Overhaul Wassenaar or ruin next Heartbleed fix, top policy boffin says

Kiwicon Additional exemptions to the much-feared Wassenaar Arrangement will do nothing to protect far-flung security professionals critical to crushing dangerous Heartbleed-esque bugs, according to infosec policy-buff Katie Moussouris.

The Hacker One chief policy officer is spearheading the security industry's global response to the Wassenaar Arrangement, a global agreement to limit the movement of weaponry that is being extended to cover security vulnerabilities, software, and exploits.

Moussouris (@k8em0) is the globe-trotter among a cadre of security types who are lobbying signature countries to ensure the Arrangement does not needlessly hinder the complex world of security vulnerability discovery and remediation.

Hackers fear the Arrangement will crimp vital security research and have lobbied signature countries to consider the ramifications of becoming signatories.

Speaking at the Kiwicon security confab in Wellington today, Moussouris said the Arrangement will, in its current form, severely hinder the identification and repair of major software security flaws that affect scores of people occur on a daily or weekly basis.

She said the Arrangement requires an overhaul, adding that so-called emergency exemptions that allow controlled goods to be quickly deployed – such as radar units to the 2010 Haiti earthquake – will not apply to globally-coordinated security vulnerability research that occurs daily.

"Multivendor vulnerability research are situations where you won't know who the coordination partners are ahead of time – there was something 100 partners in the case of Heartbleed," Moussouris says.

"Are they (Wassenaar officials) prepared to grant emergency exemptions like nine times a day for multi-vendor coordination? They didn't have a good answer."

“There are places where the exemptions just won't work and that means we have to go back and change Wassenaar – we have to get that piece removed that says intrusion software technology which is a drag net.”

Moussouris says even those countries that have to date managed to make Wassenaar largely compatible with their local industries are still at risk of butting heads with critical research should the US bork its implementation and not address the fallibility of exemptions.

She met with Australian defence officials last week ahead of Kiwicon and told Vulture South Canberra is on “the same page” with her concern over exemptions.

Moussouris says supply chain development is also under threat due to the global distribution of developers who could unbeknown to researchers be located in Wassenaar controlled countries.

Exemptions can work in some areas of the Arrangement; she has proposed fixes to remove a mind-blowing intra-company rules that could prevent staff from discussing vulnerabilities based on an employee's country of origin.

The complexities of Wassenaar coupled with industry fear-mongering has resulted in some competent but un-named researchers no longer disclosing vulnerabilities for fear of prosecution.

Indeed some hackers did not attend the recent mobile pwn2own competition at PacSecWest since they would be carrying exploit material to the Tokyo event.

Canberra will meet later this month to discuss the latest proposals including Moussouris' work and will move to set amendments in stone early next year. ®