Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Researcher Faces Jail For Finding Bugs

Posted by CowboyNeal on from the full-enclosure dept.

An anonymous reader writes "French security researcher Guillaume Tena, who is working at Harvard University, faces 4 months in prison after being sued by Tegam for reverse engineering its Viguard antivirus software and publishing exploit codes for a number of vulnerabilities. According to a ZDNet article, he could also be sued by Tegam for 900,000 euros in damages. More details are available (in french) on Guillaume's website and on the K-OTik's website."

19 of 726 comments (clear)

  1. Here we go by lordkuri · · Score: 5, Insightful

    And now we have people getting arrested for pointing out someone else's mistake...

    When did greed become more important than helping someone?

    1. Re:Here we go by smokeslikeapoet · · Score: 4, Insightful

      Lets get this straight. Lets say Consumer Reports did a review of 4 safes: Safe A and Safe B can be opened with a fingernail file, Safe C can be opened with a bobby pin. Safe D was inpenatrable with known methods, so buy that one.

      Should Consumer Reports, their reporters, or editors be criminaly or finacially liable for posting the exploits? Should they contact the manufacturer and not inform the public? Should they be applauded and rewarded for offering the consumer a service? I'm sure your smart enough to figure out the answer there.

      If my antivirus software or firewall isn't secure than I sure as hell want to know about it!!!

  2. What were his intentions? by linolium · · Score: 4, Insightful

    This was definitely unfair and uncalled for if his intention was to notify the company of their product's defects, or if he already did but got no response. On the other hand, if he only wanted to hinder the company, he is at fault. But even then, he's got a pretty harsh reprimand.

  3. What's next? by DamienNightbane · · Score: 4, Insightful

    Will the little Dutch boy be executed for sticking his finger in the dike?

  4. If I break in your car... by Anonymous Coward · · Score: 5, Insightful
    with the same techniques AAA uses when some mom forgets her keys in the ignition, I'd be arrested.


    Most physical security (house locks, car locks, office building locks) is indeed "security through harsh penalties", where the locks are really not much more than an advisory symbol saying "don't do this".

    1. Re:If I break in your car... by Seumas · · Score: 5, Insightful

      If I break in your car with the same techniques AAA uses when some mom forgets her keys in the ignition, I'd be arrested.

      If you bought a car, figured out some ways to break into YOUR OWN CAR, then published those ways to alert other consumers as to the lack of security the car has, should you still be arrested?

    2. Re:If I break in your car... by barc0001 · · Score: 4, Insightful

      He lives in Winnipeg. Car theft capital of Canada right behind Surrey and Regina. It was only a matter of time regardless.

      But to address your argument at face value, is it :

      a) better to have a hidden flaw that is only known to criminals (which is undoubtedly where the Sun heard about it from) that is built into cars for years to come, providing hundreds of thousands of easy targets...
      or
      b) expose the flaw to daylight and both force the manufacturer to do something about, and alert all owners of said existing cars to the problem so they can buy additional anti-theft devices.

      I mean, come on. If we replace the word "theft" with "car has tendancy to spontaneously explode, killing occupants in a fiery inferno of doom", everyone and their dog would be lining up to lynch any bastard who tried to defend option a.

      I don't know about you, but I would always prefer to know well in advance if my car was either easy to steal or about to explode.

    3. Re:If I break in your car... by Anonymous Coward · · Score: 5, Insightful

      With software, you only own the right to use one instance of it - right to use, not right to do whatever you want.

      Copyright stops you from copying. It does not prevent you from looking at the inner workings of something.

      A book critic can find fault in the language the author uses. A music critic can find fault in the way an instrument is played. A journalist can find fault in the actions of soldiers. Why can't a software engineer find fault in the software he looks at? Oh, that's right, it's e-magical so we have to come up with entirely new sets of laws and ethics.

  5. This would set a terrible precedent (in France...) by Anonymous Coward · · Score: 5, Insightful

    Reverse Engineering isn't illegal, certainly finding that "Unlike the advertising claimed, this software didn't detect and stop '100 percent of viruses'" isn't illegal, surely it should be lauded.

    The company had two options. Take on board the issues and fix them, or get in a hissy fit. They got in a hissy fit. Well done. Instead of responding to issues that software does have in an adult manner, they've just made themselves look petty and bad.

  6. Re:He got what he deserved by furiousgeorge · · Score: 5, Insightful

    SO i guess by your logic, you should be able to sell anything you want, and people shouldn't be allowed to point out bugs or flaws because you might not like it?

    Tough Shit.

  7. same difference by Doc+Ruby · · Score: 5, Insightful

    Actually, companies usually don't take any different stance when they're notified of their bugs before public disclosure. But at least that gives them the chance. So when published, the disclosure leaves them no recourse to this diseased retaliation; they are more pressured to fix it instead of making matters worse by killing the messenger. In this case, the messenger (apparently) made matters worse, by disclosing publicly (including bad guys) before giving the company a chance to fix the problem. That is a crucial distinction between his somewhat reckless actions and those of other whistleblowers. Integrity demands reporting to the people who can fix the problem first. Even if they do fix it, the vulnerabilities can be published later, to embarass the company out of doing it again amidst even worse publicity. If they don't fix it quick, of course publishing is an option to force them. Unfortunately, I doubt the "group mind" of our media will make the distinction, and we'll all get polarized over the oversimplification of whether or not disclosure is ever appropriate without permission of the malware copyright holders.

