Everybody, good morning. Thank you for getting up and getting down here in time for our talk. I barely made it myself, so I understand the struggle that was involved. My name is Tom Cross and this is Collin Anderson, and we're going to talk about the new export controls that are proposed for intrusion software. I was going to start with a quick background for both me and Collin. I used to work for Internet Security Systems, where I did a lot of export control work. I helped the company understand what it was that we were making and how the export control rules applied to the things that we made, and I helped the lawyers communicate with the government about that. In addition, I did a lot of vulnerability research work and managed vulnerability researchers, so I know a lot about vulnerability disclosure and I can see some of the consequences that the regulations may have for researchers.

Sure. I'm Collin Anderson. I'm a network researcher based in Washington, D.C. I've done a lot of work looking at the structures of network controls and patterns of network performance, especially as they're applied to issues such as internet censorship. Being in D.C., which is a scarce place for people with a technology background, has also afforded some interaction with the policy landscape, and so as a result, for the past five years or so I've looked at issues that are rolled up under the umbrella of internet freedom, including things like circumvention tools and anonymity online, in addition to export controls and sanctions on the flow of surveillance and censorship goods.

So I knew that this stuff was coming down the pipe months ago when the DEF CON call for papers opened, and it was something that concerned me. I knew that the United States government was going to implement it at some point.
I didn't know when, and I felt like it was something that the community needed to understand better, and I ended up having a conversation with Collin about it. He's one of the few people who was writing about this before the United States decided to publish their implementation. He wrote a really good paper discussing the controls and what they were and were not intended to do, and so, discussing it with him, we decided to propose a talk here because we felt that these issues were relevant to this community and the community needed to understand them. And then subsequently the United States published their implementation, I think it was in May, and opened a public comment period, and so everybody in the infosec industry suddenly got involved in this topic and a huge number of comments were filed to BIS, and the original window to file comments closed just before DEF CON. So a lot has happened. Collin may be one of the few people on the planet who's actually read every single comment that was filed. I don't know if BIS has read every single comment that was filed. There is going to be a second round of this. There's going to be a revised regulation and another opportunity for us to comment, and so what's important is that everybody in the community understand what's going on and be engaged and provide constructive input to BIS so that they don't screw this up, since they're going to ask for our input again. So we have kind of a sarcastic title here: the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies and You. One of the things we wanted to discuss with this talk is: is this or is this not a threat to vulnerability research? And the truth is, we don't know. Part of the reason for that is that neither of us is an attorney, and so you can't take anything we say seriously.
The other thing is that the government doesn't know, and they've contradicted themselves on this topic, and we'll show you where. In fact, nobody knows. Collin and I don't even agree about it. So it's a messy topic. There have actually been two other talks at DEF CON and Black Hat about this, and we've heard opinions from a lot of smart people about this topic. What's really important is your opinion. So we want to use this hour to try to arm you to develop your own point of view about this, as opposed to necessarily just hearing ours. I do want to show you a few of my favorite comments that were submitted to BIS. I didn't read them all, but I went through them and I have a few that I think are hilarious. So, on the topic of what is constructive input to BIS and what is not, we'll start with some counterexamples. The first is this: "Brah, make that jailbreak legal." BIS does not care how many people file comments, and although I agree with the sentiment that's been expressed here, it's not terribly persuasive. So it helps to have arguments along with your opinion. The second favorite comment is the one that Weev submitted. He talks about his recent ordeal with law enforcement. There are many people who submitted comments that are critical of what BIS is trying to do. Weev's comment was one of the few that was absolutely supportive of everything that they want to implement. He explained that he's plotting a violent overthrow of the United States government and he's having difficulty recruiting to his cause, and so he encouraged BIS to proceed in hopes that it would drive more recruits into his planned revolution. Personally, I don't often plan violent overthrow of the United States government, but when I do, I usually keep it on the DL until we're ready to roll.
The third favorite comment is from Raytheon. I currently work for a company that has seven employees and we're busting our ass to get product out the door, and I sat down and took time to write constructive commentary for BIS on this issue because I think it's a big deal. Raytheon is a 60,000-employee federal government contractor with full-time attorneys that work for them. They filed a single page in which they explained that they want an extension on the time window to comment because their dudes are on summer vacation. So this is now a new life goal for me. I hope, in my life, to become so powerful that I can tell the Department of Commerce to hold off on a regulatory issue because I need to take the time to do the certification. So no, these comments are not particularly helpful, but perhaps at the end of the talk we can show you the kinds of comments that will be helpful. First we want to talk about the basics. What is the problem here? Why is this even happening? And for that I'm going to turn it over to Collin.

