Slashdot Mirror
Hacker Indicted In France For Publishing Exploits
Guillermito writes "Hello. I'm a French scientist living in Boston. I analyse small security softwares under Windows as a hobby, for fun and curiosity. For example, I showed how to easily extract hidden information from a dozen of steganography softwares, often commercial programs claiming a very high security level. I did the same with a french generic anti-virus, showing several security flaws, and that it didn't stop '100% of known and unknown viruses' as claimed. First the company called me a 'terrorist,' than sued me. I've just been indicted last week in Paris. It seems that it's a general trend in France, and maybe in Europe, these days."
Now you get to search for holes in the French jail system. Find a big enough one and you're free!
What does stenography have to do with software? Didn't they become extinct millions of years ago?
There is no faster way to make enemies than to point out someone's stupidity, and then prove it publicly. But I am on your side. Companies that market security products that aren't are committing fraud, IMO. And I'd rather have you publish the vulnerability than someone else publish the automated exploit.
Fred
"A fool and his freedom are soon parted"
-RMS
I'm glad to see that the EU has broken the U.S. monopoly on wacky, mindless computer lawsuits!
I sure am glad I live here in the USA where my right to expose the weaknesses of corporate products is enshrined in our beloved Constitut...
Hold on, there's a SWAT team banging on my door.
I'd better go let them know that they must have the wrong house.
You are in error. No-one is screaming. Thank you for your cooperation.
To move to a sane country. There any left?
Mix the failings of Usenet with the shortcomings of the World Wide Web and the result is slashdot.
I'll admit right away that I'm not familiar with France's free speech laws.
But from a common sense point of view, I really don't see how telling the truth about weak software can be illegal. It may lead to damage to a company, but that damage was caused by the security holes, not someone exposing them (hidden defects are a ticking timebomb anyway.)
From the common sense view point, it also seems right to inform the company first, before telling everybody. But telling the truth should not be illegal.
Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
If they publicly called you a terroist in writing without sufficient evidence, can't you sue their berets off for libel?
"You know Myra, some people might think you're cute. But me, I think you're one very large baked potato."
We sue first, and then we call you a terrorist.
SURRENDER to the authorities.
Seriously, though, this sucks ass.
However, I'm quite sure that you're a terrorist, because we all know that terrorists publish the exploits they find. Why, back in June of 2001, I saw an article about how to smuggle knives onto airplanes. I also remember seeing an article shortly after that about putting plastic explosive in your shoes (i.e. Richard Reid). Come on, folks, people who find and PUBLISH weaknesses in software are not the problem.
-paul
Pistol caliber is like religion: everyone has their favourite, and theirs is the only right choice.
"It's dangerous to be right when the government is wrong".
This is a case in point. The author may be in the right, but we are living in hysterical times, and woe unto the man who walks in front of the governmental steam roller with a team of jackasses and corrupt, ignorant polititians at the wheel.
Mod down people who tell people how to mod in their sigs
Now, if Microsoft is forced to release the windows source because of the EU, does this mean anyone who points out vulnerabilities will get sued too?
Seems like a strange way to thank someone for helping them. It's like beating someone to death with a tire-iron because they told you your tire is flat.
they sued you for experimenting and testing their claims? ie the virii statement. i cant imagine how this is any different than test environments in larg ecorporations before a deployment or rollout.. did you perhaps send them bill, demanding it be paid or you will reveal their mis statment of facts or perhaps, say you found a way around their security pay you to keep silent or ruin toir prifit model like what happened with google perhaps.. im curious to hear more about how this was taken as extortion it doesnt seem to fit with the words definition.
dunno if they can help with french courts, but it's prolly worth it to at least bring it to thier attention:
www.eff.org
-gary
The French courts would probably back down if you threaten to invade.
Heck I'll help. I could use a spare country.
I have no
don't go tell the company that their product is flawed but rather use your discovery to exploit people who use their product. Either way you will be sued but at least this way they have to find you
this sig intentionally left blank
Is looks like looking for security flaws is increasingly seen as an illegal action by both companies and governments.
Would I be sued if I told a company manufacturing bicycles that their products are not solid enough, and then can be dangerous ? Probably not.
It will soon be forbidden to even talk about flaws. As a french citizen I feel very sad about it...
