RE: [BOARD] Dissenting opinion on CyberCrime treaty statement
This goes back to the gun analogy... Or to draw another one, many people
throughout history have tried to limit access to information of all kinds
(e.g. book burning, etc.) because of its potential for exerting a
What it all boils down to (in my opinion) is the perceived scope of this
message. I feel that our goal is to inform legislators of our concerns, and
make them aware of the fact that the distributed denial of service agent
being analyzed on my computer is not the same as a the agent being written
and distributed by someone else.
The code may be identical. The intent is not. That's the message I want to
send, and in that spirit I continue to support the message as currently
From: Steven M. Christey
Sent: 6/7/00 6:58 PM
Subject: [BOARD] Dissenting opinion on CyberCrime treaty statement
Marcus Ranum, as the NFR representative on the Editorial Board, has
expressed a dissenting opinion with the CyberCrime Treaty statement.
I am posting Marcus' concerns here as a matter of record. This does
not impact the current activities with respect to garnering support
for the statement, as we have already decided that it is not an
"official" Editorial Board activity.
Since some of his concern touches on the controversial issue of full
disclosure, I encourage any potential responders to this email to take
care to avoid being "sidetracked" by that issue. There may be better
forums than the Editorial Board mailing list for those sorts of
The concern is with the following text of the statement:
# System administrators, researchers, consultants and companies all
# routinely develop, use, and share software designed to exercise known
# and suspected vulnerabilities. Academic institutions use these
# tools to educate students and in research to develop improved
# defenses. Our combined experience suggests that it is impossible
# to reliably distinguish software used in computer crime from that
# used for these legitimate purposes. In fact, they are often
And following is Marcus' response, extracted from various email
discussions and approved by him:
>The statement, as it is drafted, goes contrary to what I believe is
>the inevitable and right progression of legislative events concerning
>hacking/penetration test tools.
>While it is difficult to reliably distinguish between attack tools and
>security tools, I believe there are standards of reasonableness that
>can, and _must_ be applied. Too many attack tools are being developed
>and deployed, under the guise of "helping" and "education" - I believe
>that in the long run it is not helpful and is in fact detrimental.
>For example, nmap, by its very design, is intended to defeat certain
>forms of security. Therefore it is not a purely legitimate tool. Some
>may argue that it may still be useful to white hats. That may be true
>- but there are plenty of cases where legitimate tools that may be
>abused are restricted and regulated. I don't have a problem with that
>in this case.
Others have expressed concerns that if it appears that the Board as a
whole supports this treaty statement, that it may conflict with the
organizational opinions of some parent organizations of Board members.
Marcus effectively agrees with this:
>I am opposed to participating (and, by extension, NFR
>participating...) in any action that indicates support for further
>dissemenation, usage, teaching about, or otherwise condoning the use
>of hacking tools and techniques.