05-14-2021, 09:58 AM
(This post was last modified: 05-14-2021, 09:59 AM by redtape2021.)
Hi all, since I am under investigation by the local export control agency, I have an urgent question to developers, contributors and possibly anybody who internationally ships hashcat preinstalled on a device.
The agency claims that any software ‘for defeating, weakening or bypassing “information security” mechanisms’ would be export controlled as it is supposedly covered by position 5D002.c.3 (software doing the same as 5A002.a.4 - https://dsgl.defence.gov.au/dsglcontent/...5A004.aspx) of the ‘Wassenaar Arrangement’ that is in effect in lots of countries (US, EU, Australia…).
The agency also claims that international shipping or uploading (either binary or source - even if only an add-on to prior uploaded code) to the internet constitutes an ‘export’ and I would have needed prior export authorization.
Hashcat has been around a long time, John the Ripper even for decades. Also, there are many, many similar academic projects. It boggles my mind how this now can be considered ‘controlled dual-use software’ for which the code-contribution is controlled and I may be facing huge penalties.
Does anybody have some substantial explanation why hashcat is not covered by that 5D002.c.3 / 5A002.a.4 position? Maybe even a link to some official statement or prior court ruling (I’d take any country) stating that hash-cracking is not controlled or that hashcat specifically has an exemption or a general export license?
Or did I make a huge mistake there and I actually should have applied for an export authorization before uploading?
I guess anybody who uploaded new hashcat code or similar can hopefully answer this question in detail, as we are talking about prison time in the worst case. This is also why I am posting it in this subforum.