Security Researcher Faces Jail For Finding Bugs
An anonymous reader writes "French security researcher Guillaume Tena, who is working at Harvard University, faces 4 months in prison after being sued by Tegam for reverse engineering its Viguard antivirus software and publishing exploit codes for a number of vulnerabilities. According to a ZDNet article, he could also be sued by Tegam for 900,000 euros in damages. More details are available (in French) on Guillaume's website and on the K-OTik website."
And now we have people getting arrested for pointing out someone else's mistake...
When did greed become more important than helping someone?
This was definitely unfair and uncalled for if his intention was to notify the company of their product's defects, or if he already did but got no response. On the other hand, if he only wanted to hinder the company, he is at fault. But even then, he's got a pretty harsh reprimand.
Will the little Dutch boy be executed for sticking his finger in the dike?
Most physical security (house locks, car locks, office building locks) is indeed "security through harsh penalties", where the locks are really not much more than an advisory symbol saying "don't do this".
Reverse Engineering isn't illegal, certainly finding that "Unlike the advertising claimed, this software didn't detect and stop '100 percent of viruses'" isn't illegal, surely it should be lauded.
The company had two options. Take on board the issues and fix them, or get in a hissy fit. They got in a hissy fit. Well done. Instead of responding to issues that software does have in an adult manner, they've just made themselves look petty and bad.
Just to stave off any rants, this was not US law, a US court, or a US company. He happens to be working "at Harvard" now, but this matter has apparently been taken up in France.
And I thought European courts are a little less boneheaded?
ELOI, ELOI, LAMA SABACHTHANI!?
And you will be....
I absolutely hate this backwards shit. Software engineers and governments and everyone just best get used to the fact that people are going to reverse engineer everything they can. Until they get used to it, lawmaking is just going to go overboard, stifling development and competition.
And I believe the proper response to pointing out an error in your system is "Thank You."
Ignorance kills, complacency kills, hatred kills, but usually not the ones guilty of them.
Well, when Viguard is advertised with clauses like this: "Hundreds of thousands of workstations protected by VIGUARD have never been infected by viruses without a single signature update!"
showing bugs from their product shouldn't be illegal; hell, Viguard should be the fuckers to sue (the only way I can figure out that their product really works is that it stops just about fucking everything from working - otherwise, how can you possibly detect an ftp server from a trojanised one?).
besides.. being a 'hacker' shouldn't be illegal, doing nasty things with those hacks should.
world was created 5 seconds before this post as it is.
"To use an analogy, it's a little bit as if Ford was selling cars with defective brakes. If I realised that there was a problem, opened the hood and took a few pictures to prove it, and published everything on my Web site. Then Ford could file a complaint against me," added Tena.
Well, you see, with a physical object like a car, minor variances in materials and manufacturing can lead to random defects showing up in any specific vehicle.
With software, unless the media it came on is damaged, it is unlikely that the version that you bought is different from the others sitting next to it on the shelf. Binary copies are exact copies.
The analogy also doesn't hold because it isn't like "opening the hood" (though I wonder why you'd open the hood to inspect the brakes, but I digress) and taking a look. It is more like he hooked up wires to the control box and did a packet scan on the computer signals in the computer.
So I guess by your logic, you should be able to sell anything you want, and people shouldn't be allowed to point out bugs or flaws because you might not like it?
Tough Shit.
Stories like this are just the Slashdot editors' way of warning us to shut up already about the Firefox rendering errors on this site. 8^)
Crumb's Corollary: Never bring a knife to a bun fight.
Actually, companies usually don't take any different stance when they're notified of their bugs before public disclosure. But at least that gives them the chance. So when published, the disclosure leaves them no recourse to this diseased retaliation; they are more pressured to fix it instead of making matters worse by killing the messenger. In this case, the messenger (apparently) made matters worse, by disclosing publicly (including bad guys) before giving the company a chance to fix the problem. That is a crucial distinction between his somewhat reckless actions and those of other whistleblowers. Integrity demands reporting to the people who can fix the problem first. Even if they do fix it, the vulnerabilities can be published later, to embarrass the company out of doing it again amidst even worse publicity. If they don't fix it quick, of course publishing is an option to force them. Unfortunately, I doubt the "group mind" of our media will make the distinction, and we'll all get polarized over the oversimplification of whether or not disclosure is ever appropriate without permission of the malware copyright holders.