Sure it can be said that publishing an exploit will encourage a hacker to take advantage of said exploit, but by not publishing & letting it remain a secret is no guarantee that someone is not exploiting that same exploit. In fact, I'm willing to bet that some 3v1| H4x0r would eventually find it anyway. But I would rather know that it exists so that I may act, since, in my experience software companies are slow to react and try to hide or downplay flaws.
Security solely by obscurity doesn't work.
On the flip side, if the door to my house was wide open, I wouldn't want anybody yelling hey your door is wide open (to the world) without allowing me to fix it.
IMO it boils down to common sense, and in this case I think that it is a beneficial thing to publish that sort of information. An even better route would be to alert the software makers first, and give them a 'short' time to release a patch. But only a very short time.
Alternatively, mail a picture of a rifle to the French government. that will make them back down.
Nah... they'll just draw a line on the ground and politely ask you not to cross it, or go around it.
Casual Games/Downloads
Note to Europeans: while it is fun to point and laugh at us "stupid" Americans and our silly laws and lawsuits, you might want to take note that the same things are going on in your countries too, and will continue to get even worse.
Casual Games/Downloads
Unfortunately, it appears that expertise in French law is lacking here at slashdot.
I second the suggestion above: contact eff. Now. If they can't help they probably can point you to organizations that can.
If you were simply using the software and found exploits through the interface, then I totally agree, this is bullshit...
HOWEVER, if you were digging through reverse engineered proprietary code, and publishing exploits at the code level... well, that is infact illegal...
Good luck either way though...
"I used to have a sig, but a cheese eating surrender monkey ate it..."
--Ryan
I know a guy who for his senior thesis worked with a group of people and hacked a company's network. At the end of the semester, they gave the company a 42 page document stating all the problems and exploits the company had.
He got an A for the class and a job offer from the company. Granted, he already had better offers, but it is a good example of how it should be.
safer, but should be completely unnecesary.
I would like to write a letter in support of you. The people that should be legally hassled here is the software vendor whose fraud you exposed-not
you.
IMHO a pile of letters coming from all parts of the world in your support might send a signal. I also think that Amnesty International should be contacted here. This is even more sleezy than most of the stuff they take on--in this case you appear to be hassled not because of your political opinions, but because French officials are using their offices on the behest of corrupt corporate interests.
This is like a mechanical engineer publishing tips and tricks on how to break open safes that claim to be "burgler proof." Or Diebold suing someone who figured out how to rig elections. This is like the "wag the dog" scenario where you start a fight with someone to move attention to them and away from your shortcomming.
Whats up with this France bashing? Seriously, is this all because France and Germany (unlike Denmark, where I am from) wouldn't fall for baby-boy Bush's nagging and crying? I did not really get the whole "french toast" and "freedom toast" stuff, whats your (and here I mean Americans) problem with the French?
Why are there only 19 people folding@home for slashdot?
Plese note that he has been accused of copyright infrigement. He seems to have reverse engineered and copied/used part of the intern code of the programs. Whether we like it or not DMCA like law forbid it except in a few case (interroperability and maybe for academia). Since he did not publish it for academia, and he did not contact first the company, they can fall on him and he has big probability of being judged guilty.
The law might be broken in that case (as we all know for DMCA like laws) but nonetheless the company has a case...
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
... when the intrepid crime-fighters in the US DOJ sue the EU for patent infringement to proect their monopoly.
Auto-reply to ACs: "Truly, you have a dizzying intellect."
French constitution
Or maybe the Declaration of the Rights of Man, which does have a free speech clause, and is a principle as mentioned in the Preamble to the French Constitution, has legal binding. I don't know.
You should also note that France heavily restricted the use (not just the export) of crypto for a long time, (except possibly if you deposited your keys with the government), so I really doubt their commitment to computer freedom per se.
you don't have to be good anymore. You don't even have to look good anymore. All you have to do is sue the pants off of anyone who proves you are not good!
Anyone who buys this company's products needs their fucking heads examined!
It should also be a punishable offense for a software maker to NOT close exploit holes in a timely manner.
I can see the case being made that leaving exploits open is essentially supporting terrorism, or depraved indifference at least.
I don't know the meaning of the word 'don't' - J
He may be in Le Figaro today. Look for "Quand les createurs de virus se font la guerre" in Le Figaro's archive. You have to pay to read the article, though.
I would strenuously advise you *NOT* to discuss your legal situation or case with anyone but your lawyer.