So I probably can't get close to that. Yeah. So part of the reason, and I'm sure that several of you have attended all three now of the presentations, the idea is to give a common core, because we need to be able to start to speak to what the issues are and what the language has been. There are a lot of complexities to this issue, and in fact I think no one's really talked about the full lead-up to it, what people are trying to control, and what the language even says. There have been a lot of assumptions, a lot of hyperbole, some of it true, some of it untrue, all driven by the complexities of this regulation. But we should take a step back very briefly. The source of this is obvious. The reality is that surveillance is becoming a multi-billion-dollar industry, provided to foreign governments and used against questionable targets on a continual basis. Change slides.
There's no greater example of this than the Hacking Team incident. What you have is a company that was based in Italy that was selling both to the FBI but also to despotic governments around the world, without necessarily any sort of precondition on those sales: anywhere from Bahrain, which regularly arrests legitimate dissidents, to Ethiopia, to Sudan, which is under an arms control treaty. Hacking Team had made the assertion that they had sort of a human rights due diligence process. So did FinFisher; we later found out that the chair of FinFisher's ethical review committee was the CEO of FinFisher himself, and so not really an independent arbiter of what is a legitimate transaction or not. In the case of Hacking Team, while there was an Italian attorney who was, I think, very effective at actually writing out some of these issues, by and large these recommendations were ignored. But I want to focus on one thing, which is what happened in Hacking Team especially: Hacking Team's products were being used to compromise not only legitimate targets, or rather not only counter-terrorism targets, but also legitimate democratic activists, and not only domestic democratic activists, but actually international activists. And there's nothing that's going to invite regulation from governments more than having their own citizens targeted by these items. So this becomes a product of this drag of unregulated space being used in creating increasingly visible breaches of privacy around the world. So much so that this became a point even in congressional testimony from intelligence officials on the sorts of threats that intelligence officials are seeing online.

So I think that this is an issue that lots of people in this community care about.
We don't like to see surveillance technologies used by oppressive regimes. A lot of this community has to do with fighting that on different levels. I think that most of us agree that this is bad. The question is, what is the best way to combat it? And also, are there ways to create a rule for export control that combat it that don't also have negative consequences for other important things that we want to do? Often creating a new regulation creates more problems than it solves, as people in this community are very familiar with. So we want to provide some background here. What is the Wassenaar Arrangement? The Wassenaar Arrangement is an international agreement regarding the export of dual-use items. So let me explain what a dual-use item is. We have agreements about the export of military goods: guns, tanks, airplanes, stuff like that. There pretty much is only one use for an aircraft carrier, and that is to have a military. I mean, you could throw a party on it, but generally speaking, people are not buying them for legitimate consumer usage. But there are a lot of things that have legitimate consumer use or business use that could be applied to a military application but are not necessarily being sold for that purpose. And that's what a dual-use item is. Cryptography is regulated as a dual-use item. Most of us are not using it in order to protect espionage; we use it to protect our web browsing. But it could be used to protect espionage, and so it's considered a dual-use item. The Wassenaar Arrangement is a bilateral agreement amongst a whole bunch of different countries, including Russia. They all agree that they're not going to allow certain kinds of commodities to be exported outside of their country except in certain circumstances.
So it's important to understand that there are two tiers here. The Wassenaar Arrangement agreed to some controls on intrusion software back in 2013, and all of the countries that are members of the Wassenaar Arrangement are thereby compelled to implement this agreement. And so the United States, being a member, is now compelled to implement the agreement. And then BIS, which is part of the Department of Commerce, is attempting to implement this in the United States. So there's a discussion that's happening where BIS has published their suggested implementation and asked for comments about that implementation, and they're open to discussion about that. But having a different discussion, where we say, well, let's go back and change what Wassenaar agreed to, is a much more difficult thing. It's easy for BIS to change. It's more difficult for Wassenaar to change. And that's an important dynamic in this discussion that people need to be cognizant of.

