Legal Issue Export Control
#1
Hi all, since I am under investigation by the local export control agency, I have an urgent question to developers, contributors and possibly anybody who internationally ships hashcat preinstalled on a device.

The agency claims that any software ‘for defeating, weakening or bypassing “information security” mechanisms’ would be export controlled as it is supposedly covered by position 5D002.c.3 (software doing the same as 5A002.a.4 - https://dsgl.defence.gov.au/dsglcontent/...5A004.aspx) of the ‘Wassenaar Arrangement’ that is in effect in lots of countries (US, EU, Australia…).
The agency claims also that international shipping or uploading (either binary or source - even if only an addon to prior uploaded code) to the internet constitutes an ‘export’ and I would have needed prior export authorization.

Hashcat has been around a long time, John the Ripper even for decades. Also there are many many similar academic projects. It boggles my mind how this now can be considered ‘controlled dual-use software’ for which the code-contribution is controlled and I may be facing huge penalties.
Does anybody have some substantial explanation why hashcat is not covered by that 5D002.c.3 / 5A002.a.4 position? Maybe even a link to some official statement or prior court ruling (I’d take any country) stating that hash-cracking is not controlled or that hashcat specifically has an exemption or a general export license?

Or did I make a huge mistake there and I actually should have applied for an export authorization before uploading?

I guess, anybody who uploaded new hashcat code or similar can hopefully answer this question in detail as we are talking about prison-time in the worst case. This is also why I am posting it in this subforum.
#2
Code:
General Software Note

Note: This note applies to all software controls in the Defence and Strategic Goods List.

The Defence and Strategic Goods List does not control “software” which is any of the following:

(1) generally available to the public by being:

(a)  sold from stock at retail selling points, without restriction, by means of:

1.  over‑the‑counter transactions; or

2.  mail order transactions; or

3.  electronic transactions; or

4.  telephone order transactions; and

(b)  designed for installation by the user without further substantial support by the supplier;

Note:  Entry 1 does not release “software” specified in Category 5 — Part 2 (“Information Security”).

(2) “in the public domain”;

(3) the minimum necessary "object code" for the installation, operation, maintenance (checking) or repair of those items whose export has been authorised.

Note: Entry 3 does not release "software" controlled by Category 5 - Part 2 ("Information Security").


According to the above, I believe hashcat would fall under Entry (2). It further clarifies what that means using the following language:

Code:
“In the public domain” as it applies herein, means “technology” or “software” which has been made available without restrictions upon its further dissemination (copyright restrictions do not remove “technology” or “software” from being “in the public domain”).

Hashcat is distributed freely and openly on github under the MIT license. Our repo even states this:

"Licensed under MIT license, or dedicated to the public domain (BSD, GPL, etc. code is incompatible)"

That puts the code/software in the "public domain", clearing it of any restrictions under the DSGL.

However, I am not a lawyer and I cannot be certain, so please do not take my word for it. You will need to speak with someone who is legally able to give this sort of advice and present the above information to them for clarification.
#3
Thanks for your reply. From your quote I also think that exactly "hashcat 6.1.1" is uploaded into the public domain already. So anybody would be free to upload it again somewhere else.

Unfortunately my case is with regards to adding code. Meaning that whatever is added creates an issue. Like a Kernel for attacking a specific hash that wasn't included before.
#4
Again, I'm not a lawyer so I can't really speak to what is or is not allowed. Please seek legitimate legal counsel who is more familiar with this sort of situation. I would say this is just too far outside the bounds of what anyone here on the forums can help you with; talk to a specialist/lawyer.

