Home page logo
/

isn logo Information Security News mailing list archives

2600 Australia response to 2nd Reading of Commonwealth Cybercrime Bill 2001
From: Grant Bayley <gbayley () ausmac net>
Date: Fri, 29 Jun 2001 02:03:01 +1000 (EST)

To all,

This is a "first response" to the second reading of the
Australian Commonwealth Cybercrime Bill, 2001 from 2600 Australia, a
self-described "hacker advocate group".  A full response to the bill
itself will be forthcoming, though this discussion sums up a large number
of the arguments against the proposed legislation.

Grant Bayley

-------------------------------------------------------
Grant Bayley                         gbayley () ausmac net
-Admin @ AusMac Archive, Wiretapped.net, 2600 Australia
 www.ausmac.net   www.wiretapped.net   www.2600.org.au
-------------------------------------------------------

References:

Explanatory Memoranda:
http://www.2600.org.au/misc/cybercrime/cybercrime-bill-2001-explanatory-memoranda.pdf

Cybercrime Bill, 2001 (at first reading):
http://www.2600.org.au/misc/cybercrime/cybercrime-bill-2001-firstreading.pdf

House of Representatives Hansard 27 June 2001   P 27081
CYBERCRIME BILL 2001
First Reading

Bill presented by Mr Williams, and read a first time.

Second Reading

Mr WILLIAMS (Tangney?Attorney-General)
(9.57 a.m.)?I move:

That the bill be now read a second time.

More than three million Australian households and
over one billion people worldwide are connected to
the Internet. With the exponential growth in the
Internet population and in electronic commerce over
the last decade, the integrity, security and reliability
of computer data and electronic communication is
becoming increasingly important. Cybercrime activities,
including hacking, virus propagation, ?denial of
service? attacks and web site vandalism, pose a significant
threat to the integrity and security of computer
data. Indeed, according to recent estimates, cybercrime
is costing companies worldwide approximately
$3 trillion dollars a year.

First off, this figure is unsubstantiated.  It was not generated by an
organisation such as the Australian Bureau of Statistics or any recognised
authority on the matter, rather various commercial organisations whose
business depends on the existence of (or appearance of the existence of)
cybercrime.

This alone makes the basis on which this law is being proposed deceptive
and misleading at best.

Secondly, the term "cybercrime" is so poorly defined, even by the very
authorities that wish to pass laws regarding it, that almost any activity
that might be considered criminal in the context of a computer or
electronic equipment might qualify for prosecution under this law.

This is a dangerous precedent considering the lack of understanding
amongst legislators about the very activities they are wishing to outlaw.

Updated laws are vital if authorities are to effectively
detect, investigate and prosecute cybercrime
activities. The proposed new computer offences and
investigation powers in the Cybercrime Bill 2001 are
a significant development in the fight against these
activities and will place Australia at the forefront of
international efforts to address the issue of cybercrime.

Indeed, they are, but not in this rough-riding, rights-restrictive
fashion.

Computer offences
The Cybercrime Bill 2001 proposes the enactment
of seven new computer offences. The offences are
based on the recommendations of the January 2001
Model Criminal Code damage and computer offences
report developed with the cooperation of the Commonwealth,
states and territories. Implementation of
the Model Criminal Code offences is an important
step toward achieving national consistency and
remedying deficiencies in the existing laws. The new,
updated offences would replace the existing offences
in the Crimes Act, which, although only 10 years old,
are already seriously outdated.

Sadly, this is a common misconception.  Existing laws cover many, many
computer related offences, whether it be directly or indirectly.  Directly
in that they cover offences such as unauthorised access, unauthorised
insertion, modification and deletion of data, covers offences against
telecommunications carriers that may be used in the commission of an
offence, covers impairment of service offences carried out against
networks supplied by telecommunications carriers.  And indirectly relating
to such offences as false personation, obtaining credit by false pretences
and the like.

All are directly applicable to the type of situations that Justice
Minister Ellison and Attorney-General Williams crow about when attempting
to justify the creation of such laws as the Cybercrime Bill, 2001.

Yet, there have been very few cases where all of these existing components
of law have been applied to offenders.  In some cases, the offences simply
aren't easily traceable.  In others, the actual loss caused by the offence
pales in comparison to the time and effort of prosecuting an individual
for the offence.  In others, the offences alleged to have been carried out
by individuals have been grossly overstated, leading to short, suspended
sentences, good behaviour bonds and small fines.  None of these are
failures in the laws themselves, but the application of appropriate laws
to particular crimes.