I'm aware you're French, and likely will be prosecuted in France, however, it's generally the case that any public statements you make can and will be used against you in court, thus, I would advise that you seek professional legal counsel and stop publicly discussing your upcoming case. It can (and usually does) limit the variety of strategies that your lawyer can use to defend you.
I'm sure I'll get burned at the stake for this, but what the heck...
How many sides of this story do we have? Hmm, just this guy's side. Interesting.
Did he make any effort to alert the creators of the software before he published the info? Not that I could tell from the linked info. It sounds like he just posted it on his web page and published it in a crackers magazine and let the chips fall where they may. Not exactly responsible activism.
What exactly *is* the law regarding this in France? Here in the States we have the DMCA. It's a terrible law, but we all know what we're getting into if we break it. That's what civil disobedience is all about, isn't it? I seem to recall that Europe has similar laws on the books.
I'm sorry, but with the info we've been given this sounds a little like "I did something naughty and I got caught and now I might get PUNISHED! Oh poor me!"
All kneejerk reactions aside, maybe there's more to this situation than we've been given.
I'd be surprised if he were not acquitted, but you never know these days. It's very easy to pay off a judge. Anyways, one thing I would like to know is how publishing code in order to expose security flaws, and where the author(s)/owners of the code are referred to, is any different than publishing excerpts from a book in order to expose, say racist sentiment.
People say I'm crazy, I got diamonds on the soles of my shoes...
The court of Slashdot seems to be siding against the French judicial system, but shouldn't we hear their side of the story first? I'm not saying this guy is lying - just that there are two sides to every story.
A lot of the recent France bashing is due to this, but that is hardly the only reason.
I personally do not like the French in general because both my father and step-father were in the Air Force in Vietnam.
That should be enough info for some of you out there, but for those who don't know:
Some Air Force personnel were shot down over North Vietnam and managed to get themselves safely to the French embassy thinking that since we were allies and we were fighting a war they had started in the first place that they would be smuggled back to their unit.
Instead the French, hoping to get in good for the after war profiteering, turned them over to the North Vietnamese who proceeded to torture and murder them.
That is one reason people (in general, not just Americans) hate the French.
Propaganda, that's the real enemy. Here in the US, Europe is seen as ignorant loaners who don't want to help anyone take over the world. I'm not a big fan of the french attitude, and I am french (Canadian). I just hate to see people blindly spout vulgarities when most of them probably have never met a real frenchman. In my experience, they're annoying but fun at parties.
Der Tod ist der einzige Weg hier raus!
I remember some articles on Slashdot about something like this happening to hackers like that. Obviously this hacker missed those articles. And now with all the terrorist crap and new laws, it's very easy to put people in prison for anything.
1/ Call France 3, TF1 if you can.
TF1 certainly won't give a damn, but France 3 has a local news agency that is capable of nicely covering your story.
2/ Attack the company for "Publicite mensongere" (you Grammar Nazis translate for yourselfs, the guy is french...), bringing with you the proofs you digged out.
2bis/ Attack them for "tentative d'intimidation", and another one with Libel (atteinte a l'honneur)
The Libel one will only bring you 1Eu (the official price for honor)
3/ Include the Paris Chamber of Commerce, 60 millions de Consommateurs, and probably one or two IT Newspapers (01 Informatique, Le Monde Informatique), write to the Minister of Justice (Sarkozi is out of Interior, and he won't care anyhow)
60 Millions de Consommateur is very possibly the best first to call, as they are very touchy on such issues, and help people defend their case.
Just doing the counter attack on "Publicite mensongere" to the responsible organisation will be a frightening step for Tengram...
Also, publishing your discoveries on CERN and all others security sites (french and internationals) will be a de-facto victory.
Also, have the court ask for an independent expert to verify your findings... In France, there is a law against punishing people that just said the truth...
If you really want to be vicious, take a look on their webpage, check all their "reference customers" and have them see your papers and security holes...If one of their customers is a French Governemental Agency, they can be in for a very hard time... Lying to the French Administration, and putting their security under threat for innefiency can bring them under a lot more problems than you can think.
So, this is just the top of my head ideas, but I hope it will help you...
In such cases, the better defense is offense...
Bonne Chance, Courage, et ne te laisses pas faire !!!!
It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
Unfortunately, it appears that expertise in French law is lacking here at slashdot.
You must be new here. On Slashdot, everyone is a legal expert in everything.
