Re: [BOARD] Dissenting opinion on CyberCrime treaty statement
First of all, let me say that I think that the amended statement is
actually better than the older one.
Marcus is right in that there should be reasonable rules regarding
possession and publication of exploits. The current situation is
far from ideal.
But I also think the draft cybercrime treaty is unreasonable.
It's typical of the way in which police and justice departments try to
address crime: make up some crimes with a low burden of proof
so you can potentially put away lots of people rather than tackle
the crimes that actually cause damage to data. Just as with
"burglary tools", it shouldn't be possession or manufacturing that
is illegal, as those tools all have legitimate uses, but
"possession with intent"; much harder to prove.
In some cases I have dealt with, exploits are the only way of showing
people that problems are not merely theoretical but very real. I still
have to explain at times why buffer overflows are a problem
("the program will crash, so what?" "run this" "./this; #, ah, I see").
Writing exploits to document bugs is a valid thing to do. Security
experts generally do not need exploits, just a pointer to the general
area where the bug is will do; but getting past first line support
often requires one.
Another area of concern for me is exploits caught in the wild by
customers; since the treaty would allow legislation that bans possession
and distribution, customers who catch exploits in the wild are
legally no longer allowed to pass the information to us, only
to law enforcement (or even hang on to it).
If law enforcement actually cooperated with industry and sent the
security holes they come across to the vendors concerned, this wouldn't
be much of a problem. In my experience, law enforcement acts pretty
much like a black hole when it comes to any type of information. I'd
love to hear reports on law enforcement officials doing the responsible
thing and sharing exploit data with vendors. In fact, I hear
consistent rumours that the only recipients of such information are
TLAs*, and we all know what those do for a living.
When it comes to publishing, I believe that the current trend of
publishing something quickly without vendor notification is wrong,
especially in those cases where there is no workaround. Disabling a
service is not a workaround for many of our customers. But this is
probably more of a matter for civil courts.
Other distressing signs in Europe are the proposed legislation banning
anonymous email; it's an important tool for those areas where human rights
are weak, and in some cases for whistleblowers too (though they're typically
more easily tracked down by the information they know).
*) Three Letter Agency