To that effect, one of the things that's important to start to talk about is that there are these layers. Effectively, what happens is Wassenaar gives a particular set of language, and then it's up to the member states to dictate the licensing policies and, in some ways, the interpretations. And so they can license these things liberally, or they can even decontrol, as in not require a license for a certain set of uses. But that's up to the member states. So what we're going to talk about across a lot of this, and it's important to reflect back on if you were here yesterday or any of the previous days or if you've read into this, is that there's a difference between the Wassenaar language as it was written and BIS's proposed control. And so we have to dissect the two, because you look at things like "rootkit" and "zero-day": a lot of people have fixated on the use of these terms, the undefined use of these very nebulous terms.
But those aren't originally in the Wassenaar language. So what we're going to try to do is effectively say: this is the Wassenaar language, and this is what BIS has added onto it. And this is, particularly if you have concerns based off of this, the room for negotiation for having it increased or decreased, presumably decreased, or for requesting specific definitions to be added for what these mean. Like when there's a nebulous term, "carrier grade class," what is carrier grade class? If you are interested in that, recommend to BIS: this is what carrier grade class is. Clarification such as that.

So this is a picture of me at DEF CON 4, wearing a T-shirt that had RSA implemented in Perl, which at the time was on the U.S. Munitions List, and you couldn't export it outside the United States; it was considered an arm. Today, export of arms is controlled by ITAR, which you've heard a lot about, and ITAR is operated by the Department of State. So if you want to export something which is considered an ITAR commodity, you have to work with the Department of State in order to be able to do that. Dual-use items are not controlled by the Department of State; they're controlled by the Department of Commerce. The reason is that Commerce tends to be more friendly to business interests than the Department of State. Encryption is currently controlled by the Department of Commerce and the EAR. So I just wanted to clarify that distinction, because we talk a lot about ITAR in this community, and it's important that people understand the distinction between the dual-use items that are controlled by the EAR, the Export Administration Regulations under the Department of Commerce, and arms, which are controlled under the Department of State. The new intrusion software controls would fit under BIS and not under the Department of State.
Another thing that a lot of people in this community think is that there are no export controls on cryptography anymore: we won the crypto war. That's a matter of opinion. We did win a lot in the crypto war, but there still are export controls on cryptography, and people do get prosecuted for violating export controls on cryptography. This example is from 2014: an Intel subsidiary paid $750,000 for an unauthorized encryption export. It used to be in the '90s that if you wanted to export cryptography, unless you met certain characteristics, the answer was usually no. You could ask the government and they would say no. Today you still have to ask the government, generally speaking, but the answer is usually yes. So that's a huge distinction in terms of what we're able to do, but the bureaucratic load of having to talk to the government about it is still there. It doesn't really have a big impact on our community, though, because, as a consequence of a lawsuit that the EFF filed, Bernstein v. DOJ, they argued that source code is speech and that when you publish source code, you're engaged in a First Amendment-protected activity. As a consequence, we have an exception for open source software called License Exception TSU, which allows you, when you put source code out on the internet, to export it without a license. Now, you are supposed to notify BIS that you've done it. You're supposed to send them an email with a link to the place where you put the stuff online, but other than that, you're good to go. You also email the NSA. We have this very dense License Exception ENC slide.
To go back to that point, when we hear people like Matt Blaze talk, when we hear cryptographers talk about sharing within their domain, actually they are still controlled, but they fall under a set of license exceptions such as what's called License Exception ENC. License Exception ENC is very dense and complicated, and really no one understands it. To refer back to the settlement that was initially talked about: the crypto rules are not generally enforced. The case in which there was a $750,000 fine was actually an Intel subsidiary, Wind River, exporting to the People's Liberation Army of China. So when they're used, they're used in these very specific cases, but very, very infrequently. So for those of you who, for example, work on any sort of network communications tool that employs cryptography, even if you are not shipping cryptography, if you are linking to, for example, OpenSSL, you still fall under the export control regulations. However, you generally are not aware of this because you either fall under License Exception TSU, which is Technology and Software Unrestricted (it's also called the General Software Note for other people who have been into this), or you fall under this dense category of controls. So the point of talking about this is that when we talk about regulation, I think we assume that regulation automatically leads to the kicking down of doors, but in fact, on a daily basis, there is a regulatory landscape that you interact with that you might not necessarily even be aware of.

