Licensed to Pwn: The Weaponization and Regulation of Security Research

Presented at DEF CON 23 (2015), Aug. 7, 2015, 11 a.m. (120 minutes)

Security research is under attack. Updates to the Wassenaar Arrangement in 2013 established among its 41 member nations an agreement to place a variety of previously undesignated "cybersecurity items" under export control. After 18 months and a half-dozen open advisory meetings, the U.S. has taken the entire security research community by surprise with its proposed rule; we are confronted by a sweeping implementation with profound consequences for academia, independent research, commercial cybersecurity, human rights, and national security. While the outcome of this round of regulatory intervention is still uncertain, the fact that there will be more is not. This panel of experts will discuss the context, history, and general process of regulation, as well the related question of "weaponized" research in regulatory discourse. There is significant daylight between the relatively lax text of the Wassenaar Arrangement itself and the extraordinarily broad implementation proposed in the U.S. What will the practical effects of those differences be, and why did the U.S. diverge from the Wassenaar text? Regulators are, even now, still struggling to comprehend what the consequences of this new "cyber rule" might be. So, how are we to understand this regulatory process? What are its objectives? Its impacts? Its limits? How can we influence its outcomes? Eleventh-hour interventions are quickly becoming a hallmark of regulatory activities with implications for the wider world of information security; the fight here is almost exclusively a rearguard action. Without resorting to the usual polemics, what failures of analysis and advice are contributing to these missteps - on both sides? What interests might encourage them? How are security researchers being caught so off-balance? Come victory or despair in the present case, this panel aims to answer the question of whether there is a solution that prevents technology transfer to hostile nations while still enabling free markets, freedom of expression, and freedom of research.


  • Catherine "Randy" Wheeler
    Catherine “Randy” Wheeler has served as the Director of the Information Technology Controls Division in the Bureau of Industry and Security’s (BIS) Office of National Security and Technology Transfer Controls since June 2006. From July 2011 - July 2012, Ms. Wheeler was detailed to serve as the Acting Chair of the Operating Committee in the Office of the Assistant Secretary for Export Administration, the interagency body that resolves disagreements among reviewing agencies on export license applications. From 1995 through May 2006, Ms. Wheeler was an attorney with the Office of the Chief Counsel for Industry and Security, and served as Senior Counsel for Regulation from 2003 through 2005, advising BIS on regulatory and licensing issues. She previously served as a policy analyst with the Bureau of Export Administration’s Office of Foreign Availability from 1984-1991, and as a policy analyst with the National Telecommunications and Information Administration’s Office of International Affairs from 1981-1983. Ms. Wheeler received a International Relations from Carleton College in 1979, an M.S. in Foreign Service from Georgetown University in 1981, and a J.D. from the Georgetown University Law Center in 1993.
  • Mara Tam
    Mara Tam (@marasawr) is a semi-feral researcher and historian of policy, justice, culture, and security. She has authored, co-authored, and contributed research for technical policy papers in the fields of international security and arms control. After earning a first class degree in art history, Mara’s work supported bilateral negotiations towards peaceful nuclear cooperation between the United States and India. She has been a participant, speaker, and panellist for academic conferences in cultural studies, languages, and history, as well as for strategic programmes like ‘The Intangibles of Security’ initiative convened by NATO and the European Science Foundation. She is currently a doctoral candidate and freelance thinkfluencer. Twitter: @marasawr
  • Nate Cardozo
    Nate Cardozo (@ncardozo) is a Staff Attorney with the Electronic Frontier Foundation. He focuses on the intersection of technology, privacy, and free expression. He has defended the rights of anonymous bloggers, sued the United States government for access to improperly classified documents, and lobbied Congress for sensible reform of American surveillance laws. In addition, he works on EFF's Coders’ Rights Project, counseling hackers, academics, and security professionals at all stages of their research. Additionally, Nate manages EFF’s Who Has Your Back? report, which evaluates service providers' protection of user data. Nate has projects involving automotive privacy, speech in schools, government transparency, hardware hacking rights, anonymous speech, public records litigation, and resisting the expansion of the surveillance state. Nate has a B.A. in Anthropology and Politics from the University of California, Santa Cruz and a J.D. from the University of California, Hastings where he has taught legal writing and moot court. Twitter: @ncardozo
  • Matt Blaze
    Matt Blaze (@mattblaze) is a professor in the computer science department at the University of Pennsylvania. From 1992 until he joined Penn in 2004, he was a research scientist at AT&T Bell Laboratories. His research focuses on the architecture and design of secure systems based on cryptographic techniques, analysis of secure systems against practical attack models, and on finding new cryptographic primitives and techniques. In 1994, he discovered a serious flaw in the US Government's "Clipper" encryption system, which had been proposed as a mechanism for the public to encrypt their data in a way that would still allow access by law enforcement. He has testified before various committees of the US Congress and European Parliament several times, providing technical perspective on the problems surrounding law enforcement and intelligence access to communications traffic and computer data. He is especially interested in the use of encryption to protect insecure systems such as the Internet. Recently, he has applied cryptologic techniques to other areas, including the analysis of physical security systems; this work yielded a powerful and practical attack against virtually all commonly used master-keyed mechanical locks. Twitter: @mattblaze
  • Dave Aitel
    Dave Aitel (@daveaitel) is an offensive security expert whose company, Immunity, Inc., consults for major financial institutions, Fortune/Global 500s, etc. At the age of 18, he was recruited by the National Security Agency where he served six years as a “security scientist” at the agency’s headquarters at Fort Meade, Maryland. He then served as a security consultant for @stake before founding Immunity in 2002. Today, Dave’s firm is hired by major companies to try to hack their computer networks - in order to find and fix vulnerabilities that criminal hackers, organized crime and nation-state adversaries could use. Immunity is also a past contractor on DARPA’s cyber weapons project, known as Cyber Fast Track. The company is well-known for developing several advanced hacking tools used by the security industry, such as Swarm, Canvas, Silica, Stalker, Accomplice, Spike, Spike Proxy, Unmask - and, most recently Innuendo, the first US-made nation-grade cyber implant with Flame/Stuxnet-like malware capabilities. Immunity has offices in Florida, D.C., Canada, Italy and Argentina. eWeek Magazine named Dave one of “The 15 Most Influential People in Security.” He is a past keynote speaker at BlackHat and DEF CON. He is a co-author of “The Hacker’s Handbook,” The Shellcoder’s Handbook” and “Beginning Python.” He is also the founder of the prestigious Infiltrate offensive security conference (Businessweek article) and the widely read “Daily Dave Mailing List,” which covers the latest cybersecurity news, research and exploit developments. Twitter: @daveaitel
  • Jim Denaro
    Jim Denaro (@CipherLaw; moderator) is the founder of CipherLaw, a Washington, D.C.-based intellectual property law firm and focuses his practice on legal and technical issues faced by innovators in information security. He is a frequent speaker and writer on the subject and works in a wide range of technologies, including cryptography, intrusion detection, botnet investigation, and incident response. Jim advises clients on legal issues of particular concern to the information security community, including active defense technologies, government-mandated access (backdoors), export control, exploit development and sales, bug bounty programs, and confidential vulnerability disclosure (Disclosure as a Service). He has a degree in computer engineering and has completed various professional and technical certifications in information security and is engaged in graduate studies in national security at Georgetown University. Before becoming an attorney, Jim spent obscene amounts of time looking at PPC assembly in MacsBug. Twitter: @CipherLaw
  • Panel


Similar Presentations: