CERIAS - Center for Education and Research in Information Assurance and Security

Skip Navigation
CERIAS Logo
Purdue University
Center for Education and Research in Information Assurance and Security

CERIAS Blog

Page Content

A looming anniversary, and a special offer

Share:

It may seem odd to consider June 2016 as January approaches, but I try to think ahead. And June 2016 is a milestone anniversary of sorts. So, I will start with some history, and then an offer to get something special and make a charitable donation at the same time.

In June of 1991, the first edition of Practical Unix Security was published by O’Reilly. That means that June 2016 is the 25th anniversary of the publication of the book. How time flies!

Read the history and think of participating in the special offer to help us celebrate the 25th anniversary of something significant!

History

PUIS v1

In summer of 1990, Dan Farmer wrote the COPS scanner under my supervision. That toolset embodied a fair amount of domain expertise in Unix that I had accumulated in prior years, augmented with items that Dan found in his research. It generated a fair amount of “buzz” because it exposed issues that many people didn’t know and/or understand about Unix security. With the growth of Unix deployment (BSD, AT&T, Sun Microsystems, Sequent, Pyramid, HP, DEC, et al) there were many sites adopting Unix for the first time, and therefore many people without the requisite sysadmin and security skills. I thus started getting a great deal of encouragement to write a book on the topic.

I consulted with some peers and investigated the deals offered by various publishers, and settled on O’Reilly Books as my first contact. I was using their Nutshell handbooks and liked those books a great deal: I appreciated their approach to getting good information in the hands of readers at a reasonable price. Tim O’Reilly is now known for his progressive views on publishing and pricing, but was still a niche publisher back then.

I contacted Tim, and he directed me to Debby Russell, one of their editors. Debby was in the midst of writing her own book, Computer Security Basics. I told her what I had in mind, and she indicated that only a few days prior she had received a proposal from a well-known tech author, Simson Garfinkel, on the same topic. After a little back-and-forth, Debby introduced us by phone, and we decided we would join forces to write the book. It was a happy coincidence because we each brought something to the effort that made the whole more than the sum of its parts.

That first book was a little painful for me because it was written in FrameMaker to be more easily typeset by the publisher, and I had never used FrameMaker before, Additionally, Simson didn’t have the overhead of preparing and teaching classes, so he really pushed the schedule! I also had my first onset of repetitive stress injury to my hands — something that bothers me occasionally to this day, and has limited me over the years from writing as much as I’d like. I won’t blame the book as the cause, but it didn’t help!

The book was completed in early 1991 and included some of my early work with COPS and Tripwire, plus a section on some experiments with technology for screening networks. I needed a name for what I was doing, and taking a hint from construction work I had done when I was younger, I called it a “firewall.” To the best of our recollection, I was the one who coined that term; I had started speaking about firewalls in tutorials and conferences in at least late 1990, and the term soon became commonplace. (I also described the DMZ structure for using firewalls, although my term for that didn’t catch on.)PUIS v2PUIS v1

Anyhow…. the book appeared in the summer of 1991 and became a best seller (for its kind; last I heard, over 100,000 copies have been sold in 11 languages, and at least twice that many copies pirated). Thereafter, Simson and I also worked on a book on www security (editions in 1997 and 2002), along with our various other projects.

After several years, we produced a major rewrite and update of the Unix security book to include material on internetworking (a fast-growing topic area). That second edition was published in 1996.

Simson and I had gotten so occupied with other things that we welcomed a 3rd author for the third edition of PUIS (as we came to call it): Alan Schwartz. That edition appeared in 2003 and included many updates, plus extension of the material to cover Linux.

Simson went on to write many other books, started several companies, then went back to school to get his PhD. After a while as an academic, he is now a research scientist with NIST…and occasional tech essayist. Alan has a career as a consultant, author, and professor at the University of Illinois at Chicago. Me? I continued on up through the ranks as a POP (plain ol' professor) at Purdue University, including starting CERIAS.

