It's my pleasure. You're getting a real stack of attorneys today, you know, we had Allian here and he was an attorney, and now we've got a panel of a bunch of them. This is going to be a really interesting set about the weaponization and regulation of security research, something that's pretty important to a lot of us here. I'm not going to introduce everybody individually, I'll probably let Jim take care of that. So let's give our panel a big hand.

Thank you for coming to our panel. This is "Licensed to Pwn: The Weaponization of Security Research." We really appreciate you taking the time to explore this important issue with us. This is a unique time for the entire information security community, and here's why. The U.S. government is implementing rules that could change the way information security is practiced in the United States, and more than that, it could even affect the way that we talk about information security, the way information is exchanged amongst us here. And if that sounds like a big deal, it is, and that's not an overstatement at all of the situation that we're currently looking at. Specifically, some new regulations are being proposed by the Bureau of Industry and Security, also known as BIS, as we'll refer to it here. That's within the U.S. Department of Commerce. The stated mission of BIS is to administer and enforce dual-use export controls on various technologies such as body armor, bulletproof windshield glass, and encryption, most relevant to what we're doing, and those charges are now being expanded to cover some technologies that we're seeing more often, here in this room even. So this is an opportunity for us to organize and present a coherent explanation of our concerns with respect to the regulations that are being proposed. So with that, let me introduce our fantastic panel that we have here, in alphabetical order, for the folks that are here at the table first.

Dave Aitel is an offensive security expert whose company, Immunity, is hired by major companies to try to hack their computer networks to find and fix vulnerabilities that criminal hackers, organized crime, and nation-state adversaries could use. The company is well known for developing several advanced hacking tools used by the security industry such as SWARM, CANVAS, SILICA, STALKER, Accomplice, SPIKE, SPIKE Proxy, Unmask, and most recently INNUENDO, the first U.S.-made nation-grade cyber implant with Flame- and Stuxnet-like malware capabilities. Matt Blaze is a professor in the computer science department at the University of Pennsylvania. His research focuses on the architecture and design of secure systems based on cryptographic techniques, analysis of secure systems against practical attack models, and finding new cryptographic primitives and techniques, as you surely must know. In 1994 he discovered a serious flaw in the U.S. government's Clipper encryption system. He is interested in the use of encryption in various physical security systems, and that work has yielded an attack against virtually all commonly used master-keyed mechanical locks. Nate Cardozo is a staff attorney with the Electronic Frontier Foundation. He focuses on the intersection of technology, privacy, and free expression. He has defended the rights of anonymous bloggers, sued the United States government for access to improperly classified documents, and lobbied Congress for sensible reform of American surveillance laws. In addition he works on the EFF Coders' Rights Project, counseling hackers, academics, and security professionals at all stages of their research. Mara Tam is a researcher and historian of policy, justice, culture, and security. She has authored and contributed research for technical policy papers in the field of international security and arms control.
After earning a first-class degree in art history, Mara's work supported bilateral negotiations toward peaceful nuclear cooperation between the United States and India. She has been a participant, speaker, and panelist in academic conferences in cultural studies, languages, and history, including the Intangible Security Initiative convened by NATO and the European Science Foundation. And today we have with us also, by remote presence, a very special guest, Randy Wheeler of the Bureau of Industry and Security. We are momentarily challenged with the AV. We'll see her later. But she's with us, and we can see her and she can hear us, and she'll be able to hear you. So I can tell you a little bit about her. She has served as the director of the Information Technology Controls Division of the Bureau of Industry and Security's Office of National Security and Technology Transfer Controls since 2006. So she's in charge of this. This is great. Ms. Wheeler was detailed to serve as acting chair of the Operating Committee, the interagency body that resolves disagreement among reviewing agencies. And her experience here is incredibly relevant for this task that we have here of trying to get to rules that our community can live with and that also forward the mission, the stated mission, of the BIS. So we can't thank her enough for taking the time to be with us today. And I'm the moderator for this lovely panel. I'm Jim Denaro. I'm a data security and intellectual property attorney. I also advise hackers on how to stay out of trouble, or at least get in less trouble. So with that said, let's dive into the meat of this. But this is really about export control. And it's a really kind of in-the-weeds subject. And to really understand the significance of the rules that are being proposed and how they would affect the community in such a fundamental way, we're taking a moment to just explore: what is export control? How does it apply to you? How could it apply to you? And why does it matter?
So just a few notes of background before we get into the meat of this particular situation here. So the U.S. government controls the export of sensitive equipment, software, and technology as a means of promoting national security interests and foreign policy objectives. This control is achieved by requiring people and companies to apply for licenses before exporting the articles that are covered by the rules. So the question is, what's covered by export control? That's really what the debate is here. So at a high level we can break it into two categories. First, there are traditional defense articles; that's not really an issue here. They have their own licensing regime. These are things that have no commercial application. They're covered by ITAR, the International Traffic in Arms Regulations. These include, for example, armored combat ground vehicles, think tanks, as well as something perhaps a little more relevant for us here, computers that are specifically designed or developed for military applications. Second, our space here: we have items that are considered to have both commercial and military application. These are considered to be dual-use items, and that's a term of art. They are controlled by the Export Administration Regulations for software and technology. The covered technologies include things such as high-performance computers and encryption, which many of you have probably come across already. In fact, the schedule of controlled goods even has a section entitled "Information Security." So you're already kind of in range here. But those rules are really principally about cryptography, and that's where you see the most. So for these dual-use licenses, the U.S. Department of Commerce receives somewhere between 12,000 and 14,000 applications a year for this type of export activity. And compliance matters.
For these dual-use export control violations, criminal penalties can reach a maximum of $500,000 per violation, and an individual person can get up to 10 years' imprisonment. Dual-use violations can also be the subject of civil fines of up to $12,000 per violation as well as denial of export privileges. And in some cases, both civil and criminal cases can be brought. So the stakes are fairly high at this point. But so far, in the world we've been living in, nobody in the community has been concerned that exploits or zero-days or even things like the Hacking Team system were the subject of much export control, if any at all. So there was no concern there. But that's changing. That brings us to today, and what you may have heard of as the Wassenaar Arrangement. The Wassenaar Arrangement is a group of 41 countries that have agreed to control certain dual-use items. The US participates in this group, and the list of controlled goods is updated every year. So here's where it gets interesting. In 2013, the Wassenaar Arrangement agreed to add certain things to the list. And this is the text of the Wassenaar Arrangement. I wouldn't expect you to read this now, and it's too small anyway. But the key here, the key bit of language, is that intrusion software will be regulated as a dual-use item. And as you can see, I'm sure already a thousand questions occur to you. What even is intrusion software? How would you do this? And so on. So that's really the item here that we're interested in. So the US has committed to implementing the Wassenaar Arrangement agreement at the national level here in the United States. So rules will have to be written and enforced here for all of us in the United States that regulate this. And on May 20th, 2015, the BIS published its proposed rules for implementing this Wassenaar Arrangement locally.
And most notably, and of particular concern to those in the information security and research community, these rules seem to go beyond the bare requirements of this relatively simple-looking statement here. And that's been a cause of much concern that we'll be addressing in particular here. So comments were taken on the proposed rules. And in light of those comments, some things are happening, and we'll hear about what the response to those comments has been. So that's just a broad outline of what it is that we're talking about, and why we're here today, and why it matters. So here's the plan we're going to follow going forward on the panel. Each panelist here comes at the issues from a somewhat different perspective and has some brief opening remarks. So we're going to hear those remarks from the various panelists, and then we'll dive into some more questions, and hopefully things will get pretty engaging. So with that, Mara is going to kick it off. So are you doing, are you running the slides? We are so good at this.

