By Stephen Bell
Computerworld New Zealand (Online)
Now it’s been made law, the New Zealand government’s so-called antihacking legislation is being picked to pieces by computer professionals.
The Crimes Amendment No 6 Bill, criminalizing interference with computer systems and interception of electronic communications, is sparking concern that it might prevent legitimate computer and network maintenance staff from doing their work.
Intrusion detection systems, the very tools used to protect computer systems from hacking, could be fingered as “intercepting” communications in a way that the provisions for legitimate maintenance do not seem to have taken into account, says one InternetNZ member.
The new act says interception of communications is not a crime if carried out by an employee of the organization providing the communications service solely and necessarily “for the purpose of maintaining that Internet or other communications service.” This may not exclude intrusion detection systems, the member says.
There is also concern about clauses that allow police and intelligence services to intercept e-mails and other digital communications. Another InternetNZ member wants to know how these agencies will effectively target the party named on an interception warrant without intercepting and seeing the traffic of innocent users.
A contractor who frequently troubleshoots private computer networks points out that the exclusions in the act refer only to “public” networks, and questions whether the caveats of implied authority and user expectation cover all cases of maintenance within an organization.
The act is clear that interference with a computer system is not a crime when “authorized” and that a private communication does not include “a communication occurring in circumstances in which any party ought reasonably to expect that the communication may be intercepted.”
“This comes down to the difficulty in informing 2000 staff that ‘your communication might be inadvertently intercepted while we fix this problem,’” the inquirer says, or in ensuring that everyone knows their ‘private’ e-mail is visible in various places along the way for various reasons.
Discussion on the NZNOG (network operators’ group) mailing list has raised the question of “authority” to access a computer system. By one interpretation, everyone has in some sense “authority” to access the Internet and computers connected to it, if only to view a Web site or send e-mail. An exclusion in the act, pointed to by Computerworld Online, Judge David Harvey and others, permits a user who has some authority to access a system to use it in ways not permitted by that authority.
This, NZNOG contributors suggest, allows “privilege escalation,” which is a common route for computer and network attacks.
“Get one level of access (which might be deliberate, and might be guest-only) and through trickery gradually upgrade your level of access until you ‘own’ the box or network,” one subscriber suggests. “This legislation appears to countenance that, so long as you had a valid reason for accessing the network or computer originally, which is easy to produce.”