Given all the various changes, and how busy our lives have become with other things, there are no current plans for a 4th edition of the book. If we were to do one, it would probably need to be split into at least two volumes, given all the changes and issues involved.

Possibly interesting bit of trivia: Simson and I did not know each other prior to late 1990, and we did not meet in person until 1992 — more than a year after the book was published! However, the experience of working together brought about an enduring friendship. I also did not meet Alan until several years after the 3rd edition went to press.

Special Offer

If you have someone (maybe yourself) who you’d like to provide with a special gift, here’s an offer of one that includes a donation to two worthwhile non-profit organizations. (This is in the spirit of my recent bow tie auction for charity.) You can make a difference as well as get something special!

Over the years, Simson, Alan, and I have often been asked to autograph copies of the book. We know there is some continuing interest in this (I as asked again, last week). Furthermore, the 25th anniversary seems like a milestone worth noting with something special. Therefore, we are making this offer.

For a contribution where everything after expenses will go to two worthwhile, non-profit organizations, you will get (at least) an autographed copy of an edition of Practical Unix & Internet Security!! Depending on the amount you include, I may throw in some extras.

The Two Non-Profits

The organizations we’ve chosen are EPIC and the ISSA Education Foundation.

The Electronic Privacy Information Center (EPIC) is a non-partisan, non-profit public interest research center established in 1994 to focus public attention on emerging privacy and civil liberties issues and to protect privacy, freedom of expression, and democratic values in the information age.

The ISSA Education Foundation is a non-profit organization associated with the international Information Systems Security Association (ISSA). It provides scholarships and educational programs on cyber security worldwide.

This offer is thus contributing to two worthwhile organizations — one supporting better security, and one supporting better privacy.

The Offer & Levels

Here are the levels of contribution:

$50
Send your copy of any edition of Pratical Unix Security and I (Spaf) will autograph it, then return it to you.
$75
Send your book along with a suggested inscription, and I (Spaf) will use that along with the autograph, subject to the caveats given below.
$100
I will send you a brand new copy of the 3rd edition with my signature.
$125
Simson and I will both sign your book, and if it is the 3rd edition of PUIS, so will Alan. (If it is a first or second edition of PUIS, Alan will sign it if you ask, although he didn't help author those editions.) If you suggest an inscription, one of us will add it, subject to the caveats given below.
$175
We will provide you with a new copy of the book, signed by all 3 authors, with a suitable inscription.
$250
Same as the previous category, plus we'll toss in one of Spaf's bow ties. (If that doesn't make sense, you haven't been to one of his conference talks or distinguished lectures in the last two decades.) This offer is limited to the first 8 at this level.
$300 or more+
All of the above plus something...make a suggestion. (No, we won't write your project code or hack into the Federal Reserve for you).
Each multiple of $500
We will send you five brand new copies of the latest edition of PUIS, signed by all 3 authors.

As an additional offer, Simson and Spaf will sign and return your copy of Web Security, Privacy, & Commerce for an additional $25 if you include it with one of the above.

We are making no profit on this offer! Anything above what is spent on shipping will get split evenly between the designated organizations. We are donating our time, gas (to drive to the post office), and ink to do this. We will share images of the receipts with anyone who asks for proof.

Don’t have a copy of the book already? Copies are still for sale via O’Reilly, Amazon, Barnes & Noble, and other likely sources. It should be easy to get (at least) one. As noted above, we are willing to do even that for you if you will pledge a sufficient amount for this fundraising drive.

This is an offer that will not be repeated...unless we happen to be around 25 years from now and decide to do this on the 50th anniversary!

This offer will expire at noon on Feb 1, 2016, so participate soon! If you act quickly, this could make the perfect "white elephant gift" for your annual office gift exchange, or maybe an odd stocking stuffer for that certain someone but you must order right away! And if you keep it for a few years, you might be able to use it at an upcoming SCA event!