Right, so this is going to be a really quick and dirty introduction to dual-use export controls. What are they for? Basically to avoid this. Dual-use export controls are controls designed to monitor and regulate the ecosystems around weapons of mass destruction, or at least that's where we get our modern export control regimes from. Here's some of the stuff that export control is meant to regulate. We have weapons of mass casualty: nuclear, explosive, and incendiary; weapons of mass disruption, which probably doesn't mean what you think it means. Disruption actually means something a lot worse than sort of the Uber definition. Hey, puppy. So the core logic of export control is nonproliferation. It is controlling the spread of dangerous technologies, and this is done through a couple of mechanisms. One of them is through controlling the transfer of knowledge, which is deemed export. This is obviously going to be of concern to a lot of people in this room.
And then there's the transfer of stuff, or required stuff. And this is where we get a bit into dual use. So, is this thing required for this other thing to be made? And the way that we target this is through identifying choke-point technologies. You want to find something where, if you control it, you can control further progress in the development cycle. And these are really difficult to identify, because they can't be ubiquitous. They have to be rare and/or conspicuous, because you need to be able to control every iteration of it, or close to it. So you can see why for intrusion and surveillance software that principle sort of falls apart immediately. Command and delivery platforms are just too ubiquitous. That doesn't work. So here's a short history of the sort of dual-use arrangements that we have to work with and the international agreements for export control that have happened sort of in the modern era. We started off with the OEEC, which was like an offshoot of the Marshall Plan. And they turned into the OECD. And their counterpart is the Council for Mutual Economic Assistance, the CMEA, which we, because we are adults, decided to call Comecon. So arms exports to Comecon were controlled under COCOM, and these are the original COCOM countries. So this is what we had from about just after the Second World War until the mid-90s. And the successor to COCOM is the Wassenaar Arrangement, which sort of mashes together Comecon and OECD in this sort of lovely mix, and this is what we're stuck with now. And these are all of the U.S. task force agencies tasked with export control reform; like all great bureaucratic disasters, this one was inherited from the Cold War. And this is one of the issues that we have right now, that there are just so many people involved in this process that getting good regulation is really hard. So the question I want to leave you with is: why is a bug like a bomb?
What is it about intrusion and surveillance software, and possibly exploits, that lends them, or does not lend them, to regulation under a dual-use export control regime? And okay, with that we'll switch to Randy Wheeler.

So let's see how we're going to make this work. So do we want to put the mic? Oh, you can just switch over the whole screen. That's perfect. That's awesome. All right, can I plug this in? Yes. And you can switch back to the slide. So we've got anything to mic for? Okay. Audio test for her. Okay. Can you hear us? Can we hear? We can't hear her. What if we take this out? Can you hear it? Can we hear her now? We just put the mic on this. Randy, can you hear us? Yes, I can hear you. I just put the mic on this. Make it really loud. This is going to work. This is a terrible idea. Yes, it is. Okay, can you? Okay. Speak like a giant. Can she say something? Randy, can you say something? Yes, I can say something. Yeah. Can you hear me? Can everybody hear me? Why is my dog up? Why is my dog up? Why is this? She does not look like a dog. She is a human being. I can hear lots of people. Why is this? Just drag it over to the next one. Sorry? Just drag it over. Just drag Randy over to the screen. Oh, hey. Look, it's Randy. Why? All right. How do we full-screen it? Yeah. Okay. What just happened? We finally got you on screen. You personally? You yourself? Oh, my goodness. Okay, I realize you can't see everybody, but wave hello to DEF CON. Funny thing. No, don't turn it around. Don't talk. Don't turn it around. It's a bad idea. Okay, so we're saying hi to her. Okay, so due to some unexpected technical issue, we cannot see Randy and her slides at the same time. So now that we've all had a chance, or at least you've had a chance, to say hi to her, we're going to have to switch over to her slides. So you'll hear her, but not see her. This is a two-hour meeting for obvious reasons. Several hours of technical fail.
Thank you very much for inviting me to participate in this panel. I really appreciate the opportunity to address the folks at DEF CON. And I'm going to give a very, very brief overview of the proposed controls on intrusion software items and IP network surveillance systems in the Export Administration Regulations that Nate mentioned earlier. Next slide. So, oops. My next slide isn't working here. As I mentioned, in the Export Administration Regulations we have controls, national security controls, on computers, telecommunications, and information security. These listed items appear in the Commerce Control List, which is part of the Export Administration Regulations. And there are, of course, other categories as well. The Category 4, 5 Part 1, and 5 Part 2 controls are the responsibility of my division, the Information Technology Controls Division. We process approximately 2,500 export license applications and also 2,000 commodity classification requests per year. To date, most of our work has been in the encryption area, in Category 5 Part 2, partly because over the past several years, as everybody knows, everything has encryption in it, and so items that would have been in Category 4 or Category 5 Part 1 have moved over into the encryption control section. Within each category there are entries, as I think Nate also mentioned, for commodities, test equipment, software, and technology. The Information Technology Controls Division comprises 9 licensing officers, including myself, and we have 3 electronics engineers on the staff and 6 export policy analysts. Next slide, please. The new control list entries that are the subject of the proposed rule are 3 related list entries in Category 4. And as Nate said: systems, equipment, software, and components specially designed or modified for the generation, operation, or delivery of, or communication with, intrusion software.
We also have a separate technology control for technology required for the development of said intrusion software. And then the proposed rule also includes a definition of intrusion software. There's also a separate entry for the IP network communications surveillance systems in Category 5 Part 1, telecommunications. Next slide, please. As Nate noted, these control list entries were proposed in the Wassenaar Arrangement in 2013, and they were adopted by the plenary in December 2013. It's worth noting that the Category 4 and Category 5 proposals were submitted by 2 different countries, aimed at covering 2 different types of products. And the interesting thing about them was that they both had an element of human rights in the purpose of the control. The Category 4 controls were aimed at offensive systems that were being sold not on the commercial market, but directly to governments of potentially repressive regimes, to be used against their citizens. And the same element was present in the proposal for the Category 5 Part 1 monitoring and surveillance systems. Once the Wassenaar Arrangement agrees to a new control list entry, it is added to the multilateral Wassenaar control list. And then it's up to each member country to implement the control in its own list, pursuant to its own statutory and regulatory authorities. In the United States, the dual-use list for national security products is implemented in the Commerce Control List, so the process is to draft a rule and to issue the rule, usually as a final rule, usually in the May or June time frame in the year following the adoption on the Wassenaar list. Between December 2013 and May 2015, there was a great deal of interagency discussion on how to implement these new control list entries. In the Export Administration Regulations we have a reason for control, or several reasons for control, for the same item.
We need to determine the licensing policy, license exceptions that may apply, and in this case we needed to consider that there was overlap with existing encryption controls. As I mentioned earlier, a lot of products have moved over into Category 5 Part 2 over the past years because they have added encryption. In this case, we already had controls on penetration testing products that included encryption, and at times cryptanalytic functionality, and had been licensing them under Category 5 Part 2. So part of the question was what do we do with those products, do we change the treatment of them? And in the proposed rule there is a much tighter restriction on the export of all products that could be described under the new control list entries, including the penetration testing products. We published the proposed rule in May 2015 with a request for public comments, and boy, did we receive comments. We received almost 300 comments totaling almost 1,000 pages. Many of them were very thoughtful. Before that comment period was over we received many requests to meet with various groups and sets of industry coalitions and so forth. We were very, very grateful that there was such interest in talking to us and explaining the issues that the proposed rule raises. There are three areas that the comments have raised. The first was the US implementation in the proposed rule and, as I mentioned, the restrictive license requirements and the non-availability of license exceptions, which places export license requirements on all destinations except Canada and all government and non-government end users, and would require an export license for intra-company and internal use in companies for technology and software, and it would also impose a license requirement on deemed exports.
As Nate mentioned very briefly, the release of technology or source code to a foreign national in the United States is considered to be an export to the home country of the foreign national, and we do receive a fairly large number of deemed export license applications each year from companies who want to release controlled technology to employees who are not US nationals, and these deemed export license requirements would apply to the new control list entries without any exception. The proposed rule also set forth a very restrictive licensing policy, with approval only to four countries and case-by-case review for all other destinations. In addition to the national security reason for control, it would impose a regional stability reason for control, which is very restrictive, and it set forth the licensing policy under the regional stability provisions of the regulations. Finally, the proposed rule set forth a denial policy for products with zero-day or rootkit functionality. Now, these terms did not appear in the Wassenaar text; this is in addition, on a licensing policy basis, in the proposed rule. Second, we were expecting the comments on the restrictive proposed implementation, but we also received a very large set of comments on the text of the Wassenaar control list entries as well. In particular, the definition of intrusion software raises many questions and issues, and the other panelists will address some of those, and there are many concerns about the scope of the control on technology for development of the intrusion software as defined. Finally, there were other issues raised, even beyond the Wassenaar text, that are very important to consider: the likelihood that the imposition of these controls would achieve the purpose of addressing human rights, and the likelihood that they would even cause more harm to security research generally.
In addition, there were a number of comments that noted that the restriction on sharing of technology on cybersecurity research appears to be at cross purposes with other government initiatives, including pending legislation to encourage the sharing of such information. I forgot to tell you to change the slide, I'm sorry. So we're now at the very last slide, that says next steps. The next steps in the regulatory process: we're in the process of reviewing the comments, and again, we do appreciate all the time and effort that all types of companies, researchers, industry representatives, and industry coalitions took to put their thoughts down on paper. We are planning to discuss the issues raised in the comments in a series of technical advisory committee meetings in the rest of the calendar year, and although Mara mentioned that there are so many government agencies involved in export control, we found that in this process there were a number of government agencies with expertise in the cybersecurity area who were not involved in the development of the rule, and we hope to have them participate with us in the open discussions with the constituencies who are interested in the issue, in open meetings in the technical advisory committees for the rest of the calendar year. Also, given the issues raised, we will consult with our Wassenaar partners. A number of the other member countries have already implemented these control list entries in their national control lists, and apparently without some of the reaction that we've received when we published the proposed rule. So we would like to talk to them about the entries and find out how the implementation is affecting their industries and research communities as well. Following these three steps, we intend to draft a revised proposed rule, and again we would have an opportunity for public comments before we would publish a final rule that would go into effect.
And with that, again, thank you for inviting me to participate, and I look forward to hearing the other panel members' presentations.

