RE: Cybercrime treaty
I'd suggest replacing the word "chill" with "limit" or "impede".

- Jim

> -----Original Message-----
> From: Stuart Staniford [mailto:stuart@SILICONDEFENSE.COM]
> Sent: Monday, May 08, 2000 10:01 AM
> To: Steven M. Christey
> Cc: cve-editorial-board-list@lists.mitre.org
> Subject: Re: Cybercrime treaty
>
> "Steven M. Christey" wrote:
>
> > Nobody has sent any objections to me yet, and I did bring this
> > issue up to a few Board members who I thought might have concerns
> > (one is looking at it, the other hasn't responded). It may be
> > that making a general statement such as "this item is too vague,
> > and here's why" could be agreed to by contributing members, and
> > benign enough that NOOP's may not mind.
>
> Here's some quick text that I would like, and that it doesn't seem
> to me treads on the toes of the objections that have been raised so
> far.
>
> Dear <treaty drafters>
>
> We the undersigned are <a majority, all, ..> of the board of the
> Common Vulnerabilities and Exposures project. This project is a
> collaborative project by a range of responsible computer security
> companies and experts to develop a common industry-wide set of names
> for the many different vulnerabilities known in computer systems [1].
> As such, we represent a cross-section of the technical community
> which works on computer security vulnerabilities.
>
> <Treaty> has recently come to our attention, and we have some
> concerns about it, specifically Article 6. We note that it is
> critically important for computer security professionals to be able
> to test software looking for new vulnerabilities, determine the
> presence of known vulnerabilities in existing systems, and exchange
> information about such vulnerabilities with each other. Therefore,
> most professionals and companies in this field routinely develop,
> use, and share scripts and programs designed to exploit
> vulnerabilities. It is technically very difficult or impossible to
> distinguish the tools used for this purpose from the tools used by
> computer criminals to commit unauthorized break-ins.
>
> We are concerned that Article 6 may prevent, or at least chill,
> such responsible development and use of exploit tools. We ask that
> the treaty be reworded such that this is clearly allowed.
>
> If, instead, the treaty is used to ban any use of exploit tools, we
> fear that this will be very counter-productive. Since computer
> criminals are currently largely beyond the reach of effective law
> enforcement, they will not be much impacted by new laws banning
> their tools. However, since legitimate companies and professionals
> will follow any laws that are put in place as a result of this
> treaty, our ability to do our jobs will be severely compromised.
>
> If we can be of further help in drafting appropriate language,
> please contact us via <Steve>.
>
> <Signatures>
>
> [1] <More about CVE>
>
> --
> Stuart Staniford --- President --- Silicon Defense
> stuart@silicondefense.com
> (707) 445-4355 (707) 445-4222 (FAX)