RE: Second draft of CyberCrime Treaty Statement
Steven Christy said:
> Spaf suggested moving away from referring to ourselves as "experts"
> and instead using "professionals" or related terms. I agree with
> this, and another Board member suggested a similar modification in a
> private email.
I agree with this as well.
> I agree with David LeBlanc that we shouldn't specifically mention
> "young security enthusiasts who behave unethically" - but on the other
> hand, it's the free exchange of information that helps talented but
> inexperienced people to learn and make contributions of their own.
Agreed, but that's why we talk about educational purposes. We want to stay
far away from any appearance of supporting crackers (i.e., evil hackers).
> (For example, how many high-quality posters to *Bugtraq with unknown
> hat colors have been snapped up by security companies?)
Do you have any idea how nervous this makes a lot of people? Will tell
stories for beer. I know people that have really gone clean, and others
that aren't quite so clean. I've also seen high qulaity posters get snapped
up with disastrous results. We're dealing with law enforcement types here.
This is really a digression from the main point, which is that we're the
good guys and we need these tools to protect you from the barbarians. Let's
keep the focus narrow.
> So I think we
> need to address this *somehow*, because some "young enthusiasts" with
> white hats may not be recognized as professionals.
I think that "As experts, educators, and practitioners of information
security" does a really good job of defining who we are, and the people who
they ought to be worried about not infringing upon. "Young enthusiast"
sounds way too much like "15-year-old hacker". If they're really white
hats, and they're doing good work, I don't care if they are 9, but they'll
come under the quoted area above.
> I suggest that we not mention funding at all.
I'll go along with that. I don't see them offering grants in any case.