Thank you for that, Randy, that was a very helpful explanation, and thank you to the members of the audience also for staying with us for this explanation of what it is we're talking about and what the rules are and how this process moves forward. This is a back-and-forth process between the research community and many other stakeholders that are interested in how the technologies that are used in surveillance software may be regulated on a global scale. So this is the framework and these are the parameters that we're working with, and with that we can take a deeper dive into how the proposed rules are going to potentially have some very significant impacts on the various interests. So with that, Nate, I'd like you to take it.

Thanks. I'm Nate Cardozo, I'm a staff attorney with the Electronic Frontier Foundation, as Jim mentioned earlier, and I love technology, so I'm going to pull up my notes on a phone and do the slides from the computer since we can't do both. John Gilmore, in 1993 or thereabouts, told us that the Net interprets censorship as damage and routes around it. That statement is as true today as it was more than 20 years ago when Gilmore told us, and in fact it is far more true today than it was then. Back in the 90s the export of, and this is a gross oversimplification, the export of cryptography was controlled under ITAR, under the United States Munitions List, as a weapon. So this slide could not be exported from the United States. Nowadays we're left with the ITAR arrangement. EFF sued on behalf of Dan Bernstein in the 90s. We won. We got a ruling that said code is speech, and cryptography was moved out of ITAR and into the EAR, the Export Administration Regulations. Now, of course, we're dealing with Wassenaar. Why? This is the problem that Wassenaar was designed to solve: the Enigma machine. Enigma was actually designed to protect German banking.
It was a commercial encryption device that was, of course, repurposed during the war, to, at least at first, great effect. This is also the problem that Wassenaar was designed to solve. Not really, of course. The MakerBot is not controlled under Wassenaar. But guns are. Not guns per se, but nerve gas precursors, et cetera. But what about information? How do you control the export of information? And I would propose to you that it's not going to work any better this time than it did the last time. Because we have things like this. I can export information very, very easily. But what do we do? There is an actual problem here. And it's a significant one. What do we do about things like this? FinFisher. Hacking Team. These are pieces of software that I really don't want in the hands of repressive regimes around the world. What do we do about it? As Randy said, one of the things about the way that export controls work, especially in the United States, and the way that the proposed rule that we're talking about today works, is that it controls exports, period. To anyone. You know, talking to your co-worker who is not a U.S. person, that's controlled. It doesn't matter whether you're selling FinFisher to the government of Ethiopia or selling Metasploit to a pentester in Chile. Those are both controlled. One of those uses I'm just fine with. The other one I'm not so happy about. But there are already tools available. And I would suggest that going to an end-use or an end-user control is a lot better. This is an actual Cisco slide talking about how Cisco is going to help the Chinese government build the Golden Firewall to combat the Falun Gong "evil religion" and other hostilities. This kind of thing is what we should be worried about. We should be worried about our technology companies building the tools of human rights abuse. The Wassenaar Arrangement is intended to control things like this. But it ends up sweeping way too much in, because it doesn't take an end-user control.
Here's another thing that I'm worried about. This is, of course, a Hacking Team email talking about sales to the government of Ethiopia. I, at the Electronic Frontier Foundation, am representing an Ethiopian American suing the government of Ethiopia. Not for Hacking Team, but for FinFisher, for wiretapping his Skype calls. So I would propose to you that there are other tools besides a blanket export control regime that are better suited to holding companies responsible for doing things like building the Great Firewall of China and this specific Falun Gong "evil religion" plug-in that Cisco built, or FinFisher selling to the government of Ethiopia with full knowledge that it was being used against journalists, activists, dissidents, and the diaspora. So that's where I come from, and I'll turn it over to whoever goes next. Matt. David.

