Hacker Indicted In France For Publishing Exploits
Guillermito writes "Hello. I'm a French scientist living in Boston. I analyse small security software under Windows as a hobby, for fun and curiosity. For example, I showed how to easily extract hidden information from a dozen steganography programs, often commercial programs claiming a very high security level. I did the same with a French generic anti-virus, showing several security flaws, and that it didn't stop '100% of known and unknown viruses' as claimed. First the company called me a 'terrorist,' then sued me. I've just been indicted last week in Paris. It seems that it's a general trend in France, and maybe in Europe, these days."
I'll admit right away that I'm not familiar with France's free speech laws.
But from a common sense point of view, I really don't see how telling the truth about weak software can be illegal. It may lead to damage to a company, but that damage was caused by the security holes, not someone exposing them (hidden defects are a ticking timebomb anyway.)
From the common sense view point, it also seems right to inform the company first, before telling everybody. But telling the truth should not be illegal.
Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
SURRENDER to the authorities.
Seriously, though, this sucks ass.
However, I'm quite sure that you're a terrorist, because we all know that terrorists publish the exploits they find. Why, back in June of 2001, I saw an article about how to smuggle knives onto airplanes. I also remember seeing an article shortly after that about putting plastic explosive in your shoes (i.e. Richard Reid). Come on, folks, people who find and PUBLISH weaknesses in software are not the problem.
-paul
Pistol caliber is like religion: everyone has their favourite, and theirs is the only right choice.
"It's dangerous to be right when the government is wrong".
This is a case in point. The author may be in the right, but we are living in hysterical times, and woe unto the man who walks in front of the governmental steam roller with a team of jackasses and corrupt, ignorant politicians at the wheel.
Mod down people who tell people how to mod in their sigs
I realized France had joined the 'stupid lawsuit that wins anyway' club with the whole Mobilix/Obelix thing...
Hacker Public Radio is our Friend
Don't mess with Proprietary Software(tm). They'll whack ya every time. They don't take kindly to any reverse engineering, hacking or peeking under the hood. They don't want people knowing that their products are usually worthless.
- - - If the sun is a star, why can't I see it at night?
It looks like looking for security flaws is increasingly seen as an illegal action by both companies and governments.
Would I be sued if I told a company manufacturing bicycles that their products are not solid enough, and can then be dangerous? Probably not.
It will soon be forbidden to even talk about flaws. As a French citizen I feel very sad about it...
You joke as if people here do not have that right, but it has already been shown that such free speech is protected here. Not only that, but you can even distribute source code to exploit it.
Note to Europeans: while it is fun to point and laugh at us "stupid" Americans and our silly laws and lawsuits, you might want to take note that the same things are going on in your countries too, and will continue to get even worse.
Unfortunately, it appears that expertise in French law is lacking here at slashdot.
I second the suggestion above: contact eff. Now. If they can't help they probably can point you to organizations that can.
If you were simply using the software and found exploits through the interface, then I totally agree, this is bullshit...
HOWEVER, if you were digging through reverse engineered proprietary code, and publishing exploits at the code level... well, that is in fact illegal...
Good luck either way though...
"I used to have a sig, but a cheese eating surrender monkey ate it..."
--Ryan
You are in error. No-one is screaming. Thank you for your cooperation.
DVD-Jon also got tried twice for the same crime. I'll stick in the US where double-jeopardy (and a very large back yard to hide in) affords some sort of protection from that sort of thing.
If is_a_virus() gives some false positives, there would be no contradiction. I don't think this is an airtight argument.
safer, but should be completely unnecessary.
Instead of packing up and running every time something happens that you don't like, why not stick around here and fight for what you believe in? You can start by sending a few bucks to the EFF.
Quidquid latine dictum sit, altum videtur
This is like a mechanical engineer publishing tips and tricks on how to break open safes that claim to be "burglar proof." Or Diebold suing someone who figured out how to rig elections. This is like the "wag the dog" scenario where you start a fight with someone to move attention to them and away from your shortcoming.
