Subject: Re: Draft Swiss AntiVirus regulation
Date: Thu, 14 Oct 93 09:53:34 -0400
From: shap@viper.cis.upenn.edu (Jonathan Shapiro)
To: brunnstein@rz.informatik.uni-hamburg.d400.de, bfi@ezinfo.vmsmail.ethz.ch
Cc: farber@central.cis.upenn.edu

Mr. Frigerio, Mr. Brunnstein:

I am pleased to see lawmakers using electronic information forums to
discuss electronic information issues. Let us hope that the United
States lawmakers will learn from you.

Regarding your proposed legislation:

###############################################################
Appendix 1:
Entwurf zu Art. 144 Abs. 2 des Schweizerischen Strafgesetzbuches
"Wer unbefugt elektronisch oder in vergleichbarer Weise gespeicherte oder
uebermittelte Daten loescht, veraendert oder unbrauchbar macht, oder Mittel,
die zum unbefugten Loeschen, Aendern oder Unbrauchbarmachen solcher Daten
bestimmt sind, herstellt oder anpreist, anbietet, zugaenglich macht oder
sonstwie in Verkehr bringt, wird, auf Antrag, mit der gleichen Strafe
belegt."
P.S.: gleiche Strafe = Busse oder Gefaengnis bis zu 3 Jahren;
bei grossem Schaden, bis zu 5 Jahren Gefaengnis sowie Verfolgung
von Amtes wegen (Offizialdelikt)
###############################################################
Draft of article 144 paragraph 2 of the Swiss Penal Code
(English translation)
Anyone, who, without authorization
- erases, modifies, or destructs electronically or similarly
saved or data,
or anyone who,
- creates, promotes, offers, makes available, or circulates in any way
means destined for unauthorized deletion, modification, or destruction
of such data,
will, if a complaint is filed, receive the same punishment.
P.S.: same punishment = fine or imprisonment for a term of up to
three years; in cases of a considerable damage, five years
with prosecution ex officio.
Author: Claudio G. Frigerio, Attorney-At-Law, Swiss Federal Office of
Information Technology and System, e-mail: bfi@ezinfo.vmsmail.ethz.ch

In my opinion, the proposed law has a serious flaw in the second
clause. You are attempting to make the distribution of knowledge
illegal, and this is not practical. It is also not in the public
interest.

Several years ago, the internet went through a long debate about a
related issue: Is it proper to distribute detailed documentation of
security holes over a public forum? Their conclusions were as
follows:

1. What you don't know CAN hurt you.

2. The knowledge is already out there, because the security
   hole is discovered when someone breaks in successfully.
   This means that there is no benefit to the public in
   keeping silent.

3. Most users are ignorant. If they are not told about
   security problems, they are unable to fix them, and are
   therefore vulnerable.

4. Vendors do not fix security holes without significant
   market pressure, which cannot be created if the public
   doesn't know about the holes.

Therefore, such knowledge should be widely disseminated.

This policy has been proven sound by the Internet Virus. What is
remarkable is not the number of machines that were victimized, but the
number that successfully *repelled* the attack. In addition, the fact
that the knowledge of the security problems was widespread allowed the
virus to be defeated within 48 hours.

I suggest that the issues for viruses are identical.

There are people who, in the public good, document and distribute the
code for viruses to ensure that the community is educated about the
latest techniques so they can defend themselves. You do not wish to
make their activities illegal.

Perhaps you should consider rewording the law to reflect this.

Jonathan S. Shapiro