--
make install -not war
...will the US extradite him given our decreasing friendly relations with France?
Tobacco companies are now suing medical research facilities............phockin' pikers....
From the article: "To use an analogy, it's a little bit as if Ford was selling cars with defective brakes. If I realised that there was a problem, opened the hood and took a few pictures to prove it, and published everything on my Web site. Then Ford could file a complaint against me," added Tena.
If he gave them due notice (it wasn't indicated in TFA), then there is nothing wrong with him posting the exploits.
Otherwise, he is just grandstanding. Pretty much all projects (FOSS included) classify security bugs until a patch or workaround has been worked out. After it has been fixed, though, I think there is an obligation to the users to let them know what happened.
Ralph Nader should have been sued for publishing information on verifiable safety problems and inaccurate odometers in automobiles. Ditto for the one who first broke the story about a certain brand of tire failing on a certain manufacturer's SUVs, causing death and injury.
My rights don't need management.
The users were already in an unsafe position. If you forget to lock your door, putting on a blindfold that prevents you from seeing the open door will not protect you from burglary.
If he could find the open door, so could somebody else. But he was kind enough to show the open door rather than leaving it open.
God is REAL! Unless explicitly declared INTEGER
It will all work out. Next time a virus writer gets caught he'll both sue Tegam and have their officers arrested for reverse engineering his code.
I'm an American. I love this country and the freedoms that we used to have.
They do this all the time. Not having a tradition of Common Law, they fall on the wrong side of this all the time.
Thank God for the First Amendment. For those of you not from the US of A, it guarantees freedom of expression in the most absolute terms. Short of something that incites violence (e.g. "let's kill him") or yelling "fire" in a crowded theater, it is OK. The Pentagon Papers case essentially destroyed "prior restraint" for national security reasons (as practiced in Britain).
Even countries that are supposedly as free as the USA are actually not. Politically incorrect things like "tribe A is stupider than tribe B" will get you put in jail.
I'm reminded of the theme song from "Team America: World Police". Too rude to print here, it would probably get you put in jail in some countries.
Only America could produce someone like "Ol' Dirty Bastard".
http://www.thebricktestament.com/the_law/when_to_
The vulnerability advisory is for the protection of the consumer. It is not to punish the software writer.
.. what happened to our customer database... what does "Hacked by Chinese" mean exactly?!?!?!?
When it comes to vulnerabilities, it is presumptuous to assume that you are the first to discover the bug. We have discovered countless bugs that we've never disclosed to anyone... partly because of fear of this type of retaliation, but mostly due to apathy to the whole mess we call the security industry.
Whether you inform the vendor first or not is really not consequential. Those who are keeping up to date with information will know about the vulnerability when it becomes public in an advisory and can take their own appropriate actions to defend, even if that means taking the resource offline until a patch is made available.
An uninformed person will not only miss the advisory, but will likely miss the patch as well.
Also, don't overlook the fact that the vendor is not in control of the information. Since they are not finding the bugs, they are not going to be able to contain the information. This is especially true when "bad" people find and control the information. When a "good" person, i.e. someone who is sharing the information freely with the public without direct financial gain, decides to donate their time for your benefit, you should respect them and look favorably upon them.
I don't really care either way, but if I had to choose I'd rather see full and immediate disclosure rather than the find a problem, alert the vendor, and sit there policy that companies are forced to endure.
It turns out people really like to keep their heads buried in the sand. If they don't know about a problem, maybe it doesn't exist? Darn
The wording seems to imply that he was being sent to prison as a consequence of being sued, but even in France I imagine there's a clear distinction between civil and criminal law. Or have they brought back debtor's prison?
End users have rights, and a contract agreement not to reverse engineer is not fair competition since (near enough) every company would have such a clause, regardless of the customer's wishes. Reverse engineering makes competition act more swiftly, which any amount of feelgood on the customer's behalf is not going to outweigh. Why do you think that companies form cartels when they can? Why do big companies lobby so strongly for stronger patent laws?