Therfore, I ask the question - will this law make it any easier to trace
such crime?  Any less costly for individuals or companies or law
enforcement to bring actual, legitimate criminals to justice?  The answer
in both cases is no, because although the legislation seeks to bring a
number of these existing components of law together and extend them in
other cases to meet a perceived dire need, law enforcement simply aren't
any better equipped to deal with such cases than 5 or 10 years ago nor is
there any increased level of understanding in the judiciary to take into
account the horribly ill-defined phenomena of "cybercrime".

All the proposed offences are supported by extended
extraterritorial jurisdiction in recognition of
the fact that computer crime is often perpetrated remotely
from where it has effect. The proposed offences
have been drafted in technology-neutral terms.
The offences also dovetail with the terminology of
the Electronic Transactions Act 1999, which has been
an important vehicle for expanding electronic commerce.

Will extraterritorial jurisdiction bring about the prosecution of the
Phillipino creator of the so-called ILOVEYOU worm in this country,
considering it is alleged to have caused $7 billion by the Customs and
Justice Minister and the NSW Attorney-General, Mr Debus?

Lets not kid ourselves here.  It hasn't happened, and it won't.

The first offence in the bill targets those who access
or modify computer data or impair electronic
communications to or from a computer that they are
not authorised to access, modify or impair and who
do so with the intention of committing a serious offence,
punishable by five or more years imprisonment.
The offence would attract a maximum penalty
equal to the maximum penalty for the serious offence.
For example, if a person hacked into a bank
computer and accessed credit card details with the
intention of using them to obtain money, the penalty
would be equivalent to the fraud offence the person
was intending to commit (10 years imprisonment).

How would this change if the bank's computer contained no access
protection, such as that which you mention three paragraphs below?

   "The offence relates only to unauthorised access or modification of
    data that is protected by a password or other security feature rather
    than any data."

If the bank's computer was not protected by a password or other security
feature and an attacker (as we prefer to call such people) accessed credit
card details with the intention of using them to obtain money but did not
in fact follow through and do this, how would they be treated?  By my
layperson's understanding, they may not be liable for punishment for any
crime, especially if they only thought to use the credit cards to obtain
money after having found them then decided against it prior to doing so.

Although each case would be decided on it's merits, I can supply
sufficient counter-examples for each and every situation that might be
raised in support of this proposed legislation.

It's sort-of a saying in computer security circles that nothing is
absolute.  For every possible security protection, there is a potential
misconfiguration or fault or failure that renders such protection useless,
null and void.  While this proposed legislation is "technology-neutral",
whether some things are in fact a "bad" thing at all (such as exposing a
misconfiguration in a security system by means of a controlled
demonstration) aren't even clearly agreed upon amongst the computer
security community, let alone the Council of Europe with its' Cybercrime
Treaty.  The Australian Government is way out on a limb claiming it has
the answers to these questions, embodied in this proposed legislation.

It would be an offence for a person to cause any
unauthorised modification of data in a computer
where the person is reckless as to whether that modification
will impair data. A maximum penalty of 10
years imprisonment would apply. The offence covers
a range of situations, including a hacker who obtains
unauthorised access to a computer system and impairs
data and a person who circulates a disk containing
a computer virus which infects a Commonwealth
computer.

Just out of interest, how does the Government approach the topic of
"benign" or "good" viruses.  They're certainly the exception to the rule,
but they indeed exist.

An example of a "benign" virus would be one written for demonstration
purposes to expose an insecurity in an operating system that might be used
at some point in the future as a propagation vector for a not-so-benign
virus.  The benign virus (or possibly a worm, something that spreads of
it's own accord) simply sits resident on the computer, using very
negligible memory, processor and disk space resources and does not impair
the normal usage of the computer.

An example of a "good" virus is one that propagates in much the same
fashion as above, but carries with it a payload capable of repairing a
misconfiguration, patching an insecure piece of software or otherwise
preventing further potential damage to machines it is transmitted to.
Arguably, such viruses enhance the security of the machine.  That is,
they're doing the exact opposite to impairing the operation of the
computer - they're fixing it.

None of these scenarios are accounted for in the proposed legislation.
Some would respond by saying "it doesn't have to account for them", but
I'd challenge that on the basis of "where do you draw the line between
impairment and enhancement?".  Nothing is absolute in the world of
computers, remember.

The bill proposes an offence of causing an unauthorised
impairment of electronic communications to
or from a computer, carrying a maximum penalty of
10 years imprisonment. This offence is particularly
designed to prohibit tactics such as ?denial of service
attacks?, where a web site is inundated with a large
volume of unwanted messages, thus crashing the
computer server. The penalty for this offence recognises
the importance of computer facilitated communication
and the considerable damage that can result
if that communication is impaired.