Why not GIS for "DMCA" and you'll see that this law DOES have a chilling effect on speech regarding security and security research.
Only if your security research has little to do with security and more to do with breaking copy protection. Free speech on security vulnerabilities is protected, you just can't be distributing code to bypass copy protection. I don't like that law too much either, but it's not really relevant at all to this issue.
What's up with this France bashing? Seriously, is this all because France and Germany (unlike Denmark, where I am from) wouldn't fall for baby-boy Bush's nagging and crying? I did not really get the whole "french toast" and "freedom toast" stuff, what's your (and here I mean Americans) problem with the French?
Why are there only 19 people folding@home for slashdot?
If you discovered a critical safety flaw in a particular model of automobile, do you:
i) Let everybody know, so those who drive that particular model can get it fixed, or
ii) Let only the manufacturer know, so they can fix it in next year's model first.
What about the poor souls who are relying on the software for the security of their business? With your door analogy, it is equivalent to letting the lock manufacturer know that their locks are defective, without notifying the homeowner. (End user) It is their doors that are vulnerable. Of course by broadcasting this to the world, you let the bad guys know at the same time, but IMHO it is better than saying nothing.
My rights don't need management.
Tim
you don't have to be good anymore. You don't even have to look good anymore. All you have to do is sue the pants off of anyone who proves you are not good!
Anyone who buys this company's products needs their fucking heads examined!
It should also be a punishable offense for a software maker to NOT close exploit holes in a timely manner.
I can see the case being made that leaving exploits open is essentially supporting terrorism, or depraved indifference at least.
I don't know the meaning of the word 'don't' - J
He may be in Le Figaro today. Look for "Quand les createurs de virus se font la guerre" in Le Figaro's archive. You have to pay to read the article, though.
I would strenuously advise you *NOT* to discuss your legal situation or case with anyone but your lawyer.
I'm aware you're French, and likely will be prosecuted in France, however, it's generally the case that any public statements you make can and will be used against you in court, thus, I would advise that you seek professional legal counsel and stop publicly discussing your upcoming case. It can (and usually does) limit the variety of strategies that your lawyer can use to defend you.
Sort of like calling spitting on the sidewalk a "terrorist act" because it could be labeled a "biohazard" if you really stretched it.
I echo the parent posters' sentiment: bonne chance!
I'm sure I'll get burned at the stake for this, but what the heck...
How many sides of this story do we have? Hmm, just this guy's side. Interesting.
Did he make any effort to alert the creators of the software before he published the info? Not that I could tell from the linked info. It sounds like he just posted it on his web page and published it in a crackers magazine and let the chips fall where they may. Not exactly responsible activism.
What exactly *is* the law regarding this in France? Here in the States we have the DMCA. It's a terrible law, but we all know what we're getting into if we break it. That's what civil disobedience is all about, isn't it? I seem to recall that Europe has similar laws on the books.
I'm sorry, but with the info we've been given this sounds a little like "I did something naughty and I got caught and now I might get PUNISHED! Oh poor me!"
All kneejerk reactions aside, maybe there's more to this situation than we've been given.
I'd be surprised if he were not acquitted, but you never know these days. It's very easy to pay off a judge. Anyways, one thing I would like to know is how publishing code in order to expose security flaws, and where the author(s)/owners of the code are referred to, is any different than publishing excerpts from a book in order to expose, say, racist sentiment.
People say I'm crazy, I got diamonds on the soles of my shoes...
The court of Slashdot seems to be siding against the French judicial system, but shouldn't we hear their side of the story first? I'm not saying this guy is lying - just that there are two sides to every story.
I remember some articles on Slashdot about something like this happening to hackers like that. Obviously this hacker missed those articles. And now with all the terrorist crap and new laws, it's very easy to put people in prison for anything.