So I'm just going to start off real quick with, I guess, a re-bio, in case you forgot who I am and why I'm here talking to you guys. And the reason for that is that my first employer out of, well, during college in fact, was the National Security Agency, and I've since started Immunity, which is a company many of you guys know of only because we have a free debugger, which is surprising to me, but that shows how awesome my marketing skills are. I also have a mailing list called Daily Dave which is discussing a lot of this Wassenaar activity, and we became very concerned when we first saw it coming down the pike, in particular because we sell to the general public three or four major tools. We have CANVAS, which competes with Metasploit Pro and Core Impact, and I assume many of you have used one of these tools to do operational penetration testing, which is something that is required by PCI, required by HIPAA, required by almost everything that is security related. Of course we also sell SILICA, which does wireless penetration testing, which qualifies as a cryptanalytic tool under the BIS regulations.
We also have a conference called INFILTRATE, which focuses on offensive and attack technologies and offers people a way to be very honest about what it is we do. And so, you know, my whole life has been spent building command and delivery platforms, essentially, and that's the exact sort of behavior that these people find uncomfortable, which is in fact a necessary part of our existence in order to understand and secure ourselves. And it's been said that Prezi won't come up on his laptop, but it's also been said that defense is the child of offense. And so for those of us in this room who work on offensive things, I think we can all spend one hour of our time to reply to the simple-to-use website, and it surprised me more than anybody that BIS has an amazingly easy-to-use website for submitting your comments. You can read the regulation in about 15 minutes. You'll never understand it, so don't even try, but you can read it, and then you can write comments on it that say what, how it would affect your daily life, and it will take you about an hour. You can do it during Simpsons reruns or something, so you can make it funny, just don't include curse words or anything crazy. And I think the next round of comments should not be a thousand pages, I think it should be a hundred thousand pages. I think that Randy would very much enjoy hearing from everyone at this conference; everyone here is impacted by this rule in a major way. That's the only reason I'm involved, because, you know, we pay our lawyers a lot of money to keep us out of trouble, but no one in this room wants to pay these lawyers all that they do. Obviously the lawyers in this room, I'm not a lawyer, but the lawyers would enjoy that, and I don't think you should have to. And I think it's a uniquely un-American thing to control the export of information, which, you know, in a sense the human voice is the original export technology for information, and I think we should try to keep that voice free from any kind of overbearing regulation as a
matter of course. We almost have Prezi. That's amazing. I can go on for hours. Can I have a little clicky thing? Thank you. I'm not up on the screen yet, but we're close, we're close. There it is. Can we make it full screen? That would be amazing. There you go. Boom. Alright. Okay, so here's my perspective on this, and it's also your perspective at the end of my five minutes, which is that export control is a bad idea for anything in this area. And we've been talking a lot about the intrusion software part of it. "Intrusion software," let me say, is already them trying to frame the discussion, because when they say intrusion software they mean anything that does anything useful in security, and when they say surveillance software they also link in anything that does intrusion detection and anti-crime work on any scale. And I'm going to talk a little bit more about that, but this, I believe, should be and is definitely the... and Randy can't see it, I'm sorry Randy, it says here... you can see it? Oh, she's seen it already, okay. Well, okay, so Thomas Jefferson, among many things, I think should be our guiding light when it comes to protecting ourselves against tyranny, and we should avoid ourselves coming in the form of tyranny, and that is what they're asking us to do. And if you read the definitions in the thing, it should scare you: not that the definitions are there, but that they were ever allowed to be put into the regulation at all. Something went horribly wrong with the whole process, and I'm going to give you an example that no one's talked about yet, which is "carrier grade." For those of you who have ever worked in telecommunications, which is a lot of you, carrier grade by definition means reliable. It's a marketing term, and how I think it got in the regulations is, I think, Privacy International used it in one of their random little reports, like "we're scared of anything carrier grade," but carrier grade is not a metric for speed. Yet if I magically made you zoom in with your eyeballs and you
zoomed in on this thing, in the actual defense of the regulation that BIS had, they said, well, we think it's anything fast enough for a city or a country, but we won't put an actual number on it. And the reason for that is because there is no number, and if you did put a number on it, it would have to go up exponentially over time. I live in South Beach, not that I'm recruiting, because my company is awesome, but you shouldn't move to it for South Beach, but South Beach has, like, every apartment can get, you know, 500 megabit to your door via a mesh network someone has set up. You can do the same thing in New York, you can do the same thing in San Francisco, and at what speed is carrier class? We're a small city, so I don't understand what the bar is. There is no bar. What they mean is "we mean what we mean when we say what we mean," right? And this should scare you, because the penalties are so high for all of us for breaking these regulations that you are guaranteed to break them and you are guaranteed to be under that onus. What is a rootkit? It's not in there. If this was a program, this document would never have compiled. "Supports zero-day exploitation": first of all, zero-day is not a term you can define, because it means something you don't know, and everyone has different amounts of knowledge, so things that one of you knows may not be a zero-day to me; they may just be something I have sitting around that I don't think is important. And to "support zero-day" simply means you can run a program, so everything that qualifies as a command and delivery platform can in fact be modular and run programs. This is an extremely low bar, and yet it's under the default denial section of the regulation, which means that at some point they thought "this will be fine." And that's just the beginning. Here's what's going to happen with the next regulation they come out with: there'll be a million more examples just like this. We have a process that's creating programs that cannot compile and making
them into laws with humongous penalties. That's what's broken here, and the overreach in this area has massive, massive, dangerous implications. "Deemed exports" alone means those of you who have H-1Bs are essentially cast out of our community as pariahs. "Technical data" is something that you as a human being cannot understand, but the lawyers among us will argue about for years at a thousand dollars an hour to tell you if you're allowed to open your mouth and talk to the person next to you. "Required for," again, some of these phrases should scare you, because if you as a person can't understand if what you're creating and exporting is required for the building and delivery of command and delivery systems, then you are at risk no matter what you do. And that's what this regulation does: it puts all of us under this giant sword, so that people can knock on your door and say, "Hey, by the way, I noticed you were violating the law. We'd love you to cooperate on something else. That would be awesome. I can make the stuff go away." And there was a very bizarre section in the regulation, when they went to defend it on their phone calls as they started getting some heat, which said that, well, if you release it to the public or the vendor you're okay, but if you release it to, you know, just private industry, you're not okay. And we're talking about some value decisions in the disclosure arguments that don't reflect this community at all and don't reflect the industry at all. And again, just to nail this point down, penetration testing software, which under this current regulation would have been restricted as much as a nuclear bomb, is a required operational practice for every company in America. And I think, you know, we talked briefly, especially tomorrow, that export control, if you're going to apply it, should at least have some hope of accomplishing the desired goals. I don't believe the desired goals are worth accomplishing, but I want to run this down here. Here's how you protect
those poor journalists and activists against FinFisher and Gamma, and it is this: you give them an iPad, because neither FinFisher or Gamma can attack unpatched iPads. So that's cheap. I'm willing to donate iPads to these people to avoid regulation, because I think it's a cheap way to do it. Here's what you don't do: ban all software that makes you uncomfortable at great cost to the rest of the world. And I think we should talk a little bit about licensing, because even permissive licensing kills sales and retards innovation, because in order to go through the encryption controls you currently have to wait one month after developing your software, and this is almost all software, because the rule is anything that links to libssl is under this rule. And if you do anything to your crypto that changes your crypto or how you use your crypto, you are supposed to send them a note and explain it and describe it and wait 30 days, and then you can do a release. And so if you've wondered why Core Impact and Canvas and Metasploit Pro are on a monthly release cycle, this is why, and it's extremely difficult to innovate under these kinds of conditions. And of course anyone actually malicious, if there was a malicious Ethiopian person that, you know, Nate does not like for some reason, then they could always get a Rackspace account, right? And that's what they're going to do. So even in its best chances there's no way export control could work, even if it was meant to work, which it's not. So I think, you know, this community, all 700 people in here, are largely of the opinion that code is not a weapon, code is speech, and I think part of the reason for that is we kind of understand something at a much more basic level, which is that you can break down any fact into an infinite number of smaller facts which you can then combine up in combinations to produce the original fact. So for example, if I was going to write a paper on "if you have the extended instruction pointer then you can use a certain technique to
bypass ASLR," and then I would write a separate paper on "here's how I would get EIP using Adobe Reader and a particular technique," and if I combine those things up, those are controllable, but if I don't, they're not controllable. And I think that's the key problem with regulation in any space where we're trying to regulate speech in this way. And, you know, of course the irony of this is that when you see people who are privacy activists espousing these kinds of controls, they're not looking forward to the obvious next step, which is that to enforce them you need a global surveillance network, which is a horrible thing to have to put into their hats. So in summary, their idea is bad and they should feel bad, and in the end what's going to happen if this stuff goes through as is, or even close to as is, is that all of you are going to feel bad. So I'm hoping everyone takes that hour to comment on the next one and we can further influence it by means of killing it. And that's what I've got, and hopefully everyone now agrees with me and we can all go.

