
RE: Cybercrime treaty

Problems with the Treaty:


Articles 2 - 5 all state or imply intent.

A system designed to map out routers, such as WSPing, would be "designed or
adapted [specifically] [primarily] [particularly] for the purpose of"..."the
access to the whole or any part of a computer system". This runs afoul of
Article 2.

A system designed to collect usage information on a copyright data object
would be "designed or adapted [specifically] [primarily] [particularly] for
the purpose of" collecting "non-public transmissions of computer data." This
runs afoul of Article 3.

A system designed to obscure a data object (in the interest of privacy)
would be "designed or adapted [specifically] [primarily] [particularly] for
the purpose of"..."alteration"..."of computer data." In a situation where a
browser's origin is being "altered" such that a web site cannot accurately
determine its true origin, this would run afoul of Article 4.

A system designed to stress test a web server to determine the load it can
carry would be "designed or adapted [specifically] [primarily]
[particularly] for the purpose of" the "serious hindering"..."the
functioning of a computer system by inputting, [transmitting,] damaging,
deleting, deteriorating, altering or suppressing computer data." This runs
afoul of Article 5.

Of course, each of the articles uses the term "without right" to qualify the
actions they describe.

If, in Article 6, they hope to make it illegal to create programs which
might run afoul of Articles 2 - 5, then they must accept that determination
of a given program's status (aX1, aX2) is going to be on the basis of whether
or not said program can demonstrate any "rightful" purpose. If a program can
be demonstrated as having a rightful use, then it could not be considered
under (aX1, aX2).

So, if I wrote a program and hard-coded it to attack Amazon.com, then
distributed it to any and all, it might be deemed as being in violation of
Article 6. If, however, I wrote the same program and forced the target
address to be entered by the person(s) running that program, it could be
argued it was designed to test your own systems (regardless of whether or
not I provided you with Amazon's IP address as an example address).

cDc have long argued (correctly IMO) that BO/BO2K have a "rightful" purpose.

Any demonstration code (binaries or source, snippet or fully implemented)
can easily be explained as having a "rightful" purpose if we accept the
notion that anyone may wish to test their own systems to determine whether
or not they're vulnerable or the severity of a given vulnerability within
their environment.

Take the example of the EICAR test file for Anti-virus programs. While
harmless in and of itself, it can trigger an organization into motion. I had
someone use it once as a signature on a message I sent through to NTBugtraq.
The result, for me, was more than 1000 responses from subscribers claiming I
sent through a message with a virus in it. Such actions might, in some AV
products, cause NTBugtraq to be put onto a black list (temporarily or
permanently), or cause other undesired actions.

Point is, the EICAR test file is an accepted "virus" used to test AV
programs. It has no point in life other than to trigger AV programs into

Microsoft Internet Explorer has a feature which permits you to schedule the
regular check for updates on a given Web Page/Site. It's able to check all
pages on a site if configured as such, and by using more than one of these
schedules you could effectively check the entire site every minute of every
day. The result of such a configuration could run afoul of Article 5, making
IE deemed illegal under Article 6.

Since it's highly unlikely many programs will be found not to have "rightful"
purposes, it would make sense to redefine Article 6 to better articulate
"without right", or intent, in the interest of guiding signatory States to
form effective laws.

Russ - NTBugtraq Editor and purveyor of Cyber-crime Treaty Article 6
prohibited "data objects".

Page Last Updated or Reviewed: May 22, 2007