[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: 5th Draft - CyberCrime Treaty Statement - 5.01

very minor changes in [] - one striking out "next generation", since even
older security professionals need education, and another adding the word
'authorized' in the next to last paragraph for emphasis.

> -----Original Message-----
> From: Dave Mann [mailto:dmann@BINDVIEW.COM]
> Sent: Wednesday, May 10, 2000 1:41 PM
> To: cve-editorial-board-list@lists.mitre.org
> Subject: 5th Draft - CyberCrime Treaty Statement
> Below is the 5th version and the last that I can handle today.
> This version was produced by Matt Bishop.  Mostly just
> wordsmithing to shorten and clarify several points.
> IMO, I think it stand further shortening but I don't have
> time left today to devote to it.
> Could others also continue to place version numbers on
> their edits so that we can track the changes?
> Thanks!
> Dave
> --
> ==============================================================
> Dave Mann                ||   e-mail:  dmann@bos.bindview.com
> Senior Security Analyst  ||    phone:  508-485-7737   x254
> BindView Corporation     ||      fax:  508-485-0737
> ==============================================================
> Dear <treaty drafters>
> We are a group of security experts who participate in the Common
> Vulnerabilities and Exposures Initiative.  This project is a
> collaboration between a broad range of responsible computer security
> experts and companies to develop a common industry-wide set of
> names for the many different vulnerabilities known in computer
> systems.  As such, we represent a cross-section of the technical
> community that works on computer security vulnerabilities.
> As experts, educators, and practitioners of information security,
> we wish to register our concerns about the Council of Europe draft
> treaty on Crime in Cyberspace.  Portions of the proposed treaty
> may result in criminializing practices and tools commonly used in
> making computer systems resistant to attack.  If signatory states
> pass legislation to implement the treaty, they will endanger the
> security of their computer systems because professionals
> will not be able to protect those systems adequately. They will
> also hinder the education of [OMIT the next generation of
> protection specialists.
> Critical to the protection of computer systems and infrastructure
> is the ability to test software for new vulnerabilitities, determine
> the presence of known vulnerabilities in existing systems, and
> exchange information about such vulnerabilities.  Professionals
> and companies routinely develop, use, and share tools designed to
> exploit vulnerabilities. Commercial tools for system administrators
> and security experts include these exploit tools.  Academic
> institutions
> use these tools and techniques to educate students and in research to
> develop new and better defenses.
> Our experience convinces us that impossible to reliably distinguish
> between tools used in computer crime and instances of tools used
> for the legitimate purposes described above.
> Article 6 of the treat is vague with respect to issues of use,
> distribution, or possession of software that could be used to
> violate the security of computer systems.  Enabling legislation
> that criminalized tools or their uses would affect practitioners,
> researchers, and teachers, and would slow the important progress
> of computer security research.
> We agree that breaking into computer systems is wrong.  But, we do
> not want the treaty, and the resulting legislation, to impede
> the development and application of good security measures.  We are
> strongly in favor of criminalizing inappropriate behavior, but we
> urge the Council to avoid criminalizing the development, [authorized] use,
> distribution of tools that are important to professionals -- in
> commerce, academia, and government --  who are working to prevent
> misuse.
> We ask that the treaty drafters specifically recognize the legitimate
> and important role that the creation and public dissemination of
> demonstration code plays in advancing the information security
> field.  Moreover, we urge that appropriate laws criminalizing the
> misuse of such tools replace the ownership or creation clauses of
> the treaty.
> Signed,
> <name> <affiliation>
> "Organizational affiliations are listed for
> identification purposes only, and do not necessarily reflect the
> official opinion of the affiliated organization."

Page Last Updated or Reviewed: May 22, 2007