RE: Third SHORTENED Draft of CyberCrime Treaty Statement
I've been the silent observer in the discussion to date, but must now speak up (ok, Steve, you can move me to another category, now ;) ) to say I very much *like* where the statement is heading. I especially like the more succinct message. It focuses on a simple message and is short and to the point. I would support this statement.

I do think the final sentence "Moreover, we urge that appropriate laws criminalizing the misuse of such tools replace the ownership or creation clauses of the treaty" may be a little unclear. How about sharpening it to say these clauses should be removed from the treaty, and instead there should be appropriate laws ...?

-DB

> -----Original Message-----
> From: Dave Mann [mailto:dmann@BINDVIEW.COM]
> Sent: Wednesday, May 10, 2000 12:49 PM
> To: cve-editorial-board-list@lists.mitre.org
> Subject: Third SHORTENED Draft of CyberCrime Treaty Statement
>
>
> All,
>
> Here is another cut at the draft.
>
> Note, I've basically taken an axe to it in order to
> shorten it. I'm following Spaf's sagely advice to make
> the statement as short and succinct as possible (was that
> redundant?).
>
> Some other points...
>
> 1) One of the primary concerns here is the concept of
> full disclosure and public dissemination of exploit
> code. In this version, I've tried to push the virtues
> of that concept without getting bogged down in controversial
> white hat/black hat sorts of questions.
>
> 2) Following LeBlanc's suggestion, I've removed stuff that
> does not directly the main thesis.
>
> 3) I've condensed several of the paragraphs in the middle
> of the draft. Hopefully this reduces the occurrences of
> repeating what is essentially the same argument and
> shortens the piece while keeping it accurate.
>
> 4) I've displayed my preference for short paragraphs
> and have added some paragraph breaks.
>
> ***********************************************************
>
> Dear <treaty drafters>
>
> We are a group of security experts who participate in the Common
> Vulnerabilities and Exposures Initiative. This project is a
> collaboration between a broad range of responsible computer security
> experts and companies to develop a common industry wide set of names
> for the many different vulnerabilities known in computer systems.
> As such, we represent a cross-section of the technical community
> which works on computer security vulnerabilities.
>
> As security experts, we have some technical concerns with respect to
> Article 6, which appears to be vague with respect to the use,
> distribution, or possession of software that could be used to violate
> the security of computer systems.
>
> We note that it is critically important to the advancement of science
> and engineering techniques for computer security professionals to be
> able to test software looking for new vulnerabilities, determine
> the presence of known vulnerabilities in existing systems, and
> exchange information about such vulnerabilities with each other.
> Therefore, most professionals and companies in this field routinely
> develop, use, and share scripts and programs designed to exploit
> vulnerabilities. In addition, these exploits are often included in
> commercial tools used by systems administrators and security experts
> to test the security of their systems.
>
> It is technically very difficult or impossible to distinguish the
> tools used for these legitimate and important purposes from the tools
> used by computer criminals to commit unauthorized break-ins. Further,
> important tools and techniques are regularly published by previously
> unknown individuals or groups. To criminalize their research and
> educational activities would be to slow the important progress of
> computer security research.
>
> We are concerned that Article 6 may prevent, impede, or criminalize
> such responsible development and use of exploit tools. This would
> have the unintended consequence of making computer systems LESS
> secure since it would stifle critical computer research, needlessly
> hamper the development of commercial security tools, and ultimately
> limit the ability of systems and security administrators to test and
> validate the security of their systems.
>
> We ask that the treaty drafters specifically recognize the legitimate
> and important role that the creation and public dissemination of
> demonstration code plays in advancing the information security field.
> Moreover, we urge that appropriate laws criminalizing the misuse of
> such tools replace the ownership or creation clauses of the treaty.
>
> Signed,
>
> <name> <affiliation>
>
>
> "Organizational affiliations are listed for
> identification purposes only, and do not necessarily reflect the
> official opinion of the affiliated organization."
>
>
> --
> ==============================================================
> Dave Mann                || e-mail: dmann@bos.bindview.com
> Senior Security Analyst  || phone: 508-485-7737 x254
> BindView Corporation     || fax: 508-485-0737
>