Information Security News mailing list archives

Cybercrime treaty targets hackers


From: InfoSec News <isn () C4I ORG>
Date: Tue, 24 Oct 2000 18:01:27 -0500

http://www.msnbc.com/news/480734.asp

By Bob Sullivan
MSNBC
Oct. 24, 2000

AMSTERDAM, Meet the world's newest class of persecuted artists:
computer hackers. European Union nations, and perhaps even the United
States, are about to make nearly any form of hacking, even security
research, illegal by treaty. The possibility scares a group of top
European computer security experts gathered in Amsterdam this week so
much that one declared, "It's the witch hunt of the 21st century."

Use the term "computer hacker" and you've already touched off a battle
of semantics that leaves many scratching their heads. That's part of
the problem with the Council of Europe's Draft Cybercrime Treaty,
authored by the 41-nation body in consultation with the U.S.
Department of Justice. It could be signed as early as December.

To computer scientists, hacking merely means research by dis-assembly.
The end result of hacking is understanding how something works and
occasionally suggesting an improvement. Using such knowledge to break
into computers to steal information is, well, stealing, not hacking,
according to purists.

Computer hackers say the distinction was lost upon the Council of
Europe earlier this year when it agreed in principle to the Draft
Cybercrime Treaty. The treaty makes it illegal to write or possess
hacking software. Currently, both are legal in the U.S.

The treaty even includes aiding and abetting rules that appear to make
the publishing of software vulnerabilities or exploits illegal,
according to U.S.-based cyberlaw expert Jennifer Granick. That could
make vulnerability mailing lists like BugTraq and NTBugTraq, both with
well over 30,000 subscribers, illegal, she said.

"They are just afraid of things they don't understand, things that
they cannot control," said Stefen Buerger, a Germany-based security
professional. "Yes, we might end up chasing witches."

TREATY SCARES HACKERS

At a two-day gathering in Amsterdam designed to discuss technical
computer security issues, Granick's discussion of the treaty drew
swift, emotional response.

"This would have a terrible chilling effect on security research,"
said Scott Blake, a Boston-based security professional. He belongs to
a research group that sent letters of protest to the Council of Europe
when the draft treaty was first released in April. A revised version
of the treaty, which was to have included updates based on an open
public comment period, was released last month with no changes on the
hacking software issue. "They basically just ignored us," Blake said.

It's hard to find an appropriate comparison to determine whether mere
possession of software should be illegal. In the U.S., possession of
drug paraphernalia, even for novelty, is illegal in most states.
Ownership of some kinds of lock-picking devices is illegal. But
possession of bomb-making recipes is not.

Hacking software poses special challenges because most of the tools
have two equal uses, Granick says. For example, a popular hacking tool
called nMap connects to a remote computer and tells the user if that
computer has any open ports that can be used to establish a
connection. Finding such a port is often the first step in a computer
attack, making nMap popular among attackers. But the program is
equally popular with network administrators who want to check their
own systems for open ports.

The Council of Europe has promised to provide a list of exceptions to
the treaty, and professional network administrators will likely end up
exempt. But hackers at the Amsterdam conference were still worried
about the plight of the thousands of hobbyists who currently research
vulnerabilities in their spare time and in good faith. And software
writers such as the author of nMap would likely be offered no legal
protection.

The wide-ranging draft treaty also includes extradition agreements and
other controversial elements, such as requirements for Internet
service providers and network administrators to help police by
maintaining detailed logs of all network activity.

POLICE WANT TOUGHER CYBERLAWS

European police agencies say they desperately need some kind of help
to stem a tidal wave of this new, borderless cybercrime. Stuart Hyde,
chief superintendent of police in West Yorkshire and a British
cybercrime expert, told the hackers European nations need new laws to
deal with complicated issues like jurisdiction and evidence
transportation.

"In part because of the ingenuity of lawyers and the ingenuity of
[computer criminals] to get around the laws we've got, the laws we've
got aren't sufficient," Hyde said. "The draft convention.will make it
much easier for people to investigate. It will have an immense impact."

Not every hacker found the law offensive. One system administrator
compared the discussion to the gun control debate familiar to U.S.
residents.

"It's like arms control," said a German-based hacker, who requested
anonymity. "Saying you can't walk around with a loaded gun produces
safety. You can compare an exploit to a fully-loaded weapon. Making
exploits illegal could decrease the number of hacked boxes."

But others openly questioned the existence of a massive cybercrime
outbreak requiring bold legislation.

"Cybercrime just doesn't pay," said one hacker who requested
anonymity. "Other forms of criminal activity are much more lucrative.
And if you are a hacker, you are smart enough to know that any crime
which would pay you'd have to deal with people who could hurt you. All
the hackers who could do this have good-paying jobs they wouldn't want
to lose."

Instead, another hacker suggested, the cybercrime outbreak is nothing
more than noisy teen-agers committing high-profile, low-impact Web
site hacks. But those crimes are being used as rationale by
governments and law enforcement agencies to pass highly restrictive
laws.

"There is a certain hysteria about cybercrime," the hacker said. "But
I don't think anyone has stolen money from a bank using the Internet
yet."

And Granick fears the Council of Europe, in an effort to create consensus,
has rushed forward and created a legal document with far-reaching
ramifications, but without far-reaching insight.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".