My only question is, aside from application of the DMCA in the U.S., how is this kind of information any different from say, Consumer Reports? Those guys go out of their way to break cars, appliances, and other consumer products.
I believe Rice's Theorem only applies if your computational model allows for infinite storage (or something equivalent).
:)
Computers don't have infinite storage, so you could theoretically map out all possible states that a computer could be in and get a proof of termination (or any other property) that way.
Obviously this isn't practical by any means, but that's no excuse for being imprecise.
HAND.
I've mentioned it, over and over on various fora since 9/11: anti-terrorist laws were not written to prosecute terrorists.
All over the world, these travesties are now in place. For "evil to succeed", now all that is required is to redefine "terrorism". And we're well on the way for that: now reverse engineering is "terrorism". A marijuana smoker is a terrorist. Someone who criticizes the American government, like Bill Maher, can be advised to "watch what he says". Eventually EVERY infraction can be redefined as terrorism. The ground's the limit.
For the life of me, I cannot see the difference between the Red Nightmare so feared for the last century by the Right, and what the Right is building for us now. Besides a lot of wealthy people and the option to own your own property, what is the real difference between the old Soviet empire and the Brave New World being built by our new jailors?
What we're witnessing is an anti-civil rights movement across the world. The various governments and police/military/spy boys are in the middle of building a new system of law only tangentially related to English common law and the American constitution. They are creating a new world of harsh law unbounded by the rights of man. Although as many have noticed, corporations aren't men, and aren't bound by any of these new paradigms.
I don't have to even bother finding examples anymore. It's happening every day. Faster and faster, impossible to monitor because it's happening too fast for a single human mind to keep track of it all.
The "terrorism" war is a crock. They aren't using these spiffy new un-laws to capture bombers and the other usual stereotypes. They're using them against US.
Stop going through the wrong chain of command with these issues.
First you take it to the company. And if they won't listen you take it to the authorities and they can decide if the company is defrauding their clients with false promises and whatnot. And if they won't listen you throw your hands up in the air and unless you know a company personally who uses the software you just let it go.
Making it public information just makes the danger to the companies very real and very much now which in fact punishes them by not giving them time to deal with the issue.
Unless you have a feasible immediate solution to go with your findings all you're doing is sabotaging a lot of innocent companies who had no way to know and you've just tied their hands behind their backs and made them sitting ducks. Companies cannot just shut down software at a moment's notice.
And here's a nutty idea, if you're really obsessed with finding holes in a certain company's software seek a job. The obvious problem is that you're a problem person. You find problems and that's it. That doesn't help anybody. And when you then blackmail people with this information by going public if they don't deal with it, no duh you're going to get in trouble.
If you're sincere about helping the company you find the problems, find the best solutions you can with the information you have and then go to the company and explain the situation and tell them you'd like to help and know how to fix the problems but need access to the source to do so. You then request a job as a programmer and get to work if they hire you. If they don't hire you, you leave them with your findings and move on.
If you ever, in the process of these discussions, even hint at going public it's called blackmail and you'll rightfully be thrown in jail. Give one copy of your findings to the company and one copy to the proper authorities. That's it.
By pressing the issue you assume you have some kind of right to tell the company what to do. You also assume that the company isn't working on the issue. And you also assume that the company owes you some kind of update on the status of the issue. Which are all three very wrong assumptions unless you actually work for the company and are in an upper position. By going public you've basically forced the company into a bad position because they didn't act in a time frame you thought was fast enough. You don't have a right to do that. DMCA or not.
If you don't have a feasible immediate solution to go with the problems you've found going public is just hurting everyone and helping no one.
If this is something you like to do, you should have gotten a job so that you'd be recognized as a legitimate software security expert that companies can hire for testing their software. But now you've kinda screwed yourself because nobody can trust you to work within the system. Your mouth is too big for the job.
You've made yourself singularly responsible for anything bad that happens because of your findings. Instead of an "I told you so" you would have earned by going through the proper channels you earned an "it's your fault." Because you assumed anyone could have found and exploited the problem and now they can.
