RE: Third SHORTENED Draft of CyberCrime Treaty Statement
I've been the silent observer in the discussion to date, but must now speak
up (ok, Steve, you can move me to another category, now ;) ) to say I very
much *like* where the statement is heading. I especially like the more
succinct message. It focuses on a simple message and is short and to the
point. I would support this statement.
I do think the final sentence "Moreover, we urge that appropriate laws
criminalizing the misuse of such tools replace the ownership or creation
clauses of the treaty" may be a little unclear. How about sharpening it to
say these clauses should be removed from the treaty, and instead there
should be appropriate laws ...?
> -----Original Message-----
> From: Dave Mann [mailto:dmann@BINDVIEW.COM]
> Sent: Wednesday, May 10, 2000 12:49 PM
> To: firstname.lastname@example.org
> Subject: Third SHORTENED Draft of CyberCrime Treaty Statement
> Here is another cut at the draft.
> Note, I've basically taken an axe to it in order to
> shorten it. I'm following Spaf's sagely advice to make
> the statement as short and succinct as possible (was that
> Some other points...
> 1) One of the primary concerns here is the concept of
> full disclosure and public dissemination of exploit
> code. In this version, I've tried to push the virtues
> of that concept without getting bogged down in controversial
> white hat/black hat sorts of questions.
> 2) Following LeBlanc's suggestion, I've removed stuff that
> does not directly the main thesis.
> 3) I've condensed several of the paragraphs in the middle
> of the draft. Hopefully this reduces the occurrences of
> repeating what is essentially the same argument and
> shortens the piece while keeping it accurate.
> 4) I've displayed my preference for short paragraphs
> and have added some paragraph breaks.
> Dear <treaty drafters>
> We are a group of security experts who participate in the Common
> Vulnerabilities and Exposures Initiative. This project is a
> collaboration between a broad range of responsible computer security
> experts and companies to develop a common industry-wide set of names for
> the many different vulnerabilities known in computer systems. As such,
> we represent a cross-section of the technical community which works on
> computer security vulnerabilities.
> As security experts, we have some technical concerns with respect to
> Article 6, which appears to be vague with respect to the use,
> distribution, or possession of software that could be used to violate
> the security of computer systems.
> We note that it is critically important to the advancement of science
> and engineering techniques for computer security professionals to be
> able to test software looking for new vulnerabilities, determine
> the presence of known vulnerabilities in existing systems, and exchange
> information about such vulnerabilities with each other. Therefore,
> most professionals and companies in this field routinely develop, use,
> and share scripts and programs designed to exploit vulnerabilities.
> In addition, these exploits are often included in commercial tools
> used by systems administrators and security experts to test the security
> of their systems.
> It is technically very difficult or impossible to distinguish the
> tools used for these legitimate and important purposes from the tools
> used by computer criminals to commit unauthorized break-ins. Further,
> important tools and techniques are regularly published by previously
> unknown individuals or groups. To criminalize their research and
> educational activities would be to slow the important progress of
> computer security research.
> We are concerned that Article 6 may prevent, impede, or criminalize
> such responsible development and use of exploit tools. This would
> have the unintended consequence of making computer systems LESS
> secure since it would stifle critical computer research, needlessly
> the development of commercial security tools, and ultimately limit the
> ability of systems and security administrators to test and validate
> the security of their systems.
> We ask that the treaty drafters specifically recognize the legitimate
> and important role that the creation and public dissemination of
> demonstration code plays in advancing the information security field.
> Moreover, we urge that appropriate laws criminalizing the misuse of
> such tools replace the ownership or creation clauses of the treaty.
> <name> <affiliation>
> "Organizational affiliations are listed for
> identification purposes only, and do not necessarily reflect the
> official opinion of the affiliated organization."
> Dave Mann || e-mail: email@example.com
> Senior Security Analyst || phone: 508-485-7737 x254
> BindView Corporation || fax: 508-485-0737