Hi2all
It's nice to see that some people here share my concerns about this. Like
software, laws got holes, so laws about software usually have 'the best' of
both worlds. I did have some interesting 'issues' in my life about this, but
this is not the point, this is just a kind of justification about my
interest in the issue.
This draft is horribly incomplete, opens possibly dangerous legislative backdoors and generally is no good basis for further discussion/legislation in the area of computer security. What the makers of this draft don't want to understand is that even the most strict laws are nonsense if the person you want to hit with this law can not be found out. And we all know how difficult it is to trace a hacker or even get a general idea where he or she was coming from when he or she attacks several hosts.
Some may say that it's a good thing to prohibit and/or illegalize the production of trojan programs like back orifice or netbus which are clearly programmed to cause trouble and to overtake foreign systems, but where do
stop? Do they (the European Council) really intend to prohibit security apps like nmap, sniffit or the like? Are they up to lay the power of network security investigations in the hands of big companies who are able to
Danger #1: If they are not sure if the suspect is the right suspect, but since he had 'illegal' software, is a defendant anyway (and the witch hunt will start right here). they proof
(with lots of bakshish) that they are using their security tools "according the law"?
Danger #2: If a 'certified' vendor makes the tool, it's legal. A private team makes a tool of the same kind (sometimes better), it's illegal (we have seen this before, haven't we?)
The whole draft convention reads like an NSA paper in certain parts, especially where speech turns to collection and archiving of traffic data. I don't want to spread the fear of the "big brother", but I for myself would be much more alert and subversive if this convention turns into reality - and that is what most criminal elements will do, too; the real bad boys know how to protect themselves from being caught, regardless whether there are renewed laws or not.
Danger #3: Again, the small fish is in trouble while the big fish will be
out of danger
Any chance this legislation could be MS sponsored? Who is actually the brainchild of this draconian document? Somehow I just cannot see some old MEP in Brussels formulating this for obvious reasons.
I would say it is when it'll make things like nmap and tcpdump illegal. Of course once the treaty passes there is still a large window before countries pass laws to actually implement it, but this treaty scares the bejezus out of me, lists like Linux-Security will also be illegal, and vendor advisories
Today I listened to a local 'economist' guru saying that what will happen in
the future will be worldwide corps sponsoring and choosing governments. I
suppose MS is big enough for that, the sponsorship is just not clear, if it
exists anyway, but who knows? I don't know, but I'll not be surprised even.
There was an issue that was not public, the 128-bit upgrade of IE, that was
supposed not to be available outside US and Canada. The fact was that it was
available worldwide, under a simple condition. Then they changed their policy
and let local authorities handle that. Probably now, they luv to see
'proper' laws approved...
show how to exploit a problem would also be illegal (my interpretation might be wrong, but the way the treaty is going ..... ).
Law Hole #1: All laws that the EU approves must be regulated in each country. Before that it just continues to be a draft.
Law Hole #2: They say there will be exceptions to the law, like for legal system administrators, so I just have to create an enterprise about Security Consulting, and all staff will be 'legal'. And I will not have to pay salaries, people will pay me for having a job :>
Final note about other mails regarding the Microsoft hack, passwords from their servers were always travelling around the globe, now that was public ;) (I'm afraid to say that only now they have discovered that)
[ ]'s bacano