RE: Cybercrime treaty
Problems with the Treaty: http://conventions.coe.int/treaty/en/projets/cybercrime.htm

Articles 2 - 5 all state or imply intent.

A system designed to map out routers, such as WSPing, would be "designed or adapted [specifically] [primarily] [particularly] for the purpose of"..."the access to the whole or any part of a computer system". This runs afoul of Article 2.

A system designed to collect usage information on a copyright data object would be "designed or adapted [specifically] [primarily] [particularly] for the purpose of" collecting "non-public transmissions of computer data." This runs afoul of Article 3.

A system designed to obscure a data object (in the interest of privacy) would be "designed or adapted [specifically] [primarily] [particularly] for the purpose of"..."alteration"..."of computer data." In a situation where a browser's origin is being "altered" such that a web site cannot accurately determine its true origin, this would run afoul of Article 4.

A system designed to stress test a web server to determine the load it can carry would be "designed or adapted [specifically] [primarily] [particularly] for the purpose of" the "serious hindering"..."the functioning of a computer system by inputting, [transmitting,] damaging, deleting, deteriorating, altering or suppressing computer data." This runs afoul of Article 5.

Of course each of the articles uses the term "without right" to qualify the actions they describe. If, in Article 6, they hope to make it illegal to create programs which might run afoul of Articles 2 - 5, then they must accept that determination of a given program's status (aX1, aX2) is going to be on the basis of whether or not said program can demonstrate any "rightful" purpose. If a program can be demonstrated as having a rightful use, then it could not be considered under (aX1, aX2). So, if I wrote a program and hard-coded it to attack Amazon.com, then distributed it to any and all, it might be deemed as being in violation of Article 6.
If, however, I wrote the same program and forced the target address to be entered by the person(s) running that program, it could be argued it was designed to test your own systems (regardless of whether or not I provided you with Amazon's IP address as an example address). cDc have long argued (correctly IMO) that BO/BO2K have a "rightful" purpose. Any demonstration code (binaries or source, snippet or fully implemented) can easily be explained as having a "rightful" purpose if we accept the notion that anyone may wish to test their own systems to determine whether or not they're vulnerable or the severity of a given vulnerability within their environment.

Take the example of the EICAR test file for Anti-virus programs. While harmless in and of itself, it can trigger an organization into motion. I had someone use it once as a signature on a message I sent through to NTBugtraq. The result, for me, was more than 1000 responses from subscribers claiming I sent through a message with a virus in it. Such actions might, in some AV products, cause NTBugtraq to be put onto a black list (temporarily or permanently), or cause other undesired actions. Point is, the EICAR test file is an accepted "virus" used to test AV programs. It has no point in life other than to trigger AV programs into action.

Microsoft Internet Explorer has a feature which permits you to schedule the regular check for updates on a given Web Page/Site. It's able to check all pages on a site if configured as such, and by using more than one of these schedules you could effectively check the entire site every minute of every day. The result of such a configuration could run afoul of Article 5, making IE deemed illegal under Article 6.

Since it's highly unlikely many programs will be found not to have "rightful" purposes, it would make sense to redefine Article 6 to better articulate "without right", or intent, in the interest of guiding signatory States to form effective laws.
Cheers, Russ - NTBugtraq Editor and purveyor of Cyber-crime Treaty Article 6 prohibited "data objects".