Vulnerabilities in security products, especially those making outrageous claims, need to be exposed.
excerpt from NAI ePolicy Orchestrator Format String Vulnerability
"When deploying new security products within the enterprise, organizations should understand the risks that new security solutions may introduce."
-weld
Computer security can be increased by the following methods:
.com
1) Deny the flaw exists
2) Sue the person who discovered the flaw under the DMCA or something similar in your locale
3) Blame "hax0rs" who write tools like diff
4) "Donate" to campagin funds of elected officals who pass laws that make security research a federal crime
Not an all inclusive list, but it should be a good start for your security minded company or
My only question is, aside from application of the DMCA in the U.S., how is this kind of information any different from say, Consumer Reports? Those guys go out of their way to break cars, appliances, and other consumer products.
1. Everyone has the right to freedom of expression. this right shall include freedom to hold opinions and to receive and impart information an ideas without interference by public authority and regardless of frontiers. This article shall not prevent States from requiring the licensing of broadcasting, television or cinema enterprises.
2. The exercise of these freedoms, since it carries with it duties and responsibilities, may be subject to such formalities, conditions, restrictions or penalties as are prescribed by law and are necessary in a democratic society, in the interests of national security, territorial integrity or public safety, for the prevention of disorder or crime, for the protection of health or morals, for the protection of the reputation or the rights of others, for preventing the disclosure of information received in confidence, or for maintaining the authority and impartiality of the judiciary.
France is a signatory to the Convention though I have no idea how (or indeed if) it is implemented in French law directly.
-- Nothing unusual happened today
1/ Call France 3, TF1 if you can.
2/ Attack the company for "Publicite mensongere" (you Grammar Nazis translate for yourselfs, the guy is french...), bringing with you the proofs you digged out.
2bis/ Attack them for "tentative d'intimidation", and another one with Libel (atteinte a l'honneur)
3/ ???
4/ Profit!
<cynicism>
I have no sympathy for terrorists. I'm glad this company is protecting us.
<cynicism>
My Greasemonkey scripts for Digg &
I believe Rice's Theorem only applies if your computational model allows for infinite storage (or something equivalent).
:)
Computers don't have infinite storage, so you could theoretically map out all possible states that a computer could be in and get a proof of termination (or any other property) that way.
Obviously this isn't practical by any means, but that's no excuse for being imprecise.
HAND.
Mon conseil:
- marrie toi a une americaine
- prends la citoyennete US
- ne retourne jamais en France
(ou la meme chose avec une Canadienne si tu aimes la neige).
there's no place like ~
Your rights may become even far less, if the EU gets away with it's latest round of internet-despotism.
...
... organized by BxLug
Soon, scientists and others all over europe may become sued when exposing flaws or reverse-engineering stuff. I therefor urge everyone to react, and this is how:
*PLEASE HELP TO WIDESPREAD*
14-15 April 2004 : Brussels is the Hub to go
Conferences and LUG in Brussels European Parliament Chaired by Dany Cohn-Bendit MEP
http://plone.ffii.org/events/2004/bxl04
http://www.greens-efa.org/agenda
http://laurence.domainepublic.net
Most legal frame related to new technologies is cooked up at Brussels. To get a feet into European Parliament's door and show that you care right before the election. Its future Members will decide on the patentability of software, on data privacy issues, TPRM, and so on), join an install party within parliament (and bring your favourite MEP with you), attend a panel with eg Alan COX, Georg GREVE, Jon Lech JOHANSEN (of decss fame), participate in a guided tour through brussels (anti-swpats "demo"), meet LUGs and programming rights groups from all over the place, and some chaotic nerds of FFII. A Wiki DSL connection will be available.
On 14 April evening, there will be a diner/party at restaurant La Tentation, in the center of Brussels. http://plone.ffii.org/events/2004 (also to book you hotel).
