Pwn2Own Tokyo hacking contest trashed, export rules blamed
Sponsor HP stumped by Wassenaar Arrangement cluster-fsck
The Cold War has reached out a long-dead hand to stifle the Pwn2Own hackfest in Tokyo – with the international Wassenaar Arrangement blamed for the event's cancelation.
Organized by the HP TippingPoint-backed Zero Day Initiative, Pwn2Own slings bounties to researchers who find and exploit security bugs in popular software and gear.
But it seems that this year, nobody could work out whether vulnerabilities revealed in Tokyo could be brought back to the US and elsewhere without breaking the Wassenaar treaty, which is an agreement between 41 nations including the US and Japan.
An HP spokesperson told The Register via email that the Zero-Day Initiative made the decision to cancel the event, writing: "Due to the complexity of obtaining real-time import/export licenses in countries that participate in the Wassenaar Arrangement, the ZDI has notified conference organizer Dragos Ruiu that it will not be holding the Pwn2Own contest at PacSecWest in November."
Ruiu had previously tweeted that HP pulled its sponsorship and that he intends to try and host some kind of hackfest in its place:
The first bona fide casualty of the Wassenaar changes: HP won't be doing PWN2OWN Mobile in Japan due to new export restrictions. But...— dragosr (@dragosr) September 1, 2015
I still like hacker circuses, and have ordered my own RF Isolation cage for Japan. PWN2OWN Mobile marches on. Stand by for details.— dragosr (@dragosr) September 1, 2015
Like the Internet we'll route around export blocks, solve by handing bugs over to local reps in .jp don't need to feed bugs back to US— dragosr (@dragosr) September 1, 2015
He also told Ars that HP had lawyered up to the tune of US$1 million to test the legal risk of Pwn2Own in a post-Wassenaar world, but decided it was untenable.
HP confirmed to The Register that it had worked with its lawyers on the issue, but wouldn't comment on how much it had cost.
Hackers had already expressed their concern that Pwn2Own was at risk, since it's open to the interpretation that trafficking flaws across borders is banned in light of the Wassenaar Arrangement.
The text added last year to Wassenaar, which was originally a Cold War-era arms-control pact, forbids the export of:
Software "specially designed" or modified to avoid detection by "monitoring tools," or to defeat "protective countermeasures," of a computer or network-capable device, and performing any of the following:
(a) The extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or (b) The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.
As The Register noted in June, that language could stretch far beyond hacks and exploits, since it could also be read to mean that antivirus can't be exported.
While the US has toned down its approach to implementing the Wassenaar treaty, Ars says the problem for Pwn2Own is Japan's "cumbersome" and "vague" implementation of the agreement.
It's also all colossally convenient for HP, which is apparently considering ejecting its Tipping Point biz ahead of its corporate split. ®
Editor's note: This article has been tweaked to clarify the situation: the problem is exporting the vulnerability information out of Japan, due to that country's implementation of the treaty, rather than a problem with America's rules.