Re: Cybercrime treaty
I strongly support the board making such a statement if Mitre feels
politically able to do that. There is no practical way to distinguish
exploit code used for legitimate scanning, testing, and research, and
that used for crimes. Banning the tools will affect legitimate security
experts far more than underground operators, since we are obliged to
follow the law and they aren't. And if folks can't create and
distribute exploits, there won't be many clearly established, publically
known vulnerabilities for CVE to cross-index.
Adam Shostack wrote:
> (This is a joint letter from myself, and Scott Blake)
> We'd like to draw the attention of the board to a new proposed treaty
> which might make it substantially more difficult for us to work. The
> proposed Cybercrime treaty apparently includes the criminalisation of
> exploit code. This is similar to the Digital Millenium Copyright Act,
> where we had to fight to keep research into security legitamate.
> Imagine how hard it will be to verify the existance of a vulnerability
> in Windows without exploit code. Now, there are clearly problems with
> script kiddies that need to be addressed in some way. But its not
> clear to me that criminalizing research is the right way. We'll draw a
> parallel to the Bernstien and Junger decisions, in which 2 appeals
> courts have found source code to be protected speech.
> At Netect/Bindview, we create and distributed exploit code to show new
> vulnerabilities. That code has never been widely distributed, but
> would have violated the proposed treaty. Getting an international
> treaty revised will be very difficult, and that will result in a chill
> that will make it more difficult to do security research. Given the
> poor state of the field today, we would strongly urge that we not chill
> research into how to improve security.
> So, we'd like first to draw your attention to this, since we think its a
> mistake. Then, (with Steve's permission), we'd like to get the view of
> the other board members on this issue, and ask if we can produce a
> joint statement deploring the unethical use of exploit code, but
> drawing attention to its many legitamate uses for information sharing.
> Adam & Scott
> Adam Shostack, firstname.lastname@example.org
> Scott Blake, email@example.com
> Excerpts from http://wired.com/news/politics/0,1283,36047,00.html
> >The proposal, which is expected to be finalized by December 2000
> >and appears to be the first computer crime treaty, would:
> >* Make it a crime to create, download, or post on a website any
> >computer program that is "designed or adapted" primarily to gain
> >access to a computer system without permission.
> "It is seldom that liberty of any kind is lost all at once."
Stuart Staniford --- President --- Silicon Defense
(707) 445-4355 (707) 445-4222 (FAX)