Re: [BOARD] Dissenting opinion on CyberCrime treaty statement
First of all I'd like to thank Marcus for his thought provoking
insight. I agree with some of his concerns. However, I think it's
important to keep in mind that the purpose of this statement is to
express concern. The purpose is not to draft specific laws nor create
any specific definition of criminal or non-criminal activities. The
concept is to raise awareness. Keeping that in mind, the document is
not perfect but I think it hits the target.
SCOTT A. LAWLER, CISSP
"Steven M. Christey" wrote:
> Marcus Ranum, as the NFR representative on the Editorial Board, has
> expressed a dissenting opinion with the CyberCrime Treaty statement.
> I am posting Marcus' concerns here as a matter of record. This does
> not impact the current activities with respect to garnering support
> for the statement, as we have already decided that it is not an
> "official" Editorial Board activity.
> Since some of his concern touches on the controversial issue of full
> disclosure, I encourage any potential responders to this email to take
> care to avoid being "sidetracked" by that issue. There may be better
> forums than the Editorial Board mailing list for those sorts of
> The concern is with the following text of the statement:
> # System administrators, researchers, consultants and companies all
> # routinely develop, use, and share software designed to exercise known
> # and suspected vulnerabilities. Academic institutions use these
> # tools to educate students and in research to develop improved
> # defenses. Our combined experience suggests that it is impossible
> # to reliably distinguish software used in computer crime from that
> # used for these legitimate purposes. In fact, they are often
> # identical.
> And following is Marcus' response, extracted from various email
> discussions and approved by him:
> >The statement, as it is drafted, goes contrary to what I believe is
> >the inevitable and right progression of legislative events concerning
> >hacking/penetration test tools.
> >While it is difficult to reliably distinguish between attack tools and
> >security tools, I believe there are standards of reasonableness that
> >can, and _must_ be applied. Too many attack tools are being developed
> >and deployed, under the guise of "helping" and "education" - I believe
> >that in the long run it is not helpful and is in fact detrimental.
> >For example, nmap, by its very design, is intended to defeat certain
> >forms of security. Therefore it is not a purely legitimate tool. Some
> >may argue that it may still be useful to white hats. That may be true
> >- but there are plenty of cases where legitimate tools that may be
> >abused are restricted and regulated. I don't have a problem with that
> >in this case.
> Others have expressed concerns that if it appears that the Board as a
> whole supports this treaty statement, that it may conflict with the
> organizational opinions of some parent organizations of Board members.
> Marcus effectively agrees with this:
> >I am opposed to participating (and, by extension, NFR
> >participating...) in any action that indicates support for further
> >dissemenation, usage, teaching about, or otherwise condoning the use
> >of hacking tools and techniques.
> - Steve