RE: FINAL version of CyberCrime Treaty statement - ready for signatures
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ken Armstrong, Senior Network Security Engineer EWA-Canada / CanCERT

| -----Original Message-----
| From: owner-cve-editorial-board-list@lists.mitre.org
| [mailto:owner-cve-editorial-board-list@lists.mitre.org]On Behalf Of
| Steven M. Christey
| Sent: Tuesday, May 16, 2000 4:44 PM
| To: cve-editorial-board-list@lists.mitre.org
| Cc: gjg@MITRE.ORG; ptasker@MITRE.ORG
| Subject: FINAL version of CyberCrime Treaty statement - ready for
| signatures
|
|
| All,
|
| The final version of the CyberCrime treaty statement is ready for your
| signature.
|
| Editorial Board members from 26 different organizations have voted to
| ACCEPT the statement, and expect to endorse it as individuals or as
| official representatives of their companies. There are 28
| organizations on the Board at this time, so this clearly satisfies any
| "quorum" requirement.
|
| I made two small grammatical changes based on comments by Andre Frech
| and Jim Magdych, which means that I added three commas. No other
| changes were made. The final text is below.
|
| At MITRE, Gary Gagnon (a director in our Security and Information
| Operations division) is working on a strategy for conducting the
| outreach. I expect that we will have a concrete approach, including a
| coordinator, in the next day or so.
|
| The next step is to gather the signatures from Editorial Board members
| so that we have a unified statement for the outreach. I will gather
| the signatures for this initial effort.
|
| Some Board members have expressed concerns that even if they sign as
| an individual and we include a disclaimer, that listing their company
| affiliation may cause careless readers to believe that the member is
| representing an official position. To address this, I propose the
| following convention:
|
| - If you're representing an official position for your company,
|   include your title and the phrase "Representing XYZ Corporation"
|   as part of your signature
|
| - If you're signing as an individual, you have the option to include
|   your organization or not; if not, your title and/or role in the
|   community is encouraged. Consider that your title may further
|   reinforce the fact that you don't speak for your organization.
|
| The "Representing" tag will reinforce who's making an official
| organizational statement and who isn't. The disclaimer has been
| adapted as follows:
|
|   This statement represents the professional opinion of each
|   individual signer. Unless stated otherwise, it may not represent
|   the official position of the signer's parent organization.
|
| Finally, because Adam Shostack and Scott Blake introduced this issue
| to the Board, I suggest that their signatures should be listed first.
|
| Thanks to everyone for the incredible level of participation in this
| effort. It's been a busy but rewarding experience. I look forward to
| collecting your signatures as we move into the next phase.
|
| - Steve
|
|
| ************** FINAL TEXT of CyberCrime Treaty Statement
| **************
|
| Greetings:
|
| As leading security practitioners, educators, vendors, and users of
| information security, we wish to register our misgivings about the
| Council of Europe draft treaty on Crime in Cyberspace.
|
| We are concerned that portions of the proposed treaty may result in
| criminalizing techniques and software commonly used to make computer
| systems resistant to attack. Signatory states passing legislation to
| implement the treaty may endanger the security of their computer
| systems, because computer users in those countries will not be able to
| adequately protect their computer systems and the education of
| information protection specialists will be hindered.
|
| Critical to the protection of computer systems and infrastructure is
| the ability to
| * Test software for weaknesses
| * Verify the presence of defects in computer systems
| * Exchange vulnerability information
|
| System administrators, researchers, consultants, and companies all
| routinely develop, use, and share software designed to exercise known
| and suspected vulnerabilities. Academic institutions use these tools
| to educate students and in research to develop improved defenses. Our
| combined experience suggests that it is impossible to reliably
| distinguish software used in computer crime from that used for these
| legitimate purposes. In fact, they are often identical.
|
| Currently, article 6 of the draft treaty is vague regarding the use,
| distribution, and possession of software that could be used to violate
| the security of computer systems. We agree that damaging or breaking
| into computer systems is wrong and we unequivocally support laws
| against such inappropriate behavior. We affirm that a goal of the
| treaty and resulting legislation should be to permit the development
| and application of good security measures. However, legislation that
| criminalizes security software development, distribution, and use is
| counter to that goal, as it would adversely impact security
| practitioners, researchers, and educators.
|
| Therefore, we respectfully request that the treaty drafters remove
| section a.1 from article 6, and modify section b accordingly; the
| articles on computer intrusion and damage (viz., articles 1-5) are
| already sufficient to proscribe any improper use of security-related
| software or information.
|
| Please do not hesitate to call on us for technical advice in your
| future deliberations.
|
| ----------------------------------------------------------------------
|
| This statement represents the professional opinion of each individual
| signer. Unless stated otherwise, it may not represent the official
| position of the signer's parent organization.
|
|
| [Scott Blake and Adam Shostack signatures here]
|
| -- corporate signers: examples --
|
| Jane Doe
| CTO
| Representing Big_Corporation_ABC
|
| Ralph Kramden
| Community-Based Transportation Technician
| Representing Small_Business_DEF
|
| -- individual signers: examples --
|
| David LeBlanc, Ph.D.
| Microsoft Information Security
|
| Steve Christey
| Lead Information Systems Engineer The MITRE Corporation

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOSKNlXfba3jWxdCmEQK7EwCdGPfYbaYMW5v5I3SYNEVL5EiXx84An2sN
RFi/BxfjvF7iWCw2ZMbg5Z5B
=KKNb
-----END PGP SIGNATURE-----