So a lot of the questions that I heard talking to people at DEF CON have to do with: what is the point of having an export control on software, because you can just download it? Why is there an export control on cryptography when you can just download PGP? I want to address that. I think there are two ways in which these things function that are worth being aware of.
The first is that when you're working in a company, there's a lot of pressure to do deals. So you get somebody who comes in and wants to buy your product, and the sales guy is financially incentivized to do the deal. And the channel partner is financially incentivized to do the deal. And the management team is financially incentivized to do the deal. And the shareholders are financially incentivized to do the deal. And you're the guy who stands up and says, guys, I don't think we should do this deal because the customer is threatening the national security of the United States. The answer is going to be: shut up, hippie, we have a business to run here. So export controls work really well when people actually want to comply with them. You don't want to do that deal. You don't want to do business with that guy. And now you can say, look, my hands are tied. I can't sell you the software. I'm sorry. You can tell the sales guy and the channel partner and the management team and the shareholders: I'm sorry, but you can't do this business. And so it puts businesses in a place where they're not required to make moral decisions with respect to who they're doing business with.

And you also don't necessarily want a lot of these people to be making them.

Well, right, because a lot of them are just going to do the deal. There's a tremendous amount of pressure to do the deal. So at a previous employer: back in the late '80s, India tested a nuclear bomb. As a consequence of that, the United States took a bunch of Indian government agencies and put them on what's called the Denied Parties List. That's a list of people you're not allowed to export things to. And decades later, these guys wanted to buy an IPS that I worked on. They wanted to buy it for the same reason anybody buys an IPS: they're trying to stop malware in their network. But this IPS had encryption in it, because you do that.
So it was a controlled commodity and we couldn't sell it to them because they were on the Denied Parties List. They tried over and over and over again to buy it, and we couldn't sell it. And the sales guys get riled up, trying to make Lexus payments. I'm sorry, dude, we can't do this deal. And then in 2007, the Bush administration reached some sort of agreement with the Indian government where the Indian government provided unspecified assistance on the war on terror in exchange for removing some of these entities from the Denied Parties List. And this particular government agency in India called us the very next day to buy the software. So basically, I'm sure that our IPS wasn't the key to negotiating the deal with the Indian government, right? But it was on the list somewhere. It was probably pretty far down on it, but it was on it somewhere. So these export controls are a mechanism that the government uses to negotiate things with other governments. It's a stick among the various different kinds of diplomatic things that the government can do to put pressure on other governments. So those are the kinds of things that can happen. Sure, this Indian government agency could have downloaded Snort or something, but people buy commercial products for a reason. They just wanted to be able to do that, and that was enough to give the United States some leverage.

So we're going a little slow here. We want to talk about the new rules and provide you some background, because nobody in the past few talks has really just sat down and explained exactly what is being proposed here. So we're going to do that, and we'll start with the IP network surveillance controls, which are not as controversial as the intrusion software controls. Yeah.
So to fly through it, because we don't have much time: as you heard yesterday, there are actually two controls that were proposed for implementation by BIS. They come from two different sources. The first is IP network surveillance systems. The origin of this is the French delegation to Wassenaar, and the reason is that in post-Qaddafi Libya, a number of documents were uncovered showing that their local business, Amesys, had been providing sophisticated monitoring centers to the government in order to surveil the entirety of the communications infrastructure, which isn't hard when it's Libya. So they pushed a particular rule for essentially monitoring centers, or rather correlation based off of DPI. This is a very narrow rule. So you have a lot of lines here, and they're joined with "and"s. This is very important, because part of the reason I'm talking about this is that in the first conversations a lot of people just didn't read the rules. They didn't understand it, and they took labels like "IP network surveillance systems" and assumed it meant DPI more broadly. It's not. It's actually performing all of the following on a carrier class IP network, i.e., a national-grade IP backbone: analysis at the application layer, so Layer 7 on OSI; and extraction of selected metadata and application content; and indexing of that extracted data; and being "specially designed," that's a term of art, to carry out all of the following: execution of searches based off of hard selectors, so this is personally identifiable information like e-mail addresses, and mapping out the relational networks, the social network mapping of individuals or groups of people. So this ends up being a very specialized piece of technology, and if you look, for example, at WikiLeaks' Spy Files, only a few products start to fall under this framework, and they are very specialized products.
And I wanted to direct one thing: Wassenaar has this idea of "mass market," and what mass market says is essentially, not only if you're open source, but if you're generally available to the public, we're not going to control you. This is something that comes into play, because effectively stuff that's off the shelf generally, unless it's encryption actually, isn't controlled by the Wassenaar Arrangement. One of the points of controversy, though, is BIS said this all uses crypto, so we're going to control it like cryptography. That's a lot of the pushback, and it's an important point that we can talk about later. But suffice it to say, the IP network surveillance systems control is very narrow and probably only runs incidentally into some, I think probably speculative, network intrusion detection systems.