Entrance is free however to access the building you have to register online before 7 April http://www.greens-efa.org/agenda
Contact : lvandewalle@europarl.eu.int
euroG/LUGparty
Brussels European Parliament room ASP 1G2
15 April 2004
The Greens in European parliament invite representatives of GNU/Linux Users Groups of the 25 Member States of the European Union to come to Brussels to
- enhance the networking among the free software community in Europe(in particular with the New Member states)
- prepare the second reading on the software patents directive
- show inside EP what free software is, how it works and what ideas lie behind
- participate to the FFII conference and demo against software patents on 14 April
Programme and registration on http://www.greens-efa.org
lvandewalle@europarl.eu.int
PROGRAMME
9.00-11.00 25 G/LUGs for a Free Europe
Gathering European GNU/Linux Users Groups and associations for the promotion of free software : BxLUG - Belgium, RWO - Plug - Poland, Vrijschrift - The Netherlands, LiLux - Luxemburg, FFS Software - Austria, APRIL - HNS-info.net - France, GUUG - Germany, SSLUG - Sweden&Denmark, LUGOS - Slovenia, Debian - Latvia, AKL - Lithuania, LugRoma - Italy, Grece, Cyprus, Finland, Estonia,
11.00-12.30 Linux Install Party for MEps with Monica Frassoni Dany Cohn-Bendit, Hiltrud Breyer, Bart Staes,
15.00 PANEL I: FAIR USE/COPIE PRIVEE
Gwen Hinze(Electronic Fronteer Foundation), Laurence Lebersorg(Test-Achat Belgium), Jon Lech Johansen(DVD-Jon)
16.00 PANEL II: FREE/OPEN SOURCE SOFTWARE
Cristiano Paggetti(Italy): eGovernment,Andrea Glorioso (Italy) : Free Content, Herman Bruynickx(Belgium): Free software in education, Jens Muhlhaus(Germany): Public administration: Linux fur Munchen
17.00 PANEL III : FREE AS IN FREEDOM
Georg Greve, FSF Europe (Germany) Agenda 1910
17.30 Alan Cox www.linux.org.uk co-signatory of the letter sent by Linus Torvalds to the President of EP against software patents(UK)
--- "To pee or not to pee, that is the question." ---
I've mentioned it, over and over on various fora since 9/11: anti-terrorist laws were not written to prosecute terrorists.
All over the world, these travesties are now in place. For "evil to succeed", now all that is required is to redefine "terrorism". And we're well on the way for that: now reverse engineering is "terrorism". A marijuana smoker is a terrorist. Someone who criticizes the American government, like Bill Maher, can be advised to "watch what he says". Eventually EVERY infraction can be redefined as terrorism. The ground's the limit.
For the life of me, I cannot see the difference between the Red Nightmare so feared for the last century by the Right, and what the Right is building for us now. Besides a lot of wealthy people and the option to own your own property, what is the real difference between the old Soviet empire and the Brave New World being built by our new jailors?
What we're witnessing is a anti-civil rights movement across the world. The various governments and police/military/spy boys are in the middle of building a new system of law only tangentally related to English common law and the American constitution. They are creating a new world of harsh law unbounded by the rights of man. Altho as many have noticed, corporations aren't men, and aren't bound by any of these new paradigms.
I don't have to even bother finding examples anymore. It's happening every day. Faster and faster, impossible to monitor because it's happening too fast for a single human mind to keep track of it all.
The "terrorism" war is a crock. They aren't using these spiffy new un-laws to capture bombers and the other usual stereotypes. They're using them against US.
stop going through the wrong chain of command with these issues.
First you take it to the company. And if they won't listen you take it to the authorities and they can decide if the company is defrauding their clients with false promises and whatnot. And if they won't listen you throw your hands up in the air and unless you know a company personally who uses the software you just let it go.
Making it public information just makes the danger to the companies very real and very much now which in fact punishes them by not giving them time to deal with the issue.
Unless you have a feasible immidiate solution to go with your findings all you're doing is sabatosing a lot of innocent companies who had no way to know and you've just tied their hands behind their backs and made them sitting ducks. Companies cannot just shut down software at a moments notice.
And here's a nutty idea, if you're really obsessed with finding holes in a certain company's software seek a job. The obvious problem is that you're a problem person. You find problems and that's it. That doesn't help anybody. And when you then blackmail people with this information by going public if they don't deal with it, no duh you're going to get in trouble.
If you're sincere about helping the company you find the problems, find the best solutions you can with the information you have and then go to the company and explain the situation and tell them you'd like to help and know how to fix the problems but need access to the source to do so. You then request a job as a programmer and get to work if they hire you. If they don't hire you, you leave them with your findings and move on.
If you ever, in the process of these discussions, even hint at going public it's called blackmail and you'll rightfully be thrown in jail. Give one copy of your findings to the company and one copy to the proper authorities. That's it.
