Re: Cybercrime treaty
It appears that the draft text can be found at http://www.politechbot.com/docs/treaty.html . The text in Article 6 prohibits "a device, including a computer program, designed or adapted [specifically] [primarily] [particularly] for the purpose of committing any of the offences established in accordance with Article 2," which defines illegal access.

>(with Steve's permission), we'd like to get the view of the other
>board members on this issue, and ask if we can produce a joint
>statement deploring the unethical use of exploit code, but drawing
>attention to its many legitimate uses for information sharing.

I think it is reasonable to discuss this issue in this forum, as it clearly applies to information sharing and could have an impact on CVE. For example, sometimes we need to determine if two bugs are really the same. When bugs look similar, looking at the related exploits can answer this question. This could then determine how many entries wind up in CVE.

Some CVE candidates have been proposed without many technical details. I believe that Scott and Mike Prosser have voted to REJECT or at least REVIEW such candidates due to lack of information, even in cases where the vendor has confirmed the problem with an advisory. I haven't yet named the content decision that will address this :-) but some samples are below.

Adam and Scott, are you asking the Editorial Board to make a statement as an entity, or are you asking individuals to join with you? I believe that some Board members may disagree (either in their own position or their company's), so it may be difficult to get consensus on a statement from the entire Board.

>Imagine how hard it will be to verify the existence of a vulnerability
>in Windows without exploit code. Now, there are clearly problems with
>script kiddies that need to be addressed in some way.

I've seen some remote buffer overflow exploits that assume that a small program has already been created on the target machine, which could conceivably allow admins to test their own systems, and researchers to analyze the nature of the vulnerability, without giving script kiddies a free shell. The question is, would this sort of "exploit" be prohibited under Articles 6 and 2?

- Steve