Security Researcher Faces Jail For Finding Bugs
An anonymous reader writes "French security researcher Guillaume Tena, who is working at Harvard University, faces 4 months in prison after being sued by Tegam for reverse engineering its Viguard antivirus software and publishing exploit codes for a number of vulnerabilities. According to a ZDNet article, he could also be sued by Tegam for 900,000 euros in damages. More details are available (in french) on Guillaume's website and on the K-OTik's website."
And now we have people getting arrested for pointing out someone else's mistake...
When did greed become more important than helping someone?
...can you do that?
Geez, if he'd helped a murderous dictator build nuclear reactors they'd probably elect him president....
This was definitely unfair and uncalled for if his intention was to notify the company of their product's defects, or if he already did but got no response. On the other hand, if he only wanted to hinder the company, he is at fault. But even then, he's got a pretty harsh reprimand.
...when they discover the next Internet Exploder 6 SP2 hole?
A free trip to Redmond?
Saskboy's blog is good. 9 out of 10 dentists agree.
I would have thought not -- but seeing how easy AAA can get in my car, I think that's how most physical security works.
Will the little Dutch boy be executed for sticking his finger in the dike?
Most physical security (house locks, car locks, office building locks) is indeed "security through harsh penalties", where the locks are really not much more than an advisory symbol saying "don't do this".
I don't see any problem with reverse engineering the software, but if he is going to post exploits, he should be sued or at least warned. If someone did that with a program I wrote, I would see it as a threat or someone just trying to show off.
That's like being sent to prison because you found out why Goodyear tires blew out*!!!!!!!! *That is, of course, assuming you showed everyone else how to blow out everyone else's tires too.
"A man is but the product of his thoughts what he thinks, he becomes." -Mahatma Gandhi
Reverse Engineering isn't illegal, certainly finding that "Unlike the advertising claimed, this software didn't detect and stop '100 percent of viruses'" isn't illegal, surely it should be lauded.
The company had two options. Take on board the issues and fix them, or get in a hissy fit. They got in a hissy fit. Well done. Instead of responding to issues that software does have in an adult manner, they've just made themselves look petty and bad.
So? Are you implying that hacker has a negative connotation?
He's a security researcher for Harvard, not some script kiddie breaking into systems to improve his botnet.
Slashdot: You will never find a more wretched hive of spam and zealotry. We must be cautious.
Same with the jerks breaking WEP keys - of course you can do it technically - but that doesn't mean you should.
Just to stave off any rants, this was not US law, a US court, or a US company. He happens to be working "at Harvard" now, but this matter has apparently been taken up in France.
To agree to the terms of a binding agreement with the intent of breaking it is and should be illegal.
If he got a hold of the software and agreed to the terms of a EULA that specifically forbids reverse-engineering, then he violated a contract.
He has the freedom not to use the software if he doesn't like the EULA. Just like we have the freedom not to buy software if we don't like the license.
Don't like the license? Stay away from the software or see if you can get a special license by contacting the vendor. Plain and simple.
And I thought European courts were a little less boneheaded?
ELOI, ELOI, LAMA SABACHTHANI!?
All those "Researchers" trying to cure AIDS are hackers? Since when?
And you will be....
He was only trying to help. So many people today are blinded by money, that they forget to see people helping them out, and helping try to make programs more secure.
making a broad generalization = idiot
This is almost as bad as what the NYT did to Adrian Lamo, getting people in shit for trying to help them. What is this world coming to?
If he were just researching the security of the program, then it would be unreasonable for the company to complain. However, he took a security program and published a list of exploits. He puts a lot of innocent users in unsafe positions by doing that. It seems reasonable to sue him, from that perspective.
I absolutely hate this backwards shit. Software engineers and governments and everyone just best get used to the fact that people are going to reverse engineer everything they can. Until they get used to it, lawmaking is just going to go overboard, stifling development and competition.
And I believe the proper response to pointing out an error in your system is "Thank You."
Ignorance kills, complacency kills, hatred kills, but usually not the ones guilty of them.
well, when viguard is advertised with clauses like this: "Hundreds of thousands of workstations protected by VIGUARD have never been infected by viruses without a single signature update!"
showing bugs from their product shouldn't be illegal, hell, viguard should be the fuckers to sue (only way i can figure out that their product really works is that it stops just about fucking everything from working - otherwise, how can you possibly detect an ftp server from a trojanised one?).
besides.. being a 'hacker' shouldn't be illegal, doing nasty things with those hacks should.
world was created 5 seconds before this post as it is.
Now I'm waiting for when Microsoft attacks Secunia or some other company. I can't think of anything more stupid than this; if someone pointed out failures in my software I would be thanking the guy.
"To use an analogy, it's a little bit as if Ford was selling cars with defective brakes. If I realised that there was a problem, opened the hood and took a few pictures to prove it, and published everything on my Web site. Then Ford could file a complaint against me," added Tena.
Well, you see, with a physical object like a car, minor variances in materials and manufacturing can lead to random defects showing up in any specific vehicle.
With software, unless the media it came on is damaged, it is unlikely that the version that you bought is different from the others sitting next to it on the shelf. Binary copies are exact copies.
The analogy also doesn't hold because it isn't like "opening the hood" (though I wonder why you'd open the hood to inspect the brakes, but I digress) and taking a look. It is more like he hooked up wires to the control box and did a packet scan on the computer signals in the computer.
If these people would just stop "researching" their "security", then maybe I wouldn't have to keep spending time patching and rebooting all these Windows servers. It seems like every time there's a bug it's discovered by some "security researcher" and then I have to patch and reboot again. It's clear who is the cause of the problem, hopefully with 1 less of them out on the streets things will calm down a little.
Stories like this are just the Slashdot editors' way of warning us to shut up already about the Firefox rendering errors on this site. 8^)
Crumb's Corollary: Never bring a knife to a bun fight.
Yes. However, it is also true that we live in a society under the rule of law. You really ought to look up what "rule of law" really means if you don't understand the implications of it yet.
Actually, companies usually don't take any different stance when they're notified of their bugs before public disclosure. But at least that gives them the chance. So when published, the disclosure leaves them no recourse to this diseased retaliation; they are more pressured to fix it instead of making matters worse by killing the messenger. In this case, the messenger (apparently) made matters worse, by disclosing publicly (including to bad guys) before giving the company a chance to fix the problem. That is a crucial distinction between his somewhat reckless actions and those of other whistleblowers. Integrity demands reporting to the people who can fix the problem first. Even if they do fix it, the vulnerabilities can be published later, to embarrass the company out of doing it again amidst even worse publicity. If they don't fix it quick, of course publishing is an option to force them. Unfortunately, I doubt the "group mind" of our media will make the distinction, and we'll all get polarized over the oversimplification of whether or not disclosure is ever appropriate without permission of the malware copyright holders.
--
make install -not war
...will the US extradite him given our decreasing friendly relations with France?
Tobacco companies are now suing medical research facilities............phockin' pikers....
was take what he knew about the exploit and write+release a patch for it. Seems a bit more reasonable than giving crackers an extra target to shoot at.
I doubt that this will be held up in a higher court. I'd be very surprised if it did, but then again it is surprising that this case has gotten so far in the first place.
Maybe somebody who knows French laws and the French constitution could comment on this? Is science and academic freedom protected in the French constitution (as in the German)? If so shouldn't this trump any intellectual property rights?
Just because it's law, doesn't mean it's morally correct!
Corporation = Ogre
Law = large club
Ralph Nader should have been sued for publishing information on verifiable safety problems and inaccurate odometers in automobiles. Ditto for the one who first broke the story about a certain brand of tire failing on a certain manufacturer's SUVs, causing death and injury.
My rights don't need management.
It doesn't really matter if he works at Harvard or not. As long as he follows good scientific tradition, where he works or doesn't work doesn't matter.
It is extremely important that research can be carried out without penalties. What if he had found out that a particular type of car was insecure, should he still have been stopped from describing in detail what was wrong? I think not.
God is REAL! Unless explicitly declared INTEGER
How dare G. W. Bush and his Homeland Security cronies lock up a researcher, for just trying to help protect people from these terrible security flaws. When I hear stories like this, I think the U.S. is becoming more and more like Nazi Germany.
Oh, wait? It was in France? Oh, my bad, I guess it was a totally reasonable thing for the French government to do!
If a company makes a product, and I point out a flaw, shouldn't they be offering me a job?
It could've saved the pharmaceutical industry.
fast as fast can be. you'll never catch me.
Depends. Do you take the media scaremongering definition of hacker, which I have to argue is unfortunately the now "common" definition, or the "actual" definition? If you take the latter, then yes, they are hackers.
01101001 01100001 01101101 01101110 01101111 01110100 01100001 01101100 01100001 01110111 01111001 01100101 01110010
It means you can can buy it if you're a violent athlete like OJ and Kobe; but not if you're a student committing the crime of educating the public?
Do you think some research should have bounds? Such as chemical and biological testing on prisoners of war? If you think it should, where should we stop with other research?
In the U.S., you can say anything (well, excluding certain swear words). However, in France, you can get arrested for speaking your mind.
They don't believe in free speech there. Liberte' my ass.
It will all work out. Next time a virus writer gets caught he'll both sue Tegam and have their officer's arrested for reverse engineering his code.
I'm an American. I love this country and the freedoms that we used to have.
They do this all the time. Not having a tradition of Common Law, they fall on the wrong side of this all the time.
Thank God for the First Amendment. For those of you not from the US of A, it guarantees freedom of expression in the most absolute terms. Short of something that incites violence (e.g. "let's kill him") or yelling "fire" in a crowded theater, it is OK. The Pentagon Papers case essentially destroyed "prior restraint" for national security reasons (as practiced in Britain).
Even countries that are supposedly as free as the USA are actually not. Politically incorrect things like "tribe A is stupider than tribe B" will get you put in jail.
I'm reminded of the theme song from "Team America: World Police". Too rude to print here, it would probably get you put in jail in some countries.
Only America could produce someone like "Ol' Dirty Bastard".
http://www.thebricktestament.com/the_law/when_to_
The vulnerability advisory is for the protection of the consumer. It is not to punish the software writer.
.. what happened to our customer database... what does "Hacked by Chinese" mean exactly?!?!?!?
When it comes to vulnerabilities, it is presumptuous to assume that you are the first to discover the bug. We have discovered countless bugs that we've never disclosed to anyone... partly because of fear of this type of retaliation, but mostly due to apathy to the whole mess we call the security industry.
Whether you inform the vendor first or not is really not consequential. Those who are keeping up to date with information will know about the vulnerability when it becomes public in an advisory and can take their own appropriate actions to defend, even if that means take the resource offline until a patch is made available.
An uninformed person will not only miss the advisory, but will likely miss the patch as well.
Also, don't overlook the fact that the vendor is not in control of the information. Since they are not finding the bugs, they are not going to be able to contain the information. This is especially true when "bad" people find and control the information. When a "good" person, IE someone who is sharing the information freely with the public without direct financial gain, decides to donate their time for your benefit, you should respect them and look favorably upon them.
I don't really care either way, but if I had to choose I'd rather see full and immediate disclosure rather than the find a problem, alert the vendor, and sit there policy that companies are forced to endure.
It turns out people really like to keep their heads buried in the sand. If they don't know about a problem, maybe it doesn't exist? Darn
Pit the US courts against the French ones, and see who wins. While I am loath to ever recommend legal action, especially civil, this is one such instance where legal bullying could prove to be societally beneficial.
Feed the need: Digitaladdiction.net
This is fucking absurd. Law makers should look at this very closely: a company SELLS buggy code and whoever discovers and proves it faces jail and ridiculous fine...
The company should be fined and the company executives should be sent to jail for selling shitty code.
The wording seems to imply that he was being sent to prison as a consequence of being sued, but even in France I imagine there's a clear distinction between civil and criminal law. Or have they brought back debtor's prison?
In the U.S., you can say anything (well, excluding certain swear words).
Which one is it? Free or no? Can't have it both ways.
Only if the generalization is false.
Yes, the same rule of law that enslaved certain segments of our population for a time and the same law that keeps people from ingesting chemicals into their body for the "greater good".
Just because it's a law doesn't make it just.
Wouldn't any broad generalization by definition be inherently false?
The company had two options. Take on board the issues and fix them, or get in a hissy fit.
You ever try getting your kids to clean their room?
War is peace and freedom is a bullet proof car
Boffoonery - downloadable Comedy Benefit for Bletchley Park
Instead of replying with a counter-argument, just keep the opinions you don't like under the rug so that no one with default threshold settings will see them!
they've just made themselves look petty and bad
They make themselves look like idiots but they make this guy's life hell while they are doing it. The sad part is, it may not affect their business (lusers won't know about this) but the cost of this lawsuit will haunt him for a long time.
not to mention the chilling precedent. I especially like this quote: "If independent researchers are not allowed to freely publish their findings about security software then users will only have 'marketing press releases' to assess the quality of the software. Unfortunately, it seems that we are heading this way in France and maybe in Europe."
Under the DMCA, reverse engineering IS illegal. Specifically if it is meant to circumvent copy protection schemes, but in practice the "spirit of the law" could easily be presented as banning all reverse engineering of all kinds.
To make things worse, the click-through license usually also states that reverse-engineering is prohibited. The fact that the license's own legal status is iffy is unlikely to hold much sway in court.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
For French readers and lovers of Babelfish, these are two blogs about the case. One is from the defense of Guillermito, and the other from one of the viewers of the trial:
http://maitre.eolas.free.fr/journal/index.php?2005/01/05/37-affaire-guillermito-compte-rendu-daudience
http://bricablog.net/
Ceci n'est pas une signature.
my question is how on earth did he manage to salvage the code from an executable?
He could have also just discreetly mailed the publishers of the software informing them.
Suppose he discovered a defect in a car or some other piece of physical hardware. If that defect were severe enough to kill someone and he did not publish his knowledge of the defect, then could he be held criminally liable and be accused of negligent homicide? Surely the right thing would be to publish the defect and warn the users of the product.
How did software companies get all of these special rules for stuff that doesn't work? If it were a tire or a car or a bridge or a robot, they could never get away with it. But if software doesn't work we are all supposed to just buy the upgrade.
And my guess is, that's exactly what will happen. The company made a mistake by producing flawed software. The researcher didn't make that mistake, only pointed it out.
With these flaw(s) pointed out, the company didn't handle it in a grown-up manner. Instead of fixing the mistake, it focuses on attacking the messenger. Dumb: mistake #2, again made by the company. And it only makes the problem worse.
So customers may drop the product because it's flawed, stay away from the product/company because it's gaining a bad reputation, and because they dislike the company's response to the issue. Either way, all losses are caused by the company's actions, not by the researcher.
Regardless of the outcome, any company that handles software quality in this manner deserves to be dropped like a brick. Let's hope the (financial) fall-out for this company will be big.
If I understand your reference; you can say them, you just can't say them on radio or tv. Not quite the same thing.
How do you put the brake fluid in if you don't open the hood?
I believe Fred Cohen, the father of computer virusology, has shown that detecting whether a piece of code is legitimate or is a virus is undecidable.
The Raven
why do you surrender to your need to debase an entire nation with a tasteless joke?
The poor guy is already being sued for helping out and /. now slashdots his site? How about some links to the Tegam morons' site? Let's make slashdot justice.
In fact recalls occur very often. Your point about media being damaged is the same as "warranty for parts and labor", reverse engineering is what causes recalls to happen. Two different things. So the analogy, while a bit weak, still holds.
"Your Rights Online: Security Researcher Faces Jail For Finding Bugs"...Isn't it more likely he went to jail for the part about him publishing a paper and creating exploit code for the software and releasing it to the public? What could be more irresponsible? He should be executed.
Full disclosure ensures the best security because it forces accountability. As long as companies continue to try and cover up their flaws through litigation, we're never going to be able to trust their products.
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
No, we are each addressing an opposing viewpoint on "the point". I believe the consumer is better served by informing the developer first (in cases like this, closed source), because they have a significant advantage in fixing the software. After a short time (maybe a day, maybe an hour, maybe a week, depending on the nature of the bug), if the developer has not convincingly responded that they'll fix it quickly, it's time to go public anyway. After a similarly short time from disclosure without a fix, it is appropriate to go public anyway. And it's almost always appropriate to go public after a fix is released, as pressure is applied to the consumers who, without upgrading, often pose a risk to others just by running the unpatched software.
The "point" is that there are several timers ticking down simultaneously, all starting simultaneously before a known person finds the bug. One timer is the time the bug is undisclosed (though possibly known to an unknown "bad guy"), which determines how long the developer might get away with lazily leaving it unpatched, as well as how long the bad guy can exploit it, which does govern the entire scenario. But since switching apps (or another drastic workaround) is often expensive or risky itself, the most appropriate mitigation is publication of a patch. The problem with public disclosure is that it usually increases the risk from unknown (though possibly large enough) to nearly certain that someone can exploit it. So the timers on a "swift response" count down time from private disclosure to a deadline for at least assurance that the bug will be fixed. If that timer runs out, or either it, or the timer on a patch release, is still ticking when the governing timer (how long has at least one person, and therefore possibly an unknown bad guy, been in a position to exploit it) runs out, then it's time to pull the fire alarm and get everyone to abandon the building, releasing the fire extinguishers all over the office equipment.
The disclosure calculus is very complex. Risk factors need not include actually guessing whether a bad guy can exploit it (which ought to be assumed). They are complex enough just considering the time to fix, and the intervening time to accept the need for a fix, and the relative risks of the other mitigations than waiting for a fix. Just announcing publicly reduces that complexity to pure, irrevocable simplicity, while often increasing the risk: lots of bad guys can now exploit before any fix is possible, while workarounds bring their own risks and costs. Tena, the whistleblower in this story, is a security researcher; consensus in that community is to evaluate that complex calculus, usually favoring a chance for the developer to issue a fix. Which, in reality, is often already just trapped somewhere in a bureaucratic release pipeline, so could be delivered faster than even the switchover time after solely public disclosure, after which risks and losses are already guaranteed, even if the fix is quickly released.
--
make install -not war
For selling them such a dangerous, inferior product.
That should cool their heels.
I don't know the meaning of the word 'don't' - J
This is not an incident which happens overseas only either. A colleague and I contacted an online corporation regarding their trivial XOR encryption of credit card information from its clients, and included exploit code.
(long story deleted)
This US company claimed because I had exploit code, I was in possession of its clients' credit card numbers and was attempting to extort said company for cash and source code. I got a serious grilling from the FBI, who informed me that I did the wrong thing by reverse engineering their billing code and finding how easy it was to decrypt it.
I guess the basic idea is that if something is insecure, no one should ever try to get it fixed.
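The post above describes a billing system that "encrypted" card numbers with a trivial XOR. The script below is an added example, not code from that poster or from the company involved, showing why a fixed repeating XOR key over card numbers is no protection at all. The key `s3cr3t`, the four card numbers and the record layout are all constructed for the example; nothing about the real company's billing code is known here. It demonstrates two attacks: with one known plaintext (an attacker's own card) the whole key falls out in one XOR, and even with ciphertext only, the "plaintext is ASCII digits" constraint narrows each key byte to a handful of candidates.

```python
# Added example (not from the thread): repeating-key XOR over card numbers.
# KEY and CARDS are constructed test data; the card numbers are not valid PANs.
from itertools import cycle

KEY = b"s3cr3t"  # assumed: a fixed key reused for every stored record

CARDS = [
    b"4000123412341234",
    b"5100987654321098",
    b"3700111122223333",
    b"6011555566667777",
]


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encrypting and decrypting are the same operation."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def is_all_digits(data: bytes) -> bool:
    """True if every byte is an ASCII digit '0'..'9'."""
    return all(0x30 <= b <= 0x39 for b in data)


def recover_key_known_plaintext(records, known_ct, known_pt, max_len=32):
    """
    Attack 1: the attacker knows ONE plaintext (e.g. their own card) and the
    ciphertext stored for it.  ct XOR pt yields the key stream directly; we
    try candidate key lengths and keep the shortest periodic key that also
    turns every other stored record into a digit string.
    """
    stream = bytes(c ^ p for c, p in zip(known_ct, known_pt))
    for length in range(1, min(max_len, len(stream)) + 1):
        cand = stream[:length]
        # the candidate must reproduce the whole known record, not just a prefix
        if xor_with_key(known_ct, cand) != known_pt:
            continue
        if all(is_all_digits(xor_with_key(ct, cand)) for ct in records):
            return cand
    return None


def key_candidates_ciphertext_only(records, key_len):
    """
    Attack 2: no known plaintext.  The only structure used is that every
    plaintext byte is an ASCII digit.  For each key position, keep the key
    bytes that map every ciphertext byte at that position into b'0'..b'9'.
    The true key byte always survives; so does key_byte ^ 1, because XOR
    with 1 maps the digit set onto itself (0x30<->0x31, ..., 0x38<->0x39),
    which is the residual ambiguity this leak alone cannot resolve.
    """
    digits = b"0123456789"
    candidates = []
    for j in range(key_len):
        possible = set(range(256))
        for ct in records:
            for i in range(j, len(ct), key_len):
                possible &= {ct[i] ^ d for d in digits}
        candidates.append(possible)
    return candidates


def demo():
    """Encrypt the constructed records, then recover the key and all plaintexts."""
    stored = [xor_with_key(c, KEY) for c in CARDS]
    # the attacker's own record is stored[0]; its plaintext CARDS[0] is known
    key = recover_key_known_plaintext(stored, stored[0], CARDS[0])
    return key, [xor_with_key(ct, key) for ct in stored]


if __name__ == "__main__":
    key, plaintexts = demo()
    print("recovered key:", key)
    for p in plaintexts:
        print(p.decode())
    stored = [xor_with_key(c, KEY) for c in CARDS]
    for j, cands in enumerate(key_candidates_ciphertext_only(stored, len(KEY))):
        print(f"key byte {j}: {len(cands)} candidates (true byte in set: {KEY[j] in cands})")
```

The known-plaintext path is the realistic one: any customer of such a system can buy something with their own card and then, given a copy of the database, recover the key for everyone else's records. The ciphertext-only path shows that the lack of a known plaintext is not much comfort either, since the digit-only constraint collapses 256 possibilities per key byte to at most ten, and a 16-digit number with a valid checksum would prune further.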
If the soulier fits then its not exactly bigotry is it. ;-)
Your Anus Online: Security Researcher Eats Faeces in Jail While Looking For Buggery
The Cul
Pisted by Kneelin' Cowboy on Monday January 10, @10:46PM
from the full-insertion dept.
An anonymous breeder writes "Frenching security researchers, Guillaume Tena, who is working Harvard University, faces 4 months in prison after being sued by Tegan Jovanka (for all you Doctor Who geeks out there, I kow you're out there) for reverse entering her Vagi-guard anti-lemur softwear and publishing her telephone number in a number of pubi lavatories. According to a ZDNet article, he could also be sued by Tegan for 900,000 euros in anal damages. More details are available (in french) on Guillaume's website and on the K-OTik's website."
How was that for a first time troll? Props anyone? I know I'm good. >:)
It's funny how everyone assumes that anything bad must be the US government's doing even though the article clearly states that this is in France and is a French government issue. If you're looking for reasons to hate the US at least use stories that are actually ABOUT the US.
Creative Demolition
Americans prefer big dinosaur cars. It is the American way, a tradition dating to the 50's, long before the efficiency races of the 70's. It isn't right or fair to use more petrol per person than any other country in the world, but it's the way it always has been. Safety has nothing to do with cars being large, with compact cars often outperforming large SUVs in government testing.
Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
who cares if the guy is a researcher or just some guy in his mom's basement?
the company put out bad software. the guy just *examined* it.
What's unlawful about trying to find out if a product you paid for is secure and fit for the purpose for which it was marketed?
I'll go one further: if you find out the product isn't secure or fit, how are you under any obligation to tell the company that makes it that fact? Are they paying you to be a consultant? No. Do they give you software for free? Let's assume not. So, why should you give them consulting services for free?
All's true that is mistrusted
Shut the fuck up, you sandnigger apologist.
http://www.google.com/search?hl=en&lr=&safe=off&q=FRANCE+SURRENDERS&btnG=Search
-73, de n1ywb
www.n1ywb.com
go public and you are on your own.
If we look back in history, we will see that what was acceptable has varied over time. Think Galileo Galilei. Think Giordano Bruno. Had the inquisition the right to stop their research, and even, as in Bruno's case, execute him by burning? No, I think not. The established society should not interfere with the exploration of new ideas to increase our knowledge.
Then there is the matter of what ethics should be applied when acquiring new knowledge. But that is a different question from whether we should expand our knowledge. Your example of research on non-voluntary subjects falls in this category, and is of course totally unacceptable in what we today call a civilized society.
God is REAL! Unless explicitly declared INTEGER
Of course, if he posted an exploit without a warning that it is one, and made it look like something harmless, that would be spreading worms and can be punished.
There are clear parallels here between:
a) Guillaume Tena analyzing a piece of software and determining it's insecure.
b)A virus scanner analyzing a piece of software to see if it contains a virus.
Now while Tegam seem to be trying to leverage copyright law into prosecuting Tena it seems fairly clear that it's the actual analysis they don't like and that the copyright issue is the nearest stick they could find.
So on the one hand they think it's legitimate for you to use their software to analyze other software but it isn't something you are allowed to do to their software.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
And my guess is, that's exactly what will happen. The company made a mistake by producing flawed software. The researcher didn't make that mistake, only pointed it out. With these flaw(s) pointed out, the company didn't handle it in a grown-up manner. Instead of fixing the mistake, it focuses on attacking the messenger. Dumb: mistake #2, again made by the company. And it only makes the problem worse.
KIRK: "Tegam, what is your purpose?"
TEGAM: "We are Te-Gam. We produce perfect software. We sterilize imperfections."
KIRK: "Tegam, you produced flawed software. You are imperfect.
TEGAM: "We are Te-Gam. We are perfect. We sterilize imperfections."
KIRK: "Tegam, you produced flawed software. That was your first mistake. You released the software without realizing this. That was your second mistake."
TEGAM: "Error! Error!"
KIRK: "Tegam, you handled the Tena situation in a childish manner. Instead of fixing your mistake, you focused on attacking the messenger. You sued the messenger. That was your third mistake.
TEGAM: "Error! Error! Faulty! Faulty! Must sterilize!"
That knives can be used to slash tires? Somehow I don't think letting this one out 'll get me put in jail.. at least I hope not :).
You're reading Slashdot. Of course you like Linux and pc hardware
I had a toyota that a wheel cylinder 'went out' on me resulting in the brakes to fail suddenly ... you only use brakes when you need them...
I replaced the wheel cylinder and the shoes - the new one did the same thing, then I noticed that it was actually because the drums were out of spec - this is a fucked up situation. Twice I completely lost all brake pressure because they cut the specs so close on the hydraulic component that it is always on the verge of leaving the smooth bore and letting all the brake fluid out, even with new shoes - it's not like the drum was paper thin..
They screwed up, even when the shoes have worn down to nothing, about a 1/4" difference and with typical drum wear the wheel cylinder should not fail - the new drums were not crazy thick compared to the old ones either. They cut that one way too close and the failure mode was catastrophic and not just costly to the other scraping parts that would need replacement if the problem were ignored or unobvious (I tried to fix it, but just didn't expect /that/). The wheel cylinder even had plenty of depth that went unused with all new components, they could have easily and should have known - extended the contact part of the shoe so that the piston would function up to a 1/2" further in.
I can't really blame them, but I've worn brakes /and/ drums out really bad before and it just cost me $$ without making me forever paranoid about brakes, something that shouldn't be rocket science and you would think were designed by 'professionals'.
For anyone interested, just for the sake of presenting both sides, here is the Tegam response.
1. Make Buggy Software ...
2.
3. Profit!
There is nothing unlawful about trying to find out if a product you paid for is secure and fit for the purpose for which it was marketed.
What may be unlawful in this case is that a product was reverse-engineered to achieve that effect, which may have broken applicable French laws. The law punishes actions, not just intentions.
And I'm not sure where you're going with that last part, but I never claimed you were under any legal obligation to tell the company that their product isn't secure or fit, and I do not believe that is the case either. However, I fail to see the relevance of this train of argument.
In a world where you can be put into jail for pointing out the emperor is naked, its best to keep quiet. Companies and people don't want to hear about it. Take a hint.
And don't laugh at the naked pricks when they get their just desserts.
You'll be branded a terrorist, hauled off to Gitmo (or worse) and cornholed by our men in green (or worse, perhaps by other men in dark suits).
We have managed to do something our enemies never could: set up architectures of control designed specifically to keep our society from correcting its errors and improving itself.
No society that does this to itself survives even in the short term. Ours will be no exception, and I for one don't feel a great deal of lament for it anymore.
The Future of Human Evolution: Autonomy
It's high time people stopped informing companies about security holes. It's perfectly OK to let the coders of open source projects know about security holes because they are not going to sue you. If you find a hole in a commercial product just announce it anonymously on the usenet and let it go.
evil is as evil does
Forget legal bullying, I want to see a fight to the death! At least we would be rid of one stupid justice system that way.
In Soviet America the banks rob you!
How come we hear about this because it's a French guy working in the US? Aren't there many many many other security researchers who do exactly the same thing, and might've found the exact same bug before him? I'm sick of seeing all this junk in the US happening to French citizens. He was doing his job, if he's working at Harvard, then he's not at fault, Harvard's at fault, because assuming he's a researcher there, then it's an organization policy that's wrong, not his own actions. But nooo, they don't dare try to sue harvard (who produces a decent team of lawyers), so they sue the poor guy who stumbled on it, and to top it off he's French. Of course with all the political mess going on, this is only oil added to the fire, and the American public's going to believe it was a conspiracy from France, thus blindly penalizing a guy that was doing his job right. Does this mean we're headed towards a totalitarian system, where you're fired if you do nothing and you're in jail if you do something right?
---- I am certain of only one thing : I know nothing else.
There seem to be two cases, one criminal, which is what might send Tena to prison, and the other civil, which according to the article has not yet reached trial stage.
I don't know jack squat about French law, but in the U.S., there are two basic types of law: criminal and civil. You can be prosecuted for a crime under criminal law, but you aren't "sued" per se. A victim would file a complaint in a criminal matter, but wouldn't sue or even prosecute (that would be the state's job, i.e., "the people"), but might sue for damages in a separate civil suit.
Does anyone know what I'm talking about, and know enough about the French legal system to explain the differences to me in this case (or these cases)?
It's not offtopic, dumbass. It's orthogonal.
Moot.
Moot point.
Mute point my chapped ass.
Words fucking mean things.
God damn it.
Fuck.
Argh.
Seriously.
Ick.
Writers imply. Readers infer.
Look guys, being rude to people trying to pimp "free ipods" in their signature is really the only way to get this stuff to stop.
but then reads like a lunatic towards the bottom
I want to research pain.
I'll use decibels as a measure of pain.
I'll use a propane torch as an agent of pain.
I'll use your family as a subject.
Hi, Mom - it's for science.
This society doesn't accept the concept of the individual - there are no volunteers.
How's the paint smell in that corner?
I saw a number of posts where people saying that uncovering security vulnerabilities and publishing the research may hurt the customers. OK, let's put that to the test, let's imagine that we are in the world where such publications are prohibited. Last time I checked, the major driving force behind the scientific research was a desire to be recognised. Yes, white hats and black hats have the same personal reason to do what they do -- they want to be famous. If the only way for a white hat to get famous is the court hearing, then you can say bye-bye to the independent security research. From that point on we will be finding out about vulnerabilities when our systems turn against us. As a rule, patches will be coming out after vulnerabilities have been successfully exploited by bad guys. This would be the last blow to the positive meaning of "hacker", and who wants that? I would rather have white hats held in honour, and software companies held accountable for their mistakes.
And have you even tried to assess the threat of such publications? On one side you have a bunch of black hats who are poorly organized, do not have very effective channels of communication, have an inferior understanding of the vulnerable product; on the other side you have a corporation which does nothing but, which is on top of things, which, for a change, has the entire source code along with people who understand it completely. Who will win in this race? By jailing independent researchers they are effectively sending a message: we are incapable of beating a bunch of amateurs in our own game. The reality is that they simply do not want to, because it costs them more money -- they would rather watch us crash and burn, and then jump in and save the day. Once a day. For all eternity.
Granted, OT, but is that like healthcare or what?
If he'd just published the vulnerabilities, he could claim it was in the public interest. But publishing working exploits? That's a huge difference.
That's a bit like saying hey, a gunshot to the temple will kill you, versus handing out guns and bullets to anyone who comes by.
Does this mean there's an opening for crypto research at Harvard now? Do you have to be a goddamed foreigner to apply, or have they started accepting Americans again?
-fb Everything not expressly forbidden is now mandatory.
Your argument is a little flaky...
Re: Free Speech Zone article. Yes, the question of indefinite detainment is a thorny one. However I thought Free Speech was a concept more for U.S. citizens? Because the article you link to is talking about aliens:
...regulations which permit detention of any alien - regardless of whether they have been designated as a "suspected terrorist" - without charge beyond 48 hours for a "reasonable period" in the event of "emergency" or other "extraordinary circumstances."
The rules are a little different for U.S. Citizens. How does that link apply to the thought of Free Speech again?
Basically your overwhelming hatred of the US is blinding you to facts and dragging your whole argument substantially off-tangent. Par for the course I guess.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Though I don't have much experience reading French, it seems that he has not been sentenced yet:
This means that the prosecution ("Le procureur de la République a requis", i.e. the public prosecutor has requested) is asking for a jail term and 900,000 euro damages; however, the final ruling will be on 8 March 2005.
You should do something about that cough - maybe see a doctor? I know when I cough, it's never so bad that I type out the noises.
Maybe he was dictating?
Live today, because you never know what tomorrow brings
Finding holes in OSS is useful, because you can patch them. But finding holes in proprietary software just exposes you to this sort of risk, seldom results in change, and helps people who aren't paying you. Why bother?
Is it just for the self-righteous feeling of having found fault with someone else's work?
Use open-source software and abandon the rest of the world to the virus/anti-virus battle. Or write behaviour blocking anti-virus software and never have to worry about this sort of thing.
for reverse engineering their viruses.
I'll pit a Ford Excursion 4x4 Diesel against a Geo Metro any day of the week.
If you want to get pummeled in the Geo, then go right ahead.
I'll be sure to send your information over to the people at the Darwin Awards.
There is only 100% ignorance. Just goes to prove, The only Safe PC is one not hooked up to a ...
Because he's not being charged with a criminal offense. You don't get extradited for civil suits.
paintball
I had an 88 Camry (Toyota). The key for it opened:
My parent's car (87 Accord)
Friend's car (Corolla)
Other Friend's car (Accord)
Only on the driver's side door though (and no ignition). That being the lock used most often, the tumblers can become worn and easier to open.
In the case of the example given by the parent to your post... removing a piece of tape does not contractually obligate you. Signing off on a (legally binding) contract does. This is why clickthrough EULA's are so dubious.
No, they might be able to enforce that by removing the tape you can't return the unit or sue them (successfully, you can try to sue for almost anything but success is not so certain) when you get electrocuted for opening something you shouldn't have etc.
The musician's licensing deal is totally different concept, and it pisses me off that people compare the two. You have a full, legally binding contract. Read over, signed in the view of a witness. This is much different from removing the tape on the TV example or checking "OK" on an EULA screen.
Once again I must say this:
Yes. A virus writer could sue. Anyone can sue. It just requires money and/or a lawyer. Suing successfully is different from launching a suit, and there are lots of stupid suits.
Moreover, a virus writer would - by suing on such a basis - admit to being the virus author and thus to breaking various laws. The penalties outweigh the potential gains.
This is a stupid case too. Remember that the plaintiff has a right to sue. We just hope that the laws don't uphold such idiocy, or if they do (DMCA *sigh*) then the courts will be smart enough to strike them down because they are, in fact, idiotic/unrealistic/vague/inappropriate laws.
Meanwhilst, this lawsuit is probably not good for Tegam's reputation... as by doing so they validate his claim that there are, in fact, bugs in their product.
They should have known better, in this day and age you _never_ reveal security flaws unless you keep it anonymous! This isn't some free utopia we live in, most countries including the US are at witch burning level, don't give them your name!
This comment does not represent the views or opinions of the user.
He's karma whoring the Bush administration :-P
In my opinion, Scientology is a cult you should avoid.
"It is unacceptable to violently depreciate a company and its staff through a hardheaded search for vulnerabilities in the software they produce, and this over a number of years."
They poked around Windoze for probably over a number of years - in a hardheaded search for vulns merely depreciating Microsoft Staff's work?
Besides, what they are doing is a full blown PR disaster.
hic porci cocti ambulant
France is in the EU. EU law gives you the right to reverse-engineer software for certain purposes: for academic study, for the purposes of developing interoperable software, or just to satisfy your own morbid curiosity.
Je fume. Tu fumes. Nous fûmes!
>What may be unlawful in this case is that a
>product was reverse-engineered to achieve that
>effect, which may have broken applicable French
>laws.
And how do you suppose said company managed to write their virus scanning program (or whatever it should be called) to start with? Guessing what viruses do? If blanket reverse engineering is not allowed, such a company should not be able to exist in France to start with.
It seems to me that companies could simply add a positive incentive and make things simple. "Inform us of a bug that leads to a security exploit and we will give you $1000.00."
...unless they believe that there is no such thing as impenetrable security. Now there's a blind faith.
Probably some would expect this to lead to rampant abuse of the system from both sides. First, when some black hacker demands $2000.00 or he won't disclose (which would be foolish) or from the other side when a company claims they already know about it and hack their own CVS repository to make it look as if they fixed the hole a week prior.
Other than these little mishaps I can't imagine why a company wouldn't want to have a bunch of volunteers vying for a prize by stress-testing their software.
I wonder if lawyers are trained to hypnotize their clients and always sell the non-solution over all others.
-- thinkyhead software and media
Don't think.
If you think, don't write.
If you write, don't sign.
If you sign, don't wonder.
It's sad that the Revolution brought us no real change. Maybe another one should be performed?
It says that he was given: "4 mois de prison avec sursis" (a four-month suspended sentence). This means that he actually won't go to jail unless he gets jailed for something else during his probation period.
I think what will really be hurtful is the 900,000 euros (~$1,200,000) that the French society wants to extort him of.
This is a blatant form of Injustice, but you do start to understand how this could be when you see that one of the clients of the Tegam company is none other than... The French Ministry of Justice!
The article was not clear about several points - and it made many comments posted here irrelevant :
1/ "Guillermito" is not a security researcher but a researcher in plant biology (and he is paid by Harvard for that). His research about vulnerabilities in steganography and anti-virus software is conducted as a hobbyist, and I am not sure if he was already working at Harvard when the ViGuard affair happened back in 2000/2001.
2/ "Guillermito" was not charged for reverse-engineering, but mainly for having performed all his tests with a pirated (and then with a borrowed) license of the program.
3/ The background of this affair is more complex, since it involves many actors of the French "underworld" (pirates' magazines, virus writers, grey journalists) and points out how many publishers and security experts were bribed by Tegam to praise their product.
4/ You can't imagine how ViGuard sucks. "Guillermito" probably contacted Tegam before publishing his vulnerabilities, but this company is blatantly incompetent and so confident in its lousy technology that they ignored him. To get the idea, if you tell "I found a new buffer overflow bug in your software" to a M$ guy, he'll probably reply "Ok, we may or may not fix it, we don't really care". Now imagine a guy telling "What is a buffer overflow? Anyway our product is superior!!! ". I guess that the vulnerabilities were published only when "Guillermito" realized that Tegam would never (be able to) fix them.
5/ Finally, the decision of the court will be taken on the 8th of March. Whatever happens, the case will be appealed, so the final decision will probably be delayed by up to 18 months.
Apparently, that guy used an illegal copy of TEGAM's software and is sued for that reason. All the buzz about a poor researcher is therefore off topic.
The rules are a little different for U.S. Citizens
And why does that make it acceptable? The fact remains that people can be locked up indefinitely without trial in your country, on suspicion of terrorism (ie, for anything), and held for the rest of their life in cages without charge.
Your government just appointed a man who condones torture to a high position - I think you can expect short shrift for 'Free Speech' for anyone who disagrees with them in the future, whether they're from the chosen people or not.
The 'Free Speech Zone' in New York was just a taste of how they see protest.
There's a great difference between 'finding bugs' and finding exploits for profit, period. This guy deserves to go to jail.
In France, the presumption is that the accused is guilty, rather than innocent until proven guilty like in the USA.
Oh wait. Between the DMCA and the US Patriot Act and the **AA(s), the USA is just like the French now. And we have accommodations in Gitmo just as bad as what the French have at Devil's Island. Perhaps we should change the name of those "Freedom Fries" to something more closely resembling reality.
When the "white hat" hackers have all been made criminals, only then can our computer systems be safe from the "black hat" crackers, right?
If security through obscurity actually worked for commercial software, there wouldn't be any Microsoft Windows/IE exploits.
The Harvard security researcher's only "crime" was his rush to publish -- privately contacting the software publisher about their program's vulnerabilities and giving them 30 days to respond would have been a better course of action. Especially considering that he also published exploit code in his announcement.
> He's a security researcher
No, he's not. He's a molecular biology researcher.
And when their hired auditor (understandably) doesn't deliver 100 percent of the service he was paid for, the company's customers and other members of the general public are expected to step in and report the remaining faults to the vendor in confidence, free of charge?
Finding every bug is indeed a difficult task, if not impossible. However, if the industry can rely on informed members of the public to cover up every failure of theirs (and sue anybody who doesn't cooperate), the industry will have very little incentive to make real improvements.
If a random guy I don't know unintentionally makes a mess for himself and I learn about it, my first reaction is to tell him personally if I can, and simply ignore the problem if I can't. However, most businesses don't automatically qualify for that courtesy, and before I help a company improve one of their products, I want assurance that my assistance will benefit the general public more than their stock holders, and I want some recognition for my contribution.
As the default corporate policy appears to be "valuable technical advice accepted free of charge, questions politely unanswered", I need a little more than an empty feedback form on their website to offer them five minutes of my time.
And invoking copyright law to silence consumer advice, even when that advice is ill-informed or inappropriate in some other way, is just plain stupid. As long as Tena isn't actually distributing Tegam's code (or derivative works of it), this "reverse engineering" objection is ludicrous, whether legally enforceable or not.
So, according to Slashdot cracking software is now considered "finding bugs" ?
"they've just made themselves look petty and bad"
;-)
Who cares if they get the $s, they would possibly never get out of sales
Now, mod me down freely. My karma can't get any worse...
Once you buy something it is yours to do whatever you want with it. You may take it to pieces or rebuild for other purposes. This is also why cable boxes are leased, or at least the cards are. In such a case, they can control what you do with the service.
See my journal, I write things there
Guillermito is a biologist...
Okay shoot me, I didn't yet RTFA but I've read too many responses already that are defending this situation and it's bothering me to see this attitude.
Let's talk about something I see as a parallel: "Consumer Reports". This publication exists for the purpose of informing consumers about the products they use. From time to time, they have exposed product flaws that have resulted in a remarkable public response. But the fact is, they exist to promote the safety and quality of products being sold to the consumer. That they rarely if ever report on software products is somewhat irrelevant. I don't (yet) see what this guy did as anything different from what Consumer Reports does.
Perhaps what is really needed is a strong organization that will do what Consumer Reports does? I think it would take some planning to iron out ethical details, but it could become wealthy in subscriptions and honored for its integrity and protecting its sources...and perhaps poor for defending itself in court.
I know there are many security forums and such-like out there and they are free. But I have to wonder what would happen if any of those organizations were sued or any of its operators were criminally charged. After all, in France, a great many of these things are (apparently) illegal.
The main thing here is that he didn't point out bugs in software, he published code that would take advantage of these bugs. For all the people making the car comparison, he didn't notice a problem that would let you unlock a car without the key, he made something that would take advantage of the problem and let you unlock any car without the key. There's a big difference between publishing bugs you find, and actually publishing code that will take advantage of the bug. Even example exploit code serves as a blueprint for any person who wants to modify it to do something worse with it.
I have no problem with saying there is a bug in software and giving information about it. I do have a problem with someone releasing code that takes advantage of said bug.
"Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
As it should be. Our QA are now serving 25 years in maximum penitentiary after finding insane amount of bugs in the latest release.
That's not true at all, and unsupported by anything that could have ever occurred here. As an example, in France if you, *on purpose*, show intimate body parts, or someone nude, or sexually explicit language, most of the public reaction will just be to laugh and shrug, and additionally you may get a slap on the wrist from the Superior Audiovisual Council. Contrast this with someone showing a nipple *accidentally* in the US.
In my example, I meant on TV.
because we don't like those filthy muskra... you said boy?
Actually, companies usually don't take any different stance when they're notified of their bugs before public disclosure. But at least that gives them the chance.
The chance to what? Sue or threaten to sue the researcher and get a gag order placed on them before they're able to warn the users of the software, preventing the vulnerability from ever being seen?
I agree that notifying the company first is the responsible thing to do, but only if the company is going to be responsible which fewer and fewer are showing the capacity for. It isn't clear to me how this situation would have been different for Tena if he had first told Tegam about the exploit, they told him to be quiet about it and did nothing themselves, then he published. Maybe we would think him more diligent and responsible... or maybe we wouldn't have heard about him -- or the flaws he discovered -- at all.
The enemies of Democracy are
i.e. Go to jail for showing how to pick a lock
I realize that consumer groups monitor product quality for things we buy and use, the national governments inspects the food we eat, police patrol our city streets, even the people of a country monitor their elected officials.
I realize that most software TOUs forbid you to reverse engineer the product, but isn't that more to protect their IP? I mean if someone doesn't dissect it and break it apart to expose flaws, will their next release be any better?
If people didn't tear open Windows would the product be worse today?
I am Bennett Haselton! I am Bennett Haselton!
No, the responsible thing to do would to notify the software maker of the problem, not post it publicly so that people could exploit it. I think his intentions were made very clear by who he chose to inform.
"Ask not what your country can do for you." --John F. Kennedy
I love it when people get compared to Galileo on /.
Time to circle the wagons. Where is the legal defence fund? How do we deal with K-Otik?
Not only does the court uphold the EULA:
but it also disagrees with your assertion that you can't waive a statutory right:
Use great care in leveling attacks at your users, be they security researchers or no.
How many will never buy another Adobe product? I certainly tell everyone that I know.
Now I add Tegam to the list (not that I'd ever heard of you before).
I 'spose Bill's astroturfers are trying another round at subverting slashdot.
Why is it so easy to break them?
...How exactly is this "Insightful"?
Then it is up to the courts to decide whether any of those exceptions under EU law apply in this particular case.
"Our customers chose ViGUARD because they are uncompromising when it comes to reliable computer security."
I'm sure *someone* can come up with a clever retort.
Whoever fights monsters should see to it that in the process he does not become a monster. --Nietzsche
Contact us
By phone
* Switchboard: +33 (0)1.64.66.15.97
* Fax: +33 (0)1.64.66.17.33
By postal mail
TEGAM International France
Z.A. de l'Epinette
77603 Bussy St Georges Cedex France
By email
tegamcom@tegam.fr
...this is exactly why it's necessary.
As far as I can tell from the press release, Tegam is stating that they have been the target of an astroturfing campaign making spurious claims about their products. This sounds plausible, but so does the alleged astroturfer's complaints about their software.
The only way to tell which side is playing silly buggers is by having some kind of example code. If there's code that any owner of the software can run, that demonstrates the weaknesses and thus conclusively proves they exist, then the company can't easily make statements rubbishing claims.
If there is no such code, and the culture is such that code would be expected, then astroturfing campaigns become obvious. An exploit code culture prevents someone making ludicrous claims without putting their code where their mouth is, *and* it stops companies denying the insecurity of their products. And it achieves both without one having to find a trustworthy expert. What more could you want?
For the love of God, please learn to spell "ridiculous"!!!
Did not say patches were harder to find. My definition of an uninformed person is one who is not paying attention to announcements, whether they be advisory announcements or patch announcements.
These are the people who are affected by the worms which exploit problems that already have vendor patches.
Actually libel in this case, since it's of the written word. However the problem is to win a libel suit you have to prove three things:
1) That what was said was false. Ok, no problem (assuming it is false): you show what he did wrong, you've proven this.
2) That the party saying it KNEW it was false when they said it. Hmmm, much harder. If he screwed up his methodology, it might be arguable that he didn't know; he had a positive belief that what he was saying was true.
3) That the false information was said (or in this case written) with malicious intent. Oooo, now this is a toughy. You have to prove that the reason for doing it wasn't incompetence or lack of attention, but actual malicious intent.
So, especially in technical cases, libel or slander can be extremely hard to win. You can prove that a person knowingly made false statements, but fail to prove intent and get nothing for it. You can force them to stop saying false things but you can't usually get any money unless you can prove malicious intent.
Your problem is that in your zealotry you continue to ignore the topic at hand (Free Speech) to discuss something unrelated. Where I come from that's pretty much an Offtopic Troll.
It is not acceptable to detain people forever on the slightest of evidence, but this is not the place to discuss it; wait until some other story comes up that has closer ties to that issue.
Your government just appointed a man who condones torture to a high position - I think you can expect short shrift for 'Free Speech' for anyone who disagrees with them in the future, whether they're from the chosen people or not.
Now that just shows a lack of reading comprehension and no understanding for what people in various positions do.
You obviously have never had contact with a lawyer. The government has just appointed a man who was told to look over the legality of torture and reported what he thought the law said on the matter. It tells us nothing of his own personal opinion on the matter. Or are you of the mindset that all trial lawyers working for people accused of murder also condone murder? Your hate colored glasses confuse all you see.
"This US company claimed because I had exploit code, "
You should have upped the ante, gone after them for defamation, made a big fuss of this company using trivial encryption for critical systems. Complained to the credit card companies and had their credit card merchant account cancelled. Told CNN etc.
OK guys, put down your stupid "this is a college kid, etc. etc. etc." stuff for a second...
If you find a vulnerability in a virus scanner, there are a few ways you can deal with it.
1. You can contact the package's maintainers and ask for them to correct the bug. You can inform them of the vulnerability, and give them time to fix it.
2. You can report it to a service that will report it to the package's maintainers and provide a brief synopsis.
3. You can ignore it and pretend it doesn't exist.
If you do any of these things, or even write a magazine article or trade publication where you talk about the weakness, you're OK (although any reputable publication will inform the package's maintainers).
What this "kid" did wasn't any of these. He wrote code to exploit the vulnerability -- also known as a proof of concept -- then posted it to the public internet, so that all these nice people who bring us viruses such as Code Red, Netsky, Beagle, etc. can write lovely programs that disable end-user's virus scanners.
This is a totally irresponsible and unacceptable way of reporting a vulnerability. It's the wrong way of doing it, in that you've not given the package's maintainers any time to do anything about the problem, and you've not informed any of the package's users about the problem.
The only people you've informed, in fact, are the bad guys who will use it to attack people's computers.
There is no way this benefits the users.
There is no way this benefits the package maintainers.
There is no way this benefits the public internet.
I'm sick of "this is going to improve the product quality." Telling the people who maintain a package -- be it OSS or Commercial -- improves the product. Posting code to exploit a vulnerability hurts users, hurts system administrators and helps all these people trying to install spyware, trojans, worms and viruses on end users' systems.
Get a clue -- posting code to an exploit helps nobody; send it to the company writing the scanner quietly, discreetly. Report it to a security website that reports such things if you're paranoid, but don't post the exploit on the public internet where the bad guys can get at it.
The assumption is if you are demonstrably doing things that help only the bad guys (as this kid was), that you therefore must be a bad guy.
And it's a valid assumption -- take a look at who's being arrested: do you see 40-50 year old white men being taken to jail for writing viruses, or do you see snot-nosed college students without a clue in their head?
Not a researcher -- a researcher doesn't post source code to an exploit to the public internet.
If your code is acting bloated, and is running rather slow, it's likely and predicted that some loops you will unroll.
I always liked the line my friend's father used when his kids threw a fit about something like this: "If you don't stop crying, I'll give you a reason to cry." In other words, shut up, do it, or you'll get spanked.
I think there is a good place in tort law for this sort of thing. If you file a suit where it's obvious, to a reasonable person, that you are just throwing a fit with no merit, you should be slapped down, and hard. Suing someone over exposing your flaws sounds like a good start. Not only should the case be thrown out, but the company should have to pay this guy the 900,000 they are after him for. And, since there is a criminal suit against the guy, the company CEO and board members should be tossed in jail for whatever term this guy might be on the hook for.
Necessity is the mother of invention.
Laziness is the father.
Some years ago, a CP/M modem program had a license which prohibited reverse engineering or disclosing anything about the program. Inspection proved that it was in fact a stolen copy of another modem program.
A purchaser reported this to the police, who promptly contacted the company that it had been stolen from, and prosecuted the thieves. They claimed the reverse engineering was illegal, but the court ruled that the contract was void, as it required the ultimate customer to break the law by keeping the theft a secret. It was therefore null and void.
If the anti-virus company was requiring the users to hide the fact the program was "not suitable for the purpose sold", then they arguably were demanding the users to enter into a criminal conspiracy in restraint of trade.
Users of such programs may wish to speak to their solicitors, lest by obeying the contract terms they inadvertently commit an offense (;-))
--dave
davecb@spamcop.net
screw them all, quit trying to be all holy and just post it as the latest root kit then watch their happy ass squirm
I'm not your original anonymous zealot, obviously just another one ;) I certainly don't feel hateful and twisted, but hey, it's the internet, sometimes things get misread. Frankly though, the ad-hominem attacks are misplaced.
"You obviously have never had contact with a lawyer. The government has just appointed a man who was told to look over the legality of torture"
Whilst it's perfectly possible to write a report on the feasibility of a certain decision and not agree with it, I was going by the way he (Alberto Gonzales) encouraged the Bush regime to legitimise torture, and twisted the spirit of international law to do so by inventing a new category of combatant. To say that interrogation must include
"injury such as death, organ failure, or serious impairment of body functions--in order to constitute torture."
is quite a strong position, and not one I'd be comfortable with a government which had control over me espousing; he's saying that regular beatings and psychological torture or humiliation don't count. Couple that with the fact that you can be detained without reason other than the suspicion of links to terrorism, and the government has now arrogated a lot of power in a very short time. They show no sign of slowing down.
For him to say that the new war on terror renders quaint some of its [the Geneva Conventions'] provisions shows that he is willing to sacrifice morality and play dirty to get results - like many of the other players in this current war. Though war is often corrosive of people's morals, and a little moral slippage is inevitable, the slide into McCarthyism (Axis of Evil, etc etc) of the current US administration, and even the populace, would have stopped me long ago crowing about the Freedom of U.S. Citizens - I think that's what the original poster took exception to.
Again, he's just trying to define what the law is actually saying -- by noting what constitutes torture he's laying out what international law explicitly dictates, not what he would like it to say. Then he is (as the job requires) listing other things it does not say.
If you can point me to a source that says he fully condones forms of torture not explicitly outlawed by international law, that would be one thing. But again you really cannot derive any full knowledge of his personal take on the matter from a document he was assigned to draft as a lawyer. He is just explaining in plainer terms what the law says and what it does not say.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
This is hardly surprising. Native speakers are supposed to know their language. They sort of represent the standard for "good enough". Most native speakers like to think that they master their mother tongue well enough. Anyone who challenges that belief is considered nasty, elitist, pedantic, arrogant, whatnot.
Besides, the line between justified criticism and petty nit-picking is rather fuzzy. If you pick on speling errors, there will always be someone who considers that pedantic.
Otherwise you might be +1 well informed.
Me like you post. It funny and smart. You smart.
Posted by an AC..gee, I wonder why.
I like how you signed your message though -- as I assumed it had come from an idiot.
Inject.