[ISN] Crimes bill targets hackers, DoS attacks

From: InfoSec News (isnat_private)
Date: Tue Aug 28 2001 - 02:55:07 PDT


    http://www.idgnet.co.nz/webhome.nsf/UNID/269577935B2CD8B0CC256AAD00811EB6!opendocument
    
    Averill Parkinson and Bernard Woo
    Auckland
    27 August, 2001
    
    The select committee report on the Crimes Amendment (No 6) Bill has
    proposed two new sections to the bill with significant implications
    for all web users. The first new section is targeted at denial of
    service attacks. The second targets the creation, distribution and
    possession of "hacking software".
    
    There is no doubt that there should be laws to cover these situations.
    The questions that need to be answered are whether the proposed
    sections are adequate and whether they go further than necessary.
    
    New section 251(2)(c) is designed to deter denial of service attacks.
    
    In doing so it casts a very wide net. The section requires the
    "interferer" to recklessly or intentionally, and without authority,
    cause any computer system to deny service to any authorised users or
    to fail. The section is broadly drafted and may, in Techlaw's view,
    cover less culpable cases.
    
    Have you ever received an email with a virus attachment? Opening a
    virus-infected email attachment without virus checking, resulting in
    the virus being transmitted to every person in your address book,
    could be construed as reckless. The argument here is that every net
    user should be aware of viruses, especially with the front-page
    coverage they receive, and by not taking steps to ensure they do not
    propagate them, the user is acting recklessly.
    
    However, for some people, this may seem to be taking the concept of
    "responsible use" too far. If this were the effect of the new section,
    every user would need to obtain and keep updated a virus checker as a
    pre-condition to internet use.
    
    In Techlaw's view, it is unlikely that a naïve or ignorant web user
    would be found to have acted recklessly. It is, however, possible that
    a person with a high level of understanding of the risks, such as an
    ISP, could be found liable.
    
    The second addition is Section 252, which introduces a new offence
    that the select committee says is the crime of "being in possession of
    'hacking' programs or other information in circumstances that show an
    intention to use it to commit a computer crime".
    
    While this may seem like a worthwhile amendment, there are a number of
    issues arising out of the precise wording used.
    
    First, what constitutes a "hacking" program? You and I are probably in
    possession of a "hacking" program at present or have been in the past.
    The proposed definition is "any software or other information that
    would enable another person to access a computer system without
    authorisation". This sounds like many useful network administration
    tools.
    
    Second, the words "other information" are included in the definition.
    Although it has been commented that this would include the
    unauthorised distribution of passwords or digital certificates, it
    could include information on sites that attempt to educate people
    about hacking from a prevention perspective. Often there is little
    difference between the information on these sites and those that
    contain instructions on how to implement "hacks". The information that
    they provide could be more than useful in the commission of a crime.
    One possible solution is that the courts will look at the intention
    behind the mounting of the material, and therefore find that mounting
    of "prevention" sites is not a criminal activity.
    
    The third issue is that the new section refers to software or other
    information used or able to be used for "the commission of a crime".
    Unlike the select committee report, "crime", as used in the section,
    is not limited to "computer crime". Is the definition limited to
    unauthorised access crimes or does it mean crime in general? If it is
    crime in general, the distribution, creation or possession of software
    for purposes other than "hacking", for example, file transfer or
    copying software (which could be used for copyright crimes), could
    fall within the section.
    
    The select committee has introduced these new sections at a late
    stage. There is no formal opportunity for public submissions.
    Techlaw's concern is that new crimes may be passed without the
    necessary weighing of competing interests, for example, rights of
    "fair use" of copyright versus the property rights of copyright
    holders.
    
    A reasonable opportunity for public debate should be available before
    such potentially far-reaching crimes are introduced.
    
    
    
    Parkinson is a partner and Woo is a law intern in Clendon Feeney's
    technology law team. This article, together with further background
    comments and links to other web sites, can be downloaded from
    www.clendons.co.nz. Questions and comments can be sent to Averill
    Parkinson.
    
     
    
    
    -
    ISN is currently hosted by Attrition.org
    
    