Wikileaks, no DNS
Yes, the same rule of law that enslaved certain segments of our population for a time and the same law that keeps people from ingesting chemicals into their body for the "greater good".
Just because it's a law doesn't make it just.
they've just made themselves look petty and bad
They make themselves look like idiots, but they make this guy's life hell while they are doing it. The sad part is, it may not affect their business (lusers won't know about this) but the cost of this lawsuit will haunt him for a long time.
Not to mention the chilling precedent. I especially like this quote: "If independent researchers are not allowed to freely publish their findings about security software then users will only have 'marketing press releases' to assess the quality of the software. Unfortunately, it seems that we are heading this way in France and maybe in Europe."
Under the DMCA, reverse engineering IS illegal. Specifically if it is meant to circumvent copy protection schemes, but in practice the "spirit of the law" could easily be presented as banning all reverse engineering of all kinds.
To make things worse, the click-through license usually also states that reverse-engineering is prohibited. The fact that the license's own legal status is iffy is unlikely to hold much sway in court.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
For French readers and lovers of Babelfish, here are two blogs about the case. One is from the defense of Guillermito, and the other from one of the viewers of the trial:
http://maitre.eolas.free.fr/journal/index.php?2005/01/05/37-affaire-guillermito-compte-rendu-daudience
http://bricablog.net/
This is not a signature.
Suppose he discovered a defect in a car or some other piece of physical hardware. If that defect were severe enough to kill someone and he did not publish his knowledge of the defect, then could he be held criminally liable and be accused of negligent homicide? Surely the right thing would be to publish the defect and warn the users of the product.
How did software companies get all of these special rules for stuff that doesn't work? If it were a tire or a car or a bridge or a robot, they could never get away with it. But if software doesn't work we are all supposed to just buy the upgrade.
And my guess is, that's exactly what will happen. The company made a mistake by producing flawed software. The researcher didn't make that mistake, only pointed it out.
With these flaw(s) pointed out, the company didn't handle it in a grown-up manner. Instead of fixing the mistake, it focuses on attacking the messenger. Dumb: mistake #2, again made by the company. And it only makes the problem worse.
So customers may drop the product because it's flawed, stay away from the product/company because it's gaining a bad reputation, and because they dislike the company's response to the issue. Either way, all losses are caused by the company's actions, not by the researcher.
Regardless of the outcome, any company that handles software quality in this manner deserves to be dropped like a brick. Let's hope the (financial) fall-out for this company will be big.
I don't know why I should be wasting my time correcting AC's in here. Still, here's a good phrase and my personal interpretation:
SECURITY THRU OBSCURITY IS NO SECURITY AT ALL.
Maybe you won't see people shouting bugs on the streets. But the hackers are there, posting the exploits in underground networks. Away from the police forces.
With public exploits, at least you can see the enemy (the security hole). With "unpublished" exploits, the enemy will strike you from behind.
Is this what you REALLY want?
In fact recalls occur very often. Your point about media being damaged is the same as "warranty for parts and labor", reverse engineering is what causes recalls to happen. Two different things. So the analogy, while a bit weak, still holds.
Full disclosure ensures the best security because it forces accountability. As long as companies continue to try and cover up their flaws through litigation, we're never going to be able to trust their products.
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
No, we are each addressing an opposing viewpoint on "the point". I believe the consumer is better served by informing the developer first (in cases like this, closed source), because they have a significant advantage in fixing the software. After a short time (maybe a day, maybe an hour, maybe a week, depending on the nature of the bug), if the developer has not convincingly responded that they'll fix it quickly, it's time to go public anyway. After a similarly short time from disclosure without a fix, it is appropriate to go public anyway. And it's almost always appropriate to go public after a fix is released, as pressure is applied to the consumers who, without upgrading, often pose a risk to others just by running the unpatched software.
