Third SHORTENED Draft of CyberCrime Treaty Statement
All,

Here is another cut at the draft. Note, I've basically taken an axe to it in order to shorten it. I'm following Spaf's sagely advice to make the statement as short and succinct as possible (was that redundant?).

Some other points...

1) One of the primary concerns here is the concept of full disclosure and public dissemination of exploit code. In this version, I've tried to push the virtues of that concept without getting bogged down in controversial white hat/black hat sorts of questions.

2) Following LeBlanc's suggestion, I've removed stuff that does not directly support the main thesis.

3) I've condensed several of the paragraphs in the middle of the draft. Hopefully this reduces the occurrences of repeating what is essentially the same argument and shortens the piece while keeping it accurate.

4) I've displayed my preference for short paragraphs and have added some paragraph breaks.

***********************************************************

Dear <treaty drafters>

We are a group of security experts who participate in the Common Vulnerabilities and Exposures Initiative. This project is a collaboration between a broad range of responsible computer security experts and companies to develop a common industry-wide set of names for the many different vulnerabilities known in computer systems. As such, we represent a cross-section of the technical community which works on computer security vulnerabilities.

As security experts, we have some technical concerns with respect to Article 6, which appears to be vague with respect to the use, distribution, or possession of software that could be used to violate the security of computer systems.

We note that it is critically important to the advancement of science and engineering techniques for computer security professionals to be able to test software looking for new vulnerabilities, determine the presence of known vulnerabilities in existing systems, and exchange information about such vulnerabilities with each other.

Therefore, most professionals and companies in this field routinely develop, use, and share scripts and programs designed to exploit vulnerabilities. In addition, these exploits are often included in commercial tools used by systems administrators and security experts to test the security of their systems. It is technically very difficult or impossible to distinguish the tools used for these legitimate and important purposes from the tools used by computer criminals to commit unauthorized break-ins.

Further, important tools and techniques are regularly published by previously unknown individuals or groups. To criminalize their research and educational activities would be to slow the important progress of computer security research.

We are concerned that Article 6 may prevent, impede, or criminalize such responsible development and use of exploit tools. This would have the unintended consequence of making computer systems LESS secure since it would stifle critical computer research, needlessly hamper the development of commercial security tools, and ultimately limit the ability of systems and security administrators to test and validate the security of their systems.

We ask that the treaty drafters specifically recognize the legitimate and important role that the creation and public dissemination of demonstration code plays in advancing the information security field. Moreover, we urge that appropriate laws criminalizing the misuse of such tools replace the ownership or creation clauses of the treaty.

Signed,
<name>
<affiliation>

"Organizational affiliations are listed for identification purposes only, and do not necessarily reflect the official opinion of the affiliated organization."

--
==============================================================
Dave Mann                || e-mail: dmann@bos.bindview.com
Senior Security Analyst  || phone:  508-485-7737 x254
BindView Corporation     || fax:    508-485-0737