I actually like articles 7, 8, 9, 10 and 11. It requires banning the development and sale of things like Pegasus, rootkits etc.
If your software is only intended to demonstrate the existence of a security flaw but contains no payload, then it is less obviously criminal. Still technically so, I suppose, but not so obviously that you couldn't make some kind of argument.
The collection of traffic and 'content' data is not beneficial though, so I suppose the treaty has to go for that reason.
> While establishing a basis for "mutual legal assistance", assistance may be denied "if the authorities of the requested State Party would be prohibited by its domestic law from carrying out the action requested with regard to any similar offence, had it been subject to investigation, prosecution or judicial proceedings under their own jurisdiction".
> But: a State Party "shall not decline to act" under the provisions of the freezing, seizure and confiscation of the proceeds of crime "on the ground of bank secrecy". The Convention is expected to be adopted by the end of the year.
So Russia and any other country can ask for records on any US person they want under a pretext of committing some crime there, and unless the US is itself investigating this party then it's allowed? & conversely, if the US tried to do this, Russia or any hostile country can just claim they're investigating said persons in crimes? Surely my reading of this is absurd & it's not actually this badly written?
It's particularly telling that it was Russia & China who proposed it in 2017 in the first place.
Say a foreign law enforcement entity is investigating Mr X, and asking a domestic authority for some information on Mr X.
The treaty says that generally speaking, the domestic authority should provide such assistance.
However, assume that instead another domestic law enforcement entity was asking the domestic authority for information on Mr X, but (under purely domestic jurisdiction) the domestic authority would be prohibited from providing such assistance for some reason (say, due to privacy laws, procedural protections, or so).
Then, the foreign law enforcement entity would not be entitled to the assistance, either.
> If your software is only intended to demonstrate the existence of a security flaw but contains no payload, then it is less obviously criminal. Still technically so, I suppose, but not so obviously that you couldn't make some kind of argument.
I do not see anything criminal at all in writing some malware or exploits. _Applying_ them to a system, where they might cause damage however, that is a completely different matter.
You don't go after the blacksmith or manufacturer of kitchen knives or guns either. You go after the one using them for the wrong purpose.
It's often the intentions that matter. Doing X may not be a crime, but doing it with the intention to commit crime could be. And while outsiders can't know the true intentions, courts are often happy to accept the intentions seen by a "reasonable person" as the truth. Which means that if you want to write malware, you should look like a respectable person and not do anything too shady.
I find it hard to believe that Russia and China originated this idea in 2017.
Most ransomware gangs are believed to operate from countries with limited or non-existent extradition agreements with Western nations, making it difficult for law enforcement to apprehend them. Some of the countries where these gangs are thought to be based include:
Russia: Many of the most notorious ransomware groups are believed to operate out of Russia. The country is often seen as a safe haven for cybercriminals due to the lack of cooperation with Western law enforcement and the protection of criminals who avoid targeting Russian entities.
Eastern Europe: Several ransomware gangs are also thought to be based in other Eastern European countries, such as Ukraine and Belarus. These regions have a history of cybercriminal activity, partly due to their technical expertise and the geopolitical environment.
Iran: There are also reports of ransomware gangs operating out of Iran, often with links to state-sponsored activities.
North Korea: North Korea has been linked to several high-profile ransomware attacks, and it is believed that the regime uses ransomware as a means of generating revenue.
At some point the corporate espionage/sabotage and whatever sales taxes they get from funds stolen abroad are worth less than the potential earnings of money leaving the country.
> Our analysis reveals several notable patterns. First, we observe an increase in the frequency of attacks by Russia-based ransomware groups leading up to elections in several major democracies, with no similar increase in attacks by groups based outside of Russia. Second, companies that withdrew from or suspended operations in Russia following the invasion of Ukraine were more likely to experience ransomware attacks in the months following the invasion, potentially indicating retaliatory motives. Third, we find a decline in the number of daily ransomware attacks after the invasion, which could be attributed to Russia enlisting ransomware operators to support its cyber offensive against Ukraine.
Maybe not directly, but definitely indirectly. To avoid arrest, those criminals can't leave the Russian sphere of control, so they need to spend their ill-gotten gains in Russia. This feeds the local economy, over which the Russian authorities collect taxes.