There's an obvious target here - people that generate such large volumes
of traffic.  As before and as always, there's examples where this fails to
pass muster.  What is the Government's opinion about "Hacktivism" actions
(misguided as the causes themselves may be) where a significant number of
computers each place a tiny and insignificant portion of load upon a
server, whether it be in the form of "hits" to a website or "emails" to an
email server.

Under the law, each of the participants in this action would, in theory be
subject to prosecution under this part of the Cybercrime Act, 2001, but
where things get murky is where we consider how such an action differs
from the ordinary operation of a busy web or email server - a large
number of clients each make a small, insignificant number of connections,
generating on the whole a significant and sometimes destructive load on
the web or email server.  The slang term for this is "Slashdotting", named
after a website that was so popular at one point in it's existance that
when any other site was linked from it it, the sheer number of visitors
innocently following the link brought many a server to its' knees.

The definition between such illegal impairment and high-load ordinary
operation is dangerously blurry.  Would an Australian site have reason and
recourse under the law to charge the operator of another site that
directed visitors to it with a crime?  How does this differ from the
"denial of service" examples provided?

The proposed offence of causing unauthorised access
to or modification of restricted data held in a
computer carries a maximum penalty of two years
imprisonment. The offence relates only to unauthorised
access or modification of data that is protected
by a password or other security feature rather than
any data. The offence will target those who hack into
a password protected computer system in order to
access personal or commercial information or alter
that information.

Okay, so anything that is not protected by a password or other
(functioning) security feature is fair game for open, unrestricted public
access?

Like the detailed network diagrams for internal Commonwealth networks
found on a public file server on the Internet several months ago?

The bill proposes an offence of causing unauthorised
impairment of the reliability, security or operation
of any data held on a Commonwealth computer
disk or credit card or other device. A maximum penalty
of two years imprisonment would apply. This
offence is particularly designed to cover impairment
of data caused by actions such as passing a magnet
over a credit card or cutting a computer disk in half.

So, correct me if I am wrong, but would it be an offence to "impair the
reliability" of an electronic service by exposing an obvious, repairable
security flaw in it?  It would certainly instill doubt in the present and
future customers of the service, but would bringing this to the attention
of the proprietors of the service and/or the public be an offence?  If so,
what is to gain by making this an offence?  Is it the aim of the
Government to reduce the security of electronic services by preventing
appropriate disclosure of security faults?

Anyone remember the GSTAssist site?  The site that had no security
protection at all, yet freely gave out people's personal information to
all and sundry?  Who gained from this situation?  The young man who
exposed the flaw (albeit in an odd fashion)?  I doubt it.  He was
investigated by the Federal Police and received scorn from members of
Federal Parliament, who were understandably scampering about to divert
blame from the inability of their staff to properly design the system.
The only people that gained from this situation were those that had their
personal information put in jeopardy by incompetent Government staff -
after all, once the problem was exposed and the security of the system was
put into doubt (the reliability of it was impaired), it could be resolved
appropriately.  I doubt that without the young man's disclosure, this
could have occurred.

Again, for every example, there's copious examples of where such proposed
legislative changes do not make sense.

And what's this about destruction of computer disks?  Of passing magnets
over a credit card?  What's the basis for these examples?  The
justification?  If I own a disk, surely I'm not prevented from doing
whatever I please with it?  Doesn't the same apply to my credit card?

Lastly, the bill proposes two offences relating to
the possession and supply of data or programs that
are intended for use in the commission of a computer
offence. Each offence would attract a maximum penalty
of three years imprisonment. These offences are
designed to cover persons who possess or trade in
programs and technology designed to hack into or
damage other people?s computer systems. For example,
a person will commit an offence if he or she possesses
a hacking program or a disk containing a computer
virus with the intention of using it to access or
damage data.

This is downright dangerous, firstly because of the "dual use" nature of
large types of computer hardware and software and secondly because it
establishes a unique branch of "thought crime" - storing information that
could be used to "hack into or damage other people's computer systems" in
one's own mind (the danger of this should be self-evident).

The "dual use" nature of large types of computer hardware and software
exists because the very tools that can be said to assist a user in
preparing to break into a computer system can be legitimately used to
test the security of one's own computer system against such break-in
attempts perpetrated by others.  In fact, it is the wide public
availability of such tools in the first place and their utilisation in
the protective role that reduces their effectiveness as tools for the
former of the two roles - the unauthorised and potentially destructive
one.

The obvious and oft-quoted example of such a tool is "nmap" - a network
mapping tool.  nmap allows a remote user to map out the availability of
services on a network-connected computer.  Nothing more.  Nothing less.
With such a map, a user could attempt to break into a computer, narrowing
down the potential means of entry on the basis of what information is
contained in the map.  At the same time, the owner of the computer could
use the map to evaluate what defences might need to be put into place,
what services are exposed to the outside world, possibly as the result of
a misconfiguration.  In other words, nmap is a dual-use technology.

