Cybercrime Treaty Panel
I just appeared on a panel at the Esorics conference (the European computer security conference) concerning the Cybercrime treaty, organized by Marc Dacier. I thought I'd report back.

The panel was a fairly confusing and disorienting experience, through no fault of Marc's. He couldn't find anyone from the Council of Europe to discuss the treaty, since the drafters are anonymous. Eventually he got participation by phone from Betty Shave at the US Department of Justice. The US is only an observer at the Council of Europe, but has apparently been involved in the drafting, though it's not clear whether the US will ultimately sign the treaty. A new draft of the treaty came out recently. It is dated October 2nd, but we couldn't get a copy until the 4th, so I had about two hours to read it and prepare my comments, which is far from ideal. The other panel members were better off. Besides myself, Marc, and Betty, the other panel members were Peter Sommer (by phone), a cyber-law expert from the UK (who mainly does defence work and is well known in IDS circles), and John McHugh of CERT/CC in the US.

First, Marc gave a brief introduction to the treaty and some of the concerns that have been raised. He introduced the panel. Betty spoke next and briefly introduced the benefits of the treaty and international co-operation between law enforcement in cyberspace. She also addressed a couple of issues that people had had with the treaty. In particular, she said it was not the intent of the drafters to prevent legitimate use of exploit scripts by security companies, researchers, and consultants.

I spoke next. I briefly described the process that led to the letter, but said that I was not speaking for the CVE board. I then emphasized the general significance of vulnerabilities (how, as we make more and more aspects of our societies dependent on the Internet, a new vulnerability could be used to cause massive damage, and therefore society has a critical interest in the process by which vulnerabilities are reported and resolved). Although it's clear that the revised treaty is better than before, I expressed my doubts that trying to ban exploit scripts was the best we could do at making that aspect of society work better. I stated my fear that even the revised wording of the treaty could prevent full disclosure of vulnerabilities, and that might not make society more secure. Was that the intent of the treaty drafters?

Betty Shave responded to this. The present wording of the draft treaty makes it clear that it's only intended to be illegal to create, possess, sell, distribute, etc. exploit scripts *if* you are doing it with intent to cause others to commit crimes. So it was not intended to hinder distribution of vulnerability information. She thought full disclosure sites were fine.
Peter Sommer expressed his view that the intent language might mean that whether posting an exploit, fragrouter program, sniffer, etc. is illegal would come down to the language on the web site from which it was distributed (did it look like a hacker site advocating breaking in, or did it look like a site distributing security information for the purpose of improving the security of systems?).

Peter next spoke in general about his concerns that the treaty was too tailored to the law enforcement viewpoint. He said that he wasn't a conspiracy theorist, that he believed law enforcement generally was useful and beneficial and had reasonable concerns. But law enforcement is generally trying to make their own job easier and quicker, and in pursuing that, they don't necessarily have either enough concern for the rights of others, or a broad enough understanding of the overall problem to draft good legislation. In experience with past laws and treaties, he had observed a tendency for prosecutors working as law drafters, instead of saying "Ok, we'll change the wording", to say "Oh, we'd never use it to do that" and then leave the dubious wording in. Peter felt we needed to care about what the actual wording said and means, and not be satisfied with assurances that the treaty would or would not be used for particular purposes. "Watch the final wording like hawks, and lobby furiously both at the international level and the national level."

Next John McHugh spoke and expressed his concern that some of the information disclosure stuff could affect the likes of CERT. Around that time, I had to leave for my plane.

My own feeling at present is one of uncertainty. I want to have our lawyers review the current wording, rather than take DOJ's word for it. I have some instances of the potentially contraband items on my laptop as I write this, as I'm sure many of us do. I'm not yet reassured that my ability to do that will continue.

Stuart.
--
Stuart Staniford --- President --- Silicon Defense
stuart@silicondefense.com
(707) 445-4355
(707) 445-4222 (FAX)