Re: Final Draft?

[Bill Hill <bill@mitre.org>]

Time delays in my access to email have kept me lurking to date, but I want to add my support.  I like this letter very much.

Bill


Dave Mann wrote:

> Gene Spafford wrote:
> > The word "since" means "time since" and not causality.
>
> Great catch!!!
>
> New Changes:
>
> * Replaced the word "since" as suggested
>   - see aragraphs 2 and 5
>
> * Further strengthened 2nd sentance in 2nd paragraph
>   - replaced "the education of ... specialists may be hindered"
>     with "the education of ... specialists will be hindered"
>
> Spaf offered:
> > I do not believe the letter needs to be further shortened.   I think
> > it is ready to go.
>
> I agree.
>
> --
> ==============================================================
> Dave Mann                ||   e-mail:  dmann@bos.bindview.com
> Senior Security Analyst  ||    phone:  508-485-7737   x254
> BindView Corporation     ||      fax:  508-485-0737
> ==============================================================
>
> Greetings:
>
> As leading security practitioners, educators, vendors, and users of
> information security, we wish to register our misgivings about the
> Council of Europe draft treaty on Crime in Cyberspace.
>
> We are concerned that portions of the proposed treaty may result in
> criminalizing techniques and software commonly used to make computer
> systems resistant to attack.  Signatory states passing legislation to
> implement the treaty may endanger the security of their computer
> systems because computer users in those countries will not be able to
> adequately protect their computer systems and the education of
> information protection specialists will be hindered.
>
> Critical to the protection of computer systems and infrastructure is
> the ability to
> * Test software for weaknesses
> * Verify the presence of defects in computer systems
> * Exchange vulnerability information
>
> System administrators, researchers, consultants and companies all
> routinely develop, use, and share software designed to exercise known
> and suspected vulnerabilities.  Academic institutions use these
> tools to educate students and in research to develop improved
> defenses.  Our combined experience suggests that it is impossible
> to reliably distinguish software used in computer crime from that
> used for these legitimate purposes.  In fact, they are often
> identical.
>
> Currently, article 6 of the draft treaty is vague regarding the use,
> distribution, and possession of software that could be used to
> violate the security of computer systems.  We agree that damaging or
> breaking into computer systems is wrong and we unequivocally support
> laws against such inappropriate behavior.  We affirm that a goal of the
> treaty and resulting legislation should  be to permit the development
> and application of good security measures.  However, legislation that
> criminalizes security software development, distribution and use
> is counter to that goal, as it would adversely impact security
> practitioners, researchers, and educators.
>
> Therefore, we respectfully request that the treaty drafters remove
> section a.1 from article 6, and modify section b accordingly; the
> articles on computer intrusion and damage (viz., articles 1-5) are
> already sufficient to proscribe any improper use of security-related
> software or information.
>
> Please do not hesitate to call on us for technical advice in your
> future deliberations.
>
> Signed,
>
> <name>
> <title>
> <affiliation>
>
> "Organizational affiliations are listed for identification purposes
> only, and do not necessarily reflect the official opinion of the
> affiliated organization."
begin:vcard
n:Hill;William
tel;work:703-883-6416
x-mozilla-html:TRUE
org:The MITRE Corporation
adr:;;1820 Dolley Madison Blvd;McLean;VA;22102;
version:2.1
email;internet:bill@mitre.org
title:INFOSEC Engineer
fn:Bill Hill
end:vcard

S/MIME Cryptographic Signature