Okay, so I'm Matt, and I should say, in spite of the introduction, I'm not a lawyer, though I do occasionally impersonate one. I'm a computer science professor, and one question is, what am I doing here? I am working in this sort of very abstract field, and, you know, I'm not directly a target of these regulations in the sense that, you know, nobody thinks that what I do and what people like me do is bad and needs to be regulated. I mean, the worst people say about what I do is that it's useless and stupid. But, you know, I don't think anybody says that what I do is harmful, and I don't think even the Wassenaar advocates think that academic published research in this area is something that is supposed to be regulated, or at least that's not a particularly common feeling.
So, you know, it would be very easy for me as an academic to say this is something that I should just kind of sit out and watch, and let people with a vested interest like Dave fight this out for their interests. And in particular, the work that I do, when you look a little closer at how it actually gets done and how these regulations are likely to be implemented, particularly over time, I start to become a lot more worried. And one reason that I start to be worried is that, well, okay, you know, my job is to think of things and publish papers for the greater good, right? And, you know, I publish things, and fundamentally that's sort of a defensive activity: the more we learn about what to do, the more robust systems we can build. But at the level of work that we're doing, the distinction between offense and defense is meaningless, right? We can't study defense without studying offense, and in fact if you look at the papers that we publish, we tend to kind of flip around between defense work and overtly defense, overtly offense, back and forth, back and forth. Somebody publishes attack, somebody publishes defense, somebody publishes attack, and at the end of that arms race we end up with something a little bit stronger. So fundamentally, you know, I'm in the offense business as much as I'm in the defense business. Now another thing that should reassure me is that I don't produce products and I don't export things and I don't sell things. And, you know, it's true that, you know, fundamentally what we're doing is not producing, in the academic and research world we're not producing code that we're selling to people or code that we're incorporating into attack products. But when you look at the process, there's quite a bit of code exchanged and there's quite a bit of exporting going on.
About half, and that number, depending on your institution, will go up or down, but it's, you know, certainly in the ballpark, about half of our graduate students are foreign nationals, and that's generally true at, you know, any research-oriented university; people come to the United States to study this stuff. We have colleagues in other countries that we collaborate with, and the process of producing research is often involved with a process of experimentation, exchanging code and working on things. The export regulations effectively limit what I can say privately with my colleagues prior to publication, and that means essentially it's not regulating the output of my work, it's regulating the process of doing my work in order to produce that output. So people who say "you don't have to worry because your papers are protected by the First Amendment," "you don't have to worry because this only affects, you know, attack tools, and you're not selling attack tools and you're not exporting things over borders": that's true about the output, but it's not true about the process, necessarily. So even though, you know, there are many reassuring reasons to think that this is work that I and people like me shouldn't worry about, when we drill down to the actual process, this is something that me and all of my colleagues have to be worried about every day. Now I'm lucky that I work for a big fancy-pants institution that can afford lawyers, and, you know, fortunately at my institution the lawyers that we employ generally see as their job finding ways for me to do my work instead of finding ways to stop me from doing work. But as soon as I talk to them about export rules, that flips; the answer tends to be, "oh, you're taking some risk here," "oh, you need to worry about that," "oh, we better go and get a license to do this before you do that."
Unfortunately, I have the support where they'll help me with this, but these are extremely difficult rules to comply with, even in the easy case where you know that you don't have to make an argument, where you just have to go through the motions. Many people who are doing, you know, research at the same caliber or higher than people like me at universities aren't affiliated with universities and don't have that kind of institutional support. So for me, with institutional support, it's hard; for somebody without institutional support, it becomes kind of a death knell. Now the last thing that I worry about is, as a veteran of Crypto War One in the 1990s, that was before we knew to number the crypto wars, the primary thing we were talking about was export law. Cryptography was covered under ITAR, and the lever that the government had to regulate cryptography was not that there were rules about using cryptography domestically, but that there were rules about using cryptography internationally, and that was what we were talking about in the first crypto wars. Now we won that, and now, you know, they've largely deregulated most consumer-grade and research-grade crypto. But what that illustrates to me is the way that regulations that are intended to accomplish one set of policy goals here, when they're implemented in the future, can be used to accomplish other policy goals that weren't even on the table or being considered by the people proposing them. And I worry here that, you know, today we look at this and we say, well, nobody's meaning to regulate academic inquiry into computer security. That may not be true, you know, 10 years from now under the, you know, Trump administration, or what have you, and, you know, these rules may change and the regulatory tone may change later.
So, you know, this is something that I find worth engaging in, and I think, you know, you need to consider whether it's something that you need to engage in as well. So thanks.

I also note that we have these little buzzers that make funny noises, and we were supposed to press them if anybody disagrees with each other, and nobody seems to disagree with anything any of us said.

Well, I disagree that we won the crypto war. I think we actually lost. And so two of you have said we won, but, you know, when you sell software anywhere in the country or externally, because every piece of software uses crypto in some way, you are under some very strict regulatory frameworks. And as much as, like, you're going to get a license, the fact is your sales process is going to be pretty messed up. You are sending away to the government a list of all of your customers, which some of you may feel uncomfortable with, and there's many other regulatory issues with even understanding these. These are not simple; these are some of the most complex, convoluted laws on the planet that you as a, you know, simple researcher are now being required to understand, or else be under severe penalty. The same thing is true with crypto. I think we actually lost, so that's my personal opinion.