The Fine Print

  • You must provide a check or money order in US dollars with the book(s), made out to “Eugene H. Spafford.” Put “Holiday fundraising offer” in the memo/notes field. Any items sent with an invalid form of payment will not be returned. Alternatively, you can include checks or money orders made out directly to each of the two organizations and we will simply send them on. (The goal is to raise money for these worthwhile organizations and celebrate the anniversary of the book, not to handle a lot of funds!) That will allow you to take the tax deduction, if it is applicable to your circumstances.

  • Ship the book(s) with funds to:

    PUIS Anniversary Offer
    c /o Professor Eugene H. Spafford
    Purdue University CERIAS
    656 Oval Dr
    West Lafayette, IN 47907-2086
  • Be sure to include your return address! Even better, include a pre-made return address label acceptable to the USPS.

  • All signed books will be returned via “book rate” US mail (USPS). If you want something faster, insured, or tracked, then send a pre-paid, self-addressed FedEx, or UPS envelope sufficient to hold the book in a padded envelope. You must do the same for shipment outside the United States! We will not be responsible for damage or lost items sent “book rate” in regular mail.
  • If you send a contribution for a custom inscription but don’t suggest one, we will make one up. If you suggest an inscription that we find offensive (e.g., “COBOL Rules!”) or legally problematic (e.g, “I embezzled $100 million”) then we will make up something else.

  • All contribution amounts beyond what is required for shipping expenses will be split evenly between the two organizations. No handling expenses will be charged (insert your own joke here).

And no, we don’t have books with anything like this cover; We wish we did!!

PUIS joke cover

Cyber Security in Stasis

Share:

This evening, someone pointed out Congressional testimony I gave over 6 years ago. This referenced similar testimony I gave in 2001, and I prepared it using notes from lectures I gave in the early-to-mid 1990s.

What is discouraging is that if I were asked to provide testimony next week, I would only need to change a few numbers in this document and it could be used exactly as is. The problems have not changed, the solutions have not been attempted, and if anything, the lack of leadership in government is worse.

Some of us have been saying the same things for decades. I’m approaching my 3rd decade of this, and I’m a young’un in this space.

If you are interested, read the testimony from 2009 and see what you think.

Privacy, Surveillance, Freedom of Expression, and Purdue University

Share:

On September 24 and 25 of this year, Purdue University hosted the second Dawn or Doom symposium. The event — a follow-up to the similarly-named event held last year — was focused on talks, movie, presentations, and more related to advanced technology. In particular, the focus has been on technology that poses great potential to advance society, but also potential for misuse or accident that could cause great devastation.

I was asked to speak this year on the implications of surveillance capabilities. These have the promise of improving use of resources, better marketing, improved health care, and reducing crime. However, those same capabilities also threaten our privacy, decrease some potential for freedom of political action, and create an enduring record of our activities that may be misused.

My talk was videotaped and is now available for viewing. The videographers did not capture my introduction and the first few seconds of my remarks.The remaining 40 or so minutes of me talking about surveillance, privacy, and tradeoffs are there, along with a few audience questions and my answers.

If you are interested, feel free to check it out. Comments welcome, especially if I got something incorrect — I was doing this from memory, and as I get older I find my memory not not be quite as trustworthy as it used to be.




You can find video of most of the other Dawn or Doom 2 events online here. The videos of last year's Dawn or Doom event are also online. I spoke last year about some of the risks of embedding computers everywhere, and giving those systems control over safety-critical decisions without adequate safeguards. That talk, Faster Than Our Understanding , includes some of the same privacy themes as the most recent talk, along with discussion of security and safety issues.




Yes, if you saw the news reports, the Dawn or Doom 2 event is also where this incident involving Barton Gellman occurred. Please note that other than some communication with Mr. Gellman, I played absolutely no role in the taping or erasure of his talk. Those issues are outside my scope of authority and responsibility at the university, and based on past experience, almost no one here listens to my advice even if they solicit it. I had no involvement in any of this, other than as a bystander.

