Government shuns ethical hacker safeguards

Powered by SC Magazine
 

Rejection of industry submissions was "disgusting".

View larger image View larger image View larger image

See all pictures here »

The Australian Government has rejected efforts to create legal safeguards for ethical hacking, according to a UNSW researcher.

Researcher Alana Maurushat was among several security professionals to raise the idea during the recent reviews of Australia’s cybercrime laws.

Maurushat told SC Magazine’s Security on the Move conference yesterday that rejection of the proposal "infuriates me to no end."

“They asked me to make submissions; I said I couldn’t do it; They gave me extensions, so I went out of my way and took two days off, as many [industry professionals] may have, and they did not take on one suggestion in two years – disgusting.”

Maurushat and “many others” argued that Australia requires a “security research exemption” because the law “does not distinguish the motivation for hacking”.

She cited the case of OSI Security researcher Patrick Webster who was hit with legal threats after he quietly disclosed vulnerabilities to First State Superannuation. Those charges were eventually dropped following media pressure.

“It is up the public prosecutor whether or not to prosecute [a hacker] for a crime ... it leaves too much open to general discretion.”

The safeguards could also afford protection to some grey hat hackers similar to the Anonymous collective and LulzSec, and at minimum would ensure they were not simply arrested, she said.

Maurushat was pitching the ethical hacking standards dumped by Australia to the Canadian Government and said she hoped the effort to pay off within three years.

If it did, Canada would be the first country to have safeguards for ethical hacking.

Australia was “a long time” away, she said, since reviewed cybercrime bills had already passed.

The Federal Government had also rejected a parliamentary committee to discuss the legality of hacking-back. “They decided it was too hard and the decided to let the courts decide – that’s comforting.”

Maurushat suggested trust organisations could act as mediators for ethical hacking incidents, including proactive removal of malware on user computers. She also believed insurance companies could develop policies to cover this practice.

Marco Ostini, senior security analyst at AusCERT said he found the idea of removing malware from a victim without their consent challenging.

"Ethically, I think its extremely difficult," he said.

It would require "aggressive peer review" and  "very strict" rules akin to the GNU open source license, he said - features that ensure those that abused such a power "could get smacked down."

Copyright © SC Magazine, Australia


 
 
 
Top Stories
The CISO’s dilemma: Do you trust your partner’s partner?
[Blog post] How far down the chain do you check?
 
Microsoft confirms Australian Azure launch
Available from next week.
 
NBN Co names first 140 FTTN sites
National trial extended.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  25%
 
Sourcing and strategy
  12%
 
IT infrastructure (servers, storage, networking)
  23%
 
End user computing (desktops, mobiles, apps)
  14%
 
Software development
  27%
TOTAL VOTES: 284

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  61%
 
No
  39%
TOTAL VOTES: 102

Vote