Re: Draft Convention on Cybercrime

[Bart van Leeuwen <bart () ixori demon nl>]

> I'm not a lawyer either...but...it reads pretty clear to me.                  

Well..

Part of the document is quite clear, but another part is not:

What constitutes a crime in cyberspace is defined by the draft, but the
draft fails to define what constitutes 'having a right to connect'.

On the internet such a right is often implicit, ie, you do not specificly
grant someone the right to connect to your smtp server to deliver mail,
but because you participate in mail exchange and that would be impossible
without others being able to deliver mail to you it is imho unrealistic
to see that as an illegal connection if you didn't grant explicit
permission. It is rather important how the council understands this, and
the draft does not make that clear imho.

My take is that by connecting to the internet I grant others implicit
rights to communicate,, and as such, connect to my system.

That says nothing about attempting to abuse my system, that is a different
matter, and the draft imho fails to make that distinction at all.

However, looking at reality, I think my interpretation of this is likely
to be closer to the intentions of the council and the draft then the imho
over paranoid response that this means that any tool that allows for
connecting to another computer is banned.

Also, the draft uses words like primary, specifically, particularely. Is
nmap specifically made to break into computers? or particularlely? or
primarely? well... it provides information that can be usefull when
attempting to break into a computer, thats however not the same as
breaking into computers being the primary purpose of nmap.

So regardless of the fact that an important definition is not very clear,
which makes imho the entire document flawed, the part that directly
deals with such tools as nmap is clear about the fact that it has to be
the primary purpose of the tool. I fail to see how that can be applied to
nmap.

This implies that distributing nmap does not constitute distributing a
device which primary purpose is to perform a crime in cyberspace, and notr
does creating nmap constitute such a crime. 

If nmap would do things like automatically breaking passwords etc the line
might become too thin... but for now imho nmap stays clearly on the legal
side of the line if this draft is to become law in many places.

Anyway, I can see how using nmap for certain things is illegal accordibng
to the draftr, but making and distributing it?
I kinda doubt it.

Will scanning a host with nmap be illegal unnless you got explicit
permission to do so? that depends on how 'having the right to connect' is
interpreted. In my interpretation you do have that right, but only when
you do this for legal purposes.

Anyway.. its nice to diiscuss, but part of the document is too unclear
imho to have it make much sense ;-)

Bart van Leeuwen
-----------------------------------------------------------
 mailto:bart () ixori demon nl  -  http://www.ixori.demon.nl/
-----------------------------------------------------------

On Sat, 3 Jun 2000, Mike Black wrote:

> I'm not a lawyer either...but...it reads pretty clear to me.
>
> All of us that use nmap would NOT be in trouble...only the author, the
> web/ftp site and possibly this mailing list.
>
> Quote:
> a device, including a computer program, designed or adapted [specifically]
> [primarily] [particularly] for the purpose of committing any of the offences
> established in accordance with Article 2 - 5;
>
> The above offense and the definition below would say that making nmap and
> putting on a website for download would fit under the definition of "dolus
> eventualis" -- also know in Homer Simpson terms as "Doh!".  There's no way
> that an author or web/ftp site could say "well gee, we didn't think it would
> be used for bad purposes".  It's only a little bit of a stretch to say that
> a mailing list is a "piece of software" that educates users how to do bad
> things (note -- I'm not talking about majordomo here...but the specific
> mailing list).  Hacker websites would most certainly be targeted.
>
> (6) In the understanding of certain members of the Drafting Group, "intent"
> may also cover "dolus eventualis". For common law countries, this notion
> would be similar to "recklessness", i.e. that a person is aware of the high
> risk that a certain result may occur and knowingly accepts it. The Drafting
> Group agreed that the interpretation of "intent" should be left to national
> laws, but it should not, where possible, exclude "dolus eventualis".
>
>
> ----- Original Message -----
> From: "Bart van Leeuwen" <bart () ixori demon nl>
> To: "Matt Marnell" <coldfuzion () coldfuzion net>; <nmap-hackers () insecure org>
> Sent: Friday, June 02, 2000 6:38 PM
> Subject: Re: Draft Convention on Cybercrime
>
>
>
>
> --------------------------------------------------
> For help using this (nmap-hackers) mailing list, send a blank email to 
> nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).