Penetration Testing mailing list archives

RE: New legislation in Australia to make pen-testing illegal?


From: "Andrew van der Stock" <ajv () e-secure com au>
Date: Sat, 7 Jul 2001 00:33:49 +1000

As part of SAGE-AU, we did several submissions on this to the Government,
and during the Melbourne round of public submissions, it seemed like we were
getting through. Most of the session was talking about our issues, and most
of the pro-copyright people sat through it.

They did amend it to take into account backups, etc, but they didn't go far
enough. Now, the basic thing is that you have to have Intent to commit a
crime. If you are doing pen-tests on behalf of customers, and you have
lawyer-drafted waivers signed by the client, their ISP and your ISP, and
you've notified AusCERT and the federal police (who are most commonly called
by people not in the loop, if ever), then you do not have the INTENT to
commit a crime. Only if you don't hand the money back is there a problem.
:-)

If you don't have a lawyer-drafted waiver, effectively getting the client to
accept all risk, and putting some ability for the client to stop things at
any time, then you shouldn't be doing this stuff. If you're doing a pen-test
on yourself, there's no crime. Just keep it away from telco CPE and you'll
be right.

Now - the tools section. SAGE-AU is drawing up a Code of Practice for System
Administrators (and people like System Administrators, such as Security
Administrators or contractors). The CoP not only documents current best
practice in a fairly high level way, it will specifically hold people to
doing the right things, and ethically. If you are a member of SAGE-AU,
holding to the CoP, and hold or develop tools, then you will be okay.
Otherwise, if someone searches your PC and finds the tools, you can
theoretically be charged. But there must be INTENT to commit a crime for
serious jail time to be an option. Other organisations are also free to
develop a CoP and get it registered.

Andrew
ex Presidente Of SAGE-AU, http://www.sage-au.org.au/

-----Original Message-----
From: Tony Langdon [mailto:tlangdon () atctraining com au]
Sent: Friday, 6 July 2001 08:52
To: 'Ari Weisz-Koves'; PEN-TEST
Subject: RE: New legislation in Australia to make pen-testing illegal?


Anyone else out there from Australia, or was the internet legislation of '99
enough to make everyone leave? I'm struggling to understand how these laws
could be passed and enforced - essentially, it may soon be illegal to have
scanners or hacking tools in your possession, and all passwords and security
measures must be handed over to the government on request.

Well, that would seem to be a rather short sighted approach.  I know the
Bill was passed in 1999 to enact the new laws (and I was involved in a
couple of rallies to try and make the Government see reason).  I, for one,
believe that administrators like myself need access to tools and port
scanners to be able to test our own systems' resistance to attack.  Failure
to do so is failing to live up to our responsibility to the wider Internet
community.

To be honest, I'm not 100% sure what the law ended up saying on the
possession or (legitimate) use of security scanners.

Does anyone know if these kinds of measures are enforced anywhere else in
the world, or has my government just gone nuts?

Well, I'll avoid political discussion on the list, but I saw a distinct lack
of reason and understanding when it all developed in 1999.

--------------------------------------------------------------------------------------

This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service
For more information on SecurityFocus' SIA service which automatically alerts you to
the latest security vulnerabilities please see:

https://alerts.securityfocus.com/