Slashdot Mirror
Security Researcher Faces Jail For Finding Bugs
An anonymous reader writes "French security researcher Guillaume Tena, who is working at Harvard University, faces 4 months in prison after being sued by Tegam for reverse engineering its Viguard antivirus software and publishing exploit codes for a number of vulnerabilities. According to a ZDNet article, he could also be sued by Tegam for 900,000 euros in damages. More details are available (in french) on Guillaume's website and on the K-OTik's website."
And now we have people getting arrested for pointing out someone else's mistake...
When did greed become more important than helping someone?
This was definitely unfair and uncalled for if his intention was to notify the company of their product's defects, or if he already did but got no response. On the other hand, if he only wanted to hinder the company, he is at fault. But even then, he's got a pretty harsh reprimand.
Will the little Dutch boy be executed for sticking his finger in the dike?
Most physical security (house locks, car locks, office building locks) is indeed "security through harsh penalties", where the locks are really not much more than an advisory symbol saying "don't do this".
Reverse Engineering isn't illegal, certainly finding that "Unlike the advertising claimed, this software didn't detect and stop '100 percent of viruses'" isn't illegal, surely it should be lauded.
The company had two options. Take on board the issues and fix them, or get in a hissy fit. They got in a hissy fit. Well done. Instead of responding to issues that software does have in an adult manner, they've just made themselves look petty and bad.
I absolutely hate this backwards shit. Software engineers and governments and everone just best get used to the fact that people are going to reverse engineer everything they can. Until they get used to it, lawmaking is just going to go overboard, stifling development and competition.
And I believe the proper response to pointing out an error in your system is "Thank You."
Ignorance kills, complacency kills, hatred kills, but usually not the ones guilty of them.
SO i guess by your logic, you should be able to sell anything you want, and people shouldn't be allowed to point out bugs or flaws because you might not like it?
Tough Shit.
Actually, companies usually don't take any different stance when they're notified of their bugs before public disclosure. But at least that gives them the chance. So when published, the disclosure leaves them no recourse to this diseased retaliation; they are more pressured to fix it instead of making matters worse by killing the messenger. In this case, the messenger (apparently) made matters worse, by disclosing publicly (including bad guys) before giving the company a chance to fix the problem. That is a crucial distinction between his somewhat reckless actions and those of other whistleblowers. Integrity demands reporting to the people who can fix the problem first. Even if they do fix it, the vulnerabilities can be published later, to embarass the company out of doing it again amidst even worse publicity. If they don't fix it quick, of course publishing is an option to force them. Unfortunately, I doubt the "group mind" of our media will make the distinction, and we'll all get polarized over the oversimplification of whether or not disclosure is ever appropriate without permission of the malware copyright holders.
--
make install -not war
Ralph Nader should have been sued for publishing information on verifiable safety problems and inaccurate odometers in automobiles. Ditto for the one who first broke the story about a certain brand of tire failing on a certain manufacturers SUVs, causing death and injury.
My rights don't need management.
Which should be equally encouraged.
If it becomes illegal for people to figure out how things work, we'll find ourselves living in a society of morons (even more than now).
They do this all the time. Not having a tradition of Common Law, they fall on the wrong side of this all the time.
Thank God for the First Amendment. For those of you not from the US of A, it guarantees freedom of expression in the most absolute terms. Short of something that incites violence (e.g. "let's kill him") or yelling "fire" in a crowded theater, it is OK. The Pentagon Papers case essentially destroyed "prior restraint" for national secrutiy reasons (as practiced in Britain).
Even countries that are supposedly as free as the USA are actually not. Politically incorrect things like "tribe A is stupider than tribe B" will get you put in jail.
I'm reminded of the theme song from "Team America: World Police". Too rude to print here, it would probably get you put in jail in some countries.
Only America could produce someone like "Ol' Dirty Bastard".
http://www.thebricktestament.com/the_law/when_to_
The vulnerability advisory is for the protection of the consumer. It is not to punish the software writer.
.. what happened to our customer database... what does "Hacked by Chinese" mean exactly?!?!?!?
When it comes to vulnerabilities, it is presumptuous to assume that you are the first to discover the bug. We have discovered countless bugs that we've never disclosed to anyone... partly because of fear of this type of retaliation, but mostly due to apathy to the whole mess we call the security industry.
Whether you inform the vendor first or not is really not consequential. Those who are keeping up to date with information will know about the vulnerability when it becomes public in an advisory and can take their own appropriate actions to defend, even if that means take the resource offline until a patch is made available.
An uninformed person will not only miss the advisory, but will likely miss the patch as well.
