First, let me say that I think the amended statement is actually better than the old one. Marcus is right that there should be reasonable rules about exploits regarding possession and publication. The current situation is far from ideal. But I also think the draft Cybercrime Convention is unreasonable. This is typical of how police and justice departments try to solve crime: make up some offence with a low burden of proof so you can put away lots of people, instead of solving the crime of causing damage to data. Just as with "burglary tools", it should not be possession or manufacture that is illegal, since these tools have legitimate uses, but "possession with intent"; which is much harder to prove.

In some cases I have dealt with, an exploit was the only way to prove to people that a problem was not just theoretical, but very real. Sometimes I still need to explain why a buffer overflow is a problem ("the program crashes, so what?" "run this" "./this; #, ah, I see"). Writing exploits to document bugs is a valid thing to do. Security experts generally do not need exploits, just a pointer to the general area where the bug is will do; but getting past first line support often requires one.

Another area of concern for me is exploits caught in the wild by customers; since the treaty would allow legislation that bans possession and distribution, customers who catch exploits in the wild are legally no longer allowed to pass the information to us, only to law enforcement (or even hang on to it). If law enforcement would actually cooperate with industry and send the security holes they come across to the vendors concerned, this wouldn't be much of a problem. In my experience law enforcement acts pretty much like a black hole when it comes to any type of information. I'd love to hear reports on law enforcement officials doing the responsible thing and sharing exploit data with vendors. In fact, I hear consistent rumours that the only recipients of such information are TLAs*, and we all know what those do for a living.

When it comes to publishing, I believe that the current trend of publishing something quickly without vendor notification is wrong, especially in those cases where there is no workaround. Disabling a service is not a workaround for many of our customers. But this is probably more of a matter for civil courts.

Other distressing signs in Europe are the proposed legislation banning anonymous email; it's an important tool for those areas where human rights are weak, and in some cases for whistleblowers too (though they're typically more easily tracked down by the information they know).

Casper

*) Three Letter Agency