/hacker0x01
  • Nate Cardozo - EFF
    Nate Cardozo (@ncardozo) is a Staff Attorney with the Electronic Frontier Foundation. He focuses on the intersection of technology, privacy, and free expression. He has defended the rights of anonymous bloggers, sued the United States government for access to improperly classified documents, and lobbied Congress for sensible reform of American surveillance laws. In addition, he works on EFF's Coders' Rights Project, counseling hackers, academics, and security professionals at all stages of their research. Nate also manages EFF's Who Has Your Back? report, which evaluates service providers' protection of user data. Nate has projects involving automotive privacy, speech in schools, government transparency, hardware hacking rights, anonymous speech, public records litigation, and resisting the expansion of the surveillance state. Nate has a B.A. in Anthropology and Politics from the University of California, Santa Cruz and a J.D. from the University of California, Hastings where he has taught legal writing and moot court.
  • Collin Anderson
  • Kim Zetter - Wired
