Security Researcher Faces Jail For Finding Bugs
An anonymous reader writes "French security researcher Guillaume Tena, who is working at Harvard University, faces 4 months in prison after being sued by Tegam for reverse engineering its Viguard antivirus software and publishing exploit code for a number of vulnerabilities. According to a ZDNet article, he could also be sued by Tegam for 900,000 euros in damages. More details are available (in French) on Guillaume's website and on K-OTik's website."
Yeah. Either ignore it, fix it, or sue him for blackmail/racketeering if he even hinted at taking it public if they didn't take action. Which do you think is the likely outcome? Would you be willing to risk it for no gain other than just being a nice guy?
In a world where you can be put into jail for pointing out the emperor is naked, it's best to keep quiet. Companies and people don't want to hear about it. Take a hint.
...will the US extradite him given our decreasing friendly relations with France?
From the article: "To use an analogy, it's a little bit as if Ford was selling cars with defective brakes. If I realised that there was a problem, opened the hood and took a few pictures to prove it, and published everything on my Web site. Then Ford could file a complaint against me," added Tena.
If he gave them due notice (it wasn't indicated in TFA), then there is nothing wrong with him posting the exploits.
Otherwise, he is just grandstanding. Pretty much all projects (FOSS included) classify security bugs until a patch or workaround has been worked out. After it has been fixed, though, I think there is an obligation to the users to let them know what happened.
Actually, there are quite a few models of domestic cars (mainly minivans) out during the late 80s and early 90s that use only about five different key cuts and remote (door open) codes.
I'll wait patiently here for the police.
I heard about that. A friend of mine claimed that they had a family friend whose keys opened his family's car door. I don't know if this was a true story or not, but it alerted me to this subject.
The wording seems to imply that he was being sent to prison as a consequence of being sued, but even in France I imagine there's a clear distinction between civil and criminal law. Or have they brought back debtor's prison?
End users have rights, and a contract agreement not to reverse engineer is not fair competition since (near enough) every company would have such a clause, regardless of the customer's wishes. Reverse engineering makes competition act more swiftly, which any amount of feelgood on the customer's behalf is not going to outweigh. Why do you think that companies form cartels when they can? Why do big companies lobby so strongly for stronger patent laws?
I had a 93 Saturn SL2 with a worn out key (probably helped).
I was at the mall and in the general area of my car gravitated to a maroon SL2, unlocked the door started to get in and noticed it was far too clean and had seat covers. I quickly got out and nervously tried to relock the door, but my key did not spin so I left. I didn't want to get into trouble for an honest mistake.
One time I also locked my keys in the car at a gas station. The attendant was unable to slim jim the door but went back into the shop and got a small Sawzall blade (or maybe a blade for a scrolling saw) with fairly big teeth. It was a little taller than a key but the teeth were about the right size. The attendant then stuck this into the keyhole and jiggled for about 30 seconds while turning and I was in. It took a few minutes to get the blade out though due to the fact that the teeth were only slanted on one side.
Of course getting into cars ain't all that tricky anyway (big windows) and I can't speak for the ignitions.
Let me give you some fodder for thought...
In August, a local newspaper (Winnipeg Sun) published basically step-by-step instructions as to how to break into Dodge Intrepids. This was done in the name of 'alerting owners as to how easy it is to break into and steal those cars'. Guess what. My buddy's Intrepid was stolen that night, using the exact techniques described in the article.
Now, which side of this argument do you think he would fall on?
So? What's wrong with that? They aren't selling their software to secret government agencies - they sell to the general public.
As far as I'm concerned, if they can tout their software's capabilities to the public, he has the right to showcase its weak points in the same forum.
In fact recalls occur very often. Your point about media being damaged is the same as "warranty for parts and labor", reverse engineering is what causes recalls to happen. Two different things. So the analogy, while a bit weak, still holds.
Full disclosure ensures the best security because it forces accountability. As long as companies continue to try and cover up their flaws through litigation, we're never going to be able to trust their products.
