Slashdot Mirror


Hacker Indicted In France For Publishing Exploits

Guillermito writes "Hello. I'm a French scientist living in Boston. I analyse small security software under Windows as a hobby, for fun and curiosity. For example, I showed how to easily extract hidden information from a dozen steganography software packages, often commercial programs claiming a very high security level. I did the same with a French generic anti-virus, showing several security flaws, and that it didn't stop '100% of known and unknown viruses' as claimed. First the company called me a 'terrorist,' then sued me. I've just been indicted last week in Paris. It seems that it's a general trend in France, and maybe in Europe, these days."

561 comments

  1. Look on the bright side... by Anonymous Coward · · Score: 5, Funny

    Now you get to search for holes in the French jail system. Find a big enough one and you're free!

    1. Re:Look on the bright side... by Orgazmus · · Score: 5, Funny

      I think the other inmates might look for holes in him too.

      --
      The system had the verbosity of HTML combined with all the readability of compiled assembly viewed as bitmap images
    2. Re:Look on the bright side... by Anonymous Coward · · Score: 0, Funny

      nah, this is a French prison...

      they'll offer him a cigarette, and then surrender.

    3. Re:Look on the bright side... by Anonymous Coward · · Score: 2, Interesting

      It has always been illegal to compromise security in France, whether exposed or not.
      Hack a smartcard, descramble pay TV, find a flaw in Apache, whatever, you will get busted.
      Whether French law allows for it or not, companies and judges will not tolerate it, and bust your ass, and you usually lose out.
      They don't care about reason, just don't do that kind of stuff.
      Sad but true.

    4. Re: Look on the bright side... by yankee-doodle · · Score: 1

      I don't know much about this affair, but we only have one side of the story. Don't we? From what I see, "Guillermito" has posted at least 500 usenet articles about this antivirus. Not all nice things about the company, product and the people who work there. Maybe it has something to do with the company's lawsuit? Maybe they didn't just sue you for the vulnerabilities you found (from what I know about French law, this is definitely not enough to make a case work against you). Guillermito, are you really telling us the truth? I mean, the entire truth?

    5. Re:Look on the bright side... by Anonymous Coward · · Score: 0

      In mother Russia, the holes exploit you!

    6. Re:Look on the bright side... by linzeal · · Score: 1

      If you do not know, this is a joke based on the story of the Count of Monte Cristo.

    7. Re:Look on the bright side... by SphericalCrusher · · Score: 1

      Maybe he'll be in communication with Adrian Lamo. I think the two should co-write some kind of novel dedicated to the Gray-Hats that get jailed.

      Seriously. Look out your fucking window. People rape, murder, and steal all in bad names -- even if breaking into computer systems IS a crime, at least they did it with good intentions. I hate how hackers are looked down upon. Come on. We're computer geniuses, not the creators of a genocide.

      --
      "Instant gratification takes too long." - Carrie Fisher
  2. Dinosaurs are dead by AssProphet · · Score: 5, Funny


    What does stenography have to do with software? Didn't they become extinct millions of years ago?

    1. Re:Dinosaurs are dead by Anonymous Coward · · Score: 0

      dude...i know you are new here..but for the love of karma,

      post jokes as AC

      even if you get a +3 Funny, your karma gets hammered.

      funny doesn't net you karma, but the overrated/negative ones will hurt you just the same.

      so in a case like yours, 1+1+1-1-1 does not equal +1

      it equals -1

    2. Re:Dinosaurs are dead by Strog · · Score: 2, Funny

      The author was probably thinking of

      Stegosaurus: (from Gr. στενός, close, narrow, and γράφειν, to write), the system or art of writing by signs representing single sounds or groups of sounds, single words or groups of words, sometimes also styled brachygraphy (Gr. βραχύς, short); it is a general term including all the various systems of shorthand writing (see SHORTHAND).

      Give him a break, he's getting taken to court over this. Good spot though. ;-)

    3. Re:Dinosaurs are dead by Anonymous Coward · · Score: 0

      Who gives a shit?

    4. Re:Dinosaurs are dead by Anonymous Coward · · Score: 0

      karma is for pussies.

    5. Re:Dinosaurs are dead by shadowcabbit · · Score: 1

      Agreed. Funny should be funny without regard for karma.

      Oh, and actually-- "stenography" isn't the same as "steganography"... but it's still funny, thinking of court clerks dying out millions of years ago...

      --
      "Why Subscribe?" Good question...
    6. Re:Dinosaurs are dead by Anonymous Coward · · Score: 0

      No - apparently they are writing our laws now.

    7. Re:Dinosaurs are dead by joshuaobrien · · Score: 1

      steganography != stenography

  3. Good luck! by Anonymous Coward · · Score: 5, Interesting
    I wish you the best. You should be given job offers, contracts, and cash for what you do, not put on a cross to die! It's a shame, really. Hopefully your case goes public and some good lawyers will help you for cheap if they think the press for themselves is worthwhile. Good luck!

    1. Re:Good luck! by dnoyeb · · Score: 0

      He should have simply posted that these packages could be exploited and not posted the actual exploit. If the company ever tried to sue him, then he could publish the exploit.

      I think the act of publishing the exploit would certainly be his undoing in this case.

    2. Re:Good luck! by Timothy+Brownawell · · Score: 3, Insightful
      He should have simply posted that these packages could be exploited and not posted the actual exploit.
      But would anyone have believed him?

      Tim

    3. Re:Good luck! by tomhudson · · Score: 5, Insightful
      If you read the article, he was charged with "counterfeiting and concealing counterfeiting". I guess that's because there's a way to twist the law in some prosecutor's mind so that the charge seems to apply.

      Sort of like calling spitting on the sidewalk a "terrorist act" because it could be labeled a "biohazard" if you really stretched it.

      I echo the parent posters' sentiment: bon chance!

    4. Re:Good luck! by gilesjuk · · Score: 3, Informative

      The problem is such exploits are published and not referred to the companies in question for them to fix these faults.

      By publishing exploits you are on one hand helping consumers choose their security software wisely, but on the other hand you are providing hackers with methods to penetrate systems.

    5. Re:Good luck! by Anonymous Coward · · Score: 0

      It actually is considered a bio hazard in many jurisdictions from laws passed after the 1917 flu epidemic which killed millions of strong healthy people worldwide. These laws have not been enforced for many years, but are on the books and could be enforced.

    6. Re:Good luck! by Buran · · Score: 3, Insightful

      On the third hand (this guy must be a mutant! ;)) a lot of companies won't bother to fix flaws if they aren't publicly and obviously posted, so crackers might find the flaws and use them for exploits, while the company that makes the software gleefully ignores the problem and gets to avoid responsibility and liability. That's definitely not good. I don't know (it's not clear from the English writeup) whether any attempt was made to notify, but many people who release exploit data do so only as a last resort.

    7. Re:Good luck! by shadowcabbit · · Score: 1

      French spelling nitpick: "bon chance" is incorrect. "Chance" is a feminine noun (uses "la" instead of "le"). So it should be "Bonne chance".

      I would have said "French spelling nazi" but then I realized that putting the words "French" and "nazi" in the same phrase was just plain wrong. ^_^

      --
      "Why Subscribe?" Good question...
    8. Re:Good luck! by gilesjuk · · Score: 1

      Oh some companies need to be humiliated into fixing bugs (the beast of Redmond is guilty of this). But most exploits aren't exploited until they are announced.

    9. Re:Good luck! by Buran · · Score: 1

      Most, but I'd bet not all. It's an interesting debate, to be sure.

    10. Re:Good luck! by kfg · · Score: 1

      Spelling Vichy, perhaps, mon frere?

      Travail, famille, patrie, epellation.

      KFG

    11. Re:Good luck! by JackCroww · · Score: 0

      Or a Motie.

      The Gripping Hand by Larry Niven and Jerry Pournelle

      --
      "Ayn Rand is a bloody socialist compared to me." - Robert A. Heinlein
    12. Re:Good luck! by green_crocadilian · · Score: 1

      On the third hand (this guy must be a mutant! ;)) a lot of companies won't bother to fix flaws if they aren't publicly and obviously posted...

      Shouldn't that be "on the gripping hand"?

    13. Re:Good luck! by maxpublic · · Score: 4, Insightful

      The problem is such exploits are published and not referred to the companies in question for them to fix these faults.

      And there's absolutely no ethical obligation on the part of the person who finds the flaw to inform the company before informing the public. It's up to the company to prevent the sudden appearance of egg all over their faces, not folks who aren't their employees and aren't getting paid by said company to find such faults in the first place.

      Funny how well corporations have managed to brainwash some people into thinking otherwise...as if in the end we're all their employees and 'owe' them something beyond the price we pay for their (buggy and insecure) software. I wonder when this little tidbit was included in the definition of 'capitalism'?

      Max

      --
      My god carries a hammer. Your god died nailed to a tree. Any questions?
    14. Re:Good luck! by Anonymous Coward · · Score: 0

      It might not be ethical from a corporate point of view but, this may surprise you, there are actual people who bought the software and are using it, as a human being I feel you have some sort of moral and ethical obligation to protect other humans.
      IMHO the proper procedure would be to contact the company involved with all information (a confirmed snailmail would do well) and give them proper time to fix the problem (about a month would be enough for most AV products but a company can always ask to hold back the publishing a while longer if needed) and then just publish the article regardless of whether it's fixed or not.

  4. Hax0r teh planet! by Anonymous Coward · · Score: 0, Troll

    Can't you just hax0r the court's computers and remove all instances of your name? Maybe replace it with Bill Gates or something?

    Alternatively, mail a picture of a rifle to the French government. That will make them back down.

    1. Re:Hax0r teh planet! by strictnein · · Score: 3, Funny

      Alternatively, mail a picture of a rifle to the French government. That will make them back down.

      Nah... they'll just draw a line on the ground and politely ask you not to cross it, or go around it.

    2. Re:Hax0r teh planet! by Anonymous Coward · · Score: 0

      Too bad he's already in there, courtesy of the EU.

    3. Re:Hax0r teh planet! by spood · · Score: 1

      I send you this file to have your advice.

      Attachment: maginot.jpg.pif

      --
      ---- Just another spud server.
  5. There is no faster way by ThisIsFred · · Score: 5, Interesting

    There is no faster way to make enemies than to point out someone's stupidity, and then prove it publicly. But I am on your side. Companies that market security products that aren't are committing fraud, IMO. And I'd rather have you publish the vulnerability than someone else publish the automated exploit.

    --
    Fred

    "A fool and his freedom are soon parted"
    -RMS
    1. Re:There is no faster way by Orgazmus · · Score: 0, Troll

      Try attacking every country that looks like they could become a threat, and support a terrorist nation when you're at it.
      (Just an imaginary example)
      That should keep you relatively friendfree.

      --
      The system had the verbosity of HTML combined with all the readability of compiled assembly viewed as bitmap images
    2. Re:There is no faster way by Anonymous Coward · · Score: 0

      i don't understand... don't things like automobiles have flaws exposed all the time which lead to recalls by the manufacturer? do the people whose car exploded because of a faulty gas tank get sued for exposing such weaknesses to the public?

    3. Re:There is no faster way by LionMage · · Score: 3, Informative
      There is no faster way to make enemies than to point out someone's stupidity, and then prove it publicly.

      Never have truer words been spoken on Slashdot. (Well, OK, that's probably not true, but this is an idiomatic expression in English...)

      After publicly commenting in my weblog that I found a WiFi access point in my office building being run wide-open, with no security (not even a password), and noting that this access point belonged to someone in the Honeywell office just down the hall, I ran into an interesting situation several months later...

      It seems that one of Honeywell's lawyers noticed this blog entry and found out that I was employed by a consulting firm that had Honeywell as one of its biggest customers. So Honeywell's solution to the embarrassment of having a gaping security hole pointed out publicly was to pressure my employer into firing me. Luckily, cooler heads prevailed, and I let Honeywell image the hard drive on my laptop; the Honeywell employee who set up the rogue access point wasn't so lucky.

      The moral of the story is, large companies are humorless, and the bigger the company, the more draconian the steps they'll take to protect themselves and their corporate image. That doesn't mean you should cower in fear whenever these companies flex their muscles.
  6. Glad to see... by BJZQ8 · · Score: 5, Funny

    I'm glad to see that the EU has broken the U.S. monopoly on wacky, mindless computer lawsuits!

    1. Re:Glad to see... by Dr.Dubious+DDQ · · Score: 4, Insightful

      I realized France had joined the 'stupid lawsuit that wins anyway' club with the whole Mobilix/Obelix thing...

    2. Re:Glad to see... by Anonymous Coward · · Score: 3, Funny

      I'm hoping your horizons will one day expand to the point that you realize the US has *never* had a monopoly on stupidity of any sort.

    3. Re:Glad to see... by skahshah · · Score: 1

      While I agree with you about France, the Mobilix/Obelix lawsuit was German (Munich's court of appeal for the last decision), even if the plaintiff was French.

    4. Re:Glad to see... by Anonymous Coward · · Score: 0

      No, but we do seem to have significant market share.

  7. Enshrined protection of whatever by The+I+Shing · · Score: 5, Funny

    I sure am glad I live here in the USA where my right to expose the weaknesses of corporate products is enshrined in our beloved Constitut...

    Hold on, there's a SWAT team banging on my door.

    I'd better go let them know that they must have the wrong house.

    --
    You are in error. No-one is screaming. Thank you for your cooperation.
    1. Re:Enshrined protection of whatever by ThisIsFred · · Score: 4, Funny

      Hold on, there's a SWAT team banging on my door.

      Excellent! Would it be too much trouble for you to go outside and ask the SWAT dev team why the default is to look for smb.conf inside /usr/lib instead of /etc/samba? I mean, who puts configuration files in with userland libraries?

      --
      Fred

      "A fool and his freedom are soon parted"
      -RMS
    2. Re:Enshrined protection of whatever by paranode · · Score: 5, Insightful

      You joke as if people here do not have that right, but it has already been shown that such free speech is protected here. Not only that, but you can even distribute source code to exploit it.

    3. Re:Enshrined protection of whatever by The+I+Shing · · Score: 4, Insightful
      You joke as if people here do not have that right, but it has already been shown that such free speech is protected here. Not only that, but you can even distribute source code to exploit it.
      And, by God, let's pray that it stays that way, brother.
      --
      You are in error. No-one is screaming. Thank you for your cooperation.
    4. Re:Enshrined protection of whatever by bugnuts · · Score: 1

      No, his sarcasm is lost on you.

      Why not GIS for "DMCA" and you'll see that this law DOES have a chilling effect on speech regarding security and security research.

    5. Re:Enshrined protection of whatever by Anonymous Coward · · Score: 1, Insightful

      Why not GIS for "DMCA" and you'll see that this law DOES have a chilling effect on speech regarding security and security research.

      Only if your security research has little to do with security and more to do with breaking copy protection. Free speech on security vulnerabilities is protected, you just can't be distributing code to bypass copy protection. I don't like that law too much either, but it's not really relevant at all to this issue.

    6. Re:Enshrined protection of whatever by bugnuts · · Score: 4, Informative

      Free speech on security vulnerabilities is protected, you just can't be distributing code to bypass copy protection.

      It's not just copy protection, but encryption schemes, which you can easily claim steganography is, since it shares many qualities. Remember that Adobe used the DMCA to prosecute someone for "breaking" their ROT13 encryption. And IIRC, 2600 lost their appeal for publishing links.

      This law is being cited to enable all sorts of abuses by corporations that have roomfuls of attorneys, and has been used to leverage threats to a researcher from disclosing weaknesses at a convention. It was initially cited to threaten the guy that disclosed the "shift-key" exploit on CD protection. No sane researcher would rule it out in the USA -- you still would have to answer to it being abused.

    7. Re:Enshrined protection of whatever by MrSelfDestruct · · Score: 1

      rofl!

      --
      Some mornings it just doesn't seem worth it to gnaw through the leather straps. -- Emo Phillips
    8. Re:Enshrined protection of whatever by Anonymous Coward · · Score: 1, Informative

      2600 won the right to link (the Ford case). They lost the appeal regarding their publication of the DeCSS source code.

    9. Re:Enshrined protection of whatever by Anonymous Coward · · Score: 0

      ah, thanks... I misremembered.

    10. Re:Enshrined protection of whatever by Zareste · · Score: 1

      Oh, *whew* for a second I missed the 'such' and thought you were saying free speech -in general- is protected. That would've been awkward.

      However, I make it a point never to say those dreaded words: 'ah, our government would never do that.' Cause, - maybe this is just a superstition - historically, whenever somebody says that, it's only a matter of time before it happens.

      Oh, and there's not much the government can do about a well-worded threat from a company.

      --
      I am NOT a number! I am a - oh wait, I'm number 761710. Look! 761710!
    11. Re:Enshrined protection of whatever by NoMercy · · Score: 1

      ROT13 isn't encryption, it's a character encoding; simply because different binary values mean different things isn't encryption of any sort.

      ROT13 is as much encryption as ASCII or EBCDIC.

    12. Re:Enshrined protection of whatever by Maestro4k · · Score: 4, Interesting
      • You joke as if people here do not have that right, but it has already been shown that such free speech is protected here. Not only that, but you can even distribute source code to exploit it.
      At one time I would have agreed with you. Having had an encounter with the government over false accusations made against me (not even computer-related), and having seen the results, I have to say that in theory we have freedom of speech, in PRACTICE, the government can quite easily ruin your life over something you say, even if they can't even charge you with anything.

      Remember, publicity about something you're accused of is all the court of public opinion needs to convict you. Winning at trial (if you're charged) or having things dropped later on aren't enough to undo that. To use what's probably a bad example, remember the OJ trial? He was found not guilty of murder, but exactly how many people do you know who believe that to be the truth? And how many do you know who'd hire him to work for them, even if it was digging ditches?

      Finally don't forget that fighting charges against you can bankrupt you. Even if you end up innocent, you may find your life utterly and totally destroyed thanks to this. Frankly our "justice" system has lost all its justice, and innocent until proven guilty has gotten forgotten somewhere along the way.

    13. Re:Enshrined protection of whatever by Henk+Poley · · Score: 3, Funny

      "SWAT" stands for "Skilled Workers With Advanced Tools." in the Rapid Application Development (RAD) context.

    14. Re:Enshrined protection of whatever by Sick+Boy · · Score: 1

      Well, I'd hire OJ for my "Stabbing White Girls" side business, but he's on the other side of the country, in Florida. If I ever expand into a SWG chain though, FL will be my first stop, to capitalize on the obvious talents of Mr. Simpson.

      --
      Does narcissism count as a hobby? --Shawn Latimer
    15. Re:Enshrined protection of whatever by The+AtomicPunk · · Score: 1

      Nice try, we know you're lying. You just claimed you live in the USA, yet SWAT teams knock. Har har har.

    16. Re:Enshrined protection of whatever by Anonymous Coward · · Score: 0

      Remember that Adobe used the DMCA to prosecute someone for "breaking" their ROT13 encryption.

      Although that sure sounds good, it was a heck of a lot more than just ROT-13. In fact, ROT-13 was really just included in the ebook SDK as an example of how to implement an encryption system. One ebook publisher was stupid enough to use it (New Paradigm Resources, Inc) but the others used "real" encryption (obviously flawed, but it was not just something from a manual). For proof, see this affidavit from the EFF; search for rot-13 to find the list of actual encryption methods that were circumvented.

      IIRC, 2600 lost their appeal for publishing links.

      That would be links to DeCSS not Elcomsoft's closed-source, proprietary software.

      When arguing for the side of the righteous, factual errors only detract from the strength of your position.

    17. Re:Enshrined protection of whatever by rottcodd · · Score: 1

      Why not GIS for "DMCA"

      I guess it's appropriate, given the steganography work he's done...

    18. Re:Enshrined protection of whatever by computational+super · · Score: 3, Insightful

      Unless you're accused of "Terrorism" (as the poster was). That's the tricky point - even here in the U.S., if they use the "magic word", the Patriot Act trumps the constitution. I'm not being facetious - that was the whole (only) point of the Patriot Act. "The bill of rights makes it hard to fight terrorism, so repeal it for people we say are terrorists. We promise we won't abuse it."

      --
      Proud neuron in the Slashdot hivemind since 2002.
    19. Re:Enshrined protection of whatever by Anonymous Coward · · Score: 0

      A simple substitution cipher (or "Caesar cipher") is generally the first thing presented in an introduction to encryption. It may be weak encryption, but it's encryption none the less.

      The ASCII code is, well, a code, rather than a cipher, which is to say it's an arbitrary mapping that must be well-known to all parties sharing the information. If you conceal the code book, you can use a code for security. Or you can publish the code book for the sake of standardization. Compare with, say, the standard tables of Huffman codes that define bit patterns in a fax transmission.

    20. Re:Enshrined protection of whatever by Short+Circuit · · Score: 3, Interesting

      I guess the results are on a case-by-case basis. When my mother (who had/has custody...we're all grown now.) took me and my brother on a vacation to Florida, my biological father called the FBI telling them she had kidnapped us.

      The FBI got really pissed at him when she provided the court documents proving she had custody.

      The moral of the story is to document everything that can serve as evidence on your defence.

      I may wear a tin foil hat, but I wear it with pride.

    21. Re:Enshrined protection of whatever by Anonymous Coward · · Score: 0

      ROT13 isn't encryption, it's a character encoding; simply because different binary values mean different things isn't encryption of any sort.

      ROT13 is as much encryption as ASCII or EBCDIC.


      A little bit of knowledge is a dangerous thing.

    22. Re:Enshrined protection of whatever by Maestro4k · · Score: 1
      • The FBI got really pissed at him when she provided the court documents proving she had custody.

        The moral of the story is to document everything that can serve as evidence on your defence.

      I'm curious how things turned out for your biological father, given that the FBI reacts quite badly to being lied to AND that it's a federal crime actually, I wouldn't be surprised to hear he ended up in jail over this.
    23. Re:Enshrined protection of whatever by whittrash · · Score: 1

      Eventually the underground malicious hackers and spammer hackers will get this info eventually. Why not get it out in the open so everyone can fix their stuff. These companies unfortunately are in a catch 22 situation. They can get embarrassed by having their exploits published or they can suffer failures of their products when they get infected with viruses. They gain nothing with this lawsuit except to publicize the fact that they aren't living up to their word.

    24. Re:Enshrined protection of whatever by Short+Circuit · · Score: 1

      He got off with a warning. He may have claimed that he didn't know that the parent in custody could leave the area, etc. He's a real smooth talker.

    25. Re:Enshrined protection of whatever by TGK · · Score: 1

      I finished reading the page and was still laughing out loud at this comment. I just wanted to let you know since mod points won't do anything at this point.

      Damn that's funny.

      --
      Killfile(TGK)
      No trees were killed in the creation of this post. However, many electrons were inconvenienced.
    26. Re:Enshrined protection of whatever by Anonymous Coward · · Score: 0
      Remember, publicity about something you're accused of is all the court of public opinion needs to convict you. Winning at trial (if you're charged) or having things dropped later on aren't enough to undo that. To use what's probably a bad example, remember the OJ trial? He was found not guilty of murder, but exactly how many people do you know who believe that to be the truth? And how many do you know who'd hire him to work for them, even if it was digging ditches?


      Obviously, he's not very good at digging ditches. The plastic and the shovels were still in the back of the bronco!!
    27. Re:Enshrined protection of whatever by stry_cat · · Score: 1
      And IIRC, 2600 lost their appeal for publishing links.
      Not exactly. They are not allowed to have a clickable link (i.e. use the A tag), but can display the URL in text. Totally shows that the judge is stupid.
    28. Re:Enshrined protection of whatever by lysander · · Score: 1

      Actually, exactly. The fault was that of the prosecuting party, in that the case was only with respect to linking instead of something more generic.

      --
      GET YOUR WEAPONS READY! --DR.LIGHT
    29. Re:Enshrined protection of whatever by JuggleGeek · · Score: 1
      it has already been shown that such free speech is protected here

      Technically, free speech is protected in the US - true enough. However, you can still be sued for telling the truth, and if sued, you have to defend yourself (a fairly expensive process) or you *will* lose the case. I've been doing some research in that area recently, after receiving a cease-and-desist letter from a lawyer. I have a webpage which describes how a company named MailWiper (supposedly selling anti-spam software) has been advertising via spam, with links to other sites showing that their sister company (supposedly anti-spyware) has been forcing spyware onto people's computers and telling them "To get rid of this, you have to buy our anti-spyware software." The spammer apparently doesn't like the free publicity I've given him.

      The page is at http://www.whitis.com/mailwiper.htm. Despite the fact that everything I say is true, and many other sites also discuss the company's business practices, if the spammer does sue, I will have to defend. I would certainly expect to win the case - but I'll have to hire a lawyer to do it.

    30. Re:Enshrined protection of whatever by Openstandards.net · · Score: 2, Insightful
      That's extremely true, and I wish more people were aware of it. This actually started in the 80s when we created the Foreign Intelligence Surveillance Court (FISA) court to gather evidence on alleged spies without public accountability and sealing of the evidence so the defendant can never see it even when it is the primary evidence used to prosecute.

      This became a rubber stamp court, with only one request out of over 7,500 since its inception being rejected by the judges. Of course, the people are unaware of it because the proceedings of the court are secret, and the defendants are usually unaware of the evidence being used against them.

      The existence of the court is not secret though, as it was created by a law passed in the 80s, and the quantity of searches granted by the court is public. Indeed, the US government was accused of abusing this court recently to broaden its purpose, before the Patriot Act was "clarified" to permit such abuse by the US prosecutors, FBI and intelligence agencies. One of the judges on the panel scolded the US government for being deceptive in the types of cases it was bringing, indicating that the US government does try to bring people before FISA that are not spies, but instead ordinary criminals. The US appealed a decision to legally obtain a broadening of the court's purpose, originally without legislation.

      If I remember correctly, congress passed a law to "clarify" that the Patriot Act extended this to cover those suspected of "terrorism". Hasn't it occurred to anyone that none of the trials of suspected terrorists are public?

      This is such a sad demise of the US Constitution and American liberty. To me, I'd be willing to die like our forefathers did to preserve American freedom and create the Bill of Rights. I just wish we weren't so willing to discard it today under the illusion that our life-spans will be longer. When I was a child, being willing to die to preserve American freedom was a common notion. Now, being willing to give up freedom to avoid the remotest chance of dying, no matter how statistically improbable, has become a de facto notion. To suggest otherwise, well, that would be unpatriotic! Or would it be terrorist?

      Unfortunately, without the ability for the press or the people to attend trials of suspected terrorists, it's unlikely that this will ever be overturned. We'd have to prove that the system was used unjustly, but the Patriot Act has removed all accountability, so that it is nearly impossible to prove the injustice.

      The question is, if it was "spies" yesterday, and now includes those labeled as "terrorist" or "threats to national security" by the investigators and prosecutors today, then what label is next? Or, are the current labels broad enough to permit US prosecutors to throw anyone in prison for life that they see fit? It's hard to discern when our government is no longer accountable to the people it's supposed to represent.

      Is there any way to determine what cases the government has filed to prevent public accountability under the Patriot Act? I'd like to follow up on this to at least try to estimate how many cases there are today. If at all possible, I'd like to know if it is even remotely possible to discover any injustices occurring. Justice is, after all, the purpose of all this. Right?

      Links:

      THE SECRET FISA COURT: RUBBER STAMPING ON RIGHTS
      Secret court meets to consider Justice Department appeal
      Secret court gives U.S. gov't wiretap powers
      Secret Court Rebuffs Ashcroft
      Secret court may limit government power to spy on domestic terror

      These links aren't in chronological order, and I obtained them using a simple

    31. Re:Enshrined protection of whatever by pedrop357 · · Score: 1

      Off-topic,
      Does anyone else find it interesting and hypocritical at the same time that it's a federal crime to lie to federal agents and usually illegal to lie to state/local police, yet the courts have said it's not illegal for police/feds to lie to suspects?

    32. Re:Enshrined protection of whatever by cehbab · · Score: 1

      /me agrees

    33. Re:Enshrined protection of whatever by Anonymous Coward · · Score: 0

      > You joke as if people here do not have that right, but it has already been shown that such
      > free speech is protected here

      I bet you also expected to find pictures of Anna Kournikova in that .pif file huh?

    34. Re:Enshrined protection of whatever by NoMercy · · Score: 1

      Depends on your definition of encryption.

      ROT13 is nothing more special than any other encoding, and it is an encoding that I will stand by, but some encodings are also very weak encryptions. Personally, I'd rather the law state plainly that something has to undergo a mathematical transformation of the data itself to be encrypted, rather than other forms of bit-shuffling, look-up table conversions and re-sequencing, which are really just codings.

      Guess I'll have to accept though that ROT13 is encryption, but I won't give up on ROT13 as being an encoding.

  8. 'Bout Time by LooseChanj · · Score: 5, Funny

    To move to a sane country. There any left?

    --
    Mix the failings of Usenet with the shortcomings of the World Wide Web and the result is slashdot.
    1. Re:'Bout Time by Orgazmus · · Score: 3, Interesting

      Could try Norway?
      DVD-Jon got off the hook over here, why shouldn't it work this time? ;)

      --
      The system had the verbosity of HTML combined with all the readability of compiled assembly viewed as bitmap images
    2. Re:'Bout Time by Anonymous Coward · · Score: 0

      Hmmm..

      Welcome to 'Linux Island'! Diversity is high, conversations are long, and coffee is always in short supply... Sure our efforts are scattered but damnit we have a good time doing it! :-)

    3. Re:'Bout Time by Anonymous Coward · · Score: 0

      Plenty of them:

      Mars, Venus, Saturn, Jupiter, Pluto, Neptune, Mercury, Uranus.

      Take your pick. Although I'd personally stay away from Mars, de' man is already there.

    4. Re:'Bout Time by lambent · · Score: 2, Insightful

      DVD-Jon also got tried twice for the same crime. I'll stick in the US where double-jeopardy (and a very large back yard to hide in) affords some sort of protection from that sort of thing.

    5. Re:'Bout Time by kajoob · · Score: 4, Insightful

      Instead of packing up and running every time something happens that you don't like, why not stick around here and fight for what you believe in? You can start by sending a few bucks to the EFF.

      --
      Quidquid latine dictum sit, altum viditur
    6. Re:'Bout Time by necrognome · · Score: 1

      Can I get DSL in the Easter Islands?

      --


      Let's get drunk and delete production data!
    7. Re:'Bout Time by Orgazmus · · Score: 1

      I think he might have been convicted and put away in the states.
      The Norwegian copyright laws are a bit less fucked up ;)

      --
      The system had the verbosity of HTML combined with all the readability of compiled assembly viewed as bitmap images
    8. Re:'Bout Time by Ravensfire · · Score: 1

      Nah - the state tried you first, then the federal government tries you if you're found innocent by a state jury.

      -- Ravensfire

      --
      "But we decide which is right, and which is an illusion"
    9. Re:'Bout Time by Jugalator · · Score: 1

      I'm sitting here, comfortable between the land of DVD-Jon and the land of Linus. Now, if you just excuse me while I go to shop some DVD's with tape (yes, tape) fees added to them to compensate for "lost revenues" from making use of our fair use rights.

      I still wonder what revenues they're losing. If they're losing something, they're per definition thinking they'd gain something otherwise. Oh right, the lost revenues from we not buying multiple albums for use in a car and at home... of course. Yes, that makes a lot of sense. :-P

      --
      Beware: In C++, your friends can see your privates!
    10. Re:'Bout Time by Anonymous Coward · · Score: 0

      Yes, here

    11. Re:'Bout Time by Anonymous Coward · · Score: 0

      Well, you could always pack up and move, and still send money to the EFF...

    12. Re:'Bout Time by Monkelectric · · Score: 1
      How long before you're on some government watch list for giving money to the EFF? Just curious...

      I don't remember who said it, but a very wise fellow once said, "Terrorism, drugs and kiddy porn are the root keys to the constitution."

      --

      Religion is a gateway psychosis. -- Dave Foley

    13. Re:'Bout Time by molarmass192 · · Score: 1

      Hej! Sweden's a nice place and the people are friendly. My biggest beefs about moving there would be the outrageous costs of alcohol and gasoline ... well, that and having to watch NHL games at 1 in the morning.

      --

      Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws-Plato
    14. Re:'Bout Time by liquidsin · · Score: 1

      it's the american way, my friend. the country was founded by a group of people running away from things they didn't like. oh yeah, that and the fact that every damn slashdot reader giving five bucks to the EFF would still be a tiny drop in the bucket against the lobbying cashflow of the people who buy these shitty laws in the first place.

      --
      do not read this line twice.
    15. Re:'Bout Time by (54)T-Dub · · Score: 1

      the state tried you first, then the federal government tries you
      .... for infringing on the rights of the offended party.
      --

      "I can not bring myself to believe that if knowledge presents danger, the solution is ignorance" - Isaac Asimov
    16. Re:'Bout Time by Anonymous Coward · · Score: 0

      try Canada

      it's legal to download MP3s here. (you just can't upload them.)

      on the downside, it gets a little cold^H^H^H^H cool here in winter.

    17. Re:'Bout Time by Jediman1138 · · Score: 1
      Instead of packing up and running every time something happens that you don't like, why not stick around here and fight for what you believe in?


      Because until the higher-ups in the judicial system listen to the little guys (the real heroes) without being biased towards slick-talking companymen, nothing will get accomplished...


      Hey, Canada. Got room for one more?


      ___________________________________________

      --

      nothing.can.stop.me.now

    18. Re:'Bout Time by Monkelectric · · Score: 2, Funny

      Probably not, but I hear the girls there give great head.

      --

      Religion is a gateway psychosis. -- Dave Foley

    19. Re:'Bout Time by Jason+Hood · · Score: 0

      Instead of packing up and running every time something happens that you don't like, why not stick around here and fight for what you believe in? You can start by sending a few bucks to the EFF.

      Oh geeze, just cut to the chase and ask for mod points next time...

      --
      Are you intolerant of intolerant people?
    20. Re:'Bout Time by Anonymous Coward · · Score: 0

      "'Bout Time To move to a sane country. There any left?"

      And how many people can you fit on SeaLand?

    21. Re:'Bout Time by tverbeek · · Score: 1
      I'll stick in the US where double-jeopardy (and a very large back yard to hide in) affords some sort of protection from that sort of thing.

      Canada's Charter of Rights and Freedoms also proscribes double jeopardy. And its back yard is even bigger (if you count the in-ground pool).

      --
      http://alternatives.rzero.com/
    22. Re:'Bout Time by General+Fault · · Score: 2, Funny
      Maybe if all of us techies leave and invade some other country, kicking all of the non-techies out... we could rule the world! Talk about nerd nation. We could let the rest of the world fall into the dark ages, then take over.

      So, now all we have to do is decide which country... How about the moon?

      --
      No man is an island... But I wouldn't mind having a bigger moat.
    23. Re:'Bout Time by Rick+Zeman · · Score: 1

      DVD-Jon also got tried twice for the same crime. I'll stick in the US where double-jeopardy (and a very large back yard to hide in) affords some sort of protection from that sort of thing.

      Tell that to all of the people who get off on state charges only to find themselves facing Federal charges....

    24. Re:'Bout Time by uwquazi · · Score: 4, Funny

      One small problem with this: The nerd-nation won't last past a generation. You need TWO sexes for that.

    25. Re:'Bout Time by iamacat · · Score: 1

      why not stick around here and fight for what you believe in?

      Because staying in jail is nasty and an individual should do everything possible to protect him/herself against that. Voting with your feet is also a form of fighting.

      Sticking around is an option when majority of the population is against status quo and ready for an uprising or, in a working democracy, serious action at the voting booth. I doubt most French citizens care much about steganography.

    26. Re:'Bout Time by aquabat · · Score: 1
      When you say "If you don't like it, go to a country where you can do what you want", you are treating your country like a corporation, and instead of voting with your wallet, you are voting with your citizenship.

      Moving would be detrimental to the country you move out of because they lose your skills.

      Moving would be beneficial to the country you move to because they get your skills.

      I think this tactic is effective in the long term, if there exists a country you can move to that lets you do what you want (and also satisfies your other needs, like security, standard of living, good health care, etc.).

      --
      A republic cannot succeed till it contains a certain body of men imbued with the principles of justice and honour.
    27. Re:'Bout Time by tverbeek · · Score: 1
      Can I get DSL in the Easter Islands?

      <pedantic>

      • It's "Easter Island". There's only one.
      • If you really want to get away from the rest of the world, Pitcairn Island (settled by the mutineers of the Bounty) is the place to go. It's farther from any continents, and has no pesky tourist-bringing airstrip like Easter has. The sexual-abuse trials and the jurisdictional issues with New Zealand are making the legal situation rather awkward there these days. But they do have regular internet access now.
      </pedantic>
      --
      http://alternatives.rzero.com/
    28. Re:'Bout Time by Mixel · · Score: 1

      In Mother Russia, lawyers pay YOU!

      No, seriously, I think Russia is a nice sane place for hacking and software legislation.

    29. Re:'Bout Time by Patrik_AKA_RedX · · Score: 4, Funny
      We could let the rest of the world fall into the dark ages, then take over.
      After the techies left, the signs of decay appeared everywhere throughout the world. Every clock displayed the blinking 12:00 of doom. Frightened people went looting when their desperate search for the outlook-icon showed fruitless. Millions of messages never reached their destination as countless people failed to access their voicemail. Finally famine struck the dark cities after so many were unable to plug their microwaves in. Chaos, darkness and fear were everywhere and soon Man was only but a vanishing memory in minds of the few surviving animals.

      But after the dust had settled, the techies of the world resurfaced and a new nation was born. A nation without the fear of crashes, without spam or wild prosecutions. Even the evil RIAA which terrorised the lands was no longer to be feared. And from that day on not a single clock had ever been stuck on blinking 12:00 again.
    30. Re:'Bout Time by Graspee_Leemoor · · Score: 0, Troll

      Forget Norway!

      More like Snorway!

      Note to the clueless: Norway does not have lions and tigers.

      graspee

    31. Re:'Bout Time by bckrispi · · Score: 3, Insightful
      Tell that to all of the people who get off on state charges only to find themselves facing Federal charges....

      Jeez, anyone who's taken Criminal Justice 101 knows that this is not double jeopardy!! If you steal a credit card number and make purchases on it, chances are, your state has a law against this kind of fraud, so you've committed a crime against the state. Theft of a credit card is also a Federal Offense. And you've probably also violated a Civil law that will open you up to a lawsuit from the theft victim for his "pain and suffering". Yes, you've committed "one" act, but that act is a crime in three separate jurisdictions - ergo three separate crimes, which means each jurisdiction will have an opportunity to get a piece of you. Double Jeopardy would be if you had been acquitted of the State charges, and afterwards the State charged you again for the same crime.

      --
      Xenon, where's my money? -Borno
    32. Re:'Bout Time by Anonymous Coward · · Score: 0

      I hate to break the news to you but the world is -already- going down the path to a new dark age.

      Technology is only one facet of enlightenment.

      What we really need to do to halt this descent is eradicate the most divisive/progress stifling/dehumanizing force the world has ever known: religion.

      We can tackle consumerism once the real evil in this world is defeated.

    33. Re:'Bout Time by zhiwenchong · · Score: 1

      Yup. Canada.

      Plus, if you're French, you will feel quite at home in la belle province, Quebec. Even the metro system feels like the one in France, runs on rubber tires and all. ;-)

    34. Re:'Bout Time by the_mad_poster · · Score: 1

      Yes, you're absolutely right. It's not double jeopardy.

      It's just abusive, unnecessary bullshit.

      --
      Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
    35. Re:'Bout Time by Rick+Zeman · · Score: 1

      Tell that to all of the people who get off on state charges only to find themselves facing Federal charges....

      Jeez, anyone who's taken Criminal Justice 101 knows that this is not double jeopardy!
      Not the legal definition no, but in effect, yes.

    36. Re:'Bout Time by General+Fault · · Score: 1

      Who says? I'm sure we can figure out a way around that. Though, it will get a little scary when we lose our centerfold models. Maybe they can come too.

      --
      No man is an island... But I wouldn't mind having a bigger moat.
    37. Re:'Bout Time by Anonymous Coward · · Score: 1, Funny

      Maybe if all of us techies leave and invade some other country, kicking all of the non-techies out...we could rule the world!
      Talk about nerd nation...
      So, now all we have to do is decide which country.


      How about India?

    38. Re:'Bout Time by poot_rootbeer · · Score: 1

      why not stick around here and fight for what you believe in? You can start by sending a few bucks to the EFF.

      Pfft. Money is cheap, and the "bad guys" have more of it to throw around than we do.

      Donating your TIME will have a greater impact. Write to your elected representatives -- schedule an in-person meeting with them if you can. Let them know that your liberties are extremely important to you and if they won't take steps to protect them, you'll work towards taking them out of office and putting in someone who will.

      Democracy is not something that happens organically. You have to get involved if you want change.

    39. Re:'Bout Time by Anonymous Coward · · Score: 0

      yeap but we wont take you

    40. Re:'Bout Time by Tropaios · · Score: 1

      Beautiful, simply beautiful... I got goosebumps.

    41. Re:'Bout Time by Anonymous Coward · · Score: 0

      Come home to India. Lots of tech jobs available too...

    42. Re:'Bout Time by maxpublic · · Score: 1

      Instead of packing up and running every time something happens that you don't like, why not stick around here and fight for what you believe in?

      Assuming there are enough people who give a shit. Seems to me that with each passing year there are more and more Americans who couldn't give a rat's ass about the Bill of Rights, and who'll defend any government action, no matter how inane, as 'necessary'. How many times have I heard the argument "but times have changed, the Constitution is an outdated document that isn't applicable to our modern world"? When I was a kid no one in their right mind would even dream of whispering such a thing, yet I hear it more and more often these days - with others chiming in over the 'wisdom' of the speaker!

      There's a point where believers in the Constitution and the Bill of Rights will become such a tiny minority that it's no longer possible to win against the government, much less stave off the disintegration of freedom in this country. And at that point the only logical course of action is to go to some other country that's still sane, and let the morons stew in the pseudo-dictatorship they so obviously crave. Only idiots fight a battle they can't win.

      Max

      --
      My god carries a hammer. Your god died nailed to a tree. Any questions?
  9. Proposterous! by Doesn't_Comment_Code · · Score: 5, Insightful

    I'll admit right away that I'm not familiar with France's free speech laws.

    But from a common sense point of view, I really don't see how telling the truth about weak software can be illegal. It may lead to damage to a company, but that damage was caused by the security holes, not someone exposing them (hidden defects are a ticking timebomb anyway.)

    From the common sense view point, it also seems right to inform the company first, before telling everybody. But telling the truth should not be illegal.

    --

    Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
    1. Re:Proposterous! by General+Wesc · · Score: 2, Interesting
      It's illegal to insult people. But so long as he didn't release the vulnerabilities saying 'this moronic company. . .' :-)

      (Are companies 'people' in France?)

    2. Re:Proposterous! by gl4ss · · Score: 4, Insightful

      well most likely they made up most of their claims(of what the poster had done) and just want to set an example or something insane like that.

      just like there's jerks in usa there's jerks in europe as well.. and probably in middle-east and far-east as well. there's quite a few of totally broken 'security' products that are not even meant to work more than just give false assurance to their users, they're people selling snake oil and as far as their products go they're just as good as some "miracle magnets" for fuel-lines & etc. there's no point in informing the company in such case since the fuckin company is just basically fraudsters in the first place.

      --
      world was created 5 seconds before this post as it is.
    3. Re:Proposterous! by Anonymous Coward · · Score: 0

      Einstein did not believe in god you dolt.

    4. Re:Proposterous! by Doesn't_Comment_Code · · Score: 1

      That's very interesting! There are some crazy laws out there. Some local laws are just amazing.

      --

      Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
    5. Re:Proposterous! by Particle010 · · Score: 2, Insightful

      I think you're missing the point here. Freedom in general does have one very important price, and that's responsibility. Sure you could point out those aspects of the software to the general public, but you have to ask yourself one question: with regards to the fact that leaking this information publicly could and most likely will lead to the compromise of systems using said software, is it the responsible thing to do? The common sense answer is NO. The responsible thing to do would be to privately alert the company of the security problem and perhaps documenting such to prove you warned them in case of inaction.

      --
      "Not the Earth!!! That's where I keep all my stuff!!!" - The Tick
    6. Re:Proposterous! by Vellmont · · Score: 1

      He's charged with "counterfeiting" (which I guess is equivalent to breaking copyright laws). The whole thing sounds very strange, since I'm not sure how coding exploits would break any copyright law.
      France has never been very open with regard to free expression in code. I don't know if it's still true, but France used to have several laws controlling the use of encryption in France.

      --
      AccountKiller
    7. Re:Proposterous! by Anonymous Coward · · Score: 1

      Sorry, but the responsible answer is YES.
      If somebody has found a hole in a product (especially a security product) I am using, I want to know it ASAP in order to take measures to protect my systems.

    8. Re:Proposterous! by Anonymous Coward · · Score: 0, Insightful

      "God does not play dice with the universe" - Albert Einstein

    9. Re:Proposterous! by Monkelectric · · Score: 4, Insightful
      Freedom in general does have one very important price, and that's responsibility.

      No jackass, you're wrong, and you're thinking like one of "them". The "responsibility" lies with the companies making *FRAUDULENT* claims.

      You're saying this fellow should politely inform these companies that they are lying? I think they know already.

      --

      Religion is a gateway psychosis. -- Dave Foley

    10. Re:Proposterous! by Anonymous Coward · · Score: 0
      If there's only one hole and the company is willing
      to work to fix it then it would be the best thing
      to talk to the company. Unfortunately almost every
      company would rather sweep problems under the rug and
      pretend there is no problem than actually fix the problem.
      When you have a company that makes outrageous claims
      such as preventing "100% of all known and unknown viruses"
      you know you're not dealing with honest people
      and likely letting others know the truth is better.


      Of course in the end he forgot it's no longer legal to
      do anything that will cause a company to make less money.

    11. Re:Proposterous! by Another+MacHack · · Score: 1, Offtopic

      "From the viewpoint of a Jesuit priest I am, of course, and have always been an atheist.... I have repeatedly said that in my opinion the idea of a personal God is a childlike one. You may call me an agnostic, but I do not share the crusading spirit of the professional atheist whose fervor is mostly due to a painful act of liberation from the fetters of religious indoctrination received in youth. I prefer an attitude of humility corresponding to the weakness of our intellectual understanding of nature and of our being." -- Einstein

    12. Re:Proposterous! by silas_moeckel · · Score: 2, Insightful

      Yay one more for security through obscurity. Let's try this on something tangible: if there was one spot on a certain car that if you did something the car's doors would open and the engine would start up, let's say hit it with a 5lb hammer. Should you be arrested for not telling toyota first and waiting for them to fix it? Should 5lb hammers start to be considered car theft tools?

      People need to be made aware of the vulnerabilities of anything ASAP. The person that makes it public may not be the first person to find the issue. Network elements can be made to stop the exploits or reduce their impact. It's not fair to say well most people don't care about their systems so we will protect the lazy at the expense of the vigilant. Always remember patching is not the only solution to an issue, it's generally the best in the long term but you can have a lot of other methods at your disposal as well in the short term.

      --
      No sir I dont like it.
    13. Re:Proposterous! by asmellysock · · Score: 1

      You're assuming that the company knowingly released exploitable software. The state-of-the-art in software design and development does not yet have a way to ensure defect-free software.

    14. Re:Proposterous! by randyest · · Score: 1

      Did you read the linked site which explains the weaknesses of these "security" products? I think not, for the issues described aren't bugs or obscure exploits -- they are obvious and wide-open for anyone to see who even bothers to look a little. It's obvious from the implementations that the programs do not even try to do what they are claimed to do.

      --
      everything in moderation
    15. Re:Proposterous! by ultramk · · Score: 1

      Let's try this on something tangible: if there was one spot on a certain car that if you did something the car's doors would open and the engine would start up, let's say hit it with a 5lb hammer.

      You're thinking of a Citroen, not a Toyota.

      m-

      --
      You catch enchiladas by picking them up behind the head and holding them underwater until they don't kick anymore -VeGas
    16. Re:Proposterous! by Anonymous Coward · · Score: 0

      just like there's jerks in usa there's jerks in europe as well.. and probably in middle-east and far-east as well.

      Wow, you mean to tell me there are jerks all over the world? No way! I'm glad I come to /. for insightful comments such as this.

    17. Re:Proposterous! by Anonymous Coward · · Score: 0

      All I know about Bush is I had a job when Clinton was president.

      That is a call out to all of you wanna be politicians out there. Become job pimps. Don't bother to explain the economics of it...really it does not matter. They won't question the details of your plan as long as you fit it into a sound bite. Information overload. Keep it simple.

      Don't tell them that you control the economy because then you have to explain the economy. Me in power = you job.

      Sheep need protection.

      --
      All I know about science is that when the church explained things it made me feel better.

    18. Re:Proposterous! by pviceic · · Score: 1
      It is not illegal to say the truth. The problem is that you have to pay lawyers and prepare for the long and expensive court battle.

      The justice is the right that not everyone can afford..

    19. Re:Proposterous! by wfberg · · Score: 1

      You're assuming that the company knowingly released exploitable software.

      If they didn't do so knowingly, would they
      a) fix the bugs, or
      b) shoot the messenger, wasting precious time and money that could have been spent on item a)?

      --
      SCO employee? Check out the bounty
    20. Re:Proposterous! by Anonymous Coward · · Score: 0

      I think that you mean Preposterous

    21. Re:Proposterous! by Anonymous Coward · · Score: 0

      Freedom in general does have one very important price, and that's responsibility.

      No jackass, you're wrong, and you're thinking like one of "them". The "responsibility" lies with the companies making *FRAUDULENT* claims.


      Freedom of speech does bring with it responsibilities. In an extreme case, writing a computer virus and posting it to usenet should not be protected by free speech.

      Now, what this guy has done is at *least* a few steps removed from that and I think the people trying to prosecute him are in the wrong. But it is not as open and shut as you might think.

  10. Just goes to show... by Anonymous Coward · · Score: 0

    ...that you don't need a DMCA to have people arrested for stuff like this.

  11. Why waste your time on windows apps? by Yaa+101 · · Score: 0, Troll

    You better do this with Linux apps, we will thank you for it instead of suing your ass.
    Leave the incompetent crap for incompetents, might be what you have learned from this.

  12. Terrorist??? Sounds like libel to me. by JDRipper · · Score: 5, Interesting

    If they publicly called you a terrorist in writing without sufficient evidence, can't you sue their berets off for libel?

    --
    "You know Myra, some people might think you're cute. But me, I think you're one very large baked potato."
  13. In America it's totally different by Anonymous Coward · · Score: 5, Funny

    We sue first, and then we call you a terrorist.

    1. Re:In America it's totally different by alb0 · · Score: 1

      > We sue first, and then we call you a terrorist.

      I guess some people in Guantanamo would argue about that...

      But I forgot, Guantanamo is not America!

    2. Re:In America it's totally different by commodoresloat · · Score: 1

      Actually, according to what people say here in America, I was under the impression that if the French government thought he was a terrorist they would send him cheese and croissants, not sue him.

  14. I'll burn in hell for this ... by crimethinker · · Score: 4, Insightful
    Well, since you are French, there is only one thing you can do:

    SURRENDER to the authorities.

    Seriously, though, this sucks ass.

    However, I'm quite sure that you're a terrorist, because we all know that terrorists publish the exploits they find. Why, back in June of 2001, I saw an article about how to smuggle knives onto airplanes. I also remember seeing an article shortly after that about putting plastic explosive in your shoes (i.e. Richard Reid). Come on, folks, people who find and PUBLISH weaknesses in software are not the problem.

    -paul

    --
    Pistol caliber is like religion: everyone has their favourite, and theirs is the only right choice.
    1. Re:I'll burn in hell for this ... by Anonymous Coward · · Score: 0, Flamebait
      Well, since you are French, there is only one thing you can do:

      SURRENDER to the authorities.

      Or he can take them completely by surprise and go on the offensive. I bet he'll have Chirac begging for a peace treaty in no time...

    2. Re:I'll burn in hell for this ... by Anonymous Coward · · Score: 0

      Starting Score: 1 point
      Moderation +2
      .... 40% Insightful
      .... 20% Flamebait
      .... 10% Troll
      Extra 'Insightful' Modifier 0
      (Edit) Total Score: 3

      Well, not quite burning in hell, but close enough.

    3. Re:I'll burn in hell for this ... by Anonymous Coward · · Score: 0

      Why, back in June of 2001, I saw an article about how to smuggle knives onto airplanes. I also remember seeing an article shortly after that about putting plastic explosive in your shoes (i.e. Richard Reid). Come on, folks, people who find and PUBLISH weaknesses in software are not the problem.

      Although I would have to agree with you in the current situation (current article), not all information should just be considered free-for-all. How about information on your personal life? Or how about information on how to build a nuclear bomb? Or how about information on how to break into a nuclear facility? Hacker mentality is great and all, but I wouldn't consider a howto guide on putting plastic explosives in your shoes some weakness that should be published for everyone to see.

  15. Who was it that said... by Le+Marteau · · Score: 5, Insightful

    "It's dangerous to be right when the government is wrong".

    This is a case in point. The author may be in the right, but we are living in hysterical times, and woe unto the man who walks in front of the governmental steam roller with a team of jackasses and corrupt, ignorant politicians at the wheel.

    --
    Mod down people who tell people how to mod in their sigs
    1. Re:Who was it that said... by Anonymous Coward · · Score: 0

      good call. Informative AND insightful.

      -------------------
      Exercise your right to vote November 9, 2004.
      This has been a public service announcement.

    2. Re:Who was it that said... by MarkusH · · Score: 5, Informative

      That would be Voltaire.

      Another good quote: "There are some acts of justice which corrupt those who perform them." - Joubert

    3. Re:Who was it that said... by Anonymous Coward · · Score: 0
      isn't
      "...corrupt, ignorant politicians..."
      doubly redundant?

      As I tell my daughter, all politicians are either corrupt (e.g. Clinton) or retarded (e.g. Bush).

      Sadly, voting often comes down to deciding which candidate will do the least harm while in office, then holding your nose and pulling the lever.
    4. Re:Who was it that said... by WormholeFiend · · Score: 3, Funny

      ohh ohhh a quotation contest!

      "Where is the justice of political power if it executes the murderer and jails the plunderer, and then itself marches upon neighboring lands, killing thousands and pillaging the very hills?"
      Kahlil Gibran

      "The very first law in advertising is to avoid the concrete promise and cultivate the delightfully vague."
      Bill Cosby

      "It is from numberless diverse acts of courage and belief that human history is shaped. Each time a man stands up for an ideal, or acts to improve the lot of others, or strikes out against injustice, he sends forth a tiny ripple of hope, and crossing each other from a million different centers of energy and daring, those ripples build a current that can sweep down the mightiest walls of oppression and resistance."
      Robert Francis Kennedy
      - /got nuthin
      -

    5. Re:Who was it that said... by Le+Marteau · · Score: 5, Interesting

      ohh ohhh a quotation contest!

      "Did you really think that we want those laws to be observed? We want them broken.
      You'd better get it straight that it's not a bunch of boy scouts you're up against . . .
      We're after power and we mean it. You fellows were pikers, but we know the real trick,
      and you'd better get wise to it. There's no way to rule innocent men. The only power
      any government has is the power to crack down on criminals. Well, when there aren't
      enough criminals, one makes them. One declares so many things to be a crime that it
      becomes impossible for men to live without breaking laws. Who wants a nation of law-abiding
      citizens? What's there in that for anyone? But just pass the kind of laws that can
      neither be observed nor enforced nor objectively interpreted - and you
      create a nation of law-breakers - and then you cash in on guilt. Now that's the system,
      Mr. Rearden, and once you understand it, you'll be much easier to deal with."

      From "Atlas Shrugged" by Ayn Rand

      --
      Mod down people who tell people how to mod in their sigs
    6. Re:Who was it that said... by EMH_Mark3 · · Score: 1

      How about "A witty saying proves nothing"? :P

      --
      Burn the land and boil the sea, you can't take the sky from me
    7. Re:Who was it that said... by Mateito · · Score: 1

      ohh ohhh a quotation contest!

      - WormholeFiend, 31/3/2004, Slashdot.

    8. Re:Who was it that said... by Anonymous Coward · · Score: 0

      How about this one:

      "How would you like to suck my balls?"

      - Eric Cartman

    9. Re:Who was it that said... by mr.nicholas · · Score: 1

      ohh ohhh a quotation contest!

      "Unenforceable laws make a mockery of justice."

      -- some techno song

    10. Re:Who was it that said... by Anonymous Coward · · Score: 0

      Let me in the contest!

      When love is gone, there's always justice.
      And when justice is gone, there's always force.
      And when force is gone, there's always Mom.
      Hi, Mom!
      -Laurie Anderson

      Mo

    11. Re:Who was it that said... by Natchswing · · Score: 1

      Man, I was so ready to post this as an ideal quote from the RIAA. Glad someone else sees a connection.

    12. Re:Who was it that said... by mojoNYC · · Score: 1
      i'll just add my sig...

    13. Re:Who was it that said... by CrayzyJ · · Score: 1

      "ohh ohhh a quotation contest!"

      I bent my wookie.
      -Ralph Wiggum

      --
      Holy s-, it's Jesus!
    14. Re:Who was it that said... by Thing+1 · · Score: 1
      Every time I trot that quote out I get +5 karma. I'm already at max so it doesn't matter anyway, but it's good to see someone else learn that trick. ;-)

      I don't even keep a copy of it. Whenever I want to find it, I just google for "ayn rand pikers guilt criminals" and it's one of the top three. Enjoy!

      --
      I feel fantastic, and I'm still alive.
    15. Re:Who was it that said... by Anonymous Coward · · Score: 0

      Man, Rand took 173 words to say what Voltaire would have said in 10. Just another reminder that Ayn Rand had all the literary delicacy and grace of a killer giant robot.

  16. Signs of the future? by Anonymous Coward · · Score: 5, Interesting

    Now, if Microsoft is forced to release the windows source because of the EU, does this mean anyone who points out vulnerabilities will get sued too?

    Seems like a strange way to thank someone for helping them. It's like beating someone to death with a tire-iron because they told you your tire is flat.

    1. Re:Signs of the future? by Anonymous Coward · · Score: 0

      Hah, Microsoft will never be forced to release the source of windows.

    2. Re:Signs of the future? by asr_man · · Score: 1

      Fool! I am trying to sell this tire! Your statements are tortuous business interference. Prepare to have your mouth sued shut!

  17. Re:And I thought the DMCA was bad ... by Anonymous Coward · · Score: 0

    Not a problem. Just stand up for yourself. You're being indicted in France. The French gov't will back down very quickly and probably blame the Americans.

  18. Stops 100% of unknown viruses? by RubiCon · · Score: 5, Informative
    Umm, you can't do that - I think I first saw the relevant paradox in Ralf Burger's book on viruses and it goes something like this: Say you've got some blackbox routine called is_a_virus() that does just what these guys claim; all you do is build it into a virus like so:
    if ( is_a_virus(me) ) { do_nothing() } else { replicate() }
    So, if you're a virus, you're not a virus - but if you're not, you are. Reductio ad absurdum, anyone?
    1. Re:Stops 100% of unknown viruses? by Anonymous Coward · · Score: 1, Insightful

      If is_a_virus() gives some false positives, there would be no contradiction. I don't think this is an airtight argument.

    2. Re:Stops 100% of unknown viruses? by HeghmoH · · Score: 5, Informative

      This is nicely covered by Rice's Theorem. In short, Rice's Theorem says that it's impossible to write a program to determine with 100% accuracy any property of another program's behavior or output.

      Rice's Theorem is basically a generalized version of Turing's proof that the halting problem can't be solved, and it uses exactly the argument you outline.

      --
      Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
    3. Re:Stops 100% of unknown viruses? by lavalyn · · Score: 3, Interesting

      Catching all viruses is easy. Label all files viruses. Isn't all that helpful but absolutely "true."

      Just like flagging all spam is easy, or flagging all important email important is easy.

      (For those in statistics, Type I and Type II error.)

      --
      Doing the Right Thing should not be preempted by making a buck.
    4. Re:Stops 100% of unknown viruses? by Anonymous Coward · · Score: 0

      Huh? How is this different than:

      if ( is_a_program(me) ) { do_nothing() } else { dostuff() }

      ?

      This program will do_nothing() in any case.

    5. Re:Stops 100% of unknown viruses? by musikit · · Score: 4, Funny

      maybe they fulfill their claim by executing the following commands

      deltree C:\Program Files\Outlook Express
      deltree C:\Program Files\Internet Explorer
      deltree C:\Program Files\Microsoft Office

    6. Re:Stops 100% of unknown viruses? by fwankypoo · · Score: 1

      The initial assumption is that is_a_virus() works 100% of the time - no false positives, no false negatives - which is what the company in question claimed. So, in fact, it leads to the contradiction, meaning that _no_ is_a_virus() routine can succeed 100% of the time in either direction.

      --
      The time of day is 29:33.
    7. Re:Stops 100% of unknown viruses? by MythMoth · · Score: 1

      You can reasonably assume that false positives are acceptable.

      Rename "is_a_virus(me)" as

      contains_replication_routine(me)

      and you'll see my point.

      --
      --- These are not words: wierd, genious, rediculous
    8. Re:Stops 100% of unknown viruses? by bugnuts · · Score: 3, Funny

      This is exactly how Kirk and Spock killed all those evil computers like Nomad and Landru.

    9. Re:Stops 100% of unknown viruses? by Anonymous Coward · · Score: 1, Funny

      Why did they have to call them "Type I" and "Type II"? Don't they know that some of us have trouble remembering arbitrary binary pairs? (I still can't remember if cations are positive or negative -- electrons are repelled by cathodes, and I think cathodes attract cations (although I could be wrong on that), so are cations positively charged? Google says yes! Yay! It's a breakthrough!)

      Anyway, is type I false positive (w/r/t the null hypothesis) and type II false negative? Google says yes! Yay! Another breakthrough! Or, at least, another type I error. :^)

    10. Re:Stops 100% of unknown viruses? by Anonymous Coward · · Score: 1, Interesting

      Just a variation on a classic result in theory of computation, which is itself related to Godel's Theorem.

      Such limitative results are old hat by now, interesting as they were in the 20's. Now that Godel has showed us the general trick, you can crank them out by the barrel, sort of like Cantor and diagonalization proofs.

      But there's still an interesting question buried in there: there may be "true but unprovable" theorems -- but are there any that don't embody just this style of self-reference? The incompleteness proof is sufficient to disprove a mathematically certain claim, but what is the real scope of such limits in a practical sense? The fact that not all programs can be proven to halt doesn't stop us from testing for correct termination on the programs we happen to be interested in.

    11. Re:Stops 100% of unknown viruses? by cballowe · · Score: 1
      Umm, you can't do that - I think I first saw the relevant paradox in Ralf Burger's book on viruses and it goes something like this: Say you've got some blackbox routine called is_a_virus() that does just what these guys claim; all you do is build it into a virus like so:
      if ( is_a_virus(me) ) { do_nothing() } else { replicate() }
      So, if you're a virus, you're not a virus - but if you're not, you are. Reductio ad absurdum, anyone?

      Not quite an accurate statement on your part -- your assumption relies on a specific construction of "is_a_virus()". And the paradox doesn't fail due to a reductio argument. It is purely due to the fact that it, if true, forces a contradiction. A reductio ad absurdum argument assumes the negation of what it tries to prove and from there proves that that leads to contradiction therefore its opposite must be true.

      Now... for your example. If the program that is running could call out to the is_a_virus() routine, that wouldn't be very useful to the anti-virus software, but ... besides that little issue - the virus you've constructed is still a virus even if it happens to do absolutely nothing when the software declares that it is a virus. The software wouldn't be wrong in eradicating it.

      What you've basically presented is an argument for completeness -- or, more specifically, a proof of incompleteness. However, that doesn't work here as the software doesn't claim to eliminate false positives. If after using some amount of resources, the software can't decide if the code is a virus or if it's harmless, then all it needs to do is block it.

      Consider for a moment a virus checker that has signatures for all non-virus software (or even just some large subset). Now, when a virus is checked, unless it matches a known good piece of software, it is rejected. In theory, all viruses are rejected, as well as possibly some non-viruses, but... I never claimed to not stop intentional software from running, just viruses.

    12. Re:Stops 100% of unknown viruses? by rpresser · · Score: 1
      If the program that is running could call out to the is_a_virus() routine, that wouldn't be very useful to the anti-virus software, but ...


      Every antivirus program I've ever used has the ability for a user to scan a particular file at will. (It may be a simple command-line invocation, or it may mean navigating a dozen menus while holding down the alt key, but it's possible.) What a user can do, a program can do. Ergo a program can invoke the antivirus scanner on itself.
    13. Re:Stops 100% of unknown viruses? by cballowe · · Score: 1

      fair enough -- but by identifying it as a virus, you have stopped its viral tendencies and therefore done the job of an AV package, regardless of the assertion that "it's only a virus when it's not".

    14. Re:Stops 100% of unknown viruses? by Penguinshit · · Score: 1


      Catching ALL malware is easy if we just implement this.

    15. Re:Stops 100% of unknown viruses? by Anonymous Coward · · Score: 0

      But it's not identified as a virus, that's the whole point.

    16. Re:Stops 100% of unknown viruses? by rpresser · · Score: 1

      Agreed. I was just nitpicking.

      The real point is that merely saying "I won't act like a virus if the scanner thinks I am one" won't stop the scanner from thinking it is one. So there's no contradiction.
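
The self-reference argument debated in this thread, as an added toy model in Python (not code from any commenter). The detector names, the `judge()` helper and the behavioural ground truth ("a virus is whatever replicates when run") are assumptions made for the illustration; "programs" here are plain callables that only return a label.

```python
"""Toy model of the is_a_virus() self-reference argument.

Constructed for illustration: a "program" is a Python callable that returns
the action it takes. Nothing is copied or executed outside this process.
"""

REPLICATE = "replicate"
DO_NOTHING = "do_nothing"


def truly_viral(program):
    """Assumed ground truth: a program is a virus iff running it replicates."""
    return program() == REPLICATE


def make_contrary(is_a_virus):
    """Build the thread's program: ask the detector about myself, do the opposite."""
    def contrary():
        if is_a_virus(contrary):
            return DO_NOTHING
        return REPLICATE
    return contrary


def judge(is_a_virus):
    """Classify how a deterministic detector handles its own contrary program."""
    program = make_contrary(is_a_virus)
    try:
        verdict = is_a_virus(program)
        truth = truly_viral(program)
    except RecursionError:
        # The detector decides by running its input, which asks the detector,
        # which runs its input again: it never reaches a verdict.
        return "no verdict"
    if verdict and not truth:
        return "false positive"
    if truth and not verdict:
        return "false negative"
    return "correct"


def flag_everything(program):
    """'Label all files viruses': never misses, flags harmless code too."""
    return True


def flag_nothing(program):
    return False


def harmless():
    return DO_NOTHING


KNOWN_GOOD = {harmless}  # constructed allowlist of known-good programs


def allowlist_only(program):
    """Flag anything that is not on the known-good list."""
    return program not in KNOWN_GOOD


def run_and_watch(program):
    """Decide by executing the program and observing what it does."""
    return program() == REPLICATE


DETECTORS = [flag_everything, flag_nothing, allowlist_only, run_and_watch]


def survey():
    """Map each detector name to its outcome on the contrary program."""
    return {d.__name__: judge(d) for d in DETECTORS}


if __name__ == "__main__":
    for name, outcome in survey().items():
        print(f"{name:16} {outcome}")
```

No detector in the survey comes out "correct": each one either errs in one direction or never answers. The detectors that never miss do so only by accepting false positives, which is the escape route several replies above point to.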

  19. did they redefine extortion and not tell me...? by spacepimp · · Score: 2, Interesting

    they sued you for experimenting and testing their claims? ie the virii statement. i can't imagine how this is any different than test environments in large corporations before a deployment or rollout.. did you perhaps send them a bill, demanding it be paid or you will reveal their misstatement of facts or perhaps, say you found a way around their security pay you to keep silent or ruin their profit model like what happened with google perhaps.. i'm curious to hear more about how this was taken as extortion it doesn't seem to fit with the word's definition.

  20. contact the eff by gmr2048 · · Score: 5, Informative

    dunno if they can help with french courts, but it's prolly worth it to at least bring it to their attention:

    www.eff.org

    -gary

    1. Re:contact the eff by ManxStef · · Score: 1

      Another one to check would be Reporters Without Borders/Reporters Sans Frontieres:

      http://www.rsf.org/
    2. Re:contact the eff by Anonymous Coward · · Score: 0

      I would recommend "IRIS" instead. There are many EFF-alikes world-wide, the European ones tend to be in contact with European digital rights

      Personally I would guess (ianal) any decent lawyer should get you out of trouble without turning the court into a full disclosure gospel church and the judge into an eff cheerleader. These things can backfire you know, even in the pre-DMCA-US not everyone agreed on full disclosure being the best first step to handle finding holes. Personally I think you put yourself at greater risk if you do not at least discuss holes with the manufacturer privately. What if systems get cracked by a hole you knew about but claim never to have discussed with anyone ....surely script kiddies didn't find it on their own, what is the chance of that?

      Unless there is evidence of code that isn't yours in your exploits a counterfeiting case should not come far I guess considering copyright/counterfeiting law tends to be the same world wide thanks to wipo. An expensive lawyer should also be able to take care of you being called a terrorist in a civil lawsuit, but whether you would even be able to get your money back out of such a thing is anyone's guess.

  21. Just a thought... by phaetonic · · Score: 1

    Would publishing these vulnerabilities from an anonymous workstation at a public library on a new hotmail account used once posted to a mailing list be just a bit safer than saying "I, JOHN DOE, FOUND THIS PROBLEM, MOREINFO AT JOHNDOE.COM"?

    1. Re:Just a thought... by happyfrogcow · · Score: 2, Insightful

      safer, but should be completely unnecessary.

    2. Re:Just a thought... by Anonymous Coward · · Score: 0

      Only cowards post anonymously.

  22. hmmm by frode · · Score: 2, Funny


    The French courts would probably back down if you threaten to invade.

    Heck I'll help. I could use a spare country.

    --
    I have no .Sig
    1. Re:hmmm by Rick.C · · Score: 2, Funny
      I could use a spare country.

      Maybe, but why would you want France???

      --
      You were 80% angel, 10% demon. The rest was hard to explain. - Over The Rhine
      "Math in a song is good."-Linford
  23. The moral of the story is.. by Murf_E · · Score: 3, Interesting

    don't go tell the company that their product is flawed but rather use your discovery to exploit people who use their product. Either way you will be sued but at least this way they have to find you

    --
    this sig intentionally left blank
  24. Of course by wardomon · · Score: 1, Insightful

    Don't mess with Proprietary Software(tm). They'll whack ya every time. They don't take kindly to any reverse engineering, hacking or peeking under the hood. They don't want people knowing that their products are usually worthless.

    --

    - - - If the sun is a star, why can't I see it at night?
  25. How can *this* be illegal ? by lazy_arabica · · Score: 5, Insightful

    It looks like looking for security flaws is increasingly seen as an illegal action by both companies and governments.

    Would I be sued if I told a company manufacturing bicycles that their products are not solid enough, and then can be dangerous ? Probably not.

    It will soon be forbidden to even talk about flaws. As a French citizen I feel very sad about it...

    1. Re:How can *this* be illegal ? by DirkDaring · · Score: 2, Insightful

      "Would I be sued if I told a company manufacturing bicycles that their products are not solid enough, and then can be dangerous ? Probably not."

      Probably not, no. But you could easily get a lawyer to get someone to fake an accident and sue the bicycle manufacturer for damages.

    2. Re:How can *this* be illegal ? by mooman · · Score: 1

      If we'd had this mindset a few decades ago, Ralph Nader would have gone to jail for "Unsafe at Any Speed" and we'd have Gore in the Whitehouse.

      You're right, this is clearly overreaction. Identifying fraud or flaws should never be illegal.

      --
      In the Portland, Ore area and like card games? Check out: http://groups.yahoo.com/group/portlandgames/
    3. Re:How can *this* be illegal ? by Anonymous Coward · · Score: 3, Informative

      Yes (at least if you publish the info). Consumer Reports has been sued for demonstrating flaws in products.

    4. Re:How can *this* be illegal ? by TheCrazyFinn · · Score: 1

      Nader should have gone to jail for 'Unsafe at any Speed', the conclusions of which were demonstrably false except for 1 particular configuration of the Corvair which was only sold for the first year (the base model with no anti-roll bars)

      --
      "You've got an invalid haircut" -Warren Zevon - Life'll Kill Ya
    5. Re:How can *this* be illegal ? by ekuns · · Score: 1

      Oprah and Consumer Reports have been sued many times for telling manufacturers that their products are unsafe. So, yes, you can be sued for anything.

    6. Re:How can *this* be illegal ? by Anonymous Coward · · Score: 1, Informative

      The Suzuki lawsuit against Consumers Union is still going strong over 10 years after the article critical of the "Suzuki Sumersault" came out.

      Don't forget that talk show host Oprah Winfrey was sued by cattle ranchers when she exposed how dangerous America's beef supply was. Fortunately, she could fight back, although she has been quoted as saying it was the biggest hardship she ever had to endure (and she's a billionaire!).

      Corporations are running the show in the USA, and are trying to create the same "investor friendly" environment elsewhere in the world. The results of new laws and such being passed are:

      1) It becomes easier and easier for corporations to sue you for anything, no matter how nonsensical.
      2) It becomes harder and harder for you to sue corporations for anything no matter how obvious their fault is.

    7. Re:How can *this* be illegal ? by j0eshm0e · · Score: 1

      The short answer is yes.

      Consumers Union

      In short, Consumers Union reported in their magazine, Consumers Report, that the 1995-1996 Isuzu Trooper was dangerous because they tipped under minimal conditions and gave them a failing grade. Lots of people read Consumers Report. Isuzu sued for libel and eventually lost.

      Carefully reading the article now, it cost Consumers Union over USD$100,000 to defend themselves which they received after the verdict.

      The true question is: Do you have or does this researcher from Yale who does work in France have $100,000+ available to defend yourself/himself before a verdict is handed out?

    8. Re:How can *this* be illegal ? by Anonymous Coward · · Score: 0

      It will soon be forbidden to even talk about flaws

      Are you implying there's some sort of flaw in your system of government?

      (The first rule of Dissent Club is never to talk about Dissent Club.)

    9. Re:How can *this* be illegal ? by tybalt44 · · Score: 1
      I think this is incorrect. The main conclusions of Unsafe At Any Speed were NOT about the Corvair in particular, but rather the reluctance of Detroit to build safe cars, and that safety concerns were subordinated to style and marketing concerns.

      If anything, the book was pretty bland, for the obvious reason that safety was subordinate because safety didn't sell.

    10. Re:How can *this* be illegal ? by dubiousmike · · Score: 1

      Suzuki has been suing Consumer Reports for years because their tests showed the Suzuki Samurai was very prone to rollovers.

    11. Re:How can *this* be illegal ? by thepeete · · Score: 0

      I can just see some religious freaks in the States invoking the DMCA on scientists because they're trying to break "God's" encoding.

      --
      My Karma is so low that even my own postings are beyond my current threshold
  26. 100 Points... by Eberlin · · Score: 1, Funny

    +100 Points to the first one to create a "Free Frenchy" sticker for this.

    Bonus points if they substitute "Freedom" for French and some bad pun about not hoping he fries or whatnot.

    1. Re:100 Points... by Anonymous Coward · · Score: 0

      They must have just raised their terror alert from 'Run' to 'Hide'.

  27. Good or Not? by Prince+Vegeta+SSJ4 · · Score: 5, Interesting
    I haven't brushed up on the law concerning publishing exploits in either France or the US, but it seems a little ridiculous to indict someone for pointing out a security hole.

    Sure it can be said that publishing an exploit will encourage a hacker to take advantage of said exploit, but by not publishing & letting it remain a secret is no guarantee that someone is not exploiting that same exploit. In fact, I'm willing to bet that some 3v1| H4x0r would eventually find it anyway. But I would rather know that it exists so that I may act, since, in my experience software companies are slow to react and try to hide or downplay flaws.

    Security solely by obscurity doesn't work.

    On the flip side, if the door to my house was wide open, I wouldn't want anybody yelling hey your door is wide open (to the world) without allowing me to fix it.

    IMO it boils down to common sense, and in this case I think that it is a beneficial thing to publish that sort of information. An even better route would be to alert the software makers first, and give them a 'short' time to release a patch. But only a very short time.

    1. Re:Good or Not? by earthforce_1 · · Score: 4, Insightful


      If you discovered a critical safety flaw in a particular model of automobile, do you:

      i) Let everybody know, so those who drive that particular model can get it fixed, or

      ii) Let only the manufacturer know, so they can fix it in next year's model first.

      What about the poor souls who are relying on the software for the security of their business? With your door analogy, it is equivalent to letting the lock manufacturer know that their locks are defective, without notifying the homeowner. (End user) It is their doors that are vulnerable. Of course by broadcasting this to the world, you let the bad guys know at the same time, but IMHO it is better than saying nothing.

      --
      My rights don't need management.
    2. Re:Good or Not? by OldMiner · · Score: 1, Interesting

      So, let's face something. This point here, it's just a repeat of what's been said time and time again. It's what people mean when they say "Slashdot groupthink". Althought the author supports her point with seemingly sound arguments, there are no references. It's all idealism.

      Here's a heads up to the rest of the world: Most people who abuse security holes don't write them. Most crackers are young and clever, but ignorant of many things. And, among those things, is how to search for, write code to abuse, and utilize security holes. The reason people fight publication of exploit code is because, without that code, most exploits would not happen. The reason people fight publication of mere issues is that there are people who will not search for security holes but will write and distribute code.

      There are simply so many discontent script kiddies out there compiling together other people's code to break into machines to retain some feeling of power and importance. One feels powerless, and breaking into systems and making others feel violated suppresses that feeling. It's the control that muggers and disadvantaged youths revel in, otherwise disregards them. This is the advantaged youth's power grab. And similar motivation goes to the people who publish security exploiting code. And who find these exploits. Each level up, you find a more sophisticated mind and a different sort of disenfranchisement.

      But what it breaks down to is that completely nonpublic disclosure of many application-specific vulnerabilities would fix these problems and filter out most actual acts of exploiting security holes.

      Pardon me for straying offtopic.

      --
      You like splinters in your crotch? -Jon Caldara
    3. Re:Good or Not? by carn1fex · · Score: 2, Interesting

      but it seems a little ridiculous to indict someone for pointing out a security hole.

      Exactly. What if the magazine Consumer Reports was reviewing their product and found this defect? Could the magazine then be indicted? How does this bode for private entities doing public reviews of a product?

      --

      ---------

      No matter how thin you slice it, its still baloney.

    4. Re:Good or Not? by arkanes · · Score: 1
      Note that you fail to provide any support for your arguments - there are at least 2 types of groupthink on this issue and yours is just the opposite of the OP.

      While you're quite correct that most script kiddies can't find holes on their own, I don't think that most viruses come from bugtraq exploit code. There's enough crackers out there who're good enough to write exploit code once the fact of the vulnerability is revealed.

      It's in the best interests of the public to have these things be in the open - it provides people with the opportunity to fix them. Without public disclosure, there's no way to know if things are really fixed. There's not even any way to know there's a problem. Application vendors are generally resistant to applying fixes (note how many of them threaten and sue people for public disclosure - even if they object to the disclosure on the grounds that it's dangerous, as you do, that doesn't mean that the discloser is a criminal).

      It sounds to me like you're totally against any sort of responsibility or accountability for security flaws in software and that's so irresponsible it makes me cringe.

    5. Re:Good or Not? by flossie · · Score: 1
      ... Slashdot groupthink". Althought [sic] the author supports her point with seemingly sound arguments, there are no references. It's all idealism.

      Here's a heads up to the rest of the world: Most people who abuse security holes don't write them. ... The reason people fight publication of exploit code is because, without that code, most exploits would not happen.

      If I understand your post correctly, you are of the opinion that security by obscurity is a valid method. Would you care to back up your "seemingly sound" arguments with some references?

    6. Re:Good or Not? by Anonymous Coward · · Score: 0

      I sort of doubt *this* firm would have bothered with fixing an exploit not publicly known. Also, there is merit in warning customers the software they are using is unsafe at least for the moment, so they can, in theory, stop using it until the patch comes.

    7. Re:Good or Not? by mvdwege · · Score: 1
      [..] completely nonpublic disclosure of many application-specific vulnerabilities would fix these problems and filter out most actual acts of exploiting security holes.

      Nice idea in theory. However, history has shown us that without the threat of full disclosure hanging over their heads, vendors will not fix vulnerabilities in time.

      Also, full disclosure, while giving hackers the tools to exploit a hole, will also at the same time give sysadmins and users the information to close or work around the security vulnerability.

      So while the chances of an initial exploit may rise, the 'Window of Exposure' is dramatically shrunk. Bruce Schneier has written a good essay on both the history and the theory behind Full Disclosure. Read it.

      Mart
      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
    8. Re:Good or Not? by MikeXpop · · Score: 1

      Bad analogy I'm afraid. Hoodlums can't exploit safety flaws. Not to mention that if there was a safety flaw, people could drive to a garage and get it fixed. What would happen with the anti-virus program?

      --
      Etiquette is etiquette. He kills his mother but he can't wear grey trousers.
    9. Re:Good or Not? by Belsical · · Score: 1

      I don't believe the Ford analogy mentioned in the blog is appropriate. It's more like finding a way to remotely detonate a Ford's gas tank and then telling all the pyromaniacs in the world. The difference being that the harm will not happen unless someone knows about it.

      I don't think publishing exploits without informing the company is appropriate. I believe that notifying the company and then saying, "I'm going to make this public in x units of time" is fair. That way the company is under pressure to fix it and can distribute a patch before the exploit is well-known.

      Ben

      --

      "There are no such things as mutual fantasies. Yours bore us and ours offend you."
      - Bill Maher
    10. Re:Good or Not? by Thing+1 · · Score: 1
      What if the magazine Consumer Reports was reviewing their product and found this defect? Could the magazine then be indicted? How does this bode for private entities doing public reviews of a product?

      I think you've hit on a solution: find an exploit, report it to Consumer Reports.

      Of course, if they don't act on it then you've gotta shout it from the rooftops, but perhaps Consumer Reports has a web forum...

      --
      I feel fantastic, and I'm still alive.
  28. Hmmm... by Anonymous Coward · · Score: 0

    The Socialists are just as messed up as we are...sweetness!

  29. Note to Europeans by strictnein · · Score: 3, Insightful

    Note to Europeans: while it is fun to point and laugh at us "stupid" Americans and our silly laws and lawsuits, you might want to take note that the same things are going on in your countries too, and will continue to get even worse.

    1. Re:Note to Europeans by westcourt_monk · · Score: 0, Flamebait
      But who showed them how to do it? It's American companies and their successful lawsuits that encourage this crap globally.

      --
      I am going to hell and I am going to take all of you with me.
    2. Re:Note to Europeans by Anonymous Coward · · Score: 0

      It's American companies and their successful lawsuits that encourage this crap globally.

      It appears you are saying one of two things:

      1. Europeans are too stupid to learn from the "error" of the US, something which most Europeans will deny.

      2. The world still follows the lead of the US, something which most Europeans will deny.

      Which is it? Or is it both?

    3. Re:Note to Europeans by Anonymous Coward · · Score: 0

      How is this flamebait? F'en stupid mods. We as Europeans need to hear this message and wake up to the reality that the poster is commenting on. While America clearly leads the world in stupid lawsuits and laws, it doesn't work to blame them if that same system of laws and lawsuits starts to appear in our countries (as another poster tried to). We need to do something about it before it gets worse.

    4. Re:Note to Europeans by phsdv · · Score: 1

      Apparently the French are more like the Americans. And the other way around. Much more than either side would like to admit/believe!

      <disclaimer>Don't harass me for telling the truth. I know neither of you will believe me</disclaimer>

  30. This sucks by Nevo · · Score: 4, Insightful

    Unfortunately, it appears that expertise in French law is lacking here at slashdot.

    I second the suggestion above: contact eff. Now. If they can't help they probably can point you to organizations that can.

  31. Well.... Let's be honest here... by Shirov · · Score: 2, Insightful

    If you were simply using the software and found exploits through the interface, then I totally agree, this is bullshit...

    HOWEVER, if you were digging through reverse engineered proprietary code, and publishing exploits at the code level... well, that is in fact illegal...

    Good luck either way though...

    "I used to have a sig, but a cheese eating surrender monkey ate it..."

    --Ryan

    1. Re:Well.... Let's be honest here... by Anonymous Coward · · Score: 0

      "reverse engineered proprietary code"

      If it's reverse engineered, then by definition it's your own code.

    2. Re:Well.... Let's be honest here... by Shirov · · Score: 1

      That's not even close to true... If I decompile code, and use it elsewhere, I'm not using "my" code. I'm mixing stolen code into my application.

      Let me be more specific. In my post, reverse engineered = decompiling.

      --Ryan

    3. Re:Well.... Let's be honest here... by logical1010 · · Score: 1

      if you were digging through reverse engineered proprietary code,...

      This makes no sense, if you have proprietary code, there is no need to reverse engineer anything. This guy has no proprietary code, therefore has no obligation to these companies wrt protecting copyrighted code.

      ...and publishing exploits at the code level... well, that is in fact illegal...

      You're saying publishing compiled exploits is OK?

      Despite your poor choice of words, I catch your meaning, you think reverse engineering software and using that knowledge is wrong.

      If this were true we would not have Samba, Wine, freeDOS, NTFS support on non-MS OSes etc. The real question is; does French law protect reverse engineering as free speech? Many countries do, I seem to remember a recent Danish case that turned out in favor of free speech. But of course this should remind us of the DeCSS and the Dmitry Sklyarov/Elcomsoft cases in the U.S.A. Considering there is a European version of the DMCA, maybe this guy's in deep trouble, maybe this will be a major case in France. If so, this guy needs good representation and needs to build a good tight argument.
      --
      There is something wonderful in seeing a wrong-headed majority assailed by truth. ~John Kenneth Galbraith
    4. Re:Well.... Let's be honest here... by logical1010 · · Score: 1

      Yes I see. You're talking specifically about the copyrighted work.

      FWIW, I dug this up,

      [Disassembly of copyrighted object code is a fair use of the copyrighted work if]"disassembly provides the only means of access to those elements of the code not protected by copyright and the copier has a legitimate reason for seeking such access."

      --The Ninth U.S. Circuit Court of Appeals, Accolade vs Sega.

      I think if this guy was being tried in the U.S. he could develop a good case. He's looking to expose weak stenographic methods, not to steal/reveal copyrighted code. I don't think he's stolen anything.

      /obligatory IANAL.
      --
      There is something wonderful in seeing a wrong-headed majority assailed by truth. ~John Kenneth Galbraith
    5. Re:Well.... Let's be honest here... by Shirov · · Score: 0, Troll

      Bottom line: The guy PUBLISHED executable exploits. He didn't just go out on his site and say, "You could do so and so..." He DID go out and distributed a working exploit... Nothing educational about that... He should get the maximum penalty. I cannot think of one case where someone found a bug, reported it to the company, posted about it, and got in trouble...

      --Ryan

  32. blech by Vlion · · Score: 1

    Facetiously, it looks like the US had the right idea when they started calling everything french "freedom". They were just trying to get a point across...

    Hm.
    Well mister, I'd say you should stay in the US for a while and see how things go. Quite possibly you could work on becoming a US citizen. I think we are a little more advanced (not necessarily lots) than France wrt these issues.

    --
    /b
    |f(x)dx = F(b) - F(a)
    /a
  33. Re:And I thought the DMCA was bad ... by Anonymous Coward · · Score: 0

    Yes, resorting to rude, foul language. The true sign of a Frenchman. No doubt smoking a cigarette and speaking while looking down your nose. Smug and stupid is no way to go through life.

  34. I think so by aepervius · · Score: 1

    Lately they were defined as far as I remember as "moral" person (as opposed to the physical one). But better check with a French lawyer since I am too sure.

    --
    C. Sagan : A demon haunted world:
    http://www.amazon.com/gp/product/0345409469/
    visit randi.org
  35. Re:My bank robbing spree by TheSpoom · · Score: 0

    Worst analogy ever. Robbing a bank puts several people in immediate danger and has an instantaneous effect on the economy. You're actually taking something that's not yours. In this circumstance, he had the software in his possession, and could thus do what he wanted with it, depending on whether you believe that click-through licenses have any effect (and if they do, I seem to be owned by about 30 different companies right now).

    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs
  36. Doctors have stopped pointing out melanomas... by Anonymous Coward · · Score: 0, Funny

    ...because the sun might sue.

  37. Re:Terrorist??? Sounds like libel to me. by garcia · · Score: 1

    They consider what he did to be terrorist-like. Unfortunately, these days, we have little to no recourse in the Witch Hunts that have appeared...

    Don't piss off those that pay more money to the "Gods" than you do.

  38. France is Stupid by Omega037 · · Score: 3, Informative

    I know a guy who for his senior thesis worked with a group of people and hacked a company's network. At the end of the semester, they gave the company a 42 page document stating all the problems and exploits the company had.
    He got an A for the class and a job offer from the company. Granted, he already had better offers, but it is a good example of how it should be.

    1. Re:France is Stupid by frs_rbl · · Score: 1

      Unfair booooh! You associate an "informative" body to a "flamebait" subject to get the ensemble moderated "informative"...

      ...hey! this should be "funny"!

      --
      This is not my opinion. Actually, it's not even an opinion. And I'm nowhere to be seen near it
  39. French First Ammendment? by Lord+Ender · · Score: 1

    Does the French constitution contain protection for Freedom of Speech, as the US constitution does? If so, you are probably safe. However, you may have to put up with a legal battle. Also, are there any laws protecting reverse engineering specifically as a form of Free Speech? If you were being tried in the US, it seems likely the EFF would help you with the battle. Is there such an org in France?

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    1. Re:French First Ammendment? by aat · · Score: 4, Informative
      Here is the English translation of the constitution of Fifth Republic, France's current constitution, written in 1958. Last time I looked at it, I couldn't find any free speech clause. (Some of France's earlier constitutions had such clauses though).

      French constitution

      Or maybe the Declaration of the Rights of Man, which does have a free speech clause, and is a principle as mentioned in the Preamble to the French Constitution, has legal binding. I don't know.

      You should also note that France heavily restricted the use (not just the export) of crypto for a long time, (except possibly if you deposited your keys with the government), so I really doubt their commitment to computer freedom per se.

    2. Re:French First Ammendment? by lxdbxr · · Score: 3, Informative
      Article 10 of the European Convention of Human Rights might apply, though (IANAL) I believe the wording is rather weaker than the US version (with my emphasis):

      1. Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers. This article shall not prevent States from requiring the licensing of broadcasting, television or cinema enterprises.

      2. The exercise of these freedoms, since it carries with it duties and responsibilities, may be subject to such formalities, conditions, restrictions or penalties as are prescribed by law and are necessary in a democratic society, in the interests of national security, territorial integrity or public safety, for the prevention of disorder or crime, for the protection of health or morals, for the protection of the reputation or the rights of others, for preventing the disclosure of information received in confidence, or for maintaining the authority and impartiality of the judiciary.

      France is a signatory to the Convention though I have no idea how (or indeed if) it is implemented in French law directly.

      --
      -- Nothing unusual happened today
    3. Re:French First Ammendment? by mehgul · · Score: 1

      Yes the "Declaration Human Rights" is cited in preamble to the constitution, which means, in effect, that it is part of it, or maybe even considered a higher level. The constitution has changed 5 times, however the Declaration of Human Rights is the same as in 1789, and has always been put in preamble of the constitution. Note that the 1789 declaration has not been touched or modified, but rather a new text has been written to complete it in 1946, and both apply.
      Basically, the ideals of the Republic are in the Declaration of Human Rights. The Constitution is just a defining document on how those ideals have to be put in practice, like, what is the role of the president, the parliament, the judiciary, for how long these are elected, and stuff like that.

    4. Re:French First Ammendment? by El+Cabri · · Score: 1

      Protection of free speech is included in the 1789 Declaration of Human Rights, which is itself made part of the preamble of the 1958 constitution.

      However one must understand that the constitution in France has a function that is radically different than it has in the US.

      In France the constitution's role is solely to give a framework for the functioning of political institutions, including the legislative and executive branches of government. It is not meant to directly regulate the functioning of society itself. Such questions are exclusively dealt with by the law.

      The only way to leverage the constitution is to have a bill vetoed by the Constitutional Council after it is voted by the parliament, on the grounds that it is unconstitutional, including that it is contrary to the 1789 preamble. Appeal to the Constitutional Council can only be made by members of the parliament, usually the opposition. (and by members of the cabinet, which is irrelevant in practice since the cabinet is the origin of most of the laws).

      Such vetoes on part of important laws are relatively routine (say once or twice a year), but I cannot recall a specific case of free-speech issue. Constitutional principles that are invoked are usually the fact that the law cannot augment the financial burden of the government, the principle of equality between citizens or the presumption of innocence.

      But there's no way you can use the constitution in courts. Courts only care about the law itself.

      The only thing that one can do to appeal a court order on the basis of "constitutional" principles is to go to European instances.

  40. Viva la Blizkrieg by Anonymous Coward · · Score: 0

    And we thought that WWII rid the world of all the Nazis.. The truth is we let them all out of Germany and then let them migrate to the rest of the world as corporate and government heroes.

  41. Are you kidding? by Anonymous Coward · · Score: 0, Funny

    Libel is a favorite pastime of the French. It's their only weapon of defense.

  42. Oh dear.. by Anonymous Coward · · Score: 0

    First you tell snake-oil salesmen that their product is broken and next you find them calling you names. O tempora o mores, or something.

  43. Please Publish Address of Officials here by randall_burns · · Score: 2, Interesting

    I would like to write a letter in support of you. The people that should be legally hassled here is the software vendor whose fraud you exposed-not you.

    IMHO a pile of letters coming from all parts of the world in your support might send a signal. I also think that Amnesty International should be contacted here. This is even more sleazy than most of the stuff they take on--in this case you appear to be hassled not because of your political opinions, but because French officials are using their offices at the behest of corrupt corporate interests.

  44. Re:Question: by Anonymous Coward · · Score: 0

    Yeah. They call them "Les Freedom Fries".

  45. I wonder... by Anonymous Coward · · Score: 0

    How will the judge look at the terms "fraud" and "deceptive business practices"?

  46. Don't go home... by RaeF · · Score: 1

    Looks like you better not go home for the holidays.

  47. Been done in other respects by Stevyn · · Score: 2, Insightful

    This is like a mechanical engineer publishing tips and tricks on how to break open safes that claim to be "burglar proof." Or Diebold suing someone who figured out how to rig elections. This is like the "wag the dog" scenario where you start a fight with someone to move attention to them and away from your shortcoming.

    1. Re:Been done in other respects by Rick+Zeman · · Score: 1

      This is like a mechanical engineer publishing tips and tricks on how to break open safes that claim to be "burglar proof." Or Diebold suing someone who figured out how to rig elections. This is like the "wag the dog" scenario where you start a fight with someone to move attention to them and away from your shortcoming.

      "Look at the nice wookie over there!"

  48. Good Idea by Anonymous Coward · · Score: 0

    Counter-sue them for fraud either as yourself or as part of a class action lawsuit.

  49. Why is software special? by wbattestilli · · Score: 1

    Can anybody see this happening if Consumer Reports published a study indicating that a dishwasher wasn't as quiet as claimed or a car wasn't as safe as claimed?

    Funny how proving a piece of software isn't as secure as they claimed is somehow special.

    1. Re:Why is software special? by M-2 · · Score: 1

      Can anybody see this happening if Consumer Reports published a study indicating that a dishwasher wasn't as quiet as claimed or a car wasn't as safe as claimed?

      I think they're waiting for something akin to a car being rated as badly as those mini-jeeps back in the early 90s, that they managed to get to tip over in a standard driving scenario test (not even the extreme ones they have), so they can leap on them. Attack someone when they've hit you with the worst criticism, and ignore anything other than the most damning.

    2. Re:Why is software special? by Anonymous Coward · · Score: 0

      quite simply, because a large percentage of the population can't understand software/technology nearly as well as they can understand their dishwasher exploding.

  50. Easy by Anonymous Coward · · Score: 0

    Should you be forced to go to France, just show up with a bunch of Jerry Lewis movies on DVD, and declare that you conquer the country in the name of Guillermito the great. They should surrender without a shot.

    If that doesn't work, just point in the middle of the street, and yell, "Hey, isn't that the German Army approaching!" And then turn and run.

  51. Re:And I thought the DMCA was bad ... by Peden · · Score: 3, Insightful

    What's up with this France bashing? Seriously, is this all because France and Germany (unlike Denmark, where I am from) wouldn't fall for baby-boy Bush's nagging and crying? I did not really get the whole "french toast" and "freedom toast" stuff, what's your (and here I mean Americans) problem with the French?

  52. Surprise surprise by ltjohhed · · Score: 1

    You're talking 'bout the land that banned strong cryptos by law (Who doesn't remember Checkpoint fw-1 french edition).

    And now you're breaking cryptos from the time of the Roman Empire... no wonder they're pissed!

    --
    All generalizations are false
  53. Donations!! by 3terrabyte · · Score: 4, Insightful
    If anyone knows of a way to donate to this guy to pay for his legal bills, and (hopefully not) fines, please post a link.

    --

    Why are there only 19 people folding@home for slashdot?

    1. Re:Donations!! by DeionXxX · · Score: 2, Insightful

      I wonder if he ends up being convicted if we can be accused of aiding a terrorist...

      -- D3X

    2. Re:Donations!! by Anonymous Coward · · Score: 0

      Just paypal the money to: 1337@hotmail.com.

      Uh, I promise that's not my email address.

    3. Re:Donations!! by Anonymous Coward · · Score: 0

      You're just begging for me to post my "I'm unemployed, please pay me cold hard cash" paypal link and claim it's "pay this guy who's obviously going to win his court case AND get paid for damages."

  54. Re:Terrorist??? Sounds like libel to me. by NotAnotherReboot · · Score: 0, Troll

    Yeah...or what about calling him a coward?

    I keep seeing things about him being French...

  55. Two things... by Frennzy · · Score: 1

    There are organizations that can help you (Amnesty International, EFF, etc). Now that that is out of the way...

    I'm still waiting for someone to make the 'AssBerets' joke about the French Government.

  56. tell us what to do! by Anonymous Coward · · Score: 0

    At least tell us what we could do!

    Let us donate some money. Give us an address where we could write letters to...

    Anything.

    Nevertheless I hope you are exaggerating, when you say that this seems to be the general trend.

  57. Copyright infrigement by aepervius · · Score: 3, Informative

    Please note that he has been accused of copyright infringement. He seems to have reverse engineered and copied/used part of the internal code of the programs. Whether we like it or not, DMCA-like laws forbid it except in a few cases (interoperability and maybe for academia). Since he did not publish it for academia, and he did not contact first the company, they can fall on him and he has big probability of being judged guilty.

    The law might be broken in that case (as we all know for DMCA like laws) but nonetheless the company has a case...

    --
    C. Sagan : A demon haunted world:
    http://www.amazon.com/gp/product/0345409469/
    visit randi.org
    1. Re:Copyright infrigement by DR+SoB · · Score: 2

      Sweet:

      1. Create really shitty code.

      2. Claim code is UNHACKABLE and will detect ANY unknown virus

      3. Wait to get hacked (should take about 2 minutes)

      4. Sue hacker(s).

      5. Profit!

      6. Sell your crappy code to microsoft

      7. More profit!!

      (Does this mean we could make a class action suit against SecurityFocus?)

      --
      Mod +5 Drunk
  58. From your website... by Heem · · Score: 1


    and it's so difficult on the other hand to explain the scientific method and the deep curiosity that makes us analyze how software works and find their flaws.

    Good luck, and hopefully you will have your chance. You should be able to use your rational skills as a scientist to prove that what you were doing was just.

    --
    Don't Tread on Me
  59. WE INVENTED IT by TheZax · · Score: 1

    First the company called me a 'terrorist,' than sued me. I've just been indicted last week in Paris. It seems that it's a general trend in France, and maybe in Europe, these days."


    They copied US. We invented FUD and SUE (FAS), and have the current record holder in FAS in SCO. So give credit where credit is due!


    GO USA ;-)


    --

    JWall: GUI client for IPTables
  60. Be sure to tune in next week... by Liselle · · Score: 4, Funny

    ... when the intrepid crime-fighters in the US DOJ sue the EU for patent infringement to protect their monopoly.

    --
    Auto-reply to ACs: "Truly, you have a dizzying intellect."
  61. Time to change hobbies ... by spectasaurus · · Score: 1, Funny

    Maybe try stamp collecting.

  62. This is sad... by Anonymous Coward · · Score: 2, Insightful

    you don't have to be good anymore. You don't even have to look good anymore. All you have to do is sue the pants off of anyone who proves you are not good!

    Anyone who buys this company's products needs their fucking heads examined!

  63. Class-action against the AV company? by twigles · · Score: 0

    Maybe I'm missing something, but hasn't the anti-virus company been deliberately marketing a product based on lies? In the US we call that false advertising, not sure what the French call it. Can the consumers of this software take legal action against the company now since it has been proven to not work as advertised?

    This kind of bullshit makes me want to go to law school and become a judge so I can point at the plaintiff's lawyer trying to confuse me with the technical details I'm not expected to understand and yell, "SHENANIGANS!". Then have officer Barbrady whack the son of a bitch with a broomstick.

  64. maeks yuo think... by Anonymous Coward · · Score: 0
    Ever notice that when there's a Bush in office, gas prices reach new highs?

    I'm so glad we didn't go to war for the oil. Because that sure didn't help the consumer.

    I'm sure that oil refinery fire in Texas won't be used as an excuse to jack up prices another 6 cents.

  65. Re:France == better than America! by MillionthMonkey · · Score: 0, Offtopic

    Billions of barrels of free, high-quality oil and thousands of dead Muslims as a bonus? How can you possibly call that a "waste?" I'd say it was worth every penny.

    The oil infrastructure is a mess and is not producing oil to pay for the invasion as was promised. Saddam Hussein is commonly blamed for this state of affairs, but seriously, if you're going to make a major long-term investment in a country by invading it, you should at least kick the tires first to see if 20 years of sanctions and corruption have affected its ability to produce oil. No due diligence was done on Iraq before the invasion, and as an oil producer it has turned out to be a lemon.

    Your "thousands of dead Muslims as a bonus" comment needs no response- it speaks volumes about you. Figures you would post AC, you pussy.

    The only screw-up Bush made in Iraq was waiting so long to get started.

    I wish he'd waited longer, since it's been costing us one billion dollars per week. Why not just do a targeted assassination, or a snatch, which would have been cheaper? Now we're saddled with rebuilding a country where they drag our dead bodies through the streets.

  66. I'm sorry I spent money there... (OT) by copponex · · Score: 1, Interesting

    I was looking forward to my two week France trip as an escape to a place where people knew how to live life. The country was beautiful. The history and art that are simply everywhere was incredible. I'm by no means jingoistic, however, I came back with these conclusions:

    1. French culture exists mainly to perpetuate itself. I know all cultures do this, but if you aren't a French-speaking Frenchman doing something French in France, they just don't like you.

    2. For a country that derives so much of their income from tourism, they have the worst customer service I have ever experienced.

    3. There aren't any fat people in France because their food consists of vegetables boiled to the consistency of glue and the worst cuts of meat I have ever tasted. Service and food were always better in ethnic restaurants.

    So, it's not so bad here at home. As long as Bush gets kicked out of office, education becomes a priority, lobbyist power is reduced, the Patriot Act and the DMCA are revoked, and we redesign the city plan of every city not in the Northeast, we'll be just fine.

    Ahh, and now my favorite joke. What do you call 100,000 men with their arms raised?

    The French Army.

    1. Re:I'm sorry I spent money there... (OT) by MillionthMonkey · · Score: 1

      I don't believe you. If you had really been to France you would have mentioned the cigarettes. I didn't realize how much progress we've made against smoking until I saw people in France. I was there for a week in September, and twice I almost got hit with flaming butts tossed out of windows onto the sidewalk. And the damn cellphones- it's worse than here! Cigarettes and cellphones appear as props on every cafe table. Part of a well-balanced French breakfast, I guess.

      There are fat people in France. You do have to look around for a bit to find one. The cigarettes and the cellphones might be keeping them from eating.

    2. Re:I'm sorry I spent money there... (OT) by saforrest · · Score: 1

      1. French culture exists mainly to perpetuate itself. I know all cultures do this, but if you aren't a French-speaking Frenchman doing something French in France, they just don't like you.

      The postmodern French art crowd likes Algerians and others from former French colonies right now.

      2. For a country that derives so much of their income from tourism, they have the worst customer service I have ever experienced.

      Were you speaking English?

      I heard many stories of French rudeness, both from fellow North Americans and some by other Europeans. All of these people had spoken exclusively in English. Of course this is a totally reasonable thing to expect to be able to do, given the number of English-speaking tourists in France.

      During the two weeks or so I spent with my girlfriend in France last summer, we spoke all French to people (her spoken French is a lot better than mine, so I let her do most of the talking). I don't remember specifically any instance of rudeness except once on the metro, when someone shoved me roughly aside to get by. However, this only helps my theory because I'd spent the last five minutes standing within earshot of the rude person and talking with my girlfriend in English.

      Frequently, we were asked where we were from, as though the questioners were surprised to hear us speaking French. When we said we were Canadian, we got a clued-in "ahhh" look, and usually friendly service. I suppose this may also be related to anti-American or anti-British sentiment (i.e. they thought we were Americans or Brits, and are glad we were neither), though I don't know how good non-English speakers are at distinguishing English dialects, though the initial friendliness usually preceded the question.

      So, I would guess most of the irrational rudeness is a linguistic thing, not a national/ethnic thing.

    3. Re:I'm sorry I spent money there... (OT) by copponex · · Score: 1

      I speak French well with a heavy (but completely understandable) accent.

      I think it was probably because I do not look French or European. I'm 6'8 and my girlfriend is almost 6' and we don't dress in all black, or in designer anything.

      On one occasion, we went into a little cafe in Avignon. I thought the owner asked what my friend's name was, so I told him and introduced myself. He frowned, grabbed a menu taped to the wall, and threw it on the table and walked away. I politely ordered two coffees, left a huge tip, and thanked him for his hospitality when we left. That wasn't the norm, but he just seemed to do what others wanted to.

      As I said, if we were in an ethnic establishment, the service was hundreds of times better, and they were happy to speak French with me. I don't know. I've heard that Spain is the same way - you're lucky if they don't throw your change at you.

      And, from what I've read and seen in Paris, it doesn't look like immigrants are too popular there.

  67. So Much for France Setting Trends by Cruxus · · Score: 1

    I thought France set the trends! They're just following the U.S.'s lead (i.e., the DMCA) with this foolery! It's sad!

    --
    We live, we code and then we die.
  68. In the interest of fairness by Progman3K · · Score: 2, Insightful

    It should also be a punishable offense for a software maker to NOT close exploit holes in a timely manner.

    I can see the case being made that leaving exploits open is essentially supporting terrorism, or depraved indifference at least.

    --
    I don't know the meaning of the word 'don't' - J
  69. Security Cracker = Heretic = Terrorism. by qualico · · Score: 0

    With the current state of our world's mentality, being called a terrorist is a dangerous thing. You can be arrested and not charged for 2 weeks! (at least this is the case in Europe) The bullshit that is going on right now is like a virus going through the minds of anyone with power. Remember the witch hunts of old? Security Cracker = Heretic = Terrorism.

  70. Fighting back by Animats · · Score: 4, Insightful
    It's going to cost him, but this guy needs to file false-advertising and libel claims in France. France has stricter laws against both than the US does. Then he needs to get a few good articles published in some French papers. Libe, for starters.

    He may be in Le Figaro today. Look for "Quand les createurs de virus se font la guerre" in Le Figaro's archive. You have to pay to read the article, though.

  71. Even though I am not a lawyer, by Morologous · · Score: 5, Insightful

    I would strenuously advise you *NOT* to discuss your legal situation or case with anyone but your lawyer.

    I'm aware you're French, and likely will be prosecuted in France, however, it's generally the case that any public statements you make can and will be used against you in court, thus, I would advise that you seek professional legal counsel and stop publicly discussing your upcoming case. It can (and usually does) limit the variety of strategies that your lawyer can use to defend you.

    1. Re:Even though I am not a lawyer, by happyfrogcow · · Score: 2, Informative

      Sure, but with the laws they've been coming up with lately, once he's arrested he might not be heard from again. I think it was a necessary move to make the situation publicly known. Otherwise, all you see is a blurb on page 12 of the newspaper saying "French Hacker Arrested" and no one thinks anything about it.

      Though, do seek professional counsel.

    2. Re:Even though I am not a lawyer, by violet16 · · Score: 1

      I couldn't agree less. As Guillermito says himself:

      It's so easy to impress judges with heavily connoted words like "virus", "pirate", "terrorist", "hacker", and it's so difficult on the other hand to explain the scientific method and the deep curiosity that makes us analyze how software works and find their flaws... Words, knowledge, and information: the defense I prefer.

      The courts could swallow this guy up: force a settlement and a non-disclosure on him and we'd never hear anything more about it. And this crucial issue -- that it's allegedly illegal to demonstrate security flaws -- would fail to achieve public recognition. Companies would continue to market security products that aren't actually secure, and their customers (including government departments!) would remain at risk.

    3. Re:Even though I am not a lawyer, by shadowbearer · · Score: 1


      I absolutely agree. If nothing else, by making his situation public, that puts pressure on the company in question, and provides for many viewpoints on the situation to be aired where the people prosecuting and defending the case will see them. That is *exactly* how participation in the system works (fuck voting, it's meaningless; it's direct participation thru airing your views publicly that really matters)

      Sure, a fair number of those contacts will be bunk, but many of them will contain useful information for his defense - as the first few comments to this story did.

      SB

      --
      It's old. The more humans I meet, the more I like my cats. At least they are honest.
  72. Off to Guantanamo for you! by Thud457 · · Score: 0, Troll

    Who the hell let you look at the constitution?!!! That's classified!

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

    1. Re:Off to Guantanamo for you! by Mr.+Slippery · · Score: 1
      Who the hell let you look at the constitution?!!! That's classified!

      <overact class="Shatner">That which you called Ee'd Plebnista was not written for chiefs or kings or warriors or the rich and powerful, but for all the people!</overact>

      --
      Tom Swiss | the infamous tms | my blog
      You cannot wash away blood with blood
  73. Questions... by cindy · · Score: 5, Insightful

    I'm sure I'll get burned at the stake for this, but what the heck...

    How many sides of this story do we have? Hmm, just this guy's side. Interesting.

    Did he make any effort to alert the creators of the software before he published the info? Not that I could tell from the linked info. It sounds like he just posted it on his web page and published it in a crackers magazine and let the chips fall where they may. Not exactly responsible activism.

    What exactly *is* the law regarding this in France? Here in the States we have the DMCA. It's a terrible law, but we all know what we're getting into if we break it. That's what civil disobedience is all about, isn't it? I seem to recall that Europe has similar laws on the books.

    I'm sorry, but with the info we've been given this sounds a little like "I did something naughty and I got caught and now I might get PUNISHED! Oh poor me!"

    All kneejerk reactions aside, maybe there's more to this situation than we've been given.

    1. Re:Questions... by lone_marauder · · Score: 2, Insightful
      Did he make any effort to alert the creators of the software before he published the info? Not that I could tell from the linked info.

      That raises an interesting question about responsible/ethical/legal vulnerability reporting practices. Could you imagine how absurd it would be to require similar restrictions upon political speech? :
      • If you find a vulnerability in a candidate, you must privately contact the candidate to discuss remediation terms
      • Only after a remediation period determined by said candidate can you discuss the flaw publicly.
      Even in civil law relating to libel and slander, your only problem is usually whether or not the information is true.
      --
      who are those slashdot people? they swept over like Mongol-Tartars.
    2. Re:Questions... by cindy · · Score: 1

      Could you imagine how absurd it would be to require similar restrictions upon political speech?

      I don't think your comparison is valid.

      This is more of a consumer activism issue than a political speech issue. If you know something is wrong with a product that is advertised as safe, how do you deal with it? Do you go to the company and ask them to fix it? Do you go to the responsible government agency and inform them of the problem? Do you go to the national and international news agencies and ask them to warn people? Or do you go the fringe publications and post your info there so you can show yourself as the L33t Haxor you really are?

      I don't disagree that getting the word out is the right thing to do, I'm just a little puzzled as to the method, motivation, and response.

    3. Re:Questions... by lone_marauder · · Score: 1

      This is more of a consumer activism issue than a political speech issue. If you know something is wrong with a product that is advertised as safe, how do you deal with it? Do you go to the company and ask them to fix it? Do you go to the responsible government agency and inform them of the problem?

      The only problem is that in the case of computer security, "working within the system" bars me from discussing the problem publicly - with people who may be affected by it. My whole point is that the level of secrecy involved in computer vulnerability reporting does not have precedent in other aspects of society or economy. Since the issue at hand is secrecy, this has everything to do with free speech. The media engage in protected speech every day dealing with subjects that have nothing to do with politics. Your having attached the qualifier: "political speech" tends to suggest that free speech is a question of whether the ends justifies the means. You seem to be willing to risk a politician's career in exchange for free speech, but not the embarrassment of a software company. That is neither in keeping with the original intent of the first amendment, nor is it logically consistent.

      I don't disagree that getting the word out is the right thing to do, I'm just a little puzzled as to the method, motivation, and response.

      Agreed. I was sounding off on the philosophy of vulnerability reporting in general.

      --
      who are those slashdot people? they swept over like Mongol-Tartars.
    4. Re:Questions... by greppling · · Score: 2, Informative
      Did he make any effort to alert the creators of the software before he published the info? Not that I could tell from the linked info.

      Well. The "exploits" he published are so trivial that the company certainly knew about them being possible (see my other post here). Any hacker caring about this product would be able to find them. In such a case, I agree that the responsible thing is to educate the public about the flaws.

    5. Re:Questions... by cindy · · Score: 1

      You seem to be willing to risk a politician's career in exchange for free speech, but not the embarrassment of a software company.

      Hold on there, that's not what I said! I have no problem with the message or the results - just the forum and the motivation. (And the whining quality of the cry of injustice.) To use your politician example, there's a big difference between a letter to the editor of the Washington Post and a spam of the usenet. There are a lot of "legitimate" technical forums that this info could have been released to. He chose a "look at me" web site and a cracker magazine.

      Of course, I could just be cynical. :-)

      That is neither in keeping with the original intent of the first amendment, nor is it logically consistent.

      I couldn't agree more.

    6. Re:Questions... by lone_marauder · · Score: 1

      Of course, I could just be cynical. :-)

      No, as regards this guy, I think you're dead on.

      --
      who are those slashdot people? they swept over like Mongol-Tartars.
    7. Re:Questions... by Anonymous Coward · · Score: 0

      Did he make any effort to alert the creators of the software before he published the info?

      Does he have a legal obligation to? Morals have no part in law.

  74. Re:France == better than America! by Anonymous Coward · · Score: 0
    Richard Clarke is telling the truth

    Which time? Before Congress or in his book. I'm afraid they are mutually exclusive.

  75. lots of unanswered questions here by tuxette · · Score: 2, Insightful
    The question: is it possible in France today to publish software flaws, and the practical demonstration of these flaws? I am not yet judged, but I am pessimist about it, and it seems that we are heading towards a negative response. If I am declared guilty, full disclosure is going to be de facto forbidden in my country.

    I'd be surprised if he were not acquitted, but you never know these days. It's very easy to pay off a judge. Anyways, one thing I would like to know is how publishing code in order to expose security flaws, and where the author(s)/owners of the code are referred to, is any different than publishing excerpts from a book in order to expose, say racist sentiment.

    --
    People say I'm crazy, I got diamonds on the soles of my shoes...
  76. Re:Question: by Thud457 · · Score: 1

    Actually, they call them "pommes de terre a'la politicien flattant bassement stupide", Jules.

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  77. In other news... by blueZ3 · · Score: 1, Funny

    French military uniforms and rifles for sale. Uniforms: Reversible (Axis on one side, Allies on the other) Rifles: Never fired, only dropped once.

    --
    Interested in a Flash-based MAME front end? Visit mame.danzbb.com
  78. Re:And I thought the DMCA was bad ... by Anonymous Coward · · Score: 0

    Sign at the border closest to Germany:

    "Welcome to France - We Surrender!"

    As to why - come on, insulting the French is nearly the national pastime!

  79. It's not! by Gwenna · · Score: 1

    Consumers Union (which publishes Consumer Reports) was sued by Suzuki in 1988 when it reported problems with its SUVs. The lawsuit was initially dismissed, but Suzuki appealed and they're back in court.

    --
    More sugar!
  80. Other side? by BillFarber · · Score: 5, Insightful

    The court of Slashdot seems to be siding against the French judicial system, but shouldn't we hear their side of the story first? I'm not saying this guy is lying - just that there are two sides to every story.

    1. Re:Other side? by FroMan · · Score: 0, Offtopic

      BWAHAHAHAHAHAHAH!!

      This is \. where anything American is EVIL! Forget about a fair shake, crucify the American government!

      Actually, I am quite surprised that this even was posted though. Certainly not by michael, but his mini-michael (timothy) actually posted it.

      Truth to tell though, I do not know who to laugh at more with this article as at least \. is being internally consistent here, or you (I don't know who you are) insisting that the French government may actually be right.

      --
      Norris/Palin 2012
      Fact: We deserve leaders who can kick your ass and field dress your carcass.
  81. Well by bigjnsa500 · · Score: 1

    Well prisons are probably better in France anyway, so why don't you just go back?

    --
    This is a test. This is a test of the emergency sig system. This has been only a test.
  82. don't get too pessimistic yet by tuxette · · Score: 1
    He just might be acquitted, and this could be the case that sets the trend for legally publishing these kinds of security flaws.

    They tried and failed with DVD-Jon. Let's hope they fail here as well.

    --
    People say I'm crazy, I got diamonds on the soles of my shoes...
  83. Re:And I thought the DMCA was bad ... by Darby · · Score: 2, Informative

    A lot of the recent France bashing is due to this, but that is hardly the only reason.

    I personally do not like the French in general because both my father and step-father were in the Air Force in Vietnam.

    That should be enough info for some of you out there, but for those who don't know:

    Some Air Force personnel were shot down over North Vietnam and managed to get themselves safely to the French embassy thinking that since we were allies and we were fighting a war they had started in the first place that they would be smuggled back to their unit.

    Instead the French, hoping to get in good for the after war profiteering, turned them over to the North Vietnamese who proceeded to torture and murder them.

    That is one reason people (in general, not just Americans) hate the French.

  84. Re:And I thought the DMCA was bad ... by Deflagro · · Score: 2, Informative

    Propaganda, that's the real enemy. Here in the US, Europe is seen as ignorant loaners who don't want to help anyone take over the world. I'm not a big fan of the french attitude, and I am french (Canadian). I just hate to see people blindly spout vulgarities when most of them probably have never met a real frenchman. In my experience, they're annoying but fun at parties.

    --
    Death is the only way out of here!
  85. Counter sue by Anonymous Coward · · Score: 0

    They clearly broke the law if they ever made a claim like you state, sounds like they've been watching too many American news programs and think legal action is everything, I'm pretty sure that if you stuck to your guns that you didn't want a company deluding their customers with false claims and simply wanted to prove to their customers in a non-destructive way that their solution wasn't everything they claim it to be, as well as then allowing the company to see the error of its ways without resorting to direct legal action....

    But then IANAL... and I'm not a lawyer either ;)

  86. Went too far? by mblase · · Score: 1

    Looks like the problem isn't that the individual identified security flaws in the products, but that he devised and published exploits to take advantage of them.

    The difference is analogous to an auto mechanic explaining why flipping a combination of switches will cause your ancient engine to spontaneously combust, and then actually flipping them to prove it to you.

    1. Re:Went too far? by happyfrogcow · · Score: 1

      Ban mathematical proofs! Ban mathematical proofs! Not only can I say an odd number plus an even number is an odd number, but I can publish the proof demonstrating the fact!

      too far my (_|_)

  87. Hasn't he learned his lesson? by WildBeast · · Score: 2, Insightful

    I remember some articles on Slashdot about something like this happening to hackers like that. Obviously this hacker missed those articles. And now with all the terrorist crap and new laws, it's very easy to put people in prison for anything.

  88. Jail for THE Children!!!!! by Tei · · Score: 1

    Anyone in France know the "New costume of emperor" tale?????

    So, jail for the children that reveal that the Emperor is naked. Cool.

    --

    -Woof woof woof!

  89. Look on the bright side...from another french... by da5idnetlimit.com · · Score: 5, Informative

    1/ Call France 3, TF1 if you can.
    TF1 certainly won't give a damn, but France 3 has a local news agency that is capable of nicely covering your story.

    2/ Attack the company for "Publicite mensongere" (you Grammar Nazis translate for yourselves, the guy is French...), bringing with you the proofs you dug out.

    2bis/ Attack them for "tentative d'intimidation", and another one with Libel (atteinte a l'honneur)
    The Libel one will only bring you 1Eu (the official price for honor)

    3/ Include the Paris Chamber of Commerce, 60 millions de Consommateurs, and probably one or two IT Newspapers (01 Informatique, Le Monde Informatique), write to the Minister of Justice (Sarkozy is out of Interior, and he won't care anyhow)

    60 Millions de Consommateur is very possibly the best first to call, as they are very touchy on such issues, and help people defend their case.

    Just doing the counter attack on "Publicite mensongere" to the responsible organisation will be a frightening step for Tengram...

    Also, publishing your discoveries on CERN and all others security sites (french and internationals) will be a de-facto victory.

    Also, have the court ask for an independent expert to verify your findings... In France, there is a law against punishing people that just said the truth...

    If you really want to be vicious, take a look on their webpage, check all their "reference customers" and have them see your papers and security holes...If one of their customers is a French Governmental Agency, they can be in for a very hard time... Lying to the French Administration, and putting their security under threat for inefficiency can bring them under a lot more problems than you can think.
    So, this is just the top of my head ideas, but I hope it will help you...

    In such cases, the better defense is offense...

    Good luck, courage, and don't let them push you around !!!!

    --
    It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
  90. don't be silly by mblase · · Score: 2, Funny

    Unfortunately, it appears that expertise in French law is lacking here at slashdot.

    You must be new here. On Slashdot, everyone is a legal expert in everything.

  91. publishing vulnerabilities paper by weld · · Score: 3, Informative
    At a recent Yale conference, Digital Cops in a Virtual Environment, Jennifer Granick presented a paper, Computer Crimes and Intermediary Liability: The Case for Protecting Vulnerability Publications on the legality of publishing vulnerability information.

    Vulnerabilities in security products, especially those making outrageous claims, need to be exposed.

    excerpt from NAI ePolicy Orchestrator Format String Vulnerability

    "When deploying new security products within the enterprise, organizations should understand the risks that new security solutions may introduce."

    -weld

  92. Increasing security by rfrenzob · · Score: 4, Funny

    Computer security can be increased by the following methods:

    1) Deny the flaw exists
    2) Sue the person who discovered the flaw under the DMCA or something similar in your locale
    3) Blame "hax0rs" who write tools like diff
    4) "Donate" to campaign funds of elected officials who pass laws that make security research a federal crime

    Not an all inclusive list, but it should be a good start for your security minded company or .com

  93. My only question... by orty78 · · Score: 5, Insightful

    My only question is, aside from application of the DMCA in the U.S., how is this kind of information any different from say, Consumer Reports? Those guys go out of their way to break cars, appliances, and other consumer products.

    1. Re:My only question... by SillyNickName4me · · Score: 3, Informative

      Yeah, and surprise surprise, companies try to sue the publishers of such reports as well.. not that they win often but you can always try.

    2. Re:My only question... by Anonymous Coward · · Score: 1, Informative

      Do you realize that Consumer Reports has been defending itself against a lawsuit for about 10 years now. It is about a small SUV that they rated "Poor" because of its tendency to roll-over. Well sales of that vehicle just died. So the manufacturer sued them.

      Consumer Reports will be *lucky* if they survive the financial costs for the never ending litigation.

      Kill the lawyers first!

    3. Re:My only question... by Anonymous Coward · · Score: 0

      If you're referring to the Suzuki Samurai, they rated it "not acceptable" as in, "we aren't even going to examine this vehicle because we think it is unsafe, and here's proof."

      I wasn't aware they were STILL in litigation!

  94. Do you own a ... by me98411 · · Score: 1

    Do you own a Porsche ? ;)

  95. Typical Judicial Response by retasker2k · · Score: 1

    It appears that even in the EU, some folks are educated beyond their intelligence. The corporate response makes me want to run out and buy their product. You call to tell them it didn't work, they respond "tell and we will sue."

  96. Re:And I thought the DMCA was bad ... by Anonymous Coward · · Score: 0

    Whats up with this France bashing? Seriously, is this all because France and Germany (unlike Denmark, where I am from) wouldn't fall for baby-boy Bush's nagging and crying?
    No.
    I did not really get the whole "french toast" and "freedom toast" stuff
    Most people didn't(including myself)
    whats your (and here I mean Americans) problem with the French?

    The French have a completely different attitude than Americans. I personally do not and never have considered them an ally of the US. They go to GREAT lengths in attempts to reduce US influence/power in all aspects while always claiming the moral high ground. In my opinion, France's number one policy is to be in the position the US is right now at any cost. And if not in the world, at least in the EU. Note that like the US, the French government does not always represent its people.

  97. Re:And I thought the DMCA was bad ... by Anonymous Coward · · Score: 0

    Are you still going on about last year's illegal war? The one that hasn't really made any of us in the west any safer? How come Blair is Bush's poodle for going along with the republicans' plans, but France 'just rolled over' for opposing them?

  98. Re:than vs then by Anonymous Coward · · Score: 0

    Could you repost your comments in perfect French please?

  99. People can uninstall faulty products by Rares+Marian · · Score: 1

    If people know of flaws, then why would they continue to use a product?

    Second, when a product has a vulnerability, it opens the possibility of that computer being used maliciously. Telling the world not to use a certain product is self-defense.

    Now what would be cool is to find a way to watermark code to see that it was used for nefarious purposes making it easy to track the perps.

    --
    The message on the other side of this sig is false.
  100. 99 out of 100 exploiters claim to be researchers by Flentil · · Score: 1

    As it was back in the BBS days so it still is now. I always take anything these researchers say with a grain of salt.

  101. Merlyn by naChoZ · · Score: 1

    Probably ought to have a chat with Merlyn about his case that definitely had some similarities... He might have some worthy insights.

    --
    "I can be self-referential if I want to," said Tom, swiftly.
  102. Living in Boston, indicted in France by tannhaus · · Score: 1

    You better hope that work visa doesn't expire anytime soon :P

  103. Re:France == better than America! by YrWrstNtmr · · Score: 0, Offtopic

    Richard Clarke is telling the truth.

    Which truth?

    [August 2002]
    "So, point five, that process which was initiated in the first week in February, uh, decided in principle, uh in the spring to add to the existing Clinton strategy and to increase CIA resources, for example, for covert action, five-fold, to go after Al Qaeda."

    or

    [60 Minutes, March 2004] "Clarke was the president's chief adviser on terrorism, yet it wasn't until Sept. 11 that he ever got to brief Mr. Bush on the subject. Clarke says that prior to Sept. 11, the administration didn't take the threat seriously."

  104. Re:And I thought the DMCA was bad ... by Anonymous Coward · · Score: 1, Funny

    Yes you are right. National stereotypes are clearly the way forward.

  105. No...In America by FerretFrottage · · Score: 0

    ...terrorists sue you. Some coward cherry bomber blows his head off attempting to kill people and his family sues you for not being the intended victim. I know there are lawyers who would take this case (well they might be too busy with SCO right now, but afterwards)

    --
    "Look Lois, the two symbols of the Republican Party: an elephant, and a fat white guy who is threatened by change."
  106. Re:France == better than America! by MillionthMonkey · · Score: 1

    Which time? Before Congress or in his book. I'm afraid they are mutually exclusive.

    Oh really? Why don't you produce some evidence to support this assertion, and I'll change my sig. What specifically did Clarke say in his book and testimony that was "mutually exclusive"?

    ("Evidence" does not mean links to people simply parroting the same assertion you did without giving specifics. I know you could provide hundreds of links like that.)

  107. May I suggest a lawyer? by exp(pi*sqrt(163)) · · Score: 1

    Jacques Verges seems appropriate for an evil terrorist like this.

    --
    Doesn't it make you feel good to know that our freedoms are protected by politicans, lawyers and journalists.
  108. Re:Look on the bright side...from another french.. by Anonymous Coward · · Score: 2, Funny

    1/ Call France 3, TF1 if you can.

    2/ Attack the company for "Publicite mensongere" (you Grammar Nazis translate for yourselves, the guy is French...), bringing with you the proofs you dug out.

    2bis/ Attack them for "tentative d'intimidation", and another one with Libel (atteinte a l'honneur)

    3/ ???

    4/ Profit!

  109. Finally, justice. by Anthony+Boyd · · Score: 2, Funny

    <cynicism>
    I have no sympathy for terrorists. I'm glad this company is protecting us.
    <cynicism>

    1. Re:Finally, justice. by mecredis · · Score: 1

      And remember, when you forget to close your HTML tags, the terrorists win.

      --
      "Nobody ever went broke underestimating the intelligence of the American Public." - H.L. Mencken
  110. But... by warrax_666 · · Score: 4, Insightful

    I believe Rice's Theorem only applies if your computational model allows for infinite storage (or something equivalent).

    Computers don't have infinite storage, so you could theoretically map out all possible states that a computer could be in and get a proof of termination (or any other property) that way.

    Obviously this isn't practical by any means, but that's no excuse for being imprecise. :)

    --
    HAND.
    1. Re:But... by js7a · · Score: 1
      I believe Rice's Theorem only applies if your computational model allows for infinite storage (or something equivalent).
      On the contrary, both the halting problem and predicting another program's output are undecidable with finite and infinite resources.

      The easiest way to explain it is that you need all the possible inputs to map out all the possible outputs, and with conditional branch loops there are an infinite number of both.

    2. Re:But... by Anonymous Coward · · Score: 0
      all the possible inputs

      There you go... infinite storage. If the program can read infinite input, then that input represents infinite storage (in some sense, since you can just encode all the storage you need into the input). Case closed.
  111. Re:My bank robbing spree by DR+SoB · · Score: 1

    I wonder if they could sue you for pointing out the vault isn't locked during day-time hours?

    --
    Mod +5 Drunk
  112. Re:Look on the bright side...from another french.. by Petronius · · Score: 5, Funny

    My advice:
    - marry an American woman
    - take US citizenship
    - never go back to France

    (or the same thing with a Canadian woman if you like snow).

    --
    there's no place like ~
  113. your rights in cyberspace by N3wsByt3 · · Score: 2, Informative

    Your rights may become even far less, if the EU gets away with its latest round of internet-despotism.

    Soon, scientists and others all over Europe may become sued when exposing flaws or reverse-engineering stuff. I therefore urge everyone to react, and this is how:

    *PLEASE HELP TO WIDESPREAD*

    14-15 April 2004 : Brussels is the Hub to go

    Conferences and LUG in Brussels European Parliament Chaired by Dany Cohn-Bendit MEP

    http://plone.ffii.org/events/2004/bxl04

    http://www.greens-efa.org/agenda

    http://laurence.domainepublic.net

    Most of the legal framework related to new technologies is cooked up in Brussels. To get a foot in the European Parliament's door and show that you care right before the election (its future Members will decide on the patentability of software, on data privacy issues, TPRM, and so on), join an install party within parliament (and bring your favourite MEP with you), attend a panel with e.g. Alan COX, Georg GREVE, Jon Lech JOHANSEN (of decss fame), participate in a guided tour through Brussels (anti-swpats "demo"), meet LUGs and programming rights groups from all over the place, and some chaotic nerds of FFII. A Wiki DSL connection will be available.

    On 14 April evening, there will be a dinner/party at restaurant La Tentation, in the center of Brussels. http://plone.ffii.org/events/2004 (also to book your hotel).

    Entrance is free however to access the building you have to register online before 7 April http://www.greens-efa.org/agenda

    Contact : lvandewalle@europarl.eu.int

    euroG/LUGparty

    Brussels European Parliament room ASP 1G2

    15 April 2004

    The Greens in European parliament invite representatives of GNU/Linux Users Groups of the 25 Member States of the European Union to come to Brussels to

    - enhance the networking among the free software community in Europe (in particular with the New Member states)

    - prepare the second reading on the software patents directive

    - show inside EP what free software is, how it works and what ideas lie behind

    - participate in the FFII conference and demo against software patents on 14 April

    Programme and registration on http://www.greens-efa.org

    lvandewalle@europarl.eu.int

    PROGRAMME

    9.00-11.00 25 G/LUGs for a Free Europe

    Gathering European GNU/Linux Users Groups and associations for the promotion of free software: BxLUG - Belgium, RWO - Plug - Poland, Vrijschrift - The Netherlands, LiLux - Luxemburg, FFS Software - Austria, APRIL - HNS-info.net - France, GUUG - Germany, SSLUG - Sweden & Denmark, LUGOS - Slovenia, Debian - Latvia, AKL - Lithuania, LugRoma - Italy, Greece, Cyprus, Finland, Estonia, ...

    11.00-12.30 Linux Install Party for MEPs with Monica Frassoni, Dany Cohn-Bendit, Hiltrud Breyer, Bart Staes, ... organized by BxLug

    15.00 PANEL I: FAIR USE/COPIE PRIVEE

    Gwen Hinze (Electronic Frontier Foundation), Laurence Lebersorg (Test-Achat Belgium), Jon Lech Johansen (DVD-Jon)

    16.00 PANEL II: FREE/OPEN SOURCE SOFTWARE

    Cristiano Paggetti (Italy): eGovernment, Andrea Glorioso (Italy): Free Content, Herman Bruynickx (Belgium): Free software in education, Jens Muhlhaus (Germany): Public administration: Linux fur Munchen

    17.00 PANEL III: FREE AS IN FREEDOM

    Georg Greve, FSF Europe (Germany) Agenda 1910

    17.30 Alan Cox www.linux.org.uk co-signatory of the letter sent by Linus Torvalds to the President of EP against software patents (UK)

    --
    --- "To pee or not to pee, that is the question." ---
  114. Cue conspiracy theory/tinfoil hat cliches by Catbeller · · Score: 5, Insightful

    I've mentioned it, over and over on various fora since 9/11: anti-terrorist laws were not written to prosecute terrorists.

    All over the world, these travesties are now in place. For "evil to succeed", now all that is required is to redefine "terrorism". And we're well on the way for that: now reverse engineering is "terrorism". A marijuana smoker is a terrorist. Someone who criticizes the American government, like Bill Maher, can be advised to "watch what he says". Eventually EVERY infraction can be redefined as terrorism. The ground's the limit.

    For the life of me, I cannot see the difference between the Red Nightmare so feared for the last century by the Right, and what the Right is building for us now. Besides a lot of wealthy people and the option to own your own property, what is the real difference between the old Soviet empire and the Brave New World being built by our new jailors?

    What we're witnessing is an anti-civil rights movement across the world. The various governments and police/military/spy boys are in the middle of building a new system of law only tangentially related to English common law and the American constitution. They are creating a new world of harsh law unbounded by the rights of man. Although as many have noticed, corporations aren't men, and aren't bound by any of these new paradigms.

    I don't have to even bother finding examples anymore. It's happening every day. Faster and faster, impossible to monitor because it's happening too fast for a single human mind to keep track of it all.

    The "terrorism" war is a crock. They aren't using these spiffy new un-laws to capture bombers and the other usual stereotypes. They're using them against US.

    1. Re:Cue conspiracy theory/tinfoil hat cliches by ahem · · Score: 1

      I, for one, am anxiously awaiting the day when the representatives from an interstellar federation will alight on our planet and tell us that we've got to get our act together. Stop oppressing and killing ourselves. Etc.

      --
      Not A Sig
    2. Re:Cue conspiracy theory/tinfoil hat cliches by Anonymous+Meoward · · Score: 1
      Whew, for a moment I thought the 1st sentence of your 2nd paragraph read:

      All over the world, these transvestites are now in place.

      Of course, you could argue that the original travesties were also false advertising...

      --
      --- The American Way of Life is not a birthright. Hell, it's not even sustainable.
    3. Re:Cue conspiracy theory/tinfoil hat cliches by poot_rootbeer · · Score: 1

      Besides a lot of wealthy people and the option to own your own property, what is the real difference between the old Soviet empire and the Brave New World being built by our new jailors?

      If you honestly can't see the differences, I feel sorry for you.

    4. Re:Cue conspiracy theory/tinfoil hat cliches by ducomputergeek · · Score: 1
      In Bill Maher's case it was, "What you might say may not play well with the audience. At which point, they have the right to boycott your program and create negative press for (IIRC) Disney". Watching what he says basically got him trouble with the consuming public, not the government and Disney made a business decision: He's a loose cannon, drop 'em.

      While Jefferson et al. wrote

      We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness.

      --That to secure these rights, Governments are instituted among Men, deriving their just powers from the consent of the governed,

      Note that the "Governments are instituted among Men, deriving their just powers from the consent of the governed". Aka, Government is made up by people that can decide to give or taketh away freedom so long as the governed agree.

      Nice little thought, isn't it.

      --
      "The problem with socialism is eventually you run out of other people's money" - Thatcher.
    5. Re:Cue conspiracy theory/tinfoil hat cliches by meringuoid · · Score: 1
      If you honestly can't see the differences, I feel sorry for you.

      True - the difference is enormous. In Soviet Russia, the State owned the industries. Here, the industries own the State. But hey, at least we get to vote on exactly who it is that does what the corporations tell them - and occasionally the winner is the person who got the most votes! Isn't freedom great?

      --
      Real Daleks don't climb stairs - they level the building.
  115. Stupid Comment by Anonymous Coward · · Score: 0

    Good to know that we as Americans aren't the only ones with a crappy gov't. Let's revolt!!

  116. Then you're in luck by pHatidic · · Score: 1

    Don't worry, the French don't go after terrorists so you should be perfectly safe.

    /sarcasm

  117. Comment on dit "DMCA" en francais? by OhHellWithIt · · Score: 0, Flamebait

    Tell them your American friends are proud of how like the Americans your government is becoming. If that doesn't get you off, I'll be surprised.

    --
    "Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
  118. Did you give the companies fair notice.... by flea69 · · Score: 0

    Did you notify the companies and give them a chance to fix the holes before you made them public? If not then you're not a terrorist, just a moron.

    and no I don't have time to RTFA...

  119. "laws controlling the use of encryption in France" by da5idnetlimit.com · · Score: 1

    Yes there are such laws, but they are carefully ignored by everyone...

    A bit like the "High Security Encryption Patch" from Microsoft, that gave you 128 bits encryption...

    And it has been released something like 1 week after it had been proven that ANY top 10 National Security agencies with a supercomputer can break it under 2 hours...

    Or the fact that American encryption schemes are forbidden to be exported to a select list of countries.

    Just to be on the point...128 Bits encryption will protect you from 99.9% of would be hackers.

    Anyone with the right tools can hack it... And please remember that some Quantum Computers are on the prototype stage, meaning LARGE governments already have one or two monstrous calculations beasts working and spitting numbers all day long...

    Encode at 2048 bits minimum, and even then they can just knock on your door and get the data from your hdds...

    Security, yeah, right...

    --
    It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
  120. Once again by KalvinB · · Score: 5, Insightful

    stop going through the wrong chain of command with these issues.

    First you take it to the company. And if they won't listen you take it to the authorities and they can decide if the company is defrauding their clients with false promises and whatnot. And if they won't listen you throw your hands up in the air and unless you know a company personally who uses the software you just let it go.

    Making it public information just makes the danger to the companies very real and very much now which in fact punishes them by not giving them time to deal with the issue.

    Unless you have a feasible immediate solution to go with your findings all you're doing is sabotaging a lot of innocent companies who had no way to know and you've just tied their hands behind their backs and made them sitting ducks. Companies cannot just shut down software at a moment's notice.

    And here's a nutty idea, if you're really obsessed with finding holes in a certain company's software seek a job. The obvious problem is that you're a problem person. You find problems and that's it. That doesn't help anybody. And when you then blackmail people with this information by going public if they don't deal with it, no duh you're going to get in trouble.

    If you're sincere about helping the company you find the problems, find the best solutions you can with the information you have and then go to the company and explain the situation and tell them you'd like to help and know how to fix the problems but need access to the source to do so. You then request a job as a programmer and get to work if they hire you. If they don't hire you, you leave them with your findings and move on.

    If you ever, in the process of these discussions, even hint at going public it's called blackmail and you'll rightfully be thrown in jail. Give one copy of your findings to the company and one copy to the proper authorities. That's it.

    By pressing the issue you assume you have some kind of right to tell the company what to do. You also assume that the company isn't working on the issue. And you also assume that the company owes you some kind of update on the status of the issue. Which are all three very wrong assumptions unless you actually work for the company and are in an upper position. By going public you've basically forced the company into a bad position because they didn't act in a time frame you thought was fast enough. You don't have a right to do that. DMCA or not.

    If you don't have a feasible immediate solution to go with the problems you've found going public is just hurting everyone and helping no one.

    If this is something you like to do, you should have gotten a job so that you'd be recognized as a legitimate software security expert that companies can hire for testing their software. But now you've kinda screwed yourself because nobody can trust you to work within the system. Your mouth is too big for the job.

    You've made yourself singularly responsible for anything bad that happens because of your findings. Instead of an "I told you so" you would have earned by going through the proper channels you earned an "it's your fault." Because you assumed anyone could have found and exploited the problem and now they can.

    Let the bad guys go public. If you have no solution and you go public without permission, you are the bad guy. With Open Source you have all the permission in the world to report hacks without posting solutions. Work on Open Source if you can't stand keeping secrets.

    Ben

    1. Re:Once again by nate1138 · · Score: 3, Informative

      stop going through the wrong chain of command with these issues

      What chain of command? If this company isn't paying his salary, he has NO obligation to tell them shit.

      punishes them by not giving them time to deal with the issue.

      And do you argue that companies that make claims like "catches 100% of known and unknown viruses" don't deserve to be punished for blatantly lying to the public?

      all you're doing is sabotaging a lot of innocent companies

      See the above point

      The obvious problem is that you're a problem person. You find problems and that's it. That doesn't help anybody.

      You don't think that finding problems in software that people rely on is helping? Would you prefer that people continue on with the illusion of security where none actually exists?

      If you ever, in the process of these discussions, even hint at going public it's called blackmail

      Now there's the uninformed legal opinion I have come to expect from Slashdot. It's not blackmail unless you ask for money. Going public is pretty much standard practice in the security biz.

      And you also assume that the company owes you some kind of update on the status of the issue. Which are all three very wrong assumptions unless you actually work for the company

      So their customers have no right to status updates on problems with a product that they have purchased?

      Go home and read a book

      --
      Where's my lobbyist? Right here.
    2. Re:Once again by mehgul · · Score: 1

      Yeah sure, all is well, and you've written a long trollish post that has even been modded as insightful. You seem to think it would be interesting to ask for a job at a company which is obviously a bunch of liars, make dubious claims, are amateurs, self-aggrandizing, unpleasant to deal with, retort with stupid accusations of terrorism or whatever stupid might go through their head this week (a bit like SCO, btw). Well, go ahead: contact MS today. Tell them you found a lot of bugs and exploits in their software, and you'd like to help them fix all this bloated thing called Windows. Please let us know how it works out for you.

      If you'd done your research instead of making grand and moralizing comments, you'd obviously have seen that Viguard is not interested in their customers' security, otherwise they would have been honest from day one, and they would have used the 2 years in between the first posts of this guy on the web and today to try and fix the shit they sell. This guy is not even a computer scientist, he's just a guy interested in computers, but works in molecular biology. He tested several versions of the software, he even used known viruses to test it, and saw that it didn't stop the infection, while a much older DOS program (F-Prot) could detect the viral attack.
      What this guy did boils down to saying: "look how the big claims of Viguard are just bullshit. It's so easy to trick the software it's not even funny!"

  121. Re:Look on the bright side...from another french.. by InterruptDescriptorT · · Score: 1, Insightful

    Why would anyone want to take US citizenship? There is no country in the world whose citizens are more hated. We have a crazy government with an unelected president who serves rich people and their companies. More and more, citizens' rights are being taken away with the help of the Supreme Court, which is also controlled by the president and his neo-conservative friends.

    Better to go to Canada, which is a thousand times more sensible than the USA.

    (I apologize for any mistakes... I speak French but it is not my mother tongue. I like to try speaking it from time to time.)

    --
    Karma: Excellent Birds (mostly as a result of listening to Laurie Anderson)
  122. Re:Look on the bright side...from another french.. by Mateito · · Score: 2, Funny

    > marry an American woman

    I thought you were trying to make this guy feel better?

    What's he going to do, change his place of birth to "Freedom"?

  123. Re:Look on the bright side...from another french.. by Anonymous Coward · · Score: 2, Insightful

    Becoming an American citizen won't help you. We have this nasty piece of merde called DMCA that provides for hefty fines. A company that doesn't like you can point to DMCA as a vehicle to charge you under.

    I agree with the previous poster, a good offense is the best defense. Hit them hard in the court of public opinion, and if it is indeed true that you cannot punish someone in France for telling the truth, then by all means, hammer away.

  124. See my Last Post by Greyfox · · Score: 1, Flamebait
    About corporations having no honor.

    For example, an honorable corporation would say, publicly, "Oops! We screwed up! Here's a fix for that exploit and we'll be doing a thorough audit of our code and design process to ensure that our product is as secure as we say it is!"

    A dishonorable corporation (Are these two words used together like this redundant?) would attack the person exposing the flaws in their product as this company has.

    You should challenge their CEO to meet you on the field of honor for a duel to the death.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  125. Re:Look on the bright side...from another french.. by valmont · · Score: 3, Informative

    Well spotted, all of that!

    Is "Arte", channel 5 still around? I'd definitely give these guys a call. While their audience is prolly a small fraction of France 3's, they're usually an educated audience. They like doing documentaries, seek out truth and present things as they are. I couldn't find any direct contact information besides this mailing address:

    ARTE G.E.I.E.
    4, Quai du Chanoine Winterer
    F-67080 Strasbourg Cedex

    I'd do whois arte-tv.com and send an email to the contact info on there, you never know.

    Good luck, old man! Stick a big one up their ass for me, with my thanks ;]

  126. European Court of Human Rights by zoney_ie · · Score: 1

    I believe the right to free speech is guaranteed by the E.U.

    People can bring cases to the European Court of Human Rights - even to allege their own govt. has denied them their rights. It's been quite popular with various people in Northern Ireland.

    --
    -- *~()____) This message will self-destruct in 5 seconds...
  127. just goes to show by Stinking+Pig · · Score: 0

    to be right is an unforgivable sin.
    good luck,

    --
    "Nothing was broken, and it's been fixed." -- Jon Carroll
  128. Re:France == better than America! by Anonymous Coward · · Score: 0
  129. Harvard? I think not. by adamscottphotos · · Score: 0, Troll

    I find it impossible to believe that the author of these documents is employed at either Harvard or Mass. These are incredibly competitive institutions; they would NOT bring onboard someone with that kind of spelling and grammar. Someone want to call the Harvard Bio department and make some inquiries?

    --
    So quit your job, pack your bags, and move on out to snow country!
  130. Re:Terrorist??? Sounds like libel to me. by B3ryllium · · Score: 2, Insightful

    The ironic thing is that if he had told the company before he released the exploit, they could probably have been able to charge him with the French equivalent of Blackmail.

    It kind of brings a whole new meaning to the saying, "you're damned if you do and damned if you don't."

  131. DVD-Jon twice for same crime by RoundSparrow · · Score: 1


    First off, I don't know much about the case and laws in Norway...

    However, I do know in the US you _can_ be tried for a crime more than once. Especially in a case like this where 'time of war' = 'terror' label is slapped on the crime (which the French company did).

    Also - consider that OJ Simpson had two trials: one for criminal, the one for a private lawsuit (IIRC, he was found guilty).

  132. Re:Look on the bright side...from another french.. by Anonymous Coward · · Score: 0

    god damn it stop writing in french! i don't know french! arrgg!!

  133. /usr/lib/php.ini by Anonymous Coward · · Score: 0

    'nuff said...

  134. All the more reason... by MImeKillEr · · Score: 2, Funny

    ..the loser in the next world war has to keep France.

    Hey - maybe we say the French gubmnet is supporting al Qaeda and use this as an excuse to invade and set up a puppet government.

    Wait. Nevermind. I guess we can see it already has one.

    --
    Cruising the internet on my TI-99/4A @ a whopping 300 baud!
  135. Hmm by Kjella · · Score: 1

    ...French post at +5, and no translation? Let me guess (I speak Norwegian, English, German but no French):

    My council (advice):
    - Marry to an American (woman, -in postfix like in German?)
    - Pretend you're a citizen of the US
    - Never return to France again

    Though I have no clue what the last one means, apart from mentioning "with a Canadian". Any better translators than me? :) And why the US? With the DMCA, isn't that going from the frying pan into the fire?

    Kjella

    --
    Live today, because you never know what tomorrow brings
    1. Re:Hmm by sahonen · · Score: 1

      From a rough translation at The Fish, combined with what you said, I'd say it means "Or you can marry a Canadian if you don't mind snow."

      --
      Make me a friend and I'll mod you up
    2. Re:Hmm by vrt3 · · Score: 2, Informative

      My council (advice):
      - Marry to an American (woman, -in postfix like in German?)


      Correct.

      - Pretend you're a citizen of the US

      I think: Get the US nationality.

      - Never return to France again

      Correct

      Though I have no clue what the last one means, apart from mentioning "with a Canadian". Any better translators than me? :) And why the US? With the DMCA, isn't that going from the frying pan into the fire?

      "Or the same thing with a Canadian, if you like the snow."

      --
      This sig under construction. Please check back later.
    3. Re:Hmm by PantsWearer · · Score: 1
      Mon conseil:
      - marrie toi a une americaine
      - prends la citoyennete US
      - ne retourne jamais en France

      (ou la meme chose avec une Canadienne si tu aimes la neige).

      Quick translation (I hope my high school French can handle this): My advice: - Marry an American (yes, it's feminine) - Take US citizenship - Never return to france. (Or the same thing except with a Canadian (again feminine) if you like snow.)

      --
      Be glad life is unfair, otherwise we'd deserve all this.
    4. Re:Hmm by Anonymous Coward · · Score: 0

      Another translation:

      My advice:
      - marry an American girl
      - become a US citizen
      - never return to France

      (or same thing with a Canadian girl if you like snow).

    5. Re:Hmm by Petronius · · Score: 1

      Yes.
      - marry an american woman
      - take the US citizenship
      - never go back to France
      (or same thing with a Canadian if you like snow).

      Why the US? The guy lives in Boston, it might work out for him... he'll just have to watch out for the DMCA and the Patriot Act. Blah.

      --
      there's no place like ~
    6. Re:Hmm by Anonymous Coward · · Score: 0

      If the retard who started writing in French had written in English to begin with, we wouldn't have required 20 comments to translate the bastard comment. :D And yes, I'm pretty certain most readers of Slashdot can understand English.

    7. Re:Hmm by Schemat1c · · Score: 1

      - marry an american woman
      - take the US citizenship
      - never go back to France
      (or same thing with a Canadian if you like snow).


      I thought that on Slashdot all lists like this are supposed to end with the word 'profit'.

      --

      "Nobody knows the age of the human race, but everybody agrees that it is old enough to know better." - Unknown
  136. Stay where you are and VOTE!!! by AltGrendel · · Score: 1
    If you have the right to do so, Vote.

    You can vote the rascals out. Make it as issue oriented if you like. I personally don't care how someone votes, just VOTE!

    --
    The simple truth is that interstellar distances will not fit into the human imagination

    - Douglas Adams

    1. Re:Stay where you are and VOTE!!! by Anonymous Coward · · Score: 0

      I have the right to vote. But thanks to my country's stupid first-past-the-post system, and the fact that I live in a safe seat for the one party I'd never consider voting for, my vote means precisely diddly-squat.

      What's the point of my voting, when there's a better chance of Elvis becoming the next president than of my vote actually affecting anything?

    2. Re:Stay where you are and VOTE!!! by Anonymous Coward · · Score: 0

      There was a nice article in the Guardian complaining that France's government was being prevented from getting things done because the voters kept voting. Unfortunately I can't find it using the website's search feature.

  137. Re:Terrorist??? Sounds like libel to me. by Anonymous Coward · · Score: 0

    Blackmail? Surely you mean Extortion.

  138. Bring Back Fully Informed Juries! by spun · · Score: 3, Informative

    See the American Jury Institute/FIJA page for more info. We need juries that also decide whether the laws are valid, not just whether they were broken. That is the whole reason we have juries and not 'Star Chambers.'

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    1. Re:Bring Back Fully Informed Juries! by Idarubicin · · Score: 1
      We need juries that also decide whether the laws are valid, not just whether they were broken. That is the whole reason we have juries and not 'Star Chambers.'

      Discussion of 'jury nullification' aside, no, this isn't why we have juries. We're supposed to elect representatives to decide if laws are appropriate, with oversight by the judiciary to ensure that the laws are constitutional. Juries are supposed to weigh evidence.

      Question to ponder: We're supposed to choose representatives to design and implement laws. Should we be looking to random groups of twelve to second-guess that?

      --
      ~Idarubicin
    2. Re:Bring Back Fully Informed Juries! by spun · · Score: 1

      Juries are really the final check in the series of checks and balances. What happens when Congress proposes a bad law? Maybe the president will veto it. What happens if he doesn't? Maybe the Judiciary will strike it down as unconstitutional. But what happens if that doesn't happen? What if the law is so bad that you couldn't find 12 people to uphold it if someone were charged with it? That is what juries are supposed to be for.

      Otherwise, why have juries at all, why not just let the judges decide? If all that is at issue is the facts of the case, whether or not the laws were broken, then a judge is arguably more qualified than a jury to decide.

      --
      - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    3. Re:Bring Back Fully Informed Juries! by Anonymous Coward · · Score: 0

      The problem is that under the current status quo, the people that get elected are self-selected, which means that they have an above average lust for power. This translates into special perks and privileges for legislators (past and present, get elected even once and you get a retirement for life, at least in Federal legislative positions). For example, with all the Martha Stewart fuss lately, how many Senators, whose portfolios consistently WAY outperform the general population's, are or have been under investigation by the SEC for "insider trading"? Zero, you say? {/sarcasm} Why that must mean they never do any illegal profiting from insider knowledge!! I mean, they only WRITE the legislation that affects companies' performance!! Of COURSE they would never exchange insider information with other members!!{/sarcasm off}

      The same problem arises with much of law enforcement... who applies to the law enforcement agencies? People who enjoy the power and privileges it brings, with immunity from many things that would get you or I thrown in jail for quite a while.... I am speaking as a person who has never been arrested or in any kind of legal trouble, but I have worked close enough to law enforcement personnel to see the things that happen.. I guess it boils down to the old question: Qui custodiet custodiens?? Who shall guard the guardians??

    4. Re:Bring Back Fully Informed Juries! by Anonymous Coward · · Score: 0
      Question to ponder: We're supposed to choose representatives to design and implement laws. Should we be looking to random groups of twelve to second-guess that?

      In a word: YES!

      Have you taken a look at Congress lately?
      In case you haven't noticed the process is for sale to the highest bidder.

  139. Re:Harvard? I think not. by twistedcubic · · Score: 1

    Are you kidding? Some of the most brilliant people in the world are at these institutions educating young minds in unintelligible English. This is nothing new.

  140. Re:Look on the bright side...from another french.. by Anonymous Coward · · Score: 0, Informative

    The first comment recommended hiding from his accusers instead of fighting them. Specifically hiding in the USA or Canada. The second post agreed, and bemoaned the sad state that France is in these days, and how much nicer of a place to live the USA is.

  141. Translation by SeanDuggan · · Score: 2, Informative

    I haven't spoken French since High School, but I think this is doable:
    My advice:
    - Marry an American girl.
    - Acquire a US citizenship.
    - Never return to France

    Or do the same thing with a Canadian girl if you like snow.

    --
    This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.
    1. Re:Translation by jo42 · · Score: 1


      In Canada you can do it (marry) with a Guy...

    2. Re:Translation by Anonymous Coward · · Score: 0

      True, but the feminine version of American and Canadian were used, I believe.

  142. DMCA? France? by Mistlefoot · · Score: 2, Insightful

    Even if he did break the DMCA, he was charged in France.

    The US is not the World.

  143. damn.. by Anonymous Coward · · Score: 1, Funny

    damn, and i thought france was supposed to be perfect? guess not.

  144. OK by Anonymous Coward · · Score: 0
    stop writing in french! i don't know french! arrgg!

    OK. I'll just say:

    Illegitimi Non Carborundum!

  145. sounds like you need to... by quick9vb · · Score: 1

    ...get a new hobby

  146. Re:France == better than America! by MillionthMonkey · · Score: 1

    I don't see any contradiction here. Is this the best they can come up with?

    [August 2002]"So, point five, that process which was initiated in the first week in February, uh, decided in principle, uh in the spring to add to the existing Clinton strategy and to increase CIA resources, for example, for covert action, five-fold, to go after Al Qaeda."


    While it was decided in February that resources would be increased (by whom? Note passive voice), according to Clarke now, from an operations standpoint nothing was done until September. All that happened between February and September was Powerpointing and meetings to rearrange the war on terror as a formal process, during which time no action was taken on it. Meetings and Powerpoint presentations don't stop terrorists. But when doing spin for the White House, especially the loyalty-obsessed Bush White House, you might want to leave that part out. The omission doesn't make any of the rest of it inconsistent with what he is saying now.

    [60 Minutes, March 2004] "Clarke was the president's chief adviser on terrorism, yet it wasn't until Sept. 11 that he ever got to brief Mr. Bush on the subject. Clarke says that prior to Sept. 11, the administration didn't take the threat seriously."

    Yep.
    Clarke has dared them to release all his testimony. But they won't do it. The White House has the CIA reviewing his testimony, looking for politically useful sound bites to declassify and use against him politically. Makes me wonder if this happens in France. Does the French government use its intelligence agencies for petty domestic political purposes?

  147. it will all come back to haunt them by rabbot · · Score: 1

    If companies and governments punish people for publishing flaws in software, they are just shooting themselves in the foot. Soon these companies will be the last ones to know about a vulnerability...when it's too late.

  148. Jail the Bastards! by serutan · · Score: 1

    One of the guards at the company I work for showed me how a simple strip of metal with a notch in it can be used to penetrate the security system of almost any motor vehicle. Naturally, my first reaction was to notify the Dept of Homeland Security. Hopefully they will visit this terrorist at his home in the middle of the night, and remove him to an undisclosed location where he belongs.

  149. You say tomaito, I say tomahto by spun · · Score: 1

    Alien representatives, Messiah, Godot, whatever. He ain't coming, get over it. Get off your ass and DO SOMETHING if you want to stop oppression and killing.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  150. You are a terrorist if.. by Anonymous Coward · · Score: 0

    IMO, if you publish it without notifying the companies and allow them to have time to fix it and distribute the patch to the customers, then you are a terrorist.

  151. The root of the problem by spood · · Score: 4, Insightful
    This paragraph really hit home:
    There is something very strange when you are in front of the judge who is doing the preliminary investigation: we do not speak the same language. I'm unable to understand law jargon, and the person in front of me does not understand anything about computer security and the internet. The lawyer is supposed to be the translator. But the lawyer in this case cannot speak during my declarations. It's kind of weird. You have to find a good argumentation, try to explain in simple words complex methods, how programs work, try to show that the accusations of the company are basically void.
    Justice is supposed to be blind, but not the judges. I think that is the single biggest problem we face with existing computer crime legislation - neither the legislators nor the judges understand what it is that the law is actually saying.

    BTW, I really enjoyed your steganography articles. It's comforting to realize just how difficult it is to implement stego correctly. It really puts mainstream media hand-waving about terrorist use of steganography into perspective.
    --
    ---- Just another spud server.
    1. Re:The root of the problem by shadowbearer · · Score: 1

      I think that is the single biggest problem we face with existing computer crime legislation - neither the legislators nor the judges understand what it is that the law is actually saying.

      Well, yes, but the real problem is that many of the legislators, judges, and lawyers don't understand the details of what it is they are dealing with... in some senses you can't blame them, it's really only a generation or two since all this started to become real issues; but on the other hand, these people are dealing with legal cases in which they *should* be at least cognizant with the basics (many of them are older and didn't grow up with it, not that "ignorance is an excuse" :); and lots of competing tripe from so-called (and often biased) "expert witnesses" and...god, one could go on for hours; witness the SCO publicity barrage.

      The gripping hand is that it's probably going to take generations for the legislation, law processes and education to catch up. Which really means that there are a lot of innocent people who are going to be in for a world of hurt in the meantime.

      The upside is that those concerned with it now have public/private forums in which to voice their concerns in a much easier way - if open speech on the internet isn't curtailed.

      SB

      --
      It's old. The more humans I meet, the more I like my cats. At least they are honest.
  152. Yes of course by niom · · Score: 3, Funny

    Because we all know this could never have happened in the U.S.

    --
    -- Repeat with me: "There is no right to profits".
  153. No other side by greppling · · Score: 4, Informative
    Unless he is lying extremely grossly (about which we would have gotten to know about it by now), I really cannot see how there can be a "other side" that is worth hearing.

    I read his original analysis (in French) of this antivirus software which, according to him, prompted the charges of "counterfeiting". This article contains a description of the software, a section about "exploits" (you will agree about my question marks in a minute), a section where he demonstrates false positives, a test against a couple of known viruses, a short section about 2 points he liked about the software, then a list of detailed suggestions to improve the product, and finally an epilogue on the response from the company.

    Probably didn't like the first suggestion for improvement "First of all: stop making believe that Viguard can do miracles." (The other suggestions are completely technical.) But let's focus on section 2, containing the 6 "exploits":

    • 2.2 Deactivating Viguard by simulating the mouse-clicks with which a human would deactivate it
    • 2.3 Just use TerminateProcess() (the windows equivalent of kill -9 if I understand correctly)
    • 2.4 Add the md5sum of the trojan to an (unencrypted) whitelist of md5sums maintained by Viguard
    • 2.5 In each directory, Viguard maintains a file "certify.bvd" which lists all known-good executables in this directory, "encrypted" by a XOR with a fixed key. So a virus just has to install itself in a new directory along with the appropriate certify.bvd file.
    • 2.6 "For a good laugh": Rename a virus from .exe to .bat
    • 2.7 Almost the same as 2.5.
    All completely trivial. The only thing that comes close to the counterfeiting charges is that he offered programs for download that decrypt the configuration file and the certify.bvd files (both "encrypted" by XOR with a constant and short byte sequence).
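Added example (not part of the thread, and not Viguard's or the analysis's code): a Python sketch of why a known-good list "encrypted" by XOR with a fixed key, as in items 2.4 and 2.5 above, protects nothing, next to a list authenticated with an HMAC and bound to its directory. The file layout, key bytes, paths and function names are constructed for illustration, and the MAC key is assumed to be a per-machine secret that only the scanner service can read.

```python
import hashlib
import hmac
import json
from itertools import cycle

# Constructed values: file layout, key bytes and paths are invented for this
# illustration and are not Viguard's real format.
FIXED_XOR_KEY = b"\x5a\xc3\x19"   # short constant shipped in every install
MAC_KEY = bytes(range(32))        # assumption: per-machine secret readable only by the scanner service


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key; the same call obfuscates and de-obfuscates."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def serialize(entries: dict) -> bytes:
    return json.dumps(entries, sort_keys=True).encode()


# --- weak design from the comment: list "encrypted" with a constant XOR key ---
def write_xor_list(entries: dict) -> bytes:
    return xor_bytes(serialize(entries), FIXED_XOR_KEY)


def load_xor_list(blob: bytes) -> dict:
    """Trusts whatever de-obfuscates to valid JSON: no integrity check at all."""
    return json.loads(xor_bytes(blob, FIXED_XOR_KEY))


def key_from_known_plaintext(blob: bytes, known: bytes, key_len: int) -> bytes:
    """ciphertext XOR plaintext = key, so one guessable prefix reveals the constant."""
    return xor_bytes(blob[:key_len], known[:key_len])


# --- hardened design: authenticate the list and bind it to its directory ---
def _tag(directory: str, body: bytes, key: bytes) -> bytes:
    msg = directory.lower().encode() + b"\x00" + body
    return hmac.new(key, msg, hashlib.sha256).digest()


def write_signed_list(entries: dict, directory: str, key: bytes = MAC_KEY) -> bytes:
    body = serialize(entries)
    return _tag(directory, body, key) + body


def load_signed_list(blob: bytes, directory: str, key: bytes = MAC_KEY) -> dict:
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, _tag(directory, body, key)):
        raise ValueError("allowlist rejected: missing or invalid MAC")
    return json.loads(body)


def rejected(blob: bytes, directory: str) -> bool:
    """True when the hardened loader refuses the blob for this directory."""
    try:
        load_signed_list(blob, directory)
        return False
    except ValueError:
        return True


def run_checks() -> dict:
    known_good = {"editor.exe": hashlib.sha256(b"constructed editor bytes").hexdigest()}
    altered = dict(known_good, **{"unknown.exe": hashlib.sha256(b"constructed unknown bytes").hexdigest()})
    app_dir, other_dir = r"C:\Apps\Editor", r"C:\Temp\New"

    xor_blob = write_xor_list(known_good)
    # The JSON starts with '{"' followed by a file name visible in the directory,
    # so the plaintext prefix is known to anyone who can list the folder.
    recovered = key_from_known_plaintext(xor_blob, b'{"editor.exe"', len(FIXED_XOR_KEY))
    rewritten = xor_bytes(serialize(altered), recovered)

    signed = write_signed_list(known_good, app_dir)
    return {
        "xor_key_recovered": recovered == FIXED_XOR_KEY,
        "xor_loader_accepts_rewritten_list": "unknown.exe" in load_xor_list(rewritten),
        "signed_list_loads": load_signed_list(signed, app_dir) == known_good,
        "signed_rejects_modified_body": rejected(signed[:32] + serialize(altered), app_dir),
        "signed_rejects_copy_to_other_dir": rejected(signed, other_dir),
        "signed_rejects_xor_style_blob": rejected(rewritten, other_dir),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

The MAC only helps while its key stays out of reach of the code being checked; a key stored in the same world-readable file as the list would bring back the original weakness.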
  154. Re:Look on the bright side...from another french.. by Anonymous Coward · · Score: 0

    Too bad this probably won't be seen and won't be modded informative :)

  155. Start a Donation by esdjco · · Score: 0

    For your legal funds, I suggest you start a legal donation fund.

  156. Same country, similar case (?) : Serge Humpich by christophe · · Score: 5, Interesting

    A few years ago, Serge Humpich discovered a flaw in the French smart-card payment system, and proved that it was possible to get money from an ATM with a false card ; he never earned money with it and just showed journalists he could get money, and gave it back.
    Banks sued him, and won: 10 months jail (deferred), about 4000 euros to pay (amends+banks' lawyers' fee). Technically, he was guilty of "unallowed access to a computer system". Banks have denied that the flaw existed but changed their system ; it didn't prevent many false cards to appear in the following years. Disgusted, Humpich wrote a book ('Le Cerveau Bleu').

    Although similar, I hope it won't finish the same way. Guillermito didn't crack any computer, so the Humpich precedent does not apply. The European version of the DMCA is not yet voted in France (it won't last), and copyright infringement claims are stupid. But America does not have the monopoly of technically illiterate judges, and the influence of good lawyers, as was already shown in his case. The "terrorist" accusation should be enough to sue ("diffamation"). Ironically, cryptography and stenography are supposed to be terrorists' tools!

    I'd say he should contact "60 millions de consommateurs" and "UFC-Que Choisir", two powerful consumer organizations.

    --
    Christophe (Don't hesitate to point out my spelling and grammar mistakes, I want to learn - Thanks).
    1. Re:Same country, similar case (?) : Serge Humpich by Anonymous Coward · · Score: 0

      Yes, same country and very similar case: being sued for exposing flaws. And yes, french justice found nothing better to do than shooting the messenger.

  157. Re:Harvard? I think not. by dr+bacardi · · Score: 2, Funny

    Here, read it in french (his native language) and see if it flows better.

  158. Then sued you by Anonymous Coward · · Score: 0

    It wasn't comparing so it had to be transitioning.

  159. Re:Look on the bright side...from another french.. by nkh · · Score: 1

    Yeah!! French invasion!! Let's kick the americans out of /.!
    and remember that: I fart in your general direction! Your mother was a hamster and your father smelt of elderberries!

  160. Re:Harvard? I think not. by flossie · · Score: 2, Insightful
    These are incredibly competitive institutions; they would NOT bring onboard someone with that kind of spelling and grammar.

    His English spelling and grammar are significantly better than my French spelling and grammar. You did notice that he is French, didn't you?

  161. Why the FUCK by Anonymous Coward · · Score: 0

    would anyone want to do THAT??

  162. Re:DMCA? France? by Timmeh · · Score: 1

    He said "DMCA like law" not "DMCA", and as I recall a number of draconian DMCA-like software laws have been passing throughout the EU, non?

  163. I'm sorry... by Anonymous Coward · · Score: 0

    ...but reverse engineering proprietary code is NOT illegal.

  164. actual text of the indictment? by bani · · Score: 2, Insightful

    is a link to the actual text of the indictment anywhere? without it we won't know exactly what the claims are, and only have his version of the story to go on.

  165. Why do you guys even try to help? by Anonymous Coward · · Score: 0

    I don't understand why the various security types try to help other people be aware of their problems.

    Is it really worth that much trouble?

    At least in the Linux world (for now) you don't have to worry about going to jail or getting sued over discovering a security problem. We rejoice when one is published so we can all hack away at the code to fix it.

    Let windows die its death.

  166. Re:DMCA? France? by Halo1 · · Score: 1

    We have the EUCD (European Union Copyright Directive), but it explicitly allows reverse engineering for the purpose of research.

    --
    Donate free food here
  167. And EAT CHEESE too by Anonymous Coward · · Score: 0

    You forget the fromage-eating part. Really, where are all you Americans who bashed the French over Iraq and boycotted French restaurants even? Still not buying any Dixie Chicks music? Read the Hall of Fame "Strike on Iraq" story and see the irrational fear-mongering that went on there and be ashamed.

    Rather ironic that there was the whole mess about changing "French Fries" to "Freedom Fries", given that US citizens no longer have some of their basic freedoms anymore.

    1. Re:And EAT CHEESE too by VilePSU2 · · Score: 1

      You forget the fromage-eating part. Really, where are all you Americans who bashed the French over Iraq and boycotted French restaurants even? Still not buying any Dixie Chicks music? Read the Hall of Fame "Strike on Iraq" story and see the irrational fear-mongering that went on there and be ashamed. Rather ironic that there was the whole mess about changing "French Fries" to "Freedom Fries", given that US citizens no longer have some of their basic freedoms anymore.

      Kinda like how the French changed the term "e-mail" to "courriel" at about the same time? How about how when the French government convicted cop killers like Mumia Abu-Jamal an honorary citizen of Paris or how about when they refused to extradite convicted murderer Ira Einhorn? Oh oh, how about the time your government gave members of Saddam Hussein's regime passports to enter Europe? These are the same guys who gassed the Kurds. France should be our best friends, right there with the British. But for some reason, the French people take it upon themselves to trash the U.S. any minute you get. Now don't think I'm one of those "the USA saved France" people, I know it was a collective effort from the Allies. However, please don't forget thousands of Americans died defending your country.

  168. Re:Terrorist??? Sounds like libel to me. by adamofgreyskull · · Score: 1

    Technically..the "don't" bit in this story is if he'd kept it entirely to himself.

  169. Reminds me by Venner · · Score: 1
    People tend not to understand what double jeopardy means...

    (Virginia, AP) - A man who wrote a prosecutor a letter boasting about killing a 16-year-old girl--thinking a court ruling prevented him from getting the death penalty--has been convicted of capital murder. A jury recently found Paul Powell, 24, guilty of attempted rape and murder in the 1999 stabbing death of Stacie Reed. Powell had been convicted in 2000, but the Virginia Supreme Court overturned the verdict, ruling he could not be executed because prosecutors lacked evidence that Powell tried to rape or rob the girl. While awaiting trial, Powell wrote to prosecutor Paul Ebert. "Since the Virginia Supreme Court said that I can't be charged with capital murder again, I figured I would tell you the rest of what happened on January 29 1999 to show you how stupid all of y'all are." He described how he tried to rape Reed, then killed her. The letter enabled prosecutors to indict him again on capital murder charges.
    --
    A preposition is a terrible thing to end a sentence with.
  170. Imagine... by Anonymous Coward · · Score: 0

    A Beowulf cluster of that! Come on!

  171. French National Terror Alert Level Raised! by kcurtis · · Score: 0, Flamebait

    In light of the Madrid bombing, France has raised their terror alert level from "Run" to "Hide".

    The Defense Ministry noted that the only two higher levels in France are "Surrender" and "Collaboration"

  172. Re:Look on the bright side...from another french.. by Anonymous Coward · · Score: 1, Informative

    Actually, the second post asked why one would want to take out US citizenship, given how the Supreme Court, with the help of the president and neoconservatives, is taking away civil liberties. He highly recommends Canada instead.

    Note to parent poster: You need to improve your French! (And I live in New Jersey, hardly a bastion of French...)

  173. Re:And I thought the DMCA was bad ... by SnappleMaster · · Score: 1

    The French aren't the only "bad guys". As a Canadian I have some resentment against the US because in recent years several Canuck soldiers have been killed by American "friendly" fire. The US pilots involved were basically just slapped on the wrist.

    War is hell.

    --
    Be happy. Nothing else matters.
  174. Re:Look on the bright side...from another french.. by cocotoni · · Score: 1

    Or as an alternative - join the foreign legion :)

  175. Re:Look on the bright side...from another french.. by focitrixilous+P · · Score: 1

    Literal translation:

    My Advice:
    Marry yourself to an american woman
    Take a US citizenship
    Never go back to France
    (Or the same thing with a canadian woman if you like the snow)

    I know this has been done, but never preserving the original intent of the French!

    --
    SAILING MISHAP
  176. Unless you are a customer by kcdoodle · · Score: 1

    These programs that have a price indicate that Guillermito must have purchased them to find the vulnerabilities. Purchasing gives him the right to force the companies to fix their product because he is a paying client of a company that makes fraudulent claims. This argument may or may not work for the free/shareware products he tested.

    --

    - I live the greatest adventure anyone could possibly desire. - Tosk the Hunted
  177. At Eu level yes by aepervius · · Score: 1

    That is why I said DMCA like law. You are spot on.

    --
    C. Sagan : A demon haunted world:
    http://www.amazon.com/gp/product/0345409469/
    visit randi.org
  178. The DIY Cruise Missile and freedoms by NewtonsLaw · · Score: 4, Interesting

    The NZ government has gone out of their way to try and destroy my life since I publicized the risks associated with home-built cruise missiles.

    I still have my missile (largely due to the fact that a network of friends have stored it safely in such a way that I can honestly say "I have no idea where it is") and had considered taking it on a tour of the country so that people could actually see what I've been talking about.

    My lawyer advises me however, that to do so would almost certainly result in a very severe prison term. After all, they've already broken the law in respect to the actions they've taken against me so they've proven that, as far as they're concerned, the ends justifies the means.

    He's strongly of the opinion that the government is just itching for an excuse to throw me in jail on some trumped-up terrorism charge because I've become such a thorn in their side.

    In this country it's not illegal to build a cruise missile, and it's not even illegal to own one, nor is it illegal to transport one -- but, as a criminal lawyer of long standing he made it quite clear to me that under the new anti-terrorism laws we now live in a police state and that the government can do whatever it wants to who-ever it wants to -- by simply accusing them of terrorist activities.

    In the case of my tour, they'd likely accuse me of moving the missile as the precursor to a terrorist action.

    It wouldn't matter whether they were able to win such a trumped-up case, because here in NZ (as in the USA), people accused of such things seem to spend inordinately long periods of time in jail just waiting for their case to come to court. We have a guy here who's been in prison for 16 months already and, even though our High Court ruled just the other day that the head of our Security Intelligence Service had shown bias against the guy and has had to resign -- the imprisoned "suspect" is still having to wait at least another 6 months for his day in court.

    It makes no difference apparently, that I've always been totally open in my activities and the reasoning behind them, and was planning to have a media contingent on my little tour. I don't recall any *real* terrorists inviting the media along on one of their attacks or offering to share all their information with the government.

    I don't know whether I should be really angry that governments have used the war against terror to give themselves such draconian powers, or if I should feel sad that the public are allowing them to do this without even a whimper.

    I suspect that we will eventually regard these days as a dark period in the world's history -- not because of terrorist activities, but because so many people gave up so many freedoms so easily.

    P.T. Barnum was right I'm afraid :-(

    1. Re:The DIY Cruise Missile and freedoms by Anonymous Coward · · Score: 0

      What you maybe should have done is pack the cruise missile with harmless stuff like hydrogen sulfide (the stuff in stink-bombs) and actually launch it in a busy area... You might have better achieved your goals of showing how easy it is to make DIY Tomahawks.

      Stupid fantasy put aside, the Humpich case and this one just sets a bad example : if you're trying to be helpful you get punished, so it basically just encourages putting such knowledge to malicious use. Seeing what happened to this Humpich guy, if I were to find a flaw in a banking system I certainly wouldn't tell anyone about it, maybe even would put that knowledge to malicious use (since you're guilty anyway...). It's sad.

    2. Re:The DIY Cruise Missile and freedoms by NewtonsLaw · · Score: 1

      It seems that our lords and masters still believe that security by obscurity is a valid model :-(

      The problem is that it's *everyone* who pays the price for the stupidity these people force upon us.

  179. Godel off topic by Anonymous Coward · · Score: 1, Interesting

    It's actually not that hard to detect infinite loops of the parent variety. It's only a nondeterministic finite automaton with two elements. A computer looking at the program would do just what a person would do. It would see that if you followed it you simply oscillated between being virus laden and not virus laden.

    The proof is that the number of states in an infinitely long running program would be infinite. If the number of possible program states is larger than what you can pack into your memory then you cannot determine if there is an infinite loop. Consider for example how a computer program would determine if this were an infinite loop:

    while (rand()) { /* do something */ }

    You need knowledge about the statistics of the rand() function in order to answer this question quickly. Otherwise you would have to just run the program for all the possible rand() seeds before you could answer it.

    Michael

  180. counterfeiting by Chep · · Score: 3, Informative

    The creation of an unauthorised copy of a copyrighted work, in French law, is a form of counterfeiting ("you are creating illegitimate goods"). This just means he's indicted for a copyright violation and an attempt to conceal that he (allegedly) did.

    Tough time for the guy. I hope he did things the right way (ie. that the allegations are proven false or falling within fair use), and has enough juice in the bank to countersue and prevail for his costs.

  181. Does this guy exist? by Sara+Chan · · Score: 1
    According to the guy's web page he is a "researcher in molecular biology in ... the department of genetics of Harvard University". Yet his stated name, "guillermito", doesn't show up in a google search of harvard.edu. So I telephoned the Genetics department (617 432 7666) and they don't know of him.

    Could this all just be made up?

    1. Re:Does this guy exist? by easter1916 · · Score: 1

      Jeez man -- who says "Guillermito" is actually his name? It sounds like a play on "Guillermo" (William in Spanish, I think). It's probably a "nom de guerre".

    2. Re:Does this guy exist? by Sara+Chan · · Score: 0

      You might be right about "nom de guerre". But that doesn't answer the question: does this guy really exist? So far, there has been no evidence posted to verify his identity. How do we know that the whole story isn't a hoax?

  182. Re:France == better than America! by YrWrstNtmr · · Score: 1

    Well..I guess you have a different definition of contradiction than I do.

    "increase resources to go after Al-Qaeda" and "didn't take the threat seriously" sure sound different to me.

  183. Just goes to show you... by Anonymous Coward · · Score: 0

    No good deed goes unpunished.

  184. It's starting already by t_allardyce · · Score: 1

    Terrorist = Witch

    I'm wondering how long before we all get into a full scale witch hunt and how far it will go! It seems realistic that anyone with any computer skills above 'Excel' who doesn't belong to some software company will soon be branded terrorist, anyone who protests _anything_ is sure to join them and if you don't think [insert leader] is a wonderful person you better keep your mouth shut. Who thinks it will go as far as voting? With electronic voting coming in it's going to be easy to tell who voted what, or to just fix votes, and once that happens, the only way to change things will be to rise up against the governments in some way, and that really will get you branded terrorist.

    Just remember, the fight against terror is a catch-all filter.

    --
    This comment does not represent the views or opinions of the user.
  185. Re:Look on the bright side...from another french.. by Anonymous Coward · · Score: 0

    - marry an American woman

    Come on, the indictment is not that serious, they're not threatening to send him to Devil's Island for life, he's probably only risking a 10-year prison sentence. Extreme measures like this are worse than what he's trying to avoid.

  186. Re:Look on the bright side...from another french.. by Red+Alastor · · Score: 1

    He stated that *Canada* is a much better place to live. And I agree.

    --
    Slashdot anagrams to "Sad Sloth"
  187. Try scoping out a bank by KalvinB · · Score: 0

    and publishing how to rob it on the internet. When someone does and fingers you as the guy they got the info on how to rob the bank you've just become the accessory to a felony. He hasn't done anything illegal that wasn't illegal before the DMCA.

    "And do you argue that companies that make claims like "catches 100% of known and unknown viruses" don't deserve to be punished for blatantly lying to the public?"

    You should try reading a post before responding. I stated explicitly a couple of times to give a copy of your findings to the authorities or to sue the company yourself for false advertising. The authorities can then determine whether or not you have a case worth pursuing. This guy made himself prosecutor, jury and judge. And not shockingly he's going to jail for it.

    What this guy did was scope out a bank and then published how to rob it publicly. He was an idiot that made himself an accessory to crime because he couldn't keep his big mouth shut and go through the proper channels to resolve the issue.

    Watch "Sneakers" for how to legally handle security issues if common sense isn't your thing. You get hired by the bank, you get permission from the authorities in case something goes wrong and then rob the bank and then you take the money to the manager and explain to him how to fix the holes. You do not call a press conference at any time, before, during or after the security check unless given express written permission to do so. Doing so makes any problems the bank has your sole legal responsibility.

    It's really going to hurt his case if the company already had experts working internally to resolve the issues.

    Black hats are the people who commit computer crimes. If White Hats are stupid, they make themselves accessories to those crimes. This is what happened to this guy. And now he's screwed. Admitting his crimes on Slashdot isn't going to help his case either. The best he's going to do is a plea bargain.

    "So their customers have no right to status updates on problems with a product that they have purchased?"

    Nope. Microsoft never offers anybody any notice that new patches are available. You have to subscribe to newsletters for any update notices from any company (even Linux) and none of them are legally responsible for such notices. You are not legally obligated to know anything about what's going on with a company unless you work there and even then it's at the manager's discretion what they tell you.

    "Go home and read a book"

    Go home and get a clue.

    Ben

    1. Re:Try scoping out a bank by nate1138 · · Score: 1

      He hasn't done anything illegal that wasn't illegal before the DMCA.

      Ok, this is FRANCE we are talking about here. The DMCA holds no weight there. Pay attention and you might learn something. In addition, the illegality of what he has done is questionable at best.

      Nope. Microsoft never offers anybody any notice that new patches are available

      Um, those newsletters, and windows update ARE notifications. And since when is Microsoft's behavior the standard by which others should be judged?

      What this guy did was scope out a bank and then published how to rob it publicly

      No, he didn't. He published a security flaw in a software product. These are two totally different things.

      You are not legally obligated to know anything about what's going on with a company unless you work there

      I think this sentence highlights a fundamental difference between your way of thinking and mine. You seem to be of the opinion that the law is the end-all-be-all of morality. You are wrong. Certainly, these companies may have no legal requirement to release this information. But that doesn't mean that keeping their customers in the dark is the right thing to do. Would it be OK with you if Ford didn't have to disclose brake problems on their cars? Would it be OK with you if drug manufacturers didn't have to list side effects? You are a tool.

      Since you don't have a leg to stand on here, I'll commence with the ad-hominem argument:

      I love the pre-teen logic you use to decide that this case is so black and white. Did you even read the article? These two companies have been spreading disinformation since day 1. What makes you think that they would be receptive to his discovery? They immediately branded him a "terrorist" and said that he was "hiding in an offshore country". How exactly is he "hiding" at Harvard (a place that is known for harboring "terrorists", you know)?

      I'll bet you had this whole diatribe set out ahead of time for the next Slashdot story about a security researcher being threatened by overzealous companies with shitty products.

      Asshat.

      --
      Where's my lobbyist? Right here.
  188. How long till we see this on 0wn3d websites: by Anonymous Coward · · Score: 0

    Free Guillermito!

  189. You never have a right by KalvinB · · Score: 1

    to force a company to do anything.

    You cannot force Microsoft to make a 100% secure product. They do it from market pressures and their own volition on their own time table. Exposing holes in their software that can lead to crimes makes you an accessory to those crimes if they are committed using information you provided. If MS provides that information and doesn't offer a patch to go with it and that information leads to the committing of a crime, MS is responsible. Well would be if you didn't agree not to hold them responsible by using their products. It would just make them stupid to supply exploit explanations without fixes.

    Linux is under these same rules.

    If a product is insecure the only right you have is to not use it and warn people it's not secure. Posting how to exploit a flaw is not the same as claiming it's insecure and describing the consequences. The latter is legally safe, the former could make you an accessory.

    A black hat who discovers an exploit on their own and commits a crime is solely responsible. Just like a bank robber who scopes out the bank himself and plans the act and carries it out.

    A white hat who discovers an exploit and posts it publicly is the same as a person who goes into a bank, finds all its flaws and then posts the information publicly. Anybody who uses that information to rob the bank and points the finger back at you for telling them how will get themselves a partner in crime.

    Windows and Linux et al don't have exploits on purpose which is why they aren't liable. You willfully expose the exploits for the intent to allow or cause harm. This is why you are responsible if you post them.

    Ben

    1. Re:You never have a right by nate1138 · · Score: 1

      Exposing holes in their software that can lead to crimes makes you an accessory to those crimes if they are committed using information you provided.

      NO IT CAN'T. YOU ARE WRONG! How many times do I have to say it to get it through your fucking head! You are not an accessory to anything. You merely created a tool. That's like saying since Stanley makes screwdrivers, they are liable for robbery. If you are right, then why does SecurityFocus continue to exist? They publish dozens of exploits every day. Nobody has EVER sued them.

      Windows and Linux et al don't have exploits on purpose which is why they aren't liable.

      Wrong again dipshit. They aren't liable because of clauses in their licenses, not because of some intrinsic right of a company to produce shitty products.

      --
      Where's my lobbyist? Right here.
  190. Re:Look on the bright side...from another french.. by Welsh+Dwarf · · Score: 1

    They are, they're not on current affairs, he'd have a lot more chance going to M6, who'd jump on the possibility of telling us just how bad things have become. Then again maybe they've changed, I haven't had a TV for seven years :).

    --
    Ask 8 slackers a question, get 10 awnsers (a citation, but I can't remember from who)
  191. Re:Note to Americans by Anonymous Coward · · Score: 0

    Oh really?

    Where I live, DMCA-like laws have been proposed but denied for being too idiotic.

    Note to Americans:

    All European countries aren't the same. We speak different languages, have different religions, different monetary systems, have different cultural habits, different laws, etc.

    France is known to other Europeans to always think that they are more clever than others, and the rest of the world should follow their lead. Just like many Americans do.

    For example, France had some really stupid cryptography laws for years. This had the impact that Internet providers had to make sure the connections never, ever crossed the French borders, even if that would've been the sane thing.

    French laws caused GSM to have a non-encrypted mode; otherwise it would have been illegal in France.

    (Yes, they've changed those laws.)

    Oh, and have you ever listened to French radio stations? They are required, *by law*, to play some percentage of French music. And some radio stations did get into some *really* deep shit for sending a few percent too little.

    So please don't assume that the rest of Europe works as France, or any other particular country for that matter.

  192. Re:Look on the bright side...from another french.. by fbonnet · · Score: 2, Insightful

    I Television also has a pretty good local coverage, but less audience than France 3. I'd also suggest writing to Le Canard Enchaine, which has a dedicated column for this kind of stories ("Couac").

    I'm not as optimistic as the previous poster, remember what happened to Serge Humpich. This guy found a way to crack the so-called most secure bank card system in the world (french Carte Bleue). He then contacted the system's proprietor (GIE Cartes Bancaires), offering help (not freely, alas for him) to fix the system thanks to his expertise, and as a demonstration bought a handful of metro tickets. He was indicted, temporarily jailed and found guilty of fraud, falsification and unauthorized access to an automated system. During the trial GIE kept on claiming that their system was unbreakable, yet some time later the first "Yes-cards" appeared on the black market and cracking info spread on the Net. Had the GIE taken Humpich seriously, no yes-cards could have been produced and no businesses harmed (usually small ones such as automated video cassette rental).

    Merde pour la suite (frenchmen never wish good luck)

  193. Eternal war -- huh? by AxelBoldt · · Score: 1
    Eternal war against money and knowledge. I've chosen my side a long time ago.

    So I presume you fight for money and knowledge? Who exactly fights against money and knowledge?

  194. Re:France == better than America! by MillionthMonkey · · Score: 1

    Well..I guess you have a different definition of contradiction than I do.
    "increase resources to go after Al-Qaeda" and "didn't take the threat seriously" sure sound different to me.

    As vague cherry-picked sentence fragments, these "sound different" but that doesn't mean anything. It's a far cry from a "contradiction". The 2002 statement refers to a decision made in February 2001. The 2004 statement refers to the failure to implement that decision in the period between February 2001 and September 4, 2001. Do you get it now? Bush can plan a fivefold increase in counterterrorism resources- hell, he can plan a hundredfold increase- and until he implements the increase, it's all talk that does nothing to stop terrorism.

    A government with the luxury of selectively declassifying the classified statements of its political opponents should be able to come up with something better than this.

  195. Re:Look on the bright side...from another french.. by Anonymous Coward · · Score: 0

    There is nothing wrong with conservatives. The problem with the world today is that everyone tries to use liberalism to justify lower morals. Canada is only better because more people speak French there.

  196. shades of J. Edgar Hoover by commodoresloat · · Score: 1
    All over the world, these travesties are now in place.

    *blinks*

    Oh. I thought you said "All the world, these transvestites are now in place."

  197. Re:Look on the bright side...from another french.. by moumine · · Score: 1

    Don't forget 30 millions d'amis!

  198. Re:France == better than America! by YrWrstNtmr · · Score: 1

    The monetary increase was proposed for the budget, approved, and was to be instituted in the new budget year beginning Oct 2001.

    But that's beside the point. This is not the 'government' declassifying and putting forth these statements, but rather Clarke himself.

    Did the Bush administration actively seek to increase the pressure on (and/or eradication of) the Taliban? Or did they not take the threat seriously?
    These are the two conflicting statements coming out of Clarke's mouth (and book). First he says one thing, then quite another.

    Again, I ask..."which truth"?

  199. Re:Look on the bright side...from another french.. by Anonymous Coward · · Score: 0

    And then he apologized for having such crappy French. Which means he should have written in his native tongue in the first place.

  200. Guillermito = Spanska Vx'er by Anonymous Coward · · Score: 0

    Feed Guillermito and Spanska into Google.

    Then feed Spanska and virus into Google.

    Happy 99?

    Hybris?

    Boo hoo, boo hoo.

  201. European court ? by clarkie.mg · · Score: 1

    I suggest that this case be brought to European court of human rights after an appeal.

    This case involves free speech which is a case for a human rights trial.

    --
    Men are born ignorant, not stupid; they are made stupid by education. Bertrand Russell
  202. Liberte, Egalite, Fraternite... by Anonymous Coward · · Score: 0

    From (a translation of) Declaration of the Rights of Man and Citizen, 26 August 1789
    "The free communication of thoughts and opinions is one of the most precious of the rights of man. Every citizen may therefore speak, write, and print freely, if he accepts his own responsibility for any abuse of this liberty in the cases set by the law."

    What ever financial hit these bad software companies (or at least companies with bad software) take is surely outweighed by THE TRUTH and secondly by this guy's right to say what he wants. In a free country. With good, no great cheese.

  203. Re:Look on the bright side...from another french.. by guacamolefoo · · Score: 1

    While you suggest marrying an American and pretending that you are an American and never returning to France, I note that you did not specifically direct that he live in the United States. I interpreted it that way in the original post as an implied "live in the US" but you did not actually include it there.

    In any case, why not some other country? What makes you think that this scenario is any more or less likely in the US? Also, what about extradition? I think that the US would extradite under these circumstances.

    GF.

  204. Re:Look on the bright side...from another french.. by Bun · · Score: 4, Informative

    " The first comment recommended hiding from his accusers instead of fighting them."

    Actually, he recommended going to America, finding an American, (or Canadian - if you like snow) girlfriend, and marrying her for the citizenship so you could live there. It was funny.

    "The second post agreed, and bemoaned the sad state that France is in these days, and how much nicer of a place to live the USA is."

    Nope (or are you trying to be funny?). The second poster asked him why he would want to live in the USA when everyone in the world detests its citizens, when it has a government with a president that caters to rich people and their companies, etc., etc... He then said it was better to go to Canada, which is a thousand times more sensible than the USA. (I'm paraphrasing here, since my French isn't so good these days.)

    --
    "Anyone that has ever gotten an idea based on any of my work and done something better with it-good for you."--J.Carmack
  205. From the article: by DF5JT · · Score: 1

    "Of course I'm going to defend myself, but to be frank, I'm kind of pessimistic."

    GET A LAWYER to defend you, anything else is suicide.

  206. The whole truth? Nothing but the truth? by yankee-doodle · · Score: 1

    I don't know much about this affair, but we only have one side of the story. Don't we? From what I see, "Guillermito" has posted at least 500 articles about this antivirus. Not all nice things about the company, product and the people who work there. Maybe it has something to do with the company's lawsuit? Maybe they didn't just sue you for the vulnerabilities you found (from what I know about French law, this is definitely not enough to make a case work against you). Guillermito, are you really telling us the truth? I mean, the entire truth?

  207. Re:And I thought the DMCA was bad ... by Anonymous Coward · · Score: 0

    it sucks but. friendly fire and being turned over to be tortured / murdered are a little different. once again i know it sucks. friendly fire is shitty but not done out of malice or greed ( i guess this is where they get the friendly part). turning an ally over to a war time enemy for future profit is disturbing at best.

  208. You are an accessory by KalvinB · · Score: 1

    You are in many cases responsible for any harm that results from information you make publicly available.

    This information was posted with the intent to allow or cause harm to the software owner. And that is why he's in deep shit. He didn't have the sense to just let it go.

    If the company is being retarded, that doesn't give you the right to sabotage them and their clients. It's called the legal system. If he actually had a case he could have taken the company to court over it.

    He didn't. He took the law into his own hands and now he's screwed.

    "not because of some intrinsic right of a company to produce shitty products."

    They're not liable for both reasons. The reason companies have to put it in writing is the same reason we have stupid warning labels. Too many lawyers and too many stupid people.

    Ben

    1. Re:You are an accessory by nate1138 · · Score: 1

      You are in many cases responsible for any harm that results from information you make publicly available.

      No, you aren't. Not at all. Researching these kinds of things is perfectly legal. Publishing your results is perfectly legal. As long as what you say is true, it is perfectly legal. If it isn't, it can be called libel, or slander (depending on the medium). There is no case here.

      --
      Where's my lobbyist? Right here.
  209. Sucks to be a citizen. by nurb432 · · Score: 1

    If you are a private citizen doing something that is even remotely shady, expect to be sued by corporations and jailed by your government. Thereby stripping you of most of your rights and freedoms for life.

    If you are a private citizen doing nothing wrong, expect the rules to change to include you in the above group. Again, in order to strip more people of their rights and freedoms.

    If you are a corporation or a government, expect neither.. as you are exempt.

    It's amazing how quickly things are degenerating.. if I was religious I'd say the end was near.. But I'm not, so I'll hold out hope that we the people can stop this carnage on our rights.. before there are none left.

    --
    ---- Booth was a patriot ----
  210. Re:Look on the bright side...from another french.. by Anonymous Coward · · Score: 0

    He could always marry a french canadian ..

  211. First of all... by Anonymous Coward · · Score: 0

    get a lawyer. A team of lawyers.

    Contact organizations that may be interested in your cause and that fight for civil liberties. (EFF?)

    Then, show you are a responsible, God-fearing pillar of society, and what-not. Make sure people say the same about you. Good publicity is a requirement these days.

    Also show that it was just research, and of a casual nature. Everyone has a right to investigate. There was no intent to injure. You were just researching and presenting facts. True facts. (And woe betide any that misrepresents facts.) There was no misrepresentation, no slander. And it wasn't over money. You didn't get money for it. No one was paying you to do it.

    And fight like hell for your right to free speech.

    I wish you well.

  212. DVD Jon by delirious.net · · Score: 1

    Doesn't this smell like DVD Jon? The Norwegian guy who coded "illegal" dvd software.
    He won in court. Destroying his youth by this sword of justice penduling over his head.
    What difference is there between "illegal" dvd software and "illegal" exploits?

    If I would see a car with a faulty part that could result in death to the driver, and suggest a fix for that part, I am a terrorist ?

    Suppose I tell everyone in the world that the car has a faulty part, but I would not tell the manufacturer.

    (After all I am a hobbyist, I don't know how to reach the manufacturer.)

    People knowing the flaw could alert the manufacturer, or obtain a proper working part for their car themselves.

    As a person I would feel the urge to spread my findings. It would too be convenient.

    Even so, would a faulty part in piece of software not be heard of ? It would too be convenient.

    Not Guilty.
    Expenses paid.

    Have a nice day.

    --
    Don't speak about time until you have spoken to him.
  213. I think it was something about hovercraft and eels by siliconbunny · · Score: 1

    according to my phrasebook

  214. Re:Look on the bright side...from another french.. by kubrick · · Score: 2, Informative

    "Arte" ... They like doing documentaries, seek out truth and present things as they are.

    This is the same station that did the documentary about how Stanley Kubrick faked the moon landings for the Americans... screened here on April 1 a couple of years back, and from that link looks like they'll be playing it again very soon. :)

    --
    deus does not exist but if he does
  215. Asylum by donheff · · Score: 1

    We have a special program for people oppressed by repressive regimes - Asylum.

  216. TIME to go underground WORLD HACKERS! by Anonymous Coward · · Score: 0

    the majoritys of you whitehats thought
    you were being bright and intelligent showing
    off your exploits , well thar goes yar brilliance!

    If you would have stuck to your
    irc.2600.org or irc.debian.org and joined
    the elite group you wouldnt be sitting there
    feeling sorry for yourself....

  217. Lol... by da5idnetlimit.com · · Score: 1

    just that 8)
    I hereby grant you a virtual karma point...

    Joining the Legion...

    Any Army, Anywhere, Anytime...They'll beat their asses till they can only speak in Farts !!!

    Recently (some 20 years ago), they modified the entry selection a bit...You can't enter if you are sought for a crime of blood...of course, being somewhat fit will help, but be sure you will lose all fats or die trying...

    I think you have to sign for 10 years minimum. Then you are given a new name, a new (empty) bank account with the Banque De France, and will have to become a Legionnaire.

    It was created under Napoleon (don't hesitate to correct me 8) as a last chance for those that had nothing to lose or where you went when you were very, very badly in need of a new identity.

    With 15 years surviving the Legion (at the time), it was considered as an equal or superior punishment for almost anything you had done...

    As I said, today, they don't accept people with blood on their hands.
    And still considered punishment enough for most of what you may have done...

    Lets say Human Granted Redemption... The Hard Way..

    So do it only as the very, very last resource 8)
    (I really hope it never goes to that point... he didn't do anything that bad...I hope 8)

    --
    It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
  218. Hem...

    You heard of TF6 ? the joint venture tv between TF1 and M6?

    And an 8 o'clock News that is called "l'actu en 5 Minutes" ?

    Arte is (I think) a better way to have some time in the news and/or (mostly or) a nice small 10 minutes of their next public questions...

    Also someone up there added something about "la bite au cul" or something close... Well, that's the spirit ! 8)

    --
    It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
  219. legal systems, insurance by hak1du · · Score: 2, Informative

    It's quite interesting to discover, from the inside, how the french justice system works. I'm back from Paris. I've just been indicted and charged of distributing programs that violated Intellectual Property rights (literally translated, it's "counterfeiting and concealment of counterfeiting"). Maximum punishment for these charges are two years in jail and a fine of 150.000 euros. I'm not yet judged guilty or innocent, but I already had to pay around two or three thousands dollars for two trips to Paris (I live in Boston, MA, USA), plane tickets, and lawyer fees. I already talked about my story here (in french).

    That's the way justice systems work in general: if someone accuses you of a crime and makes what looks like a reasonable case to the police, it ends up costing you money. Welcome to the real world. Life sucks sometimes.

    If it's a civil complaint, in some countries, the people suing you may have to pay your expenses if they lose, but that's also not exactly a blessing--it also means that if you have a complaint against someone else, you may end up paying them a lot of money if you lose--a strong disincentive to enforcing your rights when you have been wronged.

    In Europe, many people have private legal insurance, which will pay for legal fees and lawyers when you get sued; something like that might cover this case. Many people who work professionally in some field also get professional insurance, which also often covers them against lawsuits. So, the short answer is: in order to avoid getting bankrupted by frivolous legal claims, people insure themselves.

    If you have been falsely accused, your accuser may have committed a criminal offense themselves and you may also be able to recover damages in civil court. However, in a case like this, that may be too hard to prove even if it is obvious to you and me.

    If independent researchers cannot analyse security softwares and publish their discoveries, final users will just have marketing press releases from editors to assess the quality of a software. Unfortunately, it seems that we are heading to this kind of world in France and maybe in Europe.

    No, it just means you have to go about exposing their product differently. Publish an article in a respected publication. Then, they'd have to take on the publisher.

    Or file a complaint against them for false advertising. That could be either a complaint to an organization like the Better Business Bureau (or the French equivalent), or a legal complaint.

    It may still be worth filing a counter-complaint at this point. You need to talk to a lawyer about that.

  220. Serge Humpich, forgot that one... by da5idnetlimit.com · · Score: 1

    but then he have GIE Cartes Bancaires (you non french imagine a company that have ALL banks as customer, plus most card security related, and that for most of Europe and the part of the civilized world that have a data chip and a pin code with their cards, as in cell phones, etc...) and his affair escalated to the "high" (dope suspected 8) levels of executives from the financial (read, we got the money, we own you...) world.

    And I think the Humpich case was a gross injustice.

    (detail of the technical flaw, for this is Slashdot, after all : the last 4 or 8 digits of the "I don't remember how long,search for yourself's" code were...0s. Making the Credit Card encryption testing (brute-force) a lot easier.)

    Since then, the problem has been fixed, and almost all the old cards have been renewed, so this technique is no more as usable...

    And he DID use the card, even if it was only for 2$ of metro tickets...which is what lost him in the end...

    Here we have someone that has proof that someone is a liar, and is calling it out loud.
    And a Bully, that might have been smart by trying the Hard Legal Way.

    This one is against a "small one", so I think he stands a good chance if he makes a good case and some fuss...Especially as in France, we don't really have that much "Attorney General" thingy, with pre-trial, auto-guilty for cheap resolutions.

    Also, if you have to, explain very simply what you did, use Powerpoint or OOO a lot and help them understand of what you made, and show the international and national organisations that do just what you do...exposing flaws so they can be corrected, and, if the bad coder doesn't fix, tell the world so people can be aware of the risk they have wrongly feeling safe and having paid for it.

    Also, the part about Publicite Mensongere...
    You are bookmarked. Tell us more as it goes...

    --
    It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
  221. Re: My bank robbing spree by Anonymous Coward · · Score: 0

    Bank robbery is a serious crime because it strikes at people's trust in the financial system.

    This is why the FBI doesn't investigate armed robberies -- that kill and maim more people -- at the 7-11 or the gas station.

    Revealing exploits also strikes at people's trust in "the system." This is why various governments take it so much more seriously than actual crimes like armed robbery and murder, which only victimize private persons.

    "It is dangerous to be right too soon" -- Robert A. Heinlein

  222. May I suggest a +1 Overkill ducks with bazooka mod by da5idnetlimit.com · · Score: 1

    ?
    nuff said.

    --
    It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
  223. Re: Spelling Vichy by da5idnetlimit.com · · Score: 1

    Spelling Vichist, mon fils ? (lol)

    Travail, famille, patrie, et fellation 8)

    --
    It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
  224. Re:Look on the bright side...from another french.. by rixstep · · Score: 1

    What? And not be able to return to the home of the FREEDOM FRIES and the FREEDOM KISS?

    Jamais!

    Seriously: too bad you were so naive. Or did you think these jerks would react better? Because they don't. They're petty people, and petty people rule the world.

    You have our full support here.

  225. Neighborhood watch by luckyleprecon666666 · · Score: 1

    I bet he thought he was "Doing them a favor" by finding these flaws in a French generic anti-virus and other "high security" commercial programs. A hacker sees this as doing them a favor. A company equates this to Neighborhood Watch. Would you want someone jiggling your door handles in the middle of the night, just to tell you that you left your window unlocked? I mean come on they may blow things out of proportion but they did break the "Terms of Service".....

  226. wanna trade tales ? by da5idnetlimit.com · · Score: 1

    you really want me to make a list for the "American Governments Sins" ?

    I dislike 2-3 pages comments, even more on slashdot... so I'll keep it short and quite recent, say around the same events you mention, and without any google help (yeah, I do like bragging 8)

    "Kinda like how the French changed the term "e-mail" to "courriel" at about the same time?"
    So what ? English is mandatory in France now ? we don't have the right to have a word translated in our language ?

    "How about how when the French government convicted cop killers like Mumia Abu-Jamal an honorary citizen of Paris or how about when they refused to extradite convicted murderer Ira Einhorn? "
    South America small political disturbances the last 50 years or so.
    Giving a medal to Sharon.
    CIA/FBI/The Others I don't know about various crimes and hoopsys.
    Financing the Talibans.
    Financing Sadam Hussein.
    Lotsa, lotsa things I never heard about.

    "These are the same guys who gassed the Kurds"
    Yep, the gas formula was french made, and sold for use against Iran. The planes and tanks and pilots training from the US were just a nicety to bring the gas there.

    "France should be our best friends, right there with the British"
    No comment.
    Sorry, found one. LOL.

    "But for some reason, the French people take it upon themselves to trash the U.S. any minute you get. Now don't think I'm one of those "the USA saved France" people, I know it was a collective effort from the Allies. However, please don't forget thousands of Americans died defending your country."
    First part...So what? If the critics hurts, maybe it's because there is a truth somewhere that someone doesn't want to be said...

    Second Part.
    One "Lafayette" helped create yours. Along with some men from France....Or maybe history has changed since I last looked.

    still wanna play ? ...Feel lucky I didn't even google and that I like to keep them posts short...

    --
    It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
    1. Re:wanna trade tales ? by VilePSU2 · · Score: 1

      You're proving my point and you don't even know it.

      "So what ? English is mandatory in France now ? we don't have the right to have a word translated in our language ?"

      Doesn't it seem funny that the term e-mail was used for so long (let's say ~10 years) and then all of a sudden they want to translate it?

      "Yep, the gas formula was french made, and sold for use against Iran. The planes and tanks and pilots training from the US were just a nicety to bring the gas there."

      You missed the point, again. I'm saying the Iraqi regime needed to be removed. I don't care who made the gas or who made the tanks, planes, or pilots.

      "One "Lafayette" helped create yours. Along with some men from France....Or maybe history has changed since I last looked."

      The French aided us in the revolutionary war only because we were fighting the British.

      "Feel lucky I didn't even google and that I like to keep them posts short..."

      I'm sure if France was important, they'd have all sorts of short-comings on google as well.

  227. Re: Spelling Vichy by kfg · · Score: 1

    Yeah, my French sucks.

    I think it has something to do with being so close to Quebec.

    KFG

  228. Congratulations... by algf2004 · · Score: 1
    ...getting sued means that you are on the right track. If they thought your findings weren't important, they wouldn't waste their time and money trying to sue you.

    They're trying to cover up their own mistakes with this lawsuit. Everyone knows that.

    Keep up the good work!

  229. Classics... by Boricle · · Score: 1
    The Emperor Has No Clothes...

    And if you mention it, his controllers will imprison you.

    It's just a shame you can't find some 6 year olds to point it out in this case.

  230. Re:And I thought the DMCA was bad ... by falconfighter · · Score: 1

    OK.... For all you who missed the Freedom/French toast/fries joke... It's an oblique reference to WWII, when anti-Germanism made people change names like "sauerkraut" to "liberty cabbage", or hamburger to "liberty sandwich" because they're words with a German root. It's like the French are the enemy, like the Germans were. Anti-French beliefs. :)

    --
    "Give a man a fire, he's warm for a day, set a man on fire, he's warm for life."
  231. intelligence agencies for petty domestic political by da5idnetlimit.com · · Score: 1

    /cynical
    Well, let me think... //cynical /wise
    doesn't almost everyone ? //wise

    --
    It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
  232. Here's an 'exploit' for you... by Anonymous Coward · · Score: 0

    A friend of mine recently discovered that Clemson University has made all of our student personal information available to the world after a simple Google search. The information can be found directly also. What recourse does a student have when his or her personal information is published like this? And how can we make sure that this will never be done again?

  233. Freedom of speech by bsDaemon · · Score: 1

    "free speech" in the context of the first amendment was intended to mean freedom of political speech, ie, freedom to criticise the government. I am not sure that pointing out exploits in software comes under "free speech," not that i really care because i have little-no interest in the subject. However, I read the constitution and related texts as if they were the bible.
    While quite frankly it would be a rather bullshit instance of legislation (which the federal government does on an almost daily basis (the fact they're really not supposed to do much of anything being rather apparent to anyone who actually reads the founding documents)) notwithstanding, i expect that it would hold up under judicial review for this fact (although i want to know who gave the judicial branch the de juris power of review).
    Not to troll, i'm just saying.

  234. How ironic... by Anonymous Coward · · Score: 0

    Since flaws are all you people talk about to begin with! (If it's on Monty Python it MUST be true!)

  235. Holmes by coyotedata · · Score: 1

    It always used to be the Maid or the Butler but now enter THE HACKER!

  236. Re:France == better than America! by MillionthMonkey · · Score: 1

    The monetary increase was proposed for the budget, approved, and was to be instituted in the new budget year beginning Oct 2001.

    Yes. And do you remember what happened, then, while we were waiting for that new budget year to start in Oct 2001?

    But that's beside the point. This is not the 'government' declassifying and putting forth these statements, but rather Clarke himself.

    Clarke is a private citizen, so he can't declassify anything. And the 'government' is selectively declassifying his testimony, documents, and emails with an intent on catching him in a contradiction. Bill Frist even threatened a perjury charge against Clarke and withdrew it hours later, just to get the words "Clarke" and "perjury" into newspaper headlines together. This is just thuggish behavior. It's an abuse of government power.

    Again, I ask..."which truth"?

    Generally, I was referring to these two charges:
    -That the Bush administration in the first eight months considered terrorism an important issue, but not an urgent issue.
    -That by invading Iraq, the president of the United States has greatly undermined the war on terrorism.

    Thank you for the keen interest in my sig.

  237. MOD PARENT +5 by subtropolis · · Score: 1

    ...drole!

    --
    "Our interests are to see if we can't scale it up to something more exciting," he said.
  238. Re:You have to publish exploits or be ignored by Anonymous Coward · · Score: 0

    It is a sad fact that unless you publish a working proof of concept exploit, the company will ignore you saying it is "only theoretical". And before you say go to the company first, you should know that "responsible disclosure" in stages is quite possibly blackmail (i.e. respond within X days or I go public). The safest way, believe it or not, is to publish the whole thing including the exploit without notifying the company.

  239. Company notification = blackmail charge by Anonymous Coward · · Score: 0

    Then you get charged with blackmail. Sorry, but the most legally safe option (without releasing the information while staying anonymous) is to go public with everything without any notification to the company at all.

    1. Re:Company notification = blackmail charge by Anonymous Coward · · Score: 0

      And be charged with blackmail for threatening to reveal the information unless it is fixed, no thanks. Technically, "responsible disclosure" where companies are notified first is blackmail, even though it is standard practice among many people who find security holes. It is much better to just go public without any prior notification to reduce the chance that you can be convicted of a crime if the company wants to come after you.

  240. Geektopia? by Seraphim_72 · · Score: 1

    "Billy!! Billy!!! Dammit! I TOLD you to never play with that boy. His family are one of *those* kind, you know the ones I have told you about."
    "But daddy, why can't I play with emacs users?"
    "Just you listen to me."
    "Yes daddy." he runs off.
    "A little harsh there, weren't you dear?"
    "What?? Oh sure, do you want him to grow up and marry one of those BSD types?? Do ya?"

    Oh yeah, can't wait for geektopia when all is good and wholesome and we all live off the fat o' the lan.

    --
    Slashdot, where armchair scientists get shouted down and armchair theologians get modded up.
  241. Re:Terrorist??? Sounds like libel to me. by Anonymous Coward · · Score: 0

    That's never an option.

  242. stenography? by linoleo · · Score: 1

    Ironically, cryptography and stenography are supposed to be terrorists' tools!

    In other news, US troops storming a deserted Al Qaeda hideout in the Afghan mountains discovered suspicious notepads full of what an army spokesman described as 'cryptic stenography'. Looking into the matter, the Department of Homeland Security discovered an entire profession devoted to teaching stenography methods in the US. "We had no idea this was going on right under our noses," Tom Ridge declared in a hastily convened press conference. "We'll have these terrorist teachers rounded up and sent to Guantanamo faster than they can write 'uncle'".

    Steganography, people. Big diff.

    --
    Be faithful to your obsessions. Identify them and be faithful to them, let them guide you like a sleepwalker. JG Ballard
  243. Re:You have to publish exploits or be ignored by Shirov · · Score: 1

    What is this need to go public... Send it to the company. Thank them for fixing it and move on...

    Oh wait, we all want to be famous...

  244. -1 Off-topic? by SeanDuggan · · Score: 0

    *blink* -1 Offtopic? Since when is providing a translation off topic? Bleh.

    --
    This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.
  245. solaris by SHEENmaster · · Score: 1

    Ever looked in /etc/ on a Solaris box? I have 72 binaries in mine. So, to answer your question, Sun puts configuration files in with userland binaries.

    --
    You can't judge a book by the way it wears its hair.
  246. -1 Troll by Le+Marteau · · Score: 1

    You, Sir, can bite me. I demand satisfaction! How DARE you cast aspersions on my motives! The quote was appropriate, and I don't need the karma - I'm quite sure I'm well in the 40's, even with the karma suicides I had fun with last week. I will see you in hell, you miscreant, and blight on the earth!

    --
    Mod down people who tell people how to mod in their sigs
    1. Re:-1 Troll by Thing+1 · · Score: 1
      You made me a foe because I agreed with you? That's weird.

      I'm not casting any aspersions; I never said the quote was not appropriate. What I said was whenever I use it, I get +5, so I've learned that it might be fun to seek out the opportunities to use it. That's all.

      I got to 47 when they switched to "fuzzy logic" so I never actually saw a karma cap but I'm pretty sure I'm there now. Unless they changed the rules again.

      I do say some Insightful, Interesting, and sometimes Funny things from time to time; I know I probably won't change your mind but check my history and perhaps reconsider your decision to publicly hate me. You just may find I'm worth beFriending.

      Reviewing your post I think I may have actually hit the nail on the head, as you start it with "ohh ohhh a quotation contest!" -- but even so, I'm not trying to be unfriendly.

      --
      I feel fantastic, and I'm still alive.
    2. Re:-1 Troll by Le+Marteau · · Score: 1

      OK, OK, I stand (er, sit) corrected. I thought you were calling me a karma whore, and seeing as you have set me straight, I've put you on my friends list.

      I was just trying to be comical and overly dramatic (I've always wanted to "demand satisfaction" ;) and no offense was intended.

      --
      Mod down people who tell people how to mod in their sigs
  247. Last effort to save the fool... by da5idnetlimit.com · · Score: 1

    "Doesn't it seem funny that the term e-mail was used for so long (let's say ~10 years) and then all of a sudden they want to translate it?"

    Doesn't it feel funny that French Fries became Freedom fries?
    Also, it was not out of the blue... the term has been in discussion in the French-speaking world, and we finally used... the Canadian usual expression.

    "You missed the point, again. I'm saying the Iraqi regime need to be removed. I don't care who made the gas or who made the tanks, planes, or pilots."

    Where did you imply? I seem to have missed it...
    "These are the same guys who gassed the Kurds",
    So, if I follow your line of thought, when the US gave money to Saddam to help him in the war against Iran, it was a long-term plan to have him suffocate under dollars... yes, interesting...

    "The French aided us in the revolutionary war only because we were fighting the British."
    Yeah! We most certainly had a political motivation... Just like the US started getting interested in WW2 only after the German allies (Japanese) bombed Pearl Harbor, and didn't want to give any sort of aid before that...

    The fact that USSR was doing a nice military comeback in Europe also didn't have any effect on the american intervention decision...

    "Feel lucky I didn't even google and that I like to keep them posts short..."(me)

    "I'm sure if France was important, they'd have all sorts of short-comings on google as well."(you)

    Here are my 2 cents... Go buy a brain upgrade with them.

    You sure need them, seeing such powerful, intelligent and effective arguments as you demonstrated.

    You're not even worth being the first entry in my foes list.

    Yours faithfully...

    Da5id

    --
    It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
  248. +1 Friend by Thing+1 · · Score: 1
    Heh, yeah I got the comical and dramatic part but the Foeing seemed a bit much.

    Btw, I just used that quote in another thread and got (so far) a +1. ;-) (But I see you already saw that as you replied to a child.)

    Yer a Friend now too. Enjoy!

    --
    I feel fantastic, and I'm still alive.
  249. NO, of course not by RMH101 · · Score: 1

    we'd just bitch about him on Slashdot, and how he didn't have any proof if it wasn't up on BugTraq.

  250. Clearly by fw3 · · Score: 1
    You did not go to the same France I did. What time of year did you go?

    You could not possibly have eaten at "La Tour d'Argent", which features the best food and service I've ever seen (the only experience that has come even vaguely close in the US was "Absinthe" in San Francisco). We spoke passable French (my accent is better than my diction) and in Paris we found that once people figured out that English was our native language they would switch to that.

    The only time I ever experienced rudeness was when I made the mistake of summoning a waiter in a bistro by raising my index finger -- very bad form which I knew but managed to lapse. And generally the only bad mark I'd put against service in general over there is that it can be a bit slow -- which I'll take any day over the all-too-usual US choices ... either feeling rushed through every part of a meal, or over-attended to death by waitstaff who seem to think that constant interruptions will get them a better tip.

    --
    Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
    bsds are of course just BSD