Security researchers, in 2015, felt stress from many new fronts. Battle lines were drawn that few expected, and more than a courageous handful dared take the first step to fight back. Lawmakers co-opted terrorism and national security in pleas for exceptional access to users’ data shielded by encryption. The Wassenaar Arrangement threatened to regulate the tools white hats need to keep us safe, in the name of shutting down harmful surveillance software. And while many in the security community recognized the threat and decided to act, others felt the pressure, which led to cancelled conference talks and potentially important academic research left unpublished. Interesting times.
FBI Director James Comey said that Apple and Google’s decision to relinquish access to encryption keys meant the government and law enforcement faced a serious impediment in executing warrants and collecting evidence in criminal and national security investigations. While Comey stopped short of demanding a backdoor into mobile devices, he did say that Silicon Valley needs to try harder to come up with a viable solution.
U.K. prime minister David Cameron started the year off with a frighteningly naïve and dangerous statement that encrypted communications should not be allowed. Cameron urged the U.K. government not to allow forms of communication that cannot be read. The PM, however, was speaking on the heels of a recent terror attack in nearby Paris, and perhaps emotion got the best of him. Nonetheless, Cameron was suggesting not only that government intercept private communication between citizens, but also that it read it. Is there a bigger affront to a free society?
Despite the hostile environment, technology companies continued to innovate means of encrypted communication. Undeterred, initiatives such as Signal messaging moved ahead with new products for the iPhone and desktop, and SecureDrop emerged as a technology where journalists, activists and others conscious of their privacy could share sensitive documents. Not to mention that many in the security community have found their activist side themselves, and have begun teaching others how to use tools to elude targeted surveillance.
Keynote for the Ages
Major security conference keynotes have deteriorated into pay-for-play drivel that few pay serious attention to. Jennifer Granick, director of civil liberties at the Stanford Center for Internet and Society, brought us back to the good old days at Black Hat, delivering a meaningful and passionate talk. She warned the world that the dream of Internet freedom, which lured her and so many others to explore their curiosities and reach and communicate with others around the world, was dying before our eyes. She cited short-sighted legislation such as the CFAA, Wassenaar, the DMCA and others for creating an air of centralization that governs the Internet and threatens its very fabric.
Cold, Cold Days
The Wassenaar Arrangement rose to prominence in the security lexicon. Wassenaar is an arms control agreement between participating nations, and late last year, so-called intrusion software such as FinFisher and Hacking Team wares fell under the arrangement. So too, apparently, did a lot of other legitimate white hat tools that came under the umbrella of what many experts believed was overly broad legislation. The result, those same experts feared, was a chilling effect on security research.
A Second Look at Wassenaar
Security researchers wrote hundreds of essays during a comment period on the proposed U.S. implementation of the Wassenaar Arrangement, ultimately forcing an unusual re-do of the rules by the Commerce Department. Many of the comments expressed fear of how Wassenaar would make it impossible for researchers to contribute to the safety of the Internet without great cost or fear of reprisal. Others called for protections under the law for white hats, and formal exemptions from prosecution.
Alas, while there were victories in at least delaying the U.S. implementation of Wassenaar pending further review, there were some casualties. Case in point: U.K. university student Grant Wilcox’s dissertation on bypasses of Microsoft’s EMET mitigation tool against memory-based exploits was not published. Legal minds at the University of Northumbria redacted portions of his paper describing proof-of-concept exploits against EMET, partially because of Wassenaar. Later in the year, HP pulled its longtime sponsorship of the Mobile Pwn2Own contest in Tokyo and cited Wassenaar as the reason. Lawyers at HP weren’t sure whether the necessary transfer of research from the participants to affected vendors would run afoul of the Wassenaar rules. As Katie Moussouris of HackerOne said, perhaps we truly are entering a “prohibition era” of security research.