As part of SAGE-AU, we did several submissions on this to the Government, and during the Melbourne round of public submissions, it seemed like we were getting through. Most of the session was talking about our issues, and most of the pro-copyright people sat through it. They did amend it to take into account backups, etc., but they didn't go far enough.

Now, the basic thing is that you have to have Intent to commit a crime. If you are doing pen-tests on behalf of customers, and you have lawyer-drafted waivers signed by the client, their ISP and your ISP, and you've notified AusCERT and the federal police (who are most commonly called by people not in the loop, if ever), then you do not have the INTENT to commit a crime. Only if you don't hand the money back is there a problem. :-)

If you don't have a lawyer-drafted waiver, effectively getting the client to accept all risk, and putting some ability for the client to stop things at any time, then you shouldn't be doing this stuff. If you're doing a pen-test on yourself, there's no crime. Just keep it away from telco CPE and you'll be right.

Now - the tools section. SAGE-AU is drawing up a Code of Practice for System Administrators (and people like System Administrators, such as Security Administrators or contractors). The CoP not only documents current best practice in a fairly high-level way, it will specifically hold people to doing the right things, and ethically. If you are a member of SAGE-AU, holding to the CoP, and hold or develop tools, then you will be okay. Otherwise, if someone searches your PC and finds the tools, you can theoretically be charged. But there must be INTENT to commit a crime for serious jail time to be an option. Other organisations are also free to develop a CoP and get it registered.
Andrew
ex Presidente Of SAGE-AU, http://www.sage-au.org.au/

-----Original Message-----
From: Tony Langdon [mailto:tlangdonat_private]
Sent: Friday, 6 July 2001 08:52
To: 'Ari Weisz-Koves'; PEN-TEST
Subject: RE: New legislation in Australia to make pen-testing illegal?

> Anyone else out there from Australia, or was the internet
> legislation of '99 enough to make everyone leave? I'm struggling
> to understand how these laws could be passed and enforced -
> essentially, it may soon be illegal to have scanners or hacking
> tools in your possession, and all passwords and security measures
> must be handed over to the government on request.

Well, that would seem to be a rather short-sighted approach. I know the Bill was passed in 1999 to enact the new laws (and I was involved in a couple of rallies to try and make the Government see reason). I, for one, believe that administrators like myself need access to tools and port scanners to be able to test our own systems' resistance to attack. Failure to do so is failing to live up to our responsibility to the wider Internet community. To be honest, I'm not 100% sure what the law ended up saying on the possession or (legitimate) use of security scanners.

> Does anyone know if these kinds of measures are enforced
> anywhere else in the world, or has my government just gone nuts?

Well, I'll avoid political discussion on the list, but I saw a distinct lack of reason and understanding when it all developed in 1999.
--------------------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Fri Jul 06 2001 - 08:40:52 PDT