RE: Cybercrime treaty
> -----Original Message-----
> From: Matt Bishop [mailto:firstname.lastname@example.org]

> And by the way, if you think 6a1 is bad, check out 6a2. -- kiss
> crack, johntheripper, etc. goodbye. And merely POSSESSING these
> seems to be illegal, under 6b (they mislabeled it a; it's the
> second a).

That's ridiculous - they clearly don't understand that these things have legitimate uses. It's been my job to write tools that do this for the last 4+ years. Ack - my source tree would be illegal...

> PS: One thing, David -- if I remember my political science class
> taken umptiddy-ump years ago, treaties in the US are at
> the same level as the Constitution, so I'm not sure that the
> US federal courts would accept an argument that restricting this
> technology (break-in programs) is unconstitutional -- the issue
> arose during the court cases about the seizure of Iranian
> assets in the 1980s, and the US Government's efforts to return
> (some of) the assets. The lienholders hollered bloody murder, but
> -- if I remember correctly -- the US Supreme Court said too bad.
> Any lawyers (or computer scientists who play lawyers on the web :-))
> know if I'm completely off base here?

This doesn't sound right - first of all, Congress can't pass anything that supersedes the Constitution without approval of the states. What I think might be muddying the waters here is that we're dealing with an interaction between governments here. Also, as soon as you're dealing with even non-US citizens all bets are off - for example, if a foreign national commits a crime in the US, many of the rights we take for granted do not apply.

Now, back to where we started - Howard Schmidt is sending a rep to a computer crime summit where this is going to be discussed. IF we can craft a reasoned response to why we think this article is a Bad Thing, then I will push that and see if it helps. Who would like to take a swipe at editing the initial response? Steve?
I'll take an initial swipe at this thing -

>Article 6 - Illegal Devices
>Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal
>offences under its domestic law when committed intentionally and without right:
>the production, sale, procurement for use, import, distribution or otherwise making available of:
>a device, including a computer program, designed or adapted [specifically] [primarily] [particularly] for the purpose of committing any of the offences established in accordance with Article 2 - 5;

This section is vague. Numerous examples exist of programs which are primarily designed to intercept data, and these programs are considered part of a normal system administrator's trouble-shooting toolkit. Illegal access can be obtained to many systems merely by attempting to log on using normal system tools (e.g., telnet, net use, etc.). These tools are also normally present on most operating systems. There is also the issue that a part of normal security administration involves using tools which are designed to obtain unauthorized access to determine which portions of your own network may be vulnerable. Making these programs illegal would severely hinder our ability to test our defenses against the activities defined in articles 2-5. This clause, unlike the following two clauses, does not require that the use or possession of these devices be with criminal intent.

>a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed with intent that it be used for the purpose of committing the offences established in Articles 2 - 5;
>the possession of an item referred to in paragraphs (a)(1) and (2) above, with intent that it be used for the purpose of committing the offenses established in Articles 2 - 5. A party may require by law that a number of such items be possessed before criminal liability attaches.