
RE: v 5.4 - from Dave Mann



All,

I think the real strength of two signature sections is that a section
composed only of people by name (and as Spaf correctly notes may contain
many important yet relatively unknown names to the public) is exactly our
point -- it focuses everyone to the fact that it is a very divergent group
of talented professionals who are speaking with one voice on a troubling
technical issue.  It lets everyone know that it may be many of the
'unorthodox' behaviors they seek to outlaw that actually created a not
insignificant number of our total talent pool.  As talented professionals,
with trench time, each of us should want our own voice to stand alone.

The second section (for affiliated organizations, etc), in my thought, was
to allow companies to do the right thing and come on board -- or, as may be
the right thing for them, to stand mute and simply not add their voice.  My
only desire was to see *everyone's* voice be able to be heard -- with an
explicit desire not to let company size or position be erroneously used to
weight the 'validity' of our individual voices.

Another concern is that each person who signs with an affiliation will have
some form of approval process (I know we do), since each affiliated
organization has different people -- getting approval from each would take
too long.  I think too, it diminishes everyone's experience/knowledge vs
affiliation.  You're on the list because you're a talented professional,
you're driven by personal/technical concerns aside from your company
position, and your voice -- apart from your company position -- is what
counts.  This Treaty is just a *potentially* good idea that is terribly
executed thus far.  It's not a business issue (IMHO) or an academic issue --
it's a "they're going to criminalize many of the things we do"

I really apologize for the length of this -- I think the letter (and the
collaborative work so far) is a fantastic idea, but I think the way it's
signed can maximize our effectiveness.  I personally believe that this is
only the first of many times we'll feel compelled to raise our collective
voices on things like this -- we should use our signatures in the most
judicious way possible to maximize the sound of our collective voice going
forward...  Done right, this has the potential to catch everyone's eye and
get Governments around the world to at least start thinking about doing the
right thing.

Whatever we decide, this really has been a great collaborative effort :)

My $0.02,

Kevin



> -----Original Message-----
> From: owner-cve-editorial-board-list@lists.mitre.org
> [mailto:owner-cve-editorial-board-list@lists.mitre.org]On Behalf Of
> David LeBlanc
> Sent: Thursday, May 11, 2000 3:11 PM
> To: 'Andy Balinsky'; cve-editorial-board-list@lists.mitre.org
> Cc: Kevin J. Ziese
> Subject: RE: v 5.4 - from Dave Mann
>
>
> We could just not distinguish, and let the disclaimer apply to everyone.  In
> my case, I could get Howard Schmidt to weigh in - he's about as high up the
> operational security food chain as you can get here at MS.
>
> > -----Original Message-----
> > From: Andy Balinsky [mailto:balinsky@CISCO.COM]
> > Sent: Thursday, May 11, 2000 9:53 AM
> > To: cve-editorial-board-list@lists.mitre.org
> > Cc: Kevin J. Ziese
> > Subject: Re: v 5.4 - from Dave Mann
> >
> >
> > I agree with all the statements about quality over quantity of treaty
> > signers.  Inclusion of a public forum which includes individuals of
> > potentially questionable hat color detracts from the statement.
> >
> > That said, I'd like to comment about the statement at the end regarding
> > affiliations.  How do we disclaim those who wish NOT to speak for their
> > organizations, but still note people who are speaking FOR their entire
> > organization.  For e.g., if Kevin and I speak for ourselves, and David
> > speaks for the entire Microsoft hegemony, (or vice versa, since Cisco is a
> > Fortune 4 company, too) how do we indicate that, without having to put Steve
> > Ballmer, CEO as the signatory.
> >
> > Kevin Ziese and I propose the following
> >
> > Two signatory columns, one for individuals, one for organizations.  If you
> > and your org agree, you can show up in both columns.  This has several
> > advantages:
> > 1) It allows people to sign on independent of their org's approval.
> > 2) It allows us to demonstrate approval from official bodies (like companies
> > and universities)
> > 3) It allows a company who won't give approval to be conspicuously absent
> > from the organization column, even though Joe Scientist, working for that
> > company has signed the letter in the other column.
> >
> > Andy
> >
> > ----- Original Message -----
> > From: "Dave Mann" <dmann@BINDVIEW.COM>
> > To: <cve-editorial-board-list@lists.mitre.org>
> > Sent: Thursday, May 11, 2000 10:14 AM
> > Subject: v 5.4 - from Dave Mann
> >
> >
> > > Tinkering with Spaf's last version.
> > >
> > > Changes include:
> > > * Word count driven down to 368 (I tried to retain meaning)
> > >   - In particular, note the hack job I did on paragraphs 2 and 5
> > > * Attempted to strengthen a few passages
> > >   - Replaced "register our opinions" with "register our misgivings"
> > >     in lead sentence
> > >   - Replaced "computer users... may not be able to adequately protect"
> > >     with "computer users... will not be able to adequately protect"
> > >     in second paragraph
> > > * Added (undue?) influence of marketing "add speak" by
> > >   - shortening/breaking apart sentences and paragraphs
> > >   - adding bullets to add emphasis
> > >
> > > I am super impressed with all of the work that took place
> > > since I left work last night.   In my (not so) humble opinion, I
> > > think this is looking really, really good and I would consider
> > > it very close to final.  My only suggestion at improving it would
> > > be to drive the word count down further.
> > >
> > > 'best,
> > >
> > > Dave
> > >
> > > --
> > > ==============================================================
> > > Dave Mann                ||   e-mail:  dmann@bos.bindview.com
> > > Senior Security Analyst  ||    phone:  508-485-7737   x254
> > > BindView Corporation     ||      fax:  508-485-0737
> > > ==============================================================
> > >
> > >
> > > Greetings:
> > >
> > > As leading security practitioners, educators, vendors, and users of
> > > information security, we wish to register our misgivings about the
> > > Council of Europe draft treaty on Crime in Cyberspace.
> > >
> > > We are concerned that portions of the proposed treaty may result in
> > > criminalizing techniques and software commonly used to make computer
> > > systems resistant to attack.  Signatory states passing legislation to
> > > implement the treaty may endanger the security of their computer
> > > systems since computer users in those countries will not be able to
> > > adequately protect their computer systems and the education of
> > > information protection specialists may be hindered.
> > >
> > > Critical to the protection of computer systems and infrastructure is
> > > the ability to
> > > * Test software for weaknesses
> > > * Verify the presence of defects in computer systems
> > > * Exchange vulnerability information
> > >
> > > System administrators, researchers, consultants and companies all
> > > routinely develop, use, and share software designed to exercise known
> > > and suspected vulnerabilities.  Academic institutions use these
> > > tools to educate students and in research to develop improved
> > > defenses.  Our combined experience suggests that it is impossible
> > > to reliably distinguish software used in computer crime from that
> > > used for these legitimate purposes.  In fact, they are often
> > > identical.
> > >
> > > Currently, article 6 of the draft treaty is vague regarding the use,
> > > distribution, and possession of software that could be used to
> > > violate the security of computer systems.  We agree that damaging or
> > > breaking into computer systems is wrong and we unequivocally support
> > > laws against such inappropriate behavior.  We affirm that a goal of the
> > > treaty and resulting legislation should be to permit the development
> > > and application of good security measures.  However, legislation that
> > > criminalizes security software development, distribution and use
> > > is counter to that goal, since it would adversely impact security
> > > practitioners, researchers, and educators.
> > >
> > > Therefore, we respectfully request that the treaty drafters remove
> > > section a.1 from article 6, and modify section b accordingly; the
> > > articles on computer intrusion and damage (viz., articles 1-5) are
> > > already sufficient to proscribe any improper use of security-related
> > > software or information.
> > >
> > > Please do not hesitate to call on us for technical advice in your
> > > future deliberations.
> > >
> > > Signed,
> > >
> > > <name>
> > > <title>
> > > <affiliation>
> > >
> > >
> > > "Organizational affiliations are listed for identification purposes
> > > only, and do not necessarily reflect the official opinion of the
> > > affiliated organization."
> > >
> >
>
>

Page Last Updated or Reviewed: May 22, 2007