Re: Cybercrime treaty
On Wed, May 03, 2000 at 12:10:01PM -0400, Steven M. Christey wrote:
| Adam and Scott, are you asking the Editorial Board to make a statement
| as an entity, or are you asking individuals to join with you? I
| believe that some Board members may disagree (either in their own
| position or their company's), so it may be difficult to get consensus
| on a statement from the entire Board.
I respect that different people and companies on the board have
differing opinions. However, I think that we can likely agree that
the existing example of a law on the subject (the DMCA) is not well
drafted, is unclear, and makes a poor model. I believe that we may
also be able to agree that any law that is created should be created
in such a way that the CVE and similar information sharing processes
So, I would like to see if the board can come to an agreement on a
statement. I haven't offered up a draft because I'd like to hear
comments from others, rather than trying to write something myself,
and miss important points that others will likely make.
I'm speaking for me, although Scott agrees that it would be useful to
have the board make the statement, rather than the organization.
| >Imagine how hard it will be to verify the existance of a vulnerability
| >in Windows without exploit code. Now, there are clearly problems with
| >script kiddies that need to be addressed in some way.
| I've seen some remote buffer overflow exploits that assume that a
| small program has already been created on the target machine, which
| could conceivably allow admins to test their own systems, and
| researchers to analyze the nature of the vulnerability, without giving
| script kiddies a free shell. The question is, would this sort of
| "exploit" be prohibited under Articles 6 and 2?
The lack of clarity in the treaty is one of my objections to it. Such
a lack of clarity has a clear potential to chill research.
"It is seldom that liberty of any kind is lost all at once."