Government shuns ethical hacker safeguards

Powered by SC Magazine
 

Rejection of industry submissions was "disgusting".

View larger image View larger image View larger image

See all pictures here »

The Australian Government has rejected efforts to create legal safeguards for ethical hacking, according to a UNSW researcher.

Researcher Alana Maurushat was among several security professionals to raise the idea during the recent reviews of Australia’s cybercrime laws.

Maurushat told SC Magazine’s Security on the Move conference yesterday that rejection of the proposal "infuriates me to no end."

“They asked me to make submissions; I said I couldn’t do it; They gave me extensions, so I went out of my way and took two days off, as many [industry professionals] may have, and they did not take on one suggestion in two years – disgusting.”

Maurushat and “many others” argued that Australia requires a “security research exemption” because the law “does not distinguish the motivation for hacking”.

She cited the case of OSI Security researcher Patrick Webster who was hit with legal threats after he quietly disclosed vulnerabilities to First State Superannuation. Those charges were eventually dropped following media pressure.

“It is up the public prosecutor whether or not to prosecute [a hacker] for a crime ... it leaves too much open to general discretion.”

The safeguards could also afford protection to some grey hat hackers similar to the Anonymous collective and LulzSec, and at minimum would ensure they were not simply arrested, she said.

Maurushat was pitching the ethical hacking standards dumped by Australia to the Canadian Government and said she hoped the effort to pay off within three years.

If it did, Canada would be the first country to have safeguards for ethical hacking.

Australia was “a long time” away, she said, since reviewed cybercrime bills had already passed.

The Federal Government had also rejected a parliamentary committee to discuss the legality of hacking-back. “They decided it was too hard and the decided to let the courts decide – that’s comforting.”

Maurushat suggested trust organisations could act as mediators for ethical hacking incidents, including proactive removal of malware on user computers. She also believed insurance companies could develop policies to cover this practice.

Marco Ostini, senior security analyst at AusCERT said he found the idea of removing malware from a victim without their consent challenging.

"Ethically, I think its extremely difficult," he said.

It would require "aggressive peer review" and  "very strict" rules akin to the GNU open source license, he said - features that ensure those that abused such a power "could get smacked down."

Copyright © SC Magazine, Australia


 
 
 
Top Stories
ANZ looks to life beyond the transaction
If digital disruptors think an online payments startup could rock the big four, they’ve missed the point of why people use banks, says Patrick Maes.
 
What InfoSec can learn from the insurance industry
[Blog post] Another way data breach laws could help manage risk.
 
A ten-point plan for disrupting security
[Blog post] How can you defend the perimeter when it’s in the cloud?
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
What is delaying adoption of public cloud in your organisation?







   |   View results
Lock-in concerns
  29%
 
Application integration concerns
  3%
 
Security and compliance concerns
  27%
 
Unreliable network infrastructure
  9%
 
Data sovereignty concerns
  21%
 
Lack of stakeholder support
  3%
 
Protecting on-premise IT jobs
  4%
 
Difficulty transitioning CapEx budget into OpEx
  3%
TOTAL VOTES: 1043

Vote