Government shuns ethical hacker safeguards

Strict rules needed for removing malware without users' consent.

The Australian Government has rejected efforts to create legal safeguards for ethical hacking, according to a UNSW researcher.

Researcher Alana Maurushat was among several security professionals to raise the idea during the recent reviews of Australia’s cybercrime laws.

Maurushat told SC Magazine’s Security on the Move conference yesterday that rejection of the proposal "infuriates me to no end."

“They asked me to make submissions; I said I couldn’t do it; They gave me extensions, so I went out of my way and took two days off, as many [industry professionals] may have, and they did not take on one suggestion in two years – disgusting.”

Maurushat and “many others” argued that Australia requires a “security research exemption” because the law “does not distinguish the motivation for hacking”.

She cited the case of OSI Security researcher Patrick Webster who was hit with legal threats after he quietly disclosed vulnerabilities to First State Superannuation. Those charges were eventually dropped following media pressure.

“It is up the public prosecutor whether or not to prosecute [a hacker] for a crime ... it leaves too much open to general discretion.”

The safeguards could also afford protection to some grey hat hackers similar to the Anonymous collective and LulzSec, and at minimum would ensure they were not simply arrested, she said.

Maurushat was pitching the ethical hacking standards dumped by Australia to the Canadian Government and said she hoped the effort to pay off within three years.

If it did, Canada would be the first country to have safeguards for ethical hacking.

Australia was “a long time” away, she said, since reviewed cybercrime bills had already passed.

The Federal Government had also rejected a parliamentary committee to discuss the legality of hacking-back. “They decided it was too hard and the decided to let the courts decide – that’s comforting.”

Maurushat suggested trust organisations could act as mediators for ethical hacking incidents, including proactive removal of malware on user computers. She also believed insurance companies could develop policies to cover this practice.

Marco Ostini, senior security analyst at AusCERT said he found the idea of removing malware from a victim without their consent challenging.

"Ethically, I think its extremely difficult," he said.

It would require "aggressive peer review" and  "very strict" rules akin to the GNU open source license, he said - features that ensure those that abused such a power "could get smacked down."