RE: [BOARD] Status of CyberCrime treaty statement
I'm in with Scott. I'd also note that INTENT isn't possible to prove. As we
all know, most hacker tools are distributed 'for educational purposes only'.
Their language in no way addresses our concerns. I create tools all the
time that are meant to break into other people's computers and/or determine
if a computer has a security vulnerability. I am clearly in possession of a
large number of tools which meet the definition in a1, and whether or not I
intend to do bad things is extremely vague.
I'd also point out that I can normally do very bad things to most networks
using normal command line tools which ship with the OS, so what's next?
Criminalize my keyboard??? Or maybe my brain? I can see it now - sir,
you've been convicted of thinking outside the box... or - "He had net.exe
and was thinking bad thoughts, so we hauled him in."
Furthermore, I NORMALLY, AS PART OF MY JOB, use tools which really were
created with the intent of breaking into things to LEGITIMATELY determine
whether systems I am charged with securing are vulnerable, as well as
determining whether my own checks actually WORK properly.
The treaty needs to EXPLICITLY allow for white hat activities and research.
Also just read Elias' response, and agree with that as well.
I am not especially disturbed by MITRE discussing it with whoever they feel
like they should, but I don't appreciate this being done without notifying
everyone else involved. We should have been informed, and part of the
> -----Original Message-----
> From: Scott Blake [mailto:blake@BOS.BINDVIEW.COM]
> Sent: Monday, June 26, 2000 3:09 PM
> To: email@example.com
> Subject: RE: [BOARD] Status of CyberCrime treaty statement
> Do I understand correctly that MITRE is no longer willing to host the
> website, even if the Board wishes to proceed with the statement? Also,
> will MITRE personnel no longer endorse the statement?
> I have to disagree with the DoJ's assessment. Our position was not that
> the treaty would lead directly to the criminalization of our jobs.
> Rather, we (as I understand it) are raising a concern about the potential
> for misinterpretation. Some staffer at DoJ assuring MITRE's corporate
> counsel that that's not the intent changes exactly nothing in my mind.
> I'm also more than a little concerned about this response being discussed
> with DoJ by MITRE. But I'll leave that for another rant.
> Scott Blake firstname.lastname@example.org
> Security Program Manager +1-508-485-7737 x218
> BindView Corporation Cell: +1-508-353-0269
> >-----Original Message-----
> >From: email@example.com
> >[mailto:firstname.lastname@example.org]On Behalf Of
> >Steven M. Christey
> >Sent: Monday, June 26, 2000 4:07 PM
> >To: spaf@CERIAS.PURDUE.EDU
> >Cc: email@example.com; ptasker@MITRE.ORG;
> >gjg@MITRE.ORG; ramartin@MITRE.ORG
> >Subject: [BOARD] Status of CyberCrime treaty statement
> >Spaf asked about the status of the CyberCrime treaty statement. Below
> >is an update from Gary Gagnon, followed by a description of what we
> >will do next:
> >>We have completed the web site ready for public release. We have been
> >>discussing this with attorneys to validate our understanding of the
> >>treaty and concerns. In addition, we have also discussed our concerns
> >>with key government personnel. This past Friday, MITRE's corporate
> >>attorney and I spoke to Martha Stansell-Gamm, the US Department of
> >>Justice Section Chief responsible for the US delegations drafting the
> >>treaty. DoJ has convinced me and our attorney that treaty drafters
> >>have adequately addressed this issue. In particular, Article 6 has
> >>two section "a", both of which must hold true to be a criminal
> >>offense (emphasis added):
> >> "Each Party shall adopt such legislative and other measures as may be
> >> necessary to establish as criminal offences under its domestic law
> >> when committed intentionally and without right:
> >> a.THE PRODUCTION, SALE, PROCUREMENT FOR USE, IMPORT, DISTRIBUTION OR
> >> OTHERWISE MAKING AVAILABLE OF:
> >> 1.a device, including a computer program, designed or adapted
> >> [specifically] [primarily] [particularly] for the purpose of
> >> committing any of the offences established in accordance with
> >> Article 2 – 5;
> >> 2.a computer password, access code, or similar data by which the
> >> whole or any part of a computer system is capable of being accessed
> >> with intent that it be used for the purpose of committing the
> >> offences established in Articles 2 - 5;
> >> a.the possession of an item referred to in paragraphs (a)(1) and (2)
> >> above, WITH INTENT THAT IT BE USED FOR THE PURPOSE OF COMMITTING THE
> >> OFFENSES ESTABLISHED IN ARTICLES 2 -5. A party may require by law
> >> that a number of such items be possessed before criminal
> >> attaches. "
> >>The way this was explained to me is that the possession (production,
> >>sale, distribution, etc) with the intent to commit the offenses is
> >>what the treaty is recommending become a crime consistent across the
> >>member nations. DoJ recognized the difficulty proving the intent
> >>portion of this treaty language. In addition, I have re-read the
> >>summary of concerns by the CVE Editorial Board, and feel that based on
> >>the above the treaty language appropriately addressed them.
> >>Therefore, based on this legal review of the treaty language as well
> >>as personnel discussions with DoJ, we no longer feel this issue is of
> >>grave concern to security professional community. We would
> >>to NOT go forward with the letter and signature collection.
> >However, we recognize that some Editorial Board members may still wish
> >to move ahead with the statement, independently of DoJ's assurances
> >that such a treaty would not result in the criminalization of "white
> >hat" security activities.
> >To this end, we are doing the following:
> >1) We have scheduled a more detailed conversation with Gene Spafford
> > on Tuesday afternoon.
> >2) We will be packaging the web site up for transition to Gene
> > Spafford, who will take over the effort in the event that Board
> > members want to move forward with the statement.
> >More details will be available after our conversation with Spaf.
> >- Steve