RE: Cybercrime treaty
If you had trouble with the link in Adam's message, as I did for some reason, another link to the Draft is http://conventions.coe.int/treaty/en/projets/cybercrime.htm

Mike

-----Original Message-----
From: Adam Shostack [mailto:adam@HOMEPORT.ORG]
Sent: Wednesday, May 03, 2000 9:59 AM
To: cve-editorial-board-list@lists.mitre.org
Subject: Cybercrime treaty

(This is a joint letter from myself, and Scott Blake)

We'd like to draw the attention of the board to a new proposed treaty which might make it substantially more difficult for us to work. The proposed Cybercrime treaty apparently includes the criminalisation of exploit code. This is similar to the Digital Millennium Copyright Act, where we had to fight to keep research into security legitimate. Imagine how hard it will be to verify the existence of a vulnerability in Windows without exploit code.

Now, there are clearly problems with script kiddies that need to be addressed in some way. But it's not clear to me that criminalizing research is the right way. We'll draw a parallel to the Bernstein and Junger decisions, in which 2 appeals courts have found source code to be protected speech.

At Netect/Bindview, we create and distributed exploit code to show new vulnerabilities. That code has never been widely distributed, but would have violated the proposed treaty.

Getting an international treaty revised will be very difficult, and that will result in a chill that will make it more difficult to do security research. Given the poor state of the field today, we would strongly urge that we not chill research into how to improve security.

So, we'd like first to draw your attention to this, since we think it's a mistake. Then, (with Steve's permission), we'd like to get the view of the other board members on this issue, and ask if we can produce a joint statement deploring the unethical use of exploit code, but drawing attention to its many legitimate uses for information sharing.

Adam & Scott

Adam Shostack, adam@homeport.org
Scott Blake, blake@bindview.com

Excerpts from http://wired.com/news/politics/0,1283,36047,00.html

>The proposal, which is expected to be finalized by December 2000
>and appears to be the first computer crime treaty, would:
>* Make it a crime to create, download, or post on a website any
>computer program that is "designed or adapted" primarily to gain
>access to a computer system without permission.

--
"It is seldom that liberty of any kind is lost all at once."
-Hume