Information Security News mailing list archives

Re: [2600-AU] More government crackdowns on cybercrime


From: Grant Bayley <gbayley () AUSMAC NET>
Date: Tue, 15 Aug 2000 19:58:03 +1000

(I've cc:d this message to the NSW Parliamentary Council Office lest they
be interested in some public comment prior to this legislation actually
being drafted by them for the Attorney General and the office of the
Attorney General himself)

Date: Tue, 15 Aug 2000 16:33:51 +1000
From: Stephen Turner <sturner () access fairfax com au>
Reply-To: 2600-list () wiretapped net
To: 2600-list () wiretapped net
Subject: [2600-AU] More government crackdowns on cybercrime

It's mostly political grandstanding I know, but here's some news on more
crackdowns on cybercrime (from smh online breaking news.)

  SYDNEY: Computer hackers who spread viruses such as the I Love You bug
will face up to 10 years' jail under new laws proposed by the New South
Wales government.
  Attorney-General Bob Debus said the government would introduce the laws
later this year to combat cyber crime.
  Under the proposal, a maximum penalty of 10 years' jail will be introduced
for people spreading damaging computer viruses.

Although this sort of thing would normally be decided in court on the
basis of the intent of the person carrying out such "spreading [of]
damaging computer viruses", the very nature of a computer virus is such
that tracking the source of it is nigh on impossible, especially if the
transmission (I prefer this word over "spreading") occurred automatically
and without the user's permission or intervention.

Sadly, attacking this problem by seeking to prosecute individuals that
transmit such things either knowingly or unknowingly will probably mean we
just have another law on the books that can easily be evaded with a
well-enough paid QC/lawyer and a rapidly deteriorating memory on the part
of those charged.

As I and others have said before, if the energy expended on this kind of
thing were otherwise used to pursue errant software developers down the
path of producing software less able to be abused in a manner likely to
cause harm, we'd be a lot better off in the long term.  This is especially
the case considering the transmission might be carried out by someone
overseas or a sufficiently obscured Australian (obscured in the sense that
the trail of evidence does not lead back to them).

If this isn't something that the Attorney General would like to take under
his wing, perhaps he could expend some energy clarifying the situation
relating to data logged by a victim or third party during the commission
of a crime involving a computer.  My implication here is that if evidence
such as a log of entry into or access to data on a computer isn't anything
more than a log file on an insecure computer system, how can it be relied
upon without a leap of faith by the judge/jury as to its authenticity and
accuracy?  Current best-practice in the computer security industry is to
have a policy relating to such things and rigorously adhere to it, but
when the systems themselves prove time and time again to be insecure or
otherwise incapable of preventing unauthorised access, the policy document
amounts to little more than potentially recyclable paper.

Where I'm headed with this is essentially wanting to raise the bar on
computer quality and security by making such malicious acts infinitely
harder to commit in the first place, or failing that, making things
auditable in a fashion that is both secure from a technical perspective
and more importantly, likely to satisfy a court as to the innocence or
guilt of the persons involved.

Prevention is better than cure.

  'Computer crime can of course have disastrous consequences for business
and the wider community,' Mr Debus told parliament.

So can influenza outbreaks resulting from people deliberately not covering
their mouth and nose while sneezing during winter, but I don't see the
Attorney General expending any effort on pursuing them.

(The disastrous consequences with influenza might be downtime due to staff
being away, death in the case of immunocompromised individuals etc)

  'It is clearly inadequate to treat computers merely ... as physical
objects when in fact it is the data stored on the computer and the access to
the computer and the use of programs that is the conduit of criminal
behaviour.'
  Mr Debus said the recent I Love You bug was estimated to have cost $6.7
billion worldwide in just five days.

Was this figure determined by a recognised statistical authority such as
the Australian Bureau of Statistics or by companies whose bottom line
might have been significantly fattened by such staggering estimates?

Mind you, a quick survey of my colleagues determined that the cost of
ILOVEYOU was about $50, mostly on time wasted telling users that their
email system wasn't affected (either immune by virtue of it being
non-Microsoft or protected by means of an appropriate filter on
attachments).

Sounds to me like the Attorney General isn't used to having his bluff
called on the accuracy of statistical information provided as an argument
for new legislation.

  The new laws will also increase penalties for identity theft offences.
  Credit card fraud over the Internet will carry a jail term of five years
or more under the proposal.

Fraud is fraud is fraud.

The NSW Crimes Act (1900) appears to cover it quite well.

http://www.austlii.edu.au/au/legis/nsw/consol_act/ca190082/

  Updating the Crimes Act will ensure existing indictable offences such as
fraud and forgery apply to computers, Mr Debus said.

Might someone detail for me how it doesn't apply to fraud that happens to
involve a computer right now?

As to the latter, forgery is forgery is forgery.

  The laws will place state legislation in line with national and
international laws.

National Legislation?  Am I missing something here?

Again, how does the NSW Crimes Act (1900) not cover this?

Care to comment on which International law?  The British one is a
particularly bad example, if that's the one the Attorney General would
choose to use, if only because it rates so badly on the disclosure of
encryption keys in a real-life situation, among other things.

  The government would concentrate on questions of access, modification,
impairment of programs and data and the consequences of those actions, he
said.

Sections 308-310 of the NSW Crimes Act (1900) cover this pretty well:

http://www.austlii.edu.au/au/legis/nsw/consol_act/ca190082/s308.html
http://www.austlii.edu.au/au/legis/nsw/consol_act/ca190082/s309.html
http://www.austlii.edu.au/au/legis/nsw/consol_act/ca190082/s310.html

Several thoughts that people might find worth thinking about:

- I hope the legislation they write up is more specific, but from this you
could assume that every person who causes a virus to be spread would be
liable for the damage - ie: all those idiots and their email attachment
opening (sure it's innocent, but how often is it inept or even downright
incompetent? They're spreading it as much as anyone else.)

Ain't semantics great :)

- Obviously they mean the virus creators, but are the virus creators always
completely to blame? I'm sure there's been several occasions where viruses
have been spread by persons other than whoever created it. Does the virus
writer become liable even if they didn't spread it? This could effectively
make any virus experimentation illegal, and I'm sure that has plenty of uses
in combating viruses and other programming uses. Wasn't there some
suggestion with the "Love Bug" virus anyway that the Filipino students
wrote it but may not have spread it? Or spread it completely by accident?
Who could and should be liable under these laws?

I've brought this to the attention of the good folks at Sophos in Sydney
who I assume, depending on moves by the Attorney General, may have
something to say about this, even if the law is only applied to those
found to be using it maliciously.

- The other thing is the credit card fraud penalty. That's fine in
principle, but I just hope this penalty is the same for credit card fraud of
any other description in any other medium. Because if it's not, chalk up
another paranoid Internet law.

As above, fraud is fraud is fraud.

Just curious as to whether anyone has thoughts on these issues.

As above :)

--
Thanks,

Stephen Turner.

Icon Web Producer.
sturner () access fairfax com au

Grant Bayley
Wiretapped

-------------------------------------------------------
Grant Bayley                         gbayley () ausmac net
-IT Manager @ Foster Nunn Loveder      (www.fnl.com.au)
-Admin @ AusMac Archive, Wiretapped.net, 2600 Australia
 www.ausmac.net   www.wiretapped.net   www.2600.org.au
-------------------------------------------------------

ISN is hosted by SecurityFocus.com
