The Australian government has thumbed its nose at legal safeguards for ethical hackers, according to a report from SC Magazine.
University of New South Wales security researcher Alana Maurushat on Thursday told the magazine’s “Security on the Move” conference that she and other industry professionals had gone out of their way to submit proposals for recent reviews of Australia’s cybercrime laws, but the government decided to reject them all.
“They asked me to make submissions; I said I couldn’t do it,” SC Magazine quoted her as saying. “They gave me extensions, so I went out of my way and took two days off, as many [industry professionals] may have, and they did not take on one suggestion in two years – disgusting.”
The government’s reaction “infuriates me to no end,” she said, noting that she and “many others” argued that Australia requires a “security research exemption” because the law “does not distinguish the motivation for hacking.”
Ms. Maurushat pointed to the case of OSI Security researcher Patrick Webster, who was thanked for his bug-finding by being slapped with legal and financial threats.
As you might recall, Mr. Webster, an Australian researcher, found a gaping, trivially exploitable hole in the security of his investment fund, First State Superannuation. If you’ll pardon me, I’m going to steal an image from a commenter when I say that this flaw didn’t just represent low-hanging fruit; it represented fruit dragging on the ground.
To wit: Mr. Webster found an insecure direct object reference, wherein other members’ statements could be accessed by changing a single digit in the displayed browser URL. This class of flaw ranks at #4 on OWASP’s top 10 list of application security risks.
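To make the flaw concrete, here is an added example (not code from First State Superannuation or from Mr. Webster): a statement lookup that trusts the id in the URL, the same lookup with an ownership check added, and a small audit function that flags cross-member reads in access logs. The member ids, statement records and log lines are constructed for illustration.

```python
"""Insecure direct object reference, the ownership-checked fix, and a log audit.

Constructed example for the article above; STATEMENTS, the member ids and
the LOG text are invented and stand in for a real statements endpoint.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed data store: statement id -> (owning member id, content)
STATEMENTS: Dict[int, Tuple[str, str]] = {
    1001: ("m-001", "Statement for member m-001"),
    1002: ("m-002", "Statement for member m-002"),
    1003: ("m-003", "Statement for member m-003"),
}


class Forbidden(Exception):
    """Raised when the authenticated member does not own the requested statement."""


def fetch_statement_insecure(member_id: str, statement_id: int) -> str:
    """The flaw as described: the id from the URL is looked up directly,
    so any authenticated member can read any other member's statement.
    `member_id` is accepted but never consulted."""
    _owner, content = STATEMENTS[statement_id]
    return content


def fetch_statement_secure(member_id: str, statement_id: int) -> str:
    """Hardened version: load the record, then check that the authenticated
    member owns it before returning anything."""
    record = STATEMENTS.get(statement_id)
    if record is None or record[0] != member_id:
        # One response for both 'missing' and 'not yours', so the caller
        # learns nothing about which ids exist.
        raise Forbidden("statement not available to this member")
    return record[1]


# Constructed access-log lines: client ip, authenticated member id, request.
LOG = """\
10.0.0.5 m-001 GET /statements/1001
10.0.0.5 m-001 GET /statements/1002
10.0.0.5 m-001 GET /statements/1003
10.0.0.9 m-002 GET /statements/1002
"""

LINE_RE = re.compile(r"^(\S+) (\S+) GET /statements/(\d+)$")


def owner_of(statement_id: int) -> Optional[str]:
    """Return the owning member of a statement id, or None if unknown."""
    record = STATEMENTS.get(statement_id)
    return record[0] if record else None


def find_cross_member_reads(log_text: str) -> List[Tuple[str, int]]:
    """Audit check: list (member, statement_id) pairs where a member fetched
    a statement they do not own. On a correctly authorising endpoint this
    list is empty; on the flawed one it shows who read what."""
    hits: List[Tuple[str, int]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        member, statement_id = m.group(2), int(m.group(3))
        if owner_of(statement_id) != member:
            hits.append((member, statement_id))
    return hits


if __name__ == "__main__":
    print(fetch_statement_insecure("m-001", 1002))  # another member's data
    print(fetch_statement_secure("m-001", 1001))    # own data, allowed
    print(find_cross_member_reads(LOG))             # who read what they shouldn't
```

The fix is a single ownership comparison, which is the point of the OWASP entry: the vulnerability is not in the lookup but in the missing authorisation step between the URL parameter and the record. The audit function is the retrospective counterpart, useful once logs tie each request to an authenticated session.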
For his efforts to responsibly alert First State Superannuation, the financial firm slapped Mr. Webster with legal threats, demands that he turn over his computer, and notice that he might be billed for the bug he himself had uncovered.
I was relieved to learn that, in light of more or less scathing media coverage, First State Superannuation soon backed off its threats. The company issued a statement to the effect that although they perceived Mr. Webster’s actions to be alarming and naughty, it was, in light of his cooperation and compliance in destroying sensitive downloaded materials, letting him go free.
"First State Superannuation appreciates that the actions of the person involved have allowed us to address an undetected weakness in our online security. Subject to his compliance and cooperation in ensuring that the unauthorised statements he downloaded have been destroyed, we have no intention of taking any other action against him."
“Well, that’s a relief,” I thought when I heard of First State dropping the charges. “Now I can stop making fun of Australia suffering from some type of Coriolis effect that caused justice to flow backwards.”
After all, I was just teasing when I said that. I well know that the complexities and inadequacies of disclosure law cause justice to flow backwards equally in both hemispheres.
But this latest news, of Australia developing some odd form of narcolepsy when it comes to reforming disclosure policies, makes me wonder if, in fact, something is up down under.
According to SC Magazine, Ms. Maurushat is now taking the same ethical hacking standards spurned by Australia to the Canadian Government. She said that she hoped the effort would pay off within three years, making Canada the first country to adopt such safeguards.
In the meantime, here in the US we have the SCADA hack with its subsequent flaw disclosure by the responsible parties.
Soon after Sophos’s Chester Wisniewski wrote about the incident, hacker pr0f contacted him, giving Wisniewski a chance to ask, “What change could be made to the Computer Fraud and Abuse Act to encourage responsible disclosure of security flaws and unprotected systems?”
It should be “a matter of intent and actual damage caused,” the hacker responded. “Shutting one of these down is obviously a crime. Finding one and accessing it out of curiosity, then exposing how insecure it is responsibly, should perhaps be treated a lot more leniently.”
At the very minimum, nation-states must acknowledge that these issues are not black and white. Hackers range from white to gray to black, and the responsibility with which they disclose bugs varies as well.
Their vested interest in exposing flaws varies from individual to individual, but obviously, there are many white-hat hackers out there who deserve more than a set of blanket laws that call for their arrest and prosecution.