This is not an incident which happens overseas only either. A colleague and I contacted an online corporation regarding their trivial XOR encryption of credit card information from its clients, and included exploit code.
(long story deleted)
This US company claimed because I had exploit code, I was in possession of its clients' credit card numbers and was attempting to extort said company for cash and source code. I got a serious grilling from the FBI, who informed me that I did the wrong thing by reverse engineering their billing code and finding how easy it was to decrypt it.
I guess the basic idea is that if something is insecure, no one should ever try to get it fixed.
Yeah, it's fascism (corporate government without corporate governance). Especially since they're "killing the messenger", a mark of fascist propaganda that sends fear among potential whistleblowers. This fascist wave is rising inexorably, and software is its natural element.
My dad did this while walking out of a movie rental place. 2 cars parked right next to each other, same colors, etc - got all the way to attempting to start it and realized what was wrong.
I also work for a company that transfers personal vehicles (POVs) for military personnel and, due to human nature, we lock keys in cars all the time or dead batteries (recharged) cause car alarms to go off and we have no problem breaking into even the newest vehicles or disabling the alarms.
Of course, publishing the material is a moot point because it's common sense stuff that causes it. While the door plates are protected now, it's easier to stick a coat hanger in the top of the door and press the rocker switch for the locks than it is to get a tool that goes under the window.
Posting as an AC since the company geek reads this all the time...
What were his intentions?
Who gives a fuck?
If you are a security researcher, you look for security holes, right? If you are a responsible researcher, and you find some security holes, you better publish them, right? Right? RIGHT?
WRONG!! Hear ya, hear ya, hear ya, from now on doing the responsible thing will get you jail time, and a stiff $900,000 bill. From now on, the right, responsible, thing to do when you find security holes is to sell them to spam virus hackers. That way you:
1. Never get caught.
2. Profit (note lack of
No moral problems either, since the company who loses is the bunch of asshats who'd put you in jail for pointing out their bug, and the people who get spammed are the same shitheads that made the stupid law possible.
Fuck, I'm pissed. Better go drink my milk. Good thing I'm not a security researcher.
I haven't given up on software quality; I just recognize that testing never ends. It is you who unrealistically expects people to do anything perfectly. As I mentioned, "Our software is too complex, and our tools are too crude, to avoid them." I expect our tools to become more fine - I personally anticipate more flowchart/lexical development tools as UML finally gets compiled. I expect software to become ever more complex, as it is more interconnected, but I also expect some simplifying patterns to emerge as stable. The SW industry *is* in some ways 1000 years old, with repeated instructions for, say, transcribing books at the root of many of our software patterns. But some of our problems are not old enough to have solutions, or to have been discarded in light of experience with actual stored programs for digital networks. But I don't see any other human activity that is exposed to the public without mistakes. A more mature software industry will learn from the resilience of those other, reliable, activities, with failure tolerance, redundancy, and feedback at every step. Perhaps software development will then become much less inexpensive for its productivity increases, but the finer control and mutability, transcending distance, and amplifying humans (as well as myriad other benefits) will be even more impactful, when we don't even notice the software, because it works as well as everything else (yet not perfectly).
BTW, if there aren't any qmail bugs, why are there qmail patches?
In a world where you can be put into jail for pointing out the emperor is naked, it's best to keep quiet. Companies and people don't want to hear about it. Take a hint.
And don't laugh at the naked pricks when they get their just desserts.
You'll be branded a terrorist, hauled off to Gitmo (or worse) and cornholed by our men in green (or worse, perhaps by other men in dark suits).
We have managed to do something our enemies never could: set up architectures of control designed specifically to keep our society from correcting its errors and improving itself.
No society that does this to itself survives even in the short term. Ours will be no exception, and I for one don't feel a great deal of lament for it anymore.
...Politically incorrect things like "tribe A is stupider than tribe B" will get you put in jail.
