[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: v 5.3 (dcl)

merging changes

Also incorporated Jim's point by removing reference to whether the tool is
commercial, freeware, or both - makes for tighter writing.  Made last line
of that paragraph more specific - "that software" was ambiguous.

This version supercedes my previous post.

After attempting to write a reformatter in perl, to heck with the
formatting.  We can fix it when we're done.  All these different mail
readers screw with things too much.

> very minor changes in [] - one striking out "next
> generation", since even older security professionals need
> education, and another adding the word 'authorized' in the
> next to last paragraph for emphasis.

> -----Original Message-----
> From: Stuart Staniford [mailto:stuart@SILICONDEFENSE.COM]
> Sent: Wednesday, May 10, 2000 3:27 PM
> To: cve-editorial-board-list@lists.mitre.org
> Subject: v 5.2 (from Stuart) Reformatted
> Ugh - here it is after resetting Netscape's word wrap wider
> Andre's last is great.  This is my best experience ever of
> collaborative
> writing.
> Here's another version with very minor wordsmithing to remove a couple
> of grammatical infelicities.  Only substantial changes are:
> * add "and open-source" after "commercial" in re software.

Dear <treaty drafters>:

As experts, educators, and practitioners of information
security, we wish to
register our concerns about the Council of Europe draft
treaty on Crime
in Cyberspace.  Portions of the proposed treaty may result in
techniques and software commonly used to make computer
systems resistant
to attack.  Signatory states passing legislation to implement
the treaty
endanger the security of their computer systems.
Professionals will not
be able to adequately protect computer systems, and education
of information protection specialists will be hindered.

Critical to the protection of computer systems and
infrastructure is the
ability to test software for vulnerabilities, verify the presence of
vulnerabilities in existing systems, and exchange vulnerability
information.  Professionals and companies routinely develop,
use, and share
software designed to exploit vulnerabilities. Various tools
for system administrators and security experts include software that
exploits vulnerabilities.  Academic institutions use software designed to
exploit vulnerabilities
to educate students and in research to develop and improve defenses.

Our experience suggests that it is impossible to reliably distinguish
software used in computer crime from that used for legitimate

Article 6 of the treaty is vague regarding the use, distribution, or
possession of software that could be used to violate the security of
computer systems.  Legislation that criminalizes exploit software use
would adversely impact security practitioners, researchers, and
educators. Article 6 would throttle important progress in computer
security research and engineering.

We agree that breaking into computer systems is wrong and are strongly
in favor of criminalizing inappropriate behavior. Our goal is for the
treaty and resulting legislation to permit the development
and application of
good security measures. We urge the Council to avoid criminalizing the
development, authorized use, and distribution of software important to
those of us
working to prevent misuse.

We request that the treaty drafters specifically recognize legitimate
computer security activities and permit the creation and public
dissemination of software and techniques used to study and verify
computer security vulnerabilities.  Moreover, we urge that
appropriate laws
criminalizing software misuse replace the ownership or
creation clauses
of the treaty.


<name> <affiliation>

"Organizational affiliations are listed for identification purposes
and do not necessarily reflect the official opinion of the affiliated

Page Last Updated or Reviewed: May 22, 2007