The "point" is that there are several timers ticking down simultaneously, all starting simultaneously before a known person finds the bug. One timer is the time the bug is undisclosed (though possibly known to an unknown "bad guy"), which determines how long the developer might get away with lazily leaving it unpatched, as well as how long the bad guy can exploit it, which does govern the entire scenario. But since switching apps (or another drastic workaround) is often expensive or risky itself, the most appropriate mitigation is publication of a patch. The problem with public disclosure is that it usually increases the risk from unknown (though possibly large enough) to nearly certain that someone can exploit it. So the timers on a "swift response" count down time from private disclosure to a deadline for at least assurance that the bug will be fixed. If that timer runs out, or either it, or the timer on a patch release, is still ticking when the governing timer, how long has at least one person (and therefore possibly an unknown bad guy) been in a position to exploit it, runs out, then it's time to pull the fire alarm and get everyone to abandon the building, releasing the fire extinguishers all over the office equipment.
The disclosure calculus is very complex. Risk factors need not include actually guessing whether a bad guy can exploit it (which ought to be assumed). They are complex enough just considering the time to fix, and the intervening time to accept the need for a fix, and the relative risks of the other mitigations than waiting for a fix. Just announcing publicly reduces that complexity to pure, irrevocable simplicity, while often increasing the risk: lots of bad guys can now exploit before any fix is possible, while workarounds bring their own risks and costs. Tena, the whistleblower in this story, is a security researcher; consensus in that community is to evaluate that complex calculus, usually favoring a chance for the developer to issue a fix. Which, in reality, is often already just trapped somewhere in a bureaucratic release pipeline, so could be delivered faster than even the switchover time after solely public disclosure, after which risks and losses are already guaranteed, even if the fix is quickly released.
--
make install -not war
This is not an incident which happens overseas only either. A colleague and I contacted an online corporation regarding their trivial XOR encryption of credit card information from its clients, and included exploit code.
(long story deleted)
This US company claimed that because I had exploit code, I was in possession of its clients' credit card numbers and was attempting to extort said company for cash and source code. I got a serious grilling from the FBI, who informed me that I did the wrong thing by reverse engineering their billing code and finding how easy it was to decrypt it.
I guess the basic idea is that if something is insecure, no one should ever try to get it fixed.
Nope, that won't work. Vulnerability disclosures must include a working exploit; otherwise I could anonymously destroy my competitors by posting false but hysterical vulnerability reports about their products.
As I said in another post: software companies don't give us their software for free; similarly, we shouldn't give them consulting services for free. If I find a vulnerability, I don't owe the software company anything and I'm under no particular obligation to tell them before I tell anyone else.
Or are you saying it is irresponsible / immoral / illegal to state a provable fact about the security of a software system?
All's true that is mistrusted
>Yes, but the kinds of things that make contracts
>void are very few indeed.
How about someone forcing you to agree to it so that you can use something you bought? Imagine next time you buy a TV, get home, and then find a piece of paper stuck on top of where to plug the antenna in. It says that by removing the piece of paper you agree that the TV is not yours, that they can come and pick it back up whenever they want, and that they WILL do it if you watch channels that are not theirs or try to figure out how it works in any way and so on...
And my guess is, that's exactly what will happen. The company made a mistake by producing flawed software. The researcher didn't make that mistake, only pointed it out. With these flaw(s) pointed out, the company didn't handle it in a grown-up manner. Instead of fixing the mistake, focusses on attacking the messenger. Dumb: mistake #2, again made by the company. And only makes the problem worse.
KIRK: "Tegam, what is your purpose?"
TEGAM: "We are Te-Gam. We produce perfect software. We sterilize imperfections."
KIRK: "Tegam, you produced flawed software. You are imperfect."
TEGAM: "We are Te-Gam. We are perfect. We sterilize imperfections."
KIRK: "Tegam, you produced flawed software. That was your first mistake. You released the software without realizing this. That was your second mistake."
TEGAM: "Error! Error!"
KIRK: "Tegam, you handled the Tena situation in a childish manner. Instead of fixing your mistake, you focused on attacking the messenger. You sued the messenger. That was your third mistake."
TEGAM: "Error! Error! Faulty! Faulty! Must sterilize!"
For anyone interested, just for the sake of presenting both sides, here is the Tegam response.
In a world where you can be put into jail for pointing out the emperor is naked, it's best to keep quiet. Companies and people don't want to hear about it. Take a hint.
And don't laugh at the naked pricks when they get their just desserts.
You'll be branded a terrorist, hauled off to Gitmo (or worse) and cornholed by our men in green (or worse, perhaps by other men in dark suits).
