Hacker Indicted In France For Publishing Exploits
Guillermito writes "Hello. I'm a French scientist living in Boston. I analyse small security software under Windows as a hobby, for fun and curiosity. For example, I showed how to easily extract hidden information from a dozen steganography programs, often commercial programs claiming a very high security level. I did the same with a French generic anti-virus, showing several security flaws, and that it didn't stop '100% of known and unknown viruses' as claimed. First the company called me a 'terrorist,' then sued me. I've just been indicted last week in Paris. It seems that it's a general trend in France, and maybe in Europe, these days."
Now you get to search for holes in the French jail system. Find a big enough one and you're free!
What does stenography have to do with software? Didn't they become extinct millions of years ago?
There is no faster way to make enemies than to point out someone's stupidity, and then prove it publicly. But I am on your side. Companies that market security products that aren't are committing fraud, IMO. And I'd rather have you publish the vulnerability than someone else publish the automated exploit.
Fred
"A fool and his freedom are soon parted"
-RMS
I'm glad to see that the EU has broken the U.S. monopoly on wacky, mindless computer lawsuits!
I sure am glad I live here in the USA where my right to expose the weaknesses of corporate products is enshrined in our beloved Constitut...
Hold on, there's a SWAT team banging on my door.
I'd better go let them know that they must have the wrong house.
You are in error. No-one is screaming. Thank you for your cooperation.
To move to a sane country. Are there any left?
Mix the failings of Usenet with the shortcomings of the World Wide Web and the result is slashdot.
I'll admit right away that I'm not familiar with France's free speech laws.
But from a common sense point of view, I really don't see how telling the truth about weak software can be illegal. It may lead to damage to a company, but that damage was caused by the security holes, not by someone exposing them (hidden defects are a ticking time bomb anyway).
From the common sense view point, it also seems right to inform the company first, before telling everybody. But telling the truth should not be illegal.
Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
If they publicly called you a terrorist in writing without sufficient evidence, can't you sue their berets off for libel?
"You know Myra, some people might think you're cute. But me, I think you're one very large baked potato."
We sue first, and then we call you a terrorist.
"It's dangerous to be right when the government is wrong".
This is a case in point. The author may be in the right, but we are living in hysterical times, and woe unto the man who walks in front of the governmental steam roller with a team of jackasses and corrupt, ignorant politicians at the wheel.
Mod down people who tell people how to mod in their sigs
Now, if Microsoft is forced to release the Windows source because of the EU, does this mean anyone who points out vulnerabilities will get sued too?
Seems like a strange way to thank someone for helping them. It's like beating someone to death with a tire-iron because they told you your tire is flat.
Dunno if they can help with French courts, but it's probably worth it to at least bring it to their attention:
www.eff.org
-gary
It looks like looking for security flaws is increasingly seen as an illegal action by both companies and governments.
Would I be sued if I told a company manufacturing bicycles that their products are not solid enough, and therefore can be dangerous? Probably not.
It will soon be forbidden to even talk about flaws. As a French citizen I feel very sad about it...
Sure, it can be said that publishing an exploit will encourage a hacker to take advantage of said exploit, but not publishing and letting it remain a secret is no guarantee that someone is not exploiting that same exploit. In fact, I'm willing to bet that some 3v1| H4x0r would eventually find it anyway. But I would rather know that it exists so that I may act, since, in my experience, software companies are slow to react and try to hide or downplay flaws.
Security solely by obscurity doesn't work.
On the flip side, if the door to my house was wide open, I wouldn't want anybody yelling hey your door is wide open (to the world) without allowing me to fix it.
IMO it boils down to common sense, and in this case I think that it is a beneficial thing to publish that sort of information. An even better route would be to alert the software makers first, and give them a 'short' time to release a patch. But only a very short time.
I would strenuously advise you *NOT* to discuss your legal situation or case with anyone but your lawyer.