Also, don't overlook the fact that the vendor is not in control of the information. Since they are not finding the bugs, they are not going to be able to contain the information. This is especially true when "bad" people find and control the information. When a "good" person, IE someone who is sharing the information freely with the public without direct financial gain, decides to donate their time for your benefit, you should respect them and look favorably upon them.
I don't really care either way, but if I had to choose I'd rather see full and immediate disclosure rather than the find a problem, alert the vendor, and sit there policy that companies are forced to endure.
It turns out people really like to keep their heads buried in the sand. If they don't know about a problem, maybe it doesn't exist? Darn
The vulnerability advisory is for the protection of the consumer. It is not to punish the software writer.
.. what happened to our customer database... what does "Hacked by Chinese" mean exactly?!?!?!?
When it comes to vulnerabilities, it is presumptuous to assume that you are the first to discover the bug. We have discovered countless bugs that we've never disclosed to anyone... partly because of fear of this type of retaliation, but mostly due to apathy to the whole mess we call the security industry.
Whether you inform the vendor first or not is really not consequential. Those who are keeping up to date with information will know about the vulnerability when it becomes public in an advisory and can take their own appropriate actions to defend, even if that means take the resource offline until a patch is made available.
An uninformed person will not only miss the advisory, but will likely miss the patch as well.
Also, don't overlook the fact that the vendor is not in control of the information. Since they are not finding the bugs, they are not going to be able to contain the information. This is especially true when "bad" people find and control the information. When a "good" person, IE someone who is sharing the information freely with the public without direct financial gain, decides to donate their time for your benefit, you should respect them and look favorably upon them.
I don't really care either way, but if I had to choose I'd rather see full and immediate disclosure rather than the find a problem, alert the vendor, and sit there policy that companies are forced to endure.
It turns out people really like to keep their heads buried in the sand. If they don't know about a problem, maybe it doesn't exist? Darn
Suppose he discovered a defect in a car or some other piece of physical hardware. If that defect were severe enough to kill someone and he did not publish his knowledge of the defect, then could he then be held criminally liable and be accused of negligent homocide? Surely the right thing would be to publish the defect and warn the users of the product.
How did software companies get all of these special rules for them if stuff that doesn't work.? If it were a tire or a car or a bridge or a robot, they could never get away with it. But if software doesn't work we are all supposed to just buy the upgrade.
And my guess is, that's exactly what will happen. The company made a mistake by producing flawed software. The researcher didn't make that mistake, only pointed it out.
With these flaw(s) pointed out, the company didn't handle it in a grown-up manner. Instead of fixing the mistake, focusses on attacking the messenger. Dumb: mistake #2, again made by the company. And only makes the problem worse.
So customers may drop the product because it's flawed, stay away from the product/company because it's gaining a bad reputation, and because they dislike the company's response to the issue. Either way, all losses are caused by the company's actions, not by the researcher.
Regardless of the outcome, any company that handles software quality in this manner deserves to be dropped like a brick. Let's hope the (financial) fall-out for this company will be big.
Nope, that won't work. Vulnerability disclosures must include a working exploit; otherwise I could anonymously destroy my competitors by posting false but hysterical vulnerability reports about their products.
As I said in another post: software companies don't give us their software for free; similarly, we shouldn't give them consulting services for free. If I find a vulnerability, I don't owe the software company anything and I'm under no particular obligation to tell them before I tell anyone else.
Or are you saying it is irresponsible / immoral / illegal to state a provable fact about the security of a software system?
All's true that is mistrusted
>Yes, but the kinds of things that make contracts
>void are very few indeed.
How about someone forcing you to agree to it so that you can use something you bought? Imagine next time you buy a TV, get how, and then find a piece of paper stuck on top of were to plug the antenna in. It says that by removing the piece of paper you agree that the TV is not yours, that they can come and pick it back whenever they want, and that they WILL do it if you watch channels that are not theirs or try to figure out how it works in any way and so on...
It's high time people stopped informing companies about security holes. It's perfectly OK to let the coders of open source projects know about security holes because they are not going to sue you. If you find a hole in a commercial product just announce it anonymously on the usenet and let it go.
evil is as evil does
The main thing here is that he didn't point out bugs in software, he published code that would take advantage of these bugs. For all the people making the car comparison, he didn't notice a problem that would let you unlock a car without the key, he made something that would take advantage of the problem and let you unlock any car without the key. There's a big difference between publishing bugs you find, and actually publishing code that will take advantage of the bug. Even example exploit code serves as a blueprint for any person who wants to modify it to do something worse with it.
I have no problem with saying there is a bug in software and giving information about it. I do have a problem with someone releasing code that take advantage of said bug.
"Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"