Purdue University issued a formal statement on this incident. Related to that statement, for the record, I don’t view Mr. Gellman’s reporting as “an act of civil disobedience.” I do not believe that activities of the media, as protected by the First Amendment of the US Constitution and by legal precedent, can be viewed as “civil disobedience” any more than can be voting, invoking the right to a jury trial, or treating people equally under the law no matter their genders or skin colors. I also share some of Mr. Gellman’s concerns about the introduction of national security restrictions into the entire academic environment, although I also support the need to keep some sensitive government information out of the public view.

That may provide the topic for my talk next year, if I am invited to speak again.

Why I Don’t Attend Cons

Share:

I recently had a couple of students (and former students, and colleagues) ask me if I was attending any of a set of upcoming cons (non-academic/organizational conferences) in the general area of cyber security. That includes everything from the more highly polished Black Hat and DefCon events, to Bsides events, DerbyCon, Circle City Con, et al. (I don’t include the annual RSA Conference in that list, however.)

25 years ago there were some as the field was starting up that I attended. One could argue that some of the early RAID and SANS conferences fit this category, as did some of the National Computer Security Conferences. I even helped organize some of those events, including the 2nd RAID workshop! But that was a long time ago. I don’t attend cons now, and haven’t for decades. There are two main reasons for that.

First, is finances. Some of the events are quite expensive to attend — travel, housing, and registration all cost money. As an academic faculty member, and especially as one at a state university, I don’t have a business account covering things like these as an expense item. Basically, I would have to pay everything out of pocket, and that isn’t something I can afford to do on a regular (or even sporadic) basis. I manage to scrape up enough to attend the main RSA conference each year, but that is it.

Yes, faculty do sometimes have some funds for conferences. When we have grants from agencies such as NSF or DARPA, they often include travel funds, but usually we target those for places where the publication of our research (and that of our students) gives the most academic credit — IEEE & ACM events, for instance. Sometimes donors will provide some gifts to the university for us to use on things not covered by grants, including travel. And some faculty have made money by spinning off companies and patenting their inventions, so they can use that.

None of that describes my situation. Over the last 20 years I have devoted most of my efforts at raising (and spending) funds towards the COAST lab and then CERIAS. When I have had funding for conferences, I have usually spent it on my students, first, to allow them to get the professional exposure. There is seldom money left over for me to attend anything. I show up at a few events because I’m invited to speak and the hosts cover the expenses. The few things I’ve invented I’ve mostly put out in the public domain. I suppose it would be great if some donor provided a pot of money to the university for me to use, but I’ve gotten in the habit of spending what I have on junior colleagues and students so I’m not sure what I’d do with it!

There is also the issue of time. I have finite time (and it seems more compressed as I get older) and there are only so many trips I have time (and energy) to make, even if I could afford more. Several times over the last few years I’ve hit that limit, as I’ve traveled for CERIAS, for ACM, and for some form of advising, back to back to back.

Second, I’m not sure I’d learn much useful at most cons. I’ve been working (research, teaching, advising) in security and privacy for 30 years. I think I have a pretty good handle on the fundamentals, and many of the nuances. Most cons present either introductions for newbies, or demonstrations of hacks into existing systems. I don’t need the intros, and the hacks are not at all surprising. There is some great applications engineering work being done by the people involved, but unlike some people, I don’t need to see an explicit demonstration to understand the weaknesses in supply chains, poor authentication, lack of separation, no root of trust, and all the other problems that underlie those hacks. I eventually hear about the presentations after the fact when they get into the news; I can’t recall hearing about any that really surprised me for quite some time now.

I wish leaders in government and business didn’t need to be continually bashed with demonstrations to begin to get the same points about good security, but I’ve been trying to explain these issues for nearly my whole career, and they simply don’t seem to listen after “This will cost more than you are currently spending.” If anything, attending con events simply points out that the message I’ve been trying to convey for so long has not been heard; rather than instructive, cons might well be rather depressing for me.