So let me jump in on something they've just said. The rules are very difficult to understand, and I'm a lawyer, so I'm going to look at this through a U.S. constitutional law perspective, and this is again going to be a gross oversimplification. In constitutional law here in the U.S.
we have a doctrine called "void for vagueness." If a criminal law is vague enough that an average person of ordinary intelligence can't tell whether their conduct would be criminalized or not, that law fails constitutional scrutiny. We've seen that it's most common in hate speech or incitement contexts, but it works here too, right? If an ordinary person of average intelligence reads the Wassenaar control lists and can't understand them, then the implementation of those control lists would be a denial of due process and unconstitutional.

Yeah, and that actually gets to one of the sort of core issues about export control, which is, like I said earlier, you can't control something if it is... you can't choose a choke-point technology if it is ubiquitous. So when something is omnipresent, like encryption, like these command and delivery platforms, you run into the same problem: you don't know, and therefore the control fails. I think, you know, it's telling that in fact BIS has on their website web applications that run you through an expert system to determine if certain phrases apply to you, such as "required for" or "is needed by." Like, there's little phrases in the regulation you cannot understand; only the expert system can understand. And I think they're meant to help you, but they demonstrate that the design of the arguments is already vague. And if you talk to your local export control individual, which unfortunately Immunity gets the privilege of doing a lot, they will tell you as well that even the lawyers under BIS don't really have a clear understanding of it that they can explain to you, for example what software is meant to be controlled and what's not, because these issues are so complex, and they rarely go to court. You know, it's been really rare to see the crypto stuff result in a penalty against a company, but that's not as important as whether or not it's used as a hammer in general, which I think should scare you more.

So at
this point it's pretty well established that the rules are intended to prevent the availability of surveillance software to repressive regimes, but there are questions about whether or not these rules are effective in doing that and whether they would also sweep in lots of legitimate software at the same time, if we can use that term. So I'd like to give Randy an opportunity to respond to that and sort of give some more context into how the rules are being tailored to cover just what, some... but the original intent-wise.

I think that the comments are right on point, that the Wassenaar control list attempts to describe particular products, particular functionalities, and the intent was to narrowly define what was going to be controlled. But in fact what we have learned from the public comment process is that either the language is not well stated, so that reasonable people with potentially different vocabularies are reading the language differently, and as well a number of unknown or unexpected products or activities are being swept into the control. And that's what we want to address going forward: is there a way to capture only the products that we're interested in capturing and only licensing those exports that are of concern? Certainly from an administrative law perspective, and as a regulator, I think it is a poor use of government resources and a very poor use of company and industry and researcher resources to...

We lost her. She's gone. Network resources too. Who wants to say something controversial? Dave? But I think she might be back. Hold on. You're back? I'm back. You're back, great. You said "resources" and then you disappeared.

Oh, sorry. I just meant that I think it's a poor use of everybody's resources, both the government resources and industry or researchers' resources, to spend time worrying about export transactions or deemed export transactions that are subject to a policy of approval. There's no point in requiring licenses for those
types of activities, and so we should work to only cover those transactions that would be of concern.

So in order to cover just those certain transactions, it seems like it's a project of definitions, and a lot of the concern is how "intrusion software" is being defined. And I think there's an even bigger question as to whether or not intrusion software is even capable of any kind of meaningful definition. So I'd like to open that up to Randy first, and also I'd like to hear from the rest of the panel about if there's anything to be had there.

Well, I would just quickly agree with you. From the comments that we've received, it is a problematic definition. Again, we have government regulators trying to define products, and then when people who actually deal in the products and the technology have looked at the definition, either they don't understand what it was intended to do or they use the vocabulary differently, and that is a poor regulation then, if there is a lack of understanding of what it covers, and particularly if it is understood to be broader than it is supposed to be. Then it needs to be revised. The frequently asked questions were an attempt to address that, but we got to the point where even in the answers to the questions that we posted on our website we were referring back to the regulatory language, and we just kind of got stuck because we didn't have the correct vocabulary to address the issues that were being raised. So that's what we hope to look into in the next step of the discussions.

Thank you. So as EFF, one of the things that we asked in our comments to BIS, which was also echoed by Google among others, is that the Commerce Department, and I guess more saliently the State Department, go back to the Wassenaar Arrangement itself. The next meeting is at the end of this year, and work on not just clarifying the American implementation through BIS, but working with the 41 member states of the Wassenaar
Arrangement to add some clarity to the control lists there, right? "Software that modifies the standard execution path of a program": what does that mean? Like, why are we focusing on that? And that is not something that BIS can do alone; that's something that needs to go back to the Wassenaar Arrangement itself. So that would be our best-case scenario, if BIS didn't just do a new revised proposed rule and open it back up for comments, but that BIS and the State Department go to Wassenaar, change the control lists there to make them better, and then do a revised proposed rule and additional comments.

And by "make them better" he means let's just remove this, because there's no good way to do this. And what you hear from people... he doesn't agree, but he's wrong. I mean, if I agreed with him, we'd both be wrong, and that would be terrible. And here's the thing: they will say that regulation in this space is inevitable, so you might as well, as an industry, feel free to come up with some language that you're willing to be bound by. And I will tell you this: that is a fool's errand and is a trap you should not fall into. And I think even if you could describe all of today's software that you found abhorrent, the reality is you're also describing software that in the next generation is going to be required for normal operational business, because this is a community that moves far faster than regulation, and always will, and always should if we're going to survive. And I think that when they say "please describe some language that works for us today," you should say "I need language that works for us forever," and it's not possible, and therefore we should not do it.

Also worth noting that the confusion arising from the Wassenaar language is due in large part to the fact that Wassenaar was never designed for human rights purposes. I mean, this was... the export control regime that Wassenaar inherited was all about controlling arms, and several advocacy groups, namely Privacy
International and CAUSE, petitioned to get these Category 4 and 5 entries added, and they were successful. And one of the really irritating things about that is that they knew that Wassenaar was not fit for purpose. They knew that export control would not work for these items, but they persisted, and unfortunately we're dealing with that right now. And, you know, good intentions and all of that, but this really was not the right way to go about it.

From my perspective, it's not the software that's really a problem, right? What Hacking Team does, what FinFisher do, that's just, you know, a standard remote administration tool, right? That's... you can use, you know, any of the remote administration tools would have worked just as well to spy on my client in the Ethiopia lawsuit. What we care about, what matters, isn't the tool itself; it's the service, support and, most importantly, training that comes along with it, right? FinFisher doesn't cost very much, but getting your intelligence agency all trained up to use it and then the ongoing support contract is what Gamma makes its money on. That's the problem, right? It's not the tool; it's what goes on, it's the infrastructure surrounding it. Now, the Wassenaar Arrangement was sort of designed to take that into account, right? Intrusion software is not controlled under the Wassenaar Arrangement; it's the infrastructure around intrusion software that's controlled, "technology required for," etc., etc. But without tailoring it specifically to state uses, and it's those state uses that we see causing significant harm out there in the real world.

