[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Cybercrime treaty

Hash: SHA1

I'd suggest replacing the word "chill" with "limit" or "impede".

- - Jim

> -----Original Message-----
> From: Stuart Staniford [mailto:stuart@SILICONDEFENSE.COM]
> Sent: Monday, May 08, 2000 10:01 AM
> To: Steven M. Christey
> Cc: cve-editorial-board-list@lists.mitre.org
> Subject: Re: Cybercrime treaty
> "Steven M. Christey" wrote:
> > Nobody has sent any objections to me yet, and I did bring this
> > issue up to a few Board members who I thought might have concerns
> > (one is looking at it, the other hasn't responded).  It may be
> > that making a general statement such as "this item is too vague,
> > and here's why" could be agreed to by contributing members, and
> > benign enough that NOOP's may not mind.
> Here's some quick text that I would like, and that it doesn't
> seem to me
> treads on the toes of the objections that have been raised so far.
> Dear <treaty drafters>
> We the undersigned are <a majority, all, ..> of the board of
> the Common
> Vulnerabilities and Exposures project.  This project is a
> collaborative
> project by a range of responsible computer security companies and
> experts to develop a common industry-wide set of names for the many
> different vulnerabilities known in computer systems [1].  As such,
> we represent a cross-section of the technical community which works
> on computer security vulnerabilities.
> <Treaty> has recently come to our attention, and we have some
> concerns about it, specifically Article 6.  We note that it is
> critically important for computer security professionals to be able
> to test software looking for new vulnerabilitities, determine the
> presence of known vulnerabilities in existing systems, and exchange
> information about such vulnerabilities with each other.  Therefore,
> most professionals and companies in this field routinely develop,
> use, and share scripts and programs designed to exploit
> vulnerabilities.  It is technically very difficult or impossible to
> distinguish the tools used for this purpose from the tools used by
> computer criminals to commit unauthorized break-ins.
> We are concerned that Article 6 may prevent, or at least chill,
> such responsible development and use of exploit tools.  We ask that
> the treaty be reworded such that this is clearly allowed.
> If, instead, the treaty is used to ban any use of exploit
> tools, we fear
> that this will be very counter-productive.  Since computer
> criminals are
> currently largely beyond the reach of effective law enforcement,
> they will not be much impacted by new laws banning their tools.
> However, since legitimate companies and professionals will follow
> any laws that are put in place as a result of this treaty, our
> ability to  do our jobs will be severely compromised.
> If we can be of further help in drafting appropriate language,
> please contact us via <Steve>.
> <Signatures>
> [1] <More about CVE>
> --
> Stuart Staniford  ---  President  ---  Silicon Defense
>                    stuart@silicondefense.com
> (707) 445-4355                     (707) 445-4222 (FAX)

Version: PGP 6.5.1
Comment: Crypto Provided by Network Associates <http://www.nai.com>


Page Last Updated or Reviewed: May 22, 2007