By pressing the issue you assume you have some kind of right to tell the company what to do. You also assume that the company isn't working on the issue. And you also assume that the company owes you some kind of update on the status of the issue. Which are all three very wrong assumptions unless you actually work for the company and are in an upper position. By going public you've basically forced the company into a bad position because they didn't act in a time frame you thought was fast enough. You don't have a right to do that. DMCA or not.
If you don't have a feasible immediate solution to go with the problems you've found going public is just hurting everyone and helping no one.
If this is something you like to do, you should have gotten a job so that you'd be recognized as a legitimate software security expert that companies can hire for testing their software. But now you've kinda screwed yourself because nobody can trust you to work within the system. Your mouth is too big for the job.
You've made yourself singularly responsible for anything bad that happens because of your findings. Instead of an "I told you so" you would have earned by going through the proper channels you earned an "it's your fault." Because you assumed anyone could have found and exploited the problem and now they can.
Let the bad guys go public. If you have no solution and you go public without permission, you are the bad guy. With Open Source you have all the permission in the world to report hacks without posting solutions. Work on Open Source if you can't stand keeping secrets.
Ben
Work Safe Porn
> marrie toi a une americaine
I thought you were trying to make this guy feel better?
What's he going to do, chance his place of birth to "Freedom"?
Norman Cook's Ode to Sl
Becoming an American citizen won't help you. We have this nasty piece of merde called DMCA that provides for hefty fines. A company that doesn't like you can point to DMCA as a vehicle to charge you under.
I agree with the previous poster, a good offense is the best defense. Hit them hard in the court of public opinion, and if it is indeed true that you cannot punish someone in France for telling the truth, then by all means, hammer away.
Bien vu tout ca!
Is "Arte", channel 5 still around? I'd definitely give these guys a call. While their audience is prolly a small fraction of France 3's, they're usually an educated audience. They like doing documentaries, seek out truth and present things as they are. i couldn't find any direct contact information beside this mailing address:
I'd do whois arte-tv.com and send an email to the contact info on there, you never know.
Bon courage vieux! Fous-leurs une grosse bite au cul de ma part, avec mes remerciments ;]
Extraordinary Vacations. Exceptional Prices
The ironic thing is that if he had told the company before he released the exploit, they could probably have been able to charge him with the French equivalent of Blackmail.
It kind of brings a whole new meaning to the saying, "you're damned if you do and damned if you don't."
..the loser in the next world war has to keep France.
Hey - maybe we say the French gubmnet is supporting al Quida and use this as an excuse to invade and set up a puppet government.
Wait. Nevermind. I guess we can see it already has one.
Cruising the internet on my TI-99/4A @ a whopping 300 baud!
See the American Jury Institue/FIJA page for more info. We need juries that also decide whether the laws are valid, not just whether they were broken. That is the whole reason we have juries and not 'Star Chambers.'
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
My council (advice):
:) And why the US? With the DMCA, isn't that going from the frying pan into the fire?
- Marry to an American (woman, -in postfix like in German?)
Correct.
- Pretend you're a citizen of the US
I think: Get the US nationality.
- Never return to France again
Correct
Though I have no clue what the last one means, apart from mentioning "with a Canadian". Any better translators than me?
"Or the same thing with a Canadian, if you like the snow."
This sig under construction. Please check back later.
I haven't spoken French since High School, but I think this is doable:
My advice:
- Marry an American girl.
- Acquire a US citizenship.
- Never return to France
Or do the same thing with a Canadian girl if you like snow.
This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.
Even if he did break the DMCA, he was charged in France.
The US is not the World.
Justice is supposed to be blind, but not the judges. I think that is the single biggest problem we face with existing computer crime legislation - neither the legislators nor the judges understand what it is that the law is actually saying.
BTW, I really enjoyed your steganography articles. It's comforting to realize just how difficult it is to implement stego correctly. It really puts mainstream media hand-waving about terrorist use of steganography into perspective.
---- Just another spud server.
Because we all know this could never have happened in the U.S.
-- Repeat with me: "There is no right to profits".
I read his originial analysis (in french) of this antivirus software which, according to him, prompted the charges of "counterfeiting". This article contains a description of the software, a section about "exploits" (you will agree about my question marks in a minute), a section where he demonstrates false positives, a test against a couple of known viruses, a short section about 2 points he liked about the software, then a list of detailed suggestions to improve the product, and finally an epilogue on the response from the company.
