RE: 5th Draft - CyberCrime Treaty Statement - 5.01
very minor changes in  - one striking out "next generation", since even
older security professionals need education, and another adding the word
'authorized' in the next to last paragraph for emphasis.
> -----Original Message-----
> From: Dave Mann [mailto:dmann@BINDVIEW.COM]
> Sent: Wednesday, May 10, 2000 1:41 PM
> To: firstname.lastname@example.org
> Subject: 5th Draft - CyberCrime Treaty Statement
> Below is the 5th version and the last that I can handle today.
> This version was produced by Matt Bishop. Mostly just
> wordsmithing to shorten and clarify several points.
> IMO, I think it stand further shortening but I don't have
> time left today to devote to it.
> Could others also continue to place version numbers on
> their edits so that we can track the changes?
> Dave Mann || e-mail: email@example.com
> Senior Security Analyst || phone: 508-485-7737 x254
> BindView Corporation || fax: 508-485-0737
> Dear <treaty drafters>
> We are a group of security experts who participate in the Common
> Vulnerabilities and Exposures Initiative. This project is a
> collaboration between a broad range of responsible computer security
> experts and companies to develop a common industry-wide set of
> names for the many different vulnerabilities known in computer
> systems. As such, we represent a cross-section of the technical
> community that works on computer security vulnerabilities.
> As experts, educators, and practitioners of information security,
> we wish to register our concerns about the Council of Europe draft
> treaty on Crime in Cyberspace. Portions of the proposed treaty
> may result in criminializing practices and tools commonly used in
> making computer systems resistant to attack. If signatory states
> pass legislation to implement the treaty, they will endanger the
> security of their computer systems because professionals
> will not be able to protect those systems adequately. They will
> also hinder the education of [OMIT the next generation of
> protection specialists.
> Critical to the protection of computer systems and infrastructure
> is the ability to test software for new vulnerabilitities, determine
> the presence of known vulnerabilities in existing systems, and
> exchange information about such vulnerabilities. Professionals
> and companies routinely develop, use, and share tools designed to
> exploit vulnerabilities. Commercial tools for system administrators
> and security experts include these exploit tools. Academic
> use these tools and techniques to educate students and in research to
> develop new and better defenses.
> Our experience convinces us that impossible to reliably distinguish
> between tools used in computer crime and instances of tools used
> for the legitimate purposes described above.
> Article 6 of the treat is vague with respect to issues of use,
> distribution, or possession of software that could be used to
> violate the security of computer systems. Enabling legislation
> that criminalized tools or their uses would affect practitioners,
> researchers, and teachers, and would slow the important progress
> of computer security research.
> We agree that breaking into computer systems is wrong. But, we do
> not want the treaty, and the resulting legislation, to impede
> the development and application of good security measures. We are
> strongly in favor of criminalizing inappropriate behavior, but we
> urge the Council to avoid criminalizing the development, [authorized] use,
> distribution of tools that are important to professionals -- in
> commerce, academia, and government -- who are working to prevent
> We ask that the treaty drafters specifically recognize the legitimate
> and important role that the creation and public dissemination of
> demonstration code plays in advancing the information security
> field. Moreover, we urge that appropriate laws criminalizing the
> misuse of such tools replace the ownership or creation clauses of
> the treaty.
> <name> <affiliation>
> "Organizational affiliations are listed for
> identification purposes only, and do not necessarily reflect the
> official opinion of the affiliated organization."