By Kurt Seifried (kurt@seifried.org)
This was originally written in July of 2000; it still applies.
July 19, 2000 - The Council of Europe recently released a draft of a document called the “Draft Convention on Cybercrime.” This document is meant as an international treaty governing “cybercrime” and an attempt to standardize law for easier prosecution of attackers (some countries have no laws specifically governing computer attacks).
The creators of this document surely work from the best of intentions, but they do not fully comprehend the gravity of some of their proposals. Given the lack of technical awareness on the part of most politicians, lawyers, etc., the present circumstance is unsurprising. While to non-technical parties the proposals presented in the convention may appear reasonable, close examination makes it obvious they will do a great deal of damage to computer security efforts.
In my opinion, one of the most damaging portions is the following:
Article 6 - Illegal Devices
Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law when committed intentionally and without right:
As I read this (and discussion on various mailing lists parallels my reading), it would be illegal to possess, use or distribute “exploit” code in any form. This will severely damage computer security efforts in many regards:
- Vendors will worry less about exploit code being publicly released. Many commercial vendors do not release security fixes promptly, and the public release of exploit code prods them to fix problems. And since only the bad guys will have exploit code, chances are this will not seriously slow them down. (If you’re willing to break at least one law, chances are you will break others.)
- Without the necessary exploit code, vendors and other programmers will have a much harder time determining what the problems are (okay, we know this FTP server package is broken… hmm… where to start?). This means attackers will have a lot more time to exploit security breaches; moreover, chances increase for other programmers to make the same mistakes.
- Attackers will have an easier time, in general. Since security professionals will not legally be able to view exploit code, they will be denied an educational resource. For example, in the recent attacks on WuFTPD, the available exploit code publicized a serious type of flaw very common to software packages. Improper validation of user data has always been a known problem, but many people have ignored it. With the release of the exploit code, the problem became more public, and the resulting discussion encouraged people to fix and prevent the problem in future.
- Defenders will find it highly difficult to test the security of their systems. With all due respect to the efficiency of products like CyberCop and ISS in locating problems, sometimes you actually have to run the attack to make sure it won’t work. For example, Nessus, an OpenSource intrusion scanner, has the option to actually execute denial-of-service attacks, which very quickly reveals whether you are vulnerable or not. Under the proposed legislation, penetration tests would no longer be possible. Major corporations could not know where security problems lie in their network.
The simple fact is this: The “hacker” (I should use the word “cracker”) community is very good at internal communications. As soon as an exploit is found, associates of the discoverer are notified, and one of them comes up with exploit code. These groups of hackers typically share among themselves, and sometimes with outside parties. Ultimately, the chances are good that the code will leak out to less skilled attackers (commonly referred to as script kiddies).
In one case, I was inadvertently sent a new type of exploit that made breaking into Linux boxes quite a bit easier. The sender then emailed me again, saying, “Oops, please delete and ignore the last email.” If I were a script kiddie, I would have taken the code and run with it, infecting many (sometimes thousands) of machines. For each machine the kiddies break into, recovery costs can range upwards of several thousand dollars (not counting lost productivity and attacks launched at other sites).
An open letter has been written concerning this issue (see http://www.gilc.org/privacy/coe-letter-1200.html), with an interesting list of signatories. They include security organizations such as SANS (one of the largest US computer security organizations), and several CERT organizations (people at the front lines of computer security). Even more worth noting are the corporations that have signed, not only makers of products to be impacted, such as Network Associates (makers of a number of computer security products), but also such companies as Ernst & Young LLP, IBM and Cisco.
Note the response by Marcus J. Ranum, head of NFR (Network Flight Recorder). NFR makes a network intrusion detection system, basically a machine that looks at network traffic and detects attacks, and then alerts network administrators. Without exploit code, NFR’s job will be much more difficult, as they could not legally download exploit code, run it against test systems and monitor the results.
To create new signatures of attacks, they would have to observe the attacks in progress and then figure out what happened — a much more time- and energy-consuming process. Not to mention the damage to be done to customers currently relying on NFR to help secure their networks; or any customers with intrusion detection products, for that matter!
To add to the fire, there is more than one major problem in the draft convention. Certain articles concern the interception, storage, disclosure and preservation of data. Oddly enough, both articles regarding interception of data are missing: Articles 18 and 28 are “Under discussion,” without even a hint given as to what is planned.
Each article ends, “The powers and procedures referred to in the present article shall be subject to conditions and safeguards as provided for under national law.” Unfortunately, some governments have shown a distressing tendency to try to remove personal freedoms and liberties under the guise of controlling computer-related crime. The most (in)famous of all of these would be the RIP bill in England, which criminalizes the refusal to disclose encryption keys to the police, thus removing the right (common in most countries) not to incriminate oneself.
If it were just I railing against the Convention on Cybercrime, you might easily dismiss me. But people like Eugene Schultz, Bruce Schneier, Crispin Cowan, Elias Levy and Casper Dik have signed the open letter, and the issues will not be easily dismissed (if you are unfamiliar with these names, you are advised to search the web and read their papers and published books). If you wish to make comments, send email to daj@coe.int. Hopefully, with enough people in the security community expressing concern, this convention will be modified appropriately or scrapped entirely.
Just for the Record
I dislike the word “Cybercrime,” not because of its trendy buzzword conformity, but because the vast majority of people have no idea what it means, or have widely differing views on its meaning. Almost all white collar crime nowadays involves computers to some extent (email, records keeping). Case in point: www.cybercrime.org is “The National White Collar Crime Center.” If someone knows the actual definition of “cybercrime,” I’d love to hear it.
Related Links
http://conventions.coe.int/treaty/en/projets/cybercrime.htm
http://www.cerias.purdue.edu/homes/spaf/coe/TREATY_LETTER.html