[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: v 5.2 (from Stuart) Reformatted

Um, "open-source" and "commercial" aren't necessarily mutually exclusive
terms...  You might want to say "freeware", or something like:

"Corporations and individuals routinely develop, use, and share software
designed to exploit vulnerabilities.  Various tools for system
administrators and security experts (both commercially and freely available)
include software that exploits vulnerabilities."

- Jim

> -----Original Message-----
> From: Stuart Staniford [mailto:stuart@SILICONDEFENSE.COM]
> Sent: Wednesday, May 10, 2000 3:27 PM
> To: cve-editorial-board-list@lists.mitre.org
> Subject: v 5.2 (from Stuart) Reformatted
> Ugh - here it is after resetting Netscape's word wrap wider
> Andre's last is great.  This is my best experience ever of
> collaborative
> writing.
> Here's another version with very minor wordsmithing to remove a couple
> of grammatical infelicities.  Only substantial changes are:
> * add "and open-source" after "commercial" in re software.
> Dear <treaty drafters>:
> As experts, educators, and practitioners of information
> security, we wish to
> register our concerns about the Council of Europe draft
> treaty on Crime
> in Cyberspace.  Portions of the proposed treaty may result in
> criminalizing
> techniques and software commonly used to make computer
> systems resistant
> to attack.  Signatory states passing legislation to implement
> the treaty
> endanger the security of their computer systems.
> Professionals will not
> be able to adequately protect computer systems, and education
> of the next
> generation of information protection specialists will be hindered.
> Critical to the protection of computer systems and
> infrastructure is the
> ability to test software for vulnerabilities, verify the presence of
> vulnerabilities in existing systems, and exchange vulnerability
> information.  Professionals and companies routinely develop,
> use, and share
> software designed to exploit vulnerabilities. Commercial and
> open-source tools
> for system administrators and security experts include software that
> exploits vulnerabilities.  Academic institutions use this software to
> educate students and in research to develop and improve defenses.
> Our experience suggests that it is impossible to reliably distinguish
> software used in computer crime from that used for legitimate
> purposes.
> Article 6 of the treaty is vague regarding the use, distribution, or
> possession of software that could be used to violate the security of
> computer systems.  Legislation that criminalizes exploit software use
> would adversely impact security practitioners, researchers, and
> educators. Article 6 would throttle important progress in computer
> security research and engineering.
> We agree that breaking into computer systems is wrong and are strongly
> in favor of criminalizing inappropriate behavior. Our goal is for the
> treaty and resulting legislation to permit the development
> and application of
> good security measures. We urge the Council to avoid criminalizing the
> development, use, and distribution of software important to
> those of us
> working to prevent misuse.
> We request that the treaty drafters specifically recognize legitimate
> computer security activities and permit the creation and public
> dissemination of software and techniques used to study and verify
> computer security vulnerabilities.  Moreover, we urge that
> appropriate laws
> criminalizing software misuse replace the ownership or
> creation clauses
> of the treaty.
> Signed,
> <name> <affiliation>
> "Organizational affiliations are listed for identification purposes
> only,
> and do not necessarily reflect the official opinion of the affiliated
> organization."
> --
> Stuart Staniford  ---  President  ---  Silicon Defense
>                    stuart@silicondefense.com
> (707) 445-4355                     (707) 445-4222 (FAX)

Page Last Updated or Reviewed: May 22, 2007