So intrusion software, however, is the largest point of controversy, and rightfully so. Firstly, the Wassenaar Arrangement puts together this definition of what it calls "intrusion software." It says: software specially designed, there's that keyword again, or modified to avoid detection by monitoring tools or to defeat protective countermeasures of a computer or network-capable device, and performing all of the following: the extraction of data or information from a computer or network-capable device, or the modification of user data, that's one possible route; or the modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions. And they provide definitions of monitoring tools and protective countermeasures. I think people probably have a good understanding of what those mean, but hey, at least you have things like DEP and ASLR showing up in export control, so that's kind of cool.

So the question is, is intrusion... sorry. So here's the important point about intrusion software. Intrusion software itself is not... that's the next slide.
There are no controls on intrusion software. We've defined what it is, but there are no export controls on it. And this is why this gets very confusing. So what is controlled? One of the reasons that this is super confusing is that they didn't come up with a name for the thing that is controlled. I don't know if you want me to do this slide; do you want to do it?

Well, so just to continue. Intrusion software is this periphery of technologies that they use throughout the rest of the document. Intrusion software itself is not the thing that's controlled, but actually what they start to control is this periphery of technologies. And the reason they did this was actually pretty smart. This came out, by the way, of the UK delegation to Wassenaar, and the reason why is because they had figured out how to control FinFisher. What they said, firstly, is that the biggest problem is if we control intrusion software, then that means that anyone who's been hit by anything that's controlled, anyone who's, for example, a target of intrusion software, would be engaged in an export control violation if they took their infected machine outside of the country. And so what they started to say is that actually, especially for things like Hacking Team, what you see is a periphery of technologies that are used to support this. The FinFisher agent, for example, or RCS, DaVinci, is not necessarily a substantial thing. It's not the thing that makes the entirety of Hacking Team's equipment valuable. So what they said is we're going to control the periphery of technologies around it: the things that interact with it, the RCS console, the FinFly proxy, which is basically the middlebox that's doing infection by tainting binaries. We're going to control the hardware and the software that creates the ecosystem around that technology that is necessary for the infection and the operation of the Trojan itself.
Here's where it gets more confusing. They also start to control what's called technology for the development of intrusion software. And by and large, when you run into controversy, this is probably the largest issue. "Technology" in terms of Wassenaar is a specialized thing. It's basically information. It's basically technical data. It's technical assistance. It's blueprints. It's the structure that is necessary for the operation of that thing. Anyone who's done a computer science 101 course knows how easy it is to control intrusion software. This is one of the points of ambiguity that we start running into, because it's not well defined. "Technology" is defined. "Development" is defined. "Intrusion software" is defined. But what all of these things together mean is one of the largest things that you'll see in conversations across the debate: difficulty from all of the parties involved in really being able to scope this out in a limited way that doesn't create an onerous burden for researchers like a lot of the people in the room.