There’s obviously also a social element to these events — including the more academic and professional conferences — that I am clearly missing out on. I do have a little regret over that. I don’t get to meet some of the young up-and-coming people in the field, on either the research or applied ends of things. I also don’t get to see some of people I already know as often as I wish I did. However, that gets back to cost and time. And I don’t think too many people have noticed the difference or bemoaned a loss because I wasn’t there, especially as I have gotten older. The current crop of practitioners are all excited by learning the most recent variation on a theme — someone who points out that it is all material we could have predicted (and prevented) isn’t going to fit in. Frankly, I was surprised to hear there was any interest in Jack Daniel’s “Shoulders of Infosec” project by some of the con crowd!

So, do I hate cons? No, not at all! If colleagues or students find them of value and they have the time and resources to attend, then they should go…but they aren’t likely to see me attending.

Proposed Changes in Export Control

Share:

The U.S. limits the export of certain high-tech items that might be used inappropriately (from the government’s point of view). This is intended to prevent (or slow) the spread of technologies that could be used in weapons, used in hostile intelligence operations, or used against a population in violation of their rights. Some are obvious, such as nuclear weapons technology and armor piercing shells. Others are clear after some thought, such as missile guidance software and hardware, and stealth coatings. Some are not immediately clear at all, and may have some benign civilian uses too, such as supercomputers, some lasers, and certain kinds of metal alloys.

Recently, there have been some proposed changes to the export regulations for some computing-related items. In what follows, I will provide my best understanding of both the regulations and the proposed changes. This was produced with the help of one of the professional staff at Purdue who works in this area, and also a few people in USACM who provided comments (I haven’t gotten permission to use their names, so they’re anonymous for now). I am not an expert in this area so please do not use this to make important decisions about what is covered or what you can send outside the country! If you see something in what follows that is in error, please let me know so I can correct it. If you think you might have an export issue under this, consult with an appropriate subject matter expert.

Export Control

Some export restrictions are determined, in a general way, as part of treaties (e.g., nuclear non-proliferation). A large number are as part of the Wassenaar Arrangement — a multinational effort by 41 countries generally considered to be allies of the US, including most of NATO; a few major countries such as China are not, nor are nominal allies such as Pakistan and Saudi Arabia (to name a few). The Wassenaar group meets regularly to review technology and determine restrictions, and it is up to the member states to pass rules or legislation for themselves. The intent is to help promote international stability and safety, although countries not within Wassenaar might not view it that way.

In the U.S., there are two primary regulatory regimes for exports: ITAR and EAR. ITAR is the International Traffic in Arms Regulations in the Directorate of Defense Trade Controls at the Department of State. ITAR provides restrictions on sale and export of items of primary (or sole) use in military and intelligence operations. The EAR is the Export Administration Regulations in the Bureau of Industry and Security at the Department of Commerce. EAR rules generally cover items that have “dual use” — both military and civilian uses.

These are extremely large, dense, and difficult to understand sets of rules. I had one friend label these as “clear as mud.” After going through them for many hours, I am convinced that mud is clearer!

Items designed explicitly for civilian applications without consideration to military use, or with known dual-use characteristics, are not subject to the ITAR because dual-use and commodity items are explicitly exempted from ITAR rules (see sections 121.1(d) and 120.41(b) of the ITAR). However, being exempt from ITAR does not make an item exempt from the EAR!

If any entity in the US — company, university, or individual — wishes to export an item that is covered under one of these two regimes, that entity must obtain an export license from the appropriate office. The license will specify what can be exported, to what countries, and when. Any export of a controlled item without a license is a violation of Federal law, with potentially severe consequences. What constitutes an export is broader than some people may realize, including:

  • Shipping something outside the U.S. as a sale or gift is an export, even if only a single instance is sent.
  • Sending something outside the U.S. under license, knowing (or suspecting) it will then be sent to a 3rd location is a violation.
  • Providing a controlled item to a foreign-controlled company or organization even if in the U.S. may be an export.
  • Providing keys or passwords that would allow transfer of controlled information or materials to a foreign national is an export
  • Designing or including a controlled item in something that is not controlled, or which separately has a license, and exporting that may be a violation.
  • Giving a non-U.S. person (someone not a citizen or permanent resident) access to an item to examine or use may be an export.
  • Providing software, drawings, pictures, or data on the Internet, on a DVD, on a USB stick, etc to a non-U.S. person may be an export

Those last two items are what as known as a deemed export because the item didn’t leave the U.S., but information about it is given to a non-US person. There are many other special cases of export, and nuances (giving control of a spacecraft to a foreign national is prohibited, for example, as are certain forms of reexport). This is all separate from disclosure of classified materials, although if you really want trouble, you can do both at the same time!