Let the bad guys go public. If you have no solution and you go public without permission, you are the bad guy. With Open Source you have all the permission in the world to report hacks without posting solutions. Work on Open Source if you can't stand keeping secrets.
Ben
Work Safe Porn
Why would anyone want to take US citizenship? There is no other country in the world whose citizens are so detested. We have a crazy government with an unelected president who serves rich people and their companies. More and more, citizens' rights are being taken away with the help of the Supreme Court, which is also controlled by the president and his neo-conservative friends.
Better to go to Canada, which is a thousand times more sensible than the USA.
(Sorry for any mistakes... I speak French but it's not my mother tongue. I like to try speaking it from time to time.)
Karma: Excellent Birds (mostly as a result of listening to Laurie Anderson)
Becoming an American citizen won't help you. We have this nasty piece of merde called DMCA that provides for hefty fines. A company that doesn't like you can point to DMCA as a vehicle to charge you under.
I agree with the previous poster, a good offense is the best defense. Hit them hard in the court of public opinion, and if it is indeed true that you cannot punish someone in France for telling the truth, then by all means, hammer away.
The ironic thing is that if he had told the company before he released the exploit, they could probably have been able to charge him with the French equivalent of Blackmail.
It kind of brings a whole new meaning to the saying, "you're damned if you do and damned if you don't."
Unless you're accused of "Terrorism" (as the poster was). That's the tricky point - even here in the U.S., if they use the "magic word", the Patriot Act trumps the constitution. I'm not being facetious - that was the whole (only) point of the Patriot Act. "The bill of rights makes it hard to fight terrorism, so repeal it for people we say are terrorists. We promise we won't abuse it."
Proud neuron in the Slashdot hivemind since 2002.
On the third hand (this guy must be a mutant! ;)) a lot of companies won't bother to fix flaws if they aren't publicly and obviously posted, so crackers might find the flaws and use them for exploits, while the company that makes the software gleefully ignores the problem and gets to avoid responsibility and liability. That's definitely not good. I don't know (it's not clear from the English writeup) whether any attempt was made to notify, but many people who release exploit data do so only as a last resort.
i am a soviet space shuttle
Jeez, anyone who's taken Criminal Justice 101 knows that this is not double jeopardy!! If you steal a credit card number and make purchases on it, chances are, your state has a law against this kind of fraud, so you've committed a crime against the state. Theft of a credit card is also a Federal Offense. And you've probably also violated a Civil law that will open you up to a lawsuit from the theft victim for his "pain and suffering". Yes, you've committed "one" act, but that act is a crime in three separate jurisdictions - ergo three separate crimes, which means each jurisdiction will have an opportunity to get a piece of you. Double Jeopardy would be if you had been acquitted of the State charges, and afterwards the State charged you again for the same crime.
Xenon, where's my money? -Borno
Even if he did break the DMCA, he was charged in France.
The US is not the World.
Justice is supposed to be blind, but not the judges. I think that is the single biggest problem we face with existing computer crime legislation - neither the legislators nor the judges understand what it is that the law is actually saying.
BTW, I really enjoyed your steganography articles. It's comforting to realize just how difficult it is to implement stego correctly. It really puts mainstream media hand-waving about terrorist use of steganography into perspective.
---- Just another spud server.
His English spelling and grammar are significantly better than my French spelling and grammar. You did notice that he is French, didn't you?
flossie
Write now. Defend liberty
Is a link to the actual text of the indictment anywhere? Without it we won't know exactly what the claims are, and only have his version of the story to go on.
I Television also has a pretty good local coverage, but less audience than France 3. I'd also suggest writing to Le Canard Enchaine, which has a dedicated column for this kind of story ("Couac").