That said, I'm not sure I see the difference between contributing to and altering/distributing if it's all in the public domain. The code you may have contributed would still be open to the public domain if part of the hashcat repo.
#5
Chick3nman is absolutely right that you should get a lawyer asap. Unfortunately I have had trouble with this topic for the last 6 years (non-hashcat related) and it triggers me enough to stop lurking:
  • The Wassenaar Arrangement is an international agreement, but the only thing that really matters is what your specific country has implemented in its legislature as well as what the specific judge decides.
  • You wrote that you are currently "under investigation". If it's not an official case yet, you may have better chances to cooperate extensively and possibly proactively admit guilt. Don't wait until you get cited to court; better take a lawyer and discuss your options. That may be the difference between a monetary fine and prison.
  • To be honest: you should have checked for the export controls on dual-use items in your country beforehand (I know, easy to say in hindsight). It usually takes a few weeks for the authorities to answer (unless in Germany, where it is several months) and shouldn't cost anything. And, no, there is no "I am sure I first get one warning before anything serious happens. I can wait that long."
  • While you get a lawyer to discuss if you are really in breach of export regulations, I would recommend checking for your specific country if there are potential exemption clauses applicable. Chick3nman referenced the "exempt if in the public domain" possibility. While probably correct in some countries, this unfortunately might not be the case for your country. Other possibilities may have to do with the specific recipient (some countries have treaties among themselves) or with the content (fully functional code is controlled, non-functional "concepts" potentially not) or how long ago you screwed up (I think the official English term is "statute of limitations"). That's all country specific.

Where are you from? I hope it's not Germany. BAFA in Germany (and probably also other EU government bodies) considers cryptanalysis not only Annex I but even Annex IV (same as missiles etc., up to 5 years prison or up to 3M € iirc) and BAFA's position on bringing something into the public domain is also over the top:

Code:
It should also be considered that information is only in the public domain once it has been published. It is BAFA’s established administrative practice to consider first time publications of research results subject to Annex I to the EC Dual-Use Regulation as exports because the research results are not yet in the public domain at the time of publication and the exception from the GTN does not apply.

Source: ec_academia.pdf page 66

So, either go directly to a lawyer or at least let us know which country you are from. There are enough people with the right background (or colleagues of theirs) visiting this forum; maybe one of your countrymen can provide further specific info.
#6
Good news is that I have a legal advisor now.
Bad news is that he wants me to not publicly discuss the case anymore until it is fully resolved. Maybe this is why this topic had not been covered in the forums before...
cya in a few years
#7
So, I'm not familiar with this at all, but it caught my eye and I was wondering in what cases someone would get in trouble with this. If you share and publish code on the hashcat repo as an individual, you're adding to the public code base, and I can't imagine you getting in trouble for that (for this software in the public domain used by thousands of companies etc. etc.).

So in what theoretical scenarios could you be in violation that would warrant such an investigation?
#8
(10-20-2021, 06:57 PM)Vavaldi Wrote: If you share and publish code on the hashcat repo as an individual you're adding to the public code base...
So in what theoretical scenarios could you be in violation...

"Cryptanalysis" software is an export controlled item (5D002c) under the Wassenaar agreement, but local legal implementation is what counts. So, no way around a professional local legal advice...

To generalize:
If you publish code related to "cryptanalysis" the first time then you are probably exporting it.
In some countries, it might be automatically decontrolled if you intend to open-source it. But in this thread there is already one country example (Germany) listed where it definitely still is controlled no matter the intention.
If the code is an add-on or adjustment to other (prior) open-source software ... probably doesn't matter. What does matter, is what exactly the code does. If it isn't related to "cryptanalysis" then there shouldn't be an issue.

Hashcat and similar software may or may not be considered "cryptanalysis". This definition, as well as legal penalties, probably also differ between countries.


Understanding the thinking of export authorities can be easier if substituting the term "cryptanalysis" by "missile technology". Not every "add-on" is harmless only because the core building-plans have been published already.
#9
Important edit:
If the code is an add-on or adjustment to other (prior) open-source software ... probably doesn't matter. What does matter, is what exactly the code does. If it isn't related to "cryptanalysis" then there shouldn't be an issue.
According to German export control: Under item 5D002a3a, code that is developed or modified to use "cryptoanalysis" software is also subject to control.
That seems to make it irrelevant what exactly the new code does - it depends on what the repo (or any other part of the repo) is considered.