We have managed to do something our enemies never could: set up architectures of control designed specifically to keep our society from correcting its errors and improving itself.
No society that does this to itself survives even in the short term. Ours will be no exception, and I for one don't feel a great deal of lament for it anymore.
The Future of Human Evolution: Autonomy
It's high time people stopped informing companies about security holes. It's perfectly OK to let the coders of open source projects know about security holes because they are not going to sue you. If you find a hole in a commercial product, just announce it anonymously on Usenet and let it go.
evil is as evil does
Moot.
Moot point.
Mute point my chapped ass.
Words fucking mean things.
God damn it.
Fuck.
Argh.
Seriously.
Ick.
Writers imply. Readers infer.
I saw a number of posts where people said that uncovering security vulnerabilities and publishing the research may hurt the customers. OK, let's put that to the test; let's imagine that we are in a world where such publications are prohibited. Last time I checked, the major driving force behind scientific research was a desire to be recognised. Yes, white hats and black hats have the same personal reason to do what they do -- they want to be famous. If the only way for a white hat to get famous is the court hearing, then you can say bye-bye to independent security research. From that point on we will be finding out about vulnerabilities when our systems turn against us. As a rule, patches will be coming out after vulnerabilities have been successfully exploited by bad guys. This would be the last blow to the positive meaning of "hacker", and who wants that? I would rather have white hats held in honour, and software companies held accountable for their mistakes.
And have you even tried to assess the threat of such publications? On one side you have a bunch of black hats who are poorly organized, do not have very effective channels of communication, have an inferior understanding of the vulnerable product; on the other side you have a corporation which does nothing but, which is on top of things, which, for a change, has the entire source code along with people who understand it completely. Who will win in this race? By jailing independent researchers they are effectively sending a message: we are incapable of beating a bunch of amateurs in our own game. The reality is that they simply do not want to, because it costs them more money -- they would rather watch us crash and burn, and then jump in and save the day. Once a day. For all eternity.
Granted, OT, but is that like healthcare or what?
Does this mean there's an opening for crypto research at Harvard now? Do you have to be a goddamned foreigner to apply, or have they started accepting Americans again?
-fb Everything not expressly forbidden is now mandatory.
Finding holes in OSS is useful, because you can patch them. But finding holes in proprietary software just exposes you to this sort of risk, seldom results in change, and helps people who aren't paying you. Why bother?
Is it just for the self-righteous feeling of having found fault with someone else's work?
Use open-source software and abandon the rest of the world to the virus/anti-virus battle. Or write behaviour blocking anti-virus software and never have to worry about this sort of thing.
for reverse engineering their viruses.
I had an 88 Camry (Toyota). The key for it opened:
My parents' car (87 Accord)
Friend's car (Corolla)
Other Friend's car (Accord)
Only on the driver's side door though (and no ignition). That being the lock used most often, the tumblers can become worn and easier to open.
Apparently, that guy used an illegal copy of TEGAM's software and is being sued for that reason. All the buzz about a poor researcher is therefore off topic.
The main thing here is that he didn't point out bugs in software, he published code that would take advantage of these bugs. For all the people making the car comparison, he didn't notice a problem that would let you unlock a car without the key, he made something that would take advantage of the problem and let you unlock any car without the key. There's a big difference between publishing bugs you find, and actually publishing code that will take advantage of the bug. Even example exploit code serves as a blueprint for any person who wants to modify it to do something worse with it.
I have no problem with saying there is a bug in software and giving information about it. I do have a problem with someone releasing code that takes advantage of said bug.
"Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
Actually, companies usually don't take any different stance when they're notified of their bugs before public disclosure. But at least that gives them the chance.
The chance to what? Sue or threaten to sue the researcher and get a gag order placed on them before they're able to warn the users of the software, preventing the vulnerability from ever being seen?
I agree that notifying the company first is the responsible thing to do, but only if the company is going to be responsible, which fewer and fewer are showing the capacity for. It isn't clear to me how this situation would have been different for Tena if he had first told Tegam about the exploit, they told him to be quiet about it and did nothing themselves, then he published. Maybe we would think him more diligent and responsible... or maybe we wouldn't have heard about him -- or the flaws he discovered -- at all.
The enemies of Democracy are