Security Researcher Faces Jail For Finding Bugs
An anonymous reader writes "French security researcher Guillaume Tena, who is working at Harvard University, faces 4 months in prison after being sued by Tegam for reverse engineering its Viguard antivirus software and publishing exploit codes for a number of vulnerabilities. According to a ZDNet article, he could also be sued by Tegam for 900,000 euros in damages. More details are available (in French) on Guillaume's website and on the K-OTik's website."
...will the US extradite him given our decreasingly friendly relations with France?
From the article: "To use an analogy, it's a little bit as if Ford was selling cars with defective brakes. If I realised that there was a problem, opened the hood and took a few pictures to prove it, and published everything on my Web site. Then Ford could file a complaint against me," added Tena.
If he gave them due notice (it wasn't indicated in TFA), then there is nothing wrong with him posting the exploits.
Otherwise, he is just grandstanding. Pretty much all projects (FOSS included) classify security bugs until a patch or workaround has been worked out. After it has been fixed, though, I think there is an obligation to the users to let them know what happened.
Actually, there are quite a few models of domestic cars (mainly minivans) out during the late 80s and early 90s that use only about five different key cuts and remote (door open) codes.
I'll wait patiently here for the police.
The wording seems to imply that he was being sent to prison as a consequence of being sued, but even in France I imagine there's a clear distinction between civil and criminal law. Or have they brought back debtor's prison?
I had a 93 Saturn SL2 with a worn out key (probably helped).
I was at the mall and in the general area of my car gravitated to a maroon SL2, unlocked the door started to get in and noticed it was far too clean and had seat covers. I quickly got out and nervously tried to relock the door, but my key did not spin so I left. I didn't want to get into trouble for an honest mistake.
One time I also locked my keys in the car at a gas station. The attendant was unable to slim jim the door but went back into the shop and got a small Sawzall blade (or maybe a blade for a scroll saw) with fairly big teeth. It was a little taller than a key but the teeth were about the right size. The attendant then stuck this into the keyhole and jiggled for about 30 seconds while turning and I was in. It took a few minutes to get the blade out though due to the fact that the teeth were only slanted on one side.
Of course getting into cars ain't all that tricky anyway (big windows) and I can't speak for the ignitions.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
This is not an incident which happens overseas only either. A colleague and I contacted an online corporation regarding their trivial XOR encryption of credit card information from its clients, and included exploit code.
(long story deleted)
This US company claimed because I had exploit code, I was in possession of its clients' credit card numbers and was attempting to extort said company for cash and source code. I got a serious grilling from the FBI, who informed me that I did the wrong thing by reverse engineering their billing code and finding how easy it was to decrypt it.
I guess the basic idea is that if something is insecure, no one should ever try to get it fixed.
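As an added illustration of why "trivial XOR encryption" of stored card data is worth reporting (this is example code written for this page, not the poster's exploit and not the company's billing code; the key, the records and the card numbers are constructed, the latter being the public test numbers, and the function names are ours): a short repeating XOR key is recovered by anyone who holds one plaintext/ciphertext pair, which any customer does for their own card, and that key then unlocks every other record.

```python
"""Added example (not from the thread): known-plaintext recovery of a
repeating XOR key over a constructed "billing database".  All data below is
constructed; the card numbers are well-known public test numbers."""


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed "billing database": every record encrypted under the same key.
SECRET_KEY = b"\x5a\xa5\x3c\xc3"          # assumed to be the vendor's hidden key
CARDS = [b"4111111111111111", b"5500000000000004",
         b"340000000000009", b"6011000000000004"]
DATABASE = [xor_bytes(c, SECRET_KEY) for c in CARDS]


def keystream_period(stream: bytes) -> int:
    """Smallest p such that stream[i] == stream[i+p] for every i.
    For a repeating key this is the (shortest equivalent) key length."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i + p] for i in range(len(stream) - p)):
            return p
    return len(stream)


def recover_key(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known-plaintext attack: XORing one plaintext/ciphertext pair exposes
    the keystream, and a repeating key is that keystream's shortest period.
    Needs a sample at least one byte longer than the key to fix the period."""
    stream = xor_bytes(ciphertext, known_plaintext)   # == key repeated
    return stream[:keystream_period(stream)]


def dump_database(my_card: bytes, my_record: bytes, database: list) -> list:
    """Given only the attacker's own card and its stored record, decrypt all."""
    key = recover_key(my_card, my_record)
    return [xor_bytes(r, key) for r in database]


if __name__ == "__main__":
    key = recover_key(CARDS[0], DATABASE[0])
    print("recovered key:", key.hex())
    for rec in dump_database(CARDS[0], DATABASE[0], DATABASE):
        print(rec.decode())
```

Two practical points: the attacker needs no access to the code at all, only one record whose plaintext they know, and a key such as `abab` is recovered as `ab`, which decrypts identically. Card numbers are also digits only, so even without a known plaintext each key byte is confined to a handful of candidates; that attack is not shown here.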
What were his intentions?
... item).
Who gives a fuck?
If you are a security researcher, you look for security holes, right? If you are a responsible researcher, and you find some security holes, you better publish them, right? Right? RIGHT?
WRONG!! Hear ya, hear ya, hear ya, from now on doing the responsible thing will get you jail time, and a stiff $900,000 bill. From now on, the right, responsible, thing to do when you find security holes is to sell them to spam virus hackers. That way you:
1. Never get caught.
2. Profit (note lack of
No moral problems either, since the company who loses is the bunch of asshats who'd put you in jail for pointing out their bug, and the people who get spammed are the same shitheads that made the stupid law possible.
Fuck, I'm pissed. Better go drink my milk. Good thing I'm not a security researcher.