
RE: [BOARD] Dissenting opinion on CyberCrime treaty statement




> Marcus is right in that there should be reasonable rules regarding
> possession and publication of exploits.  The current situation is
> far from ideal.

Agreed. It is also unfortunate that some people have come to the conclusion
that the only way to get something fixed is to make the problem public in a
way that cannot be ignored. 
 
> But I also think the draft cybercrime treaty is unreasonable.
> It's the typical way in which police and justice departments try to
> address crime: make up some crimes with a low burden of proof
> so you can potentially put away lots of people rather than tackle
> the crimes that actually cause damage to data.  Just as with
> "burglary tools", it shouldn't be possession or manufacturing that
> is illegal, as those tools all have legitimate uses, but
> "possession with intent"; much harder to prove.

Agreed - they'd rather have a law that they can selectively enforce than one
which is more precise.  Unfortunately, it is hard to get people to
understand that ping, nslookup and telnet are hacker tools...
 
> In some cases I have dealt with, exploits are the only way of showing
> people that problems are not merely theoretical but very real. I still
> have to explain at times why buffer overflows are a problem
> ("the program will crash, so what?"  "run this" "./this; #,
> ah, I see").
> 
> Writing exploits to document bugs is a valid thing to do.  Security
> experts generally do not need exploits, just a pointer to the general
> area where the bug is will do; but getting past first line support
> often requires one.

There is an exception to this - that is the area of security operations. It
is currently my job to write tools to find hosts with problems.  If I can, I
do so without actually exploiting the problem, but in other cases there is
no alternative.  At any rate, my tools can sweep very large address spaces
and locate vulnerable systems very, very quickly.  As long as I only use
these tools against systems owned by my employer, there is no problem.  If
someone used them against the internet in general, there would definitely be
some big problems.  I also need live exploits to validate my tools, and in
some cases to demonstrate the problem.  ("you need to correct this", "so
what?", "the first 4 letters of your password are 'xxxx' and the use of a {
character was clever", "oh, I see - what do I fix again?").  I obviously do
not distribute these tools, and my previous employer at least makes a good
faith effort to restrict use.
 
> When it comes to publishing, I believe that the current trend of
> publishing something quickly without vendor notification is wrong,
> especially in those cases where there is no workaround.  Disabling a
> service is not a workaround for many of our customers.  But this is
> probably more of a matter for civil courts.

I agree with this, too.  It is irresponsible, and akin to crying fire in a
theatre.
 
I also support educating people about hacking techniques, because the only
way to really protect yourself is to understand the techniques that an
attacker will use.  Know your enemy as you know yourself, and success is
assured.

Page Last Updated or Reviewed: May 22, 2007