
v 5.4 - from Dave Mann

Tinkering with Spaf's last version.

Changes include:
* Word count driven down to 368 (I tried to retain meaning)
  - In particular, note the hack job I did on paragraphs 2 and 5
* Attempted to strengthen a few passages
  - Replaced "register our opinions" with "register our misgivings"
    in lead sentence
  - Replaced "computer users... may not be able to adequately protect"
    with "computer users... will not be able to adequately protect"
    in second paragraph
* Added (undue?) influence of marketing "ad speak" by
  - shortening/breaking apart sentences and paragraphs
  - adding bullets to add emphasis

I am super impressed with all of the work that took place
since I left work last night.   In my (not so) humble opinion, I
think this is looking really, really good and I would consider
it very close to final.  My only suggestion at improving it would
be to drive the word count down further.



Dave Mann                ||   e-mail:  dmann@bos.bindview.com
Senior Security Analyst  ||    phone:  508-485-7737   x254
BindView Corporation     ||      fax:  508-485-0737


As leading security practitioners, educators, vendors, and users of
information security, we wish to register our misgivings about the
Council of Europe draft treaty on Crime in Cyberspace.

We are concerned that portions of the proposed treaty may result in
criminalizing techniques and software commonly used to make computer
systems resistant to attack.  Signatory states passing legislation to
implement the treaty may endanger the security of their computer
systems since computer users in those countries will not be able to
adequately protect their computer systems and the education of
information protection specialists may be hindered.

Critical to the protection of computer systems and infrastructure is
the ability to
* Test software for weaknesses
* Verify the presence of defects in computer systems
* Exchange vulnerability information

System administrators, researchers, consultants and companies all
routinely develop, use, and share software designed to exercise known
and suspected vulnerabilities.  Academic institutions use these
tools to educate students and in research to develop improved
defenses.  Our combined experience suggests that it is impossible
to reliably distinguish software used in computer crime from that
used for these legitimate purposes.  In fact, they are often

Currently, article 6 of the draft treaty is vague regarding the use,
distribution, and possession of software that could be used to
violate the security of computer systems.  We agree that damaging or
breaking into computer systems is wrong and we unequivocally support
laws against such inappropriate behavior.  We affirm that a goal of the
treaty and resulting legislation should be to permit the development
and application of good security measures.  However, legislation that
criminalizes security software development, distribution and use
is counter to that goal, since it would adversely impact security
practitioners, researchers, and educators.

Therefore, we respectfully request that the treaty drafters remove
section a.1 from article 6, and modify section b accordingly; the
articles on computer intrusion and damage (viz., articles 1-5) are
already sufficient to proscribe any improper use of security-related
software or information.

Please do not hesitate to call on us for technical advice in your
future deliberations.



"Organizational affiliations are listed for identification purposes
only, and do not necessarily reflect the official opinion of the
affiliated organization."

Page Last Updated or Reviewed: May 22, 2007