Probably didn't like the first suggestion for improvement "First of all: stop making believe that Viguard can do miracles." (The other suggestions are completely technical.) But let's focus on section 2, containing the 6 "exploits":
-
2.2 Deactivating Viguard by simulating the mouse-clicks with which a human would deactivate it
- 2.3 Just use TerminateProcess() (the windows equivalent of kill -9 if I understand correctly)
- 2.4 Add the md5sum of the trojan to an (unencrypted) whitelist of md5sums maintained by Viguard
- 2.5 In each directory, Viguard maintains a file "certify.bvd" which lists all known-good executables in this directory, "encrypted" by a XOR with a fixed key. So a virus just has to install itself in a new directory along with the appropriate certify.bvd file.
- 2.6 "For a good laugh": Rename a virus from
.exe to .bat
- 2.7 Almost the same as 2.5.
All completely trivial. The only thing that comes close to the counterfeiting charges is that he offered programs for download that decrypt the configuration file and the certify.bvd files (both "encrypted" by XOR with a constant and short byte sequence).A few years ago, Serge Humpich discovered a flaw in the French smart-card payment system, and proved that it was possible to get money from an ATM with a false card ; he never earned money with it and just showed journalists he could get money, and gave it back.
Banks sued him, and won: 10 months jails (deferred), about 4000 euros to pay (amends+banks' laywers fee). Technically, he was guilty of "unallowed access to a computer system". Banks have denied that the flaw existed but changed their system ; it didn't prevent many false cards to appear in the following years. Disgusted, Humpich wrote a book ('Le Cerveau Bleu').
Although similar, I hope it won't finish the same way. Guillermito didn't crack any computer, so the Humpich precedent does not apply. The European version of the DMCA is not yet voted in France (it won't last), and copyright infringment claims are stupid. But America does not have the monopoly of technically illiterate judges, and he influence of good lawyers, as was already shown in his case. The "terrorist" accusation should be enough to sue ("diffamation"). Ironically, cryptography and stenography are supposed to be terrorists' tools!
I'd say he should contact "60 millions de consommateurs" and "UFC-Que Choisir", two powerful consumer organizations.
Christophe (Don't hesitate to point out my spelling and grammar mistakes, I want to learn - Thanks).
Here, read it in french (his native language) and see if it flows better.
His English spelling and grammar are significantly better than my French spelling and grammar. You did notice that he is French, didn't you?
flossie
Write now. Defend liberty
is a link to the actual text of the indictment anywhere? without it we won't know exactly what the claims are, and only have his version of the story to go on.
The NZ government has gone out of their way to try and destroy my life since I publicized the risks associated with home-built cruise missiles.
:-(
I still have my missile (largely due to the fact that a network of friends have stored it safely in such a way that I can honestly say "I have no idea where it is") and had considered taking it on a tour of the country so that people could actually see what I've been talking about.
My lawyer advises me however, that to do so would almost certainly result in a very severe prison term. After all, they've already broken the law in respect to the actions they've taken against me so they've proven that, as far as they're concerned, the ends justifies the means.
He's strongly of the opinion that the government is just itching for an excuse to throw me in jail on some trumped-up terrorism charge because I've become such a thorn in their side.
In this country It's not illegal to build a cruise missile, and it's not even illegal to own one, nor is it illegal to transport one -- but, as a criminal lawyer of long standing he made it quite clear to me that under the new anti-terrorism laws we now live in a police state and that the government can do whatever it wants to who-ever it wants to -- by simply accusing them of terrorist activities.
In the case of my tour, they'd likely accuse me of moving the missile as the precursor to a terrorist action.
It wouldn't matter whether they were able to win such a trumped-up case, because here in NZ (as in the USA), people accused of such things seem to spend inordinately long periods of time in jail just waiting for their case to come to court. We have a guy here who's been in prison for 16 months already and, even though our High Court ruled just the other day that the head of our Security Inteligence Service had shown bias against the guy and has had to resign -- the imprisoned "suspect" is still having to wait at least another 6 months for his day in court.
It makes no difference apparently, that I've always been totally open in my activities and the reasoning behind them, and was planning to have a media contingent on my little tour. I don't recall any *real* terrorists inviting the media along on one of their attacks or offering to share all their information with the government.
I don't know whether I should really angry that governments have used the war against terror to give themselves such draconian powers, or if I should feel sad that the public are allowing them to do this without even a whimper.
I suspect that we will eventually regard these days as a dark period in the world's history -- not because of terrorist activities, but because so many people gave up so many freedoms so easily.
