
Second draft of the cybercrime convention statement



On Tue, May 09, 2000 at 11:45:41AM -0400, Frech, Andre (ISSAtlanta) wrote:
|
| Steve and Stuart, excellent work. I appreciate your efforts in developing this draft.

Me too. I have to say I'm very pleased at the willingness of so many people to step forward to address these issues, especially since Stuart, Steve and Andre have proposed draft language.

Dear <convention drafters>,

We are a group of security experts involved in the Common Vulnerabilities and Exposures initiative. This project is a collaboration of a number of responsible computer security experts and companies to develop a set of common industry names for the many different vulnerabilities in computer systems. As such, we represent a cross-section of the technical community working on computer security vulnerabilities.

As security experts, we have some technical concerns about Article 6, which seems vague regarding the use, distribution, or possession of software that can be used to violate the security of computer systems. We note that it is critical to the scientific and engineering development of computer security techniques that computer security professionals be able to test software to look for new vulnerabilities, determine the presence of known vulnerabilities in existing systems, and exchange information about such vulnerabilities. Therefore, most professionals and companies in this field routinely develop, use, and share scripts and programs designed to exploit vulnerabilities. In addition, these exploits are often included in commercial tools used by systems administrators and security experts to test the security of their systems. It is technically very difficult or impossible to distinguish the tools used for this purpose from the tools used by computer criminals to commit unauthorized break-ins. Further, important tools and techniques are regularly revealed by previously unknown individuals or groups. To criminalize their research and educational activities would be to slow the important progress of computer security research. We do not intend to challenge the idea that breaking into computer systems is wrong, but to ensure that laws are not made driving underground new research.

(Should we mention Stackguard here? It wouldn't be available without exploit code.)

We are concerned that Article 6 may prevent, impede, or criminalize such responsible development and use of exploit tools. This would greatly limit the ability of systems and security administrators to test and validate the security of their systems, either through the use of freely available research tools, or with commercial tools, as are sold by several of the organizations involved with CVE. We ask that the treaty drafters recognize the legitimate and important role that the creation of demonstration code plays in advancing the security field.

We ask that the treaty be re-worked so as to not chill or limit ethical and important research. If, instead, the treaty is used to ban any use of exploit tools, we fear that this will be very counter-productive. Since computer criminals are currently largely beyond the reach of effective law enforcement, they will not be much impacted by new laws banning their tools.

(I think that this language is counterproductive, and suggest: If the treaty causes to be banned the creation or use of exploit tools, without recognition of their valuable role, then communication and research will be stifled, and many young security enthusiasts who today behave unethically will be made into criminals, and lose their opportunity to mature and grow into valuable members of the community. We urge that appropriate laws criminalizing the misuse of such tools replace the ownership or creation clauses.)

More controversial: We urge that appropriate laws criminalizing the misuse of such tools replace the ownership or creation clauses, and further that the Council fund research into ways to encourage companies to produce more secure software, such as, but not limited to, rescinding warranty law exemptions, requiring recalls of bad software, etc.

Adam

"Organizational affiliations are listed for identification purposes only, and do not necessarily reflect the official opinion of the affiliated organization."

| > - I suggest that Board members should be able to decide whether to
| > list themselves individually, i.e. without their organizational
| > affiliation.
| >
| >
| > Signed,
| >
| > Adam Shostack, Zero-Knowledge
| > Scott Blake, BindView
| > Steve Christey, MITRE
| >
| > MemberN, OrganizationN
| > MemberN2, OrganizationN2
| > ...
| > Member N+m, [no organization listed]
| >
| > ... and X other members of the CVE Editorial Board [names withheld]
| >

Page last updated or reviewed: May 22, 2007