UK Student’s Research a Wassenaar Casualty - walterbell
https://threatpost.com/uk-students-research-a-wassenaar-casualty/113625

======
jacquesm
> Wilcox said he considered this avenue, but the university’s ethics board
> stepped in and prohibited him from publicly releasing the code; since the
> public release of exploits is a university ethics violation and could have
> put Wilcox’s degree in jeopardy.

Right, I think that university's ethics board should rapidly dismantle
themselves, if they aren't even capable of understanding their mandate.

Suppressing this data is an ethical issue, not doing the research and
releasing it in the first place.

~~~
msandford
Sadly like most governance bodies they think the rules are more important than
the outcomes. This is a clear case of the rules causing a bad outcome rather
than preventing it.

------
asayler
This story has surfaced a few times now via various publications. I think the
assertion that Wassenaar is the issue here is highly flawed.

First, since this student is operating in the UK and, as far as I can tell, is
a UK citizen, the proposed US Wassenaar implementation and FAQs have no
bearing on him. Instead, I believe he is just bound by the EU implementation of
Wassenaar, which, unlike the proposed US rules, more-or-less mirrors the
original 2013 text exactly:
[http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX...](http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32014R1382&from=EN).
So any discussion related
to what BIS is planning to do is irrelevant to this case. And even if he were
a US-based US citizen, it would still be irrelevant since the US rules are
still in the proposed stage and aren't even in effect yet.

Second, Wassenaar explicitly exempts anything "in the public domain", as well
as all mass-market software, from control under the General Software Note.
This is generally interpreted to include any open source code or even
publicly-available object code, as well as academic research publications.

Finally, the Wassenaar control mechanism for the Class 4 items operates as a
secondary control. First it defines "Intrusion software" as:

"Software" specially designed or modified to avoid detection by 'monitoring
tools', or to defeat 'protective countermeasures', of a computer or network-
capable device, and performing any of the following: the extraction of data or
information, from a computer or network-capable device, or the modification of
system or user data; or the modification of the standard execution path of a
program or process in order to allow the execution of externally provided
instructions.

But it does not attempt to control "Intrusion Software" directly. Instead it
goes on to control:

4.A.5: Systems, equipment, and components therefor, specially designed or
modified for the generation, operation or delivery of, or communication with,
"intrusion software".

4.D.4: "Software" specially designed or modified for the generation, operation
or delivery of, or communication with, "intrusion software".

4.E.1.c: "Technology" for the "development" of "intrusion software".

So individual exploits such as the ones discussed here are not even
controlled. Only software designed for the operation, delivery, or control of
systems compromised or targeted by such exploits is (e.g. think Metasploit,
ignoring the open-source and mass-market exemptions that likely apply to it).

So it seems like a reach to assert that Wassenaar would control the discussed
research, and even if it did, the research could still be published and/or
released to the general public without infringing Wassenaar under the General
Software Note exemptions.

The issue here seems much more about an Ethics Board that has little
understanding of the ethics of best-practice coordinated disclosure or basic
academic freedoms. Wassenaar and the proposed US implementation have many
issues, but this doesn't seem to be one of them.

------
tomjen3
Too bad this wasn't in the US so that it could be tested under the 4th
amendment, which actually has some teeth. Unfortunately this happened in the
UK, so I guess he is SOL.

~~~
tptacek
You mean the 1st Amendment.

~~~
mjcohen
Unfortunately, currently the only amendment which seems to have any teeth is
the second. After all, you shouldn't bring teeth to a gunfight.

~~~
ta92929
The first is rather well protected. They tried to ban animal snuff videos for
example and it was overturned. Hate speech is protected as well, whereas it is
prohibited in most (all?) European countries.