Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hacker Indicted In France For Publishing Exploits

Posted by timothy on from the known-and-unknown-is-high-flimflammery dept.

Guillermito writes "Hello. I'm a French scientist living in Boston. I analyse small security softwares under Windows as a hobby, for fun and curiosity. For example, I showed how to easily extract hidden information from a dozen of steganography softwares, often commercial programs claiming a very high security level. I did the same with a french generic anti-virus, showing several security flaws, and that it didn't stop '100% of known and unknown viruses' as claimed. First the company called me a 'terrorist,' than sued me. I've just been indicted last week in Paris. It seems that it's a general trend in France, and maybe in Europe, these days."

9 of 561 comments (clear)

  1. Stops 100% of unknown viruses? by RubiCon · · Score: 5, Informative
    Umm, you can't do that - I think I first saw the relevant paradox in Ralf Burger's book on viruses and it goes something like this: Say you've got some blackbox routine called is_a_virus() that does just what these guys claim; all you do is build it into a virus like so:
    if ( is_a_virus(me) ) { do_nothing() } else { replicate() }
    So, if you're a virus, you're not a virus - but if you're not, you are. Reductio ad absurdum, anyone?
    1. Re:Stops 100% of unknown viruses? by HeghmoH · · Score: 5, Informative

      This is nicely covered by Rice's Theorem. In short, Rice's Theorem says that it's impossible to write a program to determine with 100% accuracy any property of another program's behavior or output.

      Rice's Theorem is basically a generalized version of Turing's proof that the halting problem can't be solved, and it uses exactly the argument you outline.

      --
      Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
  2. contact the eff by gmr2048 · · Score: 5, Informative

    dunno if they can help with french courts, but it's prolly worth it to at least bring it to thier attention:

    www.eff.org

    -gary

  3. Re:Who was it that said... by MarkusH · · Score: 5, Informative

    That would be Voltaire.

    Another good quote: "There are some acts of justice which corrupt those who perform them." - Joubert

  4. Re:French First Ammendment? by aat · · Score: 4, Informative
    Here is the English translation of the constitution of Fifth Republic, France's current constitution, written in 1958. Last time I looked at it, I couldn't find any free speech clause. (Some of France's earlier constitutions had such clauses though).

    French constitution

    Or maybe the Declaration of the Rights of Man, which does have a free speech clause, and is a principle as mentioned in the Preamble to the French Constitution, has legal binding. I don't know.

    You should also note that France heavily restricted the use (not just the export) of crypto for a long time, (except possibly if you deposited your keys with the government), so I really doubt their commitment to computer freedom per se.

  5. Re:Enshrined protection of whatever by bugnuts · · Score: 4, Informative

    Free speech on security vulnerabilities is protected, you just can't be distributing code to bypass copy protection.

    It's not just copy protection, but encryption schemes, which you can easily claim steganography is, since it shares many qualities. Remember that Adobe used the DMCA to prosecute someone for "breaking" their ROT13 encryption. And IIRC, 2600 lost their appeal for publishing links.

    This law is being cited to enable all sorts of abuses by corporations that have roomfuls of attorneys, and has been used to leverage threats to a researcher from disclosing weaknesses at a convention. It was initially cited to threaten the guy that disclosed the "shift-key" exploit on CD protection. No sane researcher would rule it out in the USA -- you still would have to answer to it being abused.

  6. Look on the bright side...from another french... by da5idnetlimit.com · · Score: 5, Informative

    1/ Call France 3, TF1 if you can.
    TF1 certainly won't give a damn, but France 3 has a local news agency that is capable of nicely covering your story.

    2/ Attack the company for "Publicite mensongere" (you Grammar Nazis translate for yourselfs, the guy is french...), bringing with you the proofs you digged out.

    2bis/ Attack them for "tentative d'intimidation", and another one with Libel (atteinte a l'honneur)
    The Libel one will only bring you 1Eu (the official price for honor)

    3/ Include the Paris Chamber of Commerce, 60 millions de Consommateurs, and probably one or two IT Newspapers (01 Informatique, Le Monde Informatique), write to the Minister of Justice (Sarkozi is out of Interior, and he won't care anyhow)

    60 Millions de Consommateur is very possibly the best first to call, as they are very touchy on such issues, and help people defend their case.

    Just doing the counter attack on "Publicite mensongere" to the responsible organisation will be a frightening step for Tengram...

    Also, publishing your discoveries on CERN and all others security sites (french and internationals) will be a de-facto victory.

    Also, have the court ask for an independent expert to verify your findings... In France, there is a law against punishing people that just said the truth...

    If you really want to be vicious, take a look on their webpage, check all their "reference customers" and have them see your papers and security holes...If one of their customers is a French Governemental Agency, they can be in for a very hard time... Lying to the French Administration, and putting their security under threat for innefiency can bring them under a lot more problems than you can think.
    So, this is just the top of my head ideas, but I hope it will help you...

    In such cases, the better defense is offense...

    Bonne Chance, Courage, et ne te laisses pas faire !!!!

    --
    It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
  7. No other side by greppling · · Score: 4, Informative
    Unless he is lying extremely grossly (about which we would have gotten to know about it by now), I really cannot see how there can be a "other side" that is worth hearing.

    I read his originial analysis (in french) of this antivirus software which, according to him, prompted the charges of "counterfeiting". This article contains a description of the software, a section about "exploits" (you will agree about my question marks in a minute), a section where he demonstrates false positives, a test against a couple of known viruses, a short section about 2 points he liked about the software, then a list of detailed suggestions to improve the product, and finally an epilogue on the response from the company.

    Probably didn't like the first suggestion for improvement "First of all: stop making believe that Viguard can do miracles." (The other suggestions are completely technical.) But let's focus on section 2, containing the 6 "exploits":

    • 2.2 Deactivating Viguard by simulating the mouse-clicks with which a human would deactivate it
    • 2.3 Just use TerminateProcess() (the windows equivalent of kill -9 if I understand correctly)
    • 2.4 Add the md5sum of the trojan to an (unencrypted) whitelist of md5sums maintained by Viguard
    • 2.5 In each directory, Viguard maintains a file "certify.bvd" which lists all known-good executables in this directory, "encrypted" by a XOR with a fixed key. So a virus just has to install itself in a new directory along with the appropriate certify.bvd file.
    • 2.6 "For a good laugh": Rename a virus from .exe to .bat
    • 2.7 Almost the same as 2.5.
    All completely trivial. The only thing that comes close to the counterfeiting charges is that he offered programs for download that decrypt the configuration file and the certify.bvd files (both "encrypted" by XOR with a constant and short byte sequence).
  8. Re:Look on the bright side...from another french.. by Bun · · Score: 4, Informative

    " The first comment recommended hiding from his accusers instead of fighting them."

    Actually, he recommended going to America, finding an American, (or Canadian - if you like snow) girlfriend, and marrying her for the citizenship so you could live there. It was funny.

    "The second post agreed, and bemoaned the sad state that France is in these days, and how much nicer of a place to live the USA is."

    Nope (or are you trying to be funny?). The second poster asked him why he would want to live in the USA when everyone in the world detests its citizens, when it has a government with a president that caters to rich people and their companies, etc., etc... He then said it was better to go to Canada, which is a thousand times more sensible than the USA. (I'm paraphrasing here, since my French isn't so good these days.)

    --
    "Anyone that has ever gotten an idea based on any of my work and done something better with it-good for you."--J.Carmack