I'm aware you're French, and likely will be prosecuted in France, however, it's generally the case that any public statements you make can and will be used against you in court, thus, I would advise that you seek professional legal counsel and stop publicly discussing your upcoming case. It can (and usually does) limit the variety of strategies that your lawyer can use to defend you.
I'm sure I'll get burned at the stake for this, but what the heck...
How many sides of this story do we have? Hmm, just this guy's side. Interesting.
Did he make any effort to alert the creators of the software before he published the info? Not that I could tell from the linked info. It sounds like he just posted it on his web page and published it in a crackers' magazine and let the chips fall where they may. Not exactly responsible activism.
What exactly *is* the law regarding this in France? Here in the States we have the DMCA. It's a terrible law, but we all know what we're getting into if we break it. That's what civil disobedience is all about, isn't it? I seem to recall that Europe has similar laws on the books.
I'm sorry, but with the info we've been given this sounds a little like "I did something naughty and I got caught and now I might get PUNISHED! Oh poor me!"
All kneejerk reactions aside, maybe there's more to this situation than we've been given.
The court of Slashdot seems to be siding against the French judicial system, but shouldn't we hear their side of the story first? I'm not saying this guy is lying - just that there are two sides to every story.
1/ Call France 3, TF1 if you can.
TF1 certainly won't give a damn, but France 3 has a local news agency that is capable of nicely covering your story.
2/ Attack the company for "Publicite mensongere" (you Grammar Nazis translate for yourselves, the guy is French...), bringing with you the proofs you dug up.
2bis/ Attack them for "tentative d'intimidation", and another one for libel (atteinte a l'honneur).
The libel one will only bring you 1 Euro (the official price for honor).
3/ Include the Paris Chamber of Commerce, 60 millions de Consommateurs, and probably one or two IT newspapers (01 Informatique, Le Monde Informatique), and write to the Minister of Justice (Sarkozy is out of Interior, and he won't care anyhow).
60 Millions de Consommateurs is very possibly the best first to call, as they are very touchy on such issues, and help people defend their case.
Just doing the counter attack on "Publicite mensongere" to the responsible organisation will be a frightening step for Tengram...
Also, publishing your discoveries on CERT and all other security sites (French and international) will be a de facto victory.
Also, have the court ask for an independent expert to verify your findings... In France, there is a law against punishing people that just said the truth...
If you really want to be vicious, take a look at their webpage, check all their "reference customers" and have them see your papers and security holes... If one of their customers is a French Governmental Agency, they can be in for a very hard time... Lying to the French Administration, and putting their security under threat through inefficiency, can bring them a lot more problems than you can think.
So, this is just the top of my head ideas, but I hope it will help you...
In such cases, the better defense is offense...
Good luck, courage, and don't let them push you around!!!!
It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
My only question is, aside from application of the DMCA in the U.S., how is this kind of information any different from say, Consumer Reports? Those guys go out of their way to break cars, appliances, and other consumer products.
My advice:
- marry an American woman
- take US citizenship
- never go back to France
(or the same thing with a Canadian woman if you like snow).
there's no place like ~
I've mentioned it, over and over on various fora since 9/11: anti-terrorist laws were not written to prosecute terrorists.
All over the world, these travesties are now in place. For "evil to succeed", now all that is required is to redefine "terrorism". And we're well on the way for that: now reverse engineering is "terrorism". A marijuana smoker is a terrorist. Someone who criticizes the American government, like Bill Maher, can be advised to "watch what he says". Eventually EVERY infraction can be redefined as terrorism. The ground's the limit.
For the life of me, I cannot see the difference between the Red Nightmare so feared for the last century by the Right, and what the Right is building for us now. Besides a lot of wealthy people and the option to own your own property, what is the real difference between the old Soviet empire and the Brave New World being built by our new jailors?
What we're witnessing is an anti-civil rights movement across the world. The various governments and police/military/spy boys are in the middle of building a new system of law only tangentially related to English common law and the American constitution. They are creating a new world of harsh law unbounded by the rights of man. Although as many have noticed, corporations aren't men, and aren't bound by any of these new paradigms.
