Re: Statement of objection to the Cybercrime Convention
> Marcus is right, there should be reasonable rules on exploit
> possession and publication. The current situation is
> far from ideal.

Agreed. It is also unfortunate that some people have concluded that the only way to get things fixed is to publish the problem so that it cannot be ignored.

> But I also think the draft Cybercrime Convention is unreasonable.
> This is typical of how police and justice departments try to
> address crime: make up some crime with a low burden of proof
> so you can lock up a lot of people rather than addressing
> the actual crimes that cause damage. Just as with
> "burglary tools", it should not be possession or manufacture
> that is illegal, since these tools all have legitimate uses, but
> "possession with intent"; which is much harder to prove.

Agreed, they would rather have a law that can be enforced selectively than one that is more precise. Unfortunately, it is hard to get people to understand that ping, whois and telnet are hacking tools...

> In some cases I have dealt with exploits are the only way of showing
> people that problems are not merely theoretical but very real. I still
> have to explain at times why buffer overflows are a problem
> ("the program will crash, so what?" "run this" "./this; #,
> ah, I see").
>
> Writing exploits to document bugs is a valid thing to do. Security
> experts generally do not need exploits, just a pointer to the general
> area where the bug is will do; but getting past first line support
> often requires one.

There is an exception to this - that is the area of security operations. It is currently my job to write tools to find hosts with problems. If I can, I do so without actually exploiting the problem, but in other cases there is no alternative. At any rate, my tools can sweep very large address spaces and locate vulnerable systems very, very quickly. As long as I only use these tools against systems owned by my employer, there is no problem. If someone used them against the internet in general, there would definitely be some big problems.

I also need live exploits to validate my tools, and in some cases to demonstrate the problem. ("you need to correct this", "so what?", "the first 4 letters of your password are 'xxxx' and the use of a { character was clever", "oh, I see - what do I fix again?"). I obviously do not distribute these tools, and my previous employer at least makes a good faith effort to restrict use.

> When it comes to publishing, I believe that the current trend of
> publishing something quickly without vendor notification is wrong,
> especially in those cases where there is no workaround. Disabling a
> service is not a workaround for many of our customers. But this is
> probably more of a matter for civil courts.

I agree with this, too. It is irresponsible, and akin to crying fire in a theatre.

I also support educating people about hacking techniques, because the only way to really protect yourself is to understand the techniques that an attacker will use. Know your enemy as you know yourself, and success is assured.