Slashdot Mirror


Hacker Indicted In France For Publishing Exploits

Guillermito writes "Hello. I'm a French scientist living in Boston. I analyse small security software under Windows as a hobby, for fun and curiosity. For example, I showed how to easily extract hidden information from a dozen steganography programs, often commercial programs claiming a very high security level. I did the same with a French generic anti-virus, showing several security flaws, and that it didn't stop '100% of known and unknown viruses' as claimed. First the company called me a 'terrorist,' then sued me. I've just been indicted last week in Paris. It seems that it's a general trend in France, and maybe in Europe, these days."

22 of 561 comments

  1. Good luck! by Anonymous Coward · · Score: 5, Interesting
    I wish you the best. You should be given job offers, contracts, and cash for what you do, not put on a cross to die! It's a shame, really. Hopefully your case goes public and some good lawyers will help you for cheap if they think the press for themselves is worthwhile. Good luck!

  2. There is no faster way by ThisIsFred · · Score: 5, Interesting

    There is no faster way to make enemies than to point out someone's stupidity, and then prove it publicly. But I am on your side. Companies that market security products that aren't are committing fraud, IMO. And I'd rather have you publish the vulnerability than someone else publish the automated exploit.

    --
    Fred

    "A fool and his freedom are soon parted"
    -RMS
  3. Terrorist??? Sounds like libel to me. by JDRipper · · Score: 5, Interesting

    If they publicly called you a terrorist in writing without sufficient evidence, can't you sue their berets off for libel?

    --
    "You know Myra, some people might think you're cute. But me, I think you're one very large baked potato."
  4. Re:'Bout Time by Orgazmus · · Score: 3, Interesting

    Could try Norway?
    DVD-Jon got off the hook over here, why shouldn't it work this time? ;)

    --
    The system had the verbosity of HTML combined with all the readability of compiled assembly viewed as bitmap images
  5. Signs of the future? by Anonymous Coward · · Score: 5, Interesting

    Now, if Microsoft is forced to release the windows source because of the EU, does this mean anyone who points out vulnerabilities will get sued too?

    Seems like a strange way to thank someone for helping them. It's like beating someone to death with a tire-iron because they told you your tire is flat.

  6. Did they redefine extortion and not tell me...? by spacepimp · · Score: 2, Interesting

    They sued you for experimenting and testing their claims? I.e. the "virii" statement. I can't imagine how this is any different from test environments in large corporations before a deployment or rollout. Did you perhaps send them a bill, demanding it be paid or you will reveal their misstatement of facts, or perhaps say you found a way around their security, pay you to keep silent or ruin their profit model, like what happened with Google perhaps? I'm curious to hear more about how this was taken as extortion; it doesn't seem to fit with the word's definition.

  7. The moral of the story is.. by Murf_E · · Score: 3, Interesting

    Don't go tell the company that their product is flawed, but rather use your discovery to exploit people who use their product. Either way you will be sued, but at least this way they have to find you.

    --
    this sig intentionally left blank
  8. Good or Not? by Prince+Vegeta+SSJ4 · · Score: 5, Interesting
    I haven't brushed up on the law concerning publishing exploits in either France or the US, but it seems a little ridiculous to indict someone for pointing out a security hole.

    Sure it can be said that publishing an exploit will encourage a hacker to take advantage of said exploit, but not publishing and letting it remain a secret is no guarantee that someone is not exploiting that same exploit. In fact, I'm willing to bet that some 3v1| H4x0r would eventually find it anyway. But I would rather know that it exists so that I may act, since, in my experience, software companies are slow to react and try to hide or downplay flaws.

    Security solely by obscurity doesn't work.

    On the flip side, if the door to my house was wide open, I wouldn't want anybody yelling hey your door is wide open (to the world) without allowing me to fix it.

    IMO it boils down to common sense, and in this case I think that it is a beneficial thing to publish that sort of information. An even better route would be to alert the software makers first, and give them a 'short' time to release a patch. But only a very short time.

    1. Re:Good or Not? by OldMiner · · Score: 1, Interesting

      So, let's face something. This point here, it's just a repeat of what's been said time and time again. It's what people mean when they say "Slashdot groupthink". Although the author supports her point with seemingly sound arguments, there are no references. It's all idealism.

      Here's a heads up to the rest of the world: Most people who abuse security holes don't write them. Most crackers are young and clever, but ignorant of many things. And, among those things, is how to search for, write code to abuse, and utilize security holes. The reason people fight publication of exploit code is because, without that code, most exploits would not happen. The reason people fight publication of mere issues is that there are people who will not search for security holes but will write and distribute code.

      There are simply so many discontent script kiddies out there compiling together other people's code to break into machines to retain some feeling of power and importance. One feels powerless, and breaking into systems and making others feel violated suppresses that feeling. It's the control that muggers and disadvantaged youths revel in, otherwise disregards them. This is the advantaged youth's power grab. And similar motivation goes to the people who publish security exploiting code. And who find these exploits. Each level up, you find a more sophisticated mind and a different sort of disenfranchisement.

      But what it breaks down to is that completely nonpublic disclosure of many application-specific vulnerabilities would fix these problems and filter out most actual acts of exploiting security holes.

      Pardon me for straying offtopic.

      --
      You like splinters in your crotch? -Jon Caldara
    2. Re:Good or Not? by carn1fex · · Score: 2, Interesting

      • but it seems a little ridiculous to indict someone for pointing out a security hole.
      Exactly. What if the magazine Consumer Reports was reviewing their product and found this defect? Could the magazine then be indicted? How does this bode for private entities doing public reviews of a product?

      --

      ---------

      No matter how thin you slice it, it's still baloney.

  9. Re:Preposterous! by General+Wesc · · Score: 2, Interesting
    It's illegal to insult people. But so long as he didn't release the vulnerabilities saying 'this moronic company. . .' :-)

    (Are companies 'people' in France?)

  10. Please Publish Address of Officials here by randall_burns · · Score: 2, Interesting

    I would like to write a letter in support of you. The people that should be legally hassled here are the software vendor whose fraud you exposed, not you.

    IMHO a pile of letters coming from all parts of the world in your support might send a signal. I also think that Amnesty International should be contacted here. This is even more sleazy than most of the stuff they take on; in this case you appear to be hassled not because of your political opinions, but because French officials are using their offices at the behest of corrupt corporate interests.

  11. Re:Stops 100% of unknown viruses? by lavalyn · · Score: 3, Interesting

    Catching all viruses is easy. Label all files viruses. Isn't all that helpful but absolutely "true."

    Just like flagging all spam is easy, or flagging all important email important is easy.

    (For those in statistics, Type I and Type II error.)

    --
    Doing the Right Thing should not be preempted by making a buck.
  12. I'm sorry I spent money there... (OT) by copponex · · Score: 1, Interesting

    I was looking forward to my two week France trip as an escape to a place where people knew how to live life. The country was beautiful. The history and art that are simply everywhere were incredible. I'm by no means jingoistic; however, I came back with these conclusions:

    1. French culture exists mainly to perpetuate itself. I know all cultures do this, but if you aren't a French-speaking Frenchman doing something French in France, they just don't like you.

    2. For a country that derives so much of their income from tourism, they have the worst customer service I have ever experienced.

    3. There aren't any fat people in France because their food consists of vegetables boiled to the consistency of glue and the worst cuts of meat I have ever tasted. Service and food were always better in ethnic restaurants.

    So, it's not so bad here at home. As long as Bush gets kicked out of office, education becomes a priority, lobbyist power is reduced, the Patriot Act and the DMCA are revoked, and we redesign the city plan of every city not in the Northeast, we'll be just fine.

    Ahh, and now my favorite joke. What do you call 100,000 men with their arms raised?

    The French Army.

  13. Re:Who was it that said... by Le+Marteau · · Score: 5, Interesting

    ohh ohhh a quotation contest!

    "Did you really think that we want those laws to be observed? We want them broken.
    You'd better get it straight that it's not a bunch of boy scouts you're up against . . .
    We're after power and we mean it. You fellows were pikers, but we know the real trick,
    and you'd better get wise to it. There's no way to rule innocent men. The only power
    any government has is the power to crack down on criminals. Well, when there aren't
    enough criminals, one makes them. One declares so many things to be a crime that it
    becomes impossible for men to live without breaking laws. Who wants a nation of law-abiding
    citizens? What's there in that for anyone? But just pass the kind of laws that can
    neither be observed nor enforced nor objectively interpreted - and you
    create a nation of law-breakers - and then you cash in on guilt. Now that's the system,
    Mr. Rearden, and once you understand it, you'll be much easier to deal with."

    From "Atlas Shrugged" by Ayn Rand

    --
    Mod down people who tell people how to mod in their sigs
  14. Re:Enshrined protection of whatever by Maestro4k · · Score: 4, Interesting
    • You joke as if people here do not have that right, but it has already been shown that such free speech is protected here. Not only that, but you can even distribute source code to exploit it.
    At one time I would have agreed with you. Having had an encounter with the government over false accusations made against me (not even computer-related), and having seen the results, I have to say that in theory we have freedom of speech, in PRACTICE, the government can quite easily ruin your life over something you say, even if they can't even charge you with anything.

    Remember, publicity about something you're accused of is all the court of public opinion needs to convict you. Winning at trial (if you're charged) or having things dropped later on aren't enough to undo that. To use what's probably a bad example, remember the OJ trial? He was found not guilty of murder, but exactly how many people do you know who believe that to be the truth? And how many do you know who'd hire him to work for them, even if it was digging ditches?

    Finally, don't forget that fighting charges against you can bankrupt you. Even if you end up innocent, you may find your life utterly and totally destroyed thanks to this. Frankly our "justice" system has lost all its justice, and "innocent until proven guilty" has gotten forgotten somewhere along the way.

  15. Re:Look on the bright side... by Anonymous Coward · · Score: 2, Interesting

    It has always been illegal to compromise security in France, whether exposed or not.
    Hack a smartcard, descramble pay TV, find a flaw in Apache, whatever, you will get busted.
    Whether French law allows for it or not, companies and judges will not tolerate it, and bust your ass, and you usually lose out.
    They don't care about reason, just don't do that kind of stuff.
    Sad but true.

  16. Re:Stops 100% of unknown viruses? by Anonymous Coward · · Score: 1, Interesting

    Just a variation on a classic result in theory of computation, which is itself related to Godel's Theorem.

    Such limitative results are old hat by now, interesting as they were in the '20s. Now that Gödel has shown us the general trick, you can crank them out by the barrel, sort of like Cantor and diagonalization proofs.

    But there's still an interesting question buried in there: there may be "true but unprovable" theorems -- but are there any that don't embody just this style of self-reference? The incompleteness proof is sufficient to disprove a mathematically certain claim, but what is the real scope of such limits in a practical sense? The fact that not all programs can be proven to halt doesn't stop us from testing for correct termination on the programs we happen to be interested in.

  17. Re:Enshrined protection of whatever by Short+Circuit · · Score: 3, Interesting

    I guess the results are on a case-by-case basis. When my mother (who had/has custody... we're all grown now) took me and my brother on a vacation to Florida, my biological father called the FBI telling them she had kidnapped us.

    The FBI got really pissed at him when she provided the court documents proving she had custody.

    The moral of the story is to document everything that can serve as evidence on your defence.

    I may wear a tin foil hat, but I wear it with pride.

  18. Same country, similar case (?) : Serge Humpich by christophe · · Score: 5, Interesting

    A few years ago, Serge Humpich discovered a flaw in the French smart-card payment system, and proved that it was possible to get money from an ATM with a false card; he never earned money with it and just showed journalists he could get money, and gave it back.
    Banks sued him, and won: 10 months in jail (deferred), about 4000 euros to pay (fine + banks' lawyers' fees). Technically, he was guilty of "unallowed access to a computer system". Banks denied that the flaw existed but changed their system; it didn't prevent many false cards from appearing in the following years. Disgusted, Humpich wrote a book ('Le Cerveau Bleu').

    Although similar, I hope it won't finish the same way. Guillermito didn't crack any computer, so the Humpich precedent does not apply. The European version of the DMCA has not yet been voted in France (it won't be long), and copyright infringement claims are stupid. But America does not have the monopoly on technically illiterate judges, and the influence of good lawyers, as was already shown in his case. The "terrorist" accusation should be enough to sue ("diffamation"). Ironically, cryptography and steganography are supposed to be terrorists' tools!

    I'd say he should contact "60 millions de consommateurs" and "UFC-Que Choisir", two powerful consumer organizations.

    --
    Christophe (Don't hesitate to point out my spelling and grammar mistakes, I want to learn - Thanks).
  19. The DIY Cruise Missile and freedoms by NewtonsLaw · · Score: 4, Interesting

    The NZ government has gone out of their way to try and destroy my life since I publicized the risks associated with home-built cruise missiles.

    I still have my missile (largely due to the fact that a network of friends have stored it safely in such a way that I can honestly say "I have no idea where it is") and had considered taking it on a tour of the country so that people could actually see what I've been talking about.

    My lawyer advises me however, that to do so would almost certainly result in a very severe prison term. After all, they've already broken the law in respect to the actions they've taken against me so they've proven that, as far as they're concerned, the ends justifies the means.

    He's strongly of the opinion that the government is just itching for an excuse to throw me in jail on some trumped-up terrorism charge because I've become such a thorn in their side.

    In this country it's not illegal to build a cruise missile, and it's not even illegal to own one, nor is it illegal to transport one -- but, as a criminal lawyer of long standing, he made it quite clear to me that under the new anti-terrorism laws we now live in a police state and that the government can do whatever it wants to whoever it wants to -- by simply accusing them of terrorist activities.

    In the case of my tour, they'd likely accuse me of moving the missile as the precursor to a terrorist action.

    It wouldn't matter whether they were able to win such a trumped-up case, because here in NZ (as in the USA), people accused of such things seem to spend inordinately long periods of time in jail just waiting for their case to come to court. We have a guy here who's been in prison for 16 months already and, even though our High Court ruled just the other day that the head of our Security Intelligence Service had shown bias against the guy and has had to resign -- the imprisoned "suspect" is still having to wait at least another 6 months for his day in court.

    It makes no difference apparently, that I've always been totally open in my activities and the reasoning behind them, and was planning to have a media contingent on my little tour. I don't recall any *real* terrorists inviting the media along on one of their attacks or offering to share all their information with the government.

    I don't know whether I should be really angry that governments have used the war against terror to give themselves such draconian powers, or if I should feel sad that the public are allowing them to do this without even a whimper.

    I suspect that we will eventually regard these days as a dark period in the world's history -- not because of terrorist activities, but because so many people gave up so many freedoms so easily.

    P.T. Barnum was right I'm afraid :-(

  20. Godel off topic by Anonymous Coward · · Score: 1, Interesting

    It's actually not that hard to detect infinite loops of the parent variety. It's only a nondeterministic finite automaton with two elements. A computer looking at the program would do just what a person would do. It would see that if you followed it you simply oscillated between being virus laden and not virus laden.

    The proof is that the number of states in an infinitely long running program would be infinite. If the number of possible program states is larger than what you can pack into your memory then you cannot determine if there is an infinite loop. Consider for example how a computer program would determine if this were an infinite loop:

    while (rand()) { /* do something */ }   /* a line comment would swallow the closing brace */

    You need knowledge about the statistics of the rand() function in order to answer this question quickly. Otherwise you would have to just run the program for all the possible rand() seeds before you could answer it.

    Michael
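The argument in the comment above (a deterministic program that revisits a state is provably looping; a program whose reachable states outgrow your memory cannot be decided that way; `while(rand())` forces you to consider every outcome of `rand()`) can be made concrete with a state-graph explorer for a tiny register machine. This is an added example, not code from the thread or from any product it discusses; the instruction set, the `rnd` instruction standing in for `rand()` with outcomes 0 and 1, and the four sample programs are all constructed here for illustration.

```python
"""Explore the reachable state graph of a tiny register machine and classify it.

Added example (not from the thread). Instruction set (constructed):
    ("inc", r, _)   r += 1
    ("dec", r, _)   r = max(r - 1, 0)
    ("jz", r, t)    jump to t if r == 0, else fall through
    ("jmp", t, _)   jump to t
    ("rnd", r, _)   r := 0 or r := 1, both outcomes explored (models rand() & 1)
    ("halt", _, _)  stop
A state is (pc, registers). Because the machine is deterministic apart from
"rnd", a back-edge in a depth-first search of the state graph is an execution
that repeats a state, i.e. an infinite loop on some sequence of rnd outcomes.
"""


def successors(program, state):
    """All states reachable in one step; an empty list means the run halted."""
    pc, regs = state
    if pc < 0 or pc >= len(program):
        return []
    op, a, b = program[pc]
    regs = list(regs)
    if op == "halt":
        return []
    if op == "inc":
        regs[a] += 1
        return [(pc + 1, tuple(regs))]
    if op == "dec":
        regs[a] = max(regs[a] - 1, 0)
        return [(pc + 1, tuple(regs))]
    if op == "jz":
        return [(b if regs[a] == 0 else pc + 1, tuple(regs))]
    if op == "jmp":
        return [(a, tuple(regs))]
    if op == "rnd":
        out = []
        for value in (0, 1):
            branch = list(regs)
            branch[a] = value
            out.append((pc + 1, tuple(branch)))
        return out
    raise ValueError(f"unknown opcode {op!r}")


def analyze(program, regs=(0,), max_states=10_000):
    """Return "halts", "may_loop" or "unknown".

    Iterative DFS with the usual white/grey/black colouring: reaching a grey
    (on-stack) state is a cycle, so some execution never terminates.  If the
    number of distinct states exceeds max_states before a verdict, we give up,
    which is exactly the comment's point about state space versus memory.
    """
    WHITE, GREY, BLACK = 0, 1, 2
    start = (0, tuple(regs))
    colour = {start: GREY}
    stack = [(start, iter(successors(program, start)))]
    while stack:
        node, it = stack[-1]
        nxt = next(it, None)
        if nxt is None:
            colour[node] = BLACK
            stack.pop()
            continue
        c = colour.get(nxt, WHITE)
        if c == GREY:
            return "may_loop"
        if c == WHITE:
            if len(colour) >= max_states:
                return "unknown"
            colour[nxt] = GREY
            stack.append((nxt, iter(successors(program, nxt))))
    return "halts"


# Sample programs (constructed).
COUNTDOWN = [("jz", 0, 3), ("dec", 0, 0), ("jmp", 0, 0), ("halt", 0, 0)]
# The parent's two-state oscillation: r0 flips 0 -> 1 -> 0 forever.
OSCILLATE = [("inc", 0, 0), ("dec", 0, 0), ("jmp", 0, 0)]
# Unbounded counter: never repeats a state, so no finite budget can decide it.
COUNT_UP = [("inc", 0, 0), ("jmp", 0, 0)]
# while (rand()) { }  with rand() in {0, 1}: loops as long as rnd keeps yielding 1.
WHILE_RAND = [("rnd", 0, 0), ("jz", 0, 3), ("jmp", 0, 0), ("halt", 0, 0)]

if __name__ == "__main__":
    print("countdown ", analyze(COUNTDOWN, (5,)))
    print("oscillate ", analyze(OSCILLATE, (0,)))
    print("count_up  ", analyze(COUNT_UP, (0,), max_states=50))
    print("while_rand", analyze(WHILE_RAND, (0,)))
```

The exhaustive treatment of `rnd` gives the worst-case answer the comment describes: `while(rand())` is reported as "may_loop" because there is a sequence of outcomes (all ones) that never exits, even though with any realistic `rand()` that sequence has probability zero in the limit. Deciding "halts with probability 1" needs the distributional knowledge the comment mentions, not just the state graph.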