Nmap Announce mailing list archives
RE: Draft Convention on Cybercrime
From: Marjorie Simmons <lawyer () usit net>
Date: Sat, 3 Jun 2000 17:16:21 -0400
With my lawyer's hat on (I am a lawyer), I agree with Dale. It bears pointing out also that, as some of the posts in this thread are from US citizens, the US is not a member of the Council whose draft of a proposed legal-consortium this is, and this type of attempt at sweeping, all-inclusive legislative one-size-fits-all action is one reason. (Nor, for that matter, are Canada or Japan members, amongst others.)

The focus of criminal law, in most countries, is based on conceptions of what constitutes an intentional, wrongful act that surpasses mere negligence (a tort). Inadvertent actions lack the requisite and primary factor of intent. Some acts may be adjudged criminal while lacking actual intent, as intent may be inferred given an individual set of facts & circumstances.

Therefore, in any discussion of the proposed criminalization of scanning tools, one must look to (1) the tool's designed purpose -- for which Fyodor must be consulted, (2) to the reasonability of its use for that purpose given the tool's stated design purpose, which may be inferred from the tool's contemporary employment by systems people the world 'round, and (3) the tool's actual use within the scope of a wrongful act.

In the US, Nmap as it stands now, is as any tool which has a useful, non-criminal purpose, which yet may be employed as a tool within the array of tools used by someone who commits a criminal act. I could kill someone with a toaster as well as with a knife, but the character of neither item bears an outright ban on its use, possession, or transfer. A gun, on the other hand, is designed for the primary purpose of killing, and as such, is subject to rather stringent governmental controls in most countries. Nmap is a tool that is in between knives and guns: it has the capacity to be used in an active fashion that may injure, and the designed purpose for use in a passive fashion that simply identifies and logs activity at the doors of a given system in order to alert and provide data for strengthening a vulnerable system.

I expect when the dust settles, the Council's efforts will, after much revision and some partially successful implementation & litigation, effect controls on such tools that are more stringent in some European countries than in others, but that does not ultimately ban them outright in all cases.

As far as Nmap is concerned, what is needed is a PR campaign that substantiates its rightful place amongst the respected toolbox items in general use of any competent systems person or security organization. Taking a proactive stance in this way now will go a long way toward staving off governmental attempts to criminalize it conceptually by those who lack the technical ability to differentiate it from "guns".

Just my .02.

Marjorie

Marjorie Simmons, Esq.
lawyer () usit net
~~~~~~~~~~
The Act

On Saturday, June 03, 2000 10:45 am, dhaag [SMTP:dhaag () net-defender net] wrote:
I have watched this thread and have to interject in order to make a few points clear to everyone.

> All of us that use nmap would NOT be in trouble...only the author, the web/ftp site and possibly this mailing list.

Dead Wrong. No more than a library is guilty of terrorism because it has books on terrorism. The Constitution and its Amendments supersede and apply here. The author is not, and could not be found to be, guilty of anything, as long as the program or software was not "specifically" designed to be used in a criminal activity as defined in the act.

> Quote: a device, including a computer program, designed or adapted [specifically] [primarily] [particularly] for the purpose of committing any of the offences established in accordance with Article 2 - 5;
>
> The above offense and the definition below would say that making nmap and putting on a website for download would fit under the definition of "dolus eventualis" -- also known in Homer Simpson terms as "Doh!". There's no way that an author or web/ftp site could say "well gee, we didn't think it would be used for bad purposes". It's only a little bit of a stretch to say that a mailing list is a "piece of software" that educates users how to do bad things (note -- I'm not talking about majordomo here...but the specific mailing list). Hacker websites would most certainly be targeted.

Wrong again. NMap, to the best of my knowledge, is not [specifically] [primarily] [particularly] designed or intended to commit any of the offences listed. It is a security review tool for legal use by authorized individuals in the maintenance and upkeep of their network and systems. The same as other products that assist in network tuning, such as NetXray, Openview, ISS Security Scanner, and a plethora of others. List groups that discuss the software or technology, as well as "hacker sites" that do not promote the software for illegal purposes would not be affected. This is covered under the 1st amendment.

> (6) In the understanding of certain members of the Drafting Group, "intent" may also cover "dolus eventualis". For common law countries, this notion would be similar to "recklessness", i.e. that a person is aware of the high risk that a certain result may occur and knowingly accepts it. The Drafting Group agreed that the interpretation of "intent" should be left to national laws, but it should not, where possible, exclude "dolus eventualis".

Whether or not this ever makes it into the act is totally irrelevant. The courts would not allow it to be used in a prosecution due to "breadth of scope" and vagueness. "Dolus Eventualis" would never fly, if it did, one could also apply Dolus Eventualis in across the board litigation. As an example, you buy a new car - you drive the new car - you have an accident in the new car and are injured severely - you cannot sue the manufacturer using Dolus Eventualis as a basis, even though the manufacturer was aware of the high risk that a certain result (injurious accidents) would occur, and knowingly accepted the risk by continuing to manufacture automobiles. Just imagine the class actions that could be pursued on something so broad and vague as Dolus Eventualis.

As in any "Draft" there is much to be hashed out. And, just because it may or may not become Law, it still has to stand the test before the courts. Which, in its present state, it would not do.

Just my two cents worth.

Dale Haag CCSA/CCSE/CCSI/CNTE/CIE/CFE/CCI/CFT/VCS/CSI/ICSA/ISSA/HTCIA/HTCN/HTCC
President
Net-Defender
Seabrook, TX 77586
(281) 532-1488 voice
(877)733-5451 fax
http://www.net-defender.net

--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).