This whole export thing may seem a bit extreme or silly, especially when you look at the items involved, but it isn’t — economic and military espionage to get this kind of material and information is a big problem, even at research labs and universities. Countries that don’t have the latest and greatest factories, labs, and know-how are at a disadvantage both militarily and economically. For instance, a country (.e.g, Iran) that doesn’t have advanced metallurgy and machining may not be able to make specialized items (e.g., the centrifuges to separate fissionable uranium), so they will attempt to steal or smuggle the technology they need. The next best approach is to get whatever knowledge is needed to recreate the expertise locally. You only need to look at the news over a period of a few months to see many stories of economic theft and espionage, as well as state-sponsored incidents.

This brings us to the computing side of things. High speed computers, advanced software packages, cryptography, and other items all have benign commercial uses. However, they all also have military and intelligence uses. High speed computers can be used in weapons guidance and design systems, advanced software packages can be used to model and refine nuclear weapons and stealth vehicles, and cryptography can be used to hide communications and data. As such, there are EAR restriction on many of these items. However, because the technology is so ubiquitous and the economic benefit to the U.S. is so significant, the restrictions have been fairly reasonable to date for most items.

Exemptions

Software is a particularly unusual item to regulate. The norm in the community (for much of the world) is to share algorithms and software. By its nature, huge amounts of software can be copied onto small artifacts and taken across the border, or published on an Internet archive. In universities we regularly give students from around the world access to advanced software, and we teach software engineering and cryptography in our classes. Restriction on these kinds of items would be difficult to enforce, and in some cases, simply silly to restrict.

Thus, the BIS export rules contain a number of exemptions that remove some items from control entirely. (In the following, designations such as 5D002 refer to classes of items as specified in the EAR, and 734.8 refers to section 734 paragraph 8.)

  • EAR 734.3(b.3) exempts technology except software classified under 5D002 (primarily cryptography) if it is
    • arising from fundamental research (described in 734.8), or
    • is already published or will be published (described in 734.7), or
    • is educational information (described in 734.9).
    Exempt from 5D002 is any printed source code, including encryption code, or object code whose corresponding source code is otherwise exempt. See also my note below about 740.13(e.3).
  • EAR 734.7 defines publication as appearing in books, journals, or any media that is available for free or at a price not to exceed the cost of distribution; or freely available in libraries; or released at an open gathering conference, meeting, or seminar open to the qualified public; or otherwise made available,
  • EAR 734.8 defines fundamental research that is ordinarily published in the course of that research.
  • EAR 734.9 defines educational information (which is excluded from the EAR) as information that is released by instruction in catalog courses and associated teaching laboratories of academic institutions. This provision applies to all information, software or technology except certain encryption software, but if the source code of encryption software is publicly available as described in 740.13(e), it can also be considered educational information.
  • We still have some deemed export issues if we are doing research that doesn’t meet the definition of fundamental research (e.g. because it requires signing an NDA or there is a publication restriction in the agreement) and a researcher or recipient involved is not a US person (citizen or permanent resident) employed full time by the university, and with a permanent residence in the US, and is not a national of a D:5 country (Afghanistan, Belarus, Burma, the CAR, China (PRC), the DRC, Core d’Ivorie, Cuba, Cyprus, Eritrea, Fiji (!), Haiti, Iran, Iraq, DPRK, Lebanon, Liberia, Libya, Somalia, Sri Lanka, Sudan, Syria, Venezuela, Vietnam, Zimbabwe). However, that is easily flagged by contracts officers and should be the norm at most universities or large institutions with a contracts office.
  • EAR 740.13(d) exempts certain mass-market software that is sold retail and installed by end-users so long as it does not contain cryptography with keys longer than 64 bits.

