Government shuns ethical hacker safeguards

Powered by SC Magazine
 

Rejection of industry submissions was "disgusting".

View larger image View larger image View larger image

See all pictures here »

The Australian Government has rejected efforts to create legal safeguards for ethical hacking, according to a UNSW researcher.

Researcher Alana Maurushat was among several security professionals to raise the idea during the recent reviews of Australia’s cybercrime laws.

Maurushat told SC Magazine’s Security on the Move conference yesterday that rejection of the proposal "infuriates me to no end."

“They asked me to make submissions; I said I couldn’t do it; They gave me extensions, so I went out of my way and took two days off, as many [industry professionals] may have, and they did not take on one suggestion in two years – disgusting.”

Maurushat and “many others” argued that Australia requires a “security research exemption” because the law “does not distinguish the motivation for hacking”.

She cited the case of OSI Security researcher Patrick Webster who was hit with legal threats after he quietly disclosed vulnerabilities to First State Superannuation. Those charges were eventually dropped following media pressure.

“It is up the public prosecutor whether or not to prosecute [a hacker] for a crime ... it leaves too much open to general discretion.”

The safeguards could also afford protection to some grey hat hackers similar to the Anonymous collective and LulzSec, and at minimum would ensure they were not simply arrested, she said.

Maurushat was pitching the ethical hacking standards dumped by Australia to the Canadian Government and said she hoped the effort to pay off within three years.

If it did, Canada would be the first country to have safeguards for ethical hacking.

Australia was “a long time” away, she said, since reviewed cybercrime bills had already passed.

The Federal Government had also rejected a parliamentary committee to discuss the legality of hacking-back. “They decided it was too hard and the decided to let the courts decide – that’s comforting.”

Maurushat suggested trust organisations could act as mediators for ethical hacking incidents, including proactive removal of malware on user computers. She also believed insurance companies could develop policies to cover this practice.

Marco Ostini, senior security analyst at AusCERT said he found the idea of removing malware from a victim without their consent challenging.

"Ethically, I think its extremely difficult," he said.

It would require "aggressive peer review" and  "very strict" rules akin to the GNU open source license, he said - features that ensure those that abused such a power "could get smacked down."

Copyright © SC Magazine, Australia


 
 
 
Top Stories
Photos: Global Switch opens Sydney East data centre
First stage opened, to some fanfare.
 
ATO releases long-awaited Bitcoin guidance
Everyday investors escape the tax man.
 
Why the Weather Bureau’s new supercomputer is a 'gamechanger'
IT transformation starts to reap results.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Which is the most prevalent cyber attack method your organisation faces?




   |   View results
Phishing and social engineering
  67%
 
Advanced persistent threats
  3%
 
Unpatched or unsupported software vulnerabilities
  12%
 
Denial of service attacks
  7%
 
Insider threats
  11%
TOTAL VOTES: 470

Vote