RE: Second draft of CyberCrime Treaty Statement

["Steven M. Christey" <coley@linus.mitre.org>]

I agree with David LeBlanc and Gene Spafford that we should come up
with a final draft, then ask people to sign it.  I wasn't clear,
sorry...

Here's what I see as a plan of action, with some overlap between the
different items:

1) Participating Board members finish and agree to a statement

2) Each participating Board member works with their organization to
   see if the organization itself can support it

3) Participating Board members endorse the agreement, as individuals
   or as an organization-wide endorsement

4) Identify a coordinator for outreach efforts

5) Each participating Board member performs their own outreach to
   their own contacts, and works with the coordinator, who maintains
   the "master list" of endorsements.

6) If any serious, near-unanimous concerns are expressed with the
   statement, *consider* making modifications.

Below are some of my editing comments on the draft.  Dave Mann, are
you coordinating your later drafts with Adam Shostack?  Who is the
"official holder" of the draft at this point?

Spaf suggested moving away from referring to ourselves as "experts"
and instead using "professionals" or related terms.  I agree with
this, and another Board member suggested a similar modification in a
private email.

I agree with David LeBlanc that we shouldn't specifically mention
"young security enthusiasts who behave unethically" - but on the other
hand, it's the free exchange of information that helps talented but
inexperienced people to learn and make contributions of their own.
(For example, how many high-quality posters to *Bugtraq with unknown
hat colors have been snapped up by security companies?)  So I think we
need to address this *somehow*, because some "young enthusiasts" with
white hats may not be recognized as professionals.

I suggest that we not mention funding at all.

I also agree with others that we shouldn't mention Stackguard.

- Steve