For those that aren't aware, "dual-use" is a term usually reserved for
technologies such as encryption, which (as emotive as these sound) could
be used just as effectively by a paedophile to hide archives of illegal
material as by a human rights crusader hiding information that could
compromise their personal safety or those in their care.

And this leads us onto the next part of this dangerously flawed
legislation...

Investigation powers
The bill will enhance the criminal investigation
powers in the Crimes Act 1914 and Customs Act
1901 relating to the search, seizure and copying of
electronically stored data. The large amounts of data
which can be stored on computer drives and disks
and the complex security measures, such as encryption
and passwords, which can be used to protect that
information present particular problems for investigators.
The proposed enhancement of search and seizure
powers will assist law enforcement officers in
surmounting those problems.

In short, and as expressed in the Walsh Report [1][2], Governments and
their Defence/Intelligence organisations have all but lost the crypto-war,
and they're really, really pissed off.

The upshot of this is that in the absence of intelligence ingenuity [3]
or mathematical assistance from quantum computing technologies, you'll now
be obliged by law to reveal any passwords, passphrases, keys, codes,
cryptographic and steganographic methods used to protect your information
from prying eyes.

Ignore the fact that you might be incriminating yourself in revealing
such passwords etc.  Ignore the fact that there will no doubt be
substantial criminal punishment for not disclosing such passwords etc.
Also ignore the fact that without disclosing the passwords etc, you will
have a tough time proving that the information contained inside an
encrypted file, for example, is not evidentiary.

In other words, all your crypto are belong to us.

[1] http://www.efa.org.au/Issues/Crypto/Walsh/
[2] http://the.wiretapped.net/security/info/papers/cryptography/au-crypto/walsh-report.html
[3] http://cypherpunks.venona.com/date/1995/09/msg00136.html

The proposed amendments would clarify that a
search warrant can be used to access data that is accessible
from, but not held on, electronic equipment
at the search premises. As most business computers
are networked to other desktop computers and to
central storage computers, it is critical that law enforcement
officers executing a search warrant are
able to search not only material on computers located
on the search premises but also material accessible
from those computers but located elsewhere.

If these computers are connected to the Internet, doesn't this mean that
such warrants are essentially unlimited, given that other material located
elsewhere is accessible using the Internet?

Computer equipment and disks would be able to
be examined and processed off site if this is significantly
more practicable than processing them on site.
The proposed amendment recognises that searching
computers and disks can be a difficult and time consuming
exercise because of the large amount of information
they can store and the application of security
measures, such as encryption. A further proposed
amendment would permit officers to copy all data
held on a computer hard drive or data storage device
where some of the data is evidential material or if
there are reasonable grounds to suspect the data contains
evidential material.

How does this differ from the current situation?  Hard drives can be
mirrored onsite by appropriately qualified personnel then returned to use,
especially if law enforcement aren't wanting to alert the target.

This is nothing new, is already partially covered in the changes made to
the ASIO Act in 1999, and is therefore largely unecessary.

A magistrate would be able to order a person with
knowledge of a computer system to provide such information
or assistance as is necessary and reasonable
to enable the officer to access, copy or print data.
Such a power is contained in the draft Council of
Europe Convention on Cybercrime and will assist
officers in gaining access to encrypted information.

See above.  All your crypto are belong to us.

Conclusion
The high speed and broad reach of computer technology
offers new means, methods and possibilities
for crime. The measures contained in the Cybercrime
Bill are vital to protecting the security, reliability and
integrity of computer data and electronic communications
and remedying the deficiencies in existing
laws. By addressing the threats posed by cybercrime
activities, the bill will strengthen community confidence
in the use of new technology and provide a
means of ensuring that the benefits of that technology
are not comprised by crime. I commend the bill to the
House, and present the explanatory memorandum to
the bill.

Debate (on motion by Mr Horne) adjourned.

This law does absolutely nothing to remedy perceived deficiencies in
existing laws relating to offences that might happen to involve a
computer, an electronic device or a communications network, as discussed
above.  In fact, it places a great many things in jeopardy, such as the
free flow of information relating to security deficiencies in computers
and electronic infrastructure, the free flow of information that assists
system administrators to secure and protect computers and electronic
infrastructure, and provides for forced disclosure of information that may
have been lawfully encrypted, protected or hidden.

It should not be passed in this or any similar form.

Grant Bayley
Speaking on behalf of 2600 Australia



ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribe () SecurityFocus com 


  By Date           By Thread  

Current thread:
  • 2600 Australia response to 2nd Reading of Commonwealth Cybercrime Bill 2001 Grant Bayley (Jun 29)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault