Oz hackers safe to drop 0day at hacker cons, Wassenaar wonk says
Dropping exploits in Chrome? Sure. Private homebrew CMS? Not so much
ACSC2016 Australian hackers are free under the Wassenaar Arrangement to take zero-day vulnerabilities overseas, demonstrate them on stage and in training sessions, and exploit them to win cash in hacking competitions, according to the Defence Science and Technology Group (DSTG*).
DSTO's Leonard Wills. Image: Darren Pauli, The Register.
The global Arrangement, to which Australia is a party and which it implements through the Defence Trade Controls Act introduced last year, seeks to restrict the movement of dual-use kinetic and digital weaponry, encryption, and communications systems that could be used in military contexts. A permit is required to export the listed technologies unless an exemption applies.
The Arrangement is a quagmire of complexity. Each signatory nation implements its controls differently, with requirements that could see an application restricted based on the location of its cloud server, the nationality of those who hold an administration password, or whether a vulnerability affects public software or in-house custom tools.
Fear of breaching the Arrangement has led sections of the hacker community not to disclose zero-day vulnerabilities at security conferences, most recently at the popular Mobile Pwn2Own contest at PacSec in Tokyo, Japan.
Australian hackers can, at least in some scenarios, rest easy, says DSTO export controls wonk Leonard Wills.
He says hackers with a zero-day Google Chrome vulnerability in hand would be free to disclose it at a conference, on stage, and in the Pwn2Own competition.
“My quick answer is that it won't be controlled because the vulnerability is in public software,” Wills told Vulture South at the Australian Cyber Security Conference in Canberra.
“The vulnerability is still in the public domain even though it is unknown.
“If you have certain commercial software that is not in the public domain, it becomes more complicated.”
The DSTO is widely credited with its efforts to minimise the impact of Wassenaar on Australian hackers, and has produced online tools to help security types establish whether their vulnerability, service, or app will be controlled in various contexts. ®
* Hat-tip to reader David, who wrote in to let us know that the Defence Science and Technology Organisation (DSTO) is now the Defence Science and Technology Group (DSTG), although, as he quips: "The website is still DSTO ... some things in government don’t move that fast."