Keep in mind, under US law, if I'm correct, and we have lawyers on here, anything that is designed specifically for US government or military use would be controlled under ITAR.

And the same, you know, this is something that no one mentioned, which is that actually Hacking Team was perfectly well regulated under Wassenaar, and they went to
the local government, they said "can we have a license?" and the government said "yes you can, for anyone you want." So even under the most strict interpretation of these regulations, the reality is those companies who operate out of smaller countries, which would of course be every company in this business if the US decides to implement these regulations, can easily go to their government and ask for an out anyway. So even if there was perfect language that applied only to really bad things, which we don't know what are, but if there was perfect language, it still would not work, because you'd have every company going to their government and saying "hey, I just want to know..."

Well, and alternatively you have to worry about pushing these governments into capabilities development. And I think Nate raises a really good point, which is that it's the back-end support which leads these technologies to be so harmful in those contexts. But if these state surveillance agencies are no longer able to buy off the rack, they will move to capabilities development for themselves, and that is a very serious problem. There is no unwritten law of cyber that says that Bahraini engineers couldn't come up with an equivalent of Hacking Team's RCS, especially now that the source code is leaked. So controlling this from the top down simply will not work, especially when we're talking about activities that are done by 10 people with computers you can buy off the shelf. I think that, you know, the inefficiency of regulation in this space can't be overstated.

So we're getting a good sense of what the objectives are. I think, Randy, it would be great if you could fill us in a bit more on where these objectives come from, because I think a lot of people might make the criticism that it may be, or at least ask the question as to whether or not it's properly within the scope of the mission of BIS or Commerce or even the government to be taking a position as to what types of software
should be made available to any particular regime. So really the question is, where do these... these regulations of course don't say on their face "you can't sell to a particular repressive regime," and it doesn't define who the regime is; it defines the thing. So if you can give us any insight into where the input on these particular sets of regulations is coming from within the US.

So there is an export control community involved with the Export Administration Regulations, prescribed by statute, essentially the State Department, Defense Department and the Department of Commerce, and we all provide expert group members to attend the Wassenaar discussions. The consensus was in 2013 that there was a set of products that was of concern within the scope of the Wassenaar mandate that addresses dual-use products that can be used by the military or by civilian agencies for civilian uses, and so that's how the language was added to the Wassenaar list. Then I think that it's fair to say that immediately, even though we had the understanding at the time what the products were that were supposedly described in the language, that was not perhaps a good understanding, and the public comments have certainly borne that out, that there are many products in this space that could be considered to be described in the control list language that were not intended to be controlled under the control list entries. So we don't have a disagreement here. There was an intent to control certain products, but a good number of other products have been swept in in the technical description, and that's what we're dealing with now. And all of the comments so far have echoed comments that we received in the public process and will certainly be taken seriously under consideration going forward.

Thank you for that answer. So speaking of the public process, we'd like to open up the floor here to some audience questions. We don't have a mic for the audience, so
we'll have to make do. We'll repeat the questions, and we'd love to hear your input, and of course panelists, feel free to jump in. Yeah, line up behind Joe.

No. So the question was, is there any reason, or is the only reason we control crypto the Wassenaar Arrangement? And then the second part of it is, is there any good reason to control the export of cryptanalysis? So the answer to the first question is no; we have controlled crypto since... that's a pre-Wassenaar thing. Why do we, and then the second half of it is, why do we still? So cryptography was controlled under COCOM, which was the predecessor to the Wassenaar Arrangement, and it's worth noting that when encryption first came under export control, it was not as sort of insane as it sounds now. I mean, encryption was sort of a big-boy toy; it was something that nation states did. It was not, you know, in the era before personal computing, it was not ubiquitous. So export control might have made sense at some point. I don't think it still does, and that was another thing which, in the comments I drafted for the Electronic Frontier Foundation, I said: before we attempt to do anything more in surveillance software, let's decontrol encryption just entirely. You know, I'm not sure they're gonna do that, but that was what I asked for.

And it's also worth pointing out crypto export controls are a perfect example of one policy goal for when the regulations were originally enacted, which was to keep crypto boxes out of the hands of military adversaries. You know, perfectly good public policy goal, if, you know, there are crypto boxes and military adversaries that might be able to exploit them. Then all of a sudden software got invented, right? And suddenly, you know, we're now worrying about law enforcement domestically, and these, you know, regulations that were enacted for a purpose completely different from what they're actually being enforced for.

So Randy, just quickly on the crypto subject. Well, that's obviously not
part of what's in our crypto has been regulated more tightly in the past and the regulations we have now are relatively more relaxed is can you give us any insight into any trends at BIS with respect to how crypto might be regulated going forward certainly there've been a lot of changes to the encryption entries it is of us and our control under category five part two since I have been involved in the program fortunately we have had a series of decontrols in the encryption provisions but in the same way that we have the the technical description issues in the proposed control list entries we have them in the encryption provisions as well for example I would point to a couple of new decontrol notes L and M that we just implemented in the regulations in this May and again they are technical descriptions that are not exactly product descriptions and we're in my office still trying to work through exactly what products these decontrol notes cover and don't cover and as I said these are decontrol notes L and M so that means there are several others starting with a and to go through all of this it's a it's a very broad control with many different carve-outs and notes and so forth we have limited the encryption controls to products whose primary function is communications computing networking or information security which makes refrigerators not subject that have or the alarm systems that have encryption and that's a good thing that didn't happen until 2010 we're still working on that we still would like to have a positive list we would welcome public participation in that process as well to try to make the rules more concise and more understandable there are many permissive provisions in the encryption area many license there's a license exception that is very broad and for example applies to almost all deemed exports of technology so we have a very permissive regime in the end but a lot of text to get there and certainly it could use a lot of improvement when I could 
talk about the encryption controls all day I have a day-long seminar that goes from soup to nuts and we would like to continue to improve them and again we welcome public participation through the technical advisory committee process for that purpose perhaps one day there'll be a day-long seminars on what intrusion software is next so we we've got a big line of questions so we should take the next question yeah I think that the question is as technology has I'm sorry if I'm paraphrasing I didn't hear the whole thing I think you're you're getting at as technology has changed is the and the use of technologies change are the regulations still relevant or the regulations following the technology in an appropriate way I think he's almost saying as well that if the did we tell the NSA that metadata might be more important than data by allowing people to export crypto because PGP use is rare anyone using PGP therefore need to be looked at and when we deregulate a little bit but not too much it's not everywhere it's not omnipresent so you can do a sort and select on just people using crypto for targeting that's a good question and no one here has the answer so that's that's not why crypto moved out of itar and into EAR a crypto moved out of itar because we we won our case for Dan Bernstein so or he has the answer we we got the we got the stronger crypto controls that resulted in export grade encryption back in the 90s we got those controls deemed unconstitutional so that's why it was that's why the crypto controls are now slightly less that no that was not so the question is the it was the value of metadata part of the reason that the national security establishment the United States was okay with that I think that they weren't quite thinking along those lines at that time next question Colin so I want to repeat that so so the basic question let me just paraphrase into a couple words how does how do the crypto regulations affect you me in my in my daily work and the short 
answer is the crypto regulations probably don't hurt my daily work that much because I've already spent enormous investment in figuring out where those boundaries are and I'm really and I'm comfortable with where knowing at least where some of the bright lines are and and how I can do my work without crossing them you know when it comes to intrusion software those all of those lines are inherently a lot more blurry and I think what it will mean is I spend a lot more time talking to our lawyers at my very generous university and less time actually you know doing my day job which is filing grant applications so for Randy I think the question I don't know if you heard all of that but I think there's a lingering question as to what kind of exceptions are there would there be for research use perhaps on an intrusion software and those technologies required to build intrusion software and with everything being controlled under the proposed rule the possibilities going forward are my point of view endless they could be certainly a broad license exception there could be changes to the control list language so it really depends on how the discussion proceeds over the next few months thank you so I'll just add a quick quick coded to that which is that you know even academics occasionally end up finding themselves on the wrong end of export control investigations and you know it doesn't happen that often but it does happen and it often happens in very significant ways right in physics and in bio and and to a lesser extent in information systems no well I don't think you can paint it with with with that specific approach Collins the one person on earth who likes this thing so if you want to know more about that position I recommend you listen to his Twitter wait I think we have time for about one more question there's two or two more questions fantastic all right make it quick call it is is speaking on a different boss in our panel tomorrow I think is it tomorrow tomorrow 
morning. I want to ask why they didn't invite any of you guys to comment before they put this regulation down your throats.