I wonder if it can be challenged in the ICJ, if any of the countries previously considered safe would follow it to the letter regarding mass surveillance. As for security research and whistleblowing, that may be covered by laws as legitimate activities, making them outside of the scope (and that would be a much better approach).
If I'm not wrong, if you are in a "free" country and you develop software to help Chinese people bypass the great firewall of China, by international convention your country would have to arrest you and share with China all the data about you and your equipment?
That's the dismal tradeoff with such things. Anything that can be used to help dissidents can also be used to help organized crime. Cryptocurrency, end-to-end encryption, Tor all ended up with this fate.
That's because from the perspective of an authoritarian state, there is no meaningful difference between political activists and ransomware gangs. Both are dastardly cybercriminals.
I've never heard of The Rage before, given the name I'm going to assume that they're deliberately phrasing things to be rage-bait. But even with that in mind, this seems insane. What are the odds of this actually happening? I have no idea how UN laws/treaties/conventions/whatevers are decided upon.
I understand national governments being obsessed with totalitarian surveillance states, but what's in it for the UN? Aside from pandering to Russia & China? I might have more respect for the UN if they were actually capable of being useful (e.g. stopping the Russo-Ukrainian war), but now they're turning impotence into active malice?
The passage of the treaty is significant and establishes for the first time a global-level cybercrime and data access-enabling legal framework. The treaty was adopted late Thursday by the body’s Ad Hoc Committee on Cybercrime and will next go to the General Assembly for a vote in the fall. It is expected to sail through the General Assembly since the same states will be voting on it there.
Advocates including the Biden administration said the deal reflects the interests of the U.S. and its allies. It balances privacy concerns with the need for every country to pursue criminal activity around the world, the Biden administration said. “We see this convention as a means to expand global law-enforcement cooperation.” The treaty — expected to win General Assembly approval within months — creates a framework for nations to cooperate against internet-related crimes. Once approved by the General Assembly, the treaty becomes law upon the approval of 40 nations.
> IMO it is good that norms around offensive security are being formulated at the nation state level, especially because major nations like China, Russia, Iran, NK, SK, India, Pakistan, UAE, Saudi Arabia, Singapore, Indonesia, and Malaysia are NOT signatories of the Budapest Convention on Cybercrime. This seems to be an attempt at creating a detente between China, US, Russia, etc over cyber espionage attempts on each other. Realistically, offensive operations under direct nation-state control will continue, but this narrows the scope for gray-zone operations using a third party (Appin/India, LockBit/Russia, ChamelGang/China or NK).
That's not.... state sponsored hacking. That's testing vulnerabilities by a small-time criminal enterprise called Mossad aided by a small battalion of henchmen collectively called the US army.
Stuxnet wasn't an attack on foreign soil, on foreign secure facilities, it was merely nothing.
On the other hand, oh my my. Iran and Russia and China are using AI to manipulate American elections. We must censor them and stop them from destroying democracy.
The largest holders of money from crime are in the banks and real estate of the west. Where do most of the dictators and their families go and live after they are removed from power? So blaming Russia and China might get you a good sound bite in the west, but the rest of the world just sees it as western hypocrisy.
Anyone know a good resource for searching through old DEFCON presentations? There's a couple I'd like to link in such cases, which will of course be swiftly taken down by the Dan, but maybe some lost soul will get the hint.
It's easy - the civilized world will follow the rule of law and they will still do whatever they want, but now with the additional benefits of pointing fingers and possibly gaining additional information for their attacks.
> Russia and China, the homes of state sponsored hacking
Your comment might be suggesting that state sponsored hacking is something only China and Russia do. In this case, I have got a few bridges to sell you.
UN cybercrime treaty unanimously approved, https://news.ycombinator.com/item?id=41210110
EFF concerns, https://news.ycombinator.com/item?id=41207987
MaaS (malware-as-a-product) is certainly criminal. There’s no legitimate purpose in writing control servers or admin panels for DDOS or ransomware.
https://cyber.fsi.stanford.edu/news/new-paper-assessing-poli...
https://therecord.media/un-cybercrime-treaty-passes-unanimou...
https://apnews.com/article/united-nations-cybercrime-compute...
https://news.ycombinator.com/item?id=41211961
Stuxnet?
Oooolala