Hacker Indicted In France For Publishing Exploits

Guillermito writes "Hello. I'm a French scientist living in Boston. I analyse small security softwares under Windows as a hobby, for fun and curiosity. For example, I showed how to easily extract hidden information from a dozen of steganography softwares, often commercial programs claiming a very high security level. I did the same with a french generic anti-virus, showing several security flaws, and that it didn't stop '100% of known and unknown viruses' as claimed. First the company called me a 'terrorist,' than sued me. I've just been indicted last week in Paris. It seems that it's a general trend in France, and maybe in Europe, these days."

Stops 100% of unknown viruses?

[RubiCon]

Umm, you can't do that - I think I first saw the relevant paradox in Ralf Burger's book on viruses and it goes something like this: Say you've got some blackbox routine called is_a_virus() that does just what these guys claim; all you do is build it into a virus like so:

if ( is_a_virus(me) ) { do_nothing() } else { replicate() }

So, if you're a virus, you're not a virus - but if you're not, you are. Reductio ad absurdum, anyone?

Re:Stops 100% of unknown viruses?

[HeghmoH]

This is nicely covered by Rice's Theorem. In short, Rice's Theorem says that it's impossible to write a program to determine with 100% accuracy any property of another program's behavior or output.

Rice's Theorem is basically a generalized version of Turing's proof that the halting problem can't be solved, and it uses exactly the argument you outline.

contact the eff

[gmr2048]

dunno if they can help with french courts, but it's prolly worth it to at least bring it to thier attention:

www.eff.org

-gary

Re:Who was it that said...

[MarkusH]

That would be Voltaire.

Another good quote: "There are some acts of justice which corrupt those who perform them." - Joubert

Look on the bright side...from another french...

[da5idnetlimit.com]

1/ Call France 3, TF1 if you can.
TF1 certainly won't give a damn, but France 3 has a local news agency that is capable of nicely covering your story.

2/ Attack the company for "Publicite mensongere" (you Grammar Nazis translate for yourselfs, the guy is french...), bringing with you the proofs you digged out.

2bis/ Attack them for "tentative d'intimidation", and another one with Libel (atteinte a l'honneur)
The Libel one will only bring you 1Eu (the official price for honor)

3/ Include the Paris Chamber of Commerce, 60 millions de Consommateurs, and probably one or two IT Newspapers (01 Informatique, Le Monde Informatique), write to the Minister of Justice (Sarkozi is out of Interior, and he won't care anyhow)

60 Millions de Consommateur is very possibly the best first to call, as they are very touchy on such issues, and help people defend their case.

Just doing the counter attack on "Publicite mensongere" to the responsible organisation will be a frightening step for Tengram...

Also, publishing your discoveries on CERN and all others security sites (french and internationals) will be a de-facto victory.

Also, have the court ask for an independent expert to verify your findings... In France, there is a law against punishing people that just said the truth...

If you really want to be vicious, take a look on their webpage, check all their "reference customers" and have them see your papers and security holes...If one of their customers is a French Governemental Agency, they can be in for a very hard time... Lying to the French Administration, and putting their security under threat for innefiency can bring them under a lot more problems than you can think.
So, this is just the top of my head ideas, but I hope it will help you...

In such cases, the better defense is offense...

Bonne Chance, Courage, et ne te laisses pas faire !!!!