Er, I might be misunderstanding you, but in the USA you are free to shout racism and hate from the mountaintops, whereas in a lot of European countries you'd get tossed in jail.
Over here, speech is protected, and that includes virtually all forms of communication. Personally, I prefer it this way too, every now and then I get neo-nazi flyers in my mailbox, but that itself isn't hurting anyone. I'd defend their right to pamphlet and rally, as I'd expect all citizens to defend mine if I felt so strongly about an issue.
What bothers me most are the 'liberals' who really seem to want to take away those rights, the ones pushing political correctness as a way of life. I consider myself a liberal, but only as far as the root of the word allows, there's nothing 'liberal' about dismissing facts that conflict with political correctness.
Up here in the Boston area I deal with a LOT of people who are just as backward to the left as we all think people down south are backward to the right. Try telling someone up here you don't feel at all guilty for slavery, or that you think public schools should separate kids based on performance, or that racism is 'mostly dead in the 21st century' and people will think you're a crazy bible-thumping hood-wearing nigger-lynching whacko.
It's real easy to get into most cars. I made a long steel 3/8 inch rod that has a 1 inch 90 deg bend on one end. I then get a large flathead screwdriver and pry the door open at the top opposite the hinges until the rod can slip inside. Then use the hook end to lift or manipulate the door lock. I can do this in under a minute with the right car. I helped this woman who drove about 20 miles to look at an apartment by me and locked her keys inside her car. She was so grateful that she gave me 20 bucks which I refused but she made me take it anyway. It's scary how easy it really is short of smashing a window.
European courts are some of the most oppressive when it comes to common rights we take for granted.
Here in the U.S it's the people vs. In Europe it's the state vs.
That simple little difference is why I trembled when some of our supreme court justices started quoting current european case law.
I saw a number of posts where people were saying that uncovering security vulnerabilities and publishing the research may hurt the customers. OK, let's put that to the test, let's imagine that we are in the world where such publications are prohibited. Last time I checked, the major driving force behind the scientific research was a desire to be recognised. Yes, white hats and black hats have the same personal reason to do what they do -- they want to be famous. If the only way for a white hat to get famous is the court hearing, then you can say bye-bye to the independent security research. From that point on we will be finding out about vulnerabilities when our systems turn against us. As a rule, patches will be coming out after vulnerabilities have been successfully exploited by bad guys. This would be the last blow to the positive meaning of "hacker", and who wants that? I would rather have white hats held in honour, and software companies held accountable for their mistakes.
And have you even tried to assess the threat of such publications? On one side you have a bunch of black hats who are poorly organized, do not have very effective channels of communication, have an inferior understanding of the vulnerable product; on the other side you have a corporation which does nothing but, which is on top of things, which, for a change, has the entire source code along with people who understand it completely. Who will win in this race? By jailing independent researchers they are effectively sending a message: we are incapable of beating a bunch of amateurs in our own game. The reality is that they simply do not want to, because it costs them more money -- they would rather watch us crash and burn, and then jump in and save the day. Once a day. For all eternity.
Granted, OT, but is that like healthcare or what?
Also interesting is this statement about the product in question: ViGUARD's main advantage is that it does not need virus signatures to stop infections. I wonder if it merely protects a system against active infection and doesn't take any action against dormant viruses that are "just passing through"?? Without a signature database, you wouldn't know something was bad until it tried to attack your system...
Finding holes in OSS is useful, because you can patch them. But finding holes in proprietary software just exposes you to this sort of risk, seldom results in change, and helps people who aren't paying you. Why bother?
Is it just for the self-righteous feeling of having found fault with someone else's work?
Use open-source software and abandon the rest of the world to the virus/anti-virus battle. Or write behaviour blocking anti-virus software and never have to worry about this sort of thing.
I had an 88 Camry (Toyota). The key for it opened:
My parent's car (87 Accord)
Friend's car (Corolla)
Other Friend's car (Accord)
Only on the driver's side door though (and no ignition). That being the lock used most often, the tumblers can become worn and easier to open.