Information Security News mailing list archives
Re: [2600-AU] More government crackdowns on cybercrime
From: Grant Bayley <gbayley () AUSMAC NET>
Date: Tue, 15 Aug 2000 19:58:03 +1000
(I've cc:d this message to the NSW Parliamentary Council Office lest they be interested in some public comment prior to this legislation actually being drafted by them for the Attorney General and the office of the Attorney General himself)
Date: Tue, 15 Aug 2000 16:33:51 +1000
From: Stephen Turner <sturner () access fairfax com au>
Reply-To: 2600-list () wiretapped net
To: 2600-list () wiretapped net
Subject: [2600-AU] More government crackdowns on cybercrime
It's mostly political grandstanding I know, but here's some news on more crackdowns on cybercrime (from smh online breaking news.)
SYDNEY: Computer hackers who spread viruses such as the I Love You bug will face up to 10 years' jail under new laws proposed by the New South Wales government. Attorney-General Bob Debus said the government would introduce the laws later this year to combat cyber crime. Under the proposal, a maximum penalty of 10 years' jail will be introduced for people spreading damaging computer viruses.
Although this sort of thing would normally be decided in court on the basis of the intent of the person carrying out such "spreading [of] damaging computer viruses", the very nature of a computer virus is such that tracking the source of it is nigh on impossible, especially if the transmission (I prefer this word over "spreading") occurred automatically and without the user's permission or intervention. Sadly, attacking this problem by seeking to prosecute individuals that transmit such things either knowingly or unknowingly will probably mean we just have another law on the books that can easily be evaded with a well-enough paid QC/lawyer and a rapidly deteriorating memory on the part of those charged.
As I and others have said before, if the energy expended on this kind of thing were otherwise used to pursue errant software developers down the path of producing software less able to be abused in a manner likely to cause harm, we'd be a lot better off in the long term. This is especially the case considering the transmission might be carried out by someone overseas or a sufficiently obscured Australian (obscured in the sense that the trail of evidence does not lead back to them).
If this isn't something that the Attorney General would like to take under his wing, perhaps he could expend some energy clarifying the situation relating to data logged by a victim or third party during the commission of a crime involving a computer. My implication here is that if evidence such as a log of entry into or access to data on a computer isn't anything more than a log file on an insecure computer system, how can it be relied upon without a leap of faith by the judge/jury as to its authenticity and accuracy?
Current best-practice in the computer security industry is to have a policy relating to such things and rigorously adhere to it, but when the systems themselves prove time and time again to be insecure or otherwise incapable of preventing unauthorised access, the policy document amounts to little more than potentially recyclable paper. Where I'm headed with this is essentially wanting to raise the bar on computer quality and security by making such malicious acts infinitely harder to commit in the first place, or failing that, making things auditable in a fashion that is both secure from a technical perspective and more importantly, likely to satisfy a court as to the innocence or guilt of the persons involved. Prevention is better than cure.
'Computer crime can of course have disastrous consequences for business and the wider community,' Mr Debus told parliament.
So can influenza outbreaks resulting from people deliberately not covering their mouth and nose while sneezing during winter, but I don't see the Attorney General expending any effort on pursuing them. (The disastrous consequences with influenza might be downtime due to staff being away, death in the case of immunocompromised individuals etc)
'It is clearly inadequate to treat computers merely ... as physical objects when in fact it is the data stored on the computer and the access to the computer and the use of programs that is the conduit of criminal behaviour.' Mr Debus said the recent I Love You bug was estimated to have cost $6.7 billion worldwide in just five days.
Was this figure determined by a recognised statistical authority such as the Australian Bureau of Statistics or by companies whose bottom line might have been significantly fattened by such staggering estimates? Mind you, a quick survey of my colleagues determined that the cost of ILOVEYOU was about $50, mostly on time wasted telling users that their email system wasn't affected (either immune by virtue of it being non-Microsoft or protected by means of an appropriate filter on attachments). Sounds to me like the Attorney General isn't used to having his bluff called on the accuracy of statistical information provided as an argument for new legislation.
The new laws will also increase penalties for identity theft offences. Credit card fraud over the Internet will carry a jail term of five years or more under the proposal.
Fraud is fraud is fraud. The NSW Crimes Act (1900) appears to cover it quite well. http://www.austlii.edu.au/au/legis/nsw/consol_act/ca190082/
Updating the Crimes Act will ensure existing indictable offences such as fraud and forgery apply to computers, Mr Debus said.
Might someone detail for me how it doesn't apply to fraud that happens to involve a computer right now? As to the latter, forgery is forgery is forgery.
The laws will place state legislation in line with national and international laws.
National Legislation? Am I missing something here? Again, how does the NSW Crimes Act (1900) not cover this? Care to comment on which International law? The British one is a particularly bad example, if that's the one the Attorney General would choose to use, if only because it rates so badly on the disclosure of encryption keys in a real-life situation, among other things.
The government would concentrate on questions of access, modification, impairment of programs and data and the consequences of those actions, he said.
Sections 308-310 of the NSW Crimes Act (1900) cover this pretty well:
http://www.austlii.edu.au/au/legis/nsw/consol_act/ca190082/s308.html
http://www.austlii.edu.au/au/legis/nsw/consol_act/ca190082/s309.html
http://www.austlii.edu.au/au/legis/nsw/consol_act/ca190082/s310.html
Several thoughts that people might find worth thinking about:
- I hope the legislation they write up is more specific, but from this you could assume that every person who causes a virus to be spread would be liable for the damage - ie: all those idiots and their email attachment opening (sure it's innocent, but how often is it inept or even downright incompetent? They're spreading it as much as anyone else.)
Ain't semantics great :)
- Obviously they mean the virus creators, but are the virus creators always completely to blame? I'm sure there have been several occasions where viruses have been spread by persons other than whoever created it. Does the virus writer become liable even if they didn't spread it? This could effectively make any virus experimentation illegal, and I'm sure that has plenty of uses in combatting viruses and other programming uses. Wasn't there some suggestion with the "Love Bug" virus anyway that the Filipino students wrote it but may not have spread it? Or spread it completely by accident? Who could and should be liable under these laws?
I've brought this to the attention of the good folks at Sophos in Sydney who I assume, depending on moves by the Attorney General, may have something to say about this, even if the law is only applied to those found to be using it maliciously.
- The other thing is the credit card fraud penalty. That's fine in principle, but I just hope this penalty is the same for credit card fraud of any other description in any other medium. Because if it's not, chalk up another paranoid Internet law.
As above, fraud is fraud is fraud.
Just curious as to whether anyone has thoughts on these issues.
As above :)
-- Thanks, Stephen Turner. Icon Web Producer. sturner () access fairfax com au
Grant Bayley
Wiretapped
-------------------------------------------------------
Grant Bayley gbayley () ausmac net
-IT Manager @ Foster Nunn Loveder (www.fnl.com.au)
-Admin @ AusMac Archive, Wiretapped.net, 2600 Australia
www.ausmac.net www.wiretapped.net www.2600.org.au
-------------------------------------------------------
ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".