Slashdot Mirror


Security Researcher Faces Jail For Finding Bugs

An anonymous reader writes "French security researcher Guillaume Tena, who is working at Harvard University, faces 4 months in prison after being sued by Tegam for reverse engineering its Viguard antivirus software and publishing exploit code for a number of vulnerabilities. According to a ZDNet article, he could also be sued by Tegam for 900,000 euros in damages. More details are available (in French) on Guillaume's website and on the K-OTik's website."

12 of 726 comments

  1. The real question is... by stubear · · Score: 4, Interesting

    ...will the US extradite him given our decreasing friendly relations with France?

  2. Re:He got what he deserved by isometrick · · Score: 4, Interesting

    From the article: "To use an analogy, it's a little bit as if Ford was selling cars with defective brakes. If I realised that there was a problem, opened the hood and took a few pictures to prove it, and published everything on my Web site, then Ford could file a complaint against me," added Tena.

    If he gave them due notice (it wasn't indicated in TFA), then there is nothing wrong with him posting the exploits.

    Otherwise, he is just grandstanding. Pretty much all projects (FOSS included) classify security bugs until a patch or workaround has been worked out. After it has been fixed, though, I think there is an obligation to the users to let them know what happened.

  3. Re:If I break in your car... by eliza_effect · · Score: 4, Interesting

    Actually, there are quite a few models of domestic cars (mainly minivans) out during the late 80s and early 90s that use only about five different key cuts and remote (door open) codes.

    I'll wait patiently here for the police.

  4. Poor phrasing by rumblin'rabbit · · Score: 4, Interesting

    The article says that he faces 4 months in prison after being sued by Tegam.

    The wording seems to imply that he was being sent to prison as a consequence of being sued, but even in France I imagine there's a clear distinction between civil and criminal law. Or have they brought back debtor's prison?

  5. Re:The devil is in the details by Morosoph · · Score: 3, Interesting

    Many contracts are illegal (e.g. a contract to murder), and thus are immediately void.

    End users have rights, and a contract agreement not to reverse engineer is not fair competition since (near enough) every company would have such a clause, regardless of the customer's wishes. Reverse engineering makes competition act more swiftly, which any amount of feelgood on the customer's behalf is not going to outweigh. Why do you think that companies form cartels when they can? Why do big companies lobby so strongly for stronger patent laws?

  6. Re:If I break in your car... by AvitarX · · Score: 4, Interesting

    I had a 93 Saturn SL2 with a worn out key (probably helped).

    I was at the mall and in the general area of my car gravitated to a maroon SL2, unlocked the door, started to get in and noticed it was far too clean and had seat covers. I quickly got out and nervously tried to relock the door, but my key did not spin so I left. I didn't want to get into trouble for an honest mistake.

    One time I also locked my keys in the car at a gas station. The attendant was unable to slim jim the door but went back into the shop and got a small Sawzall blade (or maybe a blade for a scrolling saw) with fairly big teeth. It was a little taller than a key but the teeth were about the right size. The attendant then stuck this into the keyhole and jiggled for about 30 seconds while turning and I was in. It took a few minutes to get the blade out though due to the fact that the teeth were only slanted on one side.

    Of course getting into cars ain't all that tricky anyway (big windows) and I can't speak for the ignitions.

    --
    Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
  7. Don't agree... by pVoid · · Score: 3, Interesting

    Maybe the analogy is poor, but the idea is the same: for example when Bridgestone's tires were shown to be flawed by design (making SUVs flip if not inflated fully), it was disclosed to the public and the tires were recalled.

    In fact recalls occur very often. Your point about media being damaged is the same as "warranty for parts and labor", reverse engineering is what causes recalls to happen. Two different things. So the analogy, while a bit weak, still holds.

  8. When Will People Ever Learn? by eno2001 · · Score: 3, Interesting

    Full disclosure ensures the best security because it forces accountability. As long as companies continue to try and cover up their flaws through litigation, we're never going to be able to trust their products.

    --
    -"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
  9. Not just overseas, shoot first in America too by mmmbeer · · Score: 4, Interesting

    This is not an incident which happens overseas only either. A colleague and I contacted an online corporation regarding their trivial XOR encryption of credit card information from its clients, and included exploit code.

    (long story deleted)
    This US company claimed because I had exploit code, I was in possession of its clients' credit card numbers and was attempting to extort said company for cash and source code. I got a serious grilling from the FBI, who informed me that I did the wrong thing by reverse engineering their billing code and finding how easy it was to decrypt it.

    I guess the basic idea is that if something is insecure, no one should ever try to get it fixed.

  10. Re:What were his intentions? by khrtt · · Score: 4, Interesting

    What were his intentions?

    Who gives a fuck?

    If you are a security researcher, you look for security holes, right? If you are a responsible researcher, and you find some security holes, you better publish them, right? Right? RIGHT?

    WRONG!! Hear ya, hear ya, hear ya, from now on doing the responsible thing will get you jail time, and a stiff $900,000 bill. From now on, the right, responsible, thing to do when you find security holes is to sell them to spam virus hackers. That way you:

    1. Never get caught.
    2. Profit (note lack of ... item).

    No moral problems either, since the company who loses is the bunch of asshats who'd put you in jail for pointing out their bug, and the people who get spammed are the same shitheads that made the stupid law possible.

    Fuck, I'm pissed. Better go drink my milk. Good thing I'm not a security researcher.

  11. This culture will be justly unlamented by FreeUser · · Score: 3, Interesting

    In a world where you can be put into jail for pointing out the emperor is naked, it's best to keep quiet. Companies and people don't want to hear about it. Take a hint.

    And don't laugh at the naked pricks when they get their just deserts.

    You'll be branded a terrorist, hauled off to Gitmo (or worse) and cornholed by our men in green (or worse, perhaps by other men in dark suits).

    We have managed to do something our enemies never could: set up architectures of control designed specifically to keep our society from correcting its errors and improving itself.

    No society that does this to itself survives even in the short term. Ours will be no exception, and I for one don't feel a great deal of lament for it anymore.

    --
    The Future of Human Evolution: Autonomy
  12. Someone, think about the customers!! by melikamp · · Score: 3, Interesting

    I saw a number of posts where people are saying that uncovering security vulnerabilities and publishing the research may hurt the customers. OK, let's put that to the test, let's imagine that we are in the world where such publications are prohibited. Last time I checked, the major driving force behind the scientific research was a desire to be recognised. Yes, white hats and black hats have the same personal reason to do what they do -- they want to be famous. If the only way for a white hat to get famous is the court hearing, then you can say bye-bye to the independent security research. From that point on we will be finding out about vulnerabilities when our systems turn against us. As a rule, patches will be coming out after vulnerabilities have been successfully exploited by bad guys. This would be the last blow to the positive meaning of "hacker", and who wants that? I would rather have white hats held in honour, and software companies held accountable for their mistakes.

    And have you even tried to assess the threat of such publications? On one side you have a bunch of black hats who are poorly organized, do not have very effective channels of communication, have an inferior understanding of the vulnerable product; on the other side you have a corporation which does nothing but, which is on top of things, which, for a change, has the entire source code along with people who understand it completely. Who will win in this race? By jailing independent researchers they are effectively sending a message: we are incapable of beating a bunch of amateurs in our own game. The reality is that they simply do not want to, because it costs them more money -- they would rather watch us crash and burn, and then jump in and save the day. Once a day. For all eternity.

    Granted, OT, but is that like healthcare or what?