It's a logical step for the European Council to take action against what they call "cybercrime". They try to establish a convention covering the illicit activities of hackers, crackers, smashers, DoS'ers, pedophiliacs - and, to some extent - the legal activities of security administrators/companies.
Article 6 ("illegal devices") of this draft convention states that "a device, including a computer program, designed or adapted [specifically] [primarily] [particularly] for the purpose of committing any of the offences established in accordance with Article 2-5;" shall be illegalized. The Articles 2-5 deal with hacking (2), sniffing (3), spoofing (4) and DoS'ing (5) of computer systems.
This draft is horribly incomplete, opens possibly dangerous legislative backdoors and generally is no good basis for further discussion/legislation in the area of computer security. What the makers of this draft don't want to understand is that even the most strict laws are nonsense if the person you want to hit with this law cannot be found out. And we all know how difficult it is to trace a hacker or even get a general idea where he or she was coming from when he or she attacks several hosts.
Some may say that it's a good thing to prohibit and/or illegalize the production of trojan programs like Back Orifice or NetBus which are clearly programmed to cause trouble and to overtake foreign systems, but where do they stop? Do they (the European Council) really intend to prohibit security apps like nmap, sniffit or the like? Are they up to lay the power of network security investigations in the hands of big companies who are able to prove (with lots of bakshish) that they are using their security tools "according to the law"? The whole draft convention reads like an NSA paper in certain parts, especially where speech turns to collection and archiving of traffic data.
I don't want to spread the fear of the "big brother", but I for myself would be much more alert and subversive if this convention turns into reality - and that is what most criminal elements will do, too; the real bad boys know how to protect themselves from being caught, regardless whether there are renewed laws or not.
I will comment on this draft convention and send some complaints to daj@coe.int (as stated in the draft) to express my doubts; I suggest you consider this, too. Legislation is not courtesy of the European Council but of all of us.
Boris
---
On 26-Oct-00 bacano wrote:
http://conventions.coe.int/treaty/en/projets/cybercrime.htm
What does this have to do with SuSE, you may ask. The answer is simple: several tools included in SuSE, such as nmap, will be illegal if this becomes law in Europe. The "production, sale, procurement for use, import, distribution or otherwise making available of" these tools will be illegal.
I'd like to hear what the SuSE Security Team has to say about this, and of course all other people in the list (soon many of us - if not all - will just be criminals by this law).
In that URL you can read the draft and send the comments you may feel proper.
[ ]'s bacano