
Re: Cybercrime treaty



Russ,

	Please note that this is treaty language, which will be used
to justify the creation of local laws.  I'd like to suggest that the
least the board should do is to work to ensure that the language
unambiguously supports your interpretation, not the more pessimistic
reading which I give the treaty.  That will lead to fewer bad laws
being created.

	I personally believe that such language is counter-productive
however well it's worded, because it will tend to chill speech, and
drive communication underground.  If a tool is created without rights
(à la your Amazon attack tool), I still want to be able to see it and
discuss any new techniques or trends which it demonstrates.  The good
guys are already at enough of a disadvantage; we don't need to see the
underground driven back to silence by fear.


Adam

On Thu, May 04, 2000 at 01:45:00PM -0400, Russ wrote:
| Problems with the Treaty:
|
| http://conventions.coe.int/treaty/en/projets/cybercrime.htm
|
| Articles 2 - 5 all state or imply intent.
|
| A system designed to map out routers, such as WSPing, would be "designed or
| adapted [specifically] [primarily] [particularly] for the purpose of"..."the
| access to the whole or any part of a computer system". This runs afoul of
| Article 2.
|
| A system designed to collect usage information on a copyright data object
| would be "designed or adapted [specifically] [primarily] [particularly] for
| the purpose of" collecting "non-public transmissions of computer data." This
| runs afoul of Article 3.
|
| A system designed to obscure a data object (in the interest of privacy)
| would be "designed or adapted [specifically] [primarily] [particularly] for
| the purpose of"..."alteration"..."of computer data." In a situation where a
| browser's origin is being "altered" such that a web site cannot accurately
| determine its true origin, this would run afoul of Article 4.
|
| A system designed to stress test a web server to determine the load it can
| carry would be "designed or adapted [specifically] [primarily]
| [particularly] for the purpose of" the "serious hindering"..."the
| functioning of a computer system by inputting, [transmitting,] damaging,
| deleting, deteriorating, altering or suppressing computer data." This runs
| afoul of Article 5.
|
| Of course each of the articles uses the term "without right" to qualify the
| actions they describe.
|
| If, in Article 6, they hope to make it illegal to create programs which
| might run afoul of Articles 2 - 5, then they must accept that determination
| of a given program's status (aX1, aX2) is going to be on the basis of whether
| or not said program can demonstrate any "rightful" purpose. If a program can
| be demonstrated as having a rightful use, then it could not be considered
| under (aX1, aX2).
|
| So, if I wrote a program and hard-coded it to attack Amazon.com, then
| distributed it to any and all, it might be deemed as being in violation of
| Article 6. If, however, I wrote the same program and forced the target
| address to be entered by the person(s) running that program, it could be
| argued it was designed to test your own systems (regardless of whether or
| not I provided you with Amazon's IP address as an example address).
|
| cDc have long argued (correctly IMO) that BO/BO2K have a "rightful" purpose.
|
| Any demonstration code (binaries or source, snippet or fully implemented)
| can easily be explained as having a "rightful" purpose if we accept the
| notion that anyone may wish to test their own systems to determine whether
| or not they're vulnerable or the severity of a given vulnerability within
| their environment.
|
| Take the example of the EICAR test file for Anti-virus programs. While
| harmless in and of itself, it can trigger an organization into motion. I had
| someone use it once as a signature on a message I sent through to NTBugtraq.
| The result, for me, was more than 1000 responses from subscribers claiming I
| sent through a message with a virus in it. Such actions might, in some AV
| products, cause NTBugtraq to be put onto a black list (temporarily or
| permanently), or cause other undesired actions.
|
| Point is, the EICAR test file is an accepted "virus" used to test AV
| programs. It has no point in life other than to trigger AV programs into
| action.
|
| Microsoft Internet Explorer has a feature which permits you to schedule the
| regular check for updates on a given Web Page/Site. It's able to check all
| pages on a site if configured as such, and by using more than one of these
| schedules you could effectively check the entire site every minute of every
| day. The result of such a configuration could run afoul of Article 5, making
| IE deemed illegal under Article 6.
|
| Since it's highly unlikely many programs will be found not to have "rightful"
| purposes, it would make sense to redefine Article 6 to better articulate
| "without right", or intent, in the interest of guiding signatory States to
| form effective laws.
|
| Cheers,
| Russ - NTBugtraq Editor and purveyor of Cyber-crime Treaty Article 6
| prohibited "data objects".

--
"It is seldom that liberty of any kind is lost all at once."
					               -Hume

Page Last Updated or Reviewed: May 22, 2007