The exemption for publication is interesting. Anyone doing research on controlled items appears to have an exemption under EAR 740.13(e) where they can publish (including posting on the Internet) the source code from research that falls under ECCN 5D002 (typically, cryptography) without restriction, but must notify BIS and NSA of digital publication (email is fine, see 740.13(e.3)); there is no restriction or notification requirement for non-digital print. What is not included is any publication or export (including deemed export) of cryptographic devices or object code not otherwise exempt (object code whose corresponding source code is exempt is itself exempt), or for knowing export to one of the prohibited countries (E:1 from supplement 1 of section 740 — Cuba, Iran, DPRK, Sudan and Syria, although Cuba may have just been removed.)

As part of an effort to harmonize the EAR and ITAR, a proposed revision to both has been published on June 3 (80 FR 31505) that has a nice side-by-side chart of some of these exemptions, along with some small suggested changes.

Changes

The Wassenaar group agreed to some changes in December 2013 to include intrusion software and network monitoring items of certain kinds on their export control lists. The E.U. adopted new rules in support of this in October of 2014. On May 20, 2015, the Department of Commerce published — in the Federal Register (80 FR 28853) — a request for comments on its proposed rule to amend the EAR. Specifically, the notice stated:

The Bureau of Industry and Security (BIS) proposes to implement the agreements by the Wassenaar Arrangement (WA) at the Plenary meeting in December 2013 with regard to systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software; software specially designed or modified for the development or production of such systems, equipment or components; software specially designed for the generation, operation or delivery of, or communication with, intrusion software; technology required for the development of intrusion software; Internet Protocol (IP) network communications surveillance systems or equipment and test, inspection, production equipment, specially designed components therefor, and development and production software and technology therefor. BIS proposes a license requirement for the export, reexport, or transfer (in-country) of these cybersecurity items to all destinations, except Canada. Although these cybersecurity capabilities were not previously designated for export control, many of these items have been controlled for their "information security" functionality, including encryption and cryptanalysis. This rule thus continues applicable Encryption Items (EI) registration and review requirements, while setting forth proposed license review policies and special submission requirements to address the new cybersecurity controls, including submission of a letter of explanation with regard to the technical capabilities of the cybersecurity items. BIS also proposes to add the definition of "intrusion software" to the definition section of the EAR pursuant to the WA 2013 agreements. The comments are due Monday, July 20, 2015.

The actual modifications are considerably more involved than the above paragraph, and you should read the Federal Register notice to see the details.

This proposed change has caused some concern in the computing community, perhaps because the EAR and ITAR are so difficult to understand, and because of the recent pronouncements by the FBI seeking to mandate “back doors” into communications and computing.

The genesis of the proposed changes is stated to match the Wassenaar additions of (basically) methods of building, controlling, and inserting intrusion software; technologies related to the production of intrusion software; technology for IP network analysis and surveillance, or for the development and testing of same. These are changes to support national security, regional stability, and counter terrorism.

According to the notice, intrusion software includes items that are intended to avoid detection or defeat countermeasures such as address randomization and sandboxing, and exfiltrate data or change execution paths to provide for execution of externally provided instructions. Debuggers, hypervisors, reverse engineering, and other software tools are exempted. Software and technology designed or specially modified for the development, generation, operation, delivery, or communication with intrusion software is controlled — not the intrusion software itself. It is explicitly stated that rootkits and zero-day exploits will presumptively be denied licenses for export.

The proposed changes for networking equipment/systems would require that it have all 5 of the following characteristics to become a controlled item:

  1. It operates on a carrier class IP network (e.g., national grade backbone)
  2. Performs analysis at OSI layer 7
  3. Extracts metadata and content and indexes what it extracts
  4. Executes searches based on hard selectors (e.g., name, address)
  5. Performs mapping of relational networks among people or groups

Equipment specially designed for QoS, QoE, or marketing is exempt from this classification.