    --

    --
    make install -not war

    1. Re:same difference by grcumb · · Score: 5, Insightful

      "Actually, companies usually don't take any different stance when they're notified of their bugs before public disclosure. But at least that gives them the chance. So when published, the disclosure leaves them no recourse to this diseased retaliation; they are more pressured to fix it instead of making matters worse by killing the messenger. In this case, the messenger (apparently) made matters worse, by disclosing publicly (including bad guys) before giving the company a chance to fix the problem. That is a crucial distinction between his somewhat reckless actions and those of other whistleblowers."

      That's a really decent analysis. Thank you for that. The distinction between acting responsibly and acting foolishly is often a little difficult to discern, especially at first glance.

      The thing that upsets me, though, is that apparently foolhardiness by the whistle blower carries a penalty of over USD 1 million and potential jail time, whereas the (arguably criminal) negligence of software makers seems to carry no cost at all.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
  8. By this logic... by earthforce_1 · · Score: 4, Insightful

    Ralph Nader should have been sued for publishing information on verifiable safety problems and inaccurate odometers in automobiles. Ditto for the one who first broke the story about a certain brand of tire failing on a certain manufacturers SUVs, causing death and injury.

    --
    My rights don't need management.
  9. Re:Bad analogy by Anonymous Coward · · Score: 4, Insightful
    The analogy also doesn't hold because it isn't like "opening the hood" (though I wonder why you'd open the hood to inspect the brakes, but I digress) and taking a look. It is more like he hooked up wires to the control box and did a packet scan on the computer signals in the computer.

    Which should be equally encouraged.

    If it becomes illegal for people to figure out how things work, we'll find ourselves living in a society of morons (even more than now).

  10. You miss the point entirely... by jrl · · Score: 5, Insightful

    The vulnerability advisory is for the protection of the consumer. It is not to punish the software writer.

    When it comes to vulnerabilities, it is presumptuous to assume that you are the first to discover the bug. We have discovered countless bugs that we've never disclosed to anyone... partly because of fear of this type of retaliation, but mostly due to apathy to the whole mess we call the security industry.

    Whether you inform the vendor first or not is really not consequential. Those who are keeping up to date with information will know about the vulnerability when it becomes public in an advisory and can take their own appropriate actions to defend, even if that means take the resource offline until a patch is made available.

    An uninformed person will not only miss the advisory, but will likely miss the patch as well.

    Also, don't overlook the fact that the vendor is not in control of the information. Since they are not finding the bugs, they are not going to be able to contain the information. This is especially true when "bad" people find and control the information. When a "good" person, IE someone who is sharing the information freely with the public without direct financial gain, decides to donate their time for your benefit, you should respect them and look favorably upon them.

    I don't really care either way, but if I had to choose I'd rather see full and immediate disclosure rather than the find a problem, alert the vendor, and sit there policy that companies are forced to endure.

    It turns out people really like to keep their heads buried in the sand. If they don't know about a problem, maybe it doesn't exist? Darn .. what happened to our customer database... what does "Hacked by Chinese" mean exactly?!?!?!?

  11. The damage is done, and company's own fault by Alwin+Henseler · · Score: 4, Insightful
    If the software maker presses this upon the researcher, the customers need to press the software maker.

    And my guess is, that's exactly what will happen. The company made a mistake by producing flawed software. The researcher didn't make that mistake, only pointed it out.

    With these flaw(s) pointed out, the company didn't handle it in a grown-up manner. Instead of fixing the mistake, focusses on attacking the messenger. Dumb: mistake #2, again made by the company. And only makes the problem worse.

    So customers may drop the product because it's flawed, stay away from the product/company because it's gaining a bad reputation, and because they dislike the company's response to the issue. Either way, all losses are caused by the company's actions, not by the researcher.

    Regardless of the outcome, any company that handles software quality in this manner deserves to be dropped like a brick. Let's hope the (financial) fall-out for this company will be big.

  12. Re:The devil is in the details by Pofy · · Score: 5, Insightful

    >Yes, but the kinds of things that make contracts
    >void are very few indeed.

    How about someone forcing you to agree to it so that you can use something you bought? Imagine next time you buy a TV, get how, and then find a piece of paper stuck on top of were to plug the antenna in. It says that by removing the piece of paper you agree that the TV is not yours, that they can come and pick it back whenever they want, and that they WILL do it if you watch channels that are not theirs or try to figure out how it works in any way and so on...

  13. Time to stop. by killjoe · · Score: 4, Insightful

    It's high time people stopped informing companies about security holes. It's perfectly OK to let the coders of open source projects know about security holes because they are not going to sue you. If you find a hole in a commercial product just announce it anonymously on the usenet and let it go.

    --
    evil is as evil does
  14. not exploits, exploit CODE by dirk · · Score: 4, Insightful

    The main thing here is that he didn't point out bugs in software, he published code that would take advantage of these bugs. For all the people making the car comparison, he didn't notice a problem that would let you unlock a car without the key, he made something that would take advantage of the problem and let you unlock any car without the key. There's a big difference between publishing bugs you find, and actually publishing code that will take advantage of the bug. Even example exploit code serves as a blueprint for any person who wants to modify it to do something worse with it.

    I have no problem with saying there is a bug in software and giving information about it. I do have a problem with someone releasing code that take advantage of said bug.

    --

    "Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"