Information Security News mailing list archives
Cybercrime treaty targets hackers
From: InfoSec News <isn () C4I ORG>
Date: Tue, 24 Oct 2000 18:01:27 -0500
http://www.msnbc.com/news/480734.asp

By Bob Sullivan
MSNBC
Oct. 24, 2000

AMSTERDAM - Meet the world's newest class of persecuted artists: computer hackers. European Union nations, and perhaps even the United States, are about to make nearly any form of hacking, even security research, illegal by treaty. The possibility scares a group of top European computer security experts gathered in Amsterdam this week so much that one declared, "It's the witch hunt of the 21st century."

Use the term computer hacker and you've already touched off a battle of semantics that leaves many scratching their heads. That's part of the problem with The Council of Europe's Draft Cybercrime Treaty, authored by the 41-nation body in consultation with the U.S. Department of Justice. It could be signed as early as December.

To computer scientists, hacking merely means research by disassembly. The end result of hacking is understanding how something works and occasionally suggesting an improvement. Using such knowledge to break into computers to steal information is, well, stealing, not hacking, according to purists.

Computer hackers say the distinction was lost upon the Council of Europe earlier this year when it agreed in principle to the Draft Cybercrime Treaty. The treaty makes it illegal to write or possess hacking software. Currently, both are legal in the U.S.

The treaty even includes aiding and abetting rules that appear to make the publishing of software vulnerabilities or exploits illegal, according to U.S.-based cyberlaw expert Jennifer Granick. That could make vulnerability mailing lists like BugTraq and NTBugTraq, both with well over 30,000 subscribers, illegal, she said.

"They are just afraid of things they don't understand, things that they cannot control," said Stefen Buerger, a Germany-based security professional. "Yes, we might end up chasing witches."

TREATY SCARES HACKERS

At a two-day gathering in Amsterdam designed to discuss technical computer security issues, Granick's discussion of the treaty drew swift, emotional response.

"This would have a terrible chilling effect on security research," said Scott Blake, a Boston-based security professional. He belongs to a research group that sent letters of protest to the Council of Europe when the draft treaty was first released in April. A revised version of the treaty, which was to have included updates based on an open public comment period, was released last month with no changes on the hacking software issue.

"They basically just ignored us," Blake said.

It's hard to find an appropriate comparison to determine whether mere possession of software should be illegal. In the U.S., possession of drug paraphernalia, even for novelty, is illegal in most states. Ownership of some kinds of lock-picking devices is illegal. But possession of bomb-making recipes is not.

Hacking software poses special challenges because most of the tools have two equal uses, Granick says. For example, a popular hacking tool called nMap connects to a remote computer and tells the user if that computer has any open ports that can be used to establish a connection. Finding such a port is often the first step in a computer attack, making nMap popular among attackers. But the program is equally popular with network administrators who want to check their own systems for open ports.

The Council of Europe has promised to provide a list of exceptions to the treaty, and professional network administrators will likely end up exempt. But hackers at the Amsterdam conference were still worried about the plight of the thousands of hobbyists who currently research vulnerabilities in their spare time and in good faith. And software writers such as the author of nMap would likely be offered no legal protection.

The wide-ranging draft treaty also includes extradition agreements and other controversial elements, such as requirements for Internet service providers and network administrators to help police by maintaining detailed logs of all network activity.

POLICE WANT TOUGHER CYBERLAWS

European police agencies say they desperately need some kind of help to stem a tidal wave of this new, borderless cybercrime. Stuart Hyde, chief superintendent of police in West Yorkshire and a British cybercrime expert, told the hackers European nations need new laws to deal with complicated issues like jurisdiction and evidence transportation.

"In part because of the ingenuity of lawyers and the ingenuity of [computer criminals] to get around the laws we've got, the laws we've got aren't sufficient," Hyde said. "The draft convention ... will make it much easier for people to investigate. It will have an immense impact."

Not every hacker found the law offensive. One system administrator compared the discussion to the gun control debate familiar to U.S. residents.

"It's like arms control," said a German-based hacker, who requested anonymity. "Saying you can't walk around with a loaded gun produces safety. You can compare an exploit to a fully-loaded weapon. Making exploits illegal could decrease the number of hacked boxes."

But others openly questioned the existence of a massive cybercrime outbreak requiring bold legislation.

"Cybercrime just doesn't pay," said one hacker who requested anonymity. "Other forms of criminal activity are much more lucrative. And if you are a hacker, you are smart enough to know that any crime which would pay, you'd have to deal with people who could hurt you. All the hackers who could do this have good-paying jobs they wouldn't want to lose."

Instead, another hacker suggested, the cybercrime outbreak is nothing more than noisy teen-agers committing high-profile, low-impact Web site hacks. But those crimes are being used as rationale by governments and law enforcement agencies to pass highly restrictive laws.

"There is a certain hysteria about cybercrime," the hacker said. "But I don't think anyone has stolen money from a bank using the Internet yet."

And Granick fears the Council of Europe, in an effort to create consensus, has rushed forward and created a legal document with far-reaching ramifications, but without far-reaching insight.

ISN is hosted by SecurityFocus.com