Two other proposed changes would remove the 740.13(d) exemption for mass-market products, and would make software controlled by one of these new sections and containing encryption would now be dual-listed in two categories. There are other changes for wording, cleaning up typos, and so on.

I don’t believe there are corresponding changes to ITAR because these all naturally fall under the EAR.

Discussion

Although social media has had a number of people posting vitriol and warnings of the impending Apocalypse, I can’t see it in this change. If anything, this could be a good thing — people who are distributing tools to build viruses, botnets, rootkits and the like may now be prosecuted. The firms selling network monitoring equipment that is being used to oppress political and religious protesters in various countries may now be restrained. The changes won’t harm legitimate research and teaching, because the exemptions I listed above will still apply in those cases. There are no new restrictions on defensive tools. There are no new restrictions on cryptography.

Companies and individuals making software or hardware that will fall under these new rules will now have to go through the process of applying for export licenses, It may also be the case those entities may find their markets reduced. I suspect that it is a small population that will be subject to such a restriction, and for some of them, given their histories, I’m not at all bothered by the idea.

I have seen some analyses that claim that software to jailbreak cellphones might now be controlled. However, if published online without fee (as is often the case), it would be exempt under 734.7. It arguably is a debugging tool, which is also exempt.

I have also seen claims that any technology for patching would fall under these new rules. Legitimate patching doesn’t seek to avoid detection or defeat countermeasures, which are specifically defined as “techniques designed to ensure the safe exertion of code.” Thus, legitimate patching won’t fall within the scope of control.

Jennifer Granick wrote a nice post about the changes. She rhetorically asked at the end whether data loss prevention tools would fall under this new rule. I don’t see how — those tools don’t operate on national grade backbones or index the data they extract. She also posed a question about whether this might hinder research into security vulnerabilities. Given that fundamental research is still exempt under 734.8 as are published results under 734.7, I don’t see the same worry.

The EFF also posted about the proposed rule changes, with some strong statements against them. Again, the concern they stated is about researchers and the tools they use. As I read the EAR and the proposed rule, this is not an issue if the source code for any tools that are exported is published, as per 734.7. The only concern would if the tools were exported and the source code was not publicly available, i.e., private tools exported. I have no idea how often this happens; in my experience, either the tools are published or else they aren’t shared at all, and neither case runs afoul of the rule. The EFF post also tosses up fuzzing, vulnerability reporting, and jailbreaking as possible problems. Fuzzing tools might possibly be a problem under a strict interpretation of the rules, but the research and publication exemptions would seem to come to the rescue. Jailbreaing I addressed, above. I don’t see how reporting vulnerabilities would be export of technology or software for building or controlling intrusion software, so maybe I don’t understand the point.

At first I was concerned about how this rule might affect research at the university, or the work at companies I know about. As I have gotten further into it, I am less and less worried. it seems that there are very reasonable exceptions in place, and I have yet to see a good example of something we might legitimately want to do that would now be prohibited under these rules.

However, your own reading of the proposed rule changes may differ from mine. If so, note the difference in comment to this essay and I’ll either respond privately or post your comment. Of course, commenting here won’t affect the rule! If you want to do that, you should use the formal comment mechanism listed in the Federal Register notice, on or before July 20, 2015.




Update July 17: The BIS has an (evolving) FAQ on the changes posted online. It makes clear the exemptions I described, above. The regulations only cover tools specially designed to design, install, or communicate with intrusion software as they define it. Sharing of vulnerabilities and proof of exploits is not regulated. Disclosing vulnerabilities is not regulated so long as the sharing does not include tools or technologies to install or operate the exploits.

As per the two blog posts I cite above

  • research into security vulnerabilities is explicitly exempt so long as it is simply the research
  • export of vulnerability toolkits and intrusion software would be regulated if those tools are not public domain
  • fuzzing is explicitly listed as exempt because it is not specifically for building intrusion software
  • jailbreaking is exempt, as is publicly available tools for jailbreaking. Tools to make jrailbreaks would likely be regulated.

Look at the FAQ for more detail.