[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Cybercrime treaty

"Steven M. Christey" wrote:

> Nobody has sent any objections to me yet, and I did bring this issue
> up to a few Board members who I thought might have concerns (one is
> looking at it, the other hasn't responded).  It may be that making a
> general statement such as "this item is too vague, and here's why"
> could be agreed to by contributing members, and benign enough that
> NOOP's may not mind.

Here's some quick text that I would like, and that it doesn't seem to me
treads on the toes of the objections that have been raised so far.

Dear <treaty drafters>

We the undersigned are <a majority, all, ..> of the board of the Common
Vulnerabilities and Exposures project.  This project is a collaborative
project by a range of responsible computer security companies and
experts to develop a common industry-wide set of names for the many
different vulnerabilities known in computer systems [1].  As such, we
represent a cross-section of the technical community which works on
computer security vulnerabilities.

<Treaty> has recently come to our attention, and we have some concerns
about it, specifically Article 6.  We note that it is critically
important for computer security professionals to be able to test
software looking for new vulnerabilitities, determine the presence of
known vulnerabilities in existing systems, and exchange information
about such vulnerabilities with each other.  Therefore, most
professionals and companies in this field routinely develop, use, and
share scripts and programs designed to exploit vulnerabilities.  It is
technically very difficult or impossible to distinguish the tools used
for this purpose from the tools used by computer criminals to commit
unauthorized break-ins.

We are concerned that Article 6 may prevent, or at least chill, such
responsible development and use of exploit tools.  We ask that the
treaty be reworded such that this is clearly allowed.

If, instead, the treaty is used to ban any use of exploit tools, we fear
that this will be very counter-productive.  Since computer criminals are
currently largely beyond the reach of effective law enforcement, they
will not be much impacted by new laws banning their tools.  However,
since legitimate companies and professionals will follow any laws that
are put in place as a result of this treaty, our ability to do our jobs
will be severely compromised.

If we can be of further help in drafting appropriate language, please
contact us via <Steve>.


[1] <More about CVE>

Stuart Staniford  ---  President  ---  Silicon Defense
(707) 445-4355                     (707) 445-4222 (FAX)

Page Last Updated or Reviewed: May 22, 2007