I don't know if you noticed the presence of Randy Wheeler on the panel.

So the question was: are any of us in favor of regulation at all, and if not, why don't we have a balanced panel? And of course we have Randy, who's the director of export... If you want, there's a long discussion about this stuff; feel free to post to Daily Dave, or call on... if you wish to propose. Thanks.

I think that the point is a valid one: that as the software industry continues to mature, and as, probably as a world, we transition more towards a future of cyber war, these technologies that we're talking about here will become more and more relevant on the battlefield, and there will be increasing government interest, not just in the US but globally, in setting up some kind of regulatory regime. So it shouldn't come as a surprise that we're here today, and I think this is probably the first of quite a few discussions like this that we'll be having. And I'll say I'm not sure that I would make a broad statement saying that none of this should ever be regulated in any way. In fact, I can imagine all sorts of bad things that can be done with the kinds of software being discussed here that may well deserve regulation. What I'm concerned with is I don't know how to draft regulations without enormous collateral damage.

I would be in favor of regulation that controls the provision of support for these kinds of technologies to government end users. That would be a regulation I would get behind. So I don't care about Metasploit, right? I don't care about a remote administration tool. What I care about is the provision of support to the domestic version of the NSA all across the world. That should require a license. The tool itself, the technology behind it, you just go and get it; and maybe not an export license, maybe it should just be something that you can sue people in US court about, like you're doing already, and it shouldn't be under export control at all.

So with respect to who's for regulation, it's worth pointing out that, as Randy noted earlier, there will be another round of proposed rules and another comment period, and I know that BIS is very interested in hearing comments from everybody who may be interested in submitting them, and, as she referenced, a number of them earlier today. So I'd like to hear her advice on what kind of comments are most helpful to BIS in figuring out how to do this. But just with respect to who's for regulation: BIS is not in the business of making value judgments about whether or not certain things should be regulated. It's there to fulfill its mission and to do the best job it can.

So comments in general that are directed to "this is really horrible, go away, you're idiots, this is dumb," that kind of thing is not really going to be that helpful, obviously. So if you can provide something more helpful than that in guiding us how to move forward with the comments... The public comment period for the proposed rule has closed. We certainly will accept additional public comments, but they won't necessarily be in the record. What we do want to do is, again, identify specific issues from the comments that we've received, the most important ones, and try to flesh those out and have all interested parties in the ecosystem, the constituencies, including government agencies that are involved in cyber security, weigh in and help us, the interagency, go forward as appropriate. Beyond that, I'm not sure... There will be another proposed rule; it will not be a final rule based on this proposed rule, so there will be opportunity for more public comments. We do have the technical advisory committee meetings, which we will advertise; they're published in the Federal Register, and we can have open sessions where interested parties can discuss the issues that have been identified. We do hope to have broad participation in that process during the rest of the calendar year.

Thanks. I think we have one more question.

Hi. There seems to be pretty good consensus, at least among the panelists, on the definitions being not the best, and on the ubiquity of some of the tools and so forth. I wanted to follow up on the issue of service provider support and the sort of customer that you're selling these tools to, or people are selling the tools to; it was in one of his first slides. Is it a government end user, somebody else's end user? Is there some sort of scheme, a different regulatory approach, that would conceivably work, that would focus on who the buyers are and what they're doing with it? Or do you sort of lose it, because if you sell to, like, an Ethiopian small businessman, that eventually winds up in the hands of the Ethiopian government, for example?

That's a good point. So I think this is a good question for Randy. If I understand the question correctly: under a licensing regime, how do you discern who the end customer is as part of the licensing process? So if someone is selling to a repressive regime, or they're just selling to a random interested, perhaps, researcher in that same country, is there any way to distinguish that as part of this process?

So the answer is yes, and we have a white paper on how to do it. Your company should institute a know-your-customer policy, right? We saw this illustrated very nicely in the Hacking Team document dump. Mr. Desautels from Netragard sold a zero-day to Hacking Team, and we saw an email from him to Hacking Team saying, "I know who your customers are and I'm okay with it." So that's the sort of thing which I would love to bring a lawsuit about. But yeah, a robust know-your-customer scheme, I think, is the best way of determining that.

Flowcharts have magic powers.

Randy, do you have any further comment on know your customer here?

Well, that's just right. That's certainly a provision already in the Export Administration Regulations, the know-your-customer. In a licensing process, the end user, and at times an end-use statement, are required. And certainly in a license exception situation, or a no-license-required situation, the know-your-customer requirements still apply, to ensure that a license is not required.

There's one more thing there. I think honestly the EFF is going down the wrong path here, and I'm going to get him drunk and we're going to correct it, and I'll tell you why. It's pretty simple, which is that the Huawei Technology corporation calls you up and says they want a copy of some random thing, some gadget or widget. Now, under the current rule set, you're theoretically supposed to try to find out if they are owned, or mostly owned, or controlled by the Chinese government. But in reality, no US company can ever really know. There's no way to know. So even if you have perfect, and I think Immunity has perfect, know-your-customer abilities, and you have a flowchart on your wall which explains it to your admin, because keep in mind it's not a lawyer figuring this out, it's your admin, right, the same person who answers the phone, and they go through the flowchart and they kind of go, oh, you have a web page, your web page looks good, it's all in Chinese, but I don't know, whatever. So I would say that dividing a regulatory framework against this, when for anyone in China it is very difficult to determine if they're a government-owned or government-controlled corporation or not, is probably not the right direction to go.

Well, but the tools we're concerned about are tools that are sold only to governments, right? Hacking Team and Gamma only sell to governments, so they certainly know who their customers are.

Okay, with that, unfortunately we are out of time. The next panel is dying to get in and play with the AV equipment; they really can't wait for this. So I'd just like to extend some recognition here to Mara Tam, who did some amazing things behind the scenes to make this panel happen, and also thank you, certainly, to Randy Wheeler for really this completely unique opportunity to discuss these proposals with you. Thank you to all of you for coming and listening to