RE: Cybercrime treaty

To: "'Stuart Staniford'" <stuart@silicondefense.com>, Adam Shostack <adam@HOMEPORT.ORG>
Subject: RE: Cybercrime treaty
From: Russ <Russ.Cooper@rc.on.ca>
Date: Wed, 3 May 2000 13:59:40 -0400
Cc: cve-editorial-board-list@lists.mitre.org
Delivery-Date: Wed May 3 14:00:28 2000
Sender: owner-cve-editorial-board-list@lists.mitre.org

IMO, we should do nothing but prepare for a demonstration case where one (or
more of us) are the defendants.

1. "without permission" means, to me, that if I use a demonstration program
to attack my own systems, I have granted myself (or others in my org)
permission to perform such an attack. Ergo, I am not doing anything "without
permission". The same would hold true for attacks that originate from
scanning programs as they, too, are permissioned to do so.

It may mean that a disclaimer needs to be attached to any program warning
users that its execution must be done with permission.

The idea that someone cannot create something because of its potential
malicious use has been, I have to believe, killed numerous times in the
past. Were it not, fertilizer would be illegal on the same basis of the
proposed treaty.

Further, any software company who attempts to determine the extent of a
problem with their own software by using or developing Q&A testing software
would similarly be creating code for the sole purpose of gaining entry to a
system. As such, Q&A would become illegal if it were security-oriented (if
we extend the wording to illogical conclusions).

2. There is no better way to kill something than to defeat it. Lobbying
ahead of implementation, IMO, only leads to mutated laws that usually don't
fulfill their original promise and step on someone's toes somewhere.
Striking down a law with precedents has a much better effect, although the
interim may be "chilling".

WIPO specifically excluded "research", and in doing so made itself largely
ineffective against a larger portion of potential attackers (e.g. students).
The line between research and malicious attack is a fine one at best (those
guys in Wales attempted to claim their work was research, then awareness).
We, in the industry, need a way to delineate what we do from what any
"student" *might* claim to be doing. I certainly don't want to lose the
assets that the brilliant student minds bring to the business, but there
must be some limits.

If we shot this down what will come afterwards? If we're listened to, what
would prefer it to say?

Simply saying we're against it, or part of it, is insufficient in my mind
and better served by a prepared defense.

Cheers,
Russ - NTBugtraq Editor
"dot-age" (as in "we're in the dot-age") = senility (source Webster's)

Follow-Ups:
- Re: Cybercrime treaty
  - From: Stuart Staniford <stuart@silicondefense.com>

Prev by Date: Re: Cybercrime treaty
Next by Date: Re: Cybercrime treaty
Prev by thread: Re: Cybercrime treaty
Next by thread: Re: Cybercrime treaty
Index(es):
- Date
- Thread

Page Last Updated: May 22, 2007

Common Vulnerabilities and Exposures

RE: Cybercrime treaty