P.T. Barnum was right I'm afraid
The creation of an unauthorised copy of a copyrighted work, in French law, is a form of counterfeiting ("you are creating illegitimate goods"). This just means he's indicted for a copyright violation and an attempt to conceal that he (allegedly) did.
Tough time for the guy. I hope he did things the right way (ie. that the allegations are proven false or falling within fair use), and has enough juice in the bank to countersue and prevail for his costs.
I Television also has a pretty good local coverage, but less audience than France 3. I'd also suggest writing to Le Canard Enchaine, which has a dedicated column for this kind of stories ("Couac").
I'm not as optimistic as the previous poster, remember what happened to Serge Humpich. This guy found a way to crack the so-called most secure bank card system in the world (french Carte Bleue). He then contacted the system's proprietor (GIE Cartes Bancaires), offering help (not freely, alas for him) to fix the system thanks to his expertise, and as a demonstration bought a handful of metro tickets. He was indicted, temporarily jailed and found guilty of fraud, falsification and unauthorized access to an automated system. During the trial GIE kept on claiming that their system was unbreakable, yet some time later the first "Yes-cards" appeared on the black market and cracking info spread on the Net. Had the GIE taken Humpich seriously, no yes-cards could have been produced and no businesses harmed (usually small ones such as automated video cassette rental).
Merde pour la suite (frenchmen never wish good luck)
" The first comment recommended hiding from his accusers instead of fighting them."
Actually, he recommended going to America, finding an American, (or Canadian - if you like snow) girlfriend, and marrying her for the citizenship so you could live there. It was funny.
"The second post agreed, and bemoaned the sad state that France is in these days, and how much nicer of a place to live the USA is."
Nope (or are you trying to be funny?). The second poster asked him why he would want to live in the USA when everyone in the world detests its citizens, when it has a government with a president that caters to rich people and their companies, etc., etc... He then said it was better to go to Canada, which is a thousand times more sensible than the USA. (I'm paraphrasing here, since my French isn't so good these days.)
"Anyone that has ever gotten an idea based on any of my work and done something better with it-good for you."--J.Carmack
"Arte" ... They like doing documentaries, seek out truth and present things as they are.
:)
This is the same station that did the documentary about how Stanley Kubrick faked the moon landings for the Americans... screened here on April 1 a couple of years back, and from that link looks like they'll be playing it again very soon.
deus does not exist but if he does
It's quite interesting to discover, from the inside, how the french justice system works. I'm back from Paris. I've just been indicted and charged of distributing programs that violated Intellectual Property rights (literally translated, it's "counterfeiting and concealment of counterfeiting"). Maximum punishment for these charges are two years in jail and a fine of 150.000 euros. I'm not yet judged guilty or innocent, but I already had to pay around two or three thousands dollars for two trips to Paris (I live in Boston, MA, USA), plane tickets, and lawyer fees. I already talked about my story here (in french).
That's the way justice systems work in general: if someone accuses you of a crime and makes what looks like a reasonable case to the police, it ends up costing you money. Welcome to the real world. Life sucks sometimes.
If it's a civil complaint, in some countries, the people sueing you may have to pay your expenses if they lose, but that's also not exactly a blessing--it also means that if you have a complaint against someone else, you may end up paying them a lot of money if you lose--a strong disincentive to enforcing your rights when you have been wronged.
In Europe, many people have private legal insurance, which will pay for legal fees and lawyers when you get sued; something like that might cover this case. Many people who work professionally in some field also get professional insurance, which also often covers them against lawsuits. So, the short answer is: in order to avoid getting bankrupted by frivolous legal claims, people insure themselves.
If you have been falsely accused, your accuser may have committed a criminal offense themselves and you may also be able to recover damages in civil court. However, in a case like this, that may be too hard to prove even if it is obvious to you and me.
If independant researchers cannot analyse security softwares and publish their discoveries, final users will just have marketing press releases from editors to assess the quality of a sofware. Unfortunately, it seems that we are heading to this kind of world in France and maybe in Europe.
No, it just means you have to go about exposing their product differently. Publish an article in a respected publication. Then, they'd have to take on the publisher.
Or file a complaint against them for false advertising. That could be either a complaint to an organization like the Better Business Bureau (or the French equivalent), or an legal complaint.
It may still be worth filing a counter-complaint at this point. You need to talk to a lawyer about that.