ID yourself or get NOTHING (except Framework), snarls Metasploit
Outside the US and Canada? Request licence and bend over
Metasploit Pro and Community users outside North America now need to prove who they are, thanks to changes introduced this week and a tightening of encryption export rules.
The open source Metasploit Framework (a computer security project) is not affected by the new rules.
"[This] is yet another reminder that governments have much more control over closed source software," said Christopher Soghoian, a technologist at the ACLU, in an update to his personal Twitter account.
Announcement on the changes came in a blog post by Rapid7, the firm that markets the Metasploit penetration testing framework, on Sunday.
Due to changes in regulatory requirements that are applicable to Metasploit (Pro and Community) and similar products, as of Sunday, April 19, 2015, individuals outside of the US and Canada who would like to use Metasploit Pro or the Metasploit Community Edition will need to request a licence and provide additional information regarding themselves or their organization designation.
In accordance with the new requirements, the request will be reviewed by Rapid7 and, unless the user is a non-US or non-Canadian government agency (or is otherwise ineligible to receive the products without approval from the US Department of Commerce), the request will be fulfilled.
This affects licence requests made through Rapid7.com as well as any third party sites that currently offer Metasploit Pro or Community products for download.
If you work for the French government, for example, and make use of Metasploit, then licenses will continue to work until they come up for renewal, when the new process will kick in.
Metasploit is a dual use tool that can be used either to test for vulnerabilities within computer systems or to break into remote systems. Many computer security tools have the same inherent characteristic.
HD Moore, Metasploit founder, rejected comparison between the more restricted availability of Metasploit and attempts to block the export of encryption software PGP in the 90s.
"PGP isn't a good comparison, [as] Metasploit Framework is still open source and available globally," he said in a Twitter update. ®