[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Cybercrime treaty



It appears that the draft text can be found at
http://www.politechbot.com/docs/treaty.html .  The text in Article 6
prohibits "a device, including a computer program, designed or adapted
[specifically] [primarily] [particularly] for the purpose of
committing any of the offences established in accordance with Article
2," which defines illegal access.

>(with Steve's permission), we'd like to get the view of the other
>board members on this issue, and ask if we can produce a joint
>statement deploring the unethical use of exploit code, but drawing
>attention to its many legitamate uses for information sharing.

I think it is reasonable to discuss this issue in this forum, as it
clearly applies to information sharing and could have an impact on
CVE.  For example, sometimes we need to determine if two bugs are
really the same.  When bugs look similar, looking at the related
exploits can answer this question.  This could then determine how many
entries wind up in CVE.

Some CVE candidates have been proposed without many technical details.
I believe that Scott and Mike Prosser have voted to REJECT or at least
REVIEW such candidates due to lack of information, even in cases where
the vendor has confirmed the problem with an advisory.  I haven't yet
named the content decision that will address this :-) but some samples
are below.

Adam and Scott, are you asking the Editorial Board to make a statement
as an entity, or are you asking individuals to join with you?  I
believe that some Board members may disagree (either in their own
position or their company's), so it may be difficult to get consensus
on a statement from the entire Board.

>Imagine how hard it will be to verify the existance of a vulnerability
>in Windows without exploit code.  Now, there are clearly problems with
>script kiddies that need to be addressed in some way.

I've seen some remote buffer overflow exploits that assume that a
small program has already been created on the target machine, which
could conceivably allow admins to test their own systems, and
researchers to analyze the nature of the vulnerability, without giving
script kiddies a free shell.  The question is, would this sort of
"exploit" be prohibited under Articles 6 and 2?

- Steve

Page Last Updated or Reviewed: May 22, 2007