So what are the potential implications of all of this? I'm going to run pretty fast, because we're getting low on time. A big question that everyone asks is, what about open source? It's interesting, because a lot of us work in the encryption world and we're used to License Exception TSU, which I explained before, being the mechanism through which open source software is not controlled for export. And they specifically said that TSU does not apply to intrusion software. So that created a lot of confusion initially, because people thought that means I can't put this stuff on the web. There's this separate part of the regulations, 15 CFR 734.3, which creates an exception for things that are publicly disclosed. This exception does not apply to encryption software, and so those of us who work in encryption software are not necessarily familiar with it, but it would apply to intrusion software.
It creates exemptions for anything that's published, including on the internet, things that arise from what's called "fundamental research," which is narrowly defined, and things that are presented in a classroom environment in an academic institution. Those are pretty broad exceptions that allow you to do things, and it's important that it doesn't matter whether or not your source code is open when you're operating under this exception. You can put it on the internet without publishing the source code and be free of control, whereas in the encryption context you have to publish your source code. I figure any slide about encryption and open source software could benefit from a few pictures of Eric Raymond. So I want to explain the distinction clearly. On the one hand, with encryption, there's this thing called License Exception TSU, and if you want it to apply to your code, you have to email BIS and tell them where it is. On the intrusion software side, there's this thing, 15 CFR 734.3; it must be publicly available, it does not have to be open source, and BIS does not have to be notified. So it's a totally different system, but either way, if you're here at a con and you're talking about stuff and you're releasing stuff, you don't have to worry about export control. So the whole public sphere is exempt; it's really private transactions that end up getting controlled.