I don't have to even bother finding examples anymore. It's happening every day. Faster and faster, impossible to monitor because it's happening too fast for a single human mind to keep track of it all.
The "terrorism" war is a crock. They aren't using these spiffy new un-laws to capture bombers and the other usual stereotypes. They're using them against US.
Stop going through the wrong chain of command with these issues.
First you take it to the company. And if they won't listen you take it to the authorities and they can decide if the company is defrauding their clients with false promises and whatnot. And if they won't listen you throw your hands up in the air and unless you know a company personally who uses the software you just let it go.
Making it public information just makes the danger to the companies very real and very much now which in fact punishes them by not giving them time to deal with the issue.
Unless you have a feasible immediate solution to go with your findings, all you're doing is sabotaging a lot of innocent companies who had no way to know, and you've just tied their hands behind their backs and made them sitting ducks. Companies cannot just shut down software at a moment's notice.
And here's a nutty idea, if you're really obsessed with finding holes in a certain company's software seek a job. The obvious problem is that you're a problem person. You find problems and that's it. That doesn't help anybody. And when you then blackmail people with this information by going public if they don't deal with it, no duh you're going to get in trouble.
If you're sincere about helping the company you find the problems, find the best solutions you can with the information you have and then go to the company and explain the situation and tell them you'd like to help and know how to fix the problems but need access to the source to do so. You then request a job as a programmer and get to work if they hire you. If they don't hire you, you leave them with your findings and move on.
If you ever, in the process of these discussions, even hint at going public it's called blackmail and you'll rightfully be thrown in jail. Give one copy of your findings to the company and one copy to the proper authorities. That's it.
By pressing the issue you assume you have some kind of right to tell the company what to do. You also assume that the company isn't working on the issue. And you also assume that the company owes you some kind of update on the status of the issue. Which are all three very wrong assumptions unless you actually work for the company and are in an upper position. By going public you've basically forced the company into a bad position because they didn't act in a time frame you thought was fast enough. You don't have a right to do that. DMCA or not.
If you don't have a feasible immediate solution to go with the problems you've found going public is just hurting everyone and helping no one.
If this is something you like to do, you should have gotten a job so that you'd be recognized as a legitimate software security expert that companies can hire for testing their software. But now you've kinda screwed yourself because nobody can trust you to work within the system. Your mouth is too big for the job.
You've made yourself singularly responsible for anything bad that happens because of your findings. Instead of an "I told you so" you would have earned by going through the proper channels you earned an "it's your fault." Because you assumed anyone could have found and exploited the problem and now they can.
Let the bad guys go public. If you have no solution and you go public without permission, you are the bad guy. With Open Source you have all the permission in the world to report hacks without posting solutions. Work on Open Source if you can't stand keeping secrets.
Ben
Work Safe Porn
A few years ago, Serge Humpich discovered a flaw in the French smart-card payment system, and proved that it was possible to get money from an ATM with a false card; he never earned money with it and just showed journalists he could get money, and gave it back.
Banks sued him, and won: 10 months in jail (deferred), about 4000 euros to pay (fines + banks' lawyers' fees). Technically, he was guilty of "unallowed access to a computer system". Banks have denied that the flaw existed but changed their system; it didn't prevent many false cards from appearing in the following years. Disgusted, Humpich wrote a book ('Le Cerveau Bleu').
Although similar, I hope it won't finish the same way. Guillermito didn't crack any computer, so the Humpich precedent does not apply. The European version of the DMCA is not yet voted in France (it won't last), and copyright infringement claims are stupid. But America does not have the monopoly of technically illiterate judges, and the influence of good lawyers, as was already shown in his case. The "terrorist" accusation should be enough to sue ("diffamation"). Ironically, cryptography and steganography are supposed to be terrorists' tools!
I'd say he should contact "60 millions de consommateurs" and "UFC-Que Choisir", two powerful consumer organizations.
Christophe (Don't hesitate to point out my spelling and grammar mistakes, I want to learn - Thanks).