I'm not as optimistic as the previous poster, remember what happened to Serge Humpich. This guy found a way to crack the so-called most secure bank card system in the world (French Carte Bleue). He then contacted the system's proprietor (GIE Cartes Bancaires), offering help (not freely, alas for him) to fix the system thanks to his expertise, and as a demonstration bought a handful of metro tickets. He was indicted, temporarily jailed and found guilty of fraud, falsification and unauthorized access to an automated system. During the trial GIE kept on claiming that their system was unbreakable, yet some time later the first "Yes-cards" appeared on the black market and cracking info spread on the Net. Had the GIE taken Humpich seriously, no yes-cards could have been produced and no businesses harmed (usually small ones such as automated video cassette rental).
Merde pour la suite (Frenchmen never wish good luck)
The problem is such exploits are published and not referred to the companies in question for them to fix these faults.
And there's absolutely no ethical obligation on the part of the person who finds the flaw to inform the company before informing the public. It's up to the company to prevent the sudden appearance of egg all over their faces, not folks who aren't their employees and aren't getting paid by said company to find such faults in the first place.
Funny how well corporations have managed to brainwash some people into thinking otherwise...as if in the end we're all their employees and 'owe' them something beyond the price we pay for their (buggy and insecure) software. I wonder when this little tidbit was included in the definition of 'capitalism'?
Max
My god carries a hammer. Your god died nailed to a tree. Any questions?
This became a rubber stamp court, with only one request out of over 7,500 since its inception being rejected by the judges. Of course, the people are unaware of it because the proceedings of the court are secret, and the defendants are usually unaware of the evidence being used against them.
The existence of the court is not secret though, as it was created by a law passed in the 80s, and the quantity of searches granted by the court is public. Indeed, the US government was accused of abusing this court recently to broaden its purpose, before the Patriot Act was "clarified" to permit such abuse by the US prosecutors, FBI and intelligence agencies. One of the judges on the panel scolded the US government for being deceptive in the types of cases it was bringing, indicating that the US government does try to bring people before FISA that are not spies, but instead ordinary criminals. The US appealed a decision to legally obtain a broadening of the court's purpose, originally without legislation.
If I remember correctly, congress passed a law to "clarify" that the Patriot Act extended this to cover those suspects of "terrorism". Hasn't it occurred to anyone that none of the trials of suspected terrorists are public?
This is such a sad demise of the US Constitution and American liberty. To me, I'd be willing to die like our forefathers did to preserve American freedom and create the Bill of Rights. I just wish we weren't so willing to discard it today under the illusion that our life-spans will be longer. When I was a child, being willing to die to preserve American freedom was a common notion. Now, being willing to give up freedom to avoid the remotest chance of dying, no matter how statistically improbable, has become a de facto notion. To suggest otherwise, well, that would be unpatriotic! Or would it be terrorist?
Unfortunately, without the ability for the press or the people to attend trials of suspected terrorists, it's unlikely that this will ever be overturned. We'd have to prove that the system was used unjustly, but the Patriot Act has removed all accountability, so that it is nearly impossible to prove the injustice.
The question is, if it was "spies" yesterday, and now includes those labeled as "terrorist" or "threats to national security" by the investigators and prosecutors today, then what label is next? Or, are the current labels broad enough to permit US prosecutors to throw anyone in prison for life that they see fit? It's hard to discern when our government is no longer accountable to the people it's supposed to represent.
Is there any way to determine what cases the government has filed to prevent public accountability under the Patriot Act? I'd like to follow up on this to at least try to estimate how many cases there are today. If at all possible, I'd like to know if it is even remotely possible to discover any injustices occurring. Justice is, after all, the purpose of all this. Right?
Links:
THE SECRET FISA COURT: RUBBER STAMPING ON RIGHTS
Secret court meets to consider Justice Department appeal
Secret court gives U.S. gov't wiretap powers
Secret Court Rebuffs Ashcroft
Secret court may limit government power to spy on domestic terror
These links aren't in chronological order, and I obtained them using a simple