The next question is, what about vulnerability research? Is vulnerability research covered? When you disclose a vulnerability to a vendor, is that covered? Unfortunately, that's been very unclear, and BIS has actually contradicted themselves on this topic. In the Federal Register, when they published their implementation, they had some notes that went along with it, and they said technology, for the technology control that Collin was just talking about, includes proprietary research on the vulnerabilities and exploitation of computers. So that seems to be: yes, vulnerability research is controlled.
Then BIS, after getting a lot of feedback about this, started publishing an FAQ on their website, and one of the FAQ answers says the proposed rule would not control information about vulnerabilities. So BIS doesn't even know what these rules mean. They also said in their FAQ that neither the disclosure of the vulnerability nor the disclosure of exploit code would be controlled. However, this is the big caveat. I think that BIS has been operating under the assumption that when you disclose a vulnerability to a vendor, all of the information that you give the vendor ends up becoming public. So they decided that the exception for things that are published applies here, and so we don't have to worry about vulnerability disclosure. But as many of you know, that's not entirely true. Often when you disclose a vulnerability to a vendor you include a whole bunch of technical information that they don't subsequently disclose to the public. They put out an advisory with a little bit of information, where to get the patch, and they credit you, but they don't, like, publish your exploit, they don't publish your write-up that explains how you got reliable code execution, and those kinds of things, because they're not published, may still be technology for the development of intrusion software. So that's a real issue here, and so potentially coordinated vulnerability disclosure across borders could end up being controlled by this unless they carve out some pretty clear exceptions for it. This could also impact bug bounties. Not only are you coordinating this information across a border, but you're getting paid for it and you're not talking to the vendor directly. So that's important to point out, because if they do craft an exception it needs to include bug bounty programs.
So this is one of the points, though: this is struggling to interpret the Wassenaar language, and this is a point at which a large number of the people in this room have the ability to start to clarify what the intended scope of these should be. How you get to the effective point where Hacking Team and others might incur controls, if you're interested in that, where you're not necessarily creating an undue burden on the types of people in the room. This is the translation process that is necessary for the participation of those of you around. So quickly, one of the things they controlled is ways to reliably and predictably defeat protective countermeasures, because they didn't think that was relevant to vulnerability disclosure programs that specifically have to do with mitigation bypasses. So that's potentially an issue. Sharing exploit tool kit samples is potentially controlled, and in their FAQ they said exploit tool kits would be covered under the proposed rule and there's no license exceptions for them. So those of us who work in the infosec industry, we find these things and pass them around on private mailing lists so we can make sure our tools detect them; potentially that activity could be controlled, at least under their initial pass in interpreting this. What about training classes? So technology for the development of intrusion software includes sitting down and talking to somebody about it, and so if you're having a training class, there's an exception for classes that are offered in an academic environment but there's no exception for private training classes. So we see, like, at Black Hat they've got really expensive training classes that are available to the public, so potentially they could become controlled, and Black Hat might have to ask what country you're from before they let you take the class.
Traveling outside the United States: so there's a specific exception that applies to encryption software if it's on your laptop for personal use, and you're traveling outside the United States, you don't have to worry about export control as long as you're going to bring it back and you're not going to disseminate it when you're over there. But they didn't apply this exception to intrusion software, so if you had Metasploit, states potentially you might have illegally exported the software in doing so, even if you don't give it to anybody else. If you have foreign coworkers in your office, telling them about exploiting a vulnerability or giving them access to tools like Core Impact may potentially violate these rules, because they're foreign nationals and so it's considered an export. That's also an idiosyncrasy of the US regime. This notion of deemed exports is something that exists in the US, and that's one of the things that I think people have run into that they didn't necessarily understand. So debuggers and exploit generators is a question that people have brought up. If it's specially designed for the generation of intrusion software it may be controlled. Most debuggers aren't, but some are. Jailbreaking software could potentially be subject to export control. So they said they would have a policy of presumptive denial for items that support rootkit or zero-day exploit capabilities, and that's way more aggressive than, like, the Wassenaar text itself. That's not something Wassenaar requires. That's something that the US government is potentially interpreting. I'm trying to blow through the rest of our slides here. I think it's important that we highlight a few comments that were submitted that we think are really good. So we've run out of time, and in 45 minutes we couldn't even get through the entire scope of the rule. It's complex, and we know it's complex.
There's a lot of resources that are available, and there are specific points that people are going to incidentally run into. A lot of these things are easily fixable, as long as the right people are saying the right things. The last call closed on the 20th, and actually 260 comments were filed. The vast majority of those were not broad "don't mess up." They were constructive involvement from people within the community. So for example, Dino from Square submitted their issue in a personal capacity with deemed exports, and they said, actually, we work in an environment in which we have to exchange this information; that's critical. We are not facilitating the intrusion of users, we're trying to protect our service. We need access to deemed exports. We need to be able to provide it to foreign nationals within our office. So Dino's comment is good because he talks about what he's doing. He explains why it's legitimate. He explains how it interacts with the regulation and why the regulation might prevent him from doing it. And he provides example after example after example. That level of specificity is influential to BIS, because they don't know what goes on in your world and they need to understand how they could potentially. Actually, the New York Electrical Power Association: at some point they realized, wow, we have pen testing tools and we have foreign nationals and we have international companies that need to be able to export within other branches. And this is a great example, because what they said is, we need to know about bulk export licenses. We need to know about whether it's possible for you to exempt certain countries that are not necessarily going to engage in malicious hacking of dissidents or intelligence targets. We need to know about how we can better interact with foreign offices and subsidiaries. We need to make sure that we can facilitate legitimate research within our company.
And they started to lay out these specific points, yet again, that spoke to their interest and also the interest of BIS and basically the federal government to protect the power grid. I thought actually one of my favorites was Cobalt Strike's. Cobalt Strike wrote through, paragraph by paragraph, saying we need to be able to do this. We are a legitimate business, this is our involvement, and this is how we interact with the economy. And so they went through paragraph by paragraph; they had recommendations, they had support, they articulated their argument in order to address the specific claims. They had specific things that they were interested in fixing or that they needed to be protected. They don't necessarily have to endorse the rules. You don't necessarily have to endorse the rules. You can think that export controls are the bane of your existence, that they're futile, that you have to erect a great firewall. I will disagree with you. But the likelihood, you know, you have to behave politically, essentially, and you have to say, irrespective, we disagree with these rules, we disagree with them on this basis, and this is the basis on which we want to protect our assets, and so this is what you have to do. They want information. They did not have to open up this call. Based off of the process, Rapid7 did this again. Rapid7 said, this is our involvement with the industry. And so this is the point at which BIS came to DEF CON. They want your input. There's going to be a second proposed rule that will come out in the next couple of months. There's technical advisory committees. They have maintained an open door, and this is the opportunity for you to be able to protect your profession. There you go. All right, so I'm sorry we don't have time for questions. It's early. It took us a little bit of time to get up to speed here, but I really appreciate your interest this morning, and Colin and I will be hanging out if you want to come up and talk to us. Thank you.