Re: Second draft of CyberCrime Treaty Statement

I like Dave Mann's last draft. I support the process Steve outlines
below. I'm comfortable with Spaf co-ordinating since he's done this
kind of thing well in the past. But I think it's important that it's
made clear that the letter was a collaborative effort by many CVE board
folks, rather than Spaf's initiative.

I'm not quite sure what a practical process for gathering
signatures/endorsements is. Presumably that's for the co-ordinator to

"Steven M. Christey" wrote:
> I agree with David LeBlanc and Gene Spafford that we should come up
> with a final draft, then ask people to sign it. I wasn't clear,
> Here's what I see as a plan of action, with some overlap between the
> different items:
> 1) Participating Board members finish and agree to a statement
> 2) Each participating Board member works with their organization to
> see if the organization itself can support it
> 3) Participating Board members endorse the agreement, as individuals
> or as an organization-wide endorsement
> 4) Identify a coordinator for outreach efforts
> 5) Each participating Board member performs their own outreach to
> their own contacts, and works with the coordinator, who maintains
> the "master list" of endorsements.
> 6) If any serious, near-unanimous concerns are expressed with the
> statement, *consider* making modifications.
> Below are some of my editing comments on the draft. Dave Mann, are
> you coordinating your later drafts with Adam Shostack? Who is the
> "official holder" of the draft at this point?
> Spaf suggested moving away from referring to ourselves as "experts"
> and instead using "professionals" or related terms. I agree with
> this, and another Board member suggested a similar modification in a
> private email.
> I agree with David LeBlanc that we shouldn't specifically mention
> "young security enthusiasts who behave unethically" - but on the other
> hand, it's the free exchange of information that helps talented but
> inexperienced people to learn and make contributions of their own.
> (For example, how many high-quality posters to *Bugtraq with unknown
> hat colors have been snapped up by security companies?) So I think we
> need to address this *somehow*, because some "young enthusiasts" with
> white hats may not be recognized as professionals.
> I suggest that we not mention funding at all.
> I also agree with others that we shouldn't mention Stackguard.
> - Steve
Stuart Staniford --- President --- Silicon Defense
(707) 445-4355 (707) 445-4222 (FAX)