RE: [BOARD] Dissenting opinion on CyberCrime treaty statement
Although I do not completely agree with Marcus, I do agree with some of what
he posted, and feel like his concerns should have been brought up earlier.
There are portions of the statement that I, for one, might have wanted to
amend. I don't know that we could have reached consensus, but we should
have considered his input when creating the draft.
> -----Original Message-----
> From: Steven M. Christey [mailto:coley@LINUS.MITRE.ORG]
> Sent: Wednesday, June 07, 2000 6:58 PM
> To: firstname.lastname@example.org
> Subject: [BOARD] Dissenting opinion on CyberCrime treaty statement
> Marcus Ranum, as the NFR representative on the Editorial Board, has
> expressed a dissenting opinion with the CyberCrime Treaty statement.
> I am posting Marcus' concerns here as a matter of record. This does
> not impact the current activities with respect to garnering support
> for the statement, as we have already decided that it is not an
> "official" Editorial Board activity.
> Since some of his concern touches on the controversial issue of full
> disclosure, I encourage any potential responders to this email to take
> care to avoid being "sidetracked" by that issue. There may be better
> forums than the Editorial Board mailing list for those sorts of
> The concern is with the following text of the statement:
> # System administrators, researchers, consultants and companies all
> # routinely develop, use, and share software designed to
> exercise known
> # and suspected vulnerabilities. Academic institutions use these
> # tools to educate students and in research to develop improved
> # defenses. Our combined experience suggests that it is impossible
> # to reliably distinguish software used in computer crime from that
> # used for these legitimate purposes. In fact, they are often
> # identical.
> And following is Marcus' response, extracted from various email
> discussions and approved by him:
> >The statement, as it is drafted, goes contrary to what I believe is
> >the inevitable and right progression of legislative events concerning
> >hacking/penetration test tools.
> >While it is difficult to reliably distinguish between attack
> tools and
> >security tools, I believe there are standards of reasonableness that
> >can, and _must_ be applied. Too many attack tools are being
> >and deployed, under the guise of "helping" and "education" -
> I believe
> >that in the long run it is not helpful and is in fact detrimental.
> >For example, nmap, by its very design, is intended to defeat certain
> >forms of security. Therefore it is not a purely legitimate
> tool. Some
> >may argue that it may still be useful to white hats. That may be true
> >- but there are plenty of cases where legitimate tools that may be
> >abused are restricted and regulated. I don't have a problem with that
> >in this case.
> Others have expressed concerns that if it appears that the Board as a
> whole supports this treaty statement, that it may conflict with the
> organizational opinions of some parent organizations of Board members.
> Marcus effectively agrees with this:
> >I am opposed to participating (and, by extension, NFR
> >participating...) in any action that indicates support for further
> >dissemenation, usage, teaching about, or otherwise condoning the use
> >of hacking tools and techniques.
> - Steve