RE: v 5.4 - from Dave Mann
I really like what members of this group have put together so quickly and
have just some quick comments I would like to place before the board
As I said in an earlier message, I have been keeping Ron Moritz, our CTO, in
sync with where we (CVE) stand and he has reviewed the Draft Treaty. He has
also exchanged email with Howard Schmidt (MS) concerning carrying the CVE
position to G8. It seems Howard won't be able to attend G8 as originally
planned so Ron has indicated he will be happy to present the CVE position
during the G8 open discussion session and share the G8 viewpoint on the
Treaty with us.
I would like a feel for whether we could hold off on a final signing and
release of the CVE letter until Ron can present our concerns and get some
feedback from G8 members. I will sign as myself, an employee of Symantec
and a concerned professional, but I like the thought of Mike Prosser and
Symantec the company both signing on.
Enterprise Solutions Division
(210) 344-3200 x113
(210) 344-4700 Fax
From: David LeBlanc [mailto:firstname.lastname@example.org]
Sent: Thursday, May 11, 2000 3:11 PM
To: 'Andy Balinsky'; email@example.com
Cc: Kevin J. Ziese
Subject: RE: v 5.4 - from Dave Mann
We could just not distinguish, and let the disclaimer apply to everyone. In
my case, I could get Howard Schmidt to weigh in - he's about as high up the
operational security food chain as you can get here at MS.
> -----Original Message-----
> From: Andy Balinsky [mailto:balinsky@CISCO.COM]
> Sent: Thursday, May 11, 2000 9:53 AM
> To: firstname.lastname@example.org
> Cc: Kevin J. Ziese
> Subject: Re: v 5.4 - from Dave Mann
> I agree with all the statements about quality over quantity of treaty
> signers. Inclusion of a public forum which includes individuals of
> potentially questionable hat color detracts from the statement.
> That said, I'd like to comment about the statement at the end
> affiliations. How do we disclaim those who wish NOT to speak
> for their
> organizations, but still note people who are speaking FOR their entire
> organization. For e.g., if Kevin and I speak for ourselves, and David
> speaks for the entire Microsoft hegemony, (or vice versa,
> since Cisco is a
> Fortune 4 company, too) how do we indicate that, without
> having to put Steve
> Ballmer, CEO as the signatory.
> Kevin Ziese and I propose the following
> Two signatory columns, one for individuals, one for
> organizations. If you
> and your org agree, you can show up in both columns. This has several
> 1) It allows people to sign on independent of their org's approval.
> 2) It allows us to demonstrate approval from official bodies
> (like companies
> and universities)
> 3) It allows a company who won't give approval to be
> conspicuously absent
> from the organization column, even though Joe Scientist,
> working for that
> company has signed the letter in the other column.
> ----- Original Message -----
> From: "Dave Mann" <dmann@BINDVIEW.COM>
> To: <email@example.com>
> Sent: Thursday, May 11, 2000 10:14 AM
> Subject: v 5.4 - from Dave Mann
> > Tinkering with Spaf's last version.
> > Changes include:
> > * Word count driven down to 368 (I tried to retain meaning)
> > - In particular, note the hack job I did on paragraphs 2 and 5
> > * Attempted to strengthen some a few passages
> > - Replaced "register our opinions" with "register our misgivings"
> > in lead sentence
> > - Replaced "computer users... may not be able to
> adequately protect"
> > with "computer users... will not be able to adequately protect"
> > in second paragraph
> > * Added (undue?) influence of marketing "add speak" by
> > - shortening/breaking apart sentences and paragraphs
> > - adding bullets to add emphasis
> > I am super impressed with all of the work that took place
> > since I left work last night. In my (not so) humble opinion, I
> > think this is looking really, really good and I would consider
> > it very close to final. My only suggestion at improving it would
> > be to drive the word count down further.
> > 'best,
> > Dave
> > --
> > ==============================================================
> > Dave Mann || e-mail: firstname.lastname@example.org
> > Senior Security Analyst || phone: 508-485-7737 x254
> > BindView Corporation || fax: 508-485-0737
> > ==============================================================
> > Greetings:
> > As leading security practitioners, educators, vendors, and users of
> > information security, we wish to register our misgivings about the
> > Council of Europe draft treaty on Crime in Cyberspace.
> > We are concerned that portions of the proposed treaty may result in
> > criminalizing techniques and software commonly used to make computer
> > systems resistant to attack. Signatory states passing
> legislation to
> > implement the treaty may endanger the security of their computer
> > systems since computer users in those countries will not be able to
> > adequately protect their computer systems and the education of
> > information protection specialists may be hindered.
> > Critical to the protection of computer systems and infrastructure is
> > the ability to
> > * Test software for weaknesses
> > * Verify the presence of defects in computer systems
> > * Exchange vulnerability information
> > System administrators, researchers, consultants and companies all
> > routinely develop, use, and share software designed to
> exercise known
> > and suspected vulnerabilities. Academic institutions use these
> > tools to educate students and in research to develop improved
> > defenses. Our combined experience suggests that it is impossible
> > to reliably distinguish software used in computer crime from that
> > used for these legitimate purposes. In fact, they are often
> > identical.
> > Currently, article 6 of the draft treaty is vague regarding the use,
> > distribution, and possession of software that could be used to
> > violate the security of computer systems. We agree that damaging or
> > breaking into computer systems is wrong and we unequivocally support
> > laws against such inappropriate behavior. We affirm that a
> goal of the
> > treaty and resulting legislation should be to permit the
> > and application of good security measures. However,
> legislation that
> > criminalizes security software development, distribution and use
> > is counter to that goal, since it would adversely impact security
> > practitioners, researchers, and educators.
> > Therefore, we respectfully request that the treaty drafters remove
> > section a.1 from article 6, and modify section b accordingly; the
> > articles on computer intrusion and damage (viz., articles 1-5) are
> > already sufficient to proscribe any improper use of security-related
> > software or information.
> > Please do not hesitate to call on us for technical advice in your
> > future deliberations.
> > Signed,
> > <name>
> > <title>
> > <affiliation>
> > "Organizational affiliations are listed for identification purposes
> > only, and